Guest Column | May 16, 2019

4 Key Ingredients Of A Robust Risk Management Framework

By Paola Murphy, Megan Brickley, and Sheila Gwizdak, Halloran Consulting Group


It is certainly no surprise that risk management continues to hold the spotlight as a hot topic within the biotechnology/pharmaceutical industry. With the increased focus by regulatory authorities on an organization’s ability to identify, mitigate, and control risks, the industry remains in a state of growth, developing and evolving practices to ensure proper alignment with industry best practices and regulators’ expectations. Many organizations are finding it difficult to establish and embed risk management practices, as doing so requires a paradigm shift from a traditional risk-averse industry culture.

Establishing risk management practices enables companies to make proactive, data-driven decisions focused on critical data and processes and allows organizations to focus their resources on the integrity of processes that protect the safety and welfare of participants and the reliability and accuracy of data produced. However, the reality surrounding risk management programs is that many of our industry colleagues are feeling the pressure and are struggling to establish a robust and consistent framework. There is no gold standard practice for crafting risk management processes within clinical and quality systems. Although the necessity for risk management has been apparent for many years, organizations continue to find it difficult to make the cultural shift from the old traditional process methods to newer systematic risk-based and data-driven approaches. While the basic principles of risk management are relatively instinctual and well known, they are continually overanalyzed to the point of exhaustion and loss of direction, with no established process to redirect. Before we apply risk management to our clinical and quality processes, it is important to think more holistically and broadly about risk management and how the framework is developed to support the process.

1. Leadership Commitment To Building Risk-Management Culture

Like all successful initiatives, risk management needs to be integrated into an organization’s culture. That starts at the top. The ability of an organization to design a risk management framework and filter it throughout all organizational levels is crucial for success. Leadership buy-in is a necessary step in establishing this framework. Leadership must align business practices with risk initiatives and allocate resources to implement, monitor, and improve. We find that it is very useful to derive parallels between GMP and GCP risk management practices to tell the story to executives. We tend to find that the well-established risk management practices that are ingrained in the GMP world similarly now apply to what we are doing on the clinical development side and help bring that risk management focus to all GxP practices. Ultimately, leadership must be committed to design, evaluate, and improve products that are critical to patients, and the new risk management process within clinical trials reinforces this discipline and commitment.

2. An Understanding Of How Risk Management Fits Within Your Organization

Risk management is not a one-time activity, but rather it is a life cycle that spans across sponsor systems, programs, and clinical studies. Generally, we see organizations going through the motions of a risk assessment without having a framework in place to support a meaningful and sustainable process. Risk management should be used to drive decision-making across an organization and address risks by creating plans that support identification of risks and the mitigations that address them. There needs to be a process in place that is capable not only of driving action but also of supporting the filtering of information across all levels of the organization. Building and engaging risk management during early stages of development across the organization provides the opportunity to forecast and prevent potential roadblocks or issues. The goal is to craft a risk management process that fits within your organizational infrastructure without reinventing the wheel. We generally see companies struggling to implement borrowed processes that don’t fit into their mold, which leads to failure or unintentional deviations. The process needs to fit the organization; if it is too cumbersome or requires resources that are unavailable, it will be ineffective.

3. An Organizational Infrastructure That Supports Risk-Management Initiatives

To effectively implement risk management processes, organizational roles and responsibilities that include decision-making capabilities need to be established. By allocating resources to support risk management initiatives, organizations can focus on creating a well-defined and consistent process across the entire organization. This risk management process should include establishing training programs and cross-functional risk management teams and, when possible, using risk management experts. This also includes establishing processes and procedures around risk management. The goal is for all functional levels to be performing risk management activities in a consistent way. This allows for the integration of risk management with key QMS and clinical processes.

This infrastructure should be built at the system (sponsor), program, and clinical study levels. At the system level, risks include SOPs, computerized systems, and personnel. As you move to the program level, risks will change and may focus on risks across all clinical studies, such as risks related to investigational product or critical data impacting clinical and medical risks. At the study level, risks from programs are assessed in greater detail. This is an effort to provide functional-level mitigation throughout the life cycle of the study. It is here that primary endpoints and critical safety parameters are assessed and alignment with quality standards occurs.

Identified risks continue to filter through your organization. Designing a risk library is a great opportunity to ensure transparency and consistency in the identification, assessment, and mitigation of risks. Establishing risk predictability over time is the appropriate way to mature the process.

4. Cross-Functional Outlets To Facilitate Information Sharing

Information sharing is essential for the development of a robust risk management process. This is an opportunity for organizations to retrospectively review risks and share pitfalls and successes regarding execution. The information that is shared within and across the organization provides a kickstart for moving into the next phase of planning or starting a new initiative. The knowledge gained through “lessons learned” and other similar activities is valuable insight that can be used across all organizational levels. This is also a great opportunity to evaluate and engage your vendors and sites. Did your vendors meet the agreed-upon expectations? What were the positives and the pitfalls? Was your protocol too robust and difficult to carry out? Were the procedures and plans that you had in place effective? Was your selection process appropriate? Having this feedback from sites and vendors allows you to improve your processes and further mature your organization’s ability to anticipate and mitigate future risks.


With the advent of ICH E6 R2, risk management processes have arrived in the planning and execution of clinical trials, and they are here to stay. It is important for organizations to obtain leadership buy-in that their clinical organizations need to adopt the changes in regulations and this new way of thinking. To do this, companies need to arm themselves with a solid understanding of the fundamentals and the why, how, and when risk management principles are applied to clinical research and by whom. Once this is understood, the changes can begin to take shape and one can begin to slowly build the new processes and develop the skills required. It is a journey, and organizations need to be patient as they embark on building new risk management processes. You cannot expect to have cascading risk management processes across studies, programs, and system levels right off the bat, but you can expect that regulators will be looking to see that companies are moving in the right direction, with a) conversations taking place early in study design to identify key risks affecting patient safety and data integrity, b) a plan for mitigating and controlling these key risks, and c) information sharing across the study teams and organization. While we intentionally did not get into the specifics in this article, we wanted to sketch the overall big picture, so organizations do not fall into the trap of overbuilding their risk management process by applying “industry-standard” tools and losing the main purpose for which it is intended.

Be on the lookout for our next article in this three-part series, which will dive into the details on how to establish a cascading risk management process at the system level, facilitating a sustainable process.

About The Authors:

Paola Murphy, managing director, joined Halloran Consulting Group in 2010. She has over 17 years of medical device experience and focuses on the following areas: global clinical program development and project management, strategic planning, due diligence and integration, organizational development, change management, infrastructure augmentation, continuous improvement, quality systems, and regulatory strategy. Murphy is Regulatory Affairs Certified (RAC) by Regulatory Affairs Professionals Society. She earned a master of public health in epidemiology and biostatistics at Boston University School of Public Health and a bachelor of science in biology at Providence College.

Megan Brickley, consultant, joined Halloran Consulting Group in 2018. Her expertise is concentrated in quality assurance and clinical diagnostics, focusing on immunology and infectious disease testing. At Halloran, she is responsible for providing quality support across multiple practice areas, which includes inspection readiness activities and QMS framework development. Prior to joining Halloran, Brickley was employed by Oxford Immunotec, working as a quality assurance specialist, providing support across a diverse operations group that included diagnostics, device manufacturing, and R&D. Within this role she was responsible for various tasks that ensured compliance within the quality management system that included procedural reviews, internal/external auditing, CAPA and risk management, inspection readiness and driving process improvements.

Sheila Gwizdak, principal consultant at Halloran Consulting Group, has over 25 years of experience in the biotechnology and pharmaceutical industry. Her career has focused on quality, process improvement, and training, including the execution of corporate and department-level quality assurance initiatives such as SOP development, compliance, gap analyses and remediation, inspection readiness, audits, and training. Gwizdak also has specific experience in inspection readiness activities (FDA, EMA, MHRA, and PMDA) including storyboard development, coaching, and conducting mock inspections. Before joining Halloran, she was a director at Alexion, where she supported the development and implementation of a quality management framework that included the standardization of procedures, systems, training, and processes.