Quality Risk Management in the Pharmaceutical Industry: From ICH Q9(R1) to Daily GMP Practice


Quality Risk Management (QRM) provides a structured approach for identifying, assessing, controlling, communicating, and reviewing risks that may affect product quality, patient safety, data integrity, GMP compliance, or product availability. In pharmaceutical manufacturing, QRM supports decisions across development, technology transfer, qualification, validation, deviation management, CAPA, change control, supplier qualification, computerized systems, and batch certification.

The current regulatory expectation is largely shaped by ICH Q9(R1), which clarifies how risk-based decision-making should be applied in practice. The revision placed stronger emphasis on controlling subjectivity, selecting an appropriate level of formality, documenting the rationale for risk-based decisions, and considering risks linked to product availability. 

Effective QRM is demonstrated by how well risk assessments support real GMP decisions, how clearly their outputs are linked to controls and actions, and how consistently they are reviewed when new process knowledge becomes available. This article explains how QRM should be applied in daily GMP practice, what changed with ICH Q9(R1), which tools are most useful in pharmaceutical operations, and how risk assessments can be made scientifically justified, traceable, and inspection-ready.

What Is Quality Risk Management?

Quality Risk Management is a systematic process for assessing, controlling, communicating, and reviewing risks that may affect the quality of medicinal products. In pharmaceutical operations, risk is generally assessed in terms of the severity of potential harm, the probability that harm may occur, and the ability of existing controls to prevent or detect a failure before it affects the product or patient.

The purpose of QRM is not to eliminate every possible risk, but to identify which risks are significant, determine whether current controls are adequate, and define the additional measures required when the residual risk is unacceptable. This may involve procedural controls, engineering controls, qualification or validation activities, additional monitoring, supplier oversight, training, or changes to the process or facility design.

A meaningful QRM process must be based on scientific knowledge, process experience, and documented evidence. The output should support a clear GMP decision, such as accepting a risk, reducing it through additional controls, escalating it through CAPA or change control, or reassessing it when new information becomes available. For this reason, QRM should be treated as part of routine pharmaceutical decision-making, not as a standalone document prepared only for inspection purposes.

Infographic explaining the difference between hazard, harm, and risk in GMP using a microbial contamination example from pharmaceutical manufacturing.

Key Definitions: Risk, Hazard, and Harm

In ICH Q9(R1), a hazard is the potential source of harm. In pharmaceutical manufacturing, this may be a contaminated material, an uncontrolled process parameter, an equipment failure, a data integrity weakness, an unsuitable supplier, or any condition that could compromise product quality if not controlled. A hazard is therefore the source or situation that can lead to a quality failure.

Harm refers to the negative consequence that may result if the hazard is not adequately controlled. In the GMP context, harm is usually linked to potential impact on the patient, product quality, product safety, efficacy, or availability. For example, harm may include patient exposure to a contaminated product, reduced therapeutic effect due to an incorrect assay, use of a product manufactured under uncontrolled conditions, or delayed access to a critical medicine due to a quality failure. 

Risk is the combination of the probability of occurrence of harm and the severity of that harm. In GMP practice, this means that a risk is defined not only by what can go wrong but also by how serious the consequences could be and how likely they are to occur. Many pharmaceutical risk tools also consider detectability, but detectability should be understood as an additional decision factor, not a replacement for severity and probability.

The distinction is important because hazards and risks are often mixed in risk assessments. For example, “microbial contamination” may describe a hazard or a potential failure, but the risk depends on the product type, route of administration, process step, bioburden limits, existing controls, detection capability, and potential patient impact. A well-written risk assessment should therefore clearly define the hazard, describe the possible harm, and evaluate the risk using justified criteria.

What Changed with ICH Q9(R1)?

ICH Q9 was first introduced as the main international reference for Quality Risk Management in the pharmaceutical industry. Over time, however, regulatory experience showed that QRM was not always being used as intended. In many cases, risk assessments were prepared as formal documents, but their outputs were not clearly linked to actual GMP decisions, controls, CAPAs, validation activities, or lifecycle review.

Infographic summarizing the Quality Risk Management process under ICH Q9(R1), including risk assessment, control, communication, review, severity, probability, detectability, and the relationship between hazard, harm, and risk.

ICH Q9(R1) addressed these weaknesses by clarifying how QRM should support risk-based decision-making in practice. The revision placed stronger emphasis on four areas: managing subjectivity, applying an appropriate level of formality, documenting the rationale for risk-based decisions, and considering risks related to product availability. These points are important because they determine whether a risk assessment is a useful decision-making tool or only a completed template.

For manufacturers, ICH Q9(R1) should be viewed as a practical reset of QRM expectations. A risk assessment should show which risks were evaluated, what knowledge and data were used, which assumptions were made, how the conclusion was reached, and what actions or controls are required. The value of QRM lies not in the document itself, but in whether it leads to justified, traceable, and effective GMP decisions.

| ICH Q9(R1) Focus Area | What Changed or Was Clarified | Practical GMP Meaning |
|---|---|---|
| Managing subjectivity | More emphasis on reducing bias in risk assessments. | Scores should be supported by defined criteria, data, and clear rationale. |
| Level of formality | Not every risk-based decision needs the same depth of assessment. | The method should match the risk, complexity, and potential impact on patients or products. |
| Risk-based decision-making | QRM should support real GMP decisions, not only completed templates. | The assessment should lead to clear actions, controls, escalation, or risk acceptance. |
| Product availability | Supply continuity is more clearly recognized as a quality risk topic. | Companies should consider risks that may interrupt access to quality-assured medicines. |
| Documented rationale | Conclusions should be justified and traceable. | The assessment should show why the decision was made and what residual risk remains. |
| Lifecycle use of QRM | QRM should be revisited when new information becomes available. | Risks should be reviewed after deviations, trends, CAPAs, validation data, or supplier issues. |

Managing Subjectivity in Risk Assessments

Subjectivity cannot be completely removed from QRM, but it must be controlled. Risk assessments often depend on expert judgment, especially when limited data is available. This creates a risk of inconsistent scoring, optimistic assumptions, weak challenge of existing controls, or conclusions that reflect the preferred decision rather than the actual risk.

To reduce subjectivity, companies should clearly define scoring criteria, involve the right subject-matter experts, document assumptions, and use available data wherever possible. Severity, probability, and detectability should not be assigned as simple numbers without explanation. Each score should be supported by a rationale that explains why the rating is appropriate for the specific product, process, system, or activity being assessed.

Applying the Right Level of Formality

ICH Q9(R1) also clarifies that not every risk-based decision requires the same level of formality. A low-risk administrative change may require only a brief, documented rationale, whereas a change affecting a critical process parameter (CPP), sterilization cycle, cleaning process, computerized system, or a supplier of critical material may require a structured, cross-functional risk assessment.

This proportionality is important. Excessive formality can turn QRM into paperwork, while insufficient formality can leave critical decisions poorly justified. The Pharmaceutical Quality System should define how the required level of formality is determined, taking into account product impact, process complexity, uncertainty, novelty, patient risk, data integrity impact, and regulatory relevance.

Strengthening Risk-Based Decision-Making

The purpose of QRM is to support decisions. A risk assessment that identifies risks but does not lead to a clear decision is incomplete. Each assessment should conclude whether the risk is acceptable, whether additional controls are required, whether the activity should be changed, or whether the issue must be escalated through CAPA, change control, validation, supplier management, or management review.

The decision should also be traceable. It should be clear who approved the conclusion, what residual risk remains, what controls are relied upon, and how those controls will be verified or reviewed. Where a decision involves accepting residual risk, the justification should be documented with enough detail to withstand internal review and regulatory inspection.

Product Availability and Supply Risk

ICH Q9(R1) also places greater emphasis on product availability as part of quality risk management. This is important because patients may be harmed not only by defective products but also by the unavailability of medically necessary products. Quality defects, manufacturing failures, supplier disruptions, single-source materials, aging equipment, or a lack of qualified alternatives can all pose risks to supply continuity.

Manufacturers should therefore consider product availability risks within their QRM system. This may include assessment of critical suppliers, manufacturing capacity, equipment obsolescence, business continuity arrangements, second-source qualification, and regulatory implications of supply disruption. The goal is not to lower quality expectations to maintain supply, but to identify and control risks that could interrupt the availability of quality-assured medicines.

The Quality Risk Management Process

Quality Risk Management follows a structured process: risk identification, risk analysis, risk evaluation, risk control, risk communication, and risk review. These steps are often presented as a sequence, but in practice they are iterative. New information from deviations, complaints, validation data, supplier performance, process trends, or regulatory observations may require revisiting and updating the risk assessment.

Flowchart of the pharmaceutical Quality Risk Management process showing risk identification, analysis, evaluation, control, communication, review, and documented outputs.

Each step of the process should help the company make a justified GMP decision: what can go wrong, how serious the impact could be, whether current controls are sufficient, what additional controls are needed, and how the risk will be monitored over time.

Risk Identification

Risk identification is the starting point of the QRM process. Its purpose is to define what can go wrong and where the potential source of harm may arise. If this step is weak, the rest of the assessment becomes unreliable. A well-designed scoring system cannot correct a poorly defined hazard.

In pharmaceutical manufacturing, risks may arise from many sources, including the product, process, materials, equipment, facility, utilities, personnel, suppliers, analytical methods, computerized systems, and outsourced activities.

| Risk Source | Example of Risk | Possible GMP Impact |
|---|---|---|
| Process | Critical process parameter failure | Batch variability, CQA failure |
| Materials | Variable or unsuitable raw material | Impurity, potency, or performance issue |
| Equipment | Malfunction or poor maintenance | Process interruption, contamination, mix-up |
| Facility / Utilities | Inadequate environmental control | Microbial, particulate, or cross-contamination risk |
| Personnel | Manual error during operation | Mix-up, documentation error, process deviation |
| Supplier | Unapproved supplier change | Material quality or supply continuity issue |
| Analytical Method | Sample handling or method failure | Incorrect release or stability decision |
| Computerized System | Data integrity weakness | Unreliable GMP records or audit trail gaps |

Risk identification should be based on more than expert opinion alone. It should use available process knowledge and GMP data, such as deviation history, complaints, OOS/OOT results, audit findings, environmental monitoring trends, maintenance records, validation data, supplier performance, and previous product quality reviews.

Risk Analysis

Risk analysis examines the identified hazard and determines the nature and level of the risk. This usually includes consideration of severity, probability, and, where appropriate, detectability. The analysis should also consider existing controls and whether they can prevent, reduce, or detect the failure.

Severity should be assessed primarily in relation to patient safety and product quality. Operational inconvenience, cost, or delay may be relevant, but they should not replace patient and quality impact as the main basis for severity. For example, a failure that could affect sterility assurance, dose uniformity, impurity control, or data integrity should not be downgraded only because it is unlikely or because the batch can be reworked.

Probability should be based on evidence wherever possible. This may include historical deviation frequency, process capability, previous validation results, supplier performance, equipment reliability, environmental monitoring trends, or known process variability. Where limited data are available, the assessment should state the assumptions used and explain why they are reasonable.

Detectability should be treated carefully. A control should not be rated as highly effective simply because it is included in an SOP. The question is whether the control can realistically detect the failure before it affects the product, patient, or reliability of GMP data.

| Factor | Correct Interpretation | Common Weakness |
|---|---|---|
| Severity | Impact on patient safety, product quality, data integrity, or GMP compliance | Scored based on operational inconvenience instead of quality impact |
| Probability | Evidence-based likelihood of occurrence | Assigned based on opinion rather than data |
| Detectability | Real ability of controls to detect failure before impact | Rated highly only because an SOP or check exists |
| Uncertainty | Degree of confidence in available data and assumptions | Hidden through optimistic scoring |

Important points to consider during risk analysis include:

  • Is the control preventive, detective, or corrective?
  • Does the control act before or after the product impact may occur?
  • Is detection immediate or delayed?
  • Is the control manual or automated?
  • Is the control routinely verified?
  • Has the control failed before?
  • Is the control dependent on operator judgment?
  • Is the available data sufficient to support the score?

Risk Evaluation

Risk evaluation determines whether the analyzed risk is acceptable, unacceptable, or requires further action. This is the decision point at which the company compares risk against predefined acceptance criteria, escalation rules, or quality expectations.

A common weakness in pharmaceutical risk assessments is over-reliance on numerical thresholds. For example, a risk may fall below an RPN action limit but still involve a high-severity failure. In such cases, the risk should not be accepted automatically. High-severity risks often require additional justification, even when the probability is low.

Risk evaluation should consider:

  • the potential impact on patient safety;
  • the potential impact on product quality;
  • GMP and regulatory expectations;
  • the strength of existing controls;
  • the reliability of detection mechanisms;
  • the level of uncertainty in the data;
  • whether the risk is recurring or isolated;
  • whether similar risks exist in other products, processes, or systems;
  • whether residual risk can be justified.

The conclusion should be clear, and the assessment should state whether the risk is accepted, reduced through additional controls, escalated through CAPA or change control, or requires further investigation before a decision can be made.
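The scoring and evaluation rules described in the Risk Analysis and Risk Evaluation sections can be made concrete in code. The following Python is an added example written for this article; it is not taken from ICH Q9(R1) or from any company's FMEA procedure. The anchored scales, the RPN action limit of 40, the severity override at 4, and the sample failure mode with its record references are all constructed for illustration. It shows the three behaviours the text asks for: every score must carry a rationale, a strong detectability score is not credited for a control that is never verified, and a high-severity failure is not accepted just because its RPN falls below the limit.

```python
from dataclasses import dataclass, field

# Anchored scoring scales. These criteria are constructed for this example; they are
# not taken from ICH Q9(R1) or from any company's procedure. Each score is tied to a
# written criterion so a rating can be challenged against a definition, not a feeling.
SEVERITY = {
    1: "no impact on patient, product quality, or GMP data",
    2: "minor impact; product remains within specification",
    3: "potential failure of a non-critical attribute or record",
    4: "potential CQA, data integrity, or GMP compliance failure",
    5: "potential patient harm (e.g. sterility, dose uniformity, impurity)",
}
PROBABILITY = {
    1: "no occurrence in site history; capable process",
    2: "isolated occurrence over several years",
    3: "about once per year",
    4: "several times per year",
    5: "expected on most batches without controls",
}
DETECTABILITY = {
    1: "validated automated control stops the process before product impact",
    2: "in-process check detects the failure before the batch proceeds",
    3: "detected at release testing, after the batch is complete",
    4: "detected only by periodic review or trend analysis",
    5: "no realistic detection before patient exposure",
}
RPN_ACTION_LIMIT = 40   # constructed action limit for this example
SEVERITY_OVERRIDE = 4   # at or above this, RPN alone never justifies acceptance


@dataclass
class FailureMode:
    mechanism: str                      # a mechanism, not a consequence
    effect: str
    severity: int
    probability: int
    detectability: int
    rationale: dict                     # factor name -> why this score applies
    evidence: list = field(default_factory=list)  # deviation history, Cpk, EM trends
    control_verified: bool = False      # is the detection control routinely verified?
    residual_verification: str = ""     # record proving mitigation effectiveness


def rpn(fm: FailureMode) -> int:
    return fm.severity * fm.probability * fm.detectability


def evaluate(fm: FailureMode) -> dict:
    """Return the evaluation decision and the findings that drove it."""
    for name, scale, value in (("severity", SEVERITY, fm.severity),
                               ("probability", PROBABILITY, fm.probability),
                               ("detectability", DETECTABILITY, fm.detectability)):
        if value not in scale:
            raise ValueError(f"{name} score {value} is not on the anchored scale")
        if not fm.rationale.get(name):
            raise ValueError(f"{name} score has no documented rationale")

    findings = []
    if not fm.evidence:
        findings.append("probability scored without data; assumptions must be stated")
    if fm.detectability <= 2 and not fm.control_verified:
        findings.append("detection control credited as strong but not routinely verified")

    score = rpn(fm)
    if score >= RPN_ACTION_LIMIT:
        decision = "reduce"        # additional controls required
    elif fm.severity >= SEVERITY_OVERRIDE:
        decision = "justify"       # high severity: not accepted on RPN alone
    elif findings:
        decision = "investigate"   # scoring basis too weak to accept or reject
    else:
        decision = "accept"
    return {"rpn": score, "decision": decision, "findings": findings}


def record_residual(fm: FailureMode, probability: int, detectability: int,
                    verification: str) -> FailureMode:
    """Re-score after mitigation only when effectiveness has been verified."""
    if not verification:
        raise ValueError("residual score asserted without verification evidence")
    fm.probability, fm.detectability = probability, detectability
    fm.residual_verification = verification
    fm.control_verified = True
    return fm


# Constructed example: a hazard written as a mechanism rather than a consequence.
SHEDDING = FailureMode(
    mechanism="elastomer degradation of the filling pump gasket leading to particulate shedding",
    effect="visible particles in a parenteral product",
    severity=5, probability=2, detectability=3,
    rationale={"severity": "parenteral; particles can reach the patient",
               "probability": "one occurrence in 6 years of deviation history",
               "detectability": "100% visual inspection after filling, not in-line"},
    evidence=["DEV-EXAMPLE-001 (constructed)", "gasket change records (constructed)"],
    control_verified=True,
)

if __name__ == "__main__":
    # RPN 30 is below the action limit, but severity 5 forces "justify"
    print(evaluate(SHEDDING))
```

The decision order matters: the RPN limit is checked first so that a genuinely high RPN always triggers reduction, the severity override is checked second so that a low RPN cannot silently accept a patient-impacting failure, and weak scoring evidence blocks acceptance rather than being absorbed into an optimistic number.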

Risk Control

Risk control defines how the company will reduce, manage, or monitor the identified risk. The selected controls should be proportionate to the risk and should address the actual failure pathway, not only the visible symptom.

Controls may be preventive, detective, or corrective. Preventive controls are generally stronger because they reduce the likelihood of failure occurring. Detective controls identify failures after they occur, while corrective controls define what will be done once a failure is detected.

Examples of risk controls include:

  • engineering controls, such as closed systems, alarms, interlocks, or segregation;
  • procedural controls, such as SOPs, line clearance, reconciliation, and independent checks;
  • qualification and validation activities;
  • cleaning validation or cleaning verification;
  • additional in-process controls;
  • increased environmental or process monitoring;
  • supplier qualification or supplier requalification;
  • incoming material testing;
  • computerized system access controls;
  • audit trail review;
  • operator training and qualification;
  • preventive maintenance;
  • calibration and periodic checks;
  • CAPA or change control actions.

Risk control should not automatically mean adding more documentation or more manual checks. In many cases, a stronger control may involve simplifying the process, removing unnecessary manual handling, improving equipment design, automating a critical step, or reducing opportunities for mix-up or contamination.

Where additional controls are required, they should be assigned to the appropriate GMP system. For example, a procedural gap may require SOP revision and training. An equipment weakness may require change control, qualification, or maintenance action. A recurring deviation may require CAPA. A supplier-related risk may require supplier requalification, an audit, or an update to the quality agreement.


Risk Communication

Risk communication ensures that the outcome of the risk assessment is shared with the people and functions responsible for the decision, the controls, and the follow-up actions. This is often underestimated. A risk assessment may be technically correct, but ineffective if the output is not communicated to the right functions.

Communication should not be limited to signatures on the risk assessment form. The relevant functions should understand which risk has been accepted, which controls are required, which actions remain open, and which conditions would trigger reassessment.

This is especially important where the risk assessment affects batch release, validation scope, supplier oversight, contamination control, cleaning validation, data integrity, or regulatory commitments. In such cases, poor communication can result in controls not being implemented, actions not being tracked, or residual risks not being understood by decision-makers.

Risk Review

Risk review confirms whether the original risk assessment remains valid. This is a critical part of lifecycle management. A risk assessment should not be treated as permanently valid simply because it has been approved.

Risk assessments should be reviewed when new information becomes available, including:

  • significant or repeated deviations;
  • ineffective CAPA;
  • complaints or adverse quality trends;
  • OOS or OOT results;
  • environmental monitoring excursions;
  • process performance deterioration;
  • supplier changes or supplier performance issues;
  • equipment modifications or recurring breakdowns;
  • changes to materials, methods, or process parameters;
  • new regulatory expectations;
  • audit or inspection findings;
  • product quality review conclusions.

Periodic review may also be required for risk assessments linked to validation, cleaning, contamination control, computerized systems, data integrity, supplier qualification, utilities, and critical manufacturing processes.

The purpose of risk review is not only to confirm that the document still exists. The company should ask whether the original assumptions remain valid, whether the controls remain effective, whether residual risk remains acceptable, and whether new data require reclassification of risk.

A mature QRM system will demonstrate that risk assessments are updated as process knowledge changes. An immature system often contains approved assessments that remain unchanged for years, even though deviations, complaints, changes, or trend data indicate that the original risk position is no longer valid.

Quality Risk Management Tools 

ICH Q9(R1) does not require companies to use one specific risk management tool. The selected tool should be appropriate for the decision being made, the complexity of the process, the level of uncertainty, and the potential impact on product quality or patient safety. In practice, the problem is usually not the absence of tools but the routine use of the same tool in every situation.

Overview of common pharmaceutical Quality Risk Management tools including FMEA, HACCP, HAZOP, Fault Tree Analysis, Risk Ranking and Filtering, and Preliminary Hazard Analysis.

A formal FMEA may be appropriate for a complex manufacturing process, equipment system, or computerized system. It may not be necessary for a simple administrative change with limited impact on quality. Similarly, HACCP may be useful where contamination pathways and control points can be clearly defined, but less useful for broad supplier prioritization or portfolio-level risk ranking. The tool should therefore be selected based on the question the company needs to answer.

The following tools are commonly used in Pharmaceutical Quality Risk Management.

  • FMEA / FMECA: process and equipment failure analysis, where failure modes are enumerable, and the question is which failures warrant control. Particularly suited to aseptic processing, sterile filtration, and equipment qualification.
  • HACCP: process flows with definable critical control points, contamination pathways, and verifiable monitoring. Strong fit for biological manufacturing, sterile compounding, and material handling.
  • HAZOP: process design reviews, particularly for chemical synthesis, solvent handling, and utility systems, where deviations from design intent can produce safety or quality consequences.
  • FTA: investigations into specific undesired top events (a contamination excursion, a recall, a stability failure), where the analytical question is how that event could occur.
  • Risk ranking and filtering: portfolio-level questions such as supplier prioritization, product transfer prioritization, or selection of validation lots, in which many candidates must be compared using consistent criteria.
  • PHA: early-stage assessments where the process is not yet defined in sufficient detail for FMEA.

FMEA and FMECA in Practice

Failure Mode and Effects Analysis is one of the most frequently used QRM tools in pharmaceutical manufacturing. It evaluates potential failure modes, their causes, their effects, existing controls, and the residual risk after control measures are considered. FMECA follows the same logic but adds a more explicit criticality analysis. 

Common failure patterns observed in inspection findings include:

  • Failure modes are described at the level of consequences rather than mechanisms (“contamination” is not a failure mode; “elastomer degradation leading to particulate shedding” is)
  • Severity scores assessed against operational impact rather than patient impact
  • Detectability scores conflated with the existence of a control rather than the control’s capability to detect the failure before harm occurs
  • Risk Priority Numbers (RPNs) used as an absolute threshold rather than a relative ranking
  • No documented action threshold or, where present, no evidence that actions above the threshold were tracked to closure
  • Re-scoring after mitigation that asserts reduction without verification

Manufacturers should govern FMEA practice through a procedure that defines scoring scales with anchored criteria, makes patient impact the primary basis for severity, prohibits inflating detectability, and requires verification of mitigation effectiveness before residual scores are recorded. Where RPN is used, the procedure should specify that it is an input to decision-making, not the decision itself; severity should generally take precedence regardless of probability.

HACCP and Critical Control Points

HACCP, originally developed for food safety, is well-suited to pharmaceutical processes where contamination pathways can be mapped to process flows and critical control points can be defined with measurable critical limits, monitoring procedures, and corrective actions. 

Sterile manufacturing, aseptic filling, and biological upstream processing are typical applications. Manufacturers should not, however, force HACCP onto processes where critical limits cannot be operationally defined; the discipline of HACCP is its specificity, and a HACCP plan with vague monitoring requirements is worse than no plan.

The seven HACCP principles (hazard analysis, CCP identification, critical limit establishment, monitoring, corrective action, verification, and record-keeping) map cleanly onto GMP expectations and provide a useful structural reference even where HACCP is not formally adopted.

HAZOP

Hazard and Operability Analysis is particularly useful for process design, engineering systems, utility systems, and operations in which deviations from intended operating conditions may pose quality or safety risks. It examines what could happen when a process parameter or system condition deviates from its design intent.

HAZOP is commonly used for purified water systems, clean steam systems, HVAC systems, compressed gases, solvent handling, chemical synthesis, automated processing equipment, and other systems with defined operating parameters. It is especially useful during design review, design qualification, process safety review, and utility qualification.

The strength of HAZOP is that it challenges the robustness of the design before failures occur in routine operation. Its limitation is that it requires experienced facilitation and a strong technical understanding of the system. A superficial HAZOP, performed without the right engineering and process expertise, may identify generic deviations but miss the conditions that are most relevant to product quality.

Fault Tree Analysis

Fault Tree Analysis is useful when the assessment starts with a defined failure event and works backward to identify possible causes. Instead of asking broadly what can fail, it asks how a specific undesired event could occur.

This makes Fault Tree Analysis suitable for serious or recurring GMP problems such as contamination events, sterility assurance concerns, temperature excursions, cleaning failures, data loss, repeated equipment breakdowns, unexplained OOS results, and recurring product complaints. It can help identify combinations of technical failures, procedural weaknesses, human errors, and control gaps that may lead to the same event.

Manufacturers should use Fault Tree Analysis when the failure event is clearly defined. It is less useful as a broad process-mapping tool, but highly valuable when the objective is to understand the pathways leading to a specific failure and to define targeted preventive controls.

Risk Registers and Risk-Based Lifecycle Management

A risk register is the operational artifact through which QRM connects to the rest of the PQS. The register should be a living record, not a one-time output. Manufacturers should maintain risk registers at multiple levels (process, product, facility, supplier, computerized system, data integrity), each with clear ownership, defined review periodicity, and linkage to the operational systems that act on the risks (change control, CAPA, deviation management, periodic review, management review).

A well-maintained register should answer, for any identified risk:

  • The hazard, its potential consequence, and the affected product or process
  • The current controls and their qualification or validation status
  • The residual risk and the basis for accepting it
  • The owner accountable for the risk
  • The review date and trigger conditions for re-assessment
  • The linked records in change control, CAPA, or deviations

Risk registers should be reviewed when triggering events occur (significant deviations, complaints, recalls, regulatory observations, process or product changes, supplier issues) and at defined periodic intervals during product quality reviews and management reviews. Stale registers are a recurring inspection finding; manufacturers should ensure that review evidence is contemporaneous and substantive rather than a clerical signature exercise.
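The register fields listed above and the review triggers from the Risk Review section can be checked mechanically. The following Python is an added example for this article, not a register format or tool from any company or standard; the entry fields, the accepted qualification statuses, and every identifier in the sample register and event log are constructed placeholders. It reports two things per entry: which expected fields are missing or unsupported (an unqualified control, no linked records), and whether re-assessment is due, either because the periodic review date has passed or because a triggering event in the entry's scope occurred after the last review.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Event:
    kind: str        # "deviation", "complaint", "supplier_change", "recall", ...
    occurred: date
    scope: str       # product, process, or system the event relates to
    ref: str         # record reference


@dataclass
class RiskEntry:
    risk_id: str
    hazard: str
    consequence: str
    scope: str                     # affected product, process, or system
    controls: list                 # (control description, qualification status)
    residual_risk: str
    acceptance_basis: str
    owner: str
    next_review: date
    triggers: set                  # event kinds that force re-assessment
    linked_records: list           # change control, CAPA, deviation references
    last_reviewed: date = None


ACCEPTED_STATUS = {"qualified", "validated", "verified"}   # constructed vocabulary
REQUIRED_TEXT = ("hazard", "consequence", "scope", "residual_risk", "acceptance_basis", "owner")


def completeness_gaps(entry: RiskEntry) -> list:
    """Fields an inspector would expect to find filled for any listed risk."""
    gaps = [f for f in REQUIRED_TEXT if not getattr(entry, f).strip()]
    if not entry.controls:
        gaps.append("controls")
    gaps += [f"unqualified control: {c}" for c, status in entry.controls
             if status not in ACCEPTED_STATUS]
    if not entry.linked_records:
        gaps.append("linked_records")
    if not entry.triggers:
        gaps.append("triggers")
    return gaps


def review_reasons(entry: RiskEntry, events: list, today: date) -> list:
    """Why the entry must be re-assessed: overdue, or a trigger after the last review."""
    reasons = []
    if today >= entry.next_review:
        reasons.append(f"periodic review due {entry.next_review.isoformat()}")
    for ev in events:
        if ev.scope != entry.scope or ev.kind not in entry.triggers:
            continue
        if entry.last_reviewed is None or ev.occurred > entry.last_reviewed:
            reasons.append(f"{ev.kind} {ev.ref} on {ev.occurred.isoformat()} not yet reflected")
    return reasons


def register_report(register: list, events: list, today: date) -> dict:
    return {e.risk_id: {"gaps": completeness_gaps(e),
                        "review": review_reasons(e, events, today)} for e in register}


# Constructed sample register and event log; all identifiers are placeholders.
TODAY = date(2025, 3, 1)
REGISTER = [
    RiskEntry("RR-EXAMPLE-01", "Unapproved change at API supplier",
              "Impurity profile shift in finished product", "API-EXAMPLE-X",
              [("supplier audit every 2 years", "verified"),
               ("incoming identity and impurity test", "validated")],
              "low", "two independent controls; no supplier deviations in 5 years",
              "QA Supplier Lead", next_review=date(2025, 9, 1),
              triggers={"supplier_change", "deviation", "oos"},
              linked_records=["CC-EXAMPLE-118"], last_reviewed=date(2024, 9, 1)),
    RiskEntry("RR-EXAMPLE-02", "Microbial ingress at isolator gloves",
              "Non-sterile unit reaches patient", "LINE-EXAMPLE-3",
              [("glove integrity test each batch", "pending qualification")],
              "medium", "", "", next_review=date(2024, 12, 31),
              triggers={"em_excursion", "deviation"},
              linked_records=[], last_reviewed=date(2023, 12, 31)),
]
EVENTS = [
    Event("supplier_change", date(2024, 11, 15), "API-EXAMPLE-X", "SCN-EXAMPLE-7"),
    Event("complaint", date(2025, 1, 10), "API-EXAMPLE-X", "CMP-EXAMPLE-22"),   # not a trigger for RR-01
    Event("em_excursion", date(2023, 6, 2), "LINE-EXAMPLE-3", "EM-EXAMPLE-9"),  # before last review
]

if __name__ == "__main__":
    for risk_id, result in register_report(REGISTER, EVENTS, TODAY).items():
        print(risk_id, result)
```

Note that a triggering event is matched on scope as well as kind: a complaint against one product should not force review of every entry in the register, but a supplier change in the entry's own scope that post-dates the last review is exactly the evidence an inspector expects to see reflected.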

Linking QRM to GMP Operational Systems

Infographic showing how Quality Risk Management supports GMP operational systems including change control, deviations and CAPA, qualification and validation, supplier quality management, PQR/APR, and computerized system validation.

QRM is effective only when its outputs drive operational decisions. Manufacturers should explicitly link risk assessments to:

  • Change control (EU GMP Chapter 1 §1.4(xiv), 21 CFR 211.100): every proposed change should be subject to a risk assessment proportionate to its potential impact; risk assessments should be approved before implementation and verified afterward.
  • Deviation and CAPA management: deviation classification should reflect the risk to the patient and product; root cause analysis should consider whether the deviation reveals a previously unidentified hazard or a failed control.
  • Qualification and validation (Annex 15 §2): validation strategy, scope, and lifecycle should be risk-based; the validation master plan should reference the risk assessments that justify its scope.
  • Supplier quality management (EU GMP Chapter 5 §5.27–5.30): supplier qualification, audit frequency, incoming control, and supplier-related change management should all be based on a documented supplier risk assessment.
  • Annual Product Quality Review / Product Quality Review (EU GMP Chapter 1 §1.10, 21 CFR 211.180(e)): PQRs should consider whether trend data and atypical events warrant updates to the risk profile of the product.
  • Computerized system validation (Annex 11, 21 CFR Part 11): GAMP 5 (second edition) risk-based scaling depends on a defensible, documented risk classification for each system.

The audit trail between a risk assessment and the operational record it supports should be navigable in both directions. Inspectors increasingly ask to trace, from a specific control in a master batch record or a specific test in a qualification protocol, back to the risk assessment that justified it. Manufacturers should ensure that this traceability exists and is demonstrable.

FAQ

Can Quality Risk Management Be Used to Reduce Testing?

QRM can support a reduced testing strategy, but only when there is sufficient scientific and historical justification. The company must demonstrate that the reduced testing does not weaken control over critical quality attributes or patient safety. 

This may require process capability data, supplier history, validation evidence, trend data, or previous testing results. A risk-based reduction in testing should also define review triggers, such as supplier changes, deviations, OOS results, or adverse trends. QRM should never be used simply to reduce workload without a defensible quality rationale.

How Should Risk Acceptance Criteria Be Defined?

Risk acceptance criteria should be defined before the assessment is performed, not after the results are known. They should be linked to patient safety, product quality, data integrity, GMP compliance, and regulatory expectations. Simple labels such as low, medium, and high are insufficient unless the meaning of each category is clearly defined. 

The criteria should also explain when escalation, CAPA, change control, additional testing, or management review is required. Without predefined acceptance criteria, the final decision may appear subjective or outcome-driven.

What Is Residual Risk in QRM?

Residual risk is the level of risk that remains after existing or additional controls have been applied. It is not enough to state that residual risk is “acceptable”; the assessment should explain why it is acceptable and which controls support that conclusion. 

Residual risk may be accepted when controls are effective, verified, proportionate, and aligned with GMP expectations. For high-severity risks, residual risk should usually be supported by stronger justification and may require management or Quality approval. Residual risk should also be reviewed when new data or events challenge the original assumptions.

What Evidence Can Support Probability Ratings?

Probability ratings should be supported by objective evidence whenever possible. Useful sources include deviation history, complaints, OOS/OOT results, process capability data, validation results, environmental monitoring trends, supplier performance, maintenance history, audit findings, and historical batch data. 

Where objective data are limited, expert judgment may be used, but the assumptions should be documented. The assessment should distinguish between known low probability and unknown probability due to insufficient data. A low occurrence score is weak if it is based only on confidence rather than evidence.
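As an added illustration of the three preceding answers (predefined acceptance criteria, residual risk that names its verified supporting controls, and a probability score that must distinguish evidence from judgment), the following is example code written for this article, not an ICH Q9 or company procedure; the scales, thresholds, sample hazard and control names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed acceptance criteria (illustrative, not from ICH Q9), fixed before any risk is scored:
ACCEPTANCE = [(8, "low", "document and monitor"),
              (27, "medium", "CAPA or change control, QA approval"),
              (125, "high", "management approval; add controls before acceptance")]

@dataclass
class Control:
    name: str
    reduces: str      # "probability" or "detectability"
    by: int           # scale points removed when the control is effective
    verified: bool    # effectiveness verified (validation, trend data); unverified ones do not count

@dataclass
class Risk:
    hazard: str
    severity: int        # 1 (negligible) .. 5 (patient harm)
    probability: int     # 1 (remote) .. 5 (frequent)
    detectability: int   # 1 (always detected) .. 5 (undetectable)
    evidence: list = field(default_factory=list)   # objective sources behind the probability score
    controls: list = field(default_factory=list)

def categorize(value):
    """Map a severity*probability*detectability score onto the predefined criteria."""
    for limit, label, action in ACCEPTANCE:
        if value <= limit:
            return label, action
    raise ValueError(f"score {value} is outside the defined scale")

def assess(risk):
    """Return initial and residual categories plus the findings an assessor must resolve."""
    findings, supporting = [], []
    if risk.probability <= 2 and not risk.evidence:
        findings.append("low probability is judgment only: record as unknown, not known low")
    prob, det = risk.probability, risk.detectability
    for c in risk.controls:
        if not c.verified:   # an unverified control cannot support residual risk
            findings.append(f"control '{c.name}' is unverified: excluded from residual risk")
            continue
        if c.reduces == "probability":
            prob = max(1, prob - c.by)
        else:
            det = max(1, det - c.by)
        supporting.append(c.name)
    initial, _ = categorize(risk.severity * risk.probability * risk.detectability)
    residual, action = categorize(risk.severity * prob * det)
    if not supporting:
        findings.append("residual risk has no verified control supporting it")
    if risk.severity >= 4 and residual != "low":
        findings.append("high-severity hazard: residual acceptance needs Quality approval")
    return {"initial": initial, "residual": residual, "action": action,
            "supported_by": supporting, "findings": findings}
```

Calling `assess()` on a hazard scored 4/3/4 with one verified detectability control returns an initial category of "high", a residual of "medium", and findings that still have to be closed before the residual risk can be recorded as accepted.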

How Should Uncertainty Be Handled in a Risk Assessment?

Uncertainty should be openly documented rather than hidden in optimistic scoring. When data are limited, the assessment should state what is unknown, why it matters, and how the uncertainty will be managed. 

This may require interim controls, additional monitoring, enhanced sampling, verification activities, or a defined review point after more data becomes available. High uncertainty may justify a more formal risk assessment even when the expected risk appears moderate. In GMP, uncertainty is itself an important factor in deciding the level of control.

Conclusion

Quality Risk Management, as defined by ICH Q9(R1) and operationalized through the GMP frameworks of the major regulators, is no longer a discrete activity but a property of the Pharmaceutical Quality System as a whole. 

Manufacturers should assess their QRM programs against three tests: whether the outputs are reliable enough to support consequential decisions, whether the tools deployed are aligned with the questions being asked, and whether the system is integrated across the product lifecycle so that knowledge accumulates and controls evolve. 

The regulatory trajectory is clear: QRM will continue to move from a compliance artifact to an operational discipline, and manufacturers whose systems are not built to that standard should expect their inspection experience to reflect the gap.
