Risk management comprises of a series of activities or processes that are undertaken throughout the life cycle of a clinical trial to identify, evaluate, monitor, control, prevent, mitigate, communicate and review, any factor (or process) that threatens the quality of the trial. This pertains to risks undertaken by participants as well as all other steps related to the trial especially the quality, reliability and integrity of the trial data. Risk management should start at the beginning of the trial (at the time of protocol design) so that risk mitigation can be a part of the protocol and other essential documents and processes. Risks are defined as the combination of probability of occurrence of harm and the severity of that harm.
Figure 1 below illustrates the basic steps of risk management:
The ICH Q9 document on Risk Management outlines the basic principles and process of risk management as applicable to the pharmaceutical industry. However, these principles and practices apply to all clinical trials. These processes help facilitate a robust clinical trial with a focus on quality and participant safety. Figure 2 illustrates the process for risk management for clinical trials in detail.
As outlined in the figure, the key steps in risk management are:
This step involves the identification of potential harms or hazards that might pose a threat to the quality of the trial or the participants safety and well-being or compromise the reliability of the results of the trial. Thus, it requires an in-depth review of the factors critical for ensuring the quality of a trial and to systematically identify the risks to these factors. The three steps that are recommended for risk assessment include:
- Risk Identification (What might go wrong?): This involves a systematic review of information that is available. Some examples of this information are historical data, data from previous analyses, concerns identified by the various stakeholders, etc. This information will form the basis of the risk management process for the trial. There are two levels at which information can be gathered to identify risks in clinical trials, i.e. at the systems level, and at the project level.
At the systems level, potential risks may arise when critical information is moved or shared between stakeholders. Institutes, agencies or researchers involved in the conduct of clinical trials, should have systems in place to restrict or minimise such risk. For example, having a set of SOPs, secure IT facilities and trained competent staff.
At the project level, potential risks may include those related to trial design, protocol specific requirements like a particular equipment or procedure, the investigational product, resources, timelines, etc.
- Risk can be categorised based on the type of risk identified such as: Operational risk, Timelines risk, Financial risk, Quality risk.
- Risk Analysis (What is the likelihood or the chance or probability, it will go wrong?): Risk analysis is the process which maybe qualitative or quantitative, of linking the likelihood (probability) of occurrence of the risk and its severity.
- Risk Evaluation: This step considers the impact of the identified harm, on the quality of the trial and the safety of the participants. Risk evaluation also includes establishment of priorities, and identification of those risks that matter. Prioritisation should be aligned with the GCP guidelines and the overarching objectives of the trial, such as reliable data, safety of the participants, scientific credibility, etc. This prioritisation should be reflected in all stages of the trial, beginning with trial planning (including the design), trial documents, resources, data collection methods, monitoring, etc. However, a continuous review of these priorities should be carried out throughout the lifecycle of the trial.
Ideally, the outcome of risk assessment should be a risk score that is assigned to each identified risk. Each of the risk can be assessed for the level of risk associated (low, medium and high).
This includes the decision to reduce and/or accept the risks. The primary reason for risk control is to reduce the risk, to an acceptable level. During this step, a plan for risk control should be developed and implemented. Risks are deemed acceptable when they have limited (or low) impact on the rights and safety of the trial participants, and reliability and integrity of data. However, if a risk is not acceptable, then an appropriate risk mitigation strategy or tool should be used, for risk reduction.
Risk mitigation strategies can be implemented at both the systems level and the project level. For example, agencies or researchers involved in the conduct of clinical trials, might develop general SOPs or plans, to control or manage risks for clinical trials. However, these plans and SOPs should be customised as per the requirements of the specific trial.
Some examples of risk mitigation strategies implemented at the system level are:
- Formal contracts between stakeholders, with clear definition of their roles and responsibilities pertaining to the trial.
- Established plans for oversight and monitoring of trials (performance driven quality checks).
Some examples of risk mitigation strategies at the project level are:
- Planning and design of trial specific training material, data management plan, audits, etc. aligned with the identified risks and assigned priorities.
Risk Communication is the sharing of information between the various stakeholders of a trial, about the risks and their management. It is recommended that there is a risk communication plan in place, which details on what has to be communicated, with whom and when. This plan should ideally be developed as part of the risk management process and continually reviewed through the course of the trial. Communication of identified risk is dependent on the category and level of risk. The risk need to be communicated to stakeholders and escalated as per the risk escalation pathway for the project. Example:
Risk Review is basically the process of monitoring and evaluation of strategies and tools that have been implemented as part of risk management. This continuous review of the process is recommended to ensure that new risks are identified and managed; and risk management tools implemented are effective.
Risk Management Tools
There are certain tools and strategies that one can implement as part of the risk management process. Some examples of recognised risk management tools are:
- Some basic tools that can be used for the identification of potential risks include flowcharts, check lists, process mapping, cause and effect diagrams (like the Ishikawa or fishbone diagram), risk ranking and filtering, etc. For clinical trials, clinical trial management system helps in risk management process.
- Some strategies that might be helpful in risk evaluation and management include fault tree analysis, failure mode analysis, etc.
- Supporting Statistical Tools such as control charts, histograms, pareto charts, process capability analysis, etc.
References (further reading)
- ICH Harmonised Tripartite Guideline, Quality Risk Management, Q9, current step 4 version, dated 9th November 2005, available online (last accessed on 26.02.2019).
- Reflection Paper on risk based quality management in clinical trials by the European Medicines Agency.
- For categories of risk – National Ethical Guidelines for Biomedical and Health Research involving Human Participants, Indian Council of Medical Research, 2017, available online (last accessed on 26.02.2019).