Risk Assessment 101 "What is Risk?"

"Based on your risk" or "... as per your risk assessment"; they are two common definitions in most of the cleanroom standards and various cleanroom regulations. Both standards and regulations do not give us exact values and parameters but ask us to define them "based on our risk". Okay, but, what is a risk? And how do we do the assessment?

What is Risk?

There are various descriptions;

Individual:? Risk is a cognitive and emotional response to expected loss

Technical: Risk is usually based on the expected value of the conditional probability of the event occurring multiplied by the consequences of the event given that it has occurred

Organizations: Might use many different meanings of risk (product, quality, sustainability, profit, image?)

For pharmaceutical applications, ICH guideline Q9 on Quality Risk Management (ICH Q9) defines as;

Risk: Combination of the probability of occurrence of harm and the severity of that harm

Risk = Probability X Severity

Many of us define risk as the combination of the probability of occurrence of harm and the severity of that harm. But one thing is obvious and without understanding its basics, it is not always that easy; how severe and how probable?

Let's take a look at this great example from Gerd Gigerenzer, from Max Planck Institute to better understand these terminologies;

Which consequence is more severe?

• 300 lives were lost in a single, fiery plane crash.
• 300 lives were lost on US roads over a weekend.
• 300 lives potentially lost from cancer within the next 20 years

Which probability is probable?

What does a “30% chance of rain tomorrow” mean?

• 30% of the days like tomorrow will have at least a trace of rain.
• 30% of the area will have rain tomorrow.
• 30% of the time tomorrow, it will rain.??????

Gigerenzer, et. al (2005)?

What if we add another level? Assume that we can "see" that risk at an early stage thanks to the data/information that we can collect. A feedback mechanism that gives us early "detection". This will be our 3rd dimension. Different than the first two (probability and severity) when this detectability increases our risk will be reduced;

What is RPN "Risk Priority Number"?

Risk priority number (RPN) is a function of the three parameters discussed above; the severity of the effect of failure, the probability of occurrence, and the ease of detection for each failure mode. RPN is calculated by multiplying these three numbers. Simple but also quite risky; especially when you are not objective!

(Dis)advantage of Calculated Numbers & Data

"Does the “Risk Priority Number” tell the truth?" This is the most common question. To reduce that risk, it is always better to evaluate probability first, then severity for all items that you have listed and starting from the first line, detectability value. You are free to use 1 to 5 or 1 to X values however, if you go by column instead of lines, your task group will not get distracted with the value that you will find.

Keep a robust data set for further evaluation!

• Is the data set comparable?
• Are the data plain and concise?
• What about trending and use of statistics including extrapolation?
• What amount of data is enough? e.g. start with the existing data set

Watch out for your trends!

Collecting data is good but analyzing your trend is the best! Maybe you are safe and secure today but if things are changing over time and your trend is calling you but you skipped that call, tomorrow will be too late to respond.

Remember; entropy changes everything, even your values over time. Better to get ready for this before it's too late!

Final word; change your behavior from a tick-box checking approach for compliance to systematic risk-based thinking.

Please share this content if you think that your colleagues will also find it useful. If you haven't, make sure you subscribe to this newsletter so that the new edition can hit your mailbox! See you next time!..