Risk management is more than just a regulatory requirement that pharmaceutical companies are obligated to as part of the risk-based approach. Risk management is a constant effort, requiring proactive activities and continuously improving processes. It’s a methodology whereby we identify, analyze, evaluate, mitigate and monitor risk across the lifecycle. Most importantly, it should be a part of the culture.
Effective risk management means attempting to control, as much as possible, future outcomes by acting proactively rather than reactively. Therefore, effective risk management offers the potential to reduce both the possibility of a risk occurring and its potential impact.
The Risk Revolution series, part of the Voices in Validation podcast, uncovers the latest challenges in risk management, with the goal of advancing the maturity of risk management practices within the industry by covering topics that challenge quality professionals to seek opportunities to improve and advance the ways in which they perceive and manage risk. This article will cover the top 6 themes around risk management, providing questions and answers from our sessions with hosts Nuala Calnan and Lori Richter, including commentary from industry thought leaders and regulators.
1: RISK CULTURE
What Is Risk Culture And How Do We Achieve It?
That's something we've struggled with across the industry, and in cases don't necessarily try to build or acknowledge at times. A couple of components to consider when thinking of risk culture at a very high level.
- What is our attitude or perception of risk?
- How do we view risk, across teams, across companies, across the lifecycle?
- Are we identifying risk? What are we looking for and how do we recognize it?
- When we do identify risk, are we afraid of them? Do we ignore them?
Behavior is the second piece when we identify a risk.
- Do teams understand that risk and exploring mitigations for that risk or forming risk acceptance rationale for that risk is essential.
- Do we hide from it, not acknowledging the risk or putting it back under that rock that we lifted up?
Those are the two major components that then equate to building a risk culture. But the most critical piece is in what ways are senior leadership driving that culture from above? Are they open to identifying and talking about risk - escalating risk up through their governance structure? Or would they rather us just move forward and not stop and think about those potential problems that could arise?
Once those forecasted risks are identified, allocating resources where they are needed to mitigate those risks is also a challenge. We oftentimes are really excited about firefighting. When issues arise, we put all our time, talent and money toward it. But when it's a potential risk, we over qualify - “Could it really be realized? How much money do we want to invest in that? If we don't know if it's really going to happen?”
Sometimes we need to accept the risk, ensuring that metrics are in place to benchmark our success at effectively managing that risk throughout the whole life cycle. Being comfortable with the process, accepting that identifying risk can make us better, and teaching teams to use the data and leverage their strength to minimize risk are all factors in fostering the risk culture.
2: RISK CURIOSITY
What is this concept of risk curiosity and how important is it in terms of building a healthy risk culture?
It begins with defining what a risk culture looks like amid a cross functional team. Avoiding risk is very much programmed into us as a human, from a primitive level, risk is associated with survival. “I must survive this risk, I must fight this risk, I must arm up against it.” Risk is scary.
Risk can also be an opportunity. Discussions around risk, the risks that are necessary - or worth taking – like the speed at which we produced a vaccine in the face of a global pandemic, can lead to amazing discoveries. Teams that are encouraged to use risk as a catalyst for improvement can be more proactive and less fearful of the deviation.
Being risk curious is also a positive thing, and it should be encouraged. With a healthy risk culture, employees are encouraged to speak up. There should also be any open culture where constructive challenge is welcomed too. This can increase the transparency and acknowledgement of risk, either that are identifiable or foreseeable. In addition, risk curiosity allows leadership to gain more respect and confidence in their employees and to inspire them to develop trusting relationships and more collaborative efforts with colleagues.
We've got to create a workforce of proactive problem solvers and perpetual learners. Proactive problem solving, means encouraging people, empowering them, supporting the concept of “if you see something - raise the flag.”
3: RISK-BASED DECISION MAKING
What is the definition of risk-based decision and how are regulators describing it?
After reviewing several companies, each typically have at the very end of their SOP, something to the effect of, “then make a risk-based decision.” We are left to interpret that on our own – what does it really mean? Before we move forward, let’s step back and discuss this ia an idea beginning with ICH Q9 nine in terms of risk based decisions. There we uncover a few places where it's sort of quoted and here we will call those out. 1) Effective quality risk management can facilitate better and more informed decisions. Sit with that phrase. Sometimes we get so wrapped up in the tactical aspects of performing a risk assessment and whether something's red, yellow, or green, that we forget that this exercise is really providing us with information to help us make that decision.
The regulatory guidance is not a magical book that when the Excel spreadsheet opens lights are shining from the heavens and answers are provided. Nowhere in ICH Q9 does it say, “this is how to make a risk based decision,” it Isn't written that way. It's not going to provide those instructions. Rather, It's giving you information in some sort of standardized approach. That's going to help the decision maker in making the decision, but they will still need to make that decision.
The lack of a definition or clear cut explanation on risk-based decisions is a challenge. We have no consensus of what that means, and it means different things to different people within our industry and even further themes. For example, if you're in the military, a risk based decision might mean, “how much would you, or how far would you risk your team or your crew to complete the mission?” If you were in finance it's, “how much money you would risk perhaps for some payday?”
Finding a definition that might might suit our industry a little better we turn to ISO 31010, the 2019 standard. Actually, buried in there is a little attempt at defining what they mean about decisions - in depth. There they discuss two types of decisions.
- One is decisions about the significance of risk. So perhaps there are the types of decisions we make within quality risk management. For example, when we're deciding what tool to use or what risk ranking approach to take, or how to rank a risk score.
- The second type of decision they have said is that decisions that involve comparing options when there's some level of uncertainty, which likely these are the decisions we use QM or RM to inform.
4: Bias and Heuristics
How does bias and heuristics impact our day to day decision-making and how does this play into risk-based decisions?
Heuristics and biases is a very interesting subject in regard to risk management and how it impacts our decision-making and our thinking in general. Risk management is all about the decisions that are being made, so this concept is really important to understand as we move forward.
Before we dive in, we must understand the difference of bias and heuristics. These terms are often used interchangeably or used together, however there's actually some distinction between the two.
Bias – this is when we favor some “thing” over another “thing.” That favor may not actually have any sort of data support behind it. It may be based on experiences we've had where one thing gave us a more positive outcome than the other. So that becomes our favor, and this behavior is innate, a part of us being human.
Heuristics - This is a mental short-cut to a decision, based on previously successful outcomes. This decision is not always based on data either. For example, employing trial and error, rule of thumb or an educated guess.
The first step to addressing bias in our decision-making is to acknowledge that it exists, and it does affect us. Next is becoming educated on the topic. To understand it, identify it, and then addressing some of the impacts to your risk management activities and your decision-making. It’s important to take the negative connotation of the term bias. Biases are not necessarily good or bad, they are just part of our daily experience and looking at them and being aware of them is what's important. In the context of risk management, it's really made up of a number of micro decisions that culminate in one final risk acceptance decision.
Therefore, it's really critical to understand how bias and heuristics can be influencing you along the way, because you don't just apply all this work and then eventually make this decision to accept the risk, right along the way. You're deciding what information to include, what information not to include in your risk assessment. What risks you've identified and what risks you don't identify. When it comes to scoring, that's an area where there's often a lot of opportunity, especially if you're using a more subjective method on how to do that.
The last thing is that our perceptions can be influenced by bias, for example, there's a bias called the status quo bias, which is a preference for the current state of affairs. A person impacted by this may think, we've always done it this way. We know this works; we've done this for a long period of time. I don't think there's an issue here. So, I'm not going to necessarily evaluate that. That's an opportunity, you know, where we may miss something. In general, bias and heuristics are a key consideration in understanding the impact of your decision-making and what you as a human being bring to the table that's outside of the data and the hard facts.
What is the importance of facilitation in the risk management process and how does it lead to the success of the risk assessment?
Just like root cause analysis activities, the right facilitator is so such a critical factor in the whole risk management process of getting to those right answers. The facilitator role is even more important today than it used to be. The risk facilitator is really meant for instances where we have a formal risk assessment, as you get a little bit less formal, or when you have simple things for quality systems input or change control, something simple, you wouldn't necessarily need one.
The facilitator will wear a lot of hats throughout the process of the facilitation. They start out as a project manager. So, they run the prep work, help coordinate the team necessary to carrying out the assessment, determine the owners, and sometimes ascertain what data needs to be brought in, and they contact those people ahead of time to make sure that it's ready. A good facilitator also has the ability to manage a group of SMEs, and helps the SMEs understand the burden of FMEA methodology is not on them.
The work of the facilitator starts well before the risk assessment activities. From setting up the schedule of events and who needs to be there, speaking to the risk owner, establishing who that owner is, making sure you've got the leaders involved. Then with that risk owner getting the scope, mitigating scope creep which can happen when people are not clear on what problem they're solving for.
6: The Risk Mindset
Dreading the risk process is something we see across industry, for many teams. How can we change that mindset to embrace the risk process and make it a part of daily activity?
Typically, people approach the concept of risk as something that has to be avoided at all costs, that it's a bad thing. The thought that we have to survive it, rather than thrive with it, but of course every business is operating on a risk threshold. It’s important to begin to spin risk a little differently. It starts with being risk curious, and really looking at that risk. It doesn't mean we love talking about risk management, or that we're running out, taking risks all over the place with reckless abandon. Rather, understanding where the risks are, talking about them, and planning around them.
We talk about risk mitigation all the time. Often when talking about risk mitigation, what we’re really trying to talk about is risk prevention or, risk reduction. Actually, the term that gets used all the time refers to how we can mitigate that risk. How are we going to do risk mitigation?
When, you look at the term risk mitigation, it is simply about managing the aftermath of the risk event. It is assuming the risk event has happened or will happen. therefore, Risk mitigation is about reducing the impacts or the consequences of that, and it immediately jumps into what can we do after the fire has broken out, rather than again, moving over to the left of our bow tie or our barrier analysis model that we talk about. We focus in on risk reduction and risk avoidance and risk acceptance, those other terms, not realizing that they've already given up the ghost and accepted that the risk event is going to happen in the first case. That's where we feel the dread.
To correct for that dread, we need to encourage people to get back to being curious. It's curiosity, creativity and innovation that we want to bring into risk assessments, rather than a scenario where we're all sitting in a room looking at a hundred lines of an Excel spreadsheets at 0.6 font. The number one behavior we really need comes in providing some sense of encouragement around the cross-functional element. If that means having individual risk practitioners that are out there that are cross functional and helping enable that, to create a team that feels comfortable talking about their vulnerabilities together. We can use the risk assessment as an opportunity to see that there's a spectrum, that is inherently terrifying to people who spend their lives in the scientific, just in a scientific discipline where there's a right answer and navigating this land of uncertainty and allowing people to do that with curiosity. Our best effort at creating these behaviors of moving forward to a more positive mindset.