Top 22 Reasons Why Risk Assessments are so Difficult?

We all know the story, we need to validate a process/equipment/software so let’s use a risk based approach to apply scientific rationale and just test the components that are critical and key to enhancing patient safety and product quality.

In reality performing a successful quality risk management approach is very difficult and often leads to “Let’s just test everything”.

So why are risk assessment so difficult to get right?

Below are some of the key reasons why:

  1.   Fear of resistance – people do not like the unkown and putting their head on the chopping block for something that appears to be subjective.
  2.   Often commitment from senior management is limited they just want to see action.
  3.   Has to be in-built to company policy but often SOP’s are not detailed enough or more often too complicated to follow.
  4.   More often than not a tool such as MS Excel is used which is hard to control and maintain accurately.
  5.   Critical process aspects are not focussed on.
  6.   The incorrect risk process is not used (FMEA, HAZOP, FTA etc)
  7.   A lot of subjectivity and uncertainty.
  8.   SME’s not available or don’t want to take a risk.
  9.   Scoring systems are subjective.
  10. What does a certain score actually mean?

  11. Insufficient challenging of the controls.

  12. Difficult to translate output to a validation protocol.

  13. Lack of consistency to determine risk scores.

  14. Judgements based on individual, personal impressions, feelings and opinions rather than external facts.

  15. Risk assessment forms are long and difficult to fill out.

  16. Collaboration on assessments is difficult - SEM’s always too busy.

  17. Easy to say everything is high risk – Cover your back syndrome.

  18. Inability to break down complex process into simple manageable units.

  19. No facilitator or independent entity to manage the process.

  20. Too many contributors that don‘t add value.

  21. Lack of training on how to successfully perform a risk evaluation.

  22. Inability to challenge assumptions.

Have you say, please leave comments below.

On 15 you said risk assessment forms are long and difficult to complete. What reference document can I use to create this forms?

Refer relevant section of following references…
viz.,implementation of methadology section of

viz., appendix 1 of

vi., section 3 of QRM applications

ref. annex b…

if you are looking for some FMEA / or example forms, there are adequate examples on net.

even ICH qrm-ppts carry examples of same.

in my opinion, forms as such don’t make it difficult or design of forms do not introduce difficulties…
following the letter and spirit of ‘brain storming’ - ‘facilitation’ and ‘making the agenda/session specific to the product’, is what makes it a good job.
and during the course of QRM, team has to wear different hats of problem identification - cause - resolution …
hope this helps…

Thanks you for your prompt replay. It made the thread a lot more valuable.

Dear all,

I am new to this forum,
Can anyone please guide me on this - I have a challenge on how to assess periodic temperature mapping for a refrigerator using risk assessment ?
which tool is suitable FMEA, FTA, risk ranking & filtering ? I read ICH Q9 but couldn’t get much clarity on my case !:confused:
I am literally confused, please help



I’ve validated refrigerators a long time ago, but I’ll give it a go. You want to ultimately identify what the risk issues may be, and categorize and prioritize. I would brain storm what are all the temperature related functions are and how can they go wrong. An FMEA is a “bottom-up” method that starts with the most nested subsystems/components/functions. It lends itself to starting your examine at the functional level of how the temperature reporting may fails. Risk ranking is important to prioritize top risks. You can go from there and estimate your period for assessment based on the outcome of your validation. Anyone chip in??

I think you hit the “nail on the head” with this one. One area that seems like it is critical and rarely done is training HOW to do risk assessment. A good program of training can mitigate many of the issues I see. I also see where risk scores are not defined as to how you get to that score, which creates non-consistency and confusion. If an organization would train well on risk, and define what consistutes various risk levels, it would go a long way in improving the process.