Embracing Risk Management Principles: As Easy as One, Two, Three

In the pharmaceutical industry today, there are strict guidelines to adhere to throughout the product lifecycle. Some of them, like risk management, seem more complex and harder to adhere to than others. But maybe we just need a different perspective on what risk management is to inspire us to embrace it. Here are some examples of how simple it can be.

Consider a dinner date, what do you wear?

1. Assess the requirements: Is it a fancy restaurant? Is it “business or pleasure”?
2. Assess the risks: Is there a risk I will be cold? Is there a risk for rain?
3. Set up an action plan with risk mitigating actions: I will wear my warm coat that does not take rain very well, but I will bring an umbrella in case of rain.

This type of risk assessment is intuitive, and you do it without even realizing it is a risk assessment. While sometimes you need a more in-depth analysis, quite often it can be this easy to do a risk assessment for work related operations as well. More often than you think, it is enough to document the intuitive risk assessment.

Consider Company A as another example. Company A subcontracts a lot of activities, as many companies in the pharma sector do these days, but in their written procedure for qualifying new subcontractors there is no requirement for risk assessment. They feel the requirements for their subcontractors are known and defined through written directives and are set by different agencies. As long as they ask for the correct certifications and permits, they believe there are no risks to their operations.

Statements like “there are no risks” are results of risk assessments. If a risk assessment has not been completed though, how can you know there is no risk?

No one knows your business better than you. A risk assessment done by a regulatory agency is by default generic and cannot cover specifics for your operations. That is why we are required to always keep a risk-based approach and incorporate risk management into our quality systems.

If there is a generic risk assessment, you do not necessarily need to make yours so complicated. Consider the specifics of your operations and what risks might be applicable, and write it down.

For Company A, a simple one, two, three addition to their supplier qualification procedure is recommended.

1. Assess the requirements. Define the classifications for different products/operations (medical device, OTC, prescribed drugs, sterile, high potent, etc.) and the regulatory requirements for each of them.
2. Assess the risks. Each classification will come with its own set of risks – for some the regulatory requirements cover all foreseeable risks, for others there might be additional risks to consider.
3. Set up an action plan. In the case of supplier qualification some of the risks are handled by asking for certifications and permits, some need on-site audits.

This risk assessment will give Company A a very clear picture of their operations and I believe that they have already done this assessment on an intuitive level. If it is also documented, it can be used when a new product is considered to help recognize if it is a product of a previously handled category or if this product comes with additional risks that needs to be addressed. That is a very good starting point for deciding how to qualify a new subcontractor.