By Phillip Power

Risk assessments are a common requirement in many industries today. But what’s not common is an understanding of who owns risk assessments, when they are needed, and how to perform them. In this brief article, I hope to help answer some of these questions and provide useful insights along the way.

So, You Need a Risk Assessment?

Risk assessments are rarely done proactively; even proactive risk assessments are usually being done to satisfy a regulatory requirement, such as ISO 9001 or 21CFR. They can spring from just about anywhere:  process failures, customer complaints, audit findings- you name it. Companies oftentimes underestimate how frequently risk assessments need to be completed and, because of that, struggle when they start rolling in. I propose a few useful recommendations to roles and responsibilities to help with this adjustment later on. 

Who Owns the Risk Assessment?

All too often, a risk assessment begins with an argument on who should own it. If you ask Quality, it should be Operations, because they are familiar with the processes. If you ask Operations, it should be Quality because they are the group reminding everyone it’s a regulatory requirement. Who usually ends up winning out is the party that writes the procedure on risk management; since it’s a rare day someone from Operations volunteers to write a Quality procedure, to the victor go the spoils. But is this effective management? In my opinion, just as it is true that everyone owns quality, with Quality a bit more than everyone else, so too with risk assessments. Quality is responsible for ensuring they are completed (it is a requirement after all) but that does not absolve them from taking part in them. Risk assessments must be a multi-disciplinary approach where people from various departments include their perspective and expertise. By design, not everyone within a company shares the same vested interests. A risk to one person may seem insignificant to another, but it is only by combining a spectrum of knowledge and experience that you begin to assess the full risk.

Does a Risk Assessment Need a Leader?

While risk assessments can belong to any department, I don’t necessarily think anyone should lead one. It takes a strong leader to manage a risk assessment team, preferably one with a solid understanding of risk analysis and decision making. Not every member of the team will understand how the assessment comes together. For example, the difference between a severity rating of 3 and 5 can be the difference between wearing gloves or a hazmat suit. Developing people from within each department to lead risk assessments should be a priority of every company that is required to have a risk management system. Companies can create their own training materials, but I think the most economical solution is to provide the resources for select employees to study the Engineering Management Handbook and take the CPEM exam. This will give the employees an industry-recognized credential in return for their willingness to take on the additional responsibility, as well as giving them the tools they need to professionals in risk management.

Who to Pick for The Team?

Most people don’t associate risk assessments with teamwork but it’s a critical factor in determining how well and how quickly a risk assessment can be completed. Risk assessment teams are often groups of people who are not in the same team to begin with and haven’t had time to develop the same kind of relationship as they would with people whom they regularly work with. People may be unfamiliar with each other’s personalities and management styles. On top of all of that, everyone is being asked to provide their input and come to a consensus on somewhat subjective tasks. This is one of the reasons a strong leader is imperative. The leader’s role is not to determine the risk so much as to steer discussion and be a moderator when things get heated. If you haven’t been on a risk assessment team, you might be surprised at how passionately some people defend their opinions. There is not enough time in a risk assessment to go through the five stages of team development so the leader is often left with a poorly formed team stuck in the storming phase. Input should be weighed in proportion to the expertise of the team member providing it; oftentimes, the leader is not the subject matter expert.

What Risk Assessment Tool Should I Use?

There are several tools available for risk assessments; the key is selecting the right one. A mistake I have observed is to prescribe a single risk assessment form that everyone must follow. This inevitably makes the form an improper tool for most jobs, thereby discouraging its use and, consequently, the use of risk assessments altogether. If the people performing the risk assessment are nott trained well enough to select an appropriate risk assessment tool, don’t expect the risk assessments they complete to be of much help. The tool can be as simple as a gap analysis or as complex as a failure mode effects analysis (FMEA), depending on the nature of what is being assessed. Once the appropriate risk assessment tool is selected, walk everyone on the team through how it works and what input is expected of them. This is often the most frustrating part of risk assessments:  getting consensus. At the end of the day, you can only put in a single number or category for a risk. How probable is it that a failure will occur again on a scale of 1-5? Should the failure occur, how severe are the consequences on a scale of 1-5? These are highly subjective questions, even when the scale is well defined, and everyone’s perspective will be different. Healthy debate is encouraged but it’s important that no one person dominates the discussion. Everyone must feel comfortable sharing their opinion and disagreeing with the consensus. One suggestion to help with this is to have everyone write down their assessments at the beginning of the exercise without anyone discussing them openly. Then each person shares their risk numbers or categories with the team one at a time. This helps prevent a strong personality from biasing input.

Am I Done Yet?

Once the team has come to a consensus on the ratings and categories, a process that can take several meetings, it’s the job of the leader to polish up the assessment and submit it to the appropriate location, typically controlled and attached to an investigation. It’s important that, wherever the risk assessment ends up being stored, it is linked and accessible. It is not uncommon for multiple risk assessments to be completed for the same risk because no one could find the previous assessment- sometimes there is no one left who even knows it exists. As the risk assessment leader for your department, you will be grateful if this was done for you by others and others will thank you when you do it for them!

About the Author

Phillip Power, CPEM is a Pharmaceutical Technical Specialist for Zoetis, the world’s leading animal health company. In this role, Phillip manages investigations and CAPAs, operational improvement projects, and risk assessments to ensure the market has access to the highest quality medicines for companion animals and livestock. He earned his B.Sc. in Chemical Engineering and his M.E. in Engineering Management from the University of Nebraska- Lincoln. Phillip lives in Lincoln, Nebraska, with his wife and two sons.