Quiz on Risk
The definition of risk was changed in ISO 9001:2015.
ISO 9001:2015 defines risk as “the effect of uncertainty on an expected result.”
Please understand this definition well and answer the following questions.
Question 1
From the following word group, select the word that best represents the opposite meaning of “risk”:
1. “Peace of mind” (安心)
2. “Safety” (安全)
3. “Certainty” (確実)
4. “Chance” (チャンス)
5. “Return” (リターン)
Answer
The correct answer is 3. “Certainty.”
This is because risk refers to what is “uncertain.”
Question 2
Please answer the following additional question.
Among the examples listed below, which has the smallest risk? Conversely, which has the largest risk?
Case 1: The highlight of this museum exhibition is a necklace from an Egyptian dynasty. There are rumors that an international theft ring is targeting it. It is valued at 1 billion yen, and insurance for the same amount has been taken out.
Case 2: Mr. A is a shareholder of a pharmaceutical company. Serious side effects of that pharmaceutical company’s drug have been confirmed internally. Since this information has not been disclosed, Mr. A is unaware of it.
Case 3: A certain telecommunications equipment manufacturer has had a huge hit with a new information terminal, and sales are extremely strong. In the earnings announcement, it was announced that next fiscal year’s sales are expected to increase five times compared to this fiscal year.
Case 4: A certain small enterprise has been driven to the point where it will go bankrupt if it cannot raise 10 million yen by today. The funds on hand that have been scraped together after exhausting all options amount to only 5 million yen.
Case 5: On that particular day, preparations were completed earlier than usual, so the person took a train one departure earlier than their usual commute train. When they arrived at the company, they learned that their usual commute train had derailed.
Answer
The correct answer is:
The smallest risk is Case 4. This is because bankruptcy is “certain.” For this company, bankruptcy is confirmed and not uncertain.
The largest risk is Case 3. This is because “next fiscal year’s sales are expected to increase five times compared to this fiscal year, but this is uncertain.”
Key Learning Points
What can be understood from these two questions is that “what has already occurred (something certain) is not called risk.”
Events that have already occurred are called “problems” or “issues.”
For “problems,” it is necessary to implement CAPA (Corrective Action and Preventive Action) to prevent recurrence.
Common Mistakes in Risk Management Practice
The author conducts consultations and audits on risk management at many pharmaceutical and medical device companies. I often encounter cases where risk analysis (severity × probability of occurrence) is being performed for problems that have already occurred.
This is incorrect.
For problems that have already occurred, corrective actions for recurrence prevention must be implemented rather than risk analysis.
For problems that have occurred, only severity becomes a subject of consideration. Probability of occurrence is generally not calculated.
For example, suppose there was a train accident or aircraft accident. How would you feel if the accident investigation committee judged, “This accident was serious, but the probability of occurrence is extremely low (rare), so recurrence prevention will not be carried out”?
It is obvious that such a response would be unacceptable.
Positive Risk and Negative Risk
In economics, uncertainty with gain is called upside risk, and uncertainty with loss is called downside risk. In other words, there are positive risks and negative risks.
A positive risk example would be: “We could have sold more if we had manufactured more beer.”
Product safety fields such as the pharmaceutical and medical device industries focus only on negative risks.
Negative risk refers only to things that have a negative impact; positive impacts are generally not considered. Only hazard-related risks are targeted.
Important Note on Risk Definition in Regulated Industries
In the pharmaceutical and medical device industries, therefore, defining “risk” as “uncertainty” alone is inappropriate. In these industries, risk management specifically focuses on uncertain events that could result in harm (negative risks associated with hazards). While ISO 9001:2015’s definition of risk as “the effect of uncertainty on an expected result” is broad and encompasses both positive and negative uncertainties, regulatory frameworks such as ICH Q9 (Quality Risk Management) and ISO 14971 (Application of risk management to medical devices) emphasize the assessment and control of potential harm.
Therefore, when applying risk management principles in pharmaceutical and medical device sectors, practitioners should understand that the focus is on hazard-based negative risks while maintaining awareness of the broader ISO 9001:2015 definition for quality management system purposes.
| Risk Type | Definition | Example | Applicability in Pharma/Medical Device |
| --- | --- | --- | --- |
| Positive Risk (Upside Risk) | Uncertainty that could lead to beneficial outcomes | Increased sales opportunity from higher demand | Generally not the focus of product safety risk management |
| Negative Risk (Downside Risk) | Uncertainty that could lead to harmful outcomes | Adverse drug reactions, device malfunctions | Primary focus of regulatory risk management (ICH Q9, ISO 14971) |
| Certainty (Not Risk) | Events that have already occurred or are definitively known | Confirmed product defect, bankruptcy with insufficient funds | Subject to problem-solving and CAPA, not risk assessment |
Conclusion
Understanding the proper definition and application of risk is essential for effective risk management in regulated industries. Remember that risk management applies to uncertain future events, while problems that have already materialized require corrective and preventive action (CAPA) approaches focused on severity and root cause analysis.