Evaluating the Periphery Cases of Regulatory Actions

I have written in the past that I do not treat all regulatory compliance actions with equal importance. Not every Form 483 or Warning Letter carries the same weight; their significance is determined by the nature of the company involved.

Take the April 2025 Warning Letter to Cosco International, for example. One might quickly react with, “Holy cow! No process validation or cleaning validation—how is this even possible?” This could spark an exhaustive discussion about why these regulations have been in place for 30 years and the urgent need for companies to comply. But frankly, that discussion offers nothing really valuable to a company that already realizes it needs to do process validation.

Yet this Warning Letter highlights a fundamental misunderstanding among companies regarding the difference between a cosmetic and a drug. Speaking as someone who reads Warning Letters, this seems to be a fairly common problem.

Key Regulatory Distinctions

  • Cosmetics: Products intended solely for cleansing, beautifying, or altering the appearance without affecting bodily functions are regulated as cosmetics under the FDA. These are not required to undergo premarket approval, except for color additives.
  • Drugs: Products intended to diagnose, cure, mitigate, treat, or prevent disease or that affect the structure or function of the body (such as blocking sweat glands) are regulated as drugs. This includes antiperspirants, regardless of their application site.

So this is not really all that interesting from a biotech perspective, but it would be a fascinating insight into some bad trends if I were on the consumer goods side of the profession.

But, as I discussed, there is value in reading these holistically, for what they tell us regulators are thinking. In this case, there is a nice little set of bullet points on what is the bare minimum in cleaning validation.

Applying Jobs-to-Be-Done to Risk Management

In my recent exploration of the Jobs-to-Be-Done (JTBD) tool for process improvement, I examined how this customer-centric approach could revolutionize our understanding of deviation management. I want to extend that analysis to another fundamental challenge in pharmaceutical quality: risk management.

As we grapple with increasing regulatory complexity, accelerating technological change, and the persistent threat of risk blindness, most organizations remain trapped in what I call “compliance theater”—performing risk management activities that satisfy auditors but fail to build genuine organizational resilience. JTBD is a useful tool as we move beyond this theater toward risk management that actually creates value.

The Risk Management Jobs Users Actually Hire

When quality professionals, executives, and regulatory teams engage with risk management processes, what job are they really trying to accomplish? The answer reveals a profound disconnect between organizational intent and actual capability.

The Core Functional Job

“When facing uncertainty that could impact product quality, patient safety, or business continuity, I want to systematically understand and address potential threats, so I can make confident decisions and prevent surprise failures.”

This job statement immediately exposes the inadequacy of most risk management systems. They focus on documentation rather than understanding, assessment rather than decision enablement, and compliance rather than prevention.

The Consumption Jobs: The Hidden Workload

Risk management involves numerous consumption jobs that organizations often ignore:

  • Evaluation and Selection: “I need to choose risk assessment methodologies that match our operational complexity and regulatory environment.”
  • Implementation and Training: “I need to build organizational risk capability without creating bureaucratic overhead.”
  • Maintenance and Evolution: “I need to keep our risk approach current as our business and threat landscape evolves.”
  • Integration and Communication: “I need to ensure risk insights actually influence business decisions rather than gathering dust in risk registers.”

These consumption jobs represent the difference between risk management systems that organizations grudgingly tolerate and those they genuinely want to “hire.”

The Eight-Step Risk Management Job Map

Applying JTBD’s universal job map to risk management reveals where current approaches systematically fail:

1. Define: Establishing Risk Context

What users need: Clear understanding of what they’re assessing, why it matters, and what decisions the risk analysis will inform.

Current reality: Risk assessments often begin with template completion rather than context establishment, leading to generic analyses that don’t support actual decision-making.

2. Locate: Gathering Risk Intelligence

What users need: Access to historical data, subject matter expertise, external intelligence, and tacit knowledge about how things actually work.

Current reality: Risk teams typically work from documentation rather than engaging with operational reality, missing the pattern recognition and apprenticeship dividend that experienced practitioners possess.

3. Prepare: Creating Assessment Conditions

What users need: Diverse teams, psychological safety for honest risk discussions, and structured approaches that challenge rather than confirm existing assumptions.

Current reality: Risk assessments often involve homogeneous teams working through predetermined templates, perpetuating the GI Joe fallacy—believing that knowledge of risk frameworks prevents risky thinking.

4. Confirm: Validating Assessment Readiness

What users need: Confidence that they have sufficient information, appropriate expertise, and clear success criteria before proceeding.

Current reality: Risk assessments proceed regardless of information quality or team readiness, driven by schedule rather than preparation.

5. Execute: Conducting Risk Analysis

What users need: Systematic identification of risks, analysis of interconnections, scenario testing, and development of robust mitigation strategies.

Current reality: Risk analysis often becomes risk scoring—reducing complex phenomena to numerical ratings that provide false precision rather than genuine insight.

6. Monitor: Tracking Risk Reality

What users need: Early warning systems that detect emerging risks and validate the effectiveness of mitigation strategies.

Current reality: Risk monitoring typically involves periodic register updates rather than active intelligence gathering, missing the dynamic nature of risk evolution.

7. Modify: Adapting to New Information

What users need: Responsive adjustment of risk strategies based on monitoring feedback and changing conditions.

Current reality: Risk assessments often become static documents, updated only during scheduled reviews rather than when new information emerges.

8. Conclude: Capturing Risk Learning

What users need: Systematic capture of risk insights, pattern recognition, and knowledge transfer that builds organizational risk intelligence.

Current reality: Risk analysis conclusions focus on compliance closure rather than learning capture, missing opportunities to build the organizational memory that prevents risk blindness.

The Emotional and Social Dimensions

Risk management involves profound emotional and social jobs that traditional approaches ignore:

  • Confidence: Risk practitioners want to feel genuinely confident that significant threats have been identified and addressed, not just that procedures have been followed.
  • Intellectual Satisfaction: Quality professionals are attracted to rigorous analysis and robust reasoning—risk management should engage their analytical capabilities, not reduce them to form completion.
  • Professional Credibility: Risk managers want to be perceived as strategic enablers rather than bureaucratic obstacles—as trusted advisors who help organizations navigate uncertainty rather than create administrative burden.
  • Organizational Trust: Executive teams want assurance that their risk management capabilities are genuinely protective, not merely compliant.

What’s Underserved: The Innovation Opportunities

JTBD analysis reveals four critical areas where current risk management approaches systematically underserve user needs:

Risk Intelligence

Current systems document known risks but fail to develop early warning capabilities, pattern recognition across multiple contexts, or predictive insights about emerging threats. Organizations need risk management that builds institutional awareness, not just institutional documentation.

Decision Enablement

Risk assessments should create confidence for strategic decisions, enable rapid assessment of time-sensitive opportunities, and provide scenario planning that prepares organizations for multiple futures. Instead, most risk management creates decision paralysis through endless analysis.

Organizational Capability

Effective risk management should build risk literacy across all levels, create cultural resilience that enables honest risk conversations, and develop adaptive capacity to respond when risks materialize. Current approaches often centralize risk thinking rather than distributing risk capability.

Stakeholder Trust

Risk management should enable transparent communication about threats and mitigation strategies, demonstrate competence in risk anticipation, and provide regulatory confidence in organizational capabilities. Too often, risk management creates opacity rather than transparency.

Canvas representation of the JTBD

Moving Beyond Compliance Theater

The JTBD framework helps us address a key challenge in risk management: many organizations place excessive emphasis on “table stakes” such as regulatory compliance and documentation requirements, while neglecting vital aspects like intelligence, enablement, capability, and trust that contribute to genuine resilience.

This represents a classic case of process myopia—becoming so focused on risk management activities that we lose sight of the fundamental job those activities should accomplish. Organizations perfect their risk registers while remaining vulnerable to surprise failures, not because they lack risk management processes, but because those processes fail to serve the jobs users actually need accomplished.

Design Principles for User-Centered Risk Management

  • Context Over Templates: Begin risk analysis with clear understanding of decisions to be informed rather than forms to be completed.
  • Intelligence Over Documentation: Prioritize systems that build organizational awareness and pattern recognition rather than risk libraries.
  • Engagement Over Compliance: Create risk processes that attract rather than burden users, recognizing that effective risk management requires active intellectual participation.
  • Learning Over Closure: Structure risk activities to build institutional memory and capability rather than simply completing assessment cycles.
  • Integration Over Isolation: Ensure risk insights flow naturally into operational decisions rather than remaining in separate risk management systems.

Hiring Risk Management for Real Jobs

The most dangerous risk facing pharmaceutical organizations may be risk management systems that create false confidence while building no real capability. JTBD analysis reveals why: these systems optimize for regulatory approval rather than user needs, creating elaborate processes that nobody genuinely wants to “hire.”

True risk management begins with understanding what jobs users actually need accomplished: building confidence for difficult decisions, developing organizational intelligence about threats, creating resilience against surprise failures, and enabling rather than impeding business progress. Organizations that design risk management around these jobs will develop competitive advantages in an increasingly uncertain world.

The choice is clear: continue performing compliance theater, or build risk management systems that organizations genuinely want to hire. In a world where zemblanity—the tendency to encounter negative, foreseeable outcomes—threatens every quality system, only the latter approach offers genuine protection.

Risk management should not be something organizations endure. It should be something they actively seek because it makes them demonstrably better at navigating uncertainty and protecting what matters most.

The Jobs-to-Be-Done (JTBD): Origins, Function, and Value for Quality Systems

In the relentless march of quality and operational improvement, frameworks, methodologies and tools abound but true breakthrough is rare. There is a persistent challenge: organizations often become locked into their own best practices, relying on habitual process reforms that seldom address the deeper why of operational behavior. This “process myopia”—where the visible sequence of tasks occludes the real purpose—runs in parallel to risk blindness, leaving many organizations vulnerable to the slow creep of inefficiency, bias, and ultimately, quality failures.

The Jobs-to-Be-Done (JTBD) tool offers an effective method for reorientation. Rather than focusing on processes or systems as static routines, JTBD asks a deceptively simple question: What job are people actually hiring this process or tool to do? In deviation management, audit response, even risk assessment itself, the answer to this question is the gravitational center on which effective redesign can be based.

What Does It Mean to Hire a Process?

To “hire” a process—even when it is a regulatory obligation—means viewing the process not merely as a compliance requirement, but as a tool or mechanism that stakeholders use to achieve specific, desirable outcomes beyond simple adherence. In Jobs-to-Be-Done (JTBD), the idea of “hiring” a process reframes organizational behavior: stakeholders (such as quality professionals, operators, managers, or auditors) are seen as engaging with the process to get particular jobs done—such as ensuring product safety, demonstrating control to regulators, reducing future risk, or creating operational transparency.

When a process is regulatory-mandated—such as deviation management, change control, or batch release—the “hiring” metaphor recognizes two coexisting realities:

Dual Functions: Compliance and Value Creation

  • Compliance Function: The organization must follow the process to satisfy legal, regulatory, or contractual obligations. Not following is not an option; it’s legally or organizationally enforced.
  • Functional “Hiring”: Even for required processes, users “hire” the process to accomplish additional jobs—like protecting patients, facilitating learning from mistakes, or building organizational credibility. A well-designed process serves both external (regulatory) and internal (value-creating) goals.

Implications for Process Design

  • Stakeholders still have choices in how they interact with the process—they can engage deeply (to learn and improve) or superficially (for box-checking), depending on how well the process helps them do their “real” job.
  • If a process is viewed only as a regulatory tax, users will find ways to shortcut, minimally comply, or bypass the spirit of the requirement, undermining learning and risk mitigation.
  • Effective design ensures the process delivers genuine value, making “compliance” a natural by-product of a process stakeholders genuinely want to “hire”—because it helps them achieve something meaningful and important.

Practical Example: Deviation Management

  • Regulatory “Must”: Deviations must be documented and investigated under GMP.
  • Users “Hire” the Process to: Identify real risks early, protect quality, learn from mistakes, and demonstrate control in audits.
  • If the process enables those jobs well, it will be embraced and used effectively. If not, it becomes paperwork compliance—and loses its potential as a learning or risk-reduction tool.

To “hire” a process under regulatory obligation is to approach its use intentionally, ensuring it not only satisfies external requirements but also delivers real value for those required to use it. The ultimate goal is to design a process that people would choose to “hire” even if it were not mandatory—because it supports their intrinsic goals, such as maintaining quality, learning, and risk control.

Unpacking Jobs-to-Be-Done: The Roots of Customer-Centricity

Historical Genesis: From Marketing Myopia to Outcome-Driven Innovation

The JTBD’s intellectual lineage traces back to Theodore Levitt’s famous adage: “People don’t want to buy a quarter-inch drill. They want a quarter-inch hole.” This insight, presented in his seminal 1960 Harvard Business Review article “Marketing Myopia,” underscores the fatal flaw of most process redesigns: overinvestment in features, tools, and procedures, while neglecting the underlying human need or outcome.

This thinking resonates strongly with Peter Drucker’s core dictum that “the purpose of a business is to create and keep a customer”—and that marketing and innovation, not internal optimization, are the only valid means to this end. Both Drucker and Levitt’s insights form the philosophical substrate for JTBD, framing the product, system, or process not as an end in itself, but as a means to enable desired change in someone’s “real world”.

Modern JTBD: Ulwick, Christensen, and Theory Development

Tony Ulwick, after experiencing firsthand the failure of IBM’s PCjr product, launched a search to discover how organizations could systematically identify the outcomes customers (or process users) use to judge new offerings. Ulwick formalized jobs-as-process thinking, and by marrying Six Sigma concepts with innovation research, developed the “Outcome-Driven Innovation” (ODI) method, later shared with Clayton Christensen at Harvard.

Clayton Christensen, in his disruption theory research, sharpened the framing: customers don’t simply buy products—they “hire” them to get a job done, to make progress in their lives or work. He and Bob Moesta extended this to include the emotional and social dimensions of these jobs, and added nuance on how jobs can signal category-breaking opportunities for disruptive innovation. In essence, JTBD isn’t just about features; it’s about the outcome and the experience of progress.

The JTBD tool is now well-established in business, product development, health care, and increasingly, internal process improvement.

What Is a “Job” and How Does JTBD Actually Work?

Core Premise: The “Job” as the Real Center of Process Design

A “Job” in JTBD is not a task or activity—it is the progress someone seeks in a specific context. In regulated quality systems, this reframing prompts a pivotal question: For every step in the process, what is the user actually trying to achieve?

JTBD Statement Structure:

When [situation], I want to [job], so I can [desired outcome].

  • “When a process deviation occurs, I want to quickly and accurately assess impact, so I can protect product quality without delaying production.”
  • “When reviewing supplier audit responses, I want to identify meaningful risk signals, so I can challenge assumptions before they become failures.”

The Mechanics: Job Maps, Outcome Statements, and Dimensional Analysis

Job Map:

JTBD practitioners break the “job” down into a series of steps—the job map—outlining the user’s journey to achieve the desired progress. Ulwick’s “Universal Job Map” includes steps like: Define and plan, Locate inputs, Prepare, Confirm and validate, Execute, Monitor, Modify, and Conclude.

Dimension Analysis:
A full JTBD approach considers not only the functional needs (what must be accomplished), but also emotional (how users want to feel), social (how users want to appear), and cost (what users have to give up).

Outcome Statements:
JTBD expresses desired process outcomes in solution-agnostic language: To [achieve a specific goal], [user] must [perform action] to [produce a result].

The Relationship Between Job Maps and Process Maps

Job maps and process maps represent fundamentally different approaches to understanding and documenting work, despite both being visual tools that break down activities into sequential steps. Understanding their relationship reveals why each serves distinct purposes in organizational improvement efforts.

Core Distinction: Purpose vs. Execution

Job Maps focus on what customers or users are trying to accomplish—their desired outcomes and progress independent of any specific solution or current method. A job map asks: “What is the person fundamentally trying to achieve at each step?”

Process Maps focus on how work currently gets done—the specific activities, decisions, handoffs, and systems involved in executing a workflow. A process map asks: “What are the actual steps, roles, and systems involved in completing this work?”

Job Map Structure

Job maps follow a universal eight-step method regardless of industry or solution:

  1. Define – Determine goals and plan resources
  2. Locate – Gather required inputs and information
  3. Prepare – Set up the environment for execution
  4. Confirm – Verify readiness to proceed
  5. Execute – Carry out the core activity
  6. Monitor – Assess progress and performance
  7. Modify – Make adjustments as needed
  8. Conclude – Finish or prepare for repetition

Process Map Structure

Process maps vary significantly based on the specific workflow being documented and typically include:

  • Tasks and activities performed by different roles
  • Decision points where choices affect the flow
  • Handoffs between departments or systems
  • Inputs and outputs at each step
  • Time and resource requirements
  • Exception handling and alternate paths

Perspective and Scope

Job Maps maintain a solution-agnostic perspective. We can actually get pretty close to universal industry job maps: whatever approach an individual organization takes, the job map remains the same because it captures the underlying functional need, not the method of fulfillment. A job map starts an improvement effort, helping us understand what needs to exist.

Process Maps are solution-specific. They document exactly how a particular organization, system, or workflow operates, including specific tools, roles, and procedures currently in use. The process map defines what is, and is an outcome of process improvement.

JTBD vs. Design Thinking, and Other Process Redesign Models

Most process improvement methodologies—including classic “design thinking”—center around incremental improvement, risk minimization, and stakeholder consensus. As previously critiqued, design thinking’s participatory workshops and empathy prototypes can often reinforce conservative bias, indirectly perpetuating the status quo. The tendency to interview, ideate, and choose the “least disruptive” option can perpetuate the “GI Joe Fallacy”: knowing is not enough; action emerges only through challenged structures and direct engagement.

JTBD’s strength?

It demands that organizations reframe the purpose and metrics of every step and tool: not “How do we optimize this investigation template?” but rather “Does this investigation process help users make actual progress towards safer, more effective risk detection?” JTBD uncovers latent needs, both explicit and tacit, that design thinking’s post-it note workshops often fail to surface.

Why JTBD Is Invaluable for Process Design in Quality Systems

JTBD Enables Auditable Process Redesign

In pharmaceutical manufacturing, deviation management is a linchpin process—defining how organizations identify, document, investigate, and respond to events that depart from expected norms. Classic improvement initiatives target cycle time, documentation accuracy, or audit readiness. But JTBD pushes deeper.

Example JTBD Analysis for Deviations:

  • Trigger: A deviation is detected.
  • Job: “I want to report and contextualize the event accurately, so I can ensure an effective response without causing unnecessary disruption.”
  • Desired Outcome: Minimized product quality risk, transparency of root causes, actionable learning, regulatory confidence.

By mapping out the jobs of different deviation process stakeholders—production staff, investigation leaders, quality approvers, regulatory auditors—organizations can surface unmet needs: e.g., “Accelerating cross-functional root cause analysis while maintaining unbiased investigation integrity”; “Helping frontline operators feel empowered rather than blamed for honest reporting”; “Ensuring remediation is prioritized and tracked.”

Revealing Hidden Friction and Underserved Needs

JTBD methodology surfaces both overt and tacit pain points, often ignored in traditional process audits:

  • Operators “hire” process workarounds when formal documentation is slow or punitive.
  • Investigators seek intuitive data access, not just fields for “root cause.”
  • Approvers want clarity, not bureaucracy.
  • Regulatory reviewers “hire” the deviation process to provide organizational intelligence—not just box-checking.

A JTBD-based diagnostic invariably shows where job performance is low, but process compliance is high—a warning sign of process myopia and risk blindness.

Practical JTBD for Deviation Management: Step-by-Step Example

Job Statement and Context Definition

Define user archetypes:

  • Frontline Production Staff: “When a deviation occurs, I want a frictionless way to report it, so I can get support and feedback without being blamed.”
  • Quality Investigator: “When reviewing deviations, I want accessible, chronological data so I can detect patterns and act swiftly before escalation.”
  • Quality Leader: “When analyzing deviation trends, I want systemic insights that allow for proactive action—not just retrospection.”

Job Mapping: Stages of Deviation Lifecycle

  • Trigger/Detection: Event recognition (pattern recognition)—often leveraging both explicit SOPs and staff tacit knowledge.
  • Reporting: Document the event in a way that preserves context and allows for nuanced understanding.
  • Assessment: Rapid triage—“Is this risk emergent or routine? Is there unseen connection to a larger trend?” “Does this impact the product?”
  • Investigation: “Does the process allow multidisciplinary problem-solving, or does it force siloed closure? Are patterns shared across functions?”
  • Remediation: Job statement: “I want assurance that action will prevent recurrence and create meaningful learning.”
  • Closure and Learning Loop: “Does the process enable reflective practice and cognitive diversity—can feedback loops improve risk literacy?”

JTBD mapping reveals specific breakpoints: documentation systems that prioritize completeness over interpretability, investigation timelines that erode engagement, premature closure.

Outcome Statements for Metrics

Instead of “deviations closed on time,” measure:

  • Number of deviations generating actionable cross-functional insights.
  • Staff perception of process fairness and learning.
  • Time to credible remediation vs. time to closure.
  • Audit reviewer alignment with risk signals detected pre-close, not only post-mortem.

JTBD and the Apprenticeship Dividend: Pattern Recognition and Tacit Knowledge

JTBD, when deployed authentically, actively supports the development of deeper pattern recognition and tacit knowledge—qualities essential for risk resilience.

  • Structured exposure programs ensure users “hire” the process to learn common and uncommon risks.
  • Cognitively diverse teams ensure the job of “challenging assumptions” is not just theoretical.
  • True process improvement emerges when the system supports practice, reflection, and mentoring—outcomes unmeasurable by conventional improvement metrics.

JTBD Limitations: Caveats and Critical Perspective

No methodology is infallible. JTBD is only as powerful as the organization’s willingness to confront uncomfortable truths and challenge compliance-driven inertia:

  • Rigorous but Demanding: JTBD synthesis is non-“snackable” and lacks the pop-management immediacy of other tools.
  • Action Over Awareness: Knowing the job to be done is not sufficient; structures must enable action.
  • Regulatory Realities: Quality processes must satisfy regulatory standards, which are not always aligned with lived user experience. JTBD should inform, not override, compliance strategies.
  • Skill and Culture: Successful use demands qualitative interviewing skill, genuine cross-functional buy-in, and a culture of psychological safety—conditions not easily created.

Despite these challenges, JTBD remains unmatched for surfacing hidden process failures, uncovering underserved needs, and catalyzing redesign where it matters most.

Breaking Through the Status Quo

Many organizations pride themselves on their calibration routines, investigation checklists, and digital documentation platforms. But the reality is that these systems are often “hired” not to create learning—but to check boxes, push responsibility, and sustain the illusion of control. This leads to risk blindness, and organizations systematically make themselves vulnerable when process myopia replaces real learning – zemblanity.

JTBD’s foundational question—“What job are we hiring this process to do?”—is more than a strategic exercise. It is a countermeasure against stagnation and blindness. It insists on radical honesty, relentless engagement, and humility before the complexity of operational reality. For deviation management, JTBD is a tool not just for compliance, but for organizational resilience and quality excellence.

Quality leaders should invest in JTBD not as “one more tool,” but as a philosophical commitment: a way to continually link theory to action, root cause to remediation, and process improvement to real progress. Only then will organizations break free of procedural conservatism, cure risk blindness, and build systems worthy of trust and regulatory confidence.

Risk Blindness: The Invisible Threat

Risk blindness is an insidious loss of organizational perception—the gradual erosion of a company’s ability to recognize, interpret, and respond to threats that undermine product safety, regulatory compliance, and ultimately, patient trust. It is not merely ignorance or oversight; rather, risk blindness manifests as the cumulative inability to see threats, often resulting from process shortcuts, technology overreliance, and the undervaluing of hands-on learning.

Unlike risk aversion or neglect, which involves conscious choices, risk blindness is an unconscious deficiency. It often stems from structural changes like the automation of foundational jobs, fragmented risk ownership, unchallenged assumptions, and excessive faith in documentation or AI-generated reports. At its core, risk blindness breeds a false sense of security and efficiency while creating unseen vulnerabilities.

Pattern Recognition and Risk Blindness: The Cognitive Foundation of Quality Excellence

The Neural Architecture of Risk Detection

Pattern recognition lies at the heart of effective risk management in quality systems. It represents the sophisticated cognitive process by which experienced professionals unconsciously scan operational environments, data trends, and behavioral cues to detect emerging threats before they manifest as full-scale quality events. This capability distinguishes expert practitioners from novices and forms the foundation of what we might call “risk literacy” within quality organizations.

The development of pattern recognition in pharmaceutical quality follows predictable stages. At the most basic level (Level 1 Situational Awareness), professionals learn to perceive individual elements—deviation rates, environmental monitoring trends, supplier performance metrics. However, true expertise emerges at Level 2 (Comprehension), where practitioners begin to understand the relationships between these elements, and Level 3 (Projection), where they can anticipate future system states based on current patterns.

Research in clinical environments demonstrates that expert pattern recognition relies on matching current situational elements with previously stored patterns and knowledge, creating rapid, often unconscious assessments of risk significance. In pharmaceutical quality, this translates to the seasoned professional who notices that “something feels off” about a batch record, even when all individual data points appear within specification, or the environmental monitoring specialist who recognizes subtle trends that precede contamination events.

The Apprenticeship Dividend: Building Pattern Recognition Through Experience

The development of sophisticated pattern recognition capabilities requires what we’ve previously termed the “apprenticeship dividend”—the cumulative learning that occurs through repeated exposure to routine operations, deviations, and corrective actions. This learning cannot be accelerated through technology or condensed into senior-level training programs; it must be built through sustained practice and mentored reflection.

The Stages of Pattern Recognition Development:

Foundation Stage (Years 1-2): New professionals learn to identify individual risk elements—understanding what constitutes a deviation, recognizing out-of-specification results, and following investigation procedures. Their pattern recognition is limited to explicit, documented criteria.

Integration Stage (Years 3-5): Practitioners begin to see relationships between different quality elements. They notice when environmental monitoring trends correlate with equipment issues, or when supplier performance changes precede raw material problems. This represents the emergence of tacit knowledge—insights that are difficult to articulate but guide decision-making.

Mastery Stage (Years 5+): Expert practitioners develop what researchers call “intuitive expertise”—the ability to rapidly assess complex situations and identify subtle risk patterns that others miss. They can sense when an investigation is heading in the wrong direction, recognize when supplier responses are evasive, or detect process drift before it appears in formal metrics.

Tacit Knowledge: The Uncodifiable Foundation of Risk Assessment

Perhaps the most critical aspect of pattern recognition in pharmaceutical quality is the role of tacit knowledge—the experiential wisdom that cannot be fully documented or transmitted through formal training systems. Tacit knowledge encompasses the subtle cues, contextual understanding, and intuitive insights that experienced professionals develop through years of hands-on practice.

In pharmaceutical quality systems, tacit knowledge manifests in numerous ways:

  • Knowing which equipment is likely to fail after cleaning cycles, based on subtle operational cues rather than formal maintenance schedules
  • Recognizing when supplier audit responses are technically correct but practically inadequate
  • Sensing when investigation teams are reaching premature closure without adequate root cause analysis
  • Detecting process drift through operator reports and informal observations before it appears in formal monitoring data

This tacit knowledge cannot be captured in standard operating procedures or electronic systems. It exists in the experienced professional’s ability to read “between the lines” of formal data, to notice what’s missing from reports, and to sense when organizational pressures are affecting the quality of risk assessments.

The GI Joe Fallacy: The Dangers of “Knowing is Half the Battle”

A persistent—and dangerous—belief in quality organizations is the idea that simply knowing about risks, standards, or biases will prevent us from falling prey to them. This is known as the GI Joe fallacy—the misguided notion that awareness is sufficient to overcome cognitive biases or drive behavioral change.

What is the GI Joe Fallacy?

Inspired by the classic 1980s G.I. Joe cartoons, which ended each episode with “Now you know. And knowing is half the battle,” the GI Joe fallacy describes the disconnect between knowledge and action. Cognitive science consistently shows that knowing about biases or desired actions does not ensure that individuals or organizations will behave accordingly.

Even the founder of bias research, Daniel Kahneman, has noted that reading about biases doesn’t fundamentally change our tendency to commit them. Organizations often believe that training, SOPs, or system prompts are enough to inoculate staff against error. In reality, knowledge is only a small part of the battle; much larger are the forces of habit, culture, distraction, and deeply rooted heuristics.

GI Joe Fallacy in Quality Risk Management

In pharmaceutical quality risk management, the GI Joe fallacy can have severe consequences. Teams may know the details of risk matrices, deviation procedures, and regulatory requirements, yet repeatedly fail to act with vigilance or critical scrutiny in real situations. Loss aversion, confirmation bias, and overconfidence persist even for those trained in their dangers.

For example, base rate neglect—a bias where salient event data distracts from underlying probabilities—can influence decisions even when staff know better intellectually. This manifests in investigators overreacting to recent dramatic events while ignoring stable process indicators. Knowing about risk frameworks isn’t enough; structures and culture must be designed specifically to challenge these biases in practice, not simply in theory.

Structural Roots of Risk Blindness

The False Economy of Automation and Overconfidence

Risk blindness often arises from a perceived efficiency gained through process automation or the curtailment of on-the-ground learning. When organizations substitute passive oversight for active engagement, staff lose critical exposure to routine deviations and process variables.

Senior staff who only approve system-generated risk assessments lack daily operational familiarity, making them susceptible to unseen vulnerabilities. Real risk assessment requires repeated, active interaction with process data—not just a review of output.

Fragmented Ownership and Deficient Learning Culture

Risk ownership must be robust and proximal. When roles are fragmented—where the “system” manages risk and people become mere approvers—vital warnings can be overlooked. A compliance-oriented learning culture that believes training or SOPs are enough to guard against operational threats falls deeper into the GI Joe fallacy: knowledge is mistaken for vigilance.

Instead, organizations need feedback loops, reflection, and opportunities to surface doubts and uncertainties. Training must be practical and interactive, not limited to information transfer.

Zemblanity: The Shadow of Risk Blindness

Zemblanity is the antithesis of serendipity in the context of pharmaceutical quality—it describes the persistent tendency for organizations to encounter negative, foreseeable outcomes when risk signals are repeatedly ignored, misunderstood, or left unacted upon.

When examining risk blindness, zemblanity stands as the practical outcome: a quality system that, rather than stumbling upon unexpected improvements or positive turns, instead seems trapped in cycles of self-created adversity. Unlike random bad luck, zemblanity results from avoidable and often visible warning signs—deviations that are rationalized, oversight meetings that miss the point, and cognitive biases like the GI Joe fallacy that lull teams into a false sense of mastery.

Real-World Manifestations

Case: The Disappearing Deviation

Digital batch records reduced documentation errors and deviation reports, creating an illusion of process control. But when technology transfer led to out-of-spec events, the lack of manually trained eyes meant no one was poised to detect subtle process anomalies. Staff “knew” the process in theory—yet risk blindness set in because the signals were no longer being actively, expertly interpreted. Knowledge alone was not enough.

Case: Supplier Audit Blindness

Virtual audits relying solely on documentation missed chronic training issues that onsite teams would likely have noticed. The belief that checklist knowledge and documentation sufficed prevented the team from recognizing deeper underlying risks. Here, the GI Joe fallacy made the team believe their expertise was shield enough, when in reality, behavioral engagement and observation were necessary.

Counteracting Risk Blindness: Beyond Knowing to Acting

Effective pharmaceutical quality systems must intentionally cultivate and maintain pattern recognition capabilities across their workforce. This requires structured approaches that go beyond traditional training and incorporate the principles of expertise development:

Structured Exposure Programs: New professionals need systematic exposure to diverse risk scenarios—not just successful cases, but also investigations that went wrong, supplier audits that missed problems, and process changes that had unexpected consequences. This exposure must be guided by experienced mentors who can help identify and interpret relevant patterns.

Cross-Functional Pattern Sharing: Different functional areas—manufacturing, quality control, regulatory affairs, supplier management—develop specialized pattern recognition capabilities. Organizations need systematic mechanisms for sharing these patterns across functions, ensuring that insights from one area can inform risk assessment in others.

Cognitive Diversity in Assessment Teams: Research demonstrates that diverse teams are better at pattern recognition than homogeneous groups, as different perspectives help identify patterns that might be missed by individuals with similar backgrounds and experience. Quality organizations should intentionally structure assessment teams to maximize cognitive diversity.

Systematic Challenge Processes: Pattern recognition can become biased or incomplete over time. Organizations need systematic processes for challenging established patterns—regular “red team” exercises, external perspectives, and structured devil’s advocate processes that test whether recognized patterns remain valid.

Reflective Practice Integration: Pattern recognition improves through reflection on both successes and failures. Organizations should create systematic opportunities for professionals to analyze their pattern recognition decisions, understand when their assessments were accurate or inaccurate, and refine their capabilities accordingly.

Using AI as a Learning Accelerator

AI and automation should support, not replace, human risk assessment. Tools can help new professionals identify patterns in data, but must be employed as aids to learning—not as substitutes for judgment or action.

Diagnosing and Treating Risk Blindness

Assess organizational risk literacy not by the presence of knowledge, but by the frequency of active, critical engagement with real risks. Use self-assessment questions such as:

  • Do deviation investigations include frontline voices, not just system reviewers?
  • Are new staff exposed to real processes and deviations, not just theoretical scenarios?
  • Are risk reviews structured to challenge assumptions, not merely confirm them?
  • Is there evidence that knowledge is regularly translated into action?

Why Preventing Risk Blindness Matters

Regulators evaluate quality maturity not simply by compliance, but by demonstrable capability to anticipate and mitigate risks. AI and digital transformation are intensifying the risk of the GI Joe fallacy by tempting organizations to substitute data and technology for judgment and action.

As experienced professionals retire, the gap between knowing and doing risks widening. Only organizations invested in hands-on learning, mentorship, and behavioral feedback will sustain true resilience.

Choosing Sight

Risk blindness is perpetuated by the dangerous notion that knowing is enough. The GI Joe fallacy teaches that organizational memory, vigilance, and capability require much more than knowledge—they demand deliberate structures, engaged cultures, and repeated practice that link theory to action.

Quality leaders must invest in real development, relentless engagement, and humility about the limits of their own knowledge. Only then will risk blindness be cured, and resilience secured.

Beyond “Knowing Is Half the Battle”

Dr. Valerie Mulholland’s recent exploration of the GI Joe Bias gets to the heart of a fundamental challenge in pharmaceutical quality management: the persistent belief that awareness of cognitive biases is sufficient to overcome them. I find Valerie’s analysis particularly compelling because it connects directly to the practical realities we face when implementing ICH Q9(R1)’s mandate to actively manage subjectivity in risk assessment.

Valerie’s observation that “awareness of a bias does little to prevent it from influencing our decisions” shows us that the GI Joe Bias underlies a critical gap between intellectual understanding and practical application—a gap that pharmaceutical organizations must bridge if they hope to achieve the risk-based decision-making excellence that ICH Q9(R1) demands.

The Expertise Paradox: Why Quality Professionals Are Particularly Vulnerable

Valerie correctly identifies that quality risk management facilitators are often better at spotting biases in others than in themselves. This observation connects to a deeper challenge I’ve previously explored: the fallacy of expert immunity. Our expertise in pharmaceutical quality systems creates cognitive patterns that simultaneously enable rapid, accurate technical judgments while increasing our vulnerability to specific biases.

The very mechanisms that make us effective quality professionals—pattern recognition, schema-based processing, heuristic shortcuts derived from base rate experiences—are the same cognitive tools that generate bias. When I conduct investigations or facilitate risk assessments, my extensive experience with similar events creates expectations and assumptions that can blind me to novel failure modes or unexpected causal relationships. This isn’t a character flaw; it’s an inherent part of how expertise develops and operates.

Valerie’s emphasis on the need for trained facilitators in high-formality QRM activities reflects this reality. External facilitation isn’t just about process management—it’s about introducing cognitive diversity and bias detection capabilities that internal teams, no matter how experienced, cannot provide for themselves. The facilitator serves as a structured intervention against the GI Joe fallacy, embodying the systematic approaches that awareness alone cannot deliver.

From Awareness to Architecture: Building Bias-Resistant Quality Systems

The critical insight from both Valerie’s work and my writing about structured hypothesis formation is that effective bias management requires architectural solutions, not individual willpower. ICH Q9(R1)’s introduction of the “Managing and Minimizing Subjectivity” section represents recognition that regulatory compliance requires systematic approaches to cognitive bias management.

In my post on reducing subjectivity in quality risk management, I identified four strategies that directly address the limitations Valerie highlights about the GI Joe Bias:

  1. Leveraging Knowledge Management: Rather than relying on individual awareness, effective bias management requires systematic capture and application of objective information. When risk assessors can access structured historical data, supplier performance metrics, and process capability studies, they’re less dependent on potentially biased recollections or impressions.
  2. Good Risk Questions: The formulation of risk questions represents a critical intervention point. Well-crafted questions can anchor assessments in specific, measurable terms rather than vague generalizations that invite subjective interpretation. Instead of asking “What are the risks to product quality?”, effective risk questions might ask “What are the potential causes of out-of-specification dissolution results for Product X in the next 6 months based on the last three years of data?”
  3. Cross-Functional Teams: Valerie’s observation that we’re better at spotting biases in others translates directly into team composition strategies. Diverse, cross-functional teams naturally create the external perspective that individual bias recognition cannot provide. The manufacturing engineer, quality analyst, and regulatory specialist bring different cognitive frameworks that can identify blind spots in each other’s reasoning.
  4. Structured Decision-Making Processes: The tools Valerie mentions—PHA, FMEA, Ishikawa, bow-tie analysis—serve as external cognitive scaffolding that guides thinking through systematic pathways rather than relying on intuitive shortcuts that may be biased.

The Formality Framework: When and How to Escalate Bias Management

One of the most valuable aspects of ICH Q9(R1) is its introduction of the formality concept—the idea that different situations require different levels of systematic intervention. Valerie’s article implicitly addresses this by noting that “high formality QRM activities” require trained facilitators. This suggests a graduated approach to bias management that scales intervention intensity with decision importance.

This formality framework needs to include bias management, so that organizations can use it to determine when and how intensively to apply bias mitigation strategies:

  • Low Formality Situations: Routine decisions with well-understood parameters, limited stakeholders, and reversible outcomes. Basic bias awareness training and standardized checklists may be sufficient.
  • Medium Formality Situations: Decisions involving moderate complexity, uncertainty, or impact. These require cross-functional input, structured decision tools, and documentation of rationales.
  • High Formality Situations: Complex, high-stakes decisions with significant uncertainty, multiple conflicting objectives, or diverse stakeholders. These demand external facilitation, systematic bias checks, and formal documentation of how potential biases were addressed.

This framework acknowledges that the GI Joe fallacy is most dangerous in high-formality situations where the stakes are highest and the cognitive demands greatest. It’s precisely in these contexts that our confidence in our ability to overcome bias through awareness becomes most problematic.

The Cultural Dimension: Creating Environments That Support Bias Recognition

Valerie’s emphasis on fostering humility, encouraging teams to acknowledge that “no one is immune to bias, even the most experienced professionals,” connects to my observations about building expertise in quality organizations. Creating cultures that can effectively manage subjectivity requires more than tools and processes; it requires psychological safety that allows bias recognition without professional threat.

I’ve noted in past posts that organizations advancing beyond basic awareness levels demonstrate “systematic recognition of cognitive bias risks” with growing understanding that “human judgment limitations can affect risk assessment quality.” However, the transition from awareness to systematic application requires cultural changes that make bias discussion routine rather than threatening.

This cultural dimension becomes particularly important when we consider the ironic processing effects that Valerie references. When organizations create environments where acknowledging bias is seen as admitting incompetence, they inadvertently increase bias through suppression attempts. Teams that must appear confident and decisive may unconsciously avoid bias recognition because it threatens their professional identity.

The solution is creating cultures that frame bias recognition as professional competence rather than limitation. Just as we expect quality professionals to understand statistical process control or regulatory requirements, we should expect them to understand and systematically address their cognitive limitations.

Practical Implementation: Moving Beyond the GI Joe Fallacy

Building on Valerie’s recommendations for structured tools and systematic approaches, here are some specific implementation strategies that organizations can adopt to move beyond bias awareness toward bias management:

  • Bias Pre-mortems: Before conducting risk assessments, teams explicitly discuss what biases might affect their analysis and establish specific countermeasures. This makes bias consideration routine rather than reactive.
  • Devil’s Advocate Protocols: Systematic assignment of team members to challenge prevailing assumptions and identify information that contradicts emerging conclusions.
  • Perspective-Taking Requirements: Formal requirements to consider how different stakeholders (patients, regulators, operators) might view risks differently from the assessment team.
  • Bias Audit Trails: Documentation requirements that capture not just what decisions were made, but how potential biases were recognized and addressed during the decision-making process.
  • External Review Requirements: For high-formality decisions, mandatory review by individuals who weren’t involved in the initial assessment and can provide fresh perspectives.

These interventions acknowledge that bias management is not about eliminating human judgment—it’s about scaffolding human judgment with systematic processes that compensate for known cognitive limitations.

The Broader Implications: Subjectivity as Systemic Challenge

Valerie’s analysis of the GI Joe Bias connects to broader themes in my work about the effectiveness paradox and the challenges of building rigorous quality systems in an age of pop psychology. The pharmaceutical industry’s tendency to adopt appealing frameworks without rigorous evaluation extends to bias management strategies. Organizations may implement “bias training” or “awareness programs” that create the illusion of progress while failing to address the systematic changes needed for genuine improvement.

The GI Joe Bias serves as a perfect example of this challenge. It’s tempting to believe that naming the bias—recognizing that awareness isn’t enough—somehow protects us from falling into the awareness trap. But the bias is self-referential: knowing about the GI Joe Bias doesn’t automatically prevent us from succumbing to it when implementing bias management strategies.

This is why Valerie’s emphasis on systematic interventions rather than individual awareness is so crucial. Effective bias management requires changing the decision-making environment, not just the decision-makers’ knowledge. It requires building systems, not slogans.

A Call for Systematic Excellence in Bias Management

Valerie’s exploration of the GI Joe Bias provides a crucial call for advancing pharmaceutical quality management beyond the illusion that awareness equals capability. Her work, combined with ICH Q9(R1)’s explicit recognition of subjectivity challenges, creates an opportunity for the industry to develop more sophisticated approaches to cognitive bias management.

The path forward requires acknowledging that bias management is a core competency for quality professionals, equivalent to understanding analytical method validation or process characterization. It requires systematic approaches that scaffold human judgment rather than attempting to eliminate it. Most importantly, it requires cultures that view bias recognition as professional strength rather than weakness.

As I continue to build frameworks for reducing subjectivity in quality risk management and developing structured approaches to decision-making, Valerie’s insights about the limitations of awareness provide essential grounding. The GI Joe Bias reminds us that knowing is not half the battle—it’s barely the beginning.

The real battle lies in creating pharmaceutical quality systems that systematically compensate for human cognitive limitations while leveraging human expertise and judgment. That battle is won not through individual awareness or good intentions, but through systematic excellence in bias management architecture.

What structured approaches has your organization implemented to move beyond bias awareness toward systematic bias management? Share your experiences and challenges as we work together to advance the maturity of risk management practices in our industry.


Meet Valerie Mulholland

Dr. Valerie Mulholland is transforming how our industry thinks about quality risk management. As CEO and Principal Consultant at GMP Services in Ireland, Valerie brings over 25 years of hands-on experience auditing and consulting across biopharmaceutical, pharmaceutical, medical device, and blood transfusion industries throughout the EU, US, and Mexico.

But what truly sets Valerie apart is her unique combination of practical expertise and cutting-edge research. She recently earned her PhD from TU Dublin’s Pharmaceutical Regulatory Science Team, focusing on “Effective Risk-Based Decision Making in Quality Risk Management”. Her groundbreaking research has produced 13 academic papers, with four publications specifically developed to support ICH’s work—research that’s now incorporated into the official ICH Q9(R1) training materials. This isn’t theoretical work gathering dust on academic shelves; it’s research that’s actively shaping global regulatory guidance.

Why Risk Revolution Deserves Your Attention

The Risk Revolution podcast, co-hosted by Valerie alongside Nuala Calnan (25-year pharmaceutical veteran and Arnold F. Graves Scholar) and Dr. Lori Richter (Director of Risk Management at Ultragenyx with 21+ years industry experience), represents something unique in pharmaceutical podcasting. This isn’t your typical regulatory update show—it’s a monthly masterclass in advancing risk management maturity.

In an industry where staying current isn’t optional—it’s essential for patient safety—Risk Revolution offers the kind of continuing education that actually advances your professional capabilities. These aren’t recycled conference presentations; they’re conversations with the people shaping our industry’s future.