SOP on Quality Risk Management


To describe the procedure for management of risks, arising from different operations, activities and discrepancies.


This SOP shall cover overall management of risks that arise from different operations, activities, discrepancies, deviations and failures in the manufacturing operations of the pharmaceutical company.


Each Operating Manager and the Department Head shall be responsible for identification of operations and activities that pose potential risk, reporting and investigation of discrepancies, deviations and failures within the department and carrying out Risk assessment, control and review.

QA-Head shall be responsible for facilitating and evaluating the adequacy of Risk assessment and its

Risk Management Team shall be responsible for the overall Risk Management Program, its review and closure.


Risk Management Team (RMT) shall be accountable for the overall Risk Management Program.


RMT shall be formed comprising at least one responsible member from each function (Quality Assurance, Production, Engineering, Quality Control, Warehouse, and Personnel & Administration).

The “Responsibilities of the Risk Management Team” shall be as follows:

Assuring the Risk Management Program continuity,

Providing directions to the user departments,

Verifying the identified cause(s) of risks,

Risk analysis (using various tools),

Endorsing the identified control measures,

Training and reporting to the senior management.

Assuring Risk Management Program related communication and

Providing guidance on implementation of control measures and time frame,

A Quality Risk Manager shall be assigned the responsibility of coordinating the entire Risk Management Program with all technical functions.

The “Responsibilities of the Quality Risk Manager” shall be as follows:

Coordinating the Risk Management Program between the user departments,

Organizing monthly meetings of the Risk Management Team,

Releasing minutes of meetings,

Risk communication

Facilitating the identification and categorization of risks,

Facilitating implementation of control measures,

Organizing follow-up and closure of risk implementation,

Organizing training related to Risk Management Program,

Preparing an annual report for the senior management and

Archival of related records and documentation.

RMT shall conduct a regular monthly meeting coordinated by the Quality Risk Manager. The meeting can be conducted with a minimum quorum of 3 members and the Quality Risk Manager. However, the presence of the QA member is essential in all such meetings.

The Risk Management Program shall cover following areas:

Facilities and Equipment,

Production, processing and packing,

Quality Control Laboratories, Testing and Analysis,

Materials and warehousing,

Engineering, Maintenance and Utilities,

Quality Assurance and Quality Management System,

HR related GMPs,

Environment, Health and Safety, and

Any other area, considered significant for the risk for running the business.

Each member of RMT shall ensure that any operation and activity that poses potential risk, or any discrepancy, deviation or failure discovered in the department or its processes / systems shall be reported by the operating personnel to the Senior Officer / Manager.

Each member of RMT shall initiate a “Risk Assessment Log”.

The department subject expert shall analyze the operation and activity, discrepancies, deviations or failures and categorize the potential risk and its impact on the process or system or operation and/or product quality, yield, purity, potency, identity, stability, safety or efficacy within 7 days, depending on the seriousness of the risk and the area or process affected.

The “Risk Assessment Report” shall be prepared and compiled.

All identified risks shall bear a unique Risk Reference number and shall be numbered as an alphanumerical number consisting of 14 characters. For example, R/DC/MM/YY/NNN.

In the format number ‘R/DC/MM/YY/NNN’, the first character ‘R’ represents the Risk.

The 2nd character is a forward slash ‘/’ used as a separator.

The next two characters ‘DC’ denote the ‘Department Code’.

The 5th character is a forward slash ‘/’ used as a separator.

The next two alphabetic characters (6th and 7th) ‘MM’ denote the month in which the review is conducted.

The 8th character is again a forward slash ‘/’ used as a separator.

The next two characters (9th and 10th) ‘YY’ denote the year, say ‘23’ for 2023.

The 11th character is again a forward slash ‘/’ used as a separator.

The last three characters, i.e. the 12th to 14th, are the serial number of the risk in that particular area, starting with ‘001’ and continuing serially in increments of one unit, till 999 in a particular year. The number would restart from the next calendar

Risk Evaluation:

Risk Priority Number (RPN) is calculated by using the formula:

RPN = Occurrence (O) x Severity (S) x Detectability (D)

The risk shall be rated according to the table below:

| Category | Low Risk | Medium Risk | High Risk |
|---|---|---|---|
| RPN Range | 1 – 5 | 9 – 45 | 75 – 125 |

As depicted above, the higher the risk priority number, the higher the risk, and vice versa.

Occurrence (O)

Occurrence (O) refers to an assessment of the probability of the incident of a risk effect or discrepancy or deviation or failure. A higher probability of occurrence may be possible if the equipment or system or process is poorly designed or the operation is in manual mode instead of automation.

The lower the probability of occurrence, the lower is the risk involved. The rating scale for determining the probability of occurrence is given in the following Table.

| Rating | Description |
|---|---|
| 1 | Remote probability of failure. One occurrence every six months to three years or one occurrence in one million events. |
| 3 | Moderate probability of failure. One occurrence every three months or three occurrences in 1000 events. |
| 5 | Very high probability / frequency of failure |

Severity (S)

Severity (S) refers to an assessment of the seriousness of the risk effect or the discrepancy or deviation or failure as it affects the end-user.

A higher severity rating may be assigned to process steps that involve manual operations or interventions as compared to those done by automation. The higher rating is necessary because a quality failure or the introduction of contamination during these steps will result in a higher risk to the product safety and end-user. The lower the severity, the lower the risk involved. The rating for determining severity is given in the following Table.

| Rating | Description |
|---|---|
| 1 | Product quality is not affected, or a lesser deviation from the requirements which calls for moderate action (i.e. higher frequency of tests of the final products, additional tests etc.) |
| 3 | Low severity. A deviation from the requirements which calls for strong action (i.e. quarantining of a batch, product recall, OOS situation etc.) |
| 5 | High to very high severity. Effect on the patient or threat to life. |

Detection (D)

Detection is the ability to detect a risk or an incident of defect, discrepancy, deviation or a failure as it affects the end-user. The ability of detection depends on the system, equipment or operation, which, with advanced technology or automated inspection, will have a higher ability to detect the defects, discrepancies or failures. In a manual mode of inspection the ability of detection will be poor.

The lower the ability to detect the defect, the higher the risk.

| Rating | Description |
|---|---|
| 1 | Assured detection of failure. 100% automatic inspection with regular calibration and preventative maintenance of the inspection instrument. An effective Statistical Process Control (SPC) program is in place. |
| 3 | Detection possibility is moderate. Some SPC is used in process and the product is finally inspected off-line. Fault may get detected, not sure. |
| 5 | Failure is not inspected or the failure is not detectable or difficult to detect. |

The risks shall be categorized as Low, Moderate or High, depending on the product of probability of occurrence, degree of severity and ability of detection as the Risk Priority Number (RPN).

Low Risk: This risk has low potential and is less likely to impact directly or indirectly the process, system, operation, product quality, yield, purity, potency, identity, stability, safety or efficacy.

Moderate Risk: This risk has moderate potential and is likely to moderately impact directly or indirectly the process, system, operation, product quality, yield, purity, potency, identity, stability, safety or efficacy.

High Risk: This risk has high potential and is likely to highly impact directly or indirectly the process, system, operation, product quality, yield, purity, potency, identity, stability, safety or efficacy.
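The following Python example is added here and is not part of the original SOP. It applies the RPN formula and rating bands above, and enumerates every score the 1/3/5 scales can produce to show that none falls into the gaps between the bands (5 to 9 and 45 to 75). The function names and the sample ratings are constructed for illustration.

```python
from itertools import product

SCALE = (1, 3, 5)  # the only ratings the SOP's O, S and D tables define

# RPN bands from the SOP's rating table: (low, high, category)
BANDS = ((1, 5, "Low"), (9, 45, "Moderate"), (75, 125, "High"))


def rpn(occurrence, severity, detectability):
    """Return O x S x D after checking each rating is on the 1/3/5 scale."""
    for name, value in (("occurrence", occurrence),
                        ("severity", severity),
                        ("detectability", detectability)):
        if value not in SCALE:
            raise ValueError(f"{name} must be one of {SCALE}, got {value!r}")
    return occurrence * severity * detectability


def category(score):
    """Map an RPN to its band; scores outside every band are rejected."""
    for low, high, label in BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"RPN {score} falls in a gap between the SOP's bands")


def achievable_scores():
    """All RPN values that three 1/3/5 ratings can produce, sorted."""
    return sorted({o * s * d for o, s, d in product(SCALE, repeat=3)})


def band_coverage():
    """Group every achievable RPN by category; raises if any score is unbanded."""
    grouped = {label: [] for _, _, label in BANDS}
    for score in achievable_scores():
        grouped[category(score)].append(score)
    return grouped


if __name__ == "__main__":
    # Constructed sample ratings: O=3, S=3, D=5
    score = rpn(3, 3, 5)
    print(score, category(score))
    print(band_coverage())
```

A rating outside the scale (for example 2 or 4) is rejected rather than silently scored, since the resulting product could land between bands and have no category.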

If the risk and impact are considered to be moderate or high, the discrepancies, deviations or failures shall be immediately reported to the QA and the Quality Risk Manager. After initial review and assessment, it must be reported to RMT members within 5 days.

If the risk and impact are Low, then it shall be only reported to the Quality Risk Manager within 10 working days.

For any such identified risk (Low, Moderate, High), necessary Risk Control Measures shall be identified and evaluated to mitigate / reduce the risk to an acceptable level.

RMT shall evaluate the risk of Moderate and High categories and examine the existing control measures and other immediate possible control measures.

RMT shall finalize the control measures and communicate to the department representative and the Quality Risk Manager to effect implementation within a pre-determined planned time-frame.

The determination and finalization of “Risk Control Measures, Implementation and Deviation Closure” shall be defined.

RMT shall also determine deployment of resources (personnel and funds) and time-frame for implementation of control measures.

The concerned department’s RMT member shall discuss with the department group the Risk Control Measures and the mechanism of implementation.

The Control Measures shall be implemented within the allowed time frame to complete satisfaction. In case the controls are not completed within the time frame allowed, an extension can be sought in advance from RMT by the department concerned, after providing a valid reason for the extension.

The department RMT member along with the Quality Risk Manager shall examine the effectiveness of implementation of control measures.

The implementation activity shall be reported to RMT.

RMT shall, in the next meeting, do the final evaluation of the implementation and order the Deviation Closure.

Risk Communication and Report:

RMT shall identify what communication shall be released to the employees from time to time on matters related to Risk Management and the actions undertaken.

It will also initiate the points to be included in the Risk related ‘Annual Report’ for the senior management review.

Management Review:

The senior management representative(s) shall review the activities related to Risk Management Program and the actions and follow-up being done by the Risk Management Team, periodically.

The Annual Report shall also be reviewed by the senior management representative(s), and feedback will be sent to the Risk Management Team by the Quality Risk Manager for providing necessary directions and facilitation in deploying resources and funds where necessary.

Flow Scheme:

The Flow scheme for the “Quality Risk Management” is depicted as per Annexure No. for reference and training purpose.

List of Annexure and Formats

Risk Assessment Log-Annexure-I

Risk Assessment Report-Annexure-II

Risk Control Measures, Implementation and Deviation Closure-Annexure-III

Flow Scheme for Quality Risk Assessment-Annexure-IV


ICH Q9, PIC’s Guideline

Reason for revision.

Not applicable due to first version.


  • GMP – Good Manufacturing Practices
  • OOS – Out of Specification
  • QA – Quality Assurance
  • RMT – Risk Management Team

Annexure I

Risk Assessment Log

Content of Risk Assessment Log

  • S. No.
  • Date
  • Risk Identified
  • Reported by
  • Affected Area: Operation/Process/System/Other
  • Risk Rating (RPN): Occurrence x Severity x Detectability
  • Risk Category: [Low (L), Moderate (M) & High (H)]
  • Control Measures Proposed
  • Implemented by
  • Efficacy of Control Verified by
  • Closure date

Annexure II

Risk Assessment Report

  • Reported on Date:____________
  • Assessment Reference No.:
  • Reviewed / Validated by:
  • Assessed by:
  • Venue:
  • Risk Reviewed on date:
  • Task / premises for which Risk assessed:
  • Activity reviewed
  • Hazard identified
  • Who might be harmed and how
  • Existing measures to control risk
  • Risk Rating (RPN)
  • Ref. No.

Annexure III

Risk Control Measures, Implementation and Deviation Closure

  • Month: ____________
  • Area: __________________
  • Assessment Ref. No.
  • Identified Hazard
  • Further Action Required
  • Action By Whom
  • Completion Date
  • Completed On
  • Verified By




About Pharmaceutical Guidance

Ms. Abha Maurya is the Author and founder of pharmaceutical guidance, he is a pharmaceutical Professional from India having more than 18 years of rich experience in pharmaceutical field. During his career, he worked in quality assurance department with multinational companies, i.e. Zydus Cadila Ltd, Unichem Laboratories Ltd, Indoco remedies Ltd, Panacea Biotec Ltd, Nectar life Science Ltd. During his experience, he faced many regulatory Audits, i.e. USFDA, MHRA, ANVISA, MCC, TGA, EU-GMP, WHO-Geneva, ISO 9001-2008 and many ROW Regularities Audits, i.e. Uganda, Kenya, Tanzania, Zimbabwe. He is currently leading a regulatory pharmaceutical company as a head Quality. You can join him by Email, Facebook, Google+, Twitter and YouTube
