Blog Entry

Risk Assessing The Risks: Deliberations On Risk Prioritization

One of the dilemmas facing the quality risk management function is with a series of completed risk assessments and a series of multiple outcomes that require addressing, in the context of limited resources or other scheduling issues (1). When faced with multiple risks, how are these to be prioritized? This represents that part of risk management that assessed what needs to be managed and how much effort should be focused towards achieving adequate performance and avoiding undesirable events.

While The Elements Of Risk Assessment Are Well Documented, Namely:

  • Risk identification:
    • Defining the product
    • Identifying the hazard(s)
    • Identifying the subject(s) at risk
  • Risk analysis:
    • Describing how the hazard may harm the subject
    • Describing the potential harm
  • Risk evaluation
    • Determining the severity of harm
    • Determining the probability of harm
    • Determining the risk level by combining the severity of harm and the probability of that harm occurring in the scenario described

Dealing with competing risks is more complicated. This requires a risk prioritization step, where the overall set of identified risk events, their impact assessments, and their probabilities of occurrences are reviewed in order to derive a most-to-least-critical rank-order of identified risks. This involves the use of some form of risk comparison or risk ranking process (2). With risk ranking, this involves the rank ordering of different issues into a risk hierarchy. This requires a numerical application in order to create a decision model. The availability of quantitative data is not always available for this task; when presented with qualitative data, who can risks be ordered? This paper presents a possible approach for consideration. In doing so, the author is of the opinion there is no single best method for risk ranking. The method to be used should be selected on the basis of risk manager requirements, data availability, and the characteristics of the method. What is offered here is one possible method.

Risk Considerations

In the context of pharmaceuticals and healthcare, the important risk considerations are:

  1. Risk to patients
  2. Risk of an adulterated product
  3. On-going environmental risk, that might have a high likelihood of causing ‘1’ or ‘2’ in the near-future.

To the above, economic consequences also need to be considered. Where choices are required, areas to consider include:

  1. Stop the activity
  2. Reassess and reorder the activity
  3. Introduce new control measures

The above can be supported by the use of real-time monitoring that might indicate an issue that can either be corrected or the where the manufacturing process can be halted or terminated. In this context, a great deal of microbiological environmental monitoring is unsuitable due to limitations of detection (a product of sample size, instrument metrology, or organism viability) and the relatively low number of real-time instruments available. However, drawing on monitoring data cane help with assessing likelihood (3).

A Risk Prioritization Process

Arguably, because less information is known when assessing between relative risks the best approach is to use a qualitative process. Such a process, as proposed here, can involve the examination of the sources of risk (issue identification), the potential consequences (impacts) associated with each issue, and the likelihood (probability) of a particular level of consequence actually occurring (4). Each of these factors is considered in turn:

Issue Identification

The extent of issues depends on the scope or sub-scope of the inquiry. For example, a scope maybe a process area shutdown and the sub-scope might be door repairs. There are different means through which an issue can be identified, such as:

  • Engineering work request
  • QA inspection
  • Local area detection
  • Deviation
  • Change control
  • Out of specification or out of limits result investigation.

Multiple issues require prioritization, and this is a factor of consequence and likelihood.


  • 0 – Negligible: No risk to patients / product or on-going environmental issues.
  • 1 – Environmental interactions may be occurring, but this is unlikely to impact on product.
  • 2 – Measurable impact on the environment that could have a impact on product over time,
          especially if conditions deteriorate.
  • 3- Catastrophic risk to the product (and hence patients) exists, either directly or as significant
        environmental impact.

The factors are examined on an ordinal scale with impact ranging from negligible (virtually no impact with a score of 0) to a serious risk of product contamination (with a score of 3).


  • Remote (1)         Contamination is unlikely to occur
  • Possible (2)        There is some evidence or an apparent vector that contamination could occur
  • Likely (3)             Contamination is expected to occur

The qualitative likelihood list has three ordinal levels ranging from remote (contamination is considered unlikely, scored as 1); to likely (expected to occur; with a score of 3).

Assigning A Risk Value

The risk value for each issue can be calculated as the mathematical product of the consequence and likelihood levels, producing possible risk values between 0 and 9. Issues can then be assigned to an appropriate combination of consequence and likelihood levels. In making the assessment, it is important to consider that the likelihood of a consequence occurring is a conditional probability. For example, it is possible to assess the likelihood that, given a particular type of technology (e.g., such as a barrier system), a particular level of consequence (e.g., microbial contamination of a product vial). It is important that the assessment determines the likelihood that a particular consequence may happen sometime in the future, not just assess its current status. Where a non-permeant control can be put in place, the assessment can be re-run and the risk value may change. Typically, detection is not a factor that can be used to alter the risk value; detection can be used to provide evidence of likelihood (when applicable) but going forwards absence of evidence cannot be taken as evidence of absence, especially with forms of contamination that are difficult to detect (such as microorganisms). In other words, simply because failures are not being recorded this does not necessarily provide the basis for risk value reduction in the context of the likelihood of a risk becoming more likely over time.

Example risk values are:

  • Negligible:


The issue presents a low risk and can be assigned a low priority

  • Low:


No specific management actions needed; however, the issues should be resolved at the earliest opportunity.

  • Moderate:


Specific management is needed to control the situation; issue should be resolved as soon as is practicable.

  • Extreme


Immediate resolution required

Often the data available to make assessments is limited. In such circumstances, scientific inference from the literature, and management experiences associated with similar issues and impacts elsewhere, can be used effectively. As a further note of caution, any risk prioritization approach requires having available adequate descriptions for each level of consequence and likelihood. It follows that the more precise this is, then the less ambiguity there will be when assigning ratings. It is also important that risk assessments be based on sound scientific evidence and in appreciation of the relevant standards and guidelines. It would not be expected to use risk assessment to justify poor practice in relation to non-compliance.

As an example, data plots can be constructed to help work out the order of activity (as per figure 1):


There are complications with any approach. All risk methodologies rely to a degree on human judgment. With this, the perception of risk depends on several factors, including early experiences, education, controllability of the risk, the type of consequence, and the type of person(s) who makes the judgment. There are also aspects that create a level of fuzziness in any risk comparative recess, such as accuracy of methods, computational simplicity, large-scale problems, sensitivity to the parameters, discriminative measure, and inconsistency.

Sometimes, where there are competing high risks, different approaches or running separate risk value process may need to be employed. For example, between microbiological agents and chemicals, or for health and safety. This is because it can be difficult to rank differing items together using the same metrics.


The outcome of a risk value assessment should be documented. Reports should detail the risk values generated together with a justification of each of the risk levels selected. This may include references to data and to relevant scientific publications. It will be important that inspectors can understand why issues were accorded the values as well as for a far more effective review of risk values at a later date, including a means to compare a current assessment with a previous assessment.


When setting their priorities, risk managers face the challenge of there often being a large number of risks to be considered linked to various issues (5). The major purpose of prioritizing risks is to form a basis for allocating resources or for addressing priority issues, especially those that may cause patient harm.

One method has been presented here, providing a means for risk prioritization. By operating such a process, the intention is not to infer that risks are no longer important. In running such a process within the pharmaceutical context, the key considerations are patients and products, offset by the degree of control.


  1.  Caldwell, D., Mastrocco, F., Margiotta-Casaluci, L., Brooks, B. (2014) An integrated approach for prioritizing pharmaceuticals found in the environment for risk assessment, monitoring and advanced research, Chemosphere, 115: 4-12
  2. Lundberg, R., Chatterjee, S., Brigantic, R., Waterworth, A.  (2021) Comparative Risk Rankings in Support of Homeland Security Strategic Plans, Applied Risk Analysis for Guiding Homeland Security Policy, pp01-124
  3. Sobus J, Tan Y, Pleil J and Sheldon L (2011) A biomonitoring framework to support exposure and risk assessments, Science of The Total Environment, 409 (22): 4875-4884
  4. Francis R..,  Shotten R.. (1997) Risk” in fisheries management: a review, Canadian Journal of Fisheries and Aquatic Sciences, 54: 1699-1715
  5. Fischhoff, B. Morgan, G.  (2011) The science and practice of risk ranking. In  Fischhoff, B. (Ed.)  Risk Analysis and Human Behavior, Routledge, USA

Download the Blog Post

Product Added Successfully

This product has been added to your account and you can access it from your dashboard. As a member, you are entitled to a total of 0 products.

Do you want access to more of our products? Upgrade your membership now!

Your Product count is over the limit

Do you want access to more of our products? Upgrade your membership now!

Product added to cart successfully.

You can continue shopping or proceed to checkout.

Comments (0)

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
  • Use to create page breaks.
Enter the characters shown in the image.
Validated Cloud logo