Risk Management Frameworks for Vendor Risk Management – Part 3

Published: 2023/10/11 Last updated: 2024/04/04 By: Tom Lazenby

Welcome back to the concluding part of our three-part series, “Risk Management Frameworks for Vendor Risk Management.” In [Part 1] we introduced you to fundamental risk management methodologies like flowcharts, check sheets, process mapping, cause and effect diagrams, and Failure Mode Effects Analysis (FMEA). [Part 2] delved into more advanced techniques such as Failure Mode, Effects, and Criticality Analysis (FMECA), Fault Tree Analysis (FTA), and Hazard Analysis and Critical Control Points (HACCP).

In Part 3, we will discuss another set of advanced risk management methodologies:

  • Hazard Operability Analysis (HAZOP)
  • Preliminary Hazard Analysis (PHA), and
  • Risk Ranking and Filtering.

We will round up with a comprehensive example of how all the tools in this series can be used to create robust risk management for your vendor management and oversight.

Hazard Operability Analysis (HAZOP)


HAZOP is a structured and systematic technique for identifying risks in the design and operation of processes, and it can be applied to clinical trials.


HAZOP helps in identifying potential hazards and operability issues in your clinical trials before they can cause damage or compromise the trial’s integrity.


HAZOP is beneficial during the planning phase of clinical trials to identify and mitigate potential risks associated with operational and procedural aspects.


To conduct a HAZOP, first define the scope and boundaries of the study. Then, identify the potential deviations from the intended operational conditions. Assess the possible causes and consequences of each deviation and develop risk reduction measures accordingly.

In planning a clinical trial involving new data collection software, a team conducts a Hazard Operability Analysis (HAZOP). The focus areas include data backup and data entry, with identified deviations being “failure in data backup” and “inaccurate data entry.”
Potential causes for backup failure could range from software malfunction to insufficient storage or poor internet connectivity, while inaccurate data entry might result from human error, software bugs, or unclear protocols. These could respectively lead to loss of crucial trial data or incorrect data analysis, possibly resulting in trial delays or inaccurate results.
To mitigate these risks, the team decides to implement measures like regular manual checks for data backup, redundant storage systems, comprehensive staff training, and clear data entry instructions. This HAZOP process enables the team to proactively manage risks and ensure the smooth operation of the trial.

Preliminary Hazard Analysis (PHA)


PHA is a semi-quantitative analysis that is carried out to understand the possible hazards and their effects in the initial design and development phase.


PHA helps in early identification and ranking of potential hazards associated with a system or process, providing an opportunity for proactive risk management.


PHA should be conducted in the early stages of clinical trial design and vendor selection to identify possible hazards and implement necessary controls.


Begin a PHA by listing potential hazards associated with the system or process. Assess the severity and likelihood of each hazard, and determine the risk rating. Use these ratings to prioritize hazards for further detailed analysis and risk reduction efforts.

The trial team embarks on a collaboration with a new medical device vendor for a clinical trial and leverages a Preliminary Hazard Analysis (PHA) for risk management. Key potential hazards identified include equipment failure (due to manufacturing defects, wear and tear, or software issues) and incorrect device usage (arising from inadequate training or user misunderstanding).
Both these hazards carry significant risks; equipment failure could compromise patient safety and the integrity of trial data, leading to serious trial delays. Incorrect device usage poses similar threats, possibly leading to invalid trial data and endangering patient safety.
To mitigate these risks, the team introduces stringent vendor vetting processes, emphasizing the vendor’s quality control practices and device failure rates. Additionally, comprehensive device training programs for trial staff are implemented, including hands-on training and continuous learning initiatives. This proactive approach, informed by the PHA, ensures trial safety and reliability.

Risk Ranking and Filtering


Risk ranking and filtering is a method used to prioritize and rank risks based on their relative significance.


This method allows you to focus your risk management efforts on the most significant risks to your clinical trials.


Risk ranking and filtering can be used throughout the vendor management process, but it’s particularly valuable during the risk evaluation stage after risks have been identified.


To perform risk ranking and filtering, first identify the risks. Then, determine their relative importance by considering factors like severity, likelihood, and detectability. Rank the risks based on these factors, and focus your risk management resources on the highest ranked risks.

In a collaboration with a clinical data management vendor, a clinical trial team identifies several potential risks, including data breaches, data loss, and inaccurate data entry. Each of these risks presents a unique challenge, such as compromising patient confidentiality, delaying trial outcomes, or skewing data interpretation, respectively.
To manage these effectively, the team employs a risk ranking and filtering technique. This systematic approach ranks risks based on criteria such as likelihood of occurrence, severity of impact, and ease of detection.
For instance, a data breach might be rated as having a high likelihood of occurrence, a severe potential impact, and low detectability, placing it at the top of the ranking. This ranking allows the team to prioritize and allocate resources effectively, focusing first on the highest-ranked risks to ensure successful trial execution.
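The ranking and filtering step described above, worked through in code as an added example (not code from the original post or from Mayet): each risk is scored on severity, likelihood and detectability, ranked, and filtered against a treatment threshold. The 1-to-5 scales, the threshold value and the three sample risks are constructed assumptions for illustration.

```python
# Added example: score, rank and filter vendor risks on severity, likelihood
# and detectability. Scales, threshold and the sample register are constructed.
from dataclasses import dataclass

# Ordinal 1..5 scale, an assumption for this example.
LEVEL = {"low": 1, "medium": 3, "high": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    severity: str       # impact on patients or trial data if it occurs
    likelihood: str     # chance of occurrence
    detectability: str  # how readily it is noticed before harm is done


def score(risk: Risk) -> int:
    """Severity x likelihood x inverted detectability.

    Detectability is inverted so that a risk which is hard to notice scores
    higher: it stays uncontrolled longer (the same logic as an FMEA RPN)."""
    s = LEVEL[risk.severity]
    l = LEVEL[risk.likelihood]
    d = 6 - LEVEL[risk.detectability]  # low detectability -> 5, high -> 1
    return s * l * d


def rank(risks):
    """Highest score first; ties broken by severity so that patient-safety
    impact outranks frequency when totals are equal."""
    return sorted(risks, key=lambda r: (score(r), LEVEL[r.severity]), reverse=True)


def filter_risks(risks, threshold):
    """Keep only the risks at or above the threshold for immediate treatment;
    the remainder are recorded and re-assessed at the next review."""
    return [r for r in rank(risks) if score(r) >= threshold]


# Constructed register, following the data-management vendor scenario above.
REGISTER = [
    Risk("data breach", severity="high", likelihood="high", detectability="low"),
    Risk("data loss", severity="high", likelihood="medium", detectability="high"),
    Risk("inaccurate data entry", severity="medium", likelihood="high", detectability="medium"),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{score(r):4d}  {r.name}")
    print("act now:", [r.name for r in filter_risks(REGISTER, threshold=40)])
```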

Integrating All the Tools

In our scenario, a clinical trial team is working with a new Contract Research Organization (CRO) to conduct a multi-centre clinical trial for a novel cardiovascular drug.

The objective is to ensure the CRO maintains protocol compliance, regulatory standards, and quality measures across all sites, ensuring patient safety and data integrity.

1. Planning

The team defines the scope and objectives of the risk assessment. Utilising flowcharts, they visually map out the drug trial process, indicating steps like patient recruitment, drug administration, data collection, and reporting.

An identified risk is possible inconsistencies in patient recruitment procedures across different sites.

2. Identification

With a map of the process, the team uses Process Mapping and Check Sheets to gather more detailed data on potential risks. This includes tracking variables like patient demographics, the number of ineligible patients, and drop-out rates.

Using the Preliminary Hazard Analysis (PHA) technique, they identify potential hazards such as the risk of inaccurate data entry by the CRO.

3. Evaluation

The team then evaluates the identified risks using the Failure Mode Effects Analysis (FMEA) methodology. For example, for the risk of inaccurate data entry, they assess the severity (e.g., the impact on trial results), occurrence (e.g., the likelihood of the risk happening), and detectability (e.g., how easy it would be to detect the issue).

4. Analysis

For a more detailed understanding, the team carries out Failure Mode, Effects, and Criticality Analysis (FMECA), which considers the criticality of each risk.

Additionally, they employ Hazard Operability Analysis (HAZOP) to study the impact of deviations from the planned process.

For instance, they might examine the implications if the CRO uses a different data entry system than what was agreed upon.

5. Decision/Mitigation

After a thorough analysis, the team uses the Risk Ranking and Filtering method to prioritise risks. They then decide that the risk of inaccurate data entry needs immediate action due to its high impact on the integrity of the trial results.

For such high-priority risks, they apply the principles of Hazard Analysis and Critical Control Points (HACCP) to create control points like regular data audits to ensure data quality.

6. Review

Finally, the team employs Fault Tree Analysis (FTA) and Cause and Effect Diagrams in their review process.

If inaccurate data entry does occur, FTA would help them identify its root cause, while Cause and Effect Diagrams help them understand how this risk interacts with other factors, enabling continuous improvement of their risk management process.

Through this detailed and dynamic approach, the clinical trial team ensures effective risk management, safeguarding the integrity, quality, and safety of the trial.


In this three-part series, we covered various risk management frameworks in detail, each uniquely equipped to handle specific facets of vendor risk management in clinical trials.

By interweaving fundamental methodologies with advanced techniques, we have demonstrated the importance of proactive and comprehensive risk management.

As we conclude, I hope this series has equipped you with the knowledge to manage vendor risks effectively, ensuring the success of your clinical trials and ultimately enhancing patient safety and data integrity.

Tom Lazenby

Tom is the Founder and CEO of Mayet. Using his experience in streamlining operations and driving innovation in clinical research, Tom is dedicated to enhancing the efficiency, cost-effectiveness, and risk mitigation strategies for vendor management and oversight.
