Category: risk management

Risk Based Thinking

Risk-based thinking is a crucial component of modern quality management systems and consists of four key aspects: anticipate, monitor, respond, and learn. Each aspect ensures an organization can effectively manage and mitigate risks, enhancing overall performance and reliability.

Anticipate

Anticipating risks involves proactively identifying and analyzing potential risks that could impact the organization’s operations or objectives. This step is about foreseeing problems before they occur and planning how to address them. It requires a thorough understanding of the organization’s processes, the external and internal factors that could affect these processes, and the potential consequences of various risks. By anticipating risks, organizations can prepare more effectively and prevent many issues from occurring.

Monitor

Monitoring involves continuously observing and tracking the operational environment to detect risk indicators early. This ongoing process helps catch deviations from expected outcomes or standards, which could indicate the emergence of a risk. Effective monitoring relies on establishing metrics that help to quickly and accurately identify when things are starting to veer off course. This real-time data collection is crucial for enabling timely responses to potential threats.

Respond

Responding to risks is about taking appropriate actions to manage or mitigate identified risks based on their severity and potential impact. This step involves implementing the planned risk responses that were developed during the anticipation phase. The effectiveness of these responses often depends on the speed and decisiveness of the actions taken. Responses can include adjusting processes, reallocating resources, or activating contingency plans. The goal is to minimize the organization’s and its stakeholders’ negative impact.

Learn

Learning from the management of risks is a critical component that closes the loop of risk-based thinking. This aspect involves analyzing the outcomes of risk responses and understanding what worked well and what did not. Learning from these experiences is essential for continuous improvement. It helps organizations refine risk management processes, improve response strategies, and better prepare for future risks. This iterative learning process ensures that risk management efforts are increasingly effective over time.

The four aspects of risk-based thinking—anticipate, monitor, respond, and learn—form a continuous cycle that helps organizations manage uncertainties proactively. This approach protects the organization from potential downsides and enables it to seize opportunities that arise from a well-understood risk landscape. Organizations can enhance their resilience and adaptability by embedding these practices into everyday operations.

Implementing Risk-Based Thinking

1. Understand the Concept of Risk-Based Thinking

Risk-based thinking involves a proactive approach to identifying, analyzing, and addressing risks. This mindset should be ingrained in the organization’s culture and used as a basis for decision-making.

2. Identify Risks and Opportunities

Identify potential risks and opportunities. This can be achieved through various methods such as SWOT analysis, brainstorming sessions, and process mapping. It’s crucial to involve people at all levels of the organization since they can provide diverse perspectives on potential risks and opportunities.

3. Analyze and Prioritize Risks

Once risks and opportunities are identified, they should be analyzed to understand their potential impact and likelihood. This analysis will help prioritize which risks need immediate attention and which opportunities should be pursued.

4. Plan and Implement Responses

After prioritizing, develop strategies to address these risks and opportunities. Plans should include preventive measures for risks and proactive steps to seize opportunities. Integrating these plans into the organization’s overall strategy and daily operations is important to ensure they are effective.

5. Monitor and Review

Implementing risk-based thinking is not a one-time activity but an ongoing process. Regular monitoring and reviewing of risks, opportunities, and the effectiveness of responses are crucial. This can be done through regular audits, performance evaluations, and feedback mechanisms. Adjustments should be made based on these reviews to improve the risk management process.

6. Learn and Improve

Organizations should learn from their experiences in managing risks and opportunities. This involves analyzing what worked well and what didn’t and using this information to improve future risk management efforts. Continuous improvement should be a key goal, aligning with the Plan-Do-Check-Act (PDCA) cycle.

7. Documentation and Compliance

Maintaining proper documentation is essential for tracking and managing risk-based thinking activities. Documents such as risk registers, action plans, and review reports should be updated and readily available.

8. Training and Culture

Training and cultural adaptation are necessary to implement risk-based thinking effectively. All employees should be trained on the principles of risk-based thinking and how to apply them in their roles. Creating a culture encouraging open communication about risks and supporting risk-taking within defined limits is also vital.

Risk Management is a Living Process

Living and adhoc risk assessments

ISO 31000-2018 “Risk Management Guidelines” discusses on-going monitoring and review of risk management activities. We see a similar requirement in ICH Q9(r1) for the pharmaceutical industry. In many organizations we can take a lot of time on the performance of risk assessments (hopefully effectively) and a lot of time mitigating risks (again, hopefully effectively) but many organizations struggle in maintaining a lifecycle approach.

To do appropriate lifecycle management we should ensure three things:

  1. Planned review
  2. Continuous Monitoring
  3. Incorporate through governance, improvement and knowledge management activities.

Reviews are a critical part of our risk management process framework.

This living risk management approach effectively drives work in Control Environment, Response and Stress Testing.

At heart lies the ongoing connection between risk management and knowledge management.

Risk Management in the Clinical Study

With ICH E6(r3) in draft, I think it is important to look at the current state of risk management expectations in a clinical study.

Risk management is an essential part of any clinical study, and is a critical component of the ICH E6 and E8 guidelines for Good Clinical Practice (GCP). These guidelines provide a framework for ensuring the safety and well-being of study participants, as well as the integrity and reliability of the study data. By following the principles outlined in these guidelines, researchers can help to ensure that their study results are reliable and can be used to inform clinical practice.

Through risk management we ensure the four main goals of the GCPs are obtained.

The ICH E6 guideline provides recommendations for the conduct of clinical trials, emphasizing the importance of risk management, specifying that a risk management plan should be developed and implemented for each study. The guideline also provides recommendations for the content of the risk management plan, including the identification of potential risks, the assessment of their likelihood and potential impact, and the development of strategies for managing or mitigating those risks.

Risk management is a key enabler and result of the quality management system.

The ICH E8 guideline, which focuses on the conduct of clinical trials also emphasizes the importance of risk management. It specifies that the risk management plan should include a comprehensive evaluation of the risks associated with the study interventions, as well as a plan for managing or mitigating those risks. The guideline also recommends that the risk management plan be regularly reviewed and updated as needed, to ensure that it continues to effectively address the risks facing the study.

When planning a clinical study, sponsors must carefully consider the potential risks involved and take steps to minimize them. Sources of the risk assessment include performing a thorough literature review to identify any known risks associated with the study interventions, as well as conducting pre-study assessments to identify potential risks specific to the study population. E8 also state sthe importance of a wide variety of stakeholders, including the patient population.

Once the study is underway, it’s important to closely monitor for potential risks and have a plan in place for managing them.

In addition to protecting the safety of study participants, effective risk management is also essential for maintaining the integrity of the data being collected. Risks to the study data might include things like errors in data entry or missing data, which can compromise the validity of the study results. To address these risks, sponsors must have robust quality control measures in place, such as regular data audits and checks for missing or inconsistent data.

Overall, the role of risk management in a clinical study is to ensure the safety and well-being of study participants, while also protecting the integrity of the data being collected. By carefully considering and managing potential risks, researchers can help to ensure that their study results are reliable and can be used to inform clinical practice.

Risk Based Monitoring

Risk-based monitoring is a approach to monitoring the quality of a clinical study that focuses on identifying and addressing potential risks to the study. This approach involves regularly assessing the risks associated with a study and implementing strategies to manage or mitigate those risks.

In a risk-based monitoring approach, the study team typically uses a risk register to identify and assess potential risks to the study, such as the potential for errors in data collection or analysis, or the potential for adverse events in study participants. The team then develops a plan for addressing these risks, which might involve implementing additional quality control measures or training for study staff.

During the study, the team regularly monitors for potential risks and takes action to address them as needed. This might involve conducting regular audits or reviews of the study data to identify potential errors, or monitoring the health and well-being of study participants to identify and address any adverse events.

Overall, the goal of risk-based monitoring is to ensure the quality and integrity of a clinical study by proactively identifying and addressing potential risks. By using a risk-based approach, the study team can help to ensure that the study results are reliable and can be used to inform clinical practice.

Risk Register

A risk register is a document that is used to identify, assess, and track potential risks in a clinical study. It typically includes a list of identified risks, along with information about their likelihood and potential impact, as well as the actions that are being taken to manage or mitigate the risks.

In a clinical study, a risk register might include risks such as the potential for errors in data collection or analysis, the potential for adverse events in study participants, or the potential for the study to be impacted by external factors, such as changes in regulatory requirements.

The purpose of a risk register in a clinical study is to help the study team identify and prioritize potential risks, and to develop strategies for addressing them. By having a clear and comprehensive overview of the risks that a study is facing, the team can take proactive steps to manage or mitigate those risks, and can monitor their progress over time.

Overall, a risk register is an essential tool for managing risks in a clinical study. By providing a clear and comprehensive overview of potential risks, it helps the study team identify and address risks in a proactive and effective way.

  1. Identifying potential risks: The first step in implementing a clinical risk management program is to identify potential risks to the study, such as the potential for errors in data collection or analysis, or the potential for adverse events in study participants. This might involve reviewing the study protocol and data collection tools, consulting with the study team and other stakeholders, and conducting a thorough assessment of the study environment.
  2. Assessing risks: Once potential risks have been identified, the next step is to assess their likelihood and potential impact. This will help to prioritize the risks and determine the appropriate level of response. For example, a risk with a high likelihood and a high potential impact might require more immediate action, while a risk with a low likelihood and a low potential impact might not require as much attention.
  3. Developing strategies for managing risks: Based on the assessment of risks, the next step is to develop strategies for managing or mitigating those risks. This might involve implementing additional quality control measures, providing training to study staff, or conducting regular audits or reviews of the study data. The goal is to develop a comprehensive and effective plan for addressing the identified risks.
  4. Monitoring for potential risks: Once the risk management plan is in place, it’s important to regularly monitor for potential risks and take action to address them as needed. This might involve conducting regular audits or reviews of the study data, or monitoring the health and well-being of study participants. By proactively monitoring for potential risks, the study team can help to ensure the safety and well-being of study participants, as well as the integrity and reliability of the study data.
  5. Follow-up and corrective action: If potential risks are identified during the study, it’s important to take prompt action to address them. This might involve implementing corrective action plans, such as retraining study staff or revising the study protocol. It’s also important to track the progress of these plans and ensure that they are effective in addressing the identified risks. By taking timely and effective action to address potential risks, the study team can help to ensure the safety and well-being of study participants, as well as the integrity and reliability of the study data.

Risk Management in the Clinical Study Process

To summarize, each clinical study should:

  1. Identify Risks
  • Before the study begins, the sponsor should perform a thorough review of the study protocol, data collection tools, and other study-related documents to identify potential risks to the study.
  • The cross-functional study team, CROs and other relevant stakeholders, such as the sponsor and regulatory authorities, to identify additional potential risks.
  • All identified risks should be documented in the study’s risk register.

2. Assess Risks

  • For each identified risk, assess its likelihood and potential impact on the study.
  • The risks should be prioritized based on their likelihood and potential impact, with a focus on the highest-priority risks.

3. Manage Risks

  • For each identified risk, the sponsor should develop a plan for managing or mitigating the risk. This plan should be documented in the study’s risk register.
  • The plan for managing or mitigating each risk should include specific actions to be taken, as well as the individuals or groups responsible for implementing those actions.

4. Monitor Risks

  • Regularly monitor key risk indicators and the study for success of the study risk plan and to identify new potential risks and take action to address them as needed. This might involve conducting regular audits or reviews of the study data, or monitoring the health and well-being of study participants.
  • Any significant risks that arise during the study should be reported to the sponsor and relevant regulatory authorities.

4th GxP Cloud Compliance Summit – September 5-7

I am looking forward to speaking at the GxP Cloud Compliance Summit in Boston in September on Implementing a Lifecycle Risk Management Approach to the Cloud. I’ll be discussing some of my favorite topics:

  • Best practices to harness a life cycle risk management approach to protect product quality and patient data
  • What does a living risk assessment look like when key parts of your IT infrastructure is maintained by cloud service providers
  • How does Q9 R1 impact functional and usage assessments around cloud applications

I am looking forward to meeting and discussing some of the critical questions in our heady embrace of the cloud.

Cloud based GxP systems have shifted in the last few years from “Something I guess we should figure out” to “Well guess we have it now” to “Well that is all I seem to have now.” And where 5 years ago it seemed we were obsessed about the fine details of Open vs Closed systems and what cloud-based applications are, we are now looking at much more mature questions around a risk based strategy that evaluates and ensures appropriate controls around Data Integrity, Privacy, and Security. Through a risk-based approach, we drive activities such as auditing, change control, qualification/validation, and oversight.

I am looking forward to having this discussion with my peers and sharing best practices and experiences. It is only though this type of event that we can grow as a professional.

I hope to see you there.

Expert Intuition and Risk Management

Saturday Morning Breakfast Cereal source http://smbc-comics.com/comic/horrible

Risk management is a crucial aspect of any organization or project. However, it is often subject to human errors in subjective risk judgments. This is because most risk assessment methods rely on subjective inputs from experts. Without certain precautions, experts can make consistent errors in judgment about uncertainty and risk.

There are methods that can correct the systemic errors that people make, but very few organizations implement them. As a result, there is often an almost universal understatement of risk. We need to keep in mind a few rules about experience and expertise.

  • Experience is a nonrandom, nonscientific sample of events throughout our lifetime.
  • Experience is memory-based and we are very selective regarding what we choose to remember,
  • What we conclude from our experience can be full of logical errors
  • Unless we get reliable feedback on past decisions, there is no reason to believe our experience will tell us much.

No matter how much experience we accumulate, we seem to be very inconsistent in its application.

Experts have unconscious heuristics and biases that impact their judgment, some important ones include:

  • Misconceptions of chance: If you flip a coin six times, which result is more likely (H= heads, T= tails): HHHTTT or HTHTTH? They are both equal, but many people assume that because the first series looks “less random” than the second, it must be less likely. This is an example of representativeness bias. We appear to judge odds based on what we assume to be representative scenarios. Human beings easily confuse patterns and randomness.
  • The conjunction fallacy: We often see specific events as more likely than broader categories of events.
  • Irrational belief in small samples
  • Disregarding variance in small samples. Small samples have more random variance that large samples is considered less than it should be.
  • Insensitivity to prior probabilities: People tend to ignore the past and focus on new information when making subjective estimates.

This is all about overconfidence as an expert, which will consistently underestimate risks.

What are some ways to overcome this? I recommend the following be built into your risk management system.

  • Pretend you are in the future looking back at failure. Start with the assumption that a major disaster did happen and describe how it happened.
  • Look to risks from others. Gather a list of related failures, for example, regulatory agency observations, and think of risks in relation to those.
  • Include Everyone. Your organization has numerous experts on all sorts of specific risks. Make the effort to survey representatives of just about every job level.
  • Do peer reviews. Check assumptions by showing them to peers who are not immersed in the assessment.
  • Implement metrics for performance. The Brier score is a way to evaluate the result of predictions both by how often the team was right and by the probability the estimated for getting a correct answer.

Further Reading

Here are some sources that discuss the topic of human errors and subjective judgments in risk management: