ICH Q9 Explained
The risk-based decision framework defined in ICH Q9 forms the foundation of Quality Risk Management (QRM) and defines how decisions are expected to be justified in GMP systems.
It does not introduce new GMP requirements.
It defines how decisions about those requirements should be justified.
The expectation is not elimination of risk.
The expectation is controlled and explainable risk.
Risk is inherent in pharmaceutical operations.
QRM ensures that risk is understood, evaluated, and managed consistently.
What QRM Means in GMP
Quality Risk Management determines how much control is appropriate for a given situation. This requires consistent interpretation of core concepts such as severity, likelihood, and detectability.
It supports decisions such as:
Level of investigation required
Extent of validation studies
Depth of change control review
Prioritization of deviations
Frequency of monitoring and review
QRM does not execute these activities.
It defines the basis for decision-making.
When applied correctly, QRM creates consistency.
Similar risks lead to similar decisions, regardless of who performs the assessment.
What ICH Q9 Is Not
QRM is often misunderstood in practice.
It is not:
A documentation exercise
A completed template
A justification tool for pre-made decisions
Risk tools document decisions.
They do not replace them.
FMEA sheets, risk matrices, and scoring systems are only meaningful if they reflect actual reasoning.
Completed templates without clear logic do not demonstrate control.
What This Means In Practice
Decisions should not depend on templates or individual judgement alone.
They should be based on:
Defined criteria
Available data
Process understanding
Impact to product quality and patient safety
Similar risks should lead to similar decisions.
Differences should be explainable based on impact, data, and uncertainty.
Inconsistent decisions are a common inspection concern - even when documentation appears complete.
Risk Management Process (High Level)
ICH Q9 defines a structured process for risk-based decision-making.
This includes identification, analysis, evaluation, control, review and communication.
These steps are not independent activities.
They form a continuous cycle that evolves as new information becomes available.
Risk assessments should be revisited when:
Process conditions change
New data emerges
Deviations or trends indicate instability
Static risk assessments do not reflect actual system behavior.
Why Proportionality Matters
The level of effort, control, and documentation should be proportional to risk.
High-risk situations require:
Structured assessment
Clear justification
Stronger controls
Low-risk situations should not be over-engineered.
In practice, this requires:
Defined thresholds for escalation
Alignment between risk level and control strategy
Consistent treatment of comparable scenarios
Common failures include:
Applying full risk assessments to low-risk issues
Bypassing structured assessment for high-risk decisions
Defaulting to standard templates regardless of context
Both over-control and under-control indicate poor decision-making.
Proportionality is not about reducing effort.
It is about applying appropriate effort based on risk.
Where QRM Shows Up In Practice
QRM is not performed as a standalone activity.
It is embedded within existing GMP systems.
Examples include:
Change control → determining level of review and approval
Deviations → defining prioritization and escalation
CAPA → determining scope and verification expectations
Validation → defining study extent and acceptance criteria
Audits → identifying areas of focus
In each case, QRM is visible through the decisions made - not through separate documentation.
When QRM is effective, decisions appear consistent and justified.
When it is weak, similar situations are handled differently without clear rationale.
How Inspectors Assess Risk-Based Decisions
Inspectors do not assess the presence of tools.
They assess the quality of decisions.
They evaluate whether decisions are:
Scientifically justified
Consistent across similar situations
Aligned with available data
Proportionate to impact
Inspection focus often includes:
How decisions were made
Whether similar cases were handled consistently
Whether justification reflects actual risk
In many cases, deficiencies arise not from missing risk assessments - but from weak reasoning.
Evidence of Effective QRM
Effective QRM is demonstrated through consistency.
Inspectors look for:
Alignment between risk assessment and actions taken
Consistent handling of similar risks
Clearly defined escalation thresholds
Justification linked to data and impact
Over time, this results in:
Predictable decision patterns
Reduced variability in response
Improved inspection confidence
Single documents do not demonstrate effectiveness.
Patterns across decisions do.
Common Failures in QRM
Recurring issues include:
Risk assessments performed after decisions
Scoring systems without defined meaning
Inconsistent application of risk criteria
Absence of defined acceptance thresholds
This often occurs when uncertainty is treated as certainty.
In other cases, decisions lack defined acceptance criteria.
These gaps reduce the credibility of risk-based decisions, even when documentation appears complete.
Decision Friction Points in QRM
Organizations rarely fail due to lack of tools.
They fail at points where decisions require judgement.
Common friction points include:
Defining risk acceptance criteria
Distinguishing uncertainty from severity
Determining when escalation is required
Aligning risk scores with actual decisions
In many cases, scoring systems exist but are not applied consistently.
Teams may assign similar scores but take different actions. This creates inconsistency that is difficult to justify during inspection.
QRM effectiveness depends on decision clarity, not scoring precision.
Regulatory Signals of Weak QRM
Inspectors rarely state “QRM is inadequate” directly.
They identify patterns that indicate weak risk management.
Common signals include:
Inconsistent decisions for similar events
Risk assessments completed after decisions
Lack of defined acceptance criteria
Over-reliance on templates without clear rationale
Failure to update risk assessments after new information
These signals often appear across systems rather than in a single document.
Inspectors assess whether decisions are reproducible and defensible.
When they are not, QRM is considered ineffective.
Regulatory Perspective
Regulators do not expect complex models.
They expect defensible decisions.
QRM is evaluated through how decisions are made - not how tools are completed.
Systems that rely on templates struggle to demonstrate control.
Systems that apply consistent decision logic are easier to defend.
Effective QRM is visible in decisions that remain consistent under scrutiny.