Risk Management (QRM) – Risk Register & Controls

This topic is part of the SG Systems Global regulatory & operations glossary.

Updated October 2025 • QMS, Compliance & Operations • QA, Manufacturing, Engineering, Supply Chain, IT/OT

Quality Risk Management (QRM) is the structured, documented approach for identifying, assessing, controlling, and monitoring risks that could impact product quality, patient/user safety, regulatory compliance, or supply performance. In a modern, digital operation, QRM lives as a governed record—often a Risk Register—and connects directly to SOPs, CAPA, MOC/Change Control, and routine monitoring such as CPV and SPC. It is recognized across frameworks including QMSR, ISO 13485, GMP and ICH Q10.

“QRM is not a paperwork exercise—it is how an organization decides where to build controls, how strong to make them, and how to prove they work.”

TL;DR: QRM turns uncertainty into managed action. Build a living Risk Register that catalogs hazards, rates severity/occurrence/detectability, defines controls (engineering, administrative, PPE), and links to CAPA, MOC, and monitoring (CPV/SPC). Prioritize with FMEA/PFMEA, HAZOP, or HACCP. Govern it under Document Control with unalterable audit trails per 21 CFR Part 11/Annex 11. Success = fewer incidents, faster changes, stable capability, and clean inspections.

1) What QRM Is—and Isn’t

Is: A repeatable, evidence-based method to focus limited resources on the most significant risks to quality and compliance. It connects strategy (tolerability criteria) to operations (controls in MES/WMS/labs) and to governance (approvals, training, trending).

Isn’t: A one-time workshop, a static spreadsheet, or a way to justify weak controls. If a “risk acceptance” doesn’t survive Internal Audit or QA disposition, it isn’t QRM—it’s wishful thinking.

2) Where QRM Applies

3) The Risk Register—Your Living Source of Truth

A practical Risk Register is more than a list; it’s a model of your controls. Typical fields include:

  • Risk ID & Title (unique code; concise, outcome-oriented title).
  • Process/Scope (e.g., “Weigh & Issue,” “Aseptic Fill,” “Directed Picking,” “Dock Loading”).
  • Hazard & Harm (what can go wrong, who/what is impacted—patient, consumer, operator, compliance, brand, supply).
  • Causes/Failure Modes (link to FMEA/PFMEA entries).
  • Current Controls (engineering interlocks in MES/WMS, SOP steps, PPE, monitoring, supplier controls).
  • Ratings (Severity, Occurrence, Detectability), RPN or risk matrix position; rationale and evidence.
  • Residual Risk after proposed actions, with acceptance criteria aligned to QMS policy.
  • Actions/Owners/Due Dates (CAPA/Change Control links; training references to SOP updates).
  • Effectiveness Checks (SPC charts, capability targets Cp/Cpk, audit schedules, EM limits).
  • Traceability (links to eBMR steps, Lot Traceability, SSCC flows).

Keep the register under Document Control with complete audit trails; require signed approvals per Part 11/Annex 11. Version the register and maintain a change history so you can show how risk posture evolved following incidents or product changes.

4) Risk Language—Scales, Criteria, and Evidence

Define your scales once and apply consistently:

  • Severity—impact to patient/user safety, quality, compliance, or supply. Calibrate the top of the scale with worst credible harms.
  • Occurrence—likelihood before/after controls; anchor with data (SPC, field complaints, supplier PPM, OEE loss modes).
  • Detectability—chance to detect/prevent before release (automated interlocks score better than manual checks).
  • Acceptance Criteria—what counts as “low,” “medium,” “high,” and who can approve residual risk. Tie to escalation (MRB, QA leadership, QP).

Every rating must cite evidence: control charts, MSA results, sampling plans, inspection data, device logs, or audit outcomes. “Because we think so” is not an acceptable rationale in regulated industries.

5) Identification & Assessment Techniques

  • FMEA / PFMEA: enumerate failure modes, effects, causes, and controls. Prioritize by RPN or a hybrid (S×O matrix plus a detectability gate). See FMEA and PFMEA.
  • HAZOP: node‑by‑node process deviations using guidewords (more/less/of/other). See HAZOP.
  • HACCP: hazard analysis, CCPs, and monitoring limits for food safety environments; integrate with Allergen Control.
  • Historical Signals: deviations/NCRs, NCMRs, OOS/OOT, returns, customer complaints.
  • Scenario Analysis: what‑if cases across NPI, scale‑up, equipment change, supplier change, or software upgrades (CSV).

6) The Hierarchy of Controls—Design Before Procedure

Effective QRM favors the top of the hierarchy:

  • Elimination/Substitution—remove the hazard or choose safer materials.
  • Engineering Controls—machine guards, recipe‑driven interlocks, scanner checks, automated set‑points in MES/WMS.
  • Administrative Controls—SOPs, training, LPAs, line-clearance.
  • PPE—last line of defense (PPE requirements encoded in work instructions and enforced by sign‑offs).

Whenever an administrative control is selected over an engineering control, record the justification and residual risk—auditors will ask why “procedure” was chosen over “design.”

7) Design for Quality—QRM Meets QbD & Recipes

Build controls into the product and process design, not around them. Use QbD to identify critical material attributes and process parameters early; encode them in the Master Recipe and eBMR with verifiable limits, device configurations, and identity checks. The result: consistent execution with digital proof of control.

8) Operational Controls in MES & WMS—From Paperless to Proof

9) Monitoring, Trending & Verification

Risk control is proven in data. Monitor with SPC, capability targets (Cp/Cpk), CPV, environmental counts (EM), inventory accuracy, and outbound DPPM. Integrate signals from NCRs, NCMRs, RMAs, and customer complaints. Tie effectiveness checks back to the register item that drove the CAPA or change.

10) Governance—Roles, Reviews, and Records

  • QA owns methodology, acceptance criteria, and approvals; escalates high risks.
  • Process Owners own controls in their areas and the ongoing evidence that those controls work.
  • QC owns analytical risk (methods, MSA, OOS/OOT pathways).
  • Supply Chain/SCM owns supplier risk, Quality Agreements, and SCAR.
  • IT/OT owns data integrity, access control, and system validation (CSV).

Run periodic QRM reviews as part of management review under QMSR. All risk records must sit under Document Control with audit trails and e‑signatures.

11) Lifecycle—From Identification to Effective Control

  1. Identify (signals, workshops, design reviews, supplier changes).
  2. Assess (FMEA/HAZOP/HACCP, scale/rationale documented with data).
  3. Control (choose controls per hierarchy; encode into MES/WMS/SOPs).
  4. Change (via MOC/Change Control, with training and an effectiveness plan).
  5. Verify (SPC/CPV trends, audits, LPAs, layered audits).
  6. Review (periodic risk review; update the register; retire controls that no longer add value).

12) Supplier & Logistics Risk—Beyond the Factory Walls

Supplier changes ripple into your risk profile. Encode expectations in Quality Agreements, enforce ASN data quality, and track performance issues with SCAR. Downstream, transportation and labeling risks are mitigated through SSCC, compliant fulfillment, and a bin/zone topology that prevents mix‑ups.

13) KPIs—Is Your QRM Working?

  • Risk Reduction Velocity: % high risks reduced to medium/low per quarter.
  • Action Timeliness: on‑time completion for CAPA/changes tied to high risks.
  • Effectiveness Rate: % actions passing predefined effectiveness checks.
  • Recurrence: repeat deviations for risks marked “controlled.”
  • Detection Health: % controls automated vs manual; missed scan/step rates.
  • Audit Outcomes: number and severity of QRM‑related observations.

14) How This Fits with V5 by SG Systems Global

V5 Solution Overview. The V5 platform is designed for risk‑based control. Configuration is versioned, evidence is attributable, and cross‑module interlocks (identity, status, signatures) are testable and reportable—ideal for QRM governance and life‑cycle control.

V5 QMS. In the V5 QMS, Risk Registers, FMEA/PFMEA, CAPA, and MOC live under Document Control with e‑signatures and audit trails. Periodic reviews, KPIs, and effectiveness checks are generated from the same system that governs production.

V5 MES. In the V5 MES, risk‑derived controls become executable steps: line‑clearance challenges, mandatory scans, recipe limits, device integrations, and signature holds—exactly the controls regulators expect to see enforced in the eBMR.

V5 WMS. In the V5 WMS, risk controls are operationalized as bin/zone rules, FEFO/FIFO allocation, label verification, SSCC/serialization flows, and quarantine rules that prevent release of nonconforming stock.

Bottom line: V5 turns QRM from a spreadsheet into a living control system—the same interlocks proven in risk assessment are enforced every minute in manufacturing and warehousing.

15) FAQ

Q1. Do we need separate Risk Registers for design, process, and warehouse?
Use a single, governed register with views by domain (design/process/lab/warehouse). Link to domain FMEAs and controls in MES or WMS.

Q2. RPN vs. risk matrix—which is better?
Either can work. Many organizations prioritize by Severity × Occurrence while using Detectability as a gate (e.g., high‑S items must gain engineered detection). Whatever you choose, define thresholds and apply consistently.
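As an added illustration (not SG Systems Global’s or V5’s code), the following constructed Python model applies the rating rules from section 4 and this answer: RPN, a Severity × Occurrence matrix position with Detectability as a gate on high‑severity items, the “procedure over design” justification from section 6, and the approval routing from Q4. The 1–5 scales, band edges, thresholds and sample register entries are assumptions, not values from the page.

```python
from dataclasses import dataclass, field

# Scale assumptions for this constructed example (1 = best, 5 = worst); actual scales and thresholds come from QMS policy.
HIGH_SEVERITY = 4        # assumed: S >= 4 is a "high-S" item that must gain engineered detection
ENGINEERED_DETECT = 2    # assumed: D <= 2 means an automated interlock/scan catches the failure

@dataclass
class RiskItem:
    risk_id: str
    title: str
    severity: int
    occurrence: int
    detectability: int
    control_type: str              # "engineering", "administrative" or "ppe" (hierarchy of controls)
    evidence: list = field(default_factory=list)   # control charts, MSA, device logs, audit outcomes...
    justification: str = ""        # required when procedure/PPE is chosen over design

    def rpn(self) -> int:
        return self.severity * self.occurrence * self.detectability

    def matrix_level(self) -> str:
        """Severity x Occurrence matrix position; band edges are assumed for this example."""
        so = self.severity * self.occurrence
        return "high" if so >= 15 else "medium" if so >= 8 else "low"

def detectability_gate_ok(item: RiskItem) -> bool:
    """Q2 gate: high-severity items need engineered detection, not a manual check."""
    if item.severity < HIGH_SEVERITY:
        return True
    return item.control_type == "engineering" and item.detectability <= ENGINEERED_DETECT

def evaluate(item: RiskItem) -> dict:
    """Rate an item and list what QA would reject before signing residual risk."""
    findings = []
    if not item.evidence:
        findings.append("rating cites no evidence")
    if not detectability_gate_ok(item):
        findings.append("high-S item lacks engineered detection")
    if item.control_type != "engineering" and not item.justification:
        findings.append("procedure/PPE chosen over design without justification")
    level = item.matrix_level()
    escalate = level == "high" or item.severity >= HIGH_SEVERITY   # Q4: high-severity escalates
    approvers = ["QA leadership", "QP (EU markets, if applicable)"] if escalate else ["process owner", "QA"]
    return {"level": level, "rpn": item.rpn(), "approvers": approvers, "findings": findings}

# Constructed sample entries, not from any real register.
WEIGH_ISSUE = RiskItem("R-001", "Wrong material dispensed at Weigh & Issue", 5, 2, 1,
                       "engineering", ["MES barcode interlock log", "SPC on dispense variance"])
LINE_CLEAR = RiskItem("R-002", "Residual labels after line clearance", 4, 3, 4,
                      "administrative", ["LPA results Q1"])
```

Note that R-002 has the higher RPN but would be rejected on the gate regardless of the number, which is the point of using Detectability as a gate rather than a multiplier.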

Q3. How is QRM different from CAPA?
QRM proactively prevents issues by designing controls; CAPA reacts to specific failures. They meet when a high risk triggers CAPA or when an RCA recommends changes to the register, controls, or SOPs.

Q4. Who approves residual risk?
Define in policy. Typically the process owner and QA sign low/medium; high‑severity items escalate to QA leadership and, when applicable, the QP for EU markets.

Q5. How often should we review the Risk Register?
At least annually, and ad‑hoc for triggers: new product, major change, repeated deviation, audit finding, or trend break in CPV/SPC.

Q6. When is PPE acceptable as the primary control?
Only when higher‑order measures (eliminate/substitute/engineer) are not feasible. Justify in the register and ensure training and compliance monitoring.

Q7. How do we show QRM to inspectors?
Present the policy, the register, examples of high‑risk items with actions and effectiveness checks, and how those controls appear in the eBMR/WMS with signed records and audit trails.

Q8. How does supplier risk plug into our QRM?
Use the same scales/criteria. Capture supplier hazards, require controls in the Quality Agreement, monitor via ASN accuracy and incoming defects, and escalate with SCAR as needed.

Related Reading
• Risk & Investigations: FMEA | PFMEA | HAZOP | HACCP | RCA | CAPA
• Governance & Records: QMSR | Document Control | Audit Trail (GxP) | 21 CFR Part 11 | Annex 11
• Execution & Controls: MES | WMS | eBMR | Label Verification | Serialization | SSCC
• Monitoring & Capability: SPC Control Limits | CPV | Process Capability (Cp/Cpk)