January 4, 2022

There’s no question that quality risk management is becoming an indispensable tool for ensuring compliance across the globe. Risk has become a centerpiece of ISO standards, as well as of regulations such as the EU MDR/IVDR, FDA 21 CFR 820, and ICH Q10 in the pharmaceutical and biotech industry.

Unfortunately, many companies fail to effectively close the loop on the risk management process. As a result, the risk isn’t mitigated, and the door is left open for customer complaints and increasing costs.

This article looks at four steps you must follow to create a truly closed-loop risk management process. We’ll apply this process within the enterprise quality management system (EQMS), including where best to incorporate quality risk management.

Quality Risk Management Step 1: Identify Risk

Step one of the risk management process is to identify risks or safety hazards. Tracking risk in a centralized location is critical to ensuring you’re addressing your biggest risks, rather than addressing risk on an ad-hoc basis.

Risk items to capture include a wide variety of processes, events and situations such as:

In the EQMS, risks are captured in a centralized risk register. This allows you to see all of your risks in one place to help determine which need priority.

Quality Risk Management Step 2: Conduct Risk Assessment

Once you’ve identified a risk, the next step is to perform a risk assessment. One common risk assessment tool is the risk matrix. A risk matrix lets you quickly determine whether a risk needs action or whether you can just continue to monitor.

An item that falls into the red area of the risk matrix, for example, would be deemed unacceptable. This is in contrast to a risk in the green area, defined as an acceptable level of risk.

So how do you come up with the scores for each? It’s actually quite simple.

Risk has two dimensions: likelihood (or probability) and impact (or severity). Likelihood and impact are each scored from one to five on the two axes of the risk matrix, and multiplying the two gives the overall risk score. In the EQMS, you simply enter the likelihood and impact scores and it calculates the risk for you.

For example, a papercut might rate a five on the likelihood scale, but a one on the impact scale. Thus, it falls in the acceptable range and you don’t need to do anything. Conversely, a struck-by incident on a newly installed machine might rate a two on the likelihood scale, but a five on the impact scale, falling in the unacceptable range. As a result, you decide to install additional machine guarding to address this risk.

The scoring bands of the risk matrix reflect your organization’s internal criteria for what level of risk is acceptable versus unacceptable. You build them from historical data: internal subject matter experts score past events and judge whether, in hindsight, each was an acceptable or unacceptable risk based on its likelihood and impact scores.

Quality Risk Management Step 3: Implement Controls

Having scored individual risk items, you can now determine which need new controls right away, and which can wait.

Those that fall into the area of unacceptable risk should be tackled first, starting with the highest risk scores. From there, you might look at those in the yellow region. To do this effectively, your internal process should include deciding what risk score is the official dividing line above which a new control is needed.

Controls should be both validated and verified. Validation requires going back to the original risk assessment and calculating whether the new control brings risk down to the acceptable level. If not, you need a new control. Verification requires checking to see that the new control was, in fact, implemented as intended. In most cases, this will require an actual visit to the manufacturing floor.

The EQMS helps make this process more effective by creating a compliance record linking individual risk items to controls. It also lets you create action items for validation and verification, closing the loop so these important tasks don’t slip through the cracks.

Quality Risk Management Step 4: Monitor and Adjust

One of the biggest mistakes in risk management is stopping at step two or step three. Validating and verifying your corrective action once is not always enough to minimize the recurrence of the risk. Therefore, corrective actions for high-rated quality management risks should be monitored and reviewed over time.

For example, you might add effectiveness checks for six to eight months, leveraging your EQMS for trends and reporting analytics. The objective is to make sure you’re not just filing the problem away. Instead, you’re looking at multiple points in time to see whether the risk has been effectively addressed. The EQMS makes this kind of follow-up simpler, whether it’s creating an action item for a specific individual to go to the plant floor or adding an audit question.

Once you calculate the residual risk after the corrective action, you can decide whether additional checks are needed. If the risk is still unacceptably high, the problem should be expedited back to the beginning of the risk management process.
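As an added illustration (not code from the article or from AssurX’s EQMS), the following Python risk register applies the likelihood × impact scoring of Step 2, the prioritization and control validation of Step 3, and the residual-risk check of Step 4. The green/yellow/red thresholds and the sample entries are assumptions, since the article leaves the dividing lines to each company’s own historical criteria.

```python
from dataclasses import dataclass, field

# Assumed zone boundaries for the likelihood x impact product (1..25); the article
# says each company derives its own dividing lines from historical data.
ACCEPTABLE_MAX = 5     # <= 5 is green: monitor only
UNACCEPTABLE_MIN = 10  # >= 10 is red: a new control is required now

@dataclass
class RiskItem:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)  # (control, new_likelihood, new_impact)

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be scored 1-5")

    def inherent_score(self):
        return self.likelihood * self.impact

    def residual_score(self):
        # Score re-assessed after the latest control, or inherent if none applied yet.
        if not self.controls:
            return self.inherent_score()
        _, lik, imp = self.controls[-1]
        return lik * imp

def zone(score):
    """Map a product score onto the matrix colour."""
    if score <= ACCEPTABLE_MAX:
        return "green"
    return "red" if score >= UNACCEPTABLE_MIN else "yellow"

def prioritize(register):
    """Step 3 order: red first (highest score first), then yellow; green stays on monitoring."""
    open_items = [r for r in register if zone(r.residual_score()) != "green"]
    return sorted(open_items, key=lambda r: (zone(r.residual_score()) != "red", -r.residual_score()))

def validate_control(item, control, new_likelihood, new_impact):
    """Step 3 validation: re-score after the control. True means residual risk is acceptable;
    False means the item is sent back to the start of the process (Step 4)."""
    item.controls.append((control, new_likelihood, new_impact))
    return zone(item.residual_score()) == "green"

def build_register():
    # Constructed sample entries, including the two scenarios from the article.
    return [RiskItem("papercut", 5, 1), RiskItem("struck-by on new machine", 2, 5),
            RiskItem("mislabelled batch", 3, 3)]
```

Note that a pure product score rates a rare but severe event (1 × 5) the same as a frequent but trivial one (5 × 1); organizations that want to treat high-impact items more conservatively often add an impact-based override to the zoning rule.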

Risk Management Four Step Process

Applying general principles of risk management within the quality value chain helps regulated companies systematically and appropriately measure and mitigate risk, deliver safer products to market, resolve issues faster, and facilitate compliance with regulatory requirements.

Closing the loop is essential to creating a “living” risk management process. Hazard identification, risk analysis, and control implementation are only the beginning of that process. To effectively reduce risk, manufacturers must also take steps to validate, verify, monitor, and adjust corrective actions as key strategies of their continuous improvement journey.

The EQMS helps standardize and efficiently update these steps, so you can incorporate risk management into corrective action, change control, and more. The end goal: making processes more reliable, reducing risk, and creating a stronger quality risk management program.

About the Author

Sal Lucido is Co-Founder and Executive Vice President of AssurX. Sal is an unequivocal product evangelist and an expert in the area of quality process automation. He holds a broad array of responsibilities, ranging from overseeing strategic plans and operational improvements to managing tactical alliances.