
Applying Risk Management and Risk-based Approaches to IT Quality and Compliance

Risk-based approaches to compliance are today's norm (or at least they should be). From the perspective of regulators, as well as from a business-sense perspective, applying the same rigorous model to everything in a regulated context doesn't make sense. Quality and compliance are not black-and-white issues, and an objective method for determining risk and translating that knowledge into the appropriate level and rigor of controls brings definition to how to handle the many shades of grey.

Risk analysis and determination should be based on the process that is automated or supported by technology (this applies to shop-floor automation, laboratory instrumentation and the like), and/or on the criticality of the records maintained by the technology (this applies to information systems). A process for performing risk analysis, and indeed overall risk management, should be implemented and used consistently to ensure objectivity. These terms are sometimes misused, so a clarifying graphic is provided in figure 1.

Risk Management & Risk Assessment

Risk Assessment is performed by analyzing risk (Risk Analysis), and then evaluating the identified risks for risk tolerance. Documentation resulting from the Risk Analysis activity should include, for each assessment item, a statement of intended purpose (functionality) and any associated hazard or risk. The Risk Evaluation is a determination then made, for each risk, based on a combination of impact or severity, probability or likelihood of occurrence, and likelihood of detection. Cross-functional stakeholders must agree to the conclusions of the Risk Evaluation.

Risk Management comprises the activities then performed on the basis of the Risk Assessment, namely Risk Control and Periodic Review. Risk Control is the analysis of options to remove or minimize the risk by affecting impact, likelihood, or detection through mitigations. Periodic Review is verification that the mitigations put in place are having the desired effect (minimizing or eliminating the risk) as expected.
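The assessment-to-review cycle described above, modelled as an added Python example (not code from LSIT or the article). It assumes a 1-to-5 ordinal scale for each factor, an FMEA-style product as the combination rule, and tolerance thresholds of 15 and 40; the article names the factors and activities but fixes none of these values, and the sample item and mitigation options are constructed.

```python
from dataclasses import dataclass, replace

SCALE = range(1, 6)  # assumed 1..5 ordinal scale for all three factors (the article gives none)

@dataclass(frozen=True)
class AssessmentItem:
    """One Risk Analysis entry: intended purpose, its hazard, and the three evaluation factors."""
    purpose: str
    hazard: str
    severity: int    # impact if the hazard occurs (5 = worst)
    likelihood: int  # probability of occurrence (5 = most likely)
    detection: int   # 5 = least likely to be detected before harm results

    def __post_init__(self):
        for name in ("severity", "likelihood", "detection"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be within {list(SCALE)}")

    def score(self) -> int:
        # Assumed combination rule (FMEA-style product); the article only says the factors are combined.
        return self.severity * self.likelihood * self.detection

def evaluate(item: AssessmentItem) -> str:
    """Risk Evaluation: map the score to the rigor of controls the item warrants (thresholds assumed)."""
    s = item.score()
    return "high" if s >= 40 else "medium" if s >= 15 else "low"

def mitigate(item: AssessmentItem, **changes: int) -> AssessmentItem:
    """Re-assess the item after a mitigation that lowers one or more factors (validation re-runs)."""
    return replace(item, **changes)

def risk_control(item: AssessmentItem, options: dict) -> str:
    """Risk Control: choose the mitigation option whose re-assessed score is lowest (first wins a tie)."""
    return min(options, key=lambda name: mitigate(item, **options[name]).score())

def periodic_review(expected: AssessmentItem, observed: AssessmentItem) -> bool:
    """Periodic Review: the mitigation is effective only if the observed score is no worse than expected."""
    return observed.score() <= expected.score()

# Constructed sample: a laboratory instrument posting assay results to a LIMS.
SAMPLE_ITEM = AssessmentItem("instrument posts assay results to LIMS",
                             "result recorded against the wrong sample ID", 5, 3, 4)
MITIGATION_OPTIONS = {
    "barcode scanning of sample ID": {"likelihood": 1},
    "second-person verification": {"detection": 2},
}
if __name__ == "__main__":
    print(SAMPLE_ITEM.score(), evaluate(SAMPLE_ITEM))    # 60 high
    print(risk_control(SAMPLE_ITEM, MITIGATION_OPTIONS))  # barcode scanning of sample ID
```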

For more information about Global Life Sciences, please visit www.glifesciences.com




© 2003-2008 The Life Sciences Information Technology Global Institute.
LSIT Global Institute, 14677 Via Bettona 110, Suite 800, San Diego, CA 92127 USA • Ph: (858) 759-4750 • Fx: (858) 759-6646

The LSIT Global Institute is a U.S. 501(c)(3) tax-exempt organization. Contributions are tax deductible as allowed by law.
Use of this site indicates your understanding and agreement to our Privacy Policy and Terms of Use.