Risk evaluation is the phase of risk management in which decisions are made on whether or not to accept the risks based on the analysis that was just completed. It is the phase that can cause the most contention, as many competing issues – safety, time, money, perceptions, reputation – must be weighed and balanced.
When conducting a risk evaluation, there will be one of three potential results:
Acceptable risks. This does not mean that there is no risk; rather, it means that those actively or tacitly agreeing to it (or the decision makers who are managing the risk) feel that there is not a significant risk to them or their interests. Sometimes this is stated as “less than or equal to 1 event in one million events.“ lt still could occur, but most of us would say, “it won‘t happen to me.“ A term that is sometimes used in toxicology studies is “No Observable (Adverse) Effects Level“ or “NOEL.“ Another category of acceptable risk is, that if something does occur, its impact will not be serious. Perceptions about the risk and those communicating the risk influence the level of risk that a person or a population is willing to accept (see Chapter 4).
Unacceptable risks. Unacceptable risks are those that cannot be tolerated. In some cases, changes can be made that will put the risk into one of the other two categories; in other situations, the project or endeavor may need to be stopped temporarily (until, perhaps, new technology is available) or permanently.
“As low as readily achievable” (ALARA) risks. Usually, acceptable and unacceptable risks are easy to identify and the decisions or actions needed are obvious. On the other hand, risks that are ALARA (also known as ALARP, “as low as readily practicable”), are in an in-between gray zone. What precisely does “readily achievable” or “readily practicable” mean? There are several considerations in deciding if something should be done. (These same questions can be asked when trying to select between various control options.) These considerations include the following:
In setting up a risk management program, the organization needs to establish its criteria that will be used when evaluating the risks. The need for this is mentioned in the ISO standard for medical device risk assessment: “For each identified hazard, the manufacturer shall decide, using the criteria defined in the risk management plan…” (emphasis added) (ISO 14971:2000, p. 19).
The format of the criteria must be in keeping with the risk assessment tools that were used and how those results are presented (qualitatively, semi-quantitatively, or quantitatively). Some examples are shown in Figures 1 and 2.
For organizations starting a formal risk management program, the criteria can evolve as more experience is learned about the risk management process, the products, processes, and systems that are analyzed.
When evaluating specific risks after an analysis, the analyst would apply the criteria yielding a result or action (e.g., accept, do not accept, ALARA).
To provide a “cushion“ to compensate for lack of experience with a new process or product, for example, safety factors could be applied. The evaluation step is the appropriate place to apply these factors; safety factors should not be applied during the analysis. The reason for this is that the analysis should be as objective as possible so that the results between analyses and analysis teams remain as consistent as possible.
Evaluating a risk — accepting the risk as is, abandoning the project or product that would create the risk, or modifying the risk in some way so it is acceptable — requires more than just data and facts. Risk evaluation involves intangibles that are important to those who may be affected directly or indirectly by the risks. Risk evaluators need to understand the social, organizational, personal, environment, regulatory, political, and economic aspects of the decisions they are making.
This text is an excerpt from the PDA/DHI publication Risk Assessment and Risk Management in the Pharmaceutical Industry, Chapter 8 Risk Evaluation.
James L. Vesper