Risk Management

Identifying Risks

Post by
Identifying Risks

Since ICH GCP was revised to include requirements for quality and risk management, sponsors have struggled to implement it in a meaningful way. When I review RACT (Risk Assessment Categorization Tool) output and risk management plans, I feel like I'm an English teacher again, and my students don't really understand the assignment, but are hoping that if they write down everything that comes into their heads, they'll hit the five-page minimum and achieve a passing grade.

The first step to risk management is being able to articulate risks. To do that, we need to name three components:

  • The condition that elevates the likelihood of a negative outcome
  • The negative outcome
  • The critical element that is being affected

It helps to start backward, by identifying the critical elements of our study.  Patient safety is always critical, but critical data is protocol-specific. Typically, critical data are key safety and efficacy data.

Next, we need to identify potential negative impacts on patient safety and critical data. What's the worst that could happen? On the safety side, patients could have avoidable serious adverse events--for example, because they were enrolled with a prohibited condition, or took a prohibited medication, or were mis-dosed, or underwent a risky study procedure that resulted in harm. Data integrity could be compromised if data were lost or corrupted, if sites did not comply with the protocol, or if patient did not comply with the dosing regimen. These issues could apply to almost every study; our job is to get specific in imagining how they might apply to our study.

Finally, we need to look at the conditions that could elevate the likelihood of the negative outcome. Below are some conditions that elevate risks:

  • Novelty. Anything new could elevate risks - new vendors, technology, processes, assays.
  • Delegation. Handoffs increase risks. When your vendors subcontract, the handoffs are multiplied, increasing risks further.
  • Deficits in expertise. Small sponsors can have small teams that lack expertise in key areas, such as biostatistics or clinical supply; lack of expertise correlates to increased risk. Similarly, any time you hire a CRO to do something that is not in their wheelhouse, risks are elevated.
  • Outsized interests. Sites with financial interest in the sponsor and site management organizations whose sites enroll a significant proportion of the subjects are two examples of outsized interests that could lead to bias which - you guessed it - increases risk.
  • Cutting corners. Deviating from or shortcutting your usual process increases risk.
  • "The new normal." Climate change, pandemics, and political unrest are seemingly permanent risk elevators.

Put these three components together and we have a fully articulated risk:

"Using a new ePRO vendor that we didn't qualify via an audit [condition] increases the risk of data loss or corruption [negative outcome] to one of our key efficacy endpoints [critical element]."

Later in the series, we'll look at why articulating the risk in this manner is critical in our efforts to mitigate it.