Example of procedure for Risk Assessment & Management


The purpose of this procedure

  • To define the process of risk assessment and control of risk in a manner that is consistent with the product quality & product delivery requirements.
  • To identify techniques, tools and their application for risk identification, assessment, and mitigation.


This procedure is applicable to the risks associated with the impact on product delivery & quality. This procedure is applicable to:

  • API Spec Q1, 9th edition/ ISO 29001: 2020
  •  API Spec …..
  • API Spec ……
  • API Spec ……
  • API Spec …..
  • API Spec ….

Applies to all processes which have an influence on product quality & product delivery.


  1. QA/QC Engineer
  2. Management Representative
  3. All concerned process heads


Identification of risks from all processes, departmental procedures, manpower, XXX procedures.


XXX has a documented procedure to identify & control risks associated with impact on delivery & quality of products. This procedure identifies techniques, tools & their application for risk identification, assessment and mitigation.


Risk assessment associated with delivery of product shall generally include, but is not limited to, the following:

  1. Availability of facilities & their maintenance
  2. Availability of equipment
  3. Breakdown / preventive maintenance of equipment
  4. Material availability
  5. Timely Supply of material
  6. Quality of supplied material
  7. Suppliers performance in terms of Quality, Delivery & Other capabilities
  8. Inadequate QA / QC activities

Risk assessment associated with product quality shall generally include, but is not limited to, the following:

  1. Competencies & Performance of critical, non-critical suppliers, sub-contractors, and outsourced vendors
  2. Delivery of non-conforming products to customers
  3. Maintenance of facilities and equipment, including testing equipment
  4. Incoming, in-process, and final inspection and its controls.
  5. Addressing the non-conformance of the product in process at all levels to avoid the effect or potential effects on the final product.
  6. Availability of competent personnel.

Risk assessment provides a structured process for analyzing risk in terms of consequences and likelihood before deciding on further actions. Records of risk assessment and management including actions taken are maintained. This structured process attempts to answer some fundamental questions:

  1. What may happen and why (risk identification)?
  2. What might be the consequences?
  3. What is the likelihood of them happening? And
  4. Is there anything that might mitigate the consequences or reduce the likelihood?

Risk identification:

It is defined as the process of finding, recognizing and describing risk. It may be based on historical data or theoretical analysis, and involves identification of risk sources, events, causes and their potential consequences which delay the organization's objectives.

Risk analysis:

It is the process of analyzing the nature of risk and determining the level of risk associated with the relevant activity. RPN (Risk Priority Number) is used for analyzing the impact. Risk analysis provides an input to risk evaluation and to decisions on whether risks need to be treated and on the most appropriate risk treatment strategies and methods. Risk analysis also provides an input into making decisions where choices must be made and the options involve different types and levels of risk. Risk analysis involves consideration of the causes and sources of risk, their positive and negative consequences and the likelihood that those consequences can occur. Factors that affect consequences and likelihood are identified. Risk is analyzed by determining consequences and their likelihood, and other attributes of the risk. An event can have multiple consequences and can affect multiple objectives. Existing controls and their effectiveness and efficiency are taken into account. The way in which consequences and likelihood are expressed, and the way in which they are combined to determine a level of risk, should reflect the type of risk, the information available and the purpose for which the risk assessment output is to be used.

The significant risks associated with each process are segregated based on the following 5 categories:

  1. Human resource is one of the important and mandatory requirements for product realization, which includes workmen, staff and managers.
  2. A machine is an important resource to meet the required product realization, and possible risks like breakdown / out of tolerance are considered while carrying out risk analysis.
  3. Risk related to material handling and preservation of the product is considered in method.
  4. Risk related to material rejection, delayed shipment from the supplier and raw material shortage is considered for carrying out risk assessment.
  5. Risk related to natural disasters and their impact on quality or delivery of the product, with required communication, is considered.

Risk evaluation:

The purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk analysis, about which risks need control / mitigation and the priority for control / mitigation implementation. Risk evaluation involves comparing the level of risk found during the analysis process with the risk criteria established. Based on this comparison, the need for control / mitigation can be considered.

Risk control / mitigation involves,

  1. Deciding whether residual risk levels are tolerable; if XXX feels that a present non-significant risk may become significant in future, then it is treated as significant.
  2. If not tolerable, generating a new risk treatment and assessing its effectiveness. Further, activities pertaining to the below criteria are called significant and require a proper action plan.


The guideline followed at XXX to determine RPN while performing risk assessment includes the following important terms.

Severity evaluation criteria (S):

Severity for each activity / problem is worked out based on the amount of impact it creates on the equipment / legal / customer satisfaction (delivery and product quality). The value range is between 1 and 5. Tabulation 01, used to plot the applicable severity number for the relevant activity, is given in Guideline 2. When the severity is 5, it is defined as critical class (CC); for the value 4 it is called significant class (SC); values less than 3 are common activities and are left unfilled.

Occurrences evaluation criteria (O):

Occurrence for each activity / problem is worked out based on the number of repeated cases in past history or on assumptions based on experience. The value range is between 1 and 5. Tabulation 02, used to plot the applicable occurrence number for the relevant activity, is given in Guideline 2.

Detection evaluation criteria (D):

Detection for each activity is defined as the possibility of capturing the problem / defect with the present existing controls. The value ranges from 1 to 5. Tabulation 03 is used to plot the applicable detection number for the relevant activity.

Risk assessment output:

The output of risk assessment is used as an input for contingency planning and is also considered in corrective and preventive actions.

Risk assessment Frequency

The risk assessment at XXX is carried out once a year for all the relevant processes, and the records are documented with the necessary actions. Re-evaluation can be done whenever there is a need due to management requirement, major process change, customer request, changes in the RPN number, or a major quality or delivery issue.


Table 1: Severity evaluation criteria (S)

  Effect       | Criteria: Severity of Effect                                                                                                                  | Ranking
  Catastrophic | Very high severity & multiple effects on product quality or delivery. Severe & widespread damage to the customer with respect to delivery & quality of product | 5
  Critical     | Major severity & multiple effects on product quality or delivery                                                                              | 4
  Serious      | Single severe impact & multiple minor impacts on product quality and delivery                                                                 | 3
  Minor        | Low or minor impact and short-term effect on product quality and delivery                                                                     | 2
  Low          | Negligible or trivial effect and/or impact on product quality and delivery                                                                    | 1


Table 2: Occurrence evaluation criteria (O)

  Occurrence | Criteria                                                        | Ranking
  Frequent   | Persistent failures (shall occur several times)                 | 5
  Probable   | Frequent failures (occurs repeatedly / an event to be expected) | 4
  Occasional | Occasional failures (could take place or occur sometimes)       | 3
  Remote     | Relatively unlikely & few failures                              | 2
  Improbable | Failure is so unlikely that the probability is not there        | 1


Table 3: Detection evaluation criteria (D)

  Detection         | Criteria                                          | Suggested Range of Detection Methods                                                                                                                         | Ranking
  Almost Impossible | Absolute certainty of non-detection of problem    | Cannot detect or is not checked                                                                                                                              | 5
  Low               | Controls have poor chance of detection of problem | Control is achieved with visual inspection only                                                                                                              | 4
  Moderate          | Controls may detect the problem                   | Control is based on variable gauging after parts have left the station, or Go/No Go gauging performed on 100% of the parts after parts have left the station | 3
  High              | Controls have a good chance to detect the problem | Error detection in station or in subsequent operations by multiple layers of acceptance: supply, select, install, verify. Cannot accept discrepant part      | 2
  Very High         | Controls certain to detect the problem            | Discrepant parts cannot be made because the process or the equipment / item have been error-proofed by process / product design                              | 1

Based on the above criteria given in Table No. 1, 2 & 3, the severity, occurrence and detection rating for each potential risk is determined. While determining these, potential causes of failures are taken into account for the severity rating, and current process control prevention is considered for the occurrence rating.

Risk Priority Number (RPN): RPN = S x O x D, where S is the Severity rating, O the Occurrence rating and D the Detection rating. The RPN for each potential risk is determined; its value is always from 1 to 125. The RPN value is used to rank the order of concern in product delivery and product quality. Special attention is to be given when the RPN value is 80 or more, or alternatively if the Severity value is more than 4. The highest severity of effect should be taken for calculating the risk priority number.

At XXX a cut-off limit of 80 has been set for the RPN value. Appropriate corrective actions are recommended & implemented in all cases where the RPN value exceeds 80. Risks having an RPN of more than 80 are also considered for contingency planning and entered in the risk assessment register.

Recommended action and or Mitigation

After completion of the steps described above, the RPNs are analyzed to identify the priority areas for control and mitigation. Higher risk priority numbers generally require immediate action and contingency planning; however, risks with a severity ranking of more than 4 are to be treated with high priority irrespective of the RPN value.

The recommended actions are taken to prevent / eliminate the causes, so as to reduce the occurrence ranking. The general steps for risk mitigation are:

  1. Risk elimination, where possible
  2. Substitution by alternate man, material, machine or method, as applicable
  3. Segregation of products and/or material
  4. Changes in the system of working that reduce the risk to an acceptable level (this includes having written procedures, adequate supervision, training, and information & instructions)

Verification of implementation: The QA / QC Engineer has to verify the implementation of the action. After the corrective actions have been implemented, estimate & record the resulting 'Severity', 'Occurrence' and 'Detection' rankings and calculate the "Resulting RPN". If no actions are taken, leave the related ranking columns blank.
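The scoring rules above (RPN = S x O x D, the cut-off of 80, the severity-above-4 override, the CC/SC classes, and the "Resulting RPN" that stays blank when no action was taken) as a small worked register. This is an added example, not XXX's own form or software; the risk rows are constructed sample data and the function names are assumptions.

```python
"""Worked RPN register following the procedure's rules (added example).

Constants below are taken from the procedure text: ratings run 1..5,
cut-off RPN is 80, severity above 4 is high priority regardless of RPN.
"""
from typing import Optional

RPN_CUTOFF = 80        # "cut off limit of RPN value as 80"
SEVERITY_OVERRIDE = 4  # "Severity value is more than 4" forces attention

# Constructed sample register rows: (risk description, S, O, D)
SAMPLE_RISKS = [
    ("Breakdown of testing equipment", 4, 4, 5),
    ("Delayed shipment from supplier", 3, 4, 3),
    ("Delivery of non-conforming product to customer", 5, 2, 2),
]


def rpn(s: int, o: int, d: int) -> int:
    """RPN = S x O x D; rejects ratings outside the 1..5 tables."""
    for name, value in (("S", s), ("O", o), ("D", d)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} rating {value} is outside 1..5")
    return s * o * d


def severity_class(s: int) -> str:
    """Severity 5 is critical class (CC), 4 is significant class (SC),
    anything lower is a common activity and the class column stays blank."""
    return {5: "CC", 4: "SC"}.get(s, "")


def needs_action(s: int, o: int, d: int) -> bool:
    """Special attention when RPN >= 80, or severity is more than 4."""
    return rpn(s, o, d) >= RPN_CUTOFF or s > SEVERITY_OVERRIDE


def resulting_rpn(s: int, o: int, d: int, action_taken: bool) -> Optional[int]:
    """Resulting RPN after mitigation; None models the blank column when no
    action was taken. Mitigation normally lowers O, so pass the re-estimated ratings."""
    return rpn(s, o, d) if action_taken else None


def assess(risks):
    """Build the register rows the QA/QC Engineer would review."""
    return [
        {"risk": desc, "S": s, "O": o, "D": d, "class": severity_class(s),
         "RPN": rpn(s, o, d), "action": needs_action(s, o, d)}
        for desc, s, o, d in risks
    ]
```

Note that the third sample row has an RPN of only 20 but is still flagged, because the severity override takes precedence over the cut-off.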

Risk Assessment review & updating: This is a dynamic document; it is to be reviewed whenever there is a change in process or customer requirement, on identification of new failures & causes, or when the process becomes unstable and/or incapable. Whenever the risk assessment is reviewed, the concerned process-related documents such as the quality plan, operating instructions, setup instructions, maintenance instructions etc. are to be reviewed and updated as required.


  • Completed risk assessment format
  • All risks controlled & mitigated


Risk Assessment and Management | XXX / MR/18 | Quality Systems Manager
