The 3 Types of Quality Risk Management Tools and What They Do Best

Published on April 26, 2023
Last updated on February 20, 2026
Reviewed by: Lisa Weeks

Summary

Quality risk management (QRM) is a structured, science-based approach to identifying, assessing and controlling risks throughout the pharmaceutical product lifecycle. Grounded in International Council for Harmonisation (ICH) principles, it ensures that risk evaluation and documentation are proportional to the level of risk while protecting patient safety and product quality.

The blog outlines three categories of QRM tools: brainstorming tools, risk analysis tools, and risk classification tools. Together, methods such as process mapping, fishbone diagrams, preliminary hazard analysis (PHA), and failure mode and effects analysis (FMEA) help organizations define problems, analyze root causes, and prioritize mitigation efforts.

Key Takeaways

  • Quality risk management should be grounded in scientific knowledge and focused on protecting the patient. The level of effort, documentation and control should always match the level of risk.

  • Brainstorming tools help define problems, risk analysis tools clarify cause-and-effect relationships, and advanced tools such as PHA and FMEA quantify and prioritize risks. Selecting the right tool depends on the process's complexity and stage.

  • Using severity, occurrence, and detection criteria enables organizations to calculate risk priority numbers (RPNs) and focus mitigation efforts where they matter most. A systematic approach improves decision-making, compliance, and overall product quality.

Who is this for

  • Quality assurance (QA) and quality management system (QMS) leads
  • Quality control (QC) managers and investigators
  • Process development and manufacturing engineers
  • Validation engineers and tech transfer teams
  • CMC / product development scientists
  • Regulatory affairs and compliance professionals
  • Cross-functional SMEs who run risk assessments and CAPA planning

Quality risk management (QRM) is a crucial process for ensuring the safety and efficacy of drugs throughout their lifecycle, from development to commercial manufacturing. By proactively identifying and managing potential risks, manufacturers can minimize the likelihood of quality issues and ensure the final product is high-quality and safe for patient use. Implementing a QRM process involves a structured approach to risk assessment, management, and control, as well as ongoing monitoring and reassessment of identified risks. In this blog post, we dive deeper into the topic of QRM and explore its importance in the pharmaceutical industry.

Primary Principles of Quality Risk Management 

According to the International Council for Harmonisation (ICH), QRM foundations are supported by two primary principles:

  1. Scientific knowledge should be the basis for evaluating risk to quality, with the aim of protecting the patient.
  2. The level of effort, formality, and documentation in QRM activities should be proportional to the level of risk.

This process should be considered in a holistic, proactive, and systematic manner, meaning QRM should be an integral part of the pharmaceutical quality system, focused on identifying and evaluating potential risks throughout the product lifecycle. Being proactive involves anticipating and addressing potential risks before they occur, while a systematic approach requires a structured, consistent methodology for identifying, assessing, controlling, and communicating risks. Risk management should also include continuous monitoring and reassessment to ensure risk management strategies remain effective.

Figure 1 – Overview of a typical QRM Process (ICH, 2023)

As an initial phase of a QRM process, subject matter experts (SMEs) must ensure a clear set of premises to guarantee an efficient risk assessment exercise, including the correct description of the problem, its scope, and the goal of the risk assessment. This characterization facilitates selection of the most appropriate QRM tools from the set of structured and standardized tools that any organization should have available.

This post divides these risk management tools into three categories, highlighting the benefits and limitations of each QRM strategy and providing suggestions for their ideal application:

  1. Simple brainstorming tools
  2. Simple risk analysis tools
  3. Complex risk classification tools

#1. Simple Brainstorming Tools

Simple brainstorming tools are the most commonly used tools in a QRM process, whether for gathering data and information or characterizing the process, product, or entity being assessed. These tools are often used in the initial steps of a QRM workflow and can serve as prerequisites to more risk-focused analysis and complex risk classification.

Process Mapping
A schematic display of process steps presented sequentially, defining resources and potential outcomes.

  • Big Benefit: Completely standardizes work processes from beginning to end.
  • Expert Advice: Include process measurements, such as the time required for each step.

Decision Trees
A semi-linear, branched flowchart illustrating possible outcomes and decision alternatives for a specific problem.

  • Big Benefit: Assigns specific values to each problem, decision path or outcome.
  • Expert Advice: Recognize that the final outcome of one decision tree often becomes the starting point for another decision.

Mind Maps
A diagram organized around a central concept, with branching elements that generate keywords and discussion points.

  • Big Benefit: Promotes meaningful learning by connecting new knowledge to existing knowledge.
  • Expert Advice: Use mind maps when a less sequential, more associative approach than traditional process mapping is beneficial.

The 5 Whys
A structured questioning technique that asks “Why?” five times, with each answer forming the basis of the next question.

  • Big Benefit: Effectively identifies and analyzes the root cause of a problem or deviation.
  • Expert Advice: Clearly distinguish root causes from symptoms or contributing factors.

Although their influence is often less direct than risk analysis or risk classification tools, these simple brainstorming tools can be critical for planning subsequent QRM activities or serving as complementary follow-ups to more in-depth analyses. For example, describing multiple associations between a problem and potential impacts using a mind map can support later cause-and-effect analysis, allowing ranking of those associations and focus on the most impactful ones.

#2. Simple Risk Analysis Tools

Despite being referred to as "simple tools," these offer a much more sophisticated approach than basic brainstorming by enabling cause-and-effect risk analysis. This analytical process is crucial for identifying potential risks and understanding the relationships among various risk factors, thereby facilitating a comprehensive and effective risk management strategy.

Ishikawa (“Fishbone”) Diagram
A simple branching diagram that focuses on the most influential inputs affecting each output.

Benefits:

  • Encourages group participation
  • Utilizes an orderly, easy-to-read format
  • Identifies possible causes of variation
  • Maintains focus on the defined problem

Limitations:

  • Not suitable for highly complex problems or those with multiple effects
  • Often based on expert opinion rather than empirical evidence
  • Does not prioritize which problems require immediate action

Cause-and-Effect Matrix
A matrix that evaluates all possible inputs and outputs to establish and quantify their relationships.

Benefits:

  • Enables numerical quantification
  • Ranks the most important factors according to product quality
  • Serves as a foundation for a more structured design of experiments (DOE)

Limitations:

  • Not suitable for problems with multiple effects
  • Most effective as an input method for subsequent risk management tools

The fishbone diagram, originally developed by Kaoru Ishikawa in the 1960s, has become a valuable tool for quality management in drug manufacturing and development. It maps potential quality control issues and identifies contributing causal factors, represented as “bones,” that lead to a defined outcome, represented by the “head.” By utilizing the fishbone diagram, manufacturers can identify and manage potential risks throughout the product lifecycle.

Figure 2 – Example of a fishbone diagram

Similarly, the cause-and-effect matrix evaluates the relationships between causal factors and their effects. While it is well suited for assessing problems involving multiple causal factors, it may not illustrate interrelated patterns as effectively as visual tools. Nonetheless, both simple risk analysis tools are important for informing more advanced QRM tools and building an effective quality management system (QMS).

#3. Complex Tools for Severity, Occurrence, and Detection (SOD)

The most complex QRM tools are designed to classify previously identified risks by assessing their severity, occurrence, and detection (SOD). Using the gathered knowledge about each process parameter, correlation, and potential hazard, the goal is to answer these three questions:

  1. How severe is it?
  2. How likely is it to occur?
  3. How likely is it to be detected?

The result is the risk priority number (RPN), a combined calculation of SOD used to quantify and prioritize the risk of each failure mode.

Preliminary Hazard Analysis (PHA)
Ideal for analyzing different systems during the early stages of product development.

Steps:

  1. Select the process for analysis.
  2. Identify hazards and general causes of danger.
  3. Assess the extent of damage and/or severity value.
  4. Define occurrence and document the findings.
  5. Calculate the RPN and implement mitigation actions.

Benefits:

  • Provides a primary record of hazards and potential damage
  • Supports informed resource allocation
  • Enables quick review and clear delineation of specific risks

Limitations:

  • Highly dependent on team knowledge and expertise
  • Does not identify highly improbable risks
  • Does not assess the risk of combined hazards of coexisting failure modes

Failure Mode and Effects Analysis (FMEA)
An assessment of possible failure modes and their effects on product quality and performance.

Steps:

  1. Identify known and potential failure modes and their related effects.
  2. Determine severity, occurrence, and detectability values.
  3. Calculate RPN and prioritize failure modes.
  4. Define mitigation actions based on prioritization.
  5. Assess residual risk and produce a summary report.

Benefits:

  • Breaks complex processes into manageable steps
  • Stimulates open communication
  • Prioritizes risk as the underlying measurement
  • Monitors the effectiveness of risk control activities

Limitations:

  • Time-consuming due to the level of detail i
  • Requires significant scoring upon completion
PHA is especially useful in early design phases when modifications are more cost-effective and easier to implement. By anticipating delays and addressing them earlier in the development pipeline, the PHA can also reduce design time.

Similarly, FMEA proactively identifies and addresses potential problems before they arise. Although FMEA is the most resource-intensive and time-consuming of the QRM tools, it can serve as the foundation for system design elements and process controls across the entire product pipeline. By utilizing PHA and FMEA, manufacturers can optimize their development processes and produce higher-quality products with improved safety profiles.

Managing QRM in a Systematic Way

Managing risk effectively can be challenging, particularly when the QRM process is not systematically organized across the organization. This underscores the need for a dedicated QRM system that streamlines and centralizes all activities related to identifying, quantifying, and prioritizing risks.

Quality risk management digitalization consolidates these activities into a single platform. When implemented correctly, this approach enables a centralized and holistic QRM process that connects the organization, ensures process coherence, and facilitates knowledge preservation and reuse.

By optimizing your QRM process through digitalization, you can improve efficiency and elevate your product development and manufacturing operations.

 

Margarida Ventura

Senior Consultant in Delivery

 

    References

    1. International Council for Harmonisation. (2023). ICH Q9(R1) Guideline: Quality Risk Management. https://www.ich.org/page/quality-guidelines. Accessed Date: 17 February 2026.

    2. U.S. Food & Drug Administration. (2023). Q9(R1) Quality Risk Management Guidance Document. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/q9r1-quality-risk-management. Accessed Date: 18 February 2026.

    3. European Medicines Agency. (2023). ICH Q9 Quality risk management - Scientific guideline. https://www.ema.europa.eu/en/ich-q9-quality-risk-management-scientific-guideline. Accessed Date: 18 February 2026.

    The opinions, information and conclusions contained within this blog should not be construed as conclusive fact, ValGenesis offering advice, nor as an indication of future results.

    FAQs

    Use scientific knowledge to evaluate risk to quality with patient protection as the aim, and scale the effort, formality, and documentation to the level of risk.

    Use process mapping, decision trees, mind maps, or 5 Whys to capture how the process works and frame the issue. Use fishbone diagrams or cause-and-effect matrices to connect causes to effects. Use PHA or FMEA when you need SOD scoring and prioritization via an RPN.

    PHA supports early development and system-level hazard identification, with quick risk delineation. FMEA goes deeper by listing failure modes, scoring severity, occurrence, and detectability, prioritizing by RPN, and defining mitigation plus residual risk—at the cost of more time and scoring effort.
