
Lately, during my experience in a pharma company, I had the opportunity to design and implement the future state of the Quality Risk Management (QRM) process. What I noticed, and this seems common across the industry, is that QRM often becomes just another process within the QMS, rather than being truly embedded in how we operate.
The result? The process stays immature, and risk reporting is often reactive instead of proactive. Too many times, risks are identified after they’ve happened, becoming deviations or non-conformances. By that point, it’s no longer a risk—it’s an issue.
In my experience, a mature QRM process should identify risks before they occur. One practical tool I like to use is a triage questionnaire—just a few simple questions to check if a potential event is really a risk:
- Has the event already occurred? Yes → It’s an issue, not a risk.
- Could it impact patient safety, data integrity, or study compliance? No → Monitor, no further action.
- Is there uncertainty about its likelihood or impact? No → Likely manageable under current processes.
- Can we take proactive action to prevent or reduce its impact? No → Document for information, but it’s not actionable.
If the answers point to a future, uncertain, and preventable event, you have a true risk that should go through the full QRM process: Risk Assessment, Risk Mitigation, Review, and Communication.
One approach I’ve found really effective is identifying risk champions within different R&D functions—GCP, GVP, GLP, and others. These champions act as ambassadors of the QRM process, representing it within their areas of expertise. Once a risk is identified and confirmed, the reporter collaborates with the risk champion to answer the triage questions and report it in the ServiceNow QRM software.
From there:
- The risk is assigned to a risk owner for review and assessment of likelihood, detectability, and severity (detectability is required by ICH E6(R3)).
- The risk owner then assigns a mitigation owner to develop a plan to reduce the risk to an acceptable level.
This way, ownership of the risk shifts from R&D Quality to the R&D function where the risk actually emerges, while Quality serves as a reviewer, ensuring the process is followed correctly.
The biggest benefit? QRM becomes embedded in how R&D operates, rather than existing as a standalone process. Risk champions make sure the process is living in the business, risks are managed where they emerge, and communication between functions improves. The organization moves from a reactive posture to a proactive, integrated risk culture—supporting better compliance, efficiency, patient safety, and data integrity.




