Risk-Based Monitoring: Best Practices for 2025
10 min read · 2025-01-10 · AuditingLab Team
How to implement risk-based monitoring strategies that reduce site burden while maintaining data quality.
Risk-based monitoring (RBM) has matured from a cost-cutting concept into a regulatory expectation. ICH E6(R3) reinforces the principle that monitoring intensity should match the actual risks to subject safety and data integrity — not default to 100% source data verification. Effective RBM programs start with a documented risk assessment, define key risk indicators (KRIs) at the protocol level, and adapt monitoring plans as trial data accumulates.
What ICH E6(R3) Requires from Sponsors
ICH E6(R3), finalized in 2023 and now the operative GCP standard for most regulatory submissions, explicitly states that monitoring approaches should be proportionate to the risks inherent in the trial. The guidance moves away from prescriptive on-site SDV requirements and toward a quality management system (QMS) framing where sponsors document risk identification, evaluation, control, reporting, and review as a continuous process.
Critically, E6(R3) does not eliminate on-site monitoring. It requires that the decision to reduce on-site SDV be based on documented risk analysis — not cost savings alone. Sponsors whose monitoring plans cannot demonstrate that connection will find themselves exposed during inspections.
- Document the risk identification and evaluation process for each protocol
- Define which data points are critical to patient safety and primary endpoint integrity
- Record the rationale for your chosen monitoring intensity in the monitoring plan
- Build a risk review cadence into your QMS — at minimum quarterly for active studies
- Maintain evidence that monitoring plan adaptations were triggered by actual risk signals, not arbitrary decisions
Building a Protocol-Level Risk Assessment
A protocol-level risk assessment identifies the critical-to-quality (CTQ) factors for a specific trial — the data points and processes where errors would materially affect subject safety or trial conclusions. Not all data errors are equally important. A transcription error in a non-primary endpoint field is categorically different from a consent date inconsistency in a trial where eligibility criteria are time-sensitive.
The risk assessment should be completed before the monitoring plan is written and should directly inform monitoring frequency, SDV targets, and centralized monitoring rules. Studies with high-complexity endpoints or vulnerable populations will have more CTQ factors and require more intensive monitoring strategies.
- List all protocol endpoints and classify each as primary, secondary, or exploratory
- Identify which endpoints are critical to regulatory submission and patient safety decisions
- Assess the probability and detectability of errors in each critical data domain
- Score overall risk as high, medium, or low per domain with documented rationale
- Use the risk assessment to set SDV percentages and centralized monitoring trigger thresholds
Designing Key Risk Indicators (KRIs)
Key risk indicators are quantitative signals that alert the monitoring team when a site's performance has deviated from expected patterns. Good KRIs detect problems early — before they become protocol deviations or data integrity events. Poor KRIs either generate constant false positives (creating alert fatigue) or fail to trigger until problems are already serious.
KRIs should be defined at the protocol level before the study starts and calibrated against historical data from similar studies where available. Common starting points include missing data rates, protocol deviation rates, enrollment velocity versus projections, and SAE-to-enrollment ratios.
- Define 5–10 KRIs per protocol, focused on critical data domains and safety signals
- Set alert thresholds at both a 'flag for review' level and a 'trigger action' level
- Review KRI data at least monthly for active studies and document the review
- Escalate persistent KRI signals to the medical monitor and sponsor QA within defined timelines
- Adjust KRI thresholds during the study if the initial calibration proves to be miscalibrated
Centralized vs. On-Site Monitoring: Finding the Right Balance
Centralized monitoring — the review of data trends, outliers, and patterns across sites without on-site presence — is a cornerstone of RBM. When designed well, centralized monitoring catches site-level outliers that on-site monitors miss because they review data one site at a time. It also allows the sponsor to detect problems across the entire trial network faster than any on-site visit schedule can achieve.
That said, centralized monitoring cannot replace on-site activities for high-risk functions: consent verification, investigational product accountability, training record review, and delegation log confirmation require physical presence or direct interaction with site staff and source documents.
- Conduct centralized data reviews at least monthly, with a designated reviewer and documented output
- Use statistical outlier detection to flag sites with unusual data distributions
- Reserve on-site visits for high-risk sites, consent-heavy milestones, and protocol amendment implementation
- Document the trigger for every on-site visit in the monitoring plan deviation log
- Train site staff to understand that centralized monitoring is ongoing — it does not pause between visits
Key Takeaways
- ICH E6(R3) makes risk-based monitoring a regulatory expectation, not just a cost option
- Risk assessment must precede and directly inform the monitoring plan
- KRIs should be defined before the study starts and reviewed at least monthly
- Centralized monitoring catches cross-site patterns that on-site visits miss
- Document every monitoring decision — the rationale, the trigger, and the outcome