In order to lay the foundations of a robust risk management program at your life science organization, many important activities must be undertaken. One particularly critical component worth considering is an iterative approach to risk management.
The process of iterative risk management helps in identifying high-priority risks early on in the design process. Resulting controls can be incorporated into the product design to ensure safety and effectiveness. Once these are controlled, lower-level risks can be better managed. By adopting this approach from the start of development, time is saved from otherwise having to do retroactive design work, and product quality can be improved.
There are five key steps in the iterative risk management process: evaluating product requirements, scoring/prioritizing risks, developing controls, performing impact analysis, and implementation. These steps repeat (sometimes in nonsequential order) and build more robust risk controls as a result. But what does each step look like?
1. Evaluate Product Requirements
Evaluating your product requirements seems straightforward, but there are a number of tools and factors that can play into this step of the iterative risk management process. Conducting activities such as fault tree analysis generate insights as to what it takes for a failure mode or error to occur; meanwhile, hazard analysis evaluates known or anticipated hazards, hazardous situations, and harms in relation to your product. Each of these generates different risk controls as a result.
2. Score and Prioritize Risks
Risk scoring comes in many shapes and sizes. Most organizations, however, use a simple matrix that assesses the severity of a risk in relation to its probability of occurrence. Each of these factors is assigned a numerical value, and the higher both are, the higher the risk control priority. Scoring and prioritization can additionally leverage a color scoring system associated with the numbers in the matrix to more easily delineate between risk priority levels.
3. Develop Risk Controls
After you evaluate your product requirements, apply scoring, and then prioritize accordingly, the next step is to develop risk controls and mitigations. There are five main approaches to formulating risk controls: assume, reduce, avoid, transfer, and monitor. How you decide which controls are most appropriate depends on the level of risk and how adequately it can be designed out of your product.
Assume
Assuming risk in your product design should only occur if all attempts to reduce or avoid it altogether have been made. Good faith efforts to control risks as much as possible are expected by FDA and other regulatory agencies.
Reduce
Risks that cannot be fully designed out of your product must be reduced or mitigated to acceptable levels. This is a common risk management approach in life sciences, and is reflected in both regulatory guidance and international standards.
Avoid
Controls for avoiding risk usually involve eliminating or reducing identified risks by adjusting product requirements. Through this method, exposure to hazards, hazardous situations, and harms of your product are bypassed before ever entering the hands of patients and users.
Transfer
Risk transfer essentially offloads product risks to other parties, and should only be undertaken when both sides clearly understand and communicate the risk versus benefits of the product. Parties onto which risk has been transferred must have skills and knowledge related to the product and its risks for appropriate accountability, authority, and responsibility to be assigned to them. They must additionally be willing to accept these risks in the first place.
Monitor
In the event a context-dependent risk cannot be adequately designed out of the product, an adequate risk control is monitoring. This approach is also vital for risks that cannot be fully reduced and some assumed level of risk must remain as result. Risk monitoring can take many different forms, and is most commonly seen as postmarket surveillance.
4. Impact Analysis
Once a risk control (of any type) has been identified and fleshed out, it’s important to evaluate its impact on your product’s design prior to implementation. Tools such as Critical-to-Quality (CTQ) Flowdown, CTQ Flowup, Monte Carlo simulations, trade study analysis, and so on can provide a solid foundation for evaluating and understanding the impact of risk control implementation. While doing impact analysis, there are four key areas of your product and its development to evaluate:
- Performance: How will the risk control impact product performance?
- Producibility: Is it feasible to produce the risk control?
- Affordability: Is producing the control affordable (for both you and the consumer)?
- Schedule/Time to Market: How long will it take to incorporate the control?
5. Implementation
Finally, once appropriate impact analysis has been done on the risk controls your team has identified and any resulting risk from that impact is mitigated, the controls can be applied into the product design. While it’s the final step in the iterative risk management process prior to repetition, this is by no means an easy activity; implementation should be done after rigorous evaluation and analysis. Otherwise, issues might arise in later-stage development that can compound and result in lost time or overwork.
Repetition is Key
The most powerful aspect of iterative risk management is repetition. Oftentimes, we treat risk management as a one-off activity when that’s simply not the case. Going through the steps multiple times generates more in-depth understanding of your product and leads to more robust risk controls. When developing an iterative risk management program, ensuring this is part of the defined process is vital to effective implementation.
