I have a little trick when reviewing a Quality Risk Management SOP. I go to the process/procedure map section, and if I see only the illustration from ICH Q9, I know I am looking at an organization that hasn’t actually thought about risk management.
A risk management process needs more than the methodology behind individual risk management (assess, control, review). It needs to include the following:
- Risk Plan: How do you manage risk management holistically? Which systems/processes have living risk assessments? What are your planned reviews? What significant initiatives around quality risk management are included?
- Risk Register: How do you manage your entire portfolio of risks? Link to quality management review.
- Selection of tools, and even more importantly, development of tools.
- Mechanisms and tools for risk treatment
- Improvement strategy for the quality risk management program. How do we know if the program is working as intended?
- How to define, select, and train risk owners
- How to engage the appropriate stakeholders in the risk process
Too many quality risk management SOPs do not read like a process or procedure. They read like a regurgitation of ICH Q9 or the ISO 31000 documents. Neither is a good thing. You must go deeper and create an executable process to govern the system.