Guest Column | April 7, 2017

Integrating Risk Management In The Quality Management System — A Primer

By Mark Durivage, Quality Systems Compliance LLC

Probably the most significant concern for anyone responsible for implementing, deploying, and maintaining a quality management system is the integration of risk-based thinking. While the concept of risk management is not new, previous practice was largely reactive, focusing on detection after the fact: root cause analysis, corrective actions, and preventing recurrence of the failure. Contemporary thinking places the emphasis on considering risks up front (prevention) and on having a solid approach to addressing risk in planning, managing, and driving actions.

This article will first present the definitions and requirements regarding risk and then introduce some tools that can be utilized to incorporate and integrate risk management techniques in and throughout the QMS. Subsequent articles in this series will provide practical applications of risk management techniques to the various subparts/elements of the QMS.

Definitions And Background

There are several International Organization for Standardization (ISO) standards, FDA regulations, and international guidance documents that provide direction and lay out the framework for implementing, maintaining, and sustaining an effective and robust quality management system, regardless of the organization's type or size or the products and services it provides, and that require the use of risk-based thinking.

ISO 9001:2015 Quality management systems — Requirements states the QMS “needs to demonstrate the organization’s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.”

ISO 9004:2009 Managing for the sustained success of an organization — A quality management approach clause 9.3.5 Risks provides the following guidance: “The organization should assess the risks related to planned innovation activities, including giving consideration to the potential impact on the organization of changes, and prepare preventive actions to mitigate those risks, including contingency plans, where necessary.”

ISO 9000:2015 Quality management systems — Fundamentals and vocabulary, defines risk as the effect of uncertainty. ISO 9001:2015 further explains the concept of risk-based thinking. Risk-based thinking enables an organization to determine the factors that could cause its processes and its quality management system to deviate from the planned results, to put in place preventive controls to minimize negative effects, and to make maximum use of opportunities as they arise. In fact, the word “risk” is mentioned 50 times within the standard, demonstrating the significance and importance of the term.

ISO 13485:2016 Medical devices — Quality management systems — Requirements for regulatory purposes defines risk as the combination of the probability of occurrence of harm and the severity of that harm. The standard further requires that organizations apply a risk-based approach to the control of the appropriate processes needed for the quality management system, and that the controls be proportionate to the risk involved.

ANSI/AAMI/ISO 14971:2007 Medical devices — Application of risk management to medical devices, defines risk as the combination of the probability of occurrence of harm and the severity of that harm. The standard further defines risk management as the systematic application of management policies, procedures, and practices to the tasks of analyzing, evaluating, controlling, and monitoring risk.

ISO 31000:2009 Risk management — Principles and guidelines defines risk as an effect of uncertainty on objectives. The standard further defines the risk management process as a systematic application of management policies, procedures, and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring, and reviewing risk.

FDA’s Quality Systems Approach to Pharmaceutical CGMP Regulations Guidance for Industry states “Quality risk management is a valuable component of an effective quality systems framework. Quality risk management can, for example, help guide the setting of specifications and process parameters for drug manufacturing, assess and mitigate the risk of changing a process or specification, and determine the extent of discrepancy investigations and corrective actions.”

FDA’s Medical Devices; Current Good Manufacturing Practice (cGMP) Final Rule; Quality System Regulation includes the following comments:

  • Comment 13. The extent of the documentation necessary to meet the regulation requirements may vary with the complexity of the design and manufacturing operations, the size of the firm, the importance of a process, and the risk associated with the failure of the device, among other factors.
  • Comment 31. Manufacturing materials should be controlled in a manner that is commensurate with their risk.
  • Comment 81. The extent of testing conducted should be governed by the risk(s) the device will present if it fails.
  • Comment 83. When conducting a risk analysis, manufacturers are expected to identify possible hazards associated with the design in both normal and fault conditions. The risks associated with the hazards, including those resulting from user error, should then be calculated in both normal and fault conditions. If any risk is judged unacceptable, it should be reduced to acceptable levels by the appropriate means, for example, by redesign or warnings. An important part of risk analysis is ensuring that changes made to eliminate or minimize hazards do not introduce new hazards.
  • Comment 159. FDA agrees that the degree of corrective and preventive action taken to eliminate or minimize actual or potential nonconformities must be appropriate to the magnitude of the problem and commensurate with the risks encountered.

The International Conference on Harmonization (ICH) Q9 Quality Risk Management Guidance for Industry states “it is becoming evident that quality risk management is a valuable component of an effective quality system.” It goes on to say “Quality risk management supports a scientific and practical approach to decision making. It provides documented, transparent, and reproducible methods to accomplish steps of the quality risk management process based on current knowledge about assessing the probability, severity, and, sometimes, detectability of the risk.”1 The document provides a quality risk management process, which is shown in Figure 1. The model comprises three primary areas (risk assessment, risk control, and risk review) within a framework of risk management tools and risk communication.

Figure 1: Overview of a typical quality risk management process1

Brainstorming, Affinity Diagrams, And Multi-Voting

Before presenting some of the tools used for risk management, it should be stated that these tools are most useful and complete when applied by a team. Brainstorming is one technique for generating lists of what risks may be present and how to manage and mitigate them.

Brainstorming involves a group of individuals generating ideas without consideration for whether the idea is good or bad. The technique relies on the free flow of ideas; those ideas will typically trigger additional ideas that an individual working alone may not have thought about. A good method for brainstorming is to write the ideas on sticky notes.

Once the list of ideas is generated an affinity diagram can be completed to group ideas into logical categories. The process involves having the individuals place the brainstorming session’s sticky notes into logical groups. The process usually works best when a set time limit is used.

The last step is to prioritize the groups generated from the affinity diagram. One technique that can be used to prioritize the groups is multi-voting, in which each participant ranks the groups. For example, there may be 10 groups, so each person would rank each group 10, 9, 8, 7, etc. by assigning the most important group the highest number. After that, the scores for each group are tallied and the groups are prioritized by the average ranking they received.

Failure Mode And Effects Analysis

Failure mode and effects analysis (FMEA) is a step-by-step approach to identify all possible failures in a design or in a manufacturing or assembly process, or in a product or service. It methodically breaks down the analysis of complex products and processes into manageable steps; risk reduction can then be used to eliminate, contain, reduce, or control failures and risks. Figure 2 shows the process for determining the appropriate actions.

Figure 2: Risk process for determining the appropriate actions

The potential areas of use for FMEA are to prioritize risks and monitor the effectiveness of risk control activities. It can be applied to user needs, products (design and manufacture), processes (quality and service), equipment, facilities, and can even be used to analyze a manufacturing operation and its effect on product or process. FMEA identifies elements/operations within the system that render it vulnerable to risks.

The output or results of FMEA can be used as a basis for:

  • Design and development activities
  • Inspection activities (incoming, in-process, and release)
  • Commissioning and validation activities
  • Supplier management
  • Audit findings (internal and external)
  • Complaints
  • Nonconformances
  • Corrective and preventive action (CAPA)

Generally, I prefer to use three levels of risk output from an FMEA: high, medium, and low. Three levels give clear separation between categories, which makes assigning a risk level straightforward. Table 1 provides an example of risk level definitions. When determining the risk level, it is generally best practice to be conservative and, when in doubt, assign the higher level.

Table 1: Example of Risk Level Definitions

The use of FMEA is fundamental to the application of management policies, procedures, and practices to the tasks of analyzing, evaluating, controlling, and monitoring risk. The output of the FMEA process is the basis for risk-based thinking that can be readily applied throughout the QMS.
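As an added illustration (not code from the article or from the author), the following Python sketch computes a risk priority number (RPN) from severity, occurrence, and detection ratings and maps it to the three levels discussed above. The 1 to 10 rating scales, the RPN thresholds, the severity override, and the sample worksheet rows are all assumptions constructed for the example; the article's Table 1 is not reproduced here.

```python
"""FMEA risk prioritization with a three-level output (added example)."""
from dataclasses import dataclass

# Ordinal scales assumed for this example (1 = best, 10 = worst), the usual
# convention for severity, occurrence and detection ratings. The thresholds
# below are assumptions, not the values of the article's Table 1.
SCALE_MIN, SCALE_MAX = 1, 10
RPN_HIGH = 200         # RPN at or above this is "high" (assumed threshold)
RPN_MEDIUM = 80        # RPN at or above this is "medium" (assumed threshold)
SEVERITY_OVERRIDE = 9  # severity at or above this is never rated below "high"


@dataclass(frozen=True)
class FailureMode:
    """One row of an FMEA worksheet."""
    item: str
    failure_mode: str
    effect: str
    severity: int
    occurrence: int
    detection: int


def _check_rating(name: str, value: int) -> int:
    """Reject ratings outside the agreed scale instead of silently using them."""
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} rating {value} outside {SCALE_MIN}..{SCALE_MAX}")
    return value


def rpn(fm: FailureMode) -> int:
    """Risk priority number = severity x occurrence x detection."""
    s = _check_rating("severity", fm.severity)
    o = _check_rating("occurrence", fm.occurrence)
    d = _check_rating("detection", fm.detection)
    return s * o * d


def risk_level(fm: FailureMode) -> str:
    """Map a failure mode to high / medium / low.

    Two conservative rules follow the guidance to err toward the higher
    level: thresholds are inclusive (a value sitting exactly on a boundary
    takes the higher level), and a high-severity mode is rated high
    regardless of its RPN, because a low occurrence or a good detection
    score should not hide a harm that is severe when it does happen.
    """
    if fm.severity >= SEVERITY_OVERRIDE:
        return "high"
    value = rpn(fm)
    if value >= RPN_HIGH:
        return "high"
    if value >= RPN_MEDIUM:
        return "medium"
    return "low"


def prioritize(modes):
    """Order failure modes for action: level first, then RPN, then severity."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(modes, key=lambda fm: (order[risk_level(fm)], -rpn(fm), -fm.severity))


# Constructed sample worksheet rows (not taken from the article).
SAMPLE_MODES = [
    FailureMode("Filling pump", "Underfill", "Sub-potent dose", 8, 3, 4),
    FailureMode("Label printer", "Wrong lot number", "Traceability loss", 6, 2, 2),
    FailureMode("Sterilizer", "Cycle aborted unnoticed", "Non-sterile product", 10, 1, 3),
    FailureMode("Packaging seal", "Weak seal", "Moisture ingress", 5, 5, 6),
]

if __name__ == "__main__":
    for fm in prioritize(SAMPLE_MODES):
        print(f"{risk_level(fm):6} RPN={rpn(fm):3} {fm.item}: {fm.failure_mode}")
```

Note what the severity override does to the sample rows: the sterilizer failure has the lowest RPN of the four (30) because it is rare and reasonably detectable, yet it is rated high, while the weak seal with an RPN of 150 is only medium. A pure RPN ranking would have ordered the two the other way around.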

Strengths, Weaknesses, Opportunities, And Threats Analysis

Strengths, weaknesses, opportunities, and threats (SWOT) analysis is a planning tool used to identify internal strengths and weaknesses and external opportunities and threats. SWOT can be used for short-term tactical planning of processes and systems, and for long-term strategic organizational planning. An example SWOT analysis is shown in Figure 3.

Figure 3: Example SWOT analysis

Political, Economic, Social, And Technological Analysis

Political, economic, social, and technological (PEST) analysis is a planning tool similar to SWOT analysis but focused on long-term strategic organizational planning rather than short-term tactical planning; it examines the external environment in which the organization operates. An example PEST analysis is shown in Figure 4.

Figure 4: Example PEST analysis

Fault Tree Analysis

Fault tree analysis (FTA) evaluates system (or subsystem) failures one at a time, but can combine multiple causes of failure by identifying causal chains. The results are represented pictorially as a branching tree of fault modes; at each level of the tree, combinations of fault modes are described with logical operators (e.g., AND, OR). FTA can be used to establish the pathway to the root cause of a failure, and to investigate complaints or deviations to fully understand their root cause and to ensure that intended improvements will resolve the issue without creating other issues. It is an effective tool for evaluating how multiple factors combine to affect a given issue. The output of an FTA is a visual representation of failure modes, useful both for risk assessment and for developing monitoring programs. Figure 5 depicts a basic FTA.

Figure 5: Example FTA
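As an added example (not from the article), the following Python code builds a small fault tree from AND and OR gates, computes the probability of the top event assuming independent basic events, and enumerates the minimal cut sets, i.e. the smallest combinations of root causes that are sufficient to produce the top event. The tree, the event names, and the probabilities are constructed for illustration and are not those of Figure 5.

```python
"""Fault tree analysis: top-event probability and minimal cut sets (added example)."""
from dataclasses import dataclass
from itertools import product
from math import prod


@dataclass(frozen=True)
class BasicEvent:
    """A root cause (leaf of the tree) with its probability of occurring."""
    name: str
    probability: float


@dataclass(frozen=True)
class Gate:
    """An intermediate or top event: AND needs every input, OR needs any input."""
    name: str
    kind: str          # "AND" or "OR"
    inputs: tuple      # BasicEvent or Gate instances


def basic_events(node) -> dict:
    """Map every basic event name under node to its probability."""
    if isinstance(node, BasicEvent):
        return {node.name: node.probability}
    found = {}
    for child in node.inputs:
        found.update(basic_events(child))
    return found


def probability(node) -> float:
    """Probability of the node's event, treating basic events as independent.

    Exact only when no basic event feeds more than one gate; a shared event
    makes the OR formula overstate the result.
    """
    if isinstance(node, BasicEvent):
        return node.probability
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        return prod(ps)
    if node.kind == "OR":
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")


def cut_sets(node) -> set:
    """Every set of basic events whose joint occurrence triggers the node."""
    if isinstance(node, BasicEvent):
        return {frozenset([node.name])}
    child_sets = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        return set().union(*child_sets)          # any input's cut set suffices
    if node.kind == "AND":
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node) -> list:
    """Cut sets with no proper subset that is itself a cut set, smallest first."""
    sets = cut_sets(node)
    minimal = [s for s in sets if not any(other < s for other in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def rank_cut_sets(root) -> list:
    """Minimal cut sets as (probability, names), most likely pathway first."""
    probs = basic_events(root)
    ranked = [(prod(probs[n] for n in s), tuple(sorted(s))) for s in minimal_cut_sets(root)]
    return sorted(ranked, key=lambda pair: -pair[0])


# Constructed example tree (not taken from the article's Figure 5).
STEAM = BasicEvent("Steam supply interruption", 0.02)
SEAL = BasicEvent("Chamber door seal leak", 0.01)
RELEASE = BasicEvent("Release signed without record review", 0.05)
BI_FALSE_NEG = BasicEvent("Biological indicator false negative", 0.03)
ALARM_IGNORED = BasicEvent("Cycle parameter alarm ignored", 0.10)

LOAD_NOT_STERILE = Gate("Load not sterilized", "OR", (STEAM, SEAL))
FAILURE_MISSED = Gate("Failure not detected", "OR",
                      (RELEASE, Gate("Both checks fail", "AND", (BI_FALSE_NEG, ALARM_IGNORED))))
TOP = Gate("Non-sterile product released", "AND", (LOAD_NOT_STERILE, FAILURE_MISSED))

if __name__ == "__main__":
    print(f"P(top event) = {probability(TOP):.6f}")
    for p, names in rank_cut_sets(TOP):
        print(f"{p:.6f}  {' AND '.join(names)}")
```

Ranking the minimal cut sets by probability shows which causal chain deserves a control first; in the constructed tree the two-event chains through the unreviewed release dominate. Summing the cut set probabilities (the rare-event approximation) gives a figure slightly above the exact top-event probability, which is the expected direction, since cut sets can co-occur.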

Hazard Analysis And Critical Control Points

Hazard analysis and critical control points (HACCP) is used to manage risks associated with physical, chemical, and biological hazards. HACCP has seven principles:

  1. Conduct a hazard analysis
  2. Determine the critical control points
  3. Establish critical limits
  4. Establish a system to monitor the critical control points
  5. Establish corrective actions
  6. Establish a system to verify that the HACCP system is working effectively
  7. Establish a record-keeping system

HACCP principles can be used to identify, mitigate, and manage risks. HACCP is most useful when product and process understanding is sufficiently comprehensive to support identification of critical control points.

The output of an HACCP analysis is risk management information that facilitates monitoring of critical points not only in the manufacturing process but also in other life cycle phases.

Preliminary Hazard Analysis

Preliminary hazard analysis (PHA) is a simple, inductive method of analysis whose objective is to identify the hazards that can cause harm for a given activity, facility, or system. It is usually carried out early in the development of a product or process, when there is little information on design details or operating procedures. It can be used to help identify the hazards or risks for the development of FMEAs and facilitate specification development activities.

The tool consists of:

  • Identification of the likelihood that the risk event will happen
  • Qualitative evaluation of the extent of possible injury or damage to health that could result
  • A relative ranking of the hazard using a combination of severity and likelihood of occurrence
  • Identification of possible remedial measures


These are just some of the tools to aid the process of identifying and integrating risk management throughout the QMS. There are many more tools available to identify, analyze, mitigate, and monitor risk.

The importance of proceduralizing the tools and methods used cannot be overemphasized. Best practice includes providing rationale for your organization’s use of risk management tools and activities. The requirements and risk management tools presented in this article can and should be utilized based upon industry practice, guidance documents, and regulatory requirements.


  1. International Conference on Harmonisation (ICH), ICH Harmonised Tripartite Guideline Q9: Quality Risk Management, June 2006.

About The Author:

Mark Allen Durivage is the managing principal consultant at Quality Systems Compliance LLC and an author of several quality-related books, including Practical Engineering, Process, and Reliability Statistics (ASQ Quality Press, 2014). He earned a B.A.S. in computer aided machining from Siena Heights University and a M.S. in quality management from Eastern Michigan University. Durivage is an ASQ Fellow and holds several ASQ certifications including CQM/OE, CRE, CQE, CQA, CHA, CBA, CPGP, and CSSBB. He also is a Certified Tissue Bank Specialist (CTBS) and holds a Global Regulatory Affairs Certification (RAC). Durivage resides in Lambertville, Michigan. Please feel free to email him at with any questions or comments, or connect with him on LinkedIn.