Applying Principles of FDA Guidance for Industry Q9 Quality Risk Management 2023 to Vendor Risk Management

Published: 2023/07/19 Last updated: 2023/10/31 By: Tom Lazenby

The FDA guidance on quality risk management released in May (2023) offers principles and examples applicable to various pharmaceutical quality aspects.

The principles of quality risk management in this guidance can be extended to clinical trial vendor risk management, covering different stages of a clinical trial.

When applied to clinical trial vendor risk management, the principles of quality risk management can help identify and control potential quality issues in vendor services, from development and manufacturing to distribution.

It’s essential to achieve a shared understanding of risk among all stakeholders and manage subjectivity to enhance the effectiveness of risk management activities.

The degree of formality applied in quality risk management should reflect the importance of the decision, as well as the level of uncertainty and complexity present.

Key Principles – What, Why, When, How?

Principle 1:

The evaluation of the risk to quality should be based on scientific knowledge and ultimately link to the protection of the patient.

  • What: This principle emphasises the importance of basing risk evaluation on scientific knowledge and the ultimate objective of patient protection. This includes risks where product availability may be impacted, potentially causing patient harm.
  • Why: Clinical trials are crucial in ensuring the safety and efficacy of drugs for patients. Therefore, the risk to quality in clinical trial vendor services can directly impact patient safety. Evaluating these risks using scientific knowledge provides an objective, credible basis for decision-making.
  • When: This evaluation should take place at every stage of vendor involvement in a clinical trial, from the initial selection and onboarding of a vendor, during the trial’s execution and even post-trial activities.
  • How: In the context of clinical trial vendor risk management, this can be done through a systematic approach like Fault Tree Analysis (FTA). Potential risks are identified, their impacts on quality and patient safety are evaluated, and appropriate mitigation strategies are implemented.

Principle 2:

The level of effort, formality, and documentation of the quality risk management process should be commensurate with the level of risk.

  • What: This principle suggests that the resources allocated to the risk management process, including the effort put in, the formality of the process, and the extent of documentation, should align with the severity of the risk.
  • Why: Not all risks are equal. Some pose a more significant threat to clinical trial integrity and patient safety than others. By aligning resources with risk severity, clinical trial sponsors can ensure the efficient use of resources, focusing more on high-priority risks.
  • When: This principle should guide the risk management process throughout the entire clinical trial, from the planning phase to the execution and even in the post-trial phase.
  • How: This principle can be applied by first categorising risks according to their severity using a risk matrix or a similar tool. More resources can then be directed towards managing high-severity risks, with more formal processes and thorough documentation, while lower-severity risks can be managed with less formality and documentation.

Overview of Quality Risk Management Process

The diagram represents a model for quality risk management, although other models may also be applicable.

A thorough process will consider all elements at a detailed level corresponding with the specific risk. In the context of clinical trial vendor risk management, this systematic approach ensures comprehensive evaluation and management of risks associated with vendor services, enhancing overall trial quality and patient safety.

Quality risk management activities are carried out by interdisciplinary teams comprising experts from various domains. There should be key decision-makers with the responsibility for coordinating quality risk management activities across the organisation, ensuring the process is well-defined, deployed, and reviewed.

Initiating a Quality Risk Management Process

This step designs a systematic process to facilitate science-based decision-making about risk. Key steps include defining the risk or problem, collecting background information, identifying a leader and the necessary resources, and specifying a timeline and deliverables for the risk management process.

Risk Assessment

Risk assessment means identifying hazards and analysing and evaluating the risks associated with those hazards. It requires a well-defined problem or risk question and employs a suitable risk management tool or program.

The process includes hazard identification, risk analysis, and risk evaluation, aiming to answer three critical questions:

  • What might go wrong?
  • What is the likelihood of it going wrong?
  • What are the consequences?

Risk Control

Risk control involves decision-making to reduce or accept risks, with the goal of bringing the risk to an acceptable level. This process may involve risk reduction strategies and evaluating whether new risks are introduced as a result of controlling identified risks.

Risk acceptance is a decision made when risk can’t be eliminated, even with the best practices.

Risk Communication

Risk communication is sharing information about risk and risk management between decision-makers and other stakeholders at all stages of the risk management process. This process ensures all relevant parties are informed about the existence, nature, probability, severity, and acceptance of risks to quality.

This is crucial in the area of vendor management, where all parties need to be working in unison to ensure that mitigation strategies are implemented as intended.

Risk Review

Risk management is a continuous activity within the quality management system and requires a mechanism for reviewing or monitoring events. Reviews should account for new knowledge and experiences.

The frequency of these reviews should be based on the level of risk. Risk reviews could involve revisiting previous risk acceptance decisions.

Formality in Quality Risk Management

Formality in quality risk management varies and is influenced by factors such as the uncertainty, importance, and complexity of the risk-based decision. A higher degree of formality is characterised by:

  • structured quality risk management processes,
  • the use of tools,
  • cross-functional teams,
  • and experienced facilitators.

A lower degree of formality may not require these aspects.

In clinical trial vendor risk management, the level of formality in quality risk management can be determined by the significance and complexity of the vendor’s role. For instance, a vendor that:

  • provides services that impact a study Critical to Quality Factor, such as data management; or
  • performs a regulatory responsibility, such as writing the Investigator’s Brochure,

requires a higher level of formality, involving a cross-functional team, structured processes, and detailed documentation to ensure comprehensive risk assessment and control.

Risk-Based Decision-Making

Risk-based decision-making is integral to quality risk management and is influenced by the level of formality in the process. It involves making decisions based on: hazards, risks, risk controls, residual risk acceptance, and communication.

In the context of clinical trial vendor risk management, risk-based decision-making is essential when choosing vendors, determining the level of oversight required, and deciding on mitigation strategies for identified risks.

For instance, a vendor handling sensitive patient data may require a higher level of oversight and stricter data security controls due to the high importance and potential risks associated with data breaches.

Managing and Minimising Subjectivity

Subjectivity impacts the quality risk management process and must be controlled by addressing bias and assumptions, using quality risk management tools effectively, and utilising relevant data and sources of knowledge to mitigate bias and assumptions.

In clinical trial vendor risk management, subjectivity can be minimised by ensuring clear definitions of risk questions, designing effective risk scoring scales, and incorporating diverse perspectives from cross-functional teams.

For instance, potential bias in vendor selection can be mitigated by using a standardised scoring system based on objective criteria such as past performance, cost-effectiveness, and data security measures.

In Summary

The new FDA guidance on quality risk management provides valuable principles and tools that can be applied to clinical trial vendor risk management. Through evaluation of:

  • risk to patient safety,
  • risk to study data integrity,
  • allocation of resources proportional to risk severity, and
  • a comprehensive quality risk management process,

clinical trial sponsors can identify, assess, and control potential risks associated with vendor services.

Formality, risk-based decision-making, and the management of subjectivity are crucial aspects of quality risk management. The level of formality is determined by the significance and complexity of the risk, with more critical risks requiring more structured processes and experienced teams.

Risk-based decision-making is fundamental, as it helps decide on vendor selection, the degree of oversight, and mitigation strategies. Meanwhile, managing subjectivity helps ensure objective and unbiased decisions.

The use of standardised risk management tools and the incorporation of diverse perspectives from cross-functional teams can help minimise potential bias and subjectivity in risk assessment and decision-making processes.

A robust quality risk management process with a focus on continuous review and improvement and effective risk communication can significantly enhance the effectiveness of clinical trial vendor risk management.

In a world where the quality and integrity of clinical trials are of paramount importance, the objective of effective vendor risk management is to ensure that every step taken is in the best interest of patient safety and overall trial quality.

This approach ensures a high level of assurance in the safety and data quality of the clinical trials, ultimately leading to improved patient outcomes.

A word on Mayet

If you made it this far, thank you, and I hope that there was value for you in this article. We designed Mayet’s centralised risk management module for vendors to achieve all the aspects that are detailed in this guidance from the FDA and previous other guidance and regulations for quality risk management. It is a single point of truth for assessing and controlling risks related to outsourced activities. If this can be of value to you, check out our website or contact us.

Tom Lazenby

Tom is the Founder and CEO of Mayet. Using his experience in streamlining operations and driving innovation in clinical research, Tom is dedicated to enhancing the efficiency, cost-effectiveness, and risk mitigation strategies for vendor management and oversight.
