You have a customer with product ready to be lyophilized. The new lyophilizer has arrived and is ready to be installed at your facility. One engineer who works for your company is skilled in lyophilization, and many other supporting staff members are eager to learn. Your customer is working under a tight timeline, but is willing to assist you in any way possible. How will you ensure that the lyophilization process will be successful? What risks are you up against? What mitigation do you need to put in place to ensure success? This article provides an overview of risk management, and aims to change the way you plan for processes in your work environment.
Risk is the possibility that human activities or natural events will lead to consequences that negatively affect success. It is a measure of the potential ability to achieve overall program objectives within the defined quality, performance, cost, and schedule criteria. Risk has three components: What could go wrong in attempting to achieve a particular outcome? What is the probability of failing to achieve a particular outcome? What is the impact of failing to achieve a particular outcome? These three questions are answered using six basic processes: risk planning, risk identification, risk analysis, risk mitigation and tracking, risk contingency planning, and risk communication. We address each of these in this article.
The Food and Drug Administration (FDA) supports integrating risk management into decision-making. The Code of Federal Regulations (CFR) 21, Part 820 and the Global Harmonization Guidelines define “risk management throughout the devices lifecycle” as a regulatory requirement. Additionally, with industry input, the Agency published its regulatory approach to product quality: “Current Good Manufacturing Practices (cGMPs) for the 21st Century: A Risk-Based Approach.” Tighter budgets, fewer resources, and faster time-to-market constraints affect regulatory agencies, necessitating much more efficient reviews of new drug applications, inspection practices, and correspondence with industry. To help firms identify risks and mitigate errors and omissions in their development plans well in advance of document filings, the Agency strives to establish lines of communication with biotechnology firms early in the drug or device development process.
The concept of risk management is simple, but its application can be daunting. Time-to-completion issues have a strong influence on most projects and tend to affect our judgment in implementing common sense project management practices. We often rush into activities prior to performing sufficient planning disciplines. Risk management is one of these activities. It is important to remember that the cost and time of not performing risk management could compromise the safety and efficacy of a product, could result in project inefficiencies, or could even cause a project to fail.
Stakeholders execute a project only after having an idea of how much it will cost, how long it will take, and exactly what will be delivered at the end; however, the benefits of risk management are more difficult for stakeholders to understand. There are many reasons for this, but probably the most common misconception surrounds the time it takes to perform risk management correctly. A fully trained risk manager will save hours of time and create clear and measurable value. Below, the basics of risk management are explained using the lyophilization effort discussed in the first paragraph.
Risk Planning
Risk planning is about being prepared to perform risk analysis, including the development of well-documented risk management processes. There are distinct inputs associated with planning for the risk management process:
- Determine who will act as the Risk Manager. The risk manager has key input into both the risk planning and risk management processes. This individual must be an organized and responsible person who is committed to continually developing his or her knowledge and understanding of risk management. The risk manager is responsible for facilitating the risk planning, assessment, and management processes, and for acting as a conduit for risk communication, ensuring that stakeholders are kept well informed of risk issues and mitigation plans.
- Write procedures that define how risk events will be identified, assessed, managed, and monitored.
- Establish numeric definitions that represent high, medium, and low levels for the probability and impact of risk events. (Impact has three elements: cost, quality, and schedule.) Note: As represented in this article, numeric definitions ranging from one to ten are used to assess the risk event, with each number representing ten percent.
- Identify project objectives, goals, and constraints.
- Prepare project schedule and cost estimates.
- Define technical approach to the project and its specifications.
- Compile lessons learned, team member insights, and published data from similar projects.
These inputs to risk management planning help ensure the risk management program will be robust and responsive to the project(s) being managed.
Risk Identification
Risk identification begins with a team composed of the scientist(s), program manager(s), financial analyst(s), quality assurance personnel, regulatory affairs personnel, and technical support staff responsible for the effort. These individuals are engaged after the risk manager has been appointed and risk procedures have been defined. Their work begins as the project planning effort is initiated. The lyophilization case study at the introduction of this article explains that the company is being asked to perform lyophilization for the first time. Because the company has never lyophilized a product, it is likely that there may be a wide variety of uncertainties, naturally implying that risk is present.
The cross-functional team members use the outputs of the risk planning process to discuss the work scope and recognize the risks associated with performing lyophilization. Examples of these risks include: the incorrect installation or qualification of the lyophilizer; the inability to qualify the technicians or validate the process, or the preventive maintenance of the equipment; problems with melt back; and other issues that would contribute to a failed run. Identifying and documenting each risk event elevates awareness of the foreseeable problems that the project may encounter. This allows the team to analyze the risks and develop effective mitigation strategies.
Risk Analysis
Risk analysis is the most critical portion of a successful risk management program. It includes using well-defined numeric definitions that define low, medium, and high risk levels to estimate the probability of the risk event occurring, and the potential impact of the risk on project quality, schedule, and cost. Under the facilitation of a risk manager, members of a cross-functional team use their understanding of the requirements and their knowledge of program performance goals to assess each risk event.
First, the cross-functional team draws from prior experience, available data, research, and industry standards. In the lyophilization case study, the team identified “the inability to qualify the lyophilizer” as a risk event. The inputs to risk planning are used to discuss and come to a consensus on the probability that this event will occur. Because the company has never performed lyophilization, the team determines that the probability of encountering problems qualifying the lyophilizer is ‘medium.’ If more or less data and experience on the process were available, the probability would be adjusted accordingly.
The second step in risk assessment is to determine the impacts the risk event would have on the project’s quality, schedule, and cost. Using the definitions for the risk impact, the lyophilization team determines that the inability to qualify the lyophilizer on the first attempt would not impact the quality of the final drug product, because material would not be lyophilized until the qualification was successful. Alternatively, because the qualification activities would require repetition, the impact to the schedule and cost of the project would be ‘high.’
The level of a risk, or its overall severity, is the product of two factors: it is determined by multiplying the risk probability by the highest of the risk impacts. This number allows you to determine which risks most justify the continued expenditure of time and effort on mitigation planning and execution. For example, in Figure 1, the probability and impacts have been rated using a scale of one to ten. If the highest impact of the risk event is a five, and the probability of that same risk event is a six, the risk severity index for the risk is 30 (5 x 6).
The risk identified in Figure 1 is ‘medium,’ and should be handled as defined in Figure 2.
Figure 1: Impact x Probability = The Severity Index
[Figure not reproduced; surviving axis label: Highest Impact of the Risk Event]
Figure 2: Risk Severity Index Definitions.
|Concerted and continual emphasis and coordination may not be sufficient to overcome major difficulties. These events are likely to cause significant disruption in the schedule, increase in cost (relative to the total production cost of the product), or degradation of technical performance. Mitigation and contingency for these events must be placed in the program and be fully funded.|
|Special emphasis and close coordination will be required to mitigate this risk. Should this risk occur, significant disruption of schedule, increase in cost (relative to the production cost of the product) and degradation of technical performance is likely. Create a management reserve to fund the contingencies for these events.|
|Normal emphasis and close coordination should be sufficient to mitigate major difficulties. However, should these risks occur, there is potential for disruption of schedule, increase in cost (relative to the production cost of the product), and degradation of technical performance. Create a management reserve to fund the contingencies for these events.|
In the definitions presented in Figure 2, risks that have a severity index of 60 or greater are classified as high risks because they are extremely likely to occur and would have a grave impact on the project if they did occur; therefore, the contingency plans associated with these risks should be placed within the scope of the product plan. A risk management reserve should be created to fund the medium and low risks, which have a severity index between 1 and 59.
Risk Mitigation and Tracking
Once the risks have been identified, their probability established, and their impacts determined, the severity index would point to the risks that demand attention. The next step in the risk management process begins with the development of mitigation. Risk mitigation surrounds us, but we do not often pay attention to it. It is found at home, in the office, and in our cars. Locks on doors and windows mitigate against intruders. School crossings and colored vests increase the visibility of children to motorists and protect children against being hit by an automobile. Seatbelts, turn signals, and brake lights help us avoid accidents and injuries while driving. From the clothes we wear to the rules we learned from our parents and caregivers, the results of sound risk management planning and mitigation are experienced every day.
Risk mitigation plans, the heart of risk management, work to control the occurrence of risk events and eliminate or reduce the impact of risks to the program. Mitigation activities help control the likelihood that a risk will happen and must be implemented to successfully control the occurrence of risk. In the case of the lyophilization example, mitigations to an unsuccessful qualification may include hiring a consultant, employing quality assurance oversight, and soliciting the help of the vendor in the installation of the equipment. Although unknown risks may occur from time to time, risks of which we are not aware tend to be far more disruptive than those that are identified and managed.
Use the risk severity index to help prioritize risk events that warrant mitigation, and then evaluate each mitigation option carefully. When a risk is medium on the risk severity index chart, the mitigation plan must be well detailed and well managed. A team member who is responsible and accountable for managing a specific risk event must be assigned to ensure that the mitigation is implemented as planned. As the mitigation activities are put into action, the individual responsible for the risk event tracks the effect of the risk mitigation and takes the lead on the reassessment of the risk event, ensuring that mitigation activities are added or adjusted as needed. Keep the risk severity index in mind as you weigh the feasibility, associated cost, and secondary risks that may result from the mitigation activity. A simple cost-benefit analysis exercise is a good tool for an evaluation of this type.
Risk Contingency Planning
As risk events are identified and analyzed, it sometimes becomes evident that in addition to mitigating a risk, a plan to recover from the event should also be developed. When risks are of a particularly high probability or impact, they warrant preliminary contingency planning. A preliminary contingency plan contains a rudimentary description of actions for responding to an undesirable occurrence. Such a plan should be used to introduce ideas that could be developed into mature contingency plans, as required, and should always include investigations into the cause of any nonconformance related to the product, processes, or the quality systems. When risks occur, incorporate corrective and preventive actions into your contingency plan to further minimize future risks to the program.
If the qualification of the lyophilizer were not successful, the qualification would be repeated. Upfront preparation for this contingency may include ensuring that the queue in the laboratory would not prohibit this, ensuring that there would be adequate personnel to complete this effort, and stocking any raw materials that would be required.
A triggering event, such as failure to meet a technical specification, is used to identify the conditions under which the contingency plan is to be activated. Identify the team member responsible for setting the contingency plan into motion at the time the risk event is assessed. This will ensure that someone is held accountable, and corrective actions are implemented in a timely manner, minimizing further impact to the project.
Risk Communication
Because the risk plan is a living document, continual communication with the stakeholders is critical. Risk planning is developed over time and continues to evolve, so risk communication is at the heart of risk tracking and control. Risk identification and assessment happen early on so the details may not be precise when risk(s) are identified; therefore, risk assessments must be revisited throughout the life of the project so that they can be improved as more information is acquired.
Risk is all around, in every project we work on. We can choose to ignore it, or we can choose to manage it. As risk-related decisions are made, keep in mind that ignoring risk does not eliminate it. Lessons learned show us that the time and energy associated with implementing a risk management program can help to ensure the safety and efficacy of a product, can eliminate project inefficiencies, and may even prevent project failure.
References
- Department of Defense, “Risk Management Guide for DoD Acquisition (2003)” Defense Acquisition University.
- FDA, Pharmaceutical CGMPS for the 21st Century — A Risk-Based Approach.
- McClellan, M., “Food, Drugs, and Economics,” Economist, Vol. 368, No. 8338, 2003, p54.
- Buxton, S and Rudolph, H., “Common Themes in the Global Regulatory Milieu,” IVD Technology, Jan/Feb 2004.
- Global Harmonization Task Force, “Status Report on GHTF - SG4 Activities and Work Plan: 2005 – 2006.”