28.04.2015 |

LOGFILE No. 28/2015 - Risk Evaluation - more than just data and facts

Risk Evaluation - more than just data and facts

An excerpt from the PDA/DHI publication Risk Assessment and Risk Management in the Pharmaceutical Industry - Clear and Simple

by James L. Vesper

Risk evaluation is the phase of risk management in which decisions are made on whether or not to accept the risks based on the analysis that was just completed. It is the phase that can cause the most contention, as many competing issues – safety, time, money, perceptions, reputation – must be weighed and balanced.

Three Possible Outcomes of a Risk Evaluation

When conducting a risk evaluation, there will be one of three potential results:

  • The risk is accepted as is (an acceptable risk)
  • The risk is not accepted (an unacceptable risk)
  • The risk could be acceptable but a strategy should be considered to reduce the risk further (“as low as readily achievable“ or ALARA)

Acceptable risks. This does not mean that there is no risk; rather, it means that those actively or tacitly agreeing to it (or the decision makers who are managing the risk) feel that there is not a significant risk to them or their interests. Sometimes this is stated as “less than or equal to 1 event in one million events.“ lt still could occur, but most of us would say, “it won‘t happen to me.“ A term that is sometimes used in toxicology studies is “No Observable (Adverse) Effects Level“ or “NOEL.“ Another category of acceptable risk is, that if something does occur, its impact will not be serious. Perceptions about the risk and those communicating the risk influence the level of risk that a person or a population is willing to accept (see Chapter 4).

Unacceptable risks. Unacceptable risks are those that cannot be tolerated. In some cases, changes can be made that will put the risk into one of the other two categories; in other situations, the project or endeavor may need to be stopped temporarily (until, perhaps, new technology is available) or permanently.

“As low as readily achievable” (ALARA) risks. Usually, acceptable and unacceptable risks are easy to identify and the decisions or actions needed are obvious. On the other hand, risks that are ALARA (also known as ALARP, “as low as readily practicable”), are in an in-between gray zone. What precisely does “readily achievable” or “readily practicable” mean? There are several considerations in deciding if something should be done. (These same questions can be asked when trying to select between various control options.) These considerations include the following:

  • Effectiveness – How effective will the control be? Will it eliminate the risk or only reduce the impact of the event should it occur? A way to determine this would be to do a comparison of the “as-is“ situation to what it would be with added controls.
  • Benefits – What are the benefits of the controls? These may be tangible (cycle time reduction or fewer defects) or intangible (customers may sense they are not getting a quality product because the label is a bit askew). Will the controls provide any advantages compared to not having special controls?
  • Costs – What are the costs of the controls versus the cost of not having special controls in place?
  • Risks – Will the added controls create any new or different hazards? For example, by changing from one cleaning agent to another, are you reducing toxicity problems but causing a higher potential of fire or explosion?
  • Residual risks – These are the risks that remain after the controls have been applied. Residual risks for each remaining hazard and also for the entire system need to be considered.

Evaluating Risk

In setting up a risk management program, the organization needs to establish its criteria that will be used when evaluating the risks. The need for this is mentioned in the ISO standard for medical device risk assessment: “For each identified hazard, the manufacturer shall decide, using the criteria defined in the risk management plan…” (emphasis added) (ISO 14971:2000, p. 19).

The format of the criteria must be in keeping with the risk assessment tools that were used and how those results are presented (qualitatively, semi-quantitatively, or quantitatively). Some examples are shown in Figures 1 and 2.



For organizations starting a formal risk management program, the criteria can evolve as more experience is learned about the risk management process, the products, processes, and systems that are analyzed.

When evaluating specific risks after an analysis, the analyst would apply the criteria yielding a result or action (e.g., accept, do not accept, ALARA).

Safety Factor

To provide a “cushion“ to compensate for lack of experience with a new process or product, for example, safety factors could be applied. The evaluation step is the appropriate place to apply these factors; safety factors should not be applied during the analysis. The reason for this is that the analysis should be as objective as possible so that the results between analyses and analysis teams remain as consistent as possible.


Evaluating a risk — accepting the risk as is, abandoning the project or product that would create the risk, or modifying the risk in some way so it is acceptable — requires more than just data and facts. Risk evaluation involves intangibles that are important to those who may be affected directly or indirectly by the risks. Risk evaluators need to understand the social, organizational, personal, environment, regulatory, political, and economic aspects of the decisions they are making.

This text is an excerpt from the PDA/DHI publication Risk Assessment and Risk Management in the Pharmaceutical Industry, Chapter 8 Risk Evaluation.


James L. Vesper