Guest Column | July 10, 2019

A Tactical Approach To Risk Management At The System-Level

By Megan Marshall, Halloran Consulting Group

Risk Decision

Many biotechnology/pharmaceutical organizations are in the early stages of developing their risk management process. For the most part, we tend to see this process developing at the clinical trial level. The struggle with implementing these practices solely at the trial level is that it quickly becomes inconsistent and obsolete. Study teams are taking the time to assess risk as it applies to their trial, but the information gained is seldom shared cross-functionally or upward through an organization. It is more of a “going through the motions” type practice — which is then filed away, never to be utilized again.

There is certainly no major fault associated with this practice (thinking about risk at all is a step in the right direction), but the sustainability and consistency of that approach is extremely limited. If you only think about risks at a trial level, there is a chance there are elements of the big picture you aren’t capturing. It makes for a more difficult assessment, as you are essentially starting from scratch each time, instead of tapping into the wealth of knowledge that already exists organizationally.

If we begin to elevate these practices to the system (or sponsor) level, our line of sight into our potential risks immediately widens. By establishing risk management processes at that system level, we can start to define a consistent and sustainable approach that can be cascaded down into and across our organization through all our clinical trials. The questions then become “What does this look like, how do we do it, and who drives the process?”

Set The Stage By Assessing Current Organizational Capabilities

Let’s start with arguably the most difficult part of this process — establishing it. This is a substantial undertaking, and it certainly is not something that will happen overnight, but it is a necessary step to driving success. The biggest hurdle will without a doubt be getting the ball rolling and having a good understanding of your organizational capabilities in managing this process.

It is extremely important that when developing a cross-functional risk management program, you are “right-sizing” it for your organization. A lot of organizations try to adopt overarching risk management practices that they just don’t have the bandwidth to comply with — which is ultimately a risk in and of itself. Take the opportunity to really assess the current state of your organization and think about where you want to be in the future. This will be a great foundation to start building a successful process. Doing your homework and taking the time to build a strategic fit-to-size implementation plan may save some major headaches in the long run. 

It may also be beneficial to perform a mini gap assessment on your current organizational processes. Understand what processes you already have in place — you may be surprised! It is likely that your manufacturing team already has a risk management process, so this may be an opportunity to elevate that process consistently across the organization. At the very least, it gives you a good starting point to think about risk management and how it translates to other aspects of the business. This assessment will also help you to better understand what is feasible in the short term and what your wish list might be for longer-term risk management goals. 

It would be great if we could identify who owns and drives this process, but there really is no right answer. It is certainly a pain point for most organizations and somewhat of a double-edged sword. We have seen a shift in leadership buy-in when it comes to the acknowledgement of the necessity for risk management processes, but that acknowledgement doesn’t always come with resource allocation. It tends to end up on the shoulders of whoever wants to step forward, own it, and run with it.

In our experience, we have seen a wide range of drivers, including clinical operations, quality, project management, a designated risk management function, or a cross-functional team. In all cases, the theme has been an individual or group who recognizes the need for a more robust risk management process and has the willingness and bandwidth (take that with a grain of salt) to execute.

Develop Your Right-Sized Processes And Procedures

Once you have a better understanding of what your current capabilities are, you can begin to establish your process. Creating an overarching risk management procedure sets the stage for how your cross-functional teams are going to consistently perform risk management activities. Taking a tactical approach to this process is key — you aren’t trying to reinvent the wheel but rather ensure appropriate fit.

Develop a risk management procedure with consistency in mind, as you need the process to be adapted cross-functionally. By leveraging the knowledge gained in your organizational assessment, you can take any existing risk procedures and elevate them to be more applicable in the GxP setting or use your understanding of current processes to create a brand-new procedure. Adapting and defining a process takes time and refinement, so be patient and ensure your initial process is realistic for all parties involved.

Best practice would be to start with the basics and give yourself the opportunity for growth and development. Keep in mind that the struggles associated with risk management don’t necessarily come from understanding the concepts but rather application of the concepts. Taking a lean and concise approach to development of procedures will provide responsibility, accountability, and clarity to a seemingly intimidating process.

It is also important to ensure that the process has a cascading effect. The purpose of establishing this high-level risk management process is to be able to facilitate sharing of risk information up, down, and across the organization. The process should be harmonized with your organizational culture and governance structure. Take the opportunity to think about those “key players” and appropriate communication pathways. Are you going to utilize cross-functional risk assessment teams? Who are the players? How is this process initiated? How is this risk information going to be shared and where will it be kept? Can your company support a risk coordinator function?

Ensure that your process incorporates the need for risk review cycles. Risks are subjective and fluid, meaning that not only will the impact of risks change over time, but new risks will continue to emerge and need to be addressed. This is a key piece of ensuring a robust risk management process and maintaining oversight throughout clinical initiatives.

Assess And Adopt Risk Management Tools

When developing your processes and procedures, it will also be beneficial to assess what risk management tools (if any) you feel best fit your organizational style. There is no shortage of debate over what works in different organizations and this will absolutely be something you will experience when defining your risk management program.

You don’t have to nail down a tool right away — in fact, that may be less beneficial when piloting your process. We see organizations using TransCelerate’s RACT tool, which is free and can be downloaded from the internet. It is a well-defined and complex tool, but we have found that smaller organizations tend to struggle with it a bit, especially if risk management is a new concept. Some smaller organizations tend to prefer the Metrics Champion Consortium (MCC) Risk Assessment and Mitigation Tool, as it is very user friendly and comes with webinar instructions. However, this tool is not free, which may be a negative for some. AVOCA also offers a lot of really great risk assessment tools and information but does require a membership. Many organizations choose to create their own risk assessment tool to accommodate their process.  That may be a simplified RACT-style tool, a risk survey, or even a prepopulated risk assessment tool that is circulated to different departments for review and comment.

It is also beneficial to develop a risk library to document identified risks. Having a library gives you a jump start on your risk assessment as you move through feasibility and across study phases. This library is a great place to keep a record of the organizational knowledge (both internal and external) that you have gained over time.

Leverage the experience you have within your organization to build a risk library. Even if you are at the very early stages of development within your company, chances are there are multiple people with many years of experience to share. It is a very useful tool that can help prompt others to start thinking about potential risks in a more organized way. Using a risk library or a prepopulated risk assessment tool pushes people to begin to think more critically about how certain risks affect their areas. Identifying meaningful risk is a challenge and something that typically feels foreign to people initially, so any assistance in sparking that thought process is helpful.

Gather Feedback And Roll Out Training To Engage All Functions

Once you have defined your risk management methodology, it is important to ensure that your teams are able to provide their feedback. Circulate risk management procedures with teams across the organization and ask for their input on the process. Take the time to meet with different teams and understand their perspectives. Once you have established your procedures, it is important to take the time to train staff on the risk management process and risk management tools. You could even go as far as having different groups test out different tools prior to implementation. It is crucial to engage with cross-functional teams, so they understand not only the why but also the how. It may be useful to engage experts or hold risk management workshops when rolling out these programs to ensure that everyone is clear on the process and invested in the purpose and application.


Although difficult to picture, it is necessary to approach risk management from a hierarchical perspective. Establishing a strong and consistent process across your organization is key to the success of the initiatives. Taking a siloed approach cripples your ability to see across your studies, functional teams, and organization. By being tactical and creating that uniformity at the system level, you can drive sustainability and eventually mature your risk management practices across studies and programs. It is a crucial step in building quality by design and, furthermore, achieving a state of constant inspection readiness.

Keep an eye out for Part 3, our final and most granular article in the risk management series, where we will take a deep dive into the successful application of risk management in clinical trials.

About The Author:

Megan Marshall has more than three years of experience in quality assurance and clinical diagnostics, focusing in immunology and infectious disease testing. At Halloran, she is responsible for writing and evaluating procedures, identifying and executing process improvements, and assisting with CAPA development and various audits. Prior to joining Halloran, Marshall was employed by Oxford Immunotec, working as a quality assurance specialist, providing support across a diverse operations group that included diagnostics, device manufacturing, and R&D. Within this role she was responsible for various tasks that ensured compliance within the quality management system that included procedural reviews, internal/external auditing, supplier quality, CAPA and risk management, and driving continuous improvements.