At PDA 2010 in Orlando, Jeffrey Hartry, Director of Quality Systems and Information for Cangene Corp., outlined in great detail his company’s risk management strategy. Cangene is a small, Canadian biotech company which develops and manufactures immune therapeutics.
Risk is something we all must address, Hartry began. “We encounter risk every day, and do it fairly subconsciously,” Hartry noted. “The question is, how do we go about managing it?”
From the patient perspective, there may always be unexpected, unpredictable outcomes, Hartry said, but more relevant to the manufacturer is patient injury related to product defects and medication errors. “What can we do to moderate and mitigate that situation? This is where ICH Q9 and Q10 come into play. . . . to drive defects down, and to prevent the overall risk to our patient group.”
Some of the drivers at Cangene for pursuing a formal risk management program, along with the ICH guidelines, included:
- The need for a systematic risk management process
- A desire for science-based decision making
- EU regulations such as EU Annex 20 QRM of March 2008, and Vol. 4 EU GMP Pt. 1 Ch. 1 Quality Management (July 2008). “Canada aligns heavily with the EU,” Hartry reminded the audience, and thus these regulations take on added significance.
The risk management model that Cangene chose was “fairly straightforward, and has been identified in the ICH Q9 documents,” said Hartry. The core principles are aligned with Q9, that risk management be based on scientific knowledge. In additioin, Cangene has a few specific rules of thumb:
- Accept no unnecessary risk
- Make risk decisions on the appropriate level
- Accept risk when benefits outweigh the harms. “That’s not to say we’re going to put patients in harm’s way,” Hartry cautioned, but that these situations deserve increased thought and consideration.
- Integrate QRM into planning at all levels. “The level of effort and formality should be commensurate with the level of risk you’re dealing with,” Hartry said. Some key steps in the process:
Defining the Risk Question. “This is one of the most difficult steps in the process,” said Hartry. “If you miss this, it’s going to skew your entire process. We spend a fair amount of time” making sure the elements of risk management are defined well and understood. They include periodic safety reviews, system trending, public complaints, and so on.
Establish a Team. “There will be a core group,” Hartry said. “Not all of these people will be actively involved on a day to day basis, but you need to know that you have support and involvement of key stakeholders.”
Define the Scope. Avoiding scope creep is critical, he said. Teams must define the problem and risk question, including: the possible associated risks; and any assumption and constraints should be validated at this stage.
Identify Risks. What can go wrong? “We do preliminary risk scenarios, related to requirements, test and evaluation, and technology,” Hartry explained. “A lot of technology doesn’t have a lot of history and this can present risk to your overall process.”
Analyze the Risk. Cangene does not specify that a particular method be used. What is more important is developing a risk-randing matrix. “What we’ve done is provided a number of samples to the risk management team in terms of what these categories translate to,” Hartry said. “Extreme risk, for example, requires immediate action from senior management.” It also requires that progress is reported to executive management and QA until the issue is resolved.
Evaluate Each Risk. The process is “more than scientific,” Hartry noted. The significance or impact of the risk to patients, families, regulators, shareholders, employees and company can yield one of three results:
1. The risk is accepted as is (Acceptable Risk)
2. The risk is not accepted (Unacceptable Risk)
3. The risk may be acceptable once a strategy has been devised to reduce the risk to where it’s “reasonably tolerable” within the organization.
Establish Control Measures. They include: elimination, engineering controls, validation, reduction of consequences if event occurs, sharing of transferring of risk, standardized procedures, training, monitoring
A Mitigation Plan includes:
- success criteria for each plan event and subsequent
- fallback approach
- a management recommendation
- identified approval levels
- identified resource needs
Re-evaluate Controls. “I have to admit that we don’t always do this sometimes,” Hartry said. Among the categories that must be considered include residual risk, secondary risk, and risk financing.
Implement. “It’s our risk-acceptability matrix,” Hartry said. “We follow the process to make sure that we’re consistent” in terms of managing risks, that they are accepted at the appropriate responsible level, that the process is formal and documented, and that controls get implemented
Monitor. Monitoring has four primary functions:
- to detect and adapt to changing circumstances;
- to ensure that the risk controls achieve the expected results;
- to ensure implementation of control, financing, and communication strategies have all been executed properly;
- to validate the assumptions used in the analyses. “You’ve got to go back and say, ‘These are the things we thought: Are they true, and did we miss anything?’”
Regularly Review. The environment, including regulatory, continues to change, and the nature of the hazard (natural, economic, technical, human) will always change as well, Hartry noted.
To sum up his talk, Hartry listed risk management lessons to remember:
- Establish a common understanding throughout the organization. “This was a three-month endeavor to get everyone on the same page regarding Risk Management,” Hartry recalled. “Many thought is was just, for example, the execution of FMEA . . . .”
- Evaluate existing practices.
- Focus on the outcomes, not on the tools.
- Do not establish a new risk department. There was push in Cangene to make Hartry the risk guru, but he resisted. “It belongs at the floor level with the managers” and their people, he asserted.
- Deploy to the operational level.
- Be open to new/old ideas.
And he left the audience with a few final thoughts:
- If you’re going to do risk management, do it properly.
- Poor risk management will not impress regulators!
- Ultimately, it is about credibility.