Twenty years on, risk management in the pharmaceutical world continues to be challenging. Ensure that risk assessments are systematic, structured, and based on scientific knowledge. A large part of the ICH Q9(R1) revision was written to address continued struggles with subjectivity, formality, and decision-making. And quite frankly, it’s clear to me that we, as an industry, are still working to absorb those messages these last two years.
A big challenge is that we struggle to measure the effectiveness of our risk assessments. Quite frankly, this is a great place for a rubric.
Luckily, we have a good tool out there to adopt: the Risk Analysis Quality Test (RAQT1.0), developed by the Society for Risk Analysis (SRA). This comprehensive framework is designed to evaluate and improve the quality of risk assessments. We can apply this tool to meet the requirements of the International Conference on Harmonisation (ICH) Q9, which outlines quality risk management principles for the pharmaceutical industry. From that, we can drive continued improvement in our risk management activities.
Components of RAQT1.0
The Risk Analysis Quality Test consists of 76 questions organized into 15 categories:
- Framing the Analysis and Its Interface with Decision Making
- Capturing the Risk Generating Process (RGP)
- Communication
- Stakeholder Involvement
- Assumptions and Scope Boundary Issues
- Proactive Creation of Alternative Courses of Action
- Basis of Knowledge
- Data Limitations
- Analysis Limitations
- Uncertainty
- Consideration of Alternative Analysis Approaches
- Robustness and Resilience of Action Strategies
- Model and Analysis Validation and Documentation
- Reporting
- Budget and Schedule Adequacy
Application to ICH Q9 Requirements
ICH Q9 emphasizes the importance of a systematic and structured risk assessment process. The RAQT can be used to ensure that risk assessments are thorough and meet quality standards. For example, Category G (Basis of Knowledge) and Category H (Data Limitations) help in evaluating the scientific basis and data quality of the risk assessment, aligning with ICH Q9’s requirement for using available knowledge and data.
The RAQT’s Category B (Capturing the Risk Generating Process) and Category C (Communication) can help in identifying and communicating risks effectively. This aligns with ICH Q9’s requirement to identify potential risks based on scientific knowledge and understanding of the process.
Categories such as Category I (Analysis Limitations) and Category J (Uncertainty) in the RAQT help in analyzing the risks and addressing uncertainties, which is a key aspect of ICH Q9. These categories ensure that the analysis is robust and considers all relevant factors.
The RAQT’s Category A (Framing the Analysis and Its Interface with Decision Making) and Category F (Proactive Creation of Alternative Courses of Action) are crucial for evaluating risks and developing mitigation strategies. This aligns with ICH Q9’s requirement to evaluate risks and determine the need for risk reduction.
Categories like Category L (Robustness and Resilience of Action Strategies) and Category M (Model and Analysis Validation and Documentation) in the RAQT help in ensuring that the risk control measures are robust and well-documented. This is consistent with ICH Q9’s emphasis on implementing and reviewing controls.
Category D (Stakeholder Involvement) of the RAQT ensures that stakeholders are engaged in the risk management process, which is a requirement under ICH Q9 for effective communication and collaboration.
The RAQT can be applied both retrospectively and prospectively, allowing for the evaluation of past risk assessments and the planning of future ones. This aligns with ICH Q9’s requirement for periodic review and continuous improvement of the risk management process.
Creating a Rubric
To make this actionable we need a tool, a rubric, to allow folks to evaluate what goods look like. I would insert this tool into the quality oversite of risk management.
Category A: Framing the Analysis and Its Interface With Decision Making
| Criteria | Excellent (4) | Good (3) | Fair (2) | Poor (1) |
|---|---|---|---|---|
| Problem Definition | Clearly and comprehensively defines the problem, including all relevant aspects and stakeholders | Adequately defines the problem with most relevant aspects considered | Partially defines the problem with some key aspects missing | Poorly defines the problem or misses critical aspects |
| Analytical Approach | Selects and justifies an optimal analytical approach, demonstrating deep understanding of methodologies | Chooses an appropriate analytical approach with reasonable justification | Selects a somewhat relevant approach with limited justification | Chooses an inappropriate approach or provides no justification |
| Data Collection and Management | Thoroughly identifies all necessary data sources and outlines a comprehensive data management plan | Identifies most relevant data sources and provides a adequate data management plan | Identifies some relevant data sources and offers a basic data management plan | Fails to identify key data sources or lacks a coherent data management plan |
| Stakeholder Identification | Comprehensively identifies all relevant stakeholders and their interests | Identifies most key stakeholders and their primary interests | Identifies some stakeholders but misses important ones or their interests | Fails to identify major stakeholders or their interests |
| Decision-Making Context | Provides a thorough analysis of the decision-making context, including constraints and opportunities | Adequately describes the decision-making context with most key factors considered | Partially describes the decision-making context, missing some important factors | Poorly describes or misunderstands the decision-making context |
| Alignment with Organizational Goals | Demonstrates perfect alignment between the analysis and broader organizational objectives | Shows good alignment with organizational goals, with minor gaps | Partially aligns with organizational goals, with significant gaps | Fails to align with or contradicts organizational goals |
| Communication Strategy | Develops a comprehensive strategy for communicating results to all relevant decision-makers | Outlines a good communication strategy covering most key decision-makers | Provides a basic communication plan with some gaps | Lacks a clear strategy for communicating results to decision-makers |
This rubric provides a framework for assessing the quality of work in framing an analysis and its interface with decision-making. It covers key aspects such as problem definition, analytical approach, data management, stakeholder consideration, decision-making context, alignment with organizational goals, and communication strategy. Each criterion is evaluated on a scale from 1 (Poor) to 4 (Excellent), allowing for nuanced assessment of performance in each area.
To use this rubric effectively:
- Adjust the criteria and descriptions as needed to fit your specific context or requirements.
- Ensure that the expectations for each level (Excellent, Good, Fair, Poor) are clear and distinguishable.
My next steps will be to add specific examples or indicators for each level to provide more guidance to both assessors and those being assessed.
I also may, depending on internal needs, want to assign different weights to each criterion based on their relative importance in your specific context. In this case I think each ends up being pretty similar.
I would then go and add the other sections. For example, here is category B with some possible weighting.
Category B: Capturing the Risk Generating Process (RGP)
| Component | Weight Factor | Excellent | Satisfactory | Needs Improvement | Poor |
|---|---|---|---|---|---|
| B1. Comprehensiveness | 4 | The analysis includes: i) A structured taxonomy of hazards/events demonstrating comprehensiveness ii) Each scenario spelled out with causes and types of change iii) Explicit addressing of potential “Black Swan” events iv) Clear description of implications of such events for risk management | The analysis includes 3 out of 4 elements from the Excellent criteria, with minor gaps that do not significantly impact understanding | The analysis includes only 2 out of 4 elements from the Excellent criteria, or has significant gaps in comprehensiveness | The analysis includes 1 or fewer elements from the Excellent criteria, severely lacking in comprehensiveness |
| B2. Basic Structure of RGP | 2 | Clearly identifies and accounts for the basic structure of the RGP (e.g. linear, chaotic, complex adaptive) AND Uses appropriate mathematical structures (e.g. linear, quadratic, exponential) that match the RGP structure | Identifies the basic structure of the RGP BUT does not fully align mathematical structures with the RGP | Attempts to identify the RGP structure but does so incorrectly or incompletely OR Uses mathematical structures that do not align with the RGP | Does not identify or account for the basic structure of the RGP |
| B3. Complexity of RGP | 3 | Lists all important causal and associative links in the RGP AND Demonstrates how each link is accounted for in the analysis | Lists most important causal and associative links in the RGP AND Demonstrates how most links are accounted for in the analysis | Lists some causal and associative links but misses key elements OR Does not adequately demonstrate how links are accounted for in the analysis | Does not list causal and associative links or account for them in the analysis |
| B4. Early Warning Detection | 3 | Includes a clear process for detecting early warnings of potential surprising risk aspects, beyond just concrete events | Includes a process for detecting early warnings, but it may be limited in scope or not fully developed | Mentions the need for early warning detection but does not provide a clear process | Does not address early warning detection |
| B5. System Changes | 2 | Fully considers the possibility of system changes AND Establishes adequate mechanisms to detect those changes | Considers the possibility of system changes BUT mechanisms to detect changes are not fully developed | Mentions the possibility of system changes but does not adequately consider or establish detection mechanisms | Does not consider or address the possibility of system changes |
I definitely need to go back and add more around structure requirements. The SRA RAQT tool needs some more interpretation here.
Category C: Risk Communication
| Component | Weight Factor | Excellent | Satisfactory | Needs Improvement | Poor |
|---|---|---|---|---|---|
| C1. Integration of Communication into Risk Analysis | 3 | Communication is fully integrated into the risk analysis following established norms). All aspects of the methodology are clearly addressed including context establishment, risk assessment (identification, analysis, evaluation), and risk treatment. There is clear evidence of pre-assessment, management, appraisal, characterization and evaluation. Knowledge about the risk is thoroughly categorized. | Communication is integrated into the risk analysis following most aspects of established norms. Most key elements of methodologies like ISO 31000 or IRGC are addressed, but some minor aspects may be missing or unclear. Knowledge about the risk is categorized, but may lack some detail. | Communication is partially integrated into the risk analysis, but significant aspects of established norms are missing. Only some elements of methodologies like ISO 31000 or IRGC are addressed. Knowledge categorization about the risk is incomplete or unclear. | There is little to no evidence of communication being integrated into the risk analysis following established norms. Methodologies like ISO 31000 or IRGC are not followed. Knowledge about the risk is not categorized. |
| C2. Adequacy of Risk Communication | 3 | All considerations for effective risk communication have been applied to ensure adequacy between analysts and decision makers, analysts and other stakeholders, and decision makers and stakeholders. There is clear evidence that all parties agree the communication is adequate. | Most considerations for effective risk communication have been applied. Communication appears adequate between most parties, but there may be minor gaps or areas where agreement on adequacy is not explicitly stated. | Some considerations for effective risk communication have been applied, but there are significant gaps. Communication adequacy is questionable between one or more sets of parties. There is limited evidence of agreement on communication adequacy. | Few to no considerations for effective risk communication have been applied. There is no evidence of adequate communication between analysts, decision makers, and stakeholders. There is no indication of agreement on communication adequacy. |
Category D: Stakeholder Involvement
| Criteria | Weight | Excellent (4) | Satisfactory (3) | Needs Improvement (2) | Poor (1) |
|---|---|---|---|---|---|
| Stakeholder Identification | 4 | All relevant stakeholders are systematically and comprehensively identified | Most relevant stakeholders are identified, with minor omissions | Some relevant stakeholders are identified, but significant groups are missed | Few or no relevant stakeholders are identified |
| Stakeholder Consultation | 3 | All identified stakeholders are thoroughly consulted, with their perceptions and concerns fully considered | Most identified stakeholders are consulted, with their main concerns considered | Some stakeholders are consulted, but consultation is limited in scope or depth | Few or no stakeholders are consulted |
| Stakeholder Engagement | 3 | Stakeholders are actively engaged throughout the entire risk management process, including problem framing, decision-making, and implementation | Stakeholders are engaged in most key stages of the risk management process | Stakeholders are engaged in some aspects of the risk management process, but engagement is inconsistent | Stakeholders are minimally engaged or not engaged at all in the risk management process |
| Effectiveness of Involvement | 2 | All stakeholders would agree that they were effectively consulted and engaged | Most stakeholders would agree that they were adequately consulted and engaged | Some stakeholders may feel their involvement was insufficient or ineffective | Most stakeholders would likely feel their involvement was inadequate or ineffective |
Category E: Assumptions and Scope Boundary Issues
| Criterion | Weight | Excellent (4) | Satisfactory (3) | Needs Improvement (2) | Poor (1) |
|---|---|---|---|---|---|
| E1. Important assumptions and implications listed | 4 | All important assumptions and their implications for risk management are systematically listed in clear language understandable to decision makers. Comprehensive and well-organized. | Most important assumptions and implications are listed in language generally clear to decision makers. Some minor omissions or lack of clarity. | Some important assumptions and implications are listed, but significant gaps exist. Language is not always clear to decision makers. | Few or no important assumptions and implications are listed. Language is unclear or incomprehensible to decision makers. |
| E2. Risks of assumption deviations evaluated | 3 | Risks of all significant assumptions deviating from the actual Risk Generating Process are thoroughly evaluated. Consequences and implications are clearly communicated to decision makers. | Most risks of significant assumption deviations are evaluated. Consequences and implications are generally communicated to decision makers, with minor gaps. | Some risks of assumption deviations are evaluated, but significant gaps exist. Communication to decision makers is incomplete or unclear. | Few or no risks of assumption deviations are evaluated. Little to no communication of consequences and implications to decision makers. |
| E3. Scope boundary issues and implications listed | 3 | All important scope boundary issues and their implications for risk management are systematically listed in clear language understandable to decision makers. Comprehensive and well-organized. | Most important scope boundary issues and implications are listed in language generally clear to decision makers. Some minor omissions or lack of clarity. | Some important scope boundary issues and implications are listed, but significant gaps exist. Language is not always clear to decision makers. | Few or no important scope boundary issues and implications are listed. Language is unclear or incomprehensible to decision makers. |
Category F: Proactive Creation of Alternative Courses of Action
| Criteria | Weight | Excellent (4) | Satisfactory (3) | Needs Improvement (2) | Poor (1) |
|---|---|---|---|---|---|
| Systematic generation of alternatives | 4 | A comprehensive and structured process is used to systematically generate a wide range of alternative courses of action, going well beyond initially considered options | A deliberate process is used to generate multiple alternative courses of action beyond those initially considered | Some effort is made to generate alternatives, but the process is not systematic or comprehensive | Little to no effort is made to generate alternatives beyond those initially considered |
| Goal-focused creation | 3 | All generated alternatives are clearly aligned with and directly address the stated goals of the analysis | Most generated alternatives align with the stated goals of the analysis | Some generated alternatives align with the goals, but others seem tangential or unrelated | Generated alternatives (if any) do not align with or address the stated goals |
| Consideration of robust/resilient options | 3 | Multiple robust and resilient alternatives are developed to address various uncertainty scenarios | At least one robust or resilient alternative is developed to address uncertainty | Robustness and resilience are considered, but not fully incorporated into alternatives | Robustness and resilience are not considered in alternative generation |
| Examination of unintended consequences | 2 | Thorough examination of potential unintended consequences for each alternative, including action-reaction spirals | Some examination of potential unintended consequences for most alternatives | Limited examination of unintended consequences for some alternatives | No consideration of potential unintended consequences |
| Documentation of alternative creation process | 1 | The process of alternative generation is fully documented, including rationale for each alternative | The process of alternative generation is mostly documented | The process of alternative generation is partially documented | The process of alternative generation is not documented |
Category G: Basis of Knowledge
| Criterion | Weight | Excellent (4) | Satisfactory (3) | Needs Improvement (2) | Poor (1) |
|---|---|---|---|---|---|
| G1. Characterization of knowledge basis | 4 | All inputs are clearly characterized (empirical, expert elicitation, testing, modeling, etc.). Distinctions between broadly accepted and novel analyses are explicitly stated. | Most inputs are characterized, with some minor omissions. Distinctions between accepted and novel analyses are mostly clear. | Some inputs are characterized, but significant gaps exist. Limited distinction between accepted and novel analyses. | Little to no characterization of knowledge basis. No distinction between accepted and novel analyses. |
| G2. Strength of knowledge adequacy | 3 | Strength of knowledge is thoroughly characterized in terms of its adequacy to support risk management decisions. Limitations are clearly articulated. | Strength of knowledge is mostly characterized, with some minor gaps in relating to decision support adequacy. | Limited characterization of knowledge strength. Unclear how it relates to decision support adequacy. | No characterization of knowledge strength or its adequacy for decision support. |
| G3. Communication of knowledge limitations | 4 | All knowledge limitations and their implications for risk management are clearly communicated to decision makers in understandable language. | Most knowledge limitations and implications are communicated, with minor clarity issues. | Some knowledge limitations are communicated, but significant gaps exist in clarity or completeness. | Knowledge limitations are not communicated or are presented in a way decision makers cannot understand. |
| G4. Consideration of surprises and unforeseen events | 3 | Thorough consideration of potential surprises and unforeseen events (Black Swans). Their importance is clearly articulated. | Consideration of surprises and unforeseen events is present, with some minor gaps in articulating their importance. | Limited consideration of surprises and unforeseen events. Their importance is not clearly articulated. | No consideration of surprises or unforeseen events. |
| G5. Conflicting expert opinions | 2 | All conflicting expert opinions are systematically considered and reported to decision makers as a source of uncertainty. | Most conflicting expert opinions are considered and reported, with minor omissions. | Some conflicting expert opinions are considered, but significant gaps exist in reporting or consideration. | Conflicting expert opinions are not considered or reported. |
| G6. Consideration of unconsidered knowledge | 2 | Explicit measures are implemented to check for knowledge outside the analysis group (e.g., independent review). | Some measures are in place to check for outside knowledge, but they may not be comprehensive. | Limited consideration of knowledge outside the analysis group. No formal measures in place. | No consideration of knowledge outside the analysis group. |
| G7. Consideration of disregarded low-probability events | 1 | Explicit measures are implemented to check for events disregarded due to low probabilities based on critical assumptions. | Some consideration of low-probability events, but measures may not be comprehensive. | Limited consideration of low-probability events. No formal measures in place. | No consideration of events disregarded due to low probabilities. |
This rubric, once done, is a tool to guide assessment and provide feedback. It should be flexible enough to accommodate unique aspects of individual work while maintaining consistent standards across evaluations. I’d embed it in the quality approval step.
Investigations of a Dog 