There is No Such Thing as Zero Risk

Published on: 
Pharmaceutical Technology, Pharmaceutical Technology-02-02-2009, Volume 33, Issue 2

To manage risk properly, industry must understand what it is and how to assess it

I recently saw a comment in a journal by a former United Kingdom-GMP inspector who concluded that discussion of structured risk management is stupid and dangerous for pharmaceuticals because "no risk is acceptable." I believe the view illustrates a common misunderstanding regarding the nature of risk. Risk is like variability; even though one wishes to reduce risk, it can never be eliminated. Everything we do in life carries some degree of risk.

Peter H. Gough

Outside of the laboratory, for example, some of us take up pastimes such as rock-climbing, free-fall parachuting, or bungee jumping. In doing so, we constantly assess the risks associated with our activities and attempt to control those risks. If we deem the risk too high, we undertake risk-reduction measures. For example, in free-fall parachuting, we might carry an emergency parachute in case the main chute fails to open.

For decades, the pharmaceutical industry and its regulators have labored under the false belief that risk can be entirely eradicated. We have been ignoring helpful tools and techniques such as Failure Modes and Effects Analysis (FMEA) that are widely used in other industries. We have come to accept large numbers of deviations as the norm and, therefore, risk has been managing us.

The advent of the US Food and Drug Administration's Pharmaceutical GMPs for the 21st Century inititaive and the subsequent quality initiatives of the International Conference on Harmonization have placed a spotlight on how we manage quality risks within the pharmaceutical industry. In the past, industry's approach to assessing and controlling quality risks has been largely empirical and, all too often, reactive rather than proactive. This approach, which does not adequately consider risk as part of the preventive component of corrective action and preventive action, has led to recurring deviations. This is not to say that full, structured risk management should be used in every situation. Rather, in more complex or hazardous situations, several helpful tools and techniques should be used.

ICH Q9 Risk Management was written to define structured quality risk management, to explain how it can be applied to pharmaceuticals, and to provide a common language with an agreed-upon process for pharmaceutical manufacturers and regulators. In many structured risk-management models, risk is defined as "the combination of the probability of occurrence of harm and the severity of that harm" (1). Harm is defined in Q9 as "damage to health, including the damage that can occur from loss of product quality or availability."


The first stage of the risk-management process addressed in ICH Q9 is risk assessment, which is subdivided into three steps:

  • Risk identification—identifying potential sources of harm (i.e., hazards).

  • Risk analysis—estimating the risk associated with the identified hazards (i.e., the severity and probability of occurrence).

  • Risk evaluation—comparing the estimated risk against the risk threshold to determine the significance of the risk. If the estimated risk is greater than the threshold, the risk must be reduced.

The second stage is risk control. This stage includes the identification of possible risk-reduction measures and, eventually, acceptance of the residual risk, which can never be zero.

The final stage is risk review, which is the process of reviewing the risk assessment and risk-control decisions based on experience to identify whether the risks have been adequately controlled and to take consequent actions. ICH Q9 makes it clear that other risk-review models can be used (e.g., ISO 14971: Application of Risk Management to Medical Devices) and that the emphasis on each component of the framework is likely to differ on a case-by-case basis.

Annex 1 to ICH Q9 provides details regarding the tools and techniques commonly used in risk management. The most common tool, FMEA, assesses the severity of risk, the probability of its occurrence, and the likelihood of detection. Other similar risk-management tools help to estimate relative risks so that priorities can be set. These tools also help to determine those areas where no action is required because the current level of risk is acceptable.

Simply put, structured risk management provides tools that enable effective prioritization of actions. It is, however, critical that risk-assessment tools be used appropriately. Tools such as FMEA, for example, typically use an assigned number scale (e.g., 1 to 10) to assess the severity, probability, and detectability of the risk associated with identified hazards. Multiplying these numbers results in a risk priority number (RPN) for each risk. Even though it may be tempting to set thresholds for the RPN, this approach is too simplistic and can lead to inappropriate decision-making. The real value of the RPN is that it allows the relativities between risks to be assessed and subsequent risk-control decisions to be made.

The hope behind ICH Q9 is that industry will take the opportunity to make greater use of a structured approach to quality risk management. An implementation strategy is key to achieving the guideline's business benefits. Some important tips for implementation are outlined below.

1) Make sure you have sufficient expert knowledge to assess risks. Any assessment of risk and related decisions can only be as good as the information available and the knowledge and expertise of the people who assess the information. Structured risk assessment should be a team activity with the most effective team assembled.

2) Ensure that your company understands ICH Q9 and the opportunity it affords, including the benefits and limitations of risk-management tools and techniques.

3) Encourage an open, risk-aware culture. The pharmaceutical industry, and those who regulate it, have long misunderstood the concept of risk. Comments such as "We are a zero-risk company" or "all risks must be eliminated" are heard too frequently. "Zero risk" cannot exist. All risks must be identified and assessed so that rational decisions can be made.

4) Keep quality risk management simple.

5) Integrate quality risk management with your existing quality systems. Risk management is not a "bolt-on" or "plug-in" to existing quality systems. Rather than establish separate risk-management departments within your company, educate personnel about all risk elements and, if necessary, revise the elements of your quality system to embed risk management in each.

ICH Q9 provides the pharmaceutical industry with an opportunity to be more proactive about managing risk in a structured way that will be understood by regulators. Combined with ICH Q8 Pharmaceutical Development and Q10 Pharmaceutical Quality System, Q9 will enable a new, more effective approach to the management of product quality and regulatory mechanisms. This approach will, in turn, benefit industry as a whole, regulators and, most importantly, patients.

Peter H. Gough, part of the expert working group on ICH Q9 Quality Risk Management, is a partner at David Begg Associates, tel. 617.342.3652 (US headquarters) and +44 1751 432999 (UK headquarters),


1. ICH, Q9 Quality Risk Management (Geneva, Switzerland, Nov. 9, 2005).