Seeking the Golden Mean: Optimizing Your QRM Program


Recall the struggle that Goldilocks experienced when she was trying out chairs to rest her feet:1

“This chair is too big!” she exclaimed.

So she sat in the second chair.

“This chair is too big, too!” she whined.

So she tried the last and smallest chair.

“Ahhh, this chair is just right,” she sighed.

If you were tasked with assessing your Quality Risk Management (QRM) program, would you find yourself in the “just right” category? Characterizing the maturity of a QRM program includes the assessment of multiple parameters including the people, risk culture, QRM initiation, risk assessment, risk control, risk review, risk communication, infrastructure, and governance.2 Two foundational elements are examined in this article: process and accountability. The process perspective evaluates the relative effectiveness of the QRM program strategy, documentation and the ability of the organization to derive value from the program. The accountability perspective considers program ownership and organizational engagement. Process and accountability perspectives, in combination with understanding the cultural climate, can help us shape the Golden Mean or “just right” program size.

Quality Risk Management Program Strategies

At its core, Quality Risk Management program development and deployment are no different than the implementation of any quality system. To achieve success, the combination of a well-defined process and a mechanism that triggers accountability are critical. Figure 1 outlines the spectrum of process and accountability strategies.

The scenarios at the lower end of the continuum are situations in which the organization can expect to yield little tangible value from risk management. When evaluating the effectiveness of the strategies on the lower end of the process spectrum, there may be instances of risk management activity across the organization; however, there is little to bind them together or a structure which ensures consistency. From an accountability perspective, the undefined or grassroots eff ort approach may yield isolated benefits; however, the program will fall short in having an organizational impact. Tossing ownership of QRM to the Quality organization may serve a program for a limited amount of time; however, this strategy runs the risk of disregarding the cross-functional nature of QRM activities and isolates the responsibility to a single part of the whole. Another pitfall at this stage of the continuum is the lack of formalized risk assessment tools selection. For example, a team that has only had exposure to Failure Modes and Effects Analysis (FMEA), is more likely to lean upon that tool as their “go-to” approach - even if the use of FMEA is not the most optimized approach for the risk question at hand. To overcome this barrier, the organization is advised to begin to codify approaches to tool selection and training on available risk tools.

Moving to the midpoint of the continuum, the organization begins to realize some of the benefits of a QRM program when the process and accountability strategies are more completely defined. For example, organizations define the “when, where, and how” of risk management will see a measured growth of their risk management portfolio as well as oversight to ensure the program is working as anticipated. Additionally, a defined role for QRM oversight sends a clear message that QRM is important to the organization.

Quality Risk Management Process and Accountability Continuum

The most complex strategies move beyond developing a policy and establishing a singular point of accountability. Two key benefits of these strategies include procedurally defined ways of working and standardized criteria for ranking risks. Consider this scenario: an organization has two facilities that are responsible for manufacturing the same API. Both facilities execute process risk assessments with dramatically different results. Due to the nature of the facilities, there is expected to be a reasonable amount of variation from a likelihood of failure perspective. This variation may be accounted for when examining the facility/equipment design and the relative effectiveness of the controls in place to prevent failures. The two facilities, however, should be aligned relative to the impact of potential failures (i.e., severity ranking). The development of customized QRM work instructions with defined risk tolerance and consistent application of acceptable risk tools will prevent such disparity. Furthermore, consistent tool application and risk ranking criteria will allow the organization to differentiate between isolated and systemic failures.

Overcoming Perceptions

In a perfect world, having all the proper documentation in place and qualified people to execute against a program would yield success but this is not the complete recipe for QRM realization. Consider the way that risk management is perceived in an organization that is starting on the implementation journey. During the early phases of implementation, it isn’t uncommon for the QRM activities to be viewed as nonvalue add and a means to “tick the box”. Over time and with program investment, these viewpoints are expected to evolve. On the other end of the spectrum, where the QRM program is optimized from the process and accountability perspective, QRM is likely to be viewed as a value add and the benefits of QRM are realized by the organization.

Figure 2 demonstrates some QRM program perceptions common to both types of programs. If the late-stage and early-stage programs perceive QRM as a barrier, time-consuming, and burdensome, what has gone wrong? To answer this question, consider the intent of quality risk management. One of the purposes of QRM is to identify, evaluate and mitigate risks associated with a drug or medicinal products to protect patient safety.3 To achieve this goal, execution of risk management for new and existing processes requires our teams to explore risks from multiple dimensions and to navigate the data objectively - this is not a simple task. Let’s look at the reality of the common perceptions, how they weigh against the program goal and ways to overcome the perceptions.

Risk Management is Time Consuming

True. Risk management activities require an investment of time and the investment is warranted to protect patient safety.

Decrease the anxiety by...

  • Communicating the importance of risk assessments from a patient perspective.
  • Letting the organization know that risk assessments take time because they are critical for demonstrating process understanding and knowledge management.
  • Providing the support needed to ensure robust assessments are executed.

Risk Management is a Barrier

False. When risk management activities are appropriately delegated and timely, they will not be a barrier to success, they will be a part of the solution.

Break down the barriers…

  • Streamline your process to integrate proactive risk management activities into project plans so that you won’t be assessing failures retrospectively.

Risk Management is Burdensome

True, when the QRM is poorly integrated!

Dissect burden…

  • Evaluate your quality systems to determine if there are activities in place which have been inadvertently duplicated through the risk management process.
  • Identify ways to ensure that risk assessments are offering the utility intended. For example, using living risk assessments to inform change request(s) or for investigations.
  • Determine if the organization’s requirements for risk assessment or risk-based approaches are appropriately defined. Are there areas where risk assessments/risk-based approaches are required but a documented scientific rationale is sufficient?
Quality Risk Management Perception Venn-Diagram

Culture Factors Derailing your QRM Program

The tricky and less definable part of building a “just right” QRM program is understanding how information collected in risk assessments will be received by the organization. This requires exploring some of the cultural factors at play which may be disrupting a well-constructed QRM program.

Uncertainty and Fear

One of the elements examined through any decision-making process is uncertainty. Sources of uncertainty include “knowledge gaps in the pharmaceutical science and process understanding, sources of harm (e.g., sources of variability) and probably of detection of problems”.3 The human response to uncertainty is commonly that of fear and anxiety4 - the fear of failing to fully identify all possible risks and the anxiety of uncovering previously unknown vulnerabilities. Deming proposed that we assess the performance of systems, not people, to help drive fear out of organizations.5 This means that when there are process failures or vulnerabilities exposed, they are evaluated as system failures rather than failures attributed to a specific risk owner or system owner.

Subscribe to our e-Newsletters
Stay up to date with the latest news, articles, and events. Plus, get special offers
from American Pharmaceutical Review – all delivered right to your inbox! Sign up now!

Challenging the Status Quo

Risk assessments can present situations where individuals are challenged in their current way of thinking. There may be a tendency for people to lean on what is known or familiar. Continuous process improvement and innovation are only possible when we challenge the status quo and evaluate alternatives. One way to ensure that risk assessments appropriately challenge the current way of thinking is to appoint a Chief Contrarian or Devil’s Advocate whose responsibility is to oppose, identify shortcomings and brainstorm alternatives with the team.


Consider this scenario… You have been working on a risk assessment for several weeks with a cross-functional team to assess the manufacturing process. A report has been completed and communicated to leadership. Leadership reviews the assessment and tells the team to lower the risk scores. While this is a sad tale, it is not an uncommon sequence of events when there is a lack of organizational trust. Cross-functional teams must be empowered to perform risk assessments and know that leadership will embrace the outcomes (even unpopular outcomes).

Curiosity and Critical Thinking

The benefits of curiosity include “fewer decision-making errors, more innovation and positive changes in both creative and noncreative jobs, reduced group conflict, more-open communication and better team performance”6 For risk assessments to be successful, curiosity and critical thinking need to be regarded as imperative inputs to the risk management process and attributes of the people executing the assessments.

Golden Mean

When developing a new or evaluating an existing QRM program, remember that programs are not “one size fits all” (and be wary of those that will tell you otherwise). Ultimately, each organization is seeking a Golden Mean - the combination of efforts that yield a risk management program which is: value add, right-sized, pragmatic, trusted and understood by all layers of the organization. Golden Mean can be achieved through a variety of combinations of process and accountability strategies outlined in Figure 1. For example, an organization new to risk management may find that having a semicustomized QRM policy is providing value. As the organization executes against that policy and matures, areas of specificity will be identified. The same is true for program ownership; a small organization may have the ability to fully execute a risk management program with a single point of contact owning the program while larger organizations may require a larger team of individuals to effectively manage the QRM program.

While the path to achieving the Golden Mean is variable, there are strategies that can ensure that your program is as successful as possible.

  • Perform a gap assessment to determine the strengths and weaknesses of your QRM program. In the areas where risk management is executed well, determine what factors are enabling the positive performance and identify means of replicating those factors in less successful areas.
  • If deploying a new QRM program or amending an existing one, leverage change management principles to prepare, manage and reinforce the change.
  • Assess your quality culture and risk maturity to help inform the level of program formality and oversight appropriate for your organization.
  • Listen to the Voice of the Customer:
    • Identify if there are negative perceptions of the program and develop a plan to change the perception. Walker and Soule’s “Changing Company Culture Requires a Movement, Not a Mandate”7 provides excellent strategies for assisting organizations in becoming more adaptive and innovative.
  • Routinely evaluate QRM program health and measure the successes.


Shaping a successful QRM program is not just about flooding your document management system with QRM procedures, assigning individuals to execute risk assessments or purchasing an “off the shelf” strategy. QRM programs will mature as the organization adopts risk management practices and gains proficiency in executing risk management. A Golden Mean program, one that is “just right”, evolve over time and only when the cultural contributions to risk management are well-understood.


  1. Little Red Riding Hood. London: Kaye & Ward; 1973.
  2. 2017-10; Managing Risk to the Patient: Recoding Quality Risk Management for the Pharmaceutical and Biopharmaceutical Industries; Kelly Waldron; Technological University Dublin
  3. September 2015 EMA/CHMP/ICH/24235/2006; Committee for Human Medicinal Products; ICH guideline Q9 on quality risk management
  4. How Uncertainty Fuels Anxiety; An inability to live with life’s unknowns can lead to worry and distress; JULIE BECK; MARCH 18, 2015; The Atlantic
  6. The Business Case for Curiosity; Francesca Gino; Harvard business review; September / October 2018 issue
  7. Changing Company Culture Requires a Movement, Not a Mandate; Bryan Walker and Sarah A. Soule Harvard business review; June 20, 2017

Author Biography

Amanda Bishop McFarland is a QRM and Microbiology Senior Consultant with ValSource, Inc. and in this role assists companies with the design and implementation of CGMPs, Microbiology, and Quality Risk Management programs. She specializes in the creation and implementation of risk management programs, developing custom risk-based strategies and risk facilitation. Ms. McFarland currently serves as the PDA QRM interest group co-lead, the PDA SE chapter Secretary and is a faculty member of the QRM Certificate Training Series at PDA training institute. She has a B.S. in entomology and an M.S. in mycology, both from the University of Florida.

  • <<
  • >>