Introduction: The Evolution of Risk Definition in Quality Standards
The concept of risk has undergone significant evolution in quality management standards, leading to important implications for how organizations approach risk assessment and management. ISO 9001:2015 introduced a paradigm shift by defining risk as “effect of uncertainty”—a definition that differs fundamentally from traditional risk frameworks used in product safety contexts. This evolution has created both opportunities and challenges for industries where patient safety is paramount, particularly in pharmaceutical manufacturing and medical device production.
Understanding these different approaches to risk is not merely an academic exercise. It has profound practical implications for how organizations structure their quality management systems, conduct risk assessments, and make critical decisions about product safety and quality. This article explores the conceptual foundations of risk, examines how different standards define and approach risk, and provides guidance for practitioners working at the intersection of quality management and patient safety.
Part 1: Risk Quiz – Understanding Risk Through Uncertainty
ISO 9001:2015 changed how risk is defined in quality management systems. The standard takes its vocabulary from ISO 9000:2015, which defines risk simply as “effect of uncertainty” (not “effect of uncertainty on an expected result,” as it is sometimes quoted); a note to that definition adds that an effect is a deviation from the expected, positive or negative. This definition is a departure from traditional risk concepts and warrants careful examination.
Question 1: What is the Opposite of Risk?
Consider the following words and identify which best describes the opposite meaning of “risk”:
- “Peace of mind”
- “Safety”
- “Certainty”
- “Opportunity”
- “Returns”
Answer and Explanation
The correct answer is “Certainty.”
The fundamental nature of risk lies in its connection to uncertainty. Risk cannot exist where there is certainty. This concept is central to ISO 9001:2015’s approach to risk management and distinguishes it from other risk frameworks used in regulated industries.
However, this answer requires important contextualization. While ISO 9001:2015 treats uncertainty as the core of risk, the standards used in the pharmaceutical and medical device industries, specifically ISO 14971 (medical device risk management) and ICH Q9(R1) (pharmaceutical quality risk management), define risk differently. Both define risk as “the combination of the probability of occurrence of harm and the severity of that harm.” This definition still rests on uncertainty (the harm has not happened), but it structures the assessment around an estimated probability and an estimated severity of a specific harm, which is why those standards expect written scales for both.
Question 2: Identifying Low-Risk and High-Risk Scenarios
Examine the following scenarios and determine which represents the least risk and which represents the most risk:
Scenario A: A museum’s centerpiece exhibit is an Egyptian dynasty necklace valued at 1 billion yen with equivalent insurance coverage. International thieves are rumored to be targeting it.
Scenario B: Mr. A is a shareholder of a pharmaceutical company. The company has confirmed that one of its drugs has serious side effects, but this information has not been made public. Mr. A is unaware of this information.
Scenario C: A telecommunications equipment manufacturer has achieved breakthrough success with a new information terminal. In its earnings announcement, the company projects that next fiscal year’s sales will increase fivefold over the current fiscal year.
Scenario D: A small company faces bankruptcy unless it can raise 10 million yen by the end of the day. The company has exhausted all available options and has only 5 million yen in cash.
Scenario E: An individual happened to be ready early one day and took a train one departure earlier than usual. Upon arriving at the office, they learned that their usual commuter train had been involved in a derailment accident.
Answer and Analysis
The scenario with the least risk is Scenario D.
Why? Because for this company, bankruptcy is now a certainty, not an uncertainty. The company cannot raise the required funds by the deadline, and the outcome is determined. Since risk is fundamentally about uncertainty, a certain outcome—even a negative one—does not constitute risk.
The scenario with the most risk is Scenario C.
Why? The company’s projection of fivefold sales increase is highly uncertain. Multiple factors could affect this outcome: market conditions, competition, supply chain issues, regulatory changes, or technological disruptions. The projection involves significant uncertainty about future outcomes, making it a high-risk scenario.
The Critical Distinction: Events vs. Risks
These examples illustrate a fundamental principle: events that have already occurred (certainties) are not risks. This principle is often misunderstood in practice, particularly in regulated industries.
Events that have occurred are called “problems” or “nonconformities.”
When an event has materialized—such as a manufacturing deviation, a product defect, or a compliance issue—it transitions from being a risk (something that might happen) to being a problem (something that has happened). This distinction is crucial because it determines the appropriate management response.
Part 2: The Appropriate Response to Occurred Events
The CAPA Imperative
Problems or nonconformities that have occurred require implementation of Corrective and Preventive Actions (CAPA) to prevent recurrence. This response is fundamentally different from prospective risk management.
In consultations and audits across pharmaceutical and medical device companies, one error appears repeatedly: conducting a risk analysis (severity × probability of occurrence) for problems that have already occurred, and then using the resulting score to decide how much, if anything, to do about them. This is a misapplication of risk management principles.
For problems that have occurred, the focus should be on:
- Immediate containment of the problem to prevent further impact
- Root cause analysis to understand why the problem occurred
- Corrective action to address the root cause
- Preventive action to ensure the problem does not recur
- Effectiveness verification to confirm actions have worked
The Severity-Only Question for Occurred Events
When a problem has occurred, severity drives the response, not probability. How likely the event was is no longer a question; it happened. The only probability question left is whether it will recur, and that question is answered by finding and removing the cause, not by estimating the chance of recurrence low enough to justify doing nothing.
Consider a real-world analogy: When a train accident or aircraft accident occurs, the accident investigation committee does not conclude, “Although this accident was serious, the probability of recurrence is extremely small (rare), so we will not implement measures to prevent recurrence.” Such a response would be unconscionable.
Instead, the investigation focuses on:
- What happened (the event)
- Why it happened (root cause)
- How severe were the consequences
- What must be changed to prevent recurrence
The severity of consequences drives the rigor and extent of corrective actions, not a probabilistic calculation about whether it might happen again.
Current Industry Challenges: Misapplication of Risk Assessment
The Pharmaceutical Engineering journal (ISPE) has documented concerning trends in how some organizations misapply quality risk management (QRM) tools. Some companies have begun using risk assessment to “justify” decisions that should be based on fundamental GMP requirements—for example, using risk assessment to support batch release following a serious contamination incident, without proper reprocessing or rework.
This represents a dangerous misapplication. When a serious problem has occurred, the appropriate response is:
- Thorough root cause analysis using appropriate investigation tools
- Implementation of corrective and preventive actions based on good manufacturing practice principles
- Risk assessment may be used prospectively to prevent similar problems, but should not be used to minimize the significance of problems that have already occurred
Part 3: Understanding Risk Orientation – Positive and Negative Risks
Economic Perspectives on Risk
In economics, risk is understood to have two orientations:
- Upside risk: Uncertainty with potential for gain
- Downside risk: Uncertainty with potential for loss
In other terminology:
- Positive risk: Risk of favorable outcomes (opportunities)
- Negative risk: Risk of adverse outcomes (threats)
Example of Positive Risk
A positive risk might be: “If we had manufactured more beer in anticipation of unusually hot weather, we would have sold significantly more product.” The uncertainty about weather conditions represented a potential opportunity that, if pursued, could have resulted in increased revenue.
ISO 9001:2015 explicitly recognizes both types of risk. The standard requires organizations to determine risks and opportunities, acknowledging that uncertainty can have both positive and negative effects on achieving objectives.
Risk in Product Safety Contexts
However, product safety areas such as the pharmaceutical and medical device industries operate in the domain of negative risks (threats). When managing product safety, the focus is on:
- Hazards that could cause harm
- Events that could compromise product quality
- Situations that could endanger patients or users
In this context, “opportunities” refer to chances to improve safety or quality, not to potential commercial gains. The distinction is critical: in product safety risk management, the ultimate concern is always patient protection.
Part 4: Reconciling Different Risk Frameworks
ISO 9001:2015 and Quality Management System Risk
ISO 9001:2015’s definition of risk as “effect of uncertainty” serves the standard’s purpose of establishing an integrated quality management system (QMS). This definition:
- Encompasses all organizational risks: Quality, safety, commercial, environmental, strategic
- Promotes risk-based thinking: Making risk consideration part of strategic and operational planning
- Maintains flexibility: Allows organizations to apply risk concepts across diverse contexts
- Includes positive and negative effects: Recognizes that uncertainty can lead to opportunities or threats
The ISO 9001:2015 approach to risk does not require formal risk assessment using probability calculations; Annex A.4 of the standard states explicitly that there is no requirement for formal risk management methods or a documented risk management process. Organizations can implement risk-based thinking through various means, scaled to their size, complexity, and risk profile. For small organizations, this might mean simple documentation of risk considerations; for large organizations, it might involve comprehensive risk management programs.
ISO 14971 and Medical Device Risk Management
ISO 14971:2019, the international standard for medical device risk management, takes a fundamentally different approach. It defines risk as “combination of the probability of occurrence of harm and the severity of that harm.”
This definition:
- Focuses specifically on patient safety: Risk is explicitly tied to harm
- Requires risk estimation: Organizations must estimate, for each hazardous situation, the probability of occurrence of harm and its severity. Where the probability cannot be estimated, clause 5.5 of the standard directs that the possible consequences be listed and the risk evaluated on severity alone; an inability to estimate probability is not a reason to drop the hazardous situation
- Demands a systematic process: Risk management must follow a structured, planned methodology throughout the device lifecycle
- Provides for benefit-risk analysis: A benefit-risk analysis is required for any individual residual risk that is not judged acceptable against the criteria in the risk management plan, and the overall residual risk is evaluated against the benefit of the intended use
ISO 14971 operates on key concepts:
- Hazard: Potential source of harm
- Hazardous situation: Circumstance where people, property, or environment are exposed to hazards
- Harm: Injury or damage to health of people, or damage to property or environment
- Risk: Combination of probability and severity of harm
The 2019 revision of ISO 14971 strengthened the focus on benefit-risk and expanded the requirements for collecting and reviewing production and post-production information (clause 10). The international standard itself has not been amended for the EU; the European adoption, EN ISO 14971:2019, was amended by A11:2021, which adds the Annex Z tables mapping the standard to the general safety and performance requirements of the Medical Device Regulation (EU) 2017/745 and the In Vitro Diagnostic Regulation (EU) 2017/746 for harmonization purposes.
ICH Q9(R1) and Pharmaceutical Quality Risk Management
ICH Q9, the pharmaceutical industry’s quality risk management guideline, similarly defines risk as “combination of the probability of occurrence of harm and the severity of that harm.”
The guideline was substantially revised in January 2023, with ICH Q9(R1) addressing four key improvement areas:
- Subjectivity: Reducing high levels of subjectivity in risk assessments and outputs through better-defined risk scales, structured team approaches, and data-driven decision-making
- Product Availability: Recognizing that manufacturing quality issues can create drug shortages, which represent a risk to patient health when patients cannot access needed medications
- Formality: Clarifying that formality in QRM exists on a spectrum, not as a binary choice. The appropriate level of formality should be determined by:
  - Uncertainty: Degree of knowledge about the process or system
  - Importance: Impact on product quality and patient safety
  - Complexity: Number of interconnected factors and systems
- Risk-Based Decision-Making: Providing a clearer framework for how risk should guide decisions throughout the product lifecycle
ICH Q9(R1) emphasizes two primary principles:
- Risk evaluation should be based on scientific knowledge and ultimately link to patient protection
- The level of effort, formality, and documentation should be commensurate with the level of risk
Comparison Table: Risk Definitions Across Standards
| Standard | Risk Definition | Primary Focus | Probability Estimate Required? |
|---|---|---|---|
| ISO 9001:2015 (via ISO 9000:2015) | Effect of uncertainty | Quality management system effectiveness | No; no formal method is prescribed (Annex A.4) |
| ISO 14971:2019 | Combination of the probability of occurrence of harm and the severity of that harm | Patient/user safety from medical devices | Yes, estimated where possible; severity alone when probability cannot be estimated (clause 5.5) |
| ICH Q9(R1) 2023 | Combination of the probability of occurrence of harm and the severity of that harm | Patient safety and product quality | Yes, science-based, with formality scaled to uncertainty, importance and complexity |
| ISO 31000:2018 | Effect of uncertainty on objectives | Enterprise risk management | Flexible; likelihood is one way of characterizing risk, not mandated |
Part 5: Practical Implications for Industry
The Complementary Nature of These Standards
Rather than viewing these different risk definitions as contradictory, regulated industries should recognize them as complementary frameworks serving different purposes:
ISO 9001:2015 provides the overarching quality management system framework, requiring organizations to:
- Consider risks and opportunities in quality management system planning
- Apply risk-based thinking to processes and decision-making
- Maintain focus on meeting customer requirements and enhancing customer satisfaction
ISO 14971 and ICH Q9(R1) provide specialized product safety risk management frameworks, requiring organizations to:
- Systematically identify hazards associated with products
- Assess risks using probability and severity criteria
- Implement controls to reduce risks to acceptable levels
- Monitor effectiveness of controls throughout product lifecycle
Integration Strategy for Pharmaceutical and Medical Device Companies
Companies in regulated industries should implement a layered approach:
Layer 1: Quality Management System (ISO 9001/ISO 13485)
- Establish overall QMS with risk-based thinking
- Identify strategic and operational risks to business objectives
- Implement risk-based approaches to process control
- Consider opportunities for improvement
Layer 2: Product Safety Risk Management (ISO 14971/ICH Q9(R1))
- Implement formal risk management for product safety
- Use structured tools (FMEA, HAZOP, FTA, etc.) for hazard identification
- Conduct probability and severity assessments
- Document risk management activities in Risk Management Files
- Maintain post-market surveillance for emerging risks
Layer 3: Specific Domain Risk Management
- Cybersecurity risk management (IEC 81001-5-1 for the secure product lifecycle of health software, FDA premarket cybersecurity guidance). Note that security risk is threat-driven: an attacker chooses when to act, so the probability of exploitation is not a stable, estimable quantity in the ISO 14971 sense. FDA’s guidance accordingly asks that security risk be assessed on exploitability rather than probability, and that any vulnerability whose exploitation could lead to patient harm be fed into the ISO 14971 safety risk management file as a hazard
- Supply chain risk management
- Data integrity risk assessment
- Contamination control strategies (particularly relevant post-Annex 1 revision)
When to Apply Different Approaches
| Situation | Appropriate Framework | Key Considerations |
|---|---|---|
| Designing new medical device | ISO 14971 | Systematic hazard identification, FMEA, risk controls |
| Developing new pharmaceutical product | ICH Q9(R1) | Science-based risk assessment, process understanding, QTPP |
| Implementing new quality process | ISO 9001 risk-based thinking | Scaled to importance, flexibility in approach |
| Investigating manufacturing deviation | Root cause analysis + CAPA | Focus on severity, root cause, corrective action |
| Planning equipment maintenance | Risk-based approach | Consider failure probability, impact on product quality |
| Supplier qualification | Combined QMS + product safety | Both business risk and product quality impact |
Part 6: Common Errors and Best Practices
Common Error #1: Using Risk Assessment to Minimize Occurred Problems
Error: Conducting severity × probability analysis for deviations or nonconformities that have already occurred, particularly when the analysis is used to justify not taking corrective action because “the probability is low.”
Why this is wrong: The event is a fact, not an estimate. Whatever probability rating a team assigns afterwards describes only how surprised they were, and cannot change what happened or what it caused. The appropriate response is root cause analysis and corrective action scaled to severity and GMP requirements, not a probabilistic calculation that lowers the score below an action threshold.
Best Practice:
- Treat occurred events as problems requiring CAPA
- Use severity to determine rigor of investigation
- Implement risk assessment prospectively to prevent similar issues
- Document rationale based on GMP principles, not risk scores
Common Error #2: Over-Formalizing Low-Complexity Risk Assessments
Error: Applying highly formal risk assessment methods (detailed FMEA, complex matrices) to every decision, regardless of uncertainty, importance, or complexity.
Why this is problematic: This approach consumes excessive resources, delays decision-making, and may not produce better outcomes than simpler approaches for low-complexity situations.
Best Practice (per ICH Q9(R1)):
- Assess the uncertainty, importance, and complexity of each situation
- Scale the formality of risk assessment accordingly
- Use simple risk assessment tools for routine decisions
- Reserve formal methods for high-uncertainty, high-importance, or high-complexity situations
- Document the rationale for the chosen approach
Common Error #3: Confusing Different Risk Frameworks
Error: Attempting to apply ISO 9001’s flexible “effect of uncertainty” concept to product safety risk management, or conversely, requiring formal FMEA-style probability assessments for all QMS risks.
Why this creates confusion: Different standards serve different purposes and require different approaches. Mixing them inappropriately leads to either inadequate product safety management or unnecessarily bureaucratic QMS processes.
Best Practice:
- Maintain clear distinction between QMS-level risks and product safety risks
- Use ISO 14971/ICH Q9(R1) for product safety
- Use scaled, proportionate approaches for QMS risks
- Ensure team members understand which framework applies to which decisions
Common Error #4: Neglecting Subjectivity in Risk Assessment
Error: Treating risk scores as objective facts rather than as subjectively-assigned values reflecting team judgment.
Why this is problematic: ICH Q9(R1) explicitly identifies subjectivity as a challenge. Risk scores can vary significantly based on who conducts the assessment, leading to inconsistent decisions.
Best Practice (per ICH Q9(R1) revision):
- Define clear, detailed criteria for each severity and probability level
- Include specific keywords and examples for each rating level
- Ensure cross-functional team participation
- Document assumptions and data sources
- Regularly calibrate teams to maintain consistency
- Review and update scales based on experience
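The following is an added example, written for this article rather than taken from any standard or from the original text, that puts the rules of Part 2 and of Common Errors #1, #2 and #4 into a small risk register. An entry that has already occurred is routed to CAPA with its rigor set by severity, and any probability rating attached to it is reported as ignored instead of being used to downgrade the response; an entry that has not occurred is scored on severity × probability against written criteria, or on severity alone when no probability can be estimated; and the ICH Q9(R1) formality factors (uncertainty, importance, complexity) are combined so that a single high factor cannot be argued down. The severity and probability criteria, the 1 to 3 factor scale, the matrix thresholds and the entry data are all constructed for illustration and would be defined per product in a real risk management plan.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Severity(IntEnum):
    """Severity of harm. Written criteria per level (constructed) reduce subjectivity."""
    NEGLIGIBLE = 1
    MINOR = 2
    SERIOUS = 3
    CRITICAL = 4


class Probability(IntEnum):
    """Probability of occurrence of harm. Only meaningful for events not yet occurred."""
    REMOTE = 1
    OCCASIONAL = 2
    PROBABLE = 3
    FREQUENT = 4


SEVERITY_CRITERIA = {  # constructed examples of the keywords ICH Q9(R1) asks for
    Severity.NEGLIGIBLE: "no patient impact; cosmetic or documentation defect",
    Severity.MINOR: "temporary discomfort, no medical intervention",
    Severity.SERIOUS: "injury or illness requiring medical intervention",
    Severity.CRITICAL: "permanent impairment or life-threatening harm",
}
PROBABILITY_CRITERIA = {  # constructed; a real scale is tied to units, uses or time
    Probability.REMOTE: "fewer than 1 in 10,000 units",
    Probability.OCCASIONAL: "1 in 10,000 to 1 in 1,000 units",
    Probability.PROBABLE: "1 in 1,000 to 1 in 100 units",
    Probability.FREQUENT: "more than 1 in 100 units",
}
UNACCEPTABLE_AT = 9  # constructed matrix thresholds on severity * probability
ALARP_AT = 4


@dataclass
class Entry:
    ident: str
    description: str
    severity: Severity
    occurred: bool = False  # True: this is a problem/nonconformity, not a risk
    probability: Optional[Probability] = None


def evaluate_prospective(severity, probability):
    """Score something that has NOT happened. If probability cannot be estimated,
    evaluate on severity alone (the ISO 14971:2019 5.5 fallback) and flag that."""
    if probability is None:
        level = "unacceptable" if severity >= Severity.SERIOUS else "ALARP"
        return {"route": "risk-control", "level": level, "severity_only": True}
    score = int(severity) * int(probability)
    if score >= UNACCEPTABLE_AT:
        level = "unacceptable"
    elif score >= ALARP_AT:
        level = "ALARP"
    else:
        level = "acceptable"
    return {"route": "risk-control", "level": level, "score": score,
            "severity_only": False}


def evaluate_occurred(severity, probability=None):
    """Handle something that HAS happened: route to CAPA, rigor set by severity.
    A probability rating, if someone attached one, is reported as ignored rather
    than used to lower the response (the misuse pattern in Common Error #1)."""
    rigor = {
        Severity.NEGLIGIBLE: "correction + trend review",
        Severity.MINOR: "correction + root cause analysis",
        Severity.SERIOUS: "containment + RCA + CAPA + effectiveness check",
        Severity.CRITICAL: "containment + RCA + CAPA + effectiveness check + escalation",
    }[severity]
    return {"route": "CAPA", "rigor": rigor,
            "probability_ignored": probability is not None}


def dispatch(entry):
    """Single entry point: the occurred flag, not the score, decides the route."""
    if entry.occurred:
        return evaluate_occurred(entry.severity, entry.probability)
    return evaluate_prospective(entry.severity, entry.probability)


def formality_level(uncertainty, importance, complexity):
    """ICH Q9(R1) formality factors on a constructed 1 (low) to 3 (high) scale.
    The highest factor wins, so high importance cannot be offset by low complexity."""
    for v in (uncertainty, importance, complexity):
        if v not in (1, 2, 3):
            raise ValueError("each factor must be 1, 2 or 3")
    return {1: "low", 2: "medium", 3: "high"}[max(uncertainty, importance, complexity)]


if __name__ == "__main__":
    # Constructed register entries: one occurred deviation, two prospective risks.
    register = [
        Entry("DEV-1", "particulate found in filled vials", Severity.SERIOUS,
              occurred=True, probability=Probability.REMOTE),
        Entry("RSK-1", "label mix-up during changeover", Severity.CRITICAL,
              probability=Probability.OCCASIONAL),
        Entry("RSK-2", "sensor drift with no failure data yet", Severity.SERIOUS),
    ]
    for e in register:
        print(e.ident, dispatch(e))
    print("formality for a high-importance, simple change:", formality_level(1, 3, 1))
```

DEV-1 carries a REMOTE rating that someone might have used to argue the contamination away; `dispatch` routes it to CAPA on severity and reports `probability_ignored: True` so the misuse is visible in the record. RSK-2 has no probability estimate and is evaluated on severity alone with `severity_only: True`, which is the trace a reviewer needs to see that the gap was acknowledged rather than papered over.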
Part 7: Future Directions and Emerging Considerations
Digitalization and Risk Management
ICH Q9(R1) acknowledges the role of digitalization and emerging technologies in risk management. Modern approaches include:
Digital Twins: Virtual replicas of manufacturing processes allow simulation and risk analysis before implementation
Real-Time Monitoring: IoT sensors provide continuous data on critical parameters, enabling immediate risk detection
Predictive Analytics: Machine learning algorithms can identify risk patterns and predict potential failures
Blockchain: Enhances supply chain traceability and reduces counterfeit risks
Cloud-Based Systems: Enable collaborative risk management across global operations
Integration with Lifecycle Management
ICH Q12 (Technical and Regulatory Considerations for Pharmaceutical Product Lifecycle Management) emphasizes risk-based approaches to post-approval changes. This creates important synergies with ICH Q9(R1):
- Risk assessment supports categorization of changes
- Change management systems integrate with risk management
- Product knowledge management informs risk assessments
- Continuous improvement is enabled through risk-based approaches
Emphasis on Product Availability
A significant addition in ICH Q9(R1) is recognition that product availability risks constitute risks to patients. When quality or manufacturing issues cause drug shortages, patients may be unable to access essential medications, creating patient harm.
This perspective requires companies to:
- Assess vulnerabilities in supply chains
- Evaluate single-source dependencies
- Plan for manufacturing disruption scenarios
- Implement robust supplier quality management
- Maintain appropriate inventory strategies
Conclusion: Toward Mature Risk Management
The evolution of risk concepts across different standards reflects the pharmaceutical and medical device industries’ growing sophistication in managing complexity while maintaining patient safety. Several key principles emerge:
1. Precision in Terminology: Understanding that “risk” means different things in different contexts is essential. ISO 9001’s “effect of uncertainty” serves quality management system purposes, while ISO 14971 and ICH Q9(R1)’s “probability × severity” serves product safety purposes.
2. Appropriate Application: Using the right framework for the right purpose ensures both effectiveness and efficiency. Not all risks require formal FMEA; not all decisions require detailed risk assessment. However, product safety risks consistently require systematic, probability-based assessment.
3. Clear Distinction Between Risks and Problems: Events that have occurred are problems requiring corrective action, not risks requiring probability assessment. This distinction prevents misuse of risk management tools to minimize the significance of actual problems.
4. Balance of Formality: ICH Q9(R1)’s emphasis on scaling formality to uncertainty, importance, and complexity provides crucial guidance. Organizations should avoid both under-formalization (inadequate patient protection) and over-formalization (resource waste, delayed decisions).
5. Scientific Foundation: Both ISO 14971 and ICH Q9(R1) emphasize basing risk assessments on scientific knowledge and data. Reducing subjectivity requires clear definitions, cross-functional expertise, and documented rationale.
6. Continuous Evolution: Risk management is not static. Post-market surveillance, periodic review, and incorporation of emerging knowledge ensure risk management remains effective throughout product lifecycle.
The pharmaceutical and medical device industries operate in a unique space where both business success and patient safety depend on effective risk management. By understanding the different risk frameworks, applying them appropriately, and avoiding common pitfalls, organizations can achieve both regulatory compliance and genuine improvement in patient safety outcomes.
The journey toward risk management maturity requires ongoing education, clear procedures, cross-functional collaboration, and—most importantly—unwavering commitment to patient safety as the ultimate objective of all risk management activities.
References and Further Reading
- ISO 9001:2015 – Quality management systems – Requirements
- ISO 14971:2019 – Medical devices — Application of risk management to medical devices
- ISO/TR 24971:2020 – Medical devices — Guidance on the application of ISO 14971
- ICH Q9(R1) Quality Risk Management (January 2023)
- ICH Q10 Pharmaceutical Quality System
- ICH Q12 Technical and Regulatory Considerations for Pharmaceutical Product Lifecycle Management
- FDA Guidance: Q9(R1) Quality Risk Management (May 2023)
- EU GMP Annex 1 (Revised 2022) – Manufacture of Sterile Medicinal Products
- PIC/S Aide-Memoire on Assessment of Quality Risk Management Implementation
- ISPE Pharmaceutical Engineering: Current Challenges in Implementing Quality Risk Management
Note: This article provides general guidance on risk management concepts and should not be considered as legal or regulatory advice. Organizations should consult with qualified professionals and refer to current regulatory requirements applicable to their specific products and jurisdictions.