All the guidance documents published by the Regulatory Authorities during the COVID-19 Pandemic highlight the need for risk assessments to be conducted by clinical trial sponsors and Clinical Research Organizations (CROs). However, conducting risk assessments and developing adequate Risk Management Plans are not easy tasks.
This article aims to provide guidance on how to use risk analysis and risk management techniques in Clinical Research as recommended by ICH GCP E6(R2).
Clinical Quality Risk Management Overview
Risk-based quality management methodologies allow for the use of objective data to prospectively and collaboratively identify areas of high risk so that remediation can be performed to alleviate patient safety issues, data corruption and rapidly rising risk recovery costs before they occur.
Managing risks is iterative and assists organizations in setting strategy, achieving objectives, and making informed decisions.
ICH GCP E6(R2) recommends a risk-based approach to quality management that should comprise the key steps shown in the figure below, which we will summarize in the following paragraphs.
Critical Processes and Data Identification
Before setting out to identify and mitigate risks it is first necessary to establish the priorities. Since we cannot focus on everything, it is key to prioritize by focusing on critical processes and data.
Critical data and processes are those that potentially jeopardize human subject protection or reliability of trial results if not conducted as expected.
ICH GCP E6(R2) section 5.0 states that “sponsors should focus on trial activities essential to ensuring human subject protection and the reliability of trial results”.
The objective of the risk assessment must be understood and documented.
The priorities should be clear and should not be cluttered with minor issues (for example: extensive secondary objectives or processes or data collection not linked to the main trial objectives and/or proper protection of the trial subjects). The priorities should be continuously reviewed and adapted as deemed necessary.
Risk assessment should be conducted systematically, iteratively and collaboratively, based on the knowledge and views of all relevant stakeholders. It should use the best available information, supplemented by further enquiry as necessary.
Risk assessment usually consists of three steps: risk identification, risk analysis, and risk evaluation, which are linked to three fundamental questions:
Risk Identification: What might go wrong? Also keep in mind “What MUST GO RIGHT”.
Risk Analysis: What is the likelihood, the probability it will go wrong? This is the chance of occurrence.
Risk Evaluation: What are the consequences, the severity? What would be the impact on trial subjects’ rights, well-being, safety and/or on the reliability of the trial results?
ICH GCP E6(R2) covers the risk identification and risk evaluation processes, with the risk analysis portion embedded in the risk evaluation step.
With regard to risk identification, ICH GCP requires that “the sponsor identifies risks to critical trial processes and data. Risks should be considered at both the system level (For example: standard operating procedures, computerized systems, personnel) and clinical trial level (For example: trial design, data collection, informed consent process)”.
Regarding risk evaluation, ICH GCP E6(R2) section 5.0.3 specifies that the sponsor should evaluate the identified risks against existing risk controls by considering:
The likelihood of errors occurring,
The extent to which such errors would be detectable, and
The impact of such errors on human subject protection and reliability of trial results.
The risk assessment should be based on the risk question formulated at the beginning of the QRM exercise, which will focus the risk assessment team on the risk area to be assessed.
Several approaches may be used to evaluate risks including qualitative analysis, quantitative analysis, or a combination depending on the circumstances and intended use.
The outcome of the risk evaluation should be recorded, communicated and then validated at appropriate levels of the organization. A risk management log or risk register can be used for this purpose.
The Risk Management Log is the document where risks are mapped and prioritized according to their risk level.
Once the risks have been identified and analysed, the next step is to develop appropriate risk response strategies.
Risks may need to be controlled at the system and trial levels, only at the system level, or only at the trial level depending on the evaluation of the risk, the organization’s risk tolerance, and the required level of control.
The purpose of risk control is to select and implement options for addressing risk. A thoughtful approach to risks at both the system- and trial-levels results in more effective use of the resources available to control risks.
Risk Control is a decision-making activity. Its purpose is to mitigate the risk by avoiding it, reducing it to an acceptable level, or accepting it as is.
The selection of risk control measures should be made in accordance with the organization’s objectives, risk criteria and available resources.
During risk control activities the following key questions should be asked:
What is the acceptable level of risk?
Is the risk above an acceptable level?
What can be done to reduce or eliminate risks?
What is the appropriate balance among benefits, risks and resources?
Are new risks introduced as a result of the identified risks being controlled?
For each risk identified, an appropriate mitigation strategy (for example: enhancing monitoring for important data such as inclusion/exclusion or primary endpoints) should be implemented, or a determination made that the risk can be accepted or eliminated (for example: by modifying the protocol). If the risk is accepted, there should always be a scientific rationale as to why the risks are acceptable.
Always keep in mind that the amount of effort for risk control should be proportional to the significance of the risk and the importance of the process/outcome.
Remember that the goal is not to eliminate all risks, because every process has risks associated with it, but to control the most significant ones.
The Risk Management Plan is the output of the planning and risk control step.
The purpose of a risk management plan is to specify how the chosen risk control measures will be implemented, so the arrangements are understood by those involved, and progress against the plan can be monitored.
The document contains the risk control strategy and a detailed action plan on how to manage each risk.
Documenting and communicating a risk plan is an initial step in establishing ownership and effectively implementing controls. The success of quality risk management efforts depends on the implementation of the controls.
Once the risk and the related control actions have been determined, it is crucial in the QRM process to communicate those actions to the relevant stakeholders both at the system and trial levels.
The purpose of communication is to assist the relevant stakeholders in understanding the risks, the basis on which decisions are made and the reason why particular actions are required.
Communication planning includes the identification of the important stakeholders of quality risk management processes, the development of a communication plan, and the execution of that communication plan.
Clear action owners, implementation of timelines, and an effective documentation and review process are required to make the required changes happen.
The organization should evaluate whether actions taken to address risks are achieving the desired outcome, as specified by ICH GCP E6(R2), section 5.0.6: “The sponsor should periodically review risk control measures to ascertain whether the implemented quality management activities remain effective and relevant, taking into account emerging knowledge and experience”.
The monitoring and review step involves the review of risks, mitigation actions, and subsequent results. This step examines whether or not the identified risk was controlled appropriately and what the result was.
This step may also result in new risks being identified, and these risks would need to be managed.
Ongoing monitoring and review of the risk management process and its outcomes should be a planned part of the risk management process, with responsibilities clearly defined.
Risk reporting as per ICH E6(R2) is specific to reporting quality performance at the trial level.
In accordance with the ICH guidelines E3 Structure and Content of Clinical Study Reports (Section 9.6 Data Quality Assurance) and ICH E6 (R2) section 5.0.7, the sponsor should describe the quality management approach for the trial, the implemented risk adaptations and summarize important deviations from the predefined quality tolerance limits and remedial actions taken in the clinical study report.
The important deviations may be a summary of potentially important protocol deviations, quality events, quality metrics, or trial-specific metrics depending on the risk tolerance of the organization and the processes and data important to the trial.
Remember that the risk documentation including risk identification, evaluation, control, communication, review and reporting should be retained in the study trial master file.
The quality risk management methodology is an integral part of an effective quality management system. It can be applied to both the system and the trial levels.
ICH GCP asks for the protection of rights, safety and the wellbeing of study subjects, and the integrity of study data. Efficient quality assurance involves the systematic concentration on risks that compromise the safety of study patients and data quality and integrity.
Quality risk management is a systematic and proactive process for assessing, controlling, communicating, and monitoring risks that might affect the clinical trial during its life cycle. Proper risk management implies control of possible future events. It aims to reduce not only the likelihood of an event occurring, but also the magnitude of its impact. It is proactive rather than reactive.
The review process should be dynamic. It implies close performance measurement focused on quality in relation to pre-specified acceptance criteria or predefined ranges.