We did an FMEA for the design of the room. Why do we need a risk assessment for the change control to implement the design features?
We have an environmental risk management plan, including a HAACP. Why does this change control require a new risk assessment?
If I received a nickel……
I want to expand on my earlier thoughts on risk management enabling change.
Risk Management is a key enabler of any quality by design, whether of product, facility/equipment or study. We do living risk assessments to understand the scope of our ongoing risk. Inevitably we either want to implement that new or improved design or we want to mitigate the ongoing risks in our operation. So we turn to change management. And as part of that change management we do a risk assessment. Our change management then informs ongoing risk review.
Risk Management Leads to Change Management
Design Implementation
Through the iterative design lifecycle there is a final design ready for introduction. Perhaps this is a totally new thing, perhaps it is a new set of equipment or processes, or just a modification.
All along through the iterative design lifecycle risk management has been applied to establish measurable, testable, unambiguous and traceable performance requirements. Now your process engages with change management to introduce the change.
And a new risk assessment is conducted.
This risk assessment is asking a different question. During the iterative design lifecycle the risk question is some form of “What are the risks from this design on the patient/process.” As part of risk management, the question is “What are the risks to SISPQ/GMP from introducing the change.”
This risk assessment is narrower, in that it looks at the process of implementing. Broader that it looks at the entirety of your operations: facility, supply chain, quality system, etc.
The design risk assessment and risk management activities informs the change management risk assessment, but it cannot replace them. They also can serve to lower the rigor of the change management risk assessment, allowing the use of a less formal tool.
Living Risk Reviews
In the third phase of risk management – risk review – we confirm that the risks identified and mitigated as planned and are functioning as intended. We also evaluate to see if any additional, previously unpredicted risks have appeared. Risk review is the living part of the lifecycle as we return to it on a periodic basis.
From this will come new mitigations, targeted to address the identified risks. These mitigations inevitably lead to change management.
We again do a new risk assessment focusing on the risk of implementing the change. Informed by the living risk assessment, we can often utilize a less formal tool to look at the full ramifications of introducing the mitigation (a change).
Change Controls contains Risk Management
Effective change management is enabled by risk management.
Each and every change requires a risk assessment to capture the risks of the change. This ICHQ10 requirement is the best way to determine if the change is acceptable.
This risk assessment evaluates the impact on the change on the facility, equipment, materials, supply chain, processes. testing, quality systems and everything else. It is one of the critical reasons it is crucial to involve the right experts.
From this risk assessment comes the appropriate actions before implementing the change, as well as appropriate follow-up activities and it can help define the effectiveness review.
What about grouped change controls?
Depends. Sometimes the risk management looks at the individual implementations. Othertimes you need to do separate ones. Many times the risk assessment lead you to breaking up one change control into many. Evaluate as follows:
- Are the risks from the separate implementations appropriately captured
- Are the risks from pauses between implementations appropriately captured
- As the ripples appropriately understood
Change Management Leads back to Risk Management
Sometimes a change control requires a specific risk assessment to be updated, or requires specific risk management to happen.
What about HAACP?
Hazard Analysis Critical Control Point (HACCP) are great tools for risk assessments. They are often the catalyst for doing a change, they are often the artifact of a change. They should never be utilized for determining the impact of a change.
A hazard is any biological, chemical, or physical property that impacts human safety. The HAACP identifies and establishes critical limits. But a HAACP is not the tool to use to determine if a change should move forward and what actions to do. It is to static.
In Closing
Risk Management is an enabler for change, a tenet enshrined in the ICH guidances. We are engaging in risk management activities throughout our organizations. It is critical to understand how the various risk management activities fit together and how they should be separated.
Investigations of a Dog 
15 thoughts on “Risk Management leads to Change Management, Change Management contains Risk Management”