Skip to content

From CTQFs to Risks: Understanding Cause-and-Effect in Risk-Based Quality Management (RBQM)

Dr. Leire Zúñiga, PharmD, PhDLeire Zúñiga

From CTQFs to Risks: Understanding Cause-and-Effect in Risk-Based Quality Management (RBQM)

In our previous issue, we focused on the first foundational step of Risk-Based Quality Management (RBQM): identifying Critical to Quality Factors (CTQFs). That was the starting point. But once a CTQF has been identified, the next question is just as important: What could go wrong around it?

This is where risk identification begins. And in practice, this is where many teams struggle. They know what is critical. But when they try to define the risks, the discussion often becomes too vague, too generic, or too focused on operational issues without clearly explaining why those issues matter.

From CTQFs to Risks: Understanding Cause-and-Effect in Risk-Based Quality Management (RBQM)

To identify risks properly, teams need to understand something very basic, but very important: Cause-and-effect. In other words:

  • What must work properly.
  • What could actually happen.
  • Why it could happen.
  • What the consequence would be if it does.

That is the logic that turns CTQFs into a meaningful risk assessment.

What are we identifying?

Before going further, it helps to keep the key concepts clear:

  • CTQF: what must work properly.
  • Risk event: what could actually happen. The event that, if it occurs, triggers the issue.
  • Hazard (cause): the potential source of harm. The cause or causes that may lead to the risk event.
  • Harm (negative impact): the damage or consequence that may result if the issue occurs.

This distinction matters. Because if we mix up the event, the cause, and the consequence, the risk statement becomes weak. And if the risk statement is weak, everything that follows becomes weaker too: scoring, mitigation, oversight, and review.

From CTQFs to Risks: Understanding Cause-and-Effect in Risk-Based Quality Management (RBQM)

Start with the event and the impact

A practical way to approach this for each selected CTQF is:

  1. Focus first on the risk event and its negative consequences.
  2. Draft the risk statement with this information.
  3. Insert the causes by asking: What are some of the causes of the risk event?.

I find this order particularly useful in workshops. Why? Because teams often start with causes like lack of training or protocol complexity, but those are not the risk itself. Those are contributing factors. It is usually much easier first to define: What could actually happen? Why would that matter?

And only then ask: What may cause that event to happen?

A hazard can lead to one or more harms

This is an important point. A hazard can lead to one or more harms, and the risk is what links the two. It describes how that hazard could lead to meaningful harm in the context of the trial.

The focus should always be on potential harm to:

  • Trial participants, including their rights, safety, and well-being.
  • The reliability of trial results.

And the focus should be on risks for the specific trial, not on generic risks that are common across all studies. That is where real RBQM starts to become useful, and where RBQM software such as WiseClin can help teams keep risk identification focused, consistent, and traceable.

A practical format for the risk statement

A simple format that works very well is:

If [RISK EVENT] occurs due to [CAUSE(S)], then this may lead to [NEGATIVE IMPACT].

This structure forces clarity. It helps the team describe the risk in a way that is specific enough to be evaluated, mitigated, reviewed, and linked to oversight later on.

Example

Let’s take a simple example:

  • CTQF: Valid enrollment of the appropriate study population.
  • Risk event: Ineligible participants are enrolled.
  • Harm: Participants may be exposed inappropriately, and study data may become unreliable.
  • Hazard: Inclusion and exclusion criteria are complex and may be misinterpreted by site staff.

Risk statement: If ineligible participants are enrolled due to misinterpretation of complex inclusion and exclusion criteria, then this may compromise participant safety and the reliability of study data.

Again, this is much more useful than writing something vague like: “Enrollment risk” or “Site eligibility issue”. Those statements are too broad to support meaningful action.

This is a useful risk statement because it is clear, logical, and specific to the study. It tells us: what could happen,  why it could happen, and why it matters.

What often goes wrong in practice

There are a few common weaknesses I see during RBQM discussions:

  • Teams describe the cause, but not the event. For example, they say “insufficient training” instead of explaining what that insufficient training may lead to.
  • Teams describe the impact too vaguely. For example, this may cause problems or may affect quality.
  • Teams stay too generic. They often identify common risks that apply across studies and are already controlled through routine processes, rather than focusing on the trial-specific risks that really matter.
  • And sometimes teams focus too much on operational inconvenience, rather than on the real impact on participant protection or reliability of trial results.

This is why the quality of the initial risk wording matters so much.

A simple prompt for teams

For each selected CTQF, ask:

  • What could actually happen?
  • What would be the consequence if it does?
  • What are some of the causes of that event?

Then express it as: If [RISK EVENT] occurs due to [CAUSES], then this may lead to [NEGATIVE IMPACT].

Simple, but extremely effective.

Final thought

Identifying CTQFs is the first step in RBQM. But the real value starts when teams can translate each CTQF into a clear understanding of cause-and-effect: what must work properly, what could go wrong, why,  and with what consequence.

That is what makes risk identification more robust. And that is what gives the next steps, risk evaluation, mitigation, review, and oversight, a much stronger foundation. Because if the risk is not clearly described at the start, it becomes very difficult to manage it well later.

Reflect on this

For each CTQF in your study, can your team clearly describe: what could actually happen, what the impact would be, and what may cause it?. If not, your risk assessment may still be too vague to support meaningful RBQM.

In our next issue, we will look at how to evaluate identified risks in a structured and proportionate way.

—–

WiseCLIN is our purpose-built RBQM software designed to help sponsors implement risk based quality management in a structured, traceable, and inspection-ready way. Aligned with the principles of ICH E6(R3), WiseCLIN supports proactive RBQM by connecting risk identification, evaluation, mitigation, review, and oversight in one practical workflow.

Contact us here to learn more or request a demo.

 

Thank You,

Dr. Leire Zuñiga – PharmD PhD

Co-Founder and CQO, Qlarix | Founder and Managing Director, Pharmity | Risk-Based Quality Management (RBQM) Expert.

20+ years experience in Pharma, Biotech, CROs. Skilled in Quality Management, Good Clinical Practice and Computerised System Validation.

Connect on LinkedIn

Related content