Quality Risk Management


Risk management principles are effectively utilized in many areas of business and government including finance, insurance, occupational safety, public health, pharmaceutical, pharmacovigilance, and by agencies regulating these industries. Risk is defined as the combination of the probability of occurrence of harm and the severity of that harm. However, achieving a shared understanding of the application of risk management among diverse stakeholders is difficult because each stakeholder might perceive different potential harms, place a different probability on each harm occurring and attribute different severities to each harm.


Two primary principles of quality risk management are:

  • The evaluation of the risk to quality should be based on scientific knowledge, and
  • The level of effort, formality, and documentation of the quality risk management process should be commensurate with the level of risk.


Quality risk management is a systematic process for the assessment, control, communication, and review of risks to the quality of product across the product life-cycle. A model for quality risk management is outlined in the diagram. Other models could be used. The emphasis on each component of the framework might differ from case to case but a robust process will incorporate consideration of all the elements at a level of detail that is commensurate with the specific risk.

Overview of a typical quality risk management process

Decision nodes are not shown in the diagram above because decisions can occur at any point in the process. These decisions might be to return to the previous step and seek further information, to adjust the risk models, or even to terminate the risk management process based upon information that supports such a decision. Note: “unacceptable” in the flowchart does not only refer to statutory, legislative, or regulatory requirements but also indicates that the risk assessment process should be revisited.


Quality risk management activities are usually, but not always, undertaken by interdisciplinary teams. When teams are formed, they should include experts from the appropriate areas such as the quality unit, business development, engineering, regulatory affairs, production operations, sales and marketing, legal, and statistics, in addition to individuals who are knowledgeable about the quality risk management process.

Decision-makers should

  • take responsibility for coordinating quality risk management across various functions and departments of their organization and
  • ensure that a quality risk management process is defined, deployed, and reviewed and that adequate resources are available.

Initiating a Quality Risk Management Process

Quality risk management should include systematic processes designed to coordinate, facilitate and improve science-based decision making with respect to risk. Possible steps used to initiate and plan a quality risk management process might include the following:

  • Define the problem and/or risk question, including pertinent assumptions identifying the potential for risk
  • Assemble background information and/or data on the potential hazard, harm or human health impact relevant to the risk assessment
  • Identify a leader and critical resources
  • Specify a timeline, deliverables, and appropriate level of decision making for the risk management process

Risk Assessment

Risk assessment consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards. Quality risk assessments begin with a well-defined problem description or risk question. When the risk in question is well defined, an appropriate risk management tool and the types of information that will address the risk question will be more readily identifiable. As an aid to clearly defining the risk for risk assessment purposes, three fundamental questions are often helpful:

  1. What might go wrong?
  2. What is the likelihood (probability) it will go wrong?
  3. What are the consequences (severity)?

Risk identification

Risk identification is a systematic use of information to identify hazards referring to the risk question or problem description. Information can include historical data, theoretical analysis, informed opinions, and the concerns of stakeholders. Risk identification addresses the “What might go wrong?” question, including identifying the possible consequences. This provides the basis for further steps in the quality risk management process.

Risk analysis

Risk analysis is the estimation of the risk associated with the identified hazards. It is the qualitative or quantitative process of linking the likelihood of occurrence and severity of harm. In some risk management tools, the ability to detect harm (detectability) also factors in the estimation of risk.

Risk evaluation

Risk evaluation compares the identified and analyzed risk against given risk criteria. Risk evaluations consider the strength of evidence for all three of the fundamental questions. In doing an effective risk assessment, the robustness of the data set is important because it determines the quality of the output. Revealing assumptions and reasonable sources of uncertainty will enhance confidence in this output and/or help identify its limitations. Uncertainty is due to a combination of incomplete knowledge about a process and its expected or unexpected variability. Typical sources of uncertainty include gaps in knowledge, gaps in process understanding, sources of harm (e.g., failure modes of a process, sources of variability), and the probability of detection of problems.

The output of a risk assessment is either a quantitative estimate of risk or a qualitative description of a range of risks. When the risk is expressed quantitatively, a numerical probability is used. Alternatively, risk can be expressed using qualitative descriptors, such as “high,” “medium,” or “low,” which should be defined in as much detail as possible. Sometimes a risk score is used to further define descriptors in risk ranking. In quantitative risk assessments, a risk estimate provides the likelihood of a specific consequence, given a set of risk-generating circumstances. Thus, quantitative risk estimation is useful for one particular consequence at a time. Alternatively, some risk management tools use a relative risk measure to combine multiple levels of severity and probability into an overall estimate of relative risk. The intermediate steps within a scoring process can sometimes employ quantitative risk estimation.

Risk Control

Risk control includes decision-making to reduce and/or accept risks. The purpose of risk control is to reduce the risk to an acceptable level. The amount of effort used for risk control should be proportional to the significance of the risk. Decision-makers might use different processes, including benefit-cost analysis, for understanding the optimal level of risk control. Risk control might focus on the following questions:

  • Is the risk above an acceptable level?
  • What can be done to reduce or eliminate risks?
  • What is the appropriate balance among benefits, risks, and resources?
  • Are new risks introduced as a result of the identified risks being controlled?

Risk reduction focuses on processes for mitigation or avoidance of quality risk when it exceeds a specified (acceptable) level. Risk reduction might include actions taken to mitigate the severity and probability of harm. Processes that improve the detectability of hazards and quality risks might also be used as part of a risk control strategy. The implementation of risk reduction measures can introduce new risks into the system or increase the significance of other existing risks. Hence, it might be appropriate to revisit the risk assessment to identify and evaluate any possible change in risk after implementing a risk reduction process.

Risk acceptance is a decision to accept risk. Risk acceptance can be a formal decision to accept the residual risk or it can be a passive decision in which residual risks are not specified. For some types of harm, even the best quality risk management practices might not entirely eliminate risk. In these circumstances, it might be agreed that an appropriate quality risk management strategy has been applied and that quality risk is reduced to a specified (acceptable) level. This (specified) acceptable level will depend on many parameters and should be decided on a case-by-case basis.
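As an added worked example (not part of the original article) of the scoring approach described under risk analysis and risk evaluation above, and of re-assessing the register after a risk reduction measure as the Risk Control section advises: it assumes 1-5 scales for probability, severity and detectability, a P x S x D relative risk score, descriptor cut-offs and an acceptance level, all of which are illustrative choices rather than values given on the page.

```python
from dataclasses import dataclass, replace

# Constructed example, not from the original article. Scales and cut-offs are
# assumptions: probability (P), severity (S) and detectability (D) are each
# scored 1-5; a higher D means the harm is harder to detect, so it raises risk.
SCALE = range(1, 6)
ACCEPTABLE_LEVEL = 30                                 # assumed acceptance criterion
BANDS = ((60, "high"), (30, "medium"), (0, "low"))   # assumed descriptor cut-offs

@dataclass(frozen=True)
class Hazard:
    name: str
    probability: int
    severity: int
    detectability: int

def risk_score(h):
    """Relative risk: likelihood and severity linked with detectability (P x S x D)."""
    for v in (h.probability, h.severity, h.detectability):
        if v not in SCALE:
            raise ValueError(f"{h.name}: each score must be in {list(SCALE)}")
    return h.probability * h.severity * h.detectability

def descriptor(score):
    """Qualitative descriptor used for risk ranking, defined by the BANDS cut-offs."""
    return next(label for cutoff, label in BANDS if score >= cutoff)

def evaluate(register):
    """Risk evaluation: rank hazards by score and compare each with the criterion."""
    rows = [{"hazard": h.name, "score": risk_score(h), "descriptor": descriptor(risk_score(h)),
             "acceptable": risk_score(h) <= ACCEPTABLE_LEVEL} for h in register]
    return sorted(rows, key=lambda r: r["score"], reverse=True)

def reduce_risk(register, name, new_hazard=None, **changes):
    """Risk reduction: revise one hazard's scores; if the control measure introduces
    a new hazard, add it so the whole register is re-assessed, as the text advises."""
    revised = [replace(h, **changes) if h.name == name else h for h in register]
    return revised + ([new_hazard] if new_hazard else [])

# Constructed register for a packaging line (illustrative values only).
REGISTER = [Hazard("wrong label applied", 2, 5, 4),
            Hazard("fill volume out of limit", 3, 3, 2),
            Hazard("operator training lapse", 2, 2, 3)]

# In-line label verification improves detectability (D 4 -> 1) but introduces
# a new hazard: the vision system itself can pass a wrong label.
AFTER_CONTROL = reduce_risk(REGISTER, "wrong label applied", detectability=1,
                            new_hazard=Hazard("vision system false pass", 1, 5, 3))
```

Calling `evaluate(REGISTER)` ranks the unlabelled-product hazard first as "medium" and not acceptable; `evaluate(AFTER_CONTROL)` shows every hazard, including the newly introduced one, below the acceptance level.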

Risk Communication

Risk communication is the sharing of information about risk and risk management between the decision-makers and others. Parties can communicate at any stage of the risk management process. The output/result of the quality risk management process should be appropriately communicated and documented. Communications might include those among interested parties (e.g., between regulators and industry, within a company, or within an industry or regulatory authority). The included information might relate to the existence, nature, form, probability, severity, acceptability, control, treatment, detectability, or other aspects of risks to quality. Communication need not be carried out for each and every risk acceptance. Between the industry and regulatory authorities, communication concerning quality risk management decisions might be effected through existing channels as specified in regulations and guidance.

Risk Review

Risk management should be an ongoing part of the quality management process. A mechanism to review or monitor events should be implemented. The output/results of the risk management process should be reviewed to take into account new knowledge and experience. Once a quality risk management process has been initiated, that process should continue to be utilized for events that might impact the original quality risk management decision, whether these events are planned (e.g., results of the product review, inspections, audits, change control) or unplanned (e.g., root cause from failure investigations, recall). The frequency of any review should be based upon the level of risk. Risk review might include reconsideration of risk acceptance decisions.


Quality risk management supports a scientific and practical approach to decision-making. It provides documented, transparent, and reproducible methods to accomplish steps of the quality risk management process based on current knowledge about assessing the probability, severity, and, sometimes, detectability of the risk. Traditionally, risks to quality have been assessed and managed in a variety of informal ways (empirical and/or internal procedures) based on, for example, a compilation of observations, trends, and other information. Such approaches continue to provide useful information that might support topics such as handling of complaints, quality defects, deviations, and allocation of resources. An organization can assess and manage risk using recognized risk management tools and/or internal procedures (e.g., standard operating procedures). Below is a non-exhaustive list of some of these tools:

  1. Basic Risk Management Facilitation Methods

    Some of the simple techniques that are commonly used to structure risk management by organizing data and facilitating decision making are:

    • Flowcharts
    • Check Sheets
    • Process Mapping
    • Cause and Effect Diagrams (also called an Ishikawa diagram or fishbone diagram)
  2. Hazard Analysis and Critical Control Points (HACCP)

    HACCP is a systematic, proactive, and preventive tool for assuring product quality, reliability, and safety. It is a structured approach that applies technical and scientific principles to analyze, evaluate, prevent, and control the risk or adverse consequence(s) of hazard(s) due to the design, development, production, and use of products.

    HACCP consists of the following seven steps:

    1. conduct a hazard analysis and identify preventive measures for each step of the process
    2. determine the critical control points
    3. establish critical limits
    4. establish a system to monitor the critical control points
    5. establish the corrective action to be taken when monitoring indicates that the critical control points are not in a state of control
    6. establish a system to verify that the HACCP system is working effectively
    7. establish a record-keeping system
  3. Preliminary Hazard Analysis (PHA)

    PHA is a tool of analysis based on applying prior experience or knowledge of a hazard or failure to identify future hazards, hazardous situations, and events that might cause harm, as well as to estimate their probability of occurrence for a given activity, facility, product, or system. The tool consists of:

    1. the identification of the possibilities that the risk event happens,
    2. the qualitative evaluation of the extent of possible injury or damage to health that could result,
    3. a relative ranking of the hazard using a combination of severity and likelihood of occurrence, and
    4. the identification of possible remedial measures.
  4. Supporting Statistical Tools

    Statistical tools can support and facilitate quality risk management. They can enable effective data assessment, aid in determining the significance of the data set(s), and facilitate more reliable decision making. A listing of some of the principal statistical tools commonly used is provided:

    • Control charts, for example, Acceptance control charts, Control charts with arithmetic average and warning limits, Cumulative sum charts, Shewhart control charts, Weighted moving average.
    • Design of experiments (DOE)
    • Histograms
    • Pareto charts
    • Process capability analysis

3 thoughts on “Quality Risk Management”

  1. Dear Author,
    This is an excellent document. Could you please indicate how this can be applied to a Higher Educational Institution? What is the difference between ISO 9001:2015 and ISO 31000 for Risk Management in a University or College?
    I shall be much obliged if you could make it applicable to a Higher Education system.

  2. Dear sir,
    Thanks so much for the good article and example of each procedure. I have learnt the quality system management from your document. It's very super perfect…
    Thanks & Regards,
