Improve your Quality Risk Management System (QRMS)

Quality Risk Management System



“Quality risk management is a systematic process for the assessment, control, communication, and review of risks to the quality of the drug product across the product lifecycle.” (ICH Q9). Risk management continues throughout the lifecycle of a product; it is not a one-time exercise.

Software validation typically also includes a risk assessment that follows the URS/FRS (user and functional requirement specifications) in a logical, traceable way, so that every requirement can be linked to the risks it addresses and to the tests that verify it.


ISO 31000:2018, Risk management – Guidelines

It helps organizations establish a risk management strategy to identify and mitigate risks, increasing the likelihood of achieving their objectives and improving the protection of their assets.

It can be used by any organization regardless of its size, activity, or sector.


ISO 14971:2019, Medical devices — Application of risk management to medical devices


The acceptance criteria and risk levels can be established using the risk management methodologies of ISO 14971.


ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements

It establishes the requirements for implementing, maintaining, and improving a management system that protects against disruptions, reduces the likelihood of their occurrence, and prepares the organization to respond to and recover from them when they arise.



Please do not confuse risk management with a risk assessment document: a risk management system can contain and handle many risk assessment documents.


The risk assessment is a document that identifies and describes the potential health, business, and compliance risks associated with a system failure or malfunction, consistent with ICH Q9 and ISO 31000, Risk management – Guidelines. It establishes the strategies and actions that will be used to mitigate those risks. Risk assessments justify the allocation of validation effort and resources, and they can streamline the testing process by focusing tests on the functions that matter most.

The most relevant key terms are:

  • Harm: Damage to health, including the damage that can occur from loss of product quality or availability.
  • Hazard: The potential source of harm.
  • Risk: The combination of the probability of occurrence of harm and the severity of that harm.
  • Severity: A measure of the possible consequences of a hazard.
  • Occurrence: A measure of the probability that the event will actually occur at some point during the system’s life. Also called likelihood, or the chance that something might happen.
  • Detectability: A measure of the probability that a risk event is detected, by another system or by manual activities, before it causes an impact. A high likelihood of detection reduces the risk; in the usual FMEA convention the detectability score is therefore assigned so that a failure which is hard to detect receives a higher number.
  • Risk Priority Number (RPN): A standardized risk value calculated by multiplying the three (3) risk level values described above.

RPN = Severity Risk Number x Occurrence Risk Number x Detectability Risk Number
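The multiplication itself is trivial; what a practitioner actually needs to see is how the three scores, an acceptance threshold, and the residual-risk re-scoring after a mitigation fit together in one risk register. The following Python is an added example, not code from the original page or from CIQA. The 1–5 scales, the low/medium/high thresholds, the sample hazards for a hypothetical GxP data system, and the controls applied to them are all assumptions constructed for illustration; substitute the scales and thresholds defined in your own procedure.

```python
"""FMEA-style risk register: RPN = Severity x Occurrence x Detectability.

Added illustrative example (not the page's own code). Scales, thresholds,
hazards and controls below are assumptions constructed for the example.
"""
from dataclasses import dataclass, replace
from typing import List, Optional

# Assumed ordinal scales: 1 = best case, 5 = worst case. On the detectability
# scale a HIGH number means the failure is UNLIKELY to be caught before it
# causes impact, so poor detection raises the RPN (usual FMEA convention).
SCALE_MIN, SCALE_MAX = 1, 5

# Assumed acceptance thresholds on the 1..125 RPN range.
RPN_ACCEPT = 20   # <= 20 : low,    accept and document the rationale
RPN_REVIEW = 60   # 21..60: medium, mitigate where practical
                  # > 60  : high,   mitigation mandatory before use


@dataclass(frozen=True)
class Hazard:
    hazard_id: str
    description: str
    severity: int       # consequence of the harm (health, compliance, business)
    occurrence: int     # likelihood over the system's life
    detectability: int  # 1 = almost certainly caught, 5 = almost never caught
    control: str = ""   # mitigation applied, empty for the initial assessment

    def __post_init__(self):
        # Reject scores outside the agreed scale instead of silently scoring them.
        for name in ("severity", "occurrence", "detectability"):
            v = getattr(self, name)
            if not SCALE_MIN <= v <= SCALE_MAX:
                raise ValueError(f"{self.hazard_id}: {name}={v} outside {SCALE_MIN}..{SCALE_MAX}")

    @property
    def rpn(self) -> int:
        return self.severity * self.occurrence * self.detectability


def classify(rpn: int) -> str:
    if rpn <= RPN_ACCEPT:
        return "low"
    if rpn <= RPN_REVIEW:
        return "medium"
    return "high"


def needs_mitigation(h: Hazard) -> bool:
    return classify(h.rpn) == "high"


def mitigate(h: Hazard, control: str, occurrence: Optional[int] = None,
             detectability: Optional[int] = None) -> Hazard:
    """Residual-risk entry after a control is applied.

    Severity is deliberately left unchanged: a control can make the harm less
    likely (occurrence) or easier to catch (detectability), but it does not make
    the harm itself less serious."""
    return replace(h, control=control,
                   occurrence=h.occurrence if occurrence is None else occurrence,
                   detectability=h.detectability if detectability is None else detectability)


def prioritise(hazards: List[Hazard]) -> List[Hazard]:
    """Rank by RPN, highest first; ties broken by severity so that a severe but
    rare hazard is not buried under a nuisance hazard with the same RPN."""
    return sorted(hazards, key=lambda h: (h.rpn, h.severity), reverse=True)


# Constructed sample register for a hypothetical GxP data system.
INITIAL: List[Hazard] = [
    Hazard("H-01", "Shared login allows untraceable edits to batch records", 5, 3, 5),
    Hazard("H-02", "Audit trail can be switched off by an administrator", 5, 2, 4),
    Hazard("H-03", "PDF export truncates long free-text fields", 3, 2, 2),
]


def residual_register(hazards: List[Hazard]) -> List[Hazard]:
    """Apply the planned (constructed) controls and return the residual register."""
    out = []
    for h in hazards:
        if h.hazard_id == "H-01":
            h = mitigate(h, "Unique user IDs enforced; quarterly access review",
                         occurrence=1, detectability=2)
        elif h.hazard_id == "H-02":
            h = mitigate(h, "Audit-trail setting locked by configuration; change alerts sent to QA",
                         occurrence=1, detectability=1)
        out.append(h)
    return out


if __name__ == "__main__":
    for stage, reg in (("initial", INITIAL), ("residual", residual_register(INITIAL))):
        print(f"--- {stage} assessment ---")
        for h in prioritise(reg):
            flag = "MITIGATE" if needs_mitigation(h) else ""
            print(f"{h.hazard_id} S={h.severity} O={h.occurrence} D={h.detectability} "
                  f"RPN={h.rpn:3d} {classify(h.rpn):6s} {flag}")
```

Running the block prints the initial register (H-01 at RPN 75 flagged for mandatory mitigation, H-02 at 40, H-03 at 12) and then the residual register after the controls, where H-01 drops to 10 and H-02 to 5. Note that H-03 is unchanged in both: a low-RPN hazard is accepted with a documented rationale rather than mitigated, which is exactly the resource allocation the risk assessment is meant to justify.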

What is Risk Assessment?

According to the FDA Guidance for Industry: ICH Q9 Quality Risk Management,

“Risk assessment is a systematic process of organizing information to support a risk decision to be made within a risk management process.” The risk assessment is an evaluation performed and documented at one specific moment in time, not continuously throughout the lifecycle of a product; it is repeated or updated when the system, its use, or its environment changes.

According to ISO 31000, risk is the “effect of uncertainty on objectives”, and an effect is a positive or negative deviation from what is expected.

When to use a Risk Assessment?

The risk assessment is most commonly used as part of:

  • CSV Computerized System Validation projects.
  • Change Control Evaluation
  • CAPA Investigations, Out-of-Specification (OOS) analyses, Non-conformance incidents, etc.
  • Audit Assessment
  • Complaint Evaluation
  • BCP – Business Continuity Plan
  • Other quality-related projects.

How to prepare a risk assessment document

The risk assessment document may contain (but is not limited to) the following sections and parts.

  • Approval
  • Revision History
  • Purpose
  • Scope
  • Background
  • Roles and Responsibilities
  • Definitions and Abbreviations
  • Applicable Documents/References
  • Regulatory and Standard related requirements
  • Equipment / System / Process Description and Intended Use
  • Inclusions / Exclusions
  • Risk Analysis Determination
  • Description of any potential health risk, with its severity and likelihood/probability
  • Description of any potential regulatory compliance risk, with its severity and likelihood/probability
  • Description of any potential business risk, with its severity and likelihood/probability
  • Electronic Records/Electronic Signatures Impact Assessment
  • QSR and GxP Impact Assessment
  • Detectability
  • Risk Assessment Calculations
  • Conclusion and Recommendations – mitigations
  • Attachments and Appendixes

Please do not confuse a risk assessment with a risk analysis: a risk assessment can contain and handle many risk analyses (one per hazard or failure mode).


More details on specific FDA expectations for risk management can be found in the guidance document below.

Three (3) options for creating a risk management procedure or protocol.

Option 1. You can create a solid protocol using a template.

You can download a free sample of a risk management template in .pdf format. 

To see the complete list of the most popular risk management templates, click here.

In addition, you can request a quotation to buy online a full risk management template document in MS Word format that is completely editable, ready to fill and adapt to your needs.

Option 2. We can provide formal training on how to create your own risk management procedure using our template(s).

This option is recommended if you want to learn how to build a robust risk management protocol. One of our experts will provide online step-by-step training to your team (unlimited assistance) on how to build a reliable risk management procedure using a template. You can improve your corporate validation procedures and policies by incorporating our template sections. It includes the template, an exam, and a training certificate for each attendee. Request a quote now.

Option 3. We can create a customized risk management system for your company.

One of our experts will create and prepare a customized risk management procedure for you, using the inputs and specific information of your company. It may include online support in document creation, execution, or final reporting. Request a quote online.



Companies are expected to establish the applicability of the Part 11 rules to their systems using a risk-based analysis to identify the most critical electronic records.


ISO 31000:2018, Risk management – Guidelines, provides principles, a framework, and a process for managing risk.

ISO 14971:2019, Medical devices — Application of risk management to medical devices.


Risk Evaluation and Mitigation Strategy (REMS)

A required risk management plan that uses risk mitigation strategies beyond the FDA-approved professional labeling.

  • FDA Amendments Act of 2007 authorized the FDA to require sponsors to develop and comply with REMS programs if determined necessary to ensure the benefits outweigh the risks. – FDA does not directly regulate healthcare professionals or patients who may be impacted by a REMS.
  • Applies to NDAs, BLAs, and ANDAs.
  • REMS can be required pre- or post-approval.
  • Designed to achieve specific goals to mitigate risks associated with the use of a drug.
  • FDA specifies the required elements of a REMS.
  • Drug sponsors develop the REMS program based on the required elements. FDA reviews and approves the REMS.
  • Each REMS has specific safety measures that are targeted to the serious risk(s) associated with the drug or class of drugs.
  • All REMS include elements, communication, and/or educational materials to communicate risk information to various stakeholders.

More details on specific risk management systems can be found in:


















For medical devices, 21 CFR 820.65 (Traceability) lays down requirements for product and quality data traceability.


Related topics and resources:

Validation Plan, Installation Qualification, Operational Qualification, Performance Qualifications, Component Qualification, Traceability Matrix, Ppk, Control Charts, Cpk, User Requirements, Functional Requirement Specifications, GAMP5, risk assessment


Ramon Cayuela, MS, BS, Chemical Engineering

CIQA President and CEO.
I've been working in validation engineering since 1992 with many multinational pharmaceutical companies. I love sharing my passion and knowledge with others. If you have any questions about anything (or just have general questions), I will be more than happy to assist you. You can count on the BEST customer service from CIQA. I go to great lengths to make sure my clients are 100% satisfied with their purchases and check emails/messages consistently throughout the day. You can rest assured that everything being sold here is as described or your money back. I look forward to working with you!