Risk-Based Quality Management (RBQM) – From Risk Identification to Risk Evaluation

In our previous Risk-Based Quality Management (RBQM) newsletter, we looked at how to identify meaningful risks around each Critical to Quality Factor (CTQF) by clarifying three key elements: what could happen, why it could happen, and what the consequence would be if it does.

That step is essential. But once risks have been identified and described clearly, the next question is:

Which of these risks really need additional attention, and why?

This is where risk evaluation comes in. It is a step that is sometimes misunderstood, because risk evaluation is not just about assigning numbers. It is about stepping back and asking, in a structured way:

  • How likely is this to happen?
  • If it happens, how serious would it be?
  • How easy or difficult would it be to detect early enough to act?
Only then can we start to prioritize risks proportionately and decide where additional controls may actually be needed.

Risk evaluation is about relative significance

After risk identification, risks need to be evaluated for their relative significance.

The goal is not to create a mathematical exercise for its own sake. The goal is to understand which risks matter most in the context of the trial, considering the organization’s risk tolerance and the controls that already exist. This point is important.

In clinical trials, many common risks are already partly managed through existing processes such as SOPs, training, routine data checks, monitoring, QC activities, system validations, and standard vendor oversight activities, among others.

So when we evaluate a risk, we should not do so in a vacuum. We should evaluate it considering the existing controls already in place. That is exactly what makes the evaluation more realistic, and much more useful.

What are we scoring?

A practical way to evaluate each identified risk is to look at three dimensions: Likelihood (or Probability), Impact (or Severity), and Detectability.

A practical scoring approach

One commonly used method is to assign a score to each of the three dimensions:

  • Likelihood (L)
  • Impact (I)
  • Detectability (D)

and then calculate a Risk Priority Number (RPN): RPN = L × I × D

This helps compare risks in a more structured way and supports relative prioritization, especially when the scoring criteria and rationale are documented consistently in Risk-Based Quality Management (RBQM) software.

For example, many organizations use simple scoring scales such as 1 to 3, or more detailed ones such as 1, 4, 7, 10.

See the example of a Risk Scoring Scale below (Ref. Quality Risk Management Framework. Therapeutic Innovation & Regulatory Science 2019. Vol 53(1) 36-44).

[Image: example risk scoring scale]

The exact scale is less important than the logic behind it. What matters is that the criteria are clear, consistently applied, and meaningful for the organization and the study.

What matters more than the score itself

It is tempting for teams to focus too much on the final number. But in practice, the most important part of risk evaluation is not the multiplication. It is the discussion behind the scoring.

That discussion should raise challenging questions such as:

  • Are we scoring likelihood based on reality, or on assumptions?
  • Are we considering the controls already in place?
  • Are we being honest about detectability?
  • Are we overestimating our ability to identify issues in time?
  • Are we focusing impact on what matters most to participants and data reliability?

A well-facilitated evaluation discussion is often more valuable than the number it produces. The score is useful. But the reasoning behind it is what really strengthens the quality of the assessment.

Evaluating risks with existing controls in mind

This is one of the most important principles in risk evaluation. Risks should be evaluated considering existing controls already in place. Why? Because clinical trials are not built from zero. There are already many standard processes that reduce likelihood, improve detectability, or limit impact.

If we ignore those controls, we may overestimate risk and waste effort managing issues that are already adequately contained.

On the other hand, if we overestimate the effectiveness of existing controls, we may underestimate risks that actually deserve more attention.

So the real question is not simply “How risky is this event?”. It is “How risky is this event in this specific study, with these existing controls, and these operational realities?”. That is a much better RBQM question.

From evaluation to prioritization

Once risks are scored, they can be prioritized. The purpose of prioritization is simple: to focus additional risk control efforts on the risks that matter most.

In general, the risks that deserve the most attention are those that are more likely to occur, more difficult to detect in time, or more serious in their potential impact.

This helps teams avoid two common problems: trying to control everything equally and spending too much time on low-value risks that are already adequately managed.

RBQM is not about creating more controls everywhere. It is about being more deliberate and proportionate in where you place your attention.

What often goes wrong in practice

A few common weaknesses tend to appear in risk evaluation exercises:

  1. Scoring risks without considering existing controls. This usually leads to unrealistic prioritization.
  2. Treating detectability too superficially. A risk is not low priority just because someone might notice it eventually. The question is whether it would be detected early enough to act.
  3. Focusing too much on the number and not enough on the reasoning. A score without a good discussion behind it is not very useful.
  4. Applying the same level of attention to all risks. That is not proportionate and does not reflect the real purpose of RBQM.
  5. Forgetting that evaluation may change over time. Risk evaluation should be revisited as new information becomes available.

Final thoughts

Risk evaluation is where the risk assessment starts to become operational. It helps teams move from a list of identified risks to a more deliberate understanding of: which risks matter most, which are already reasonably controlled, and where additional effort is truly needed.

Used well, this step supports prioritization, proportionate control planning, and smarter oversight.

But it only works if teams evaluate risks realistically, with the existing controls in mind, and with an honest view of how detectable issues really are in practice.

Reflect on this

When your team evaluates risks, are you really considering the controls already in place and how detectable the issue would be early enough to act?

If not, your risk prioritization may be less robust than it appears.

-----

WiseCLIN is our purpose-built RBQM software designed to help sponsors implement risk-based quality management in a structured, traceable, and inspection-ready way. Aligned with the principles of ICH E6(R3), WiseCLIN supports proactive RBQM by connecting risk identification, evaluation, mitigation, review, and oversight in one practical workflow.


Thank You,

Dr. Leire Zuñiga – PharmD PhD

Co-Founder and CQO, Qlarix | Founder and Managing Director, Pharmity | Risk-Based Quality Management (RBQM) Expert.

20+ years experience in Pharma, Biotech, CROs. Skilled in Quality Management, Good Clinical Practice and Computerised System Validation.
