Guest Column | June 11, 2018

Integrating Risk Management Into Your QMS — An Essential Toolkit

By Mark Durivage, Quality Systems Compliance LLC

Probably the most significant concern for anyone responsible for implementing, deploying, and maintaining a quality management system is the integration of risk-based thinking. Risk-based thinking can and should be applied to the organization's strategic and tactical planning processes.

This article will first present the definitions and requirements regarding risk and planning and then introduce some tools that can be utilized to incorporate and integrate risk management techniques in and throughout the organization's strategic and tactical planning processes.

Definitions and Background

Several ISO standards, FDA regulations, and international guidance documents provide direction and lay out the framework for successfully implementing, maintaining, and sustaining an effective and robust quality management system, regardless of the organization's type or size or the products and services it provides. Each of them requires the use of risk-based thinking and planning.

ISO 9001:2015 Quality management systems — Requirements states the QMS "needs to demonstrate the organization's ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements and aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements."

ISO 9004:2009 Managing for the sustained success of an organization — A quality management approach, clause 9.3.5 Risks provides the following guidance: "The organization should assess the risks related to planned innovation activities, including considering the potential impact on the organization of changes, and prepare preventive actions to mitigate those risks, including contingency plans, where necessary."

ISO 13485:2016 Medical devices — Quality management systems — Requirements for regulatory purposes defines risk as the combination of the probability of occurrence of harm and the severity of that harm. The standard further requires that organizations apply a risk-based approach to the control of the appropriate processes needed for the quality management system. Furthermore, the standard requires that the controls be proportionate to the risk involved.

ISO 31000:2009 Risk management — Principles and guidelines defines risk as an effect of uncertainty on objectives. The standard further defines the risk management process as a systematic application of management policies, procedures, and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring, and reviewing risk.

The FDA's Quality Systems Approach to Pharmaceutical CGMP Regulations Guidance for Industry states "Quality risk management is a valuable component of an effective quality systems framework. Quality risk management can, for example, help guide the setting of specifications and process parameters for drug manufacturing, assess and mitigate the risk of changing a process or specification, and determine the extent of discrepancy investigations and corrective actions."

From the FDA's Medical Devices; Current Good Manufacturing Practice (CGMP) Final Rule; Quality System Regulation:

  • Comment 13. The extent of the documentation necessary to meet the regulation requirements may vary with the complexity of the design and manufacturing operations, the size of the firm, the importance of a process, and the risk associated with the failure of the device, among other factors.
  • Comment 31. Manufacturing materials should be controlled in a manner that is commensurate with their risk.
  • Comment 81. The extent of testing conducted should be governed by the risk(s) the device will present if it fails.
  • Comment 83. When conducting a risk analysis, manufacturers are expected to identify possible hazards associated with the design in both normal and fault conditions. The risks associated with the hazards, including those resulting from user error, should then be calculated in both normal and fault conditions. If any risk is judged unacceptable, it should be reduced to acceptable levels by the appropriate means, for example, by redesign or warnings. An important part of risk analysis is ensuring that changes made to eliminate or minimize hazards do not introduce new hazards.
  • Comment 159. FDA agrees that the degree of corrective and preventive action taken to eliminate or minimize actual or potential nonconformities must be appropriate to the magnitude of the problem and commensurate with the risks encountered.

Brainstorming, Affinity Diagrams, And Multi-Voting

Before presenting some of the tools used for risk-based planning, it should be stated that risk management tools are the most useful and complete when performed using a team-based approach. Brainstorming is one tool to generate lists of ideas on what risks may be present and how to manage and mitigate those risks.

Brainstorming involves a group of individuals generating ideas without considering whether the ideas are good or bad. The technique relies on the free flow of ideas and that ideas will trigger additional ideas that an individual working alone may not have thought about. A good method for brainstorming is to write the ideas on sticky notes.

Once the list of ideas is generated, an affinity diagram can be completed to group ideas into logical categories. The process works by having the individual team members place the ideas generated during the brainstorming session (captured on sticky notes) into logical groups. The process usually works best when a time limit is set.

The last step is to prioritize the groups of ideas in the affinity diagram. One technique that can be used for this step is multi-voting, which can be done by having everyone rank the groups. For example, there may be 10 groups, so each person would rank each group 10, 9, 8, 7, etc., by assigning the most important group the highest number. After the scores are tallied, the groups are ranked by their average rankings.

Figure 1: The process of generating, organizing, and prioritizing ideas


Benchmarking can be used to measure your organization's performance against that of other companies that are successful, determine what makes those companies successful, and use the information to improve performance. The benchmarking process, which can be used to assess other organizations, systems, processes, services, and products, can be competitive or technical. Competitive benchmarking measures how an organization is performing as compared to its competitors. Technical benchmarking is conducted to determine the features of products or services. The output of the benchmarking process can be used to perform a strengths, weaknesses, opportunities, and threats (SWOT) analysis or a political, social, economic, and technological (PEST) analysis.

Strengths, Weaknesses, Opportunities, And Threats (SWOT) Analysis

SWOT analysis is a planning tool that can be used to identify internal and external strengths and weaknesses. SWOT can be used for short-term tactical planning for processes and systems and for long-term strategic organizational planning. An example SWOT analysis template is shown in Figure 2.

Figure 2: Example SWOT analysis template

Strengths
  • What do you do well?
  • What unique resources can you draw on?
  • What do others see as your strengths?

Weaknesses
  • What could you improve?
  • Where do you have fewer resources than others?
  • What are others likely to see as weaknesses?

Opportunities
  • What opportunities are open to you?
  • What trends could you take advantage of?
  • How can you turn your strengths into opportunities?

Threats
  • What threats could harm you?
  • What is your competition doing?
  • What threats do your weaknesses expose you to?

Figure 3: Example SWOT analysis

Political, Social, Economic, And Technological (PEST) Analysis

PEST analysis is a planning tool that is similar to SWOT analysis but is more focused on long-term strategic organizational planning than on short-term tactical planning. An example PEST analysis template is shown in Figure 4.

Figure 4: Example PEST analysis template

Political
  • What are the political factors that are likely to affect the business? (Consider risks and opportunities.)

Economic
  • What are the economic factors that will affect the business? (Consider risks and opportunities.)

Social
  • What social/cultural aspects are likely to affect the business? (Consider risks and opportunities.)

Technological
  • What technological changes may affect the business? (Consider risks and opportunities.)

Figure 5: Example PEST analysis

A variation of PEST analysis is the PESTLE analysis. PESTLE analysis is simply PEST analysis with the additional topics of legal and environmental.

Legal
  • What current and impending legislation will affect the business? (Consider risks and opportunities.)

Environmental
  • What are the environmental considerations that may affect the business? (Consider risks and opportunities.)


The discussion above describes various tools to aid the process of identifying and integrating risk management throughout the QMS. There are many more tools available to identify, analyze, mitigate, and monitor risk.

I cannot emphasize enough the importance of documenting the tools and methods used. Best practice includes providing rationale for your organization's use of risk management tools and activities. The requirements and risk management tools presented in this article can and should be utilized based upon industry practice, guidance documents, and regulatory requirements.



About The Author:

Mark Allen Durivage is the managing principal consultant at Quality Systems Compliance LLC and an author of several quality-related books. He earned a BAS in computer aided machining from Siena Heights University and an MS in quality management from Eastern Michigan University. Durivage is an ASQ Fellow and holds several ASQ certifications, including CQM/OE, CRE, CQE, CQA, CHA, CBA, CPGP, CSQP, and CSSBB. He also is a Certified Tissue Bank Specialist (CTBS) and holds a Global Regulatory Affairs Certification (RAC). Durivage resides in Lambertville, Michigan. Please feel free to email him at with any questions or comments, and connect with him on LinkedIn.