Risk Assessment as part of Quality Risk Management


Quality Risk Management (QRM) is an integral part of the corporate Quality Management System. Effective QRM is fundamental to ensuring the protection of human Subjects participating in Clinical Trials and fundamental to reliability of Clinical Trial results.

QRM helps to:

  • efficiently manage business operations
  • preserve the Resources that would otherwise be consumed on corrective actions and rework
  • avoid disruptions to delivering the business objectives.


This article aims to briefly introduce the risk assessment process as an essential part of successful QRM.


General guidance on risk management exists from multiple sources. As a discipline, risk management is described in academic settings, in other industries, and through standards. Commonly referenced quality standards such as ICH Q9, International Organisation for Standardisation (ISO) 31000, and ICH E6 provide different perspectives and scopes in risk management best practices.

Risk Assessment is a systematic process of organising information to support a risk decision to be made within a risk management process. It consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards

It is commonly understood that risk is defined as the combination of the probability of occurrence of harm and the severity of that harm.

As an aid to clearly defining the risk(s) for risk assessment purposes, four fundamental questions are used at CRG:

  1. What might go wrong?
  2. What is the probability (likelihood) it will go wrong?
  3. What are the consequences (severity or impact)?
  4. How easily the issue can be detected (detectability)?

Risk assessment helps to understand risks, their causes, consequences, probabilities, and ability to detect them with enough time for effective mitigation, either with existing controls or with launching contingency plan(s).

The purpose of risk assessment is to provide information and analysis to make informed decisions.

Hazard identification

Hazard identification is a systematic use of information to identify hazards referring to the risk question or problem description. Information can include historical data, theoretical analysis, informed opinions, and the concerns of stakeholders. Hazard identification addresses the “What might go wrong?” question, including identifying the possible consequences.

In Clinical Trials CRG Project Team focuses on participating Subjects’ safety and rights, data quality and reliability, overall study integrity including compliance with applicable laws and regulations, study timelines and costs.

The above-mentioned Subjects’ safety and rights, data quality and reliability are often referred as critical data and processes.

The risk to participating Subjects’ safety is considered as the increased risk arising from the clinical research activity as opposed to the baseline level of risk arising from normal (routine) clinical practice.

The following Risk Sources should be considered in Clinical Trials (non-exhaustive list):

  • Therapeutic indication and consequently the type and number of Adverse Events and Serious Adverse Events per Subject, severity of disease and its prognosis, ease, or difficulty to find, enroll and retain Subjects for the duration defined in the study protocol, possible comorbidities that may affect recruitment, incidence and prevalence of the disease, disease seasonal patterns, etc.
  • Clinical Trial Protocol, namely, its complexity, fit to the country-specific healthcare environment, number of visits, number of procedures per visit, the length of follow-up, comparators or standard of care requirements, equipment expected to be in place, experience in working with the equipment, central and local lab involvement, etc.
  • Subject population, such as recruiting in-patients versus out-patients, vulnerable Subjects’ populations, typical Subjects’ profiles, etc.
  • Geography, e.g., countries with a high Clinical Trial experience versus those with a limited experience, distances (thus, travel costs and inconveniences) of participants to get to Clinical Trial Site(s), normal (routine) clinical practice and standard of care in each participating country, logistics of supplies, etc.
  • Investigators, namely, their interest, qualifications, location, cooperativeness, time limitations, importance (Key Opinion Leaders), business hours and availability, commitment for the whole study duration, teams, and back-ups, etc.
  • Data collection and reliability, e.g., type of the Case Report Forms, monitoring strategy (on-site, remote, centralised, combined), Source Data Verification percentage, data critical for statistical analysis and adequate source data verification decision, etc.
  • Investigational Medicinal Product / Medical Device, namely, the phase of development, established safety profile, potential Regulatory limitations to obtain approvals, required study reporting, specific instructions related to study drug / device handling, etc. 
  • General study set-up, e.g., the number of Third-Party Vendors, logistics, timelines, agreed and documented delegated roles and responsibilities split between CRG and involved External Parties, collaboration model, clear definition of the scope, agreed risk-acceptance criteria, personnel availability, and qualifications, etc.
  • Timelines and budget, e.g., whether the timelines are realistic and supported by available intelligence data, whether the budget is sufficient to cover the study costs, etc.

Risk analysis

Risk analysis is the estimation of the risk associated with the identified hazards. It is the qualitative or quantitative process of linking the likelihood of occurrence and severity of harms. The ability to detect the harm (detectability) also factors in the estimation of risk.

Root cause analysis could be used to retrospectively identify the root causes of failure. Primary and secondary causes may be identified using various methodologies (e.g., Five Why’s method). This methodology is recommended to analyse audit findings and issues that have occurred previously.

Failure Modes and Effects Analysis (FMEA), could be used to prospectively analyse potential failures and associated causes, prioritise risks depending on their impact, probability, and detectability, and decide on measures to reduce the risks. The Risk Priority Number (RPN) used in FMEA indicates the attention the QRM team should pay to each risk; the higher RPN, the higher attention and need to treat the risk.

The use of Lessons Learned is important in Risk analysis.

Risk evaluation

Risk evaluation compares the identified and analysed risk against given risk criteria. Risk evaluations consider the strength of evidence for all four of the fundamental questions defined above. In doing an effective risk assessment, the robustness of the data set is important because it determines the quality of the output. Revealing assumptions and reasonable sources of uncertainty will enhance confidence in this output and/or help identify its limitations.

Uncertainty is due to a combination of incomplete knowledge about a process and its expected or unexpected variability. Typical sources of uncertainty include gaps in knowledge, gaps in process understanding, sources of harm (e.g., failure modes of a process, sources of variability), and probability of detection of problems.

The output of a risk assessment is either a quantitative estimate of risk or a qualitative description of a range of risk. When risk is expressed quantitatively, a numerical probability is used. Alternatively, risk can be expressed using qualitative descriptors, such as “high”, “medium”, or “low”, which should be defined in as much detail as possible.

Carpathian Research Group capabilities

CRG as a CRO promotes and encourages all of its staff to exercise ‘‘risk-based thinking” in execution of their job duties, so risks to quality could be proactively identified and prevented. We have extensive experience performing risk assessment in Clinical Trials and can greatly assist Sponsors in proper risk assessments for the benefit of smooth execution of Clinical Trials.

Information on all other Clinical Trial services that we provide could be found at www.crg.global