Understanding Quality Risk Management

P P Sharma
Former Dy Drugs Controller, Govt. of Delhi
Email ID: mail.ppsharma@gmail.com

Last Updated on January 28, 2024 by The Health Master

Quality Risk Management (QRM) is not a new concept. It has been used in several industries and businesses, e.g. aviation, finance and insurance.

It was introduced into the GMPs of the ICH countries, i.e. the USA, Europe and Japan, based on the ICH document ICH Q9 (Quality Risk Management). Recognizing this, WHO reviewed the main principles of GMP and included the QRM concept in its guidelines.

The Ministry of Health and Family Welfare, Govt. of India, published the new draft of Schedule M to bring it up to the level of WHO GMP. Therefore, it is necessary for regulatory officers to understand the concept of QRM.

ICH brought out three interrelated documents, namely the following:

  • ICH Q8 – Pharmaceutical Development
  • ICH Q9 – Quality Risk Management
  • ICH Q10 – Pharmaceutical Quality System

These documents are the outcome of the vision statement of ICH developed at the meeting held in Brussels in July 2003. The vision statement is “Develop a harmonized pharmaceutical quality system applicable across the life cycle of the product emphasizing an integrated approach to risk management and science”. Thus, QRM is an integral part of the Pharmaceutical Quality System (PQS), and GMP is also a part of the PQS.

Under ICH Q9, two primary principles have been mentioned, and these are:

  • The evaluation of the risk to quality should be based on scientific knowledge and ultimately linked to the protection of the patient; and
  • The level of effort, formality and documentation of the quality risk management process should be commensurate with the level of risk.

Quality Risk Management is a systematic process for the assessment, control, communication and review of the risks to the quality of the medicinal product across the life cycle of the product. A general QRM process includes the following elements:

  • Responsibilities;
  • Initiating a QRM process;
  • Risk assessment;
  • Risk control;
  • Risk communication;
  • Risk review.


Responsibilities

Selecting persons and assigning responsibilities is the first step in the general QRM process. WHO recommends that, whether it is a pharmaceutical manufacturer or a regulatory agency, persons with appropriate product-specific knowledge and expertise should be selected to ensure effective planning and completion of QRM activities. It is recommended that a multidisciplinary team be constituted and its responsibilities defined.

Initiating a QRM Process

To initiate a QRM process, the following activities should be undertaken:

  • Define the problem and/or risk identifying the potential for risk;
  • Collect background information and/or data on potential hazard, harm or human health impact relevant to the risk assessment;
  • Identify a leader and the necessary resources;
  • Specify a timeline, the deliverables and an appropriate level of decision making for the risk management process.

Risk Assessment

For risk assessment, WHO recommendations are:

  • All the risks that may reasonably be expected to occur under evaluation should be listed;
  • An analysis should be carried out to identify which risk(s) can be eliminated or reduced to an acceptable level;
  • A review should be made of materials, operations, equipment, storage, distribution and intended use of the product.

Risk assessment methodology is outside the scope of this article.

Risk Control

After risk assessment, the next step is risk control. The purpose of risk control is to reduce the risk to an acceptable level or to eliminate it. The WHO guidelines recommend that the following questions be asked:

  • What can be done to reduce or eliminate the identified risk?
  • What is the balance between benefits, risk and the resources?
  • Are new risks introduced as a result of the identified risk being controlled?

Usually, risk control activities involve identifying controls and measures that would reduce or control the risk associated with a failure mode or negative event.

The control measures should ensure that the risk is brought under control as soon as possible in compliance with the established deviation handling procedures.

Risk Communication

The QRM process should be communicated to all the stakeholders. Involving the stakeholders in both the data collection and the process for risk assessment, and in the decision making for risk control, will ensure their commitment to and support for QRM.

The result of the QRM process and the associated risk analysis should be endorsed by the quality unit and the management of the organization. This information should be shared with the stakeholders.

Risk Review

The WHO guidelines recommend that the output of QRM should be monitored periodically and reviewed, as appropriate, to assess new information which may have an impact on the QRM decision. Examples of such changes include changes:

  • To control systems;
  • To equipment;
  • In suppliers and contractors;

It has been further recommended in the guidelines that all records and documents of risk review should be signed and dated by the person(s) carrying out the review and by a responsible person of the quality unit of the company.
