Glossary Term

Quality Risk Management

The structured process for identifying, assessing, controlling, communicating, and reviewing risks to product quality and patient safety across the product lifecycle.

ICH Q9(R1) reframed quality risk management around subjectivity, hazard identification, and risk-based decision-making. The point isn't to produce risk registers. It's to make better decisions about where to put scarce quality and validation effort.

[Figure: Quality risk management matrix]

What quality risk management is

Quality risk management (QRM) is the structured process for identifying, assessing, controlling, communicating, and reviewing risks to product quality and patient safety across the lifecycle of a regulated product.

It's not a one-time activity. It's a way of making decisions: where to put validation effort, how often to audit a supplier, what controls a new process needs, what depth of testing to apply, when to escalate a change. The risk view should inform those decisions, not just be a binder that sits next to them.

For pharmaceuticals, the canonical framework is ICH Q9. The 2023 revision (Q9(R1)) addresses four areas the original glossed: assessor subjectivity, hazard identification, right-sized formality, and risk-based decision-making in the actual lifecycle. For medical devices, ISO 14971 is the equivalent standard, with more prescriptive structure around hazard sequences, risk controls, residual risk, and post-production feedback.

QRM is decision support, not documentation

The output of QRM isn't a risk register. It's better decisions about where quality and validation effort goes. If your risk assessments don't visibly change how you allocate that effort, the assessments aren't doing their job.

Why risk management gets inspected so closely now

Two trends pushed QRM up the inspector priority list. First, the move toward risk-based GMP across modern regulator guidance (ICH Q10, Annex 15, CSA, MDR) means risk evaluation is now an explicit input to decisions like validation depth, audit frequency, change classification, and supplier oversight. Inspectors look for the trail from risk to decision.

Second, the ICH Q9(R1) revision in 2023 raised the bar on what acceptable QRM looks like. The R1 explicitly calls out the problem that risk scoring is subjective and that different assessors produce different scores for the same hazard. Programs that haven't addressed this — calibration, training, consensus methods, documented rationale — are running an older version of QRM than current expectations.

Inspector note: When I ask a firm about QRM, I'm not asking to see the methodology document. I'm asking to see one specific decision: this supplier audit went from annual to every two years, why? That validation OQ used three runs instead of seven, why? That change was classified minor, why? The risk assessment should be the evidence. If it isn't, the QRM program isn't connected to the work.

The QRM references inspectors apply

QRM appears in pharmaceutical, medical device, and combination product frameworks, with overlapping but distinct standards:

  • ICH Q9(R1) (Step 4, January 2023; EU GMP adoption effective July 2023): current pharmaceutical QRM framework. Replaces 2005 Q9 with strengthened expectations on subjectivity, hazard identification, formality, and risk-based decision-making.
  • ICH Q10 §1.5 + §3.2: pharmaceutical quality system uses QRM as core enabler.
  • EU GMP Annex 20: adopts ICH Q9 into EU GMP.
  • EU GMP Chapter 1 §1.13: QRM as part of quality system.
  • EU GMP Annex 15 §1: qualification and validation are risk-based.
  • 21 CFR §211.220: post-implementation evaluation; risk-based justification.
  • 21 CFR Part 820 — QMSR (effective February 2, 2026) / former §820.30(g) (QSR): device design validation includes risk analysis. QMSR reaches this through ISO 13485:2016 §7.3 (incorporated by reference) and ISO 14971:2019.
  • ISO 14971:2019: canonical medical device risk management standard.
  • ISO 13485 §7.1: planning of product realization includes risk management.
  • EU MDR Annex I §3: risk management is continuous iterative process throughout the entire lifecycle.
  • WHO TRS 981, Annex 2: WHO guidance on quality risk management.
  • ICH Q12: post-approval changes use risk-based categories.

The QRM cycle that connects to operations

Q9(R1) describes QRM as a cycle, not a one-off. The cycle that actually delivers value in operations:

  • Define the question. Start with a specific decision needed. Vague risk assessments drift.
  • Pick a methodology that fits. FMEA for forward-looking known failure modes. Fault tree for backwards-from-event. HACCP for process-step controls. A simple matrix when the question is structured.
  • Identify hazards. Q9(R1) raised the bar — deliberate, multi-source, documented.
  • Estimate and evaluate risk. Score initial risk against acceptance criteria.
  • Apply controls, re-estimate residual risk. Document control, re-score, confirm residual is acceptable. Most-skipped step.
  • Communicate. Share the assessment with the people whose work it should change.
  • Review. Trigger-based: deviations, complaints, regulation changes, audit findings, periodic cadence.

What good QRM programs do that weak ones don't

Mature QRM programs share consistent procedural and engineering controls:

  • Methodology defined per question type — different matrices for design vs process vs supplier risk
  • Subjectivity addressed explicitly — per Q9(R1), calibration / consensus / facilitator approach with documented rationale
  • Acceptance criteria defined in advance — not negotiated after the score
  • Residual risk evaluated and documented — most-skipped step
  • Connected to decisions — assessment referenced by name in change control, validation plan, audit schedule, CAPA, management review (MR)
  • Updated on trigger, not just on calendar
  • Assessor competence demonstrable — training, certification, or qualified facilitator
  • Approval routing matches risk level — high-risk needs senior approval; system enforces
  • Versioned and retained — version history + audit trail per assessment
  • Trending — aggregate views feed Management Review

The 'numbers without rationale' finding

A risk score of 12 on a 5×5 matrix isn't a risk assessment. The reasoning behind that score is. Q9(R1) sharpened this. Pure-numeric scores with no narrative are increasingly cited as inadequate.

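As an added illustration of the QRM cycle and the controls listed above (example code written for this page, not code from the page or from Complere), the following models one risk item the way a system would enforce it: a pre-defined acceptance criterion, a score refused without rationale, a mandatory residual re-score once controls are applied, approval routing derived from the risk level, and unacceptable residual risk handed to CAPA. The FMEA-style scoring, the thresholds, the field names and the sample hazard are all constructed assumptions.

```python
from dataclasses import dataclass, field
# Thresholds and scoring scheme are constructed for this example (assumptions, not
# values from ICH Q9(R1) or the page): FMEA RPN = severity x probability x detectability, 1-5 each.
ACCEPTABLE_MAX = 20   # RPN at or below this meets the acceptance criterion
HIGH_RISK_MIN = 50    # RPN at or above this must route to senior approval

@dataclass
class RiskItem:
    hazard: str
    rationale: str                     # the narrative behind the numbers
    initial: tuple                     # (severity, probability, detectability)
    controls: list = field(default_factory=list)
    residual: tuple = None             # (S, P, D) re-scored after the controls

def rpn(scores):
    """Risk priority number; rejects anything outside the 1-5 matrix."""
    if len(scores) != 3 or any(not 1 <= v <= 5 for v in scores):
        raise ValueError("severity, probability and detectability must each be 1-5")
    s, p, d = scores
    return s * p * d

def approval_route(score):
    """Approval level is derived from the score, not chosen case by case."""
    return "senior" if score >= HIGH_RISK_MIN else "quality"

def evaluate(item):
    """Estimate, evaluate, control, re-estimate; refuse to skip the steps inspectors cite."""
    if not item.rationale.strip():
        raise ValueError(f"{item.hazard}: a score without rationale is not an assessment")
    initial = rpn(item.initial)
    result = {"hazard": item.hazard, "initial": initial, "residual": None,
              "approval": approval_route(initial), "needs_capa": False}
    if initial <= ACCEPTABLE_MAX:      # already within acceptance: no controls required
        result["acceptable"] = True
        return result
    if not item.controls or item.residual is None:
        raise ValueError(f"{item.hazard}: residual step skipped")
    residual = rpn(item.residual)
    result["residual"] = residual
    result["acceptable"] = residual <= ACCEPTABLE_MAX
    result["needs_capa"] = not result["acceptable"]   # unacceptable residual routes to CAPA
    return result

# Constructed sample: initial 5*3*4 = 60 (high risk, senior approval); after the
# barcode check the residual is 5*2*1 = 10, within the acceptance criterion.
SAMPLE = RiskItem("Wrong label applied at packaging line", "Manual label check only; "
                  "mislabelling reaches patients, so severity is 5", initial=(5, 3, 4),
                  controls=["Barcode verification of each label against the batch record"],
                  residual=(5, 2, 1))
```

Calling `evaluate(SAMPLE)` returns the initial score, the approval route and the residual score in one record, which is the trail from risk to decision an inspector asks for.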
How Complere supports quality risk management

ICH Q9(R1) raised the bar on what real risk management looks like, and most platforms still treat it as a forms exercise. Complere is built the other way around. Your risk register, your methodologies, your treatments, and the decisions they drive all live together — and they connect to the places where those decisions actually get made: change control, validation, CAPA, supplier oversight, and management review.

Your team configures the methodology that fits the question. FMEA with severity, probability, and detectability for forward-looking failure analysis. A two-dimensional matrix for simpler decisions. Custom field sets for HAZOP, fault-tree, or your in-house hybrid. The scoring structure isn't a hard-coded universal template; it adapts to how your risk function actually works, with separate methodologies for design risk, process risk, supplier risk, and system risk.

Each risk item carries its hazard description, source evidence, initial score, the treatment plan, the controls applied, and the residual score after those controls. The residual step — the one that gets skipped most often in inspection findings — is built into the workflow, not an optional field your team has to remember. Templates let new assessments inherit the right methodology and approval routing automatically, so a high-risk assessment routes to senior approval without anyone deciding case-by-case.

The piece that turns a risk register from a binder into a working tool is the linkage. When a risk item triggers a CAPA, the link is direct — the risk record references the CAPA, the CAPA references the risk, and the closed-loop view (risk identifies the gap, CAPA delivers the control, residual confirms the outcome) is visible from either side. The same applies to change control: changes carry their risk assessment, and high-risk classification drives deeper approval and validation. Risk decisions stop living in a separate world from the work they're supposed to influence.

Approvals are role-based and meaning-attributed, history is captured per record with a complete audit trail, versions are retained as assessments evolve, and notifications keep overdue reviews visible. Aggregate views feed your management review with the trends you need — areas with most CAPAs, residual risks at or near acceptance, overdue review cadence.

For decisions about how deeply to validate the Complere platform itself, the Vendor Validation Package gives your team a risk-assessed starting point — requirements mapped, evidence pre-built, scope defined — so your QRM drives validation depth rather than defaulting to maximum effort.

Complere handles the workflow, the evidence, and the structure; the risk judgement — what to assess, what's acceptable, how much control is enough — stays with the experts on your team.

Frequently asked questions

Common questions about Quality Risk Management sourced from regulatory references and inspection patterns.

What changed in ICH Q9(R1)?

The 2023 revision addresses four areas the 2005 original glossed: assessor subjectivity (different assessors producing different scores for the same hazard), hazard identification (the upstream step that determines what gets assessed), right-sized formality (avoiding over-elaborate documentation for low-stakes decisions and under-documentation for critical ones), and risk-based decision-making across the actual product lifecycle. The R1 explicitly expects programs to address subjectivity through calibration, training, consensus methods, or qualified facilitators — not just sharper scoring matrices.

What's the difference between ICH Q9 and ISO 14971?

ICH Q9(R1) is the pharmaceutical quality risk management framework and is intentionally technology-neutral about the tools used. ISO 14971:2019 is the medical-device risk management standard and is more prescriptive about structure: hazard sequences (hazard → hazardous situation → harm), risk controls applied in a defined order of preference (inherent safety > protective measures > information for safety), residual risk evaluation, and post-production monitoring as a closed-loop input. Combination products typically need both.

Do we have to use FMEA, or can we use other tools?

Other tools are explicitly allowed. ICH Q9(R1) is technology-neutral — the tool should match the question. FMEA suits forward-looking analysis of known failure modes. Fault-tree analysis suits working backwards from a defined undesired event. HACCP suits process-step hazard analysis. A simple two-dimensional matrix often suits structured supplier or change-control decisions. The most-cited finding is using the wrong tool, not failing to use FMEA.

What is residual risk and why does it matter?

Residual risk is the risk that remains after the controls applied to address an initial risk. It's evaluated against the same acceptance criteria as the initial risk. ISO 14971:2019 makes residual risk evaluation explicit and required; ICH Q9(R1) reinforces it for pharmaceutical QRM. The recurring finding pattern is the same: initial risk assessed, controls applied, residual step skipped, and the risk register never confirms whether the controls actually brought the risk to acceptable.

How do risk assessments connect to CAPA?

Bi-directionally. Risk assessment to CAPA: when a risk item scores above acceptance or when residual risk remains unacceptable after planned controls, the gap routes to CAPA for structured corrective or preventive action. CAPA to risk assessment: when investigation surfaces a hazard or a recurring root cause that the existing risk register didn't anticipate, the risk record is updated and may trigger reassessment of related items. The closed-loop view — risk identifies the gap, CAPA delivers the control, residual confirms the outcome — is what regulators look for.

How often should risk assessments be reviewed?

Trigger-based first, periodic second. The triggers are the events that change the underlying risk picture: deviations or complaints in the area, regulatory changes (Q9(R1), MDR, MHRA DI guide), audit findings, supplier changes, process or product changes, and the post-production data ISO 14971 expects to feed back into the assessment. Periodic review on a defined cadence (often annual for low-risk items, more frequent for high) catches what the triggers missed. Annual-only programs are usually out of date with the operational reality.

What's the biggest QRM finding pattern in inspections?

Risk registers disconnected from the decisions they should be informing. The trail from a specific risk to a specific decision — this supplier audit frequency, this validation depth, this change classification, this CAPA priority — is what inspectors want to see. Programs with comprehensive registers and no traceable downstream decisions get cited for QRM that exists on paper but doesn't drive the work.

What does ICH Q9(R1) expect for assessor training?

The R1 sharpens expectations around the people doing the assessment. Either certified assessors with documented competence in the methodology being used, or qualified facilitators running assessments where the technical experts contribute domain knowledge. The point is to address the subjectivity problem the R1 names explicitly: untrained assessors with the same matrix produce different scores for the same hazard, and the program needs to actively manage that variability rather than ignore it.


See Quality Risk Management in action during a Complere demo

Walk through how Complere operationalizes this concept inside a validation-ready quality system.