A Risk-Based Approach to Quality Processes

Many of the challenges inherent in developing regulated products fall into the realm of risk that manufacturers need to examine and mitigate prior to going to market. Numerous drugs and medical devices are recalled each year, which underscores the importance of risk management in product design, development, and manufacturing.

Controlling risk is an important requirement for companies developing regulated products. International standards and regulations include guidelines specific to enforcing product safety and risk management processes. The guidances leave the “how” of risk management up to the company. The following is a high-level overview of the tasks involved in risk management: 1

  • Risk identification — Uses aggregated data and information to identify hazards with a product throughout its life cycle. The information can include historical data, theoretical analysis, informed opinions, and the concerns of stakeholders. Risk identification addresses these three fundamental questions: What might go wrong? What is the likelihood it will go wrong? What are the consequences if the hazard occurs?
  • Risk analysis — Involves estimating the risk and the potential consequences associated with the identified hazards. When required, this must be a qualitative or quantitative process that includes linking the likelihood of the hazard to its severity of harm.
  • Risk evaluation — Compares the identified and analyzed risk against preestablished criteria. This process considers the strength of evidence for all three of the fundamental questions in the risk identification task.
  • Risk acceptance — Determines the output of a risk assessment. It is either a quantitative estimate of risk or a qualitative description of the range of risk. When risk is expressed quantitatively, a numerical probability is used. Alternatively, risk can be expressed using qualitative descriptors regarding the impact on patient safety and product quality: low (minor impact), medium (moderate impact), or high (severe impact). These descriptors should be defined in as much detail as possible.
  • Risk control — The process of reducing risk to an acceptable level. The amount of effort applied to risk control should be proportional to the significance and severity of the risk.
  • Risk review — Upon completion of a quality risk management process, organizations should continue to use that process for events that might impact the original quality risk management decision. The events can be planned (e.g., results of product review, inspections, audits, change control) or unplanned (e.g., root cause from failure investigations, recall).

The tasks involved in risk management become more granular based on the organization’s products and processes. Still, simply meeting the minimum obligations for compliance does not equal effective risk management, which needs to be a continuous, iterative process. Risk management should involve a structured, technology-driven approach to monitoring trends and behaviors that potentially result in deviations, nonconformances, delays, and possibly product recalls.

Product manufacturing problems such as out of specification (OOS), deviations, outdated data, design issues, etc. are easy to overlook as part of a larger risk. There also might be a new or unforeseen hazard that was missed earlier in the product’s life cycle that will need to be monitored. That said, risk management is not a responsibility exclusive to the quality team — it needs to be integrated into all areas of the company. Therefore, an effective approach to risk management is to embed risk-based thinking into the entire company culture by employing digitized technology and connected quality.

The U.S. Food and Drug Administration (FDA) has been a long-time advocate of using modernized technology for improving product quality and safety. “Advanced analytical tools such as machine learning and AI strengthen the FDA’s predictive capabilities, thereby enhancing [its] ability to detect potential safety issues with products and more effectively prioritize inspections and work based on modern risk prioritization techniques,” said Stephen Hahn, former FDA commissioner. 2

Successfully implementing this type of all-inclusive risk management system means all stakeholders need the ability to access and share data in real time. This enables everyone to effectively track and trend risk data. The need for this level of interaction, speed, and efficiency renders paper-based and spreadsheet data collection and analysis impracticable.

Using technology to proactively monitor and control risk reduces regulatory interaction, which makes sense on a compliance and business level as it contributes to getting products approved and out the door faster. Implementing a connected, data-driven quality platform allows you to manage all quality processes from anywhere, creating a unified risk management framework.

View the trend brief “Shaping the Next Normal for Quality and Compliance” to learn more about risk-based thinking and other trends shaping quality and compliance in 2021.


  1. “Quality Risk Management ICH Q9,” Pharmaceutical Updates, Nov. 5, 2020.
  2. “Statement by Stephen Hahn, M.D. Commissioner of Food and Drugs, Food and Drug Administration Before the Subcommittee on Agriculture, Rural Development, Food and Drug Administration, and Related Agencies Committee on Appropriations, U.S. House of Representatives,” Mar. 11, 2020.

David Jensen is a content marketing specialist at MasterControl, where he is responsible for researching and writing content for web pages, white papers, brochures, emails, blog posts, presentation materials and social media. He has over 25 years of experience producing instructional, marketing and public relations content for various technology-related industries and audiences. Jensen writes extensively about cybersecurity, data integrity, cloud computing and medical device manufacturing. He has published articles in various industry publications such as Medical Product Outsourcing (MPO) and Bio Utah. Jensen holds a bachelor’s degree in communications from Weber State University and a master’s degree in professional communication from Westminster College.

Originally published at https://www.mastercontrol.com.



