top of page

Risk Management Exercise 2 - Risk Reviews

Updated: Feb 17, 2022

The second in our "Risk Management Toolkit" series looks at Risk Reviews.


Regular risk reviews should be a feature of any clinical study plan as specified in ICH E6(R2) Quality Management process step 5.06. In addition to regular scheduled review meetings, a full review of risks should be conducted when there is a significant change (e.g. a protocol amendment) or event occurrence (e.g. a risk

is triggered).

A significant benefit is that risk reviews help your team to understand what might go wrong, when, how, and what they should do about it. Talking about these things in advance improves communication and means teams are better prepared and able to execute correctly under pressure.

Review objective

The objective for this meeting is to review the previously identified study risks to see if they are still valid, and if they are, to review and assess any changes. Those changes could be to the risk itself, or in the risk-related data that indicates it is becoming more or less likely. If the likelihood of a risk occurring is increasing, you need to identify any mitigating or avoiding options.

The meeting should also identify any new potential or actual risks to the study.

Setting up the exercise for success

How you communicate, categorize, and manage risks is crucial. For example, most organizations make assessments on the likelihood and impact of a risk occurring. Typically, these are rated as high, medium, or low. The best organizations also include a third attribute: detectability. This is very important where risks are hard to detect. That’s obviously because if a risk is hard to detect, how will you know if it has occurred?

One key to success is sending out accurate and up-to-date data for review a week before the meeting to give participants time to review, reflect and prepare.

Ideally the meeting would be run by a facilitator who doesn’t have any direct involvement with the study to minimize bias and provide robust challenge to the team. As with other types of risk exercise, if there isn’t an objective external view, then there is a real possibility of biases affecting judgement. It’s practically impossible for people to mark their own homework objectively.

Running the exercise

Depending how many risks your study has, you may need to split the review over more than one session. That’s because you need time to review every risk and still have enough time to ‘horizon scan’ and discuss new potential or actual risks.

Start with your high likelihood, high impact, hard to detect risks for obvious reasons. For each risk, test the ratings through structured challenge questions tailored to your study and agreed in advance.

For example: Why is the likelihood high? What assumptions are we making? Why is the impact high? What are the implications (safety, cost, time etc.) if the risk does occur? Why is it hard to detect? What detection measures, proxies or indicators could we put in place? Are there any actions we could take that would avoid the risk happening? If the risk does occur, what mitigation actions could we take?

If you think about the time needed to discuss, debate, and agree on the answers to the questions above, you can see why this is not a quick exercise. You can also see why the independent challenge of an external facilitator is important. Too many of us have sat in risk reviews where someone senior says, “That’ll never happen” or “That’s not important” and any sensible discussion is squashed.

Once you have been through the documented risks, you need to ask the “Is there anything else?” question. There could be new risks emerging from competitors, suppliers, market conditions, regulation, or new technology. An open forum discussion is more likely to result in effective risk identification.

The output from the risk review should be an updated risk log. However, (and I’m sure you’ve all seen this) there is the potential for this document to be seen as an academic or tick-box exercise that gathers virtual dust in a long-forgotten shared folder. The risk log should be a living document, with actions, deadlines, resources attached, and managed to ensure delivery on the actions. Without those, you’re increasing your study risks through negligence.

A great question that focuses minds is this: “If this risk occurs, there will be a morning after. On that morning after, what will we wish we’d done?”


Running a risk review can be time-consuming and challenging. But it can save you when things go wrong. I say “when” and not “if” because studies take place in the real world and there isn’t a study yet that hasn’t had something go wrong. Minimizing the likelihood and impact through good risk management will minimize your regrets on ‘the morning after’.

And, as with other risk exercises, you’ll get better and faster at it the more you do. When people see good risk management is important to you and your organization, you’ll be creating the quality culture set out in ICH E8(R1).


bottom of page