General Risk Management Process

Risk management is an important process not only in the pharmaceutical and medical device industries but also in many other industries.

Even though regulatory requirements and international standards vary greatly from industry to industry, the fundamental risk management process remains largely the same.

The general risk management process is illustrated in the diagram below.

[Conceptual diagram showing the risk management process flow]

Although the risk management process may appear complex and difficult to understand, it essentially consists of only the following three steps:

  1. Risk Assessment
  2. Risk Control
  3. Risk Review

Practical Example: Railway-Road Crossing

Let us consider an example where a road and a railway line intersect.

[Conceptual diagram showing a railway crossing a road]

The first thing to identify is the hazard (source of harm). Looking at the above diagram, please consider what the hazards are.

In this case, the hazards are the train and the automobile. However, to be precise, neither the train nor the automobile would cause harm if they were not moving. Therefore, the hazards are more accurately defined as the speed of the train and the speed of the automobile.

So what constitutes the harm? The harm could be injury or death to the driver and passengers of the automobile, as well as injury to the train operator and passengers. In other words, risk (health damage) is expected to occur.

Now, let us implement risk management.

[Conceptual diagram showing the risk management process]

Risk Assessment

First comes risk assessment. The definition of risk according to ISO 14971:2019 and ISO 31000:2018 is “the combination of the probability of occurrence of harm and the severity of that harm.”

The severity would be classified as “critical” or “5” since fatal or serious injury accidents are anticipated.

On the other hand, estimating the probability of occurrence is challenging. The reason is that it is unclear where this railway-road intersection is located.

If this intersection exists in an urban area, the probability of occurrence would be “frequent” or “5.”

If this intersection exists in a rural area, the probability of occurrence would be “occasional” or “3.”

In any case, the estimated probability of harm occurrence is multiplied by its severity to determine the “risk level.”

Location     Severity       Probability      Risk Level
Urban area   5 (Critical)   5 (Frequent)     25 (Very High)
Rural area   5 (Critical)   3 (Occasional)   15 (High)

Risk Control

Next comes risk control. Risk control refers to the design of safety measures.

If this intersection exists in an urban area, the best approach would be to elevate either the road or the railway. This would reduce the probability of occurrence to zero.

However, constructing an elevated structure in a rural area would not be cost-effective.

Therefore, a “railroad crossing” with warning signals and barriers would be installed. This would reduce the probability of occurrence to nearly zero.

It is important to note that even with risk control measures, it is difficult to reduce the severity. In risk management, the focus is primarily on reducing the probability of occurrence rather than reducing severity.

After implementing risk control measures, residual risk must be evaluated. According to ISO 14971:2019, residual risk should be evaluated against benefit-risk criteria and be as low as reasonably practicable (ALARP).

Risk Review

Finally comes risk review. Since the results of the initial risk assessment may change over time, periodic review is necessary. In other words, the effectiveness of risk control measures must be constantly monitored.

Even areas that were once considered rural may eventually become lined with commercial facilities and develop into bedroom communities. As a result, automobile traffic will increase, and the frequency of train operations will also increase. Consequently, railroad crossing accidents may begin to occur more frequently.

In such cases, the risk management process must be repeated, and the construction of an elevated structure should be reconsidered.

Continuous Improvement and Lifecycle Management

The risk management process is fundamentally based on the PDCA (Plan-Do-Check-Act) cycle and must be continuously updated throughout the product lifecycle. This approach aligns with:

  • ISO 31000:2018 (Risk management — Guidelines)
  • ISO 14971:2019 (Medical devices — Application of risk management to medical devices)
  • ICH Q9 (Quality Risk Management) for pharmaceutical products

Modern risk management emphasizes not just compliance with regulations but also:

  • Integration with quality management systems
  • Use of risk-based thinking in decision-making processes
  • Documentation and traceability of risk management activities
  • Communication of risks to relevant stakeholders
  • Continuous monitoring of changes that may affect risk profiles

The risk management process should be viewed as a dynamic, iterative process rather than a one-time activity. Organizations must establish systems to capture post-market information, including adverse events, near-misses, and changing use conditions, which may necessitate reassessment of previously evaluated risks.

In conclusion, effective risk management requires a systematic approach that balances safety, efficacy, and practicality while remaining responsive to changing circumstances throughout the entire lifecycle of products and services.
