Risk Assessment Methodology
Methodology for conducting comprehensive clinical risk assessments
This methodology provides a standardized approach for identifying, evaluating, and mitigating risks in clinical research operations. Covers risk scoring, heat map development, control mapping, and ongoing risk monitoring — consistent with ICH E6(R3) risk-based quality management expectations.
Methodology Overview and Regulatory Basis
This risk assessment methodology is grounded in ICH E6(R3)'s quality management system (QMS) framework, which requires sponsors to identify risks to critical trial processes and data, evaluate the probability and impact of those risks, and implement proportionate controls. The methodology applies equally to pre-study risk assessments (performed before first patient in) and ongoing risk monitoring (performed throughout the trial).
The methodology uses a five-step process: Risk Identification, Risk Evaluation and Scoring, Risk Control Mapping, Risk Heat Map Development, and Ongoing Risk Monitoring. Each step produces a documented output that contributes to the overall risk register.
Step 1: Risk Identification
Risk identification is systematic — it should examine every critical process in the trial, not just those that have historically produced problems. Use the protocol, monitoring plan, and applicable SOPs as the source documents for identifying processes and data points that could fail in ways that affect subject safety or primary endpoint integrity.
- Review the protocol to identify all primary and secondary endpoints and the processes that generate them
- List every critical process: consent, randomization, IP dispensing, data entry, SAE reporting, laboratory procedures
- For each critical process, identify specific risk events: what could go wrong?
- Include both internal risks (process failures, system outages, staff turnover) and external risks (supply chain disruption, site staffing changes, regulatory changes)
- Document identified risks in the risk register before moving to evaluation
Step 2: Risk Scoring
Each identified risk is scored on two dimensions: probability of occurrence (how likely is this risk to materialize?) and impact severity (if this risk materializes, how significant are the consequences?). Use a 1–3 or 1–5 scale for each dimension, defined in advance and applied consistently across all risks.
The overall risk score is calculated as Probability × Impact. Risks that score above your defined threshold require active risk controls. Risks below the threshold are documented but may be managed through standard quality practices rather than dedicated controls.
- Probability: 1 = Unlikely (< 10% chance in this trial), 2 = Possible (10–50%), 3 = Likely (> 50%)
- Impact: 1 = Minor (no patient safety or data integrity effect), 2 = Moderate (data quality degraded or subject welfare concern), 3 = Critical (patient safety event or loss of primary endpoint data)
- Risk Score = Probability × Impact: scores of 4–9 require active risk controls
- Score risks before controls are applied (inherent risk) and after controls are applied (residual risk)
- Residual risk above your threshold requires escalation to senior management or sponsor QA
Step 3: Risk Control Mapping
Risk control mapping links each high-scoring risk to a specific control — the practice, process, or monitoring activity that reduces the probability of occurrence or limits the impact if the risk materializes. Effective controls are specific, owned, verifiable, and proportionate to the risk score.
Controls fall into four categories: Preventive (prevents the risk from occurring), Detective (identifies when the risk has materialized), Corrective (limits the impact after the risk materializes), and Directive (sets standards that reduce risk exposure). A robust risk control map uses a combination of all four control types.
- Map at least one control to every risk with a score above your threshold
- Assign each control to a named owner responsible for ensuring it is in place and functioning
- Define how each control will be verified — what evidence demonstrates it is working?
- Set a review frequency for each control appropriate to the risk score (monthly for high, quarterly for medium)
- Document control mapping in the risk register alongside the risk scores
Step 4: Risk Heat Map Development
A risk heat map is a visual representation of your risk register, plotting probability on one axis and impact on the other. The resulting grid immediately communicates the relative severity of risks across the trial and makes risk prioritization decisions transparent to sponsors, monitors, and QA teams.
Use the heat map in risk review meetings to focus discussion on the highest-scoring risks and to visualize how residual risks compare to inherent risks after controls are applied.
- Plot both inherent and residual risk scores for each identified risk
- Use color coding: red for high-risk (score 7–9), amber for medium-risk (score 4–6), green for low-risk (score 1–3)
- Share the heat map with the sponsor and monitoring team at study initiation and at each periodic risk review
- Update the heat map whenever new risks are identified or risk scores change
- Use the heat map to justify monitoring plan intensity decisions in the monitoring plan narrative
Step 5: Ongoing Risk Monitoring
Risk assessment is not a one-time exercise at study start. ICH E6(R3) requires ongoing risk review throughout the trial. As data accumulates, key risk indicators (KRIs) signal whether actual risk levels are tracking with the initial assessment — or whether risks that were scored as low are materializing at higher rates than anticipated.
- Schedule formal risk reviews at defined milestones: study start, 25% enrollment, 50% enrollment, and close-out
- Review KRI data at each risk review meeting and document the findings
- Update the risk register when new risks are identified or when KRI data changes a risk score
- Escalate changes in risk profile to sponsor QA and the monitoring team within a defined timeframe
- Retain all risk register versions as evidence of ongoing risk management for regulatory inspection
Browse all resources or contact us to discuss your QA needs.