Developing an Optimized Risk Assessment Portfolio—The Quality Risk Management Master Plan

Published in: Pharmaceutical Technology, January 2024, Volume 48, Issue 1
Pages: 28–33

A thoughtfully constructed QRM Master Plan translates the strategy and enables a risk-based approach.

In 2009, the pharmaceutical and biopharmaceutical industry’s quality risk management (QRM) journey was still in its infancy. The industry had begun performing risk assessments, lots of risk assessments. Consider, for example, this December 2009 quote from Roche’s Wallace Torres in The Gold Sheet: “[following the initiation of the company’s QRM program], we performed more than 100,000 full FMEA [failure mode and effects] analyses worldwide in the first year” (1). Industry has since learned that excessive numbers of risk assessments can bog down the system and minimize the value that can be extracted from the assessments. Thankfully, with the release of the International Council for Harmonisation’s (ICH) Q9(R1), industry can better plan what risk assessments are needed, when, why, and how (2).

Medical device risk management plans

As is often the case, the pharmaceutical industry was not the first to learn this lesson. ISO 14971, “Medical devices—Application of risk management for medical devices,” first described the use of a risk management plan for device risk management in 2007 and has retained this requirement through each subsequent revision. Among other things, this standard obliges medical device developers and manufacturers to define a plan for risk management activities throughout the product lifecycle. As noted by ISO 14971, “a risk management plan is required because (a) an organized approach is essential for good risk management, (b) the plan provides the roadmap for risk management, [and] (c) the plan encourages objectivity and helps prevent essential elements from being forgotten” (3). Similarly, validation master plans, in use throughout industry for many years, are designed to achieve the same goals.

The requirements for a risk management plan in ISO 14971 read like what one might envision as a QRM procedure for the pharmaceutical and biopharmaceutical industries. Roles and responsibilities are defined and delineated, the scope of the plan with regard to the product lifecycle is outlined, a governance structure and associated processes are established, risk and residual risk acceptance criteria are defined, and requirements and data sources for the use of production and post-production information (similar to the risk review phase of the ICH Q9(R1) lifecycle) are described. In addition to these standard requirements, ISO 14971 notes that the risk management plan may be used to define milestones, plan risk management activities, and outline risk tools to be employed for the various activities. In this way, the risk management plan has an inherently flexible structure with the goal of better enabling the organization to plan for what risk management activities must be done to align with certain product-realization goals (3).

While ICH Q9(R1) does not explicitly address the use of a risk management plan, the QRM lifecycle begins with a “QRM Initiation” step, the primary focus of which is a process of gathering the information needed to begin a risk assessment and continue throughout the remaining lifecycle stages (2). Considering the learnings from ISO 14971, this initiation step can be enhanced through an outline of strategic goals for the QRM program and a detailed plan on how the firm intends to reach them. While the first version of ICH Q9 paid little attention to planning and organization, the current version of ICH Q9 highlights the application of thoughtful and objective decision-making throughout the QRM lifecycle, including the often overlooked “QRM Initiation” step.

The historic lack of emphasis on QRM planning is a plausible reason why the industry has struggled with the administration of the QRM program and the creation of myriad risk assessments with no holistic vision. The lack of strategic planning could also contribute to a siloed approach to QRM application and risk assessment performance. By outlining overarching objectives for the QRM program, the use of a risk management plan can enable the pharmaceutical and biopharmaceutical industries to spend less time “doing QRM” and more time managing risk to the patient. This plan would be a living document, updated over time to show the current state of the program as well as the planned future of QRM implementation. Depending on the firm’s level of maturity and experience with QRM, strategic objectives for the QRM program may include:

  • Hire/develop QRM experts to enable the implementation of the program and the risk assessment portfolio
    • head of QRM
    • facilitators
  • Author QRM policy, procedures, and work instructions
  • Establish a risk register
  • Design and implement role-based QRM training
    • leadership/decision makers
    • facilitators
    • system/process owners
    • subject matter experts
    • quality
  • Integrate QRM principles and practices into quality and operational systems
  • Select and validate QRM software
  • Define and create portfolio of living risk assessments.

To distinguish from the medical device risk management plan and the clinical/medical risk management plans in use for drugs with unique risk profiles, and to capitalize on the familiarity with validation master plans, such a plan is best termed a QRM Master Plan. The remainder of this article focuses primarily on the last bullet listed above—the creation of a living risk assessment library.

Living vs. ad hoc risk assessments

Two more welcome additions to the 2023 ICH Q9(R1) include an expansion on the concept of risk-based decision making and the acknowledgement, in the context of QRM formality, that under certain circumstances only a portion of the complete QRM lifecycle needs to be applied. For example, one might apply the risk assessment portion of the QRM lifecycle to help determine a commensurate depth of investigation for a process deviation or complaint, or to evaluate the appropriate frequency for preventive maintenance, calibration, or self-inspection. These applications of QRM do not necessarily require the totality of the lifecycle to be followed; rather, a risk assessment may be conducted to facilitate a decision without continuing into the risk reduction, risk acceptance, and risk review portions of the lifecycle. It is therefore necessary for firms to distinguish between living risk assessments, which follow the full breadth of the QRM lifecycle and are generally more formal in nature, and ad hoc risk assessments, which may only address a portion or portions of the lifecycle and are generally (but not always) less formal in nature, depending on the risk question. This alleviates some of the administrative burden of a QRM program by focusing energy and resources (particularly within risk review) on the applicable portions of the lifecycle.

Living risk assessments should represent the core of the QRM program. These are performed on a product, process, or system, with the objectives of understanding the associated risks, controlling them to an acceptable level, and reviewing the risks in light of changing conditions to evaluate the continued relevance of the identified risks and the effectiveness of risk controls. Ad hoc risk assessments are likely to be performed as part of an integrated quality system to support risk-based decision making within specific contexts. These risk assessments need not be subject to risk review, but are often the input into the review of living risk assessments. Many companies struggle as they attempt to review risk assessments intended for risk-based decision making rather than for the QRM lifecycle, because related decisions have been taken and resultant next steps enacted. A mature QRM program addresses and embraces both types of risk assessments.

It follows, of course, that the products manufactured by a firm, as well as the facilities where these processes occur, should be subject to the full rigors of the QRM lifecycle, and therefore have living risk assessments associated with them. These represent the most direct link to the patient and should be continually evaluated in a QRM framework throughout their lifecycle. The question then becomes, what living risk assessments are necessary to ensure that risks to the patient are fully understood and controlled?

QRM Master Plan–proactively designing the portfolio of living risk assessments

A mature QRM program would have a clear picture of the minimum scope required to achieve holistic risk knowledge and would have established a QRM Master Plan to achieve this. For example, a firm may elect to use the approach commonly employed by medical devices, with one risk assessment (and QRM lifecycle initiation) each for the product, process, and use. Such a living risk assessment library might leverage platform processes and technologies and similarities in design and construction to cover the totality of product considerations and would be mindful of the myriad regulatory requirements and expectations for topics to be evaluated through QRM. An example of a complete living risk assessment library for current good manufacturing practice (CGMP) operations is provided in Table I.

Some firms may already have an established portfolio of living risk assessments and be seeking to close gaps with new or changed regulatory requirements, expansion of product lines, or process variations. This is common, for example, with companies that manufacture sterile products as they seek to align with the updated Annex 1 requirements in the European Union. In this instance, the scope of the QRM Master Plan may be limited to the development of living risk assessments to support the contamination control strategy (CCS) as required by the Annex (4). To address the breadth of aseptic activities and information flow necessary to enable the CCS, a firm may focus their QRM Master Plan on three separate risk assessments: one focused on classifying interventions into the critical zone (ISO 5/Grade A), one focused on assessing hazards associated with all manufacturing and support processes, and one focused on assessing hazards associated with the classified areas of the facility and colocated clean utility distribution systems (drop points). Given the more narrow scope of this sort of QRM Master Plan, more detailed information such as the applicable risk question and QRM tool to be employed may be included, as illustrated in Table II.

While the scope and contents of a QRM Master Plan may vary based on a firm’s level of QRM maturity and specific objectives, the critical thinking and planning necessary to compose the plan will serve as a guidepost for the organization’s activities, mobilizing personnel toward a common goal.

Contents of a QRM Master Plan

Purpose section. The purpose section of the QRM Master Plan should describe the goal and intent of the plan. Depending on the individual firm’s current level of risk maturity and specific objectives, the goals might differ. For example, less mature firms may elect to focus on the development of a QRM process, governance structure, and training, while more mature firms may wish to focus on expanding an existing QRM program to additional aspects of the quality system. Similarly, some firms may need to develop living risk assessments only on a certain topic (such as contamination control) while others may need to develop the holistic risk library from scratch.

Scope. The scope section should describe the boundaries of the QRM Master Plan and should use exclusionary language where necessary to describe elements or areas that are out of scope. This section may include, for example:

  • the site (or sites, buildings, etc.) to which the QRM Master Plan applies
  • products, product lines, and/or systems to which the plan applies
  • product lifecycle phases to which the plan applies (e.g., development through Phase I, commercial only, etc.)
  • types of risks covered by the plan (e.g., contamination related risks)
  • quality system elements included in the plan, if any (e.g., change control, deviation management, etc.)
  • timeframe covered in the plan.

It is recommended that the QRM Master Plan cover a timeframe spanning one to three years, enabling both short-term “quick wins” as well as longer-term strategic objectives to be outlined.

Roles and responsibilities section. This section of the QRM Master Plan should outline the roles and responsibilities for those working or interacting with the QRM program. Many firms have experienced success with the use of a responsibility assignment (RACI) matrix, which maps each role to a given activity according to whether they are Responsible, Accountable, Consulted, and/or Informed. The responsibilities and tactics or activities outlined in this section should directly correlate to the content of the plan; that is, all activities within the plan should be assigned to a specific role, and each responsibility listed should likewise have specific actions associated with it. This practice ensures clarity is provided to both the readers and users of the plan (Table III).

Activity list. The bulk of the QRM Master Plan should include a discussion of objectives and activities that will be completed under the plan, as discussed in the prior sections. This activities list can be composed of both new assessments to be performed and risk reviews of existing assessments. Where many activities comprise the QRM Master Plan, it may be prudent to prioritize work using a risk-based approach, such that all stakeholders will understand the rationale for the cadence of tasks. One example of such a risk-based prioritization tool might involve the ranking of each activity for the criticality of the topic and the complexity of the effort (see Tables IV and V).

The intersection of the individual rankings for topic criticality and effort complexity can then be located in the prioritization matrix to determine the relative priority of the activity (Table VI).

The relative priority of each QRM activity can be used, in addition to an analysis of activity interdependencies, critical path identification, and other considerations, to determine an appropriate timeframe for completion. This enables the firm to allocate resources toward the most appropriate activities to enhance QRM maturity and deliver a direct benefit to the patient. An example activity list using the above principles is shown in Table VII.

A thoughtfully constructed QRM Master Plan translates the strategy established by leadership into actionable, prioritized tasks and enables a risk-based approach to the “QRM Initiation” step of the ICH Q9(R1) lifecycle, thereby ensuring the organization remains centered upon the things that matter most—protection of the patient.


  1. Cox, B. Roche Builds Quality Risk Management Program in Response to Viracept Crisis. The Gold Sheet. Dec. 1, 2009.
  2. ICH. Q9(R1) Quality Risk Management (ICH, 2003).
  3. ISO 14971. “Medical Devices–Application of Risk Management to Medical Devices.” 2019.
  4. EC. Annex 1: Manufacture of Sterile Medicinal Products. EudraLex. Aug. 22, 2022.
  5. Baseman, H. and Long, M. Risk Management of Microbial Contamination Control in Aseptic Processing and Interventions Risk Assessment Model (IREM): The Use of Critical Thinking to Make Informed Decisions. In Contamination Control in Healthcare Product Manufacturing, Vol. 3, eds. Russell Madsen and Jeanne Moldenhauer, 341-404. Bethesda: PDA/DHI, 2014.

About the Authors

Kelley Waldron, PhD, is business unit manager, Quality and Manufacturing Science Consulting, at ValSource.

Tiffany Baker, MBA, is senior consultant at ValSource.

When referring to this article, please cite it as Waldron, K and Baker, T. Developing an Optimized Risk Assessment Portfolio—The Quality Risk Management Master Plan. Pharmaceutical Technology 2024 48 (1) 28–33.