GxP Lifeline

Risk Management in Clinical Trials: Process and Application

Recently, two key pieces of guidance were released from Food and Drug Administration (FDA) and European Medicines Agency (EMA) regarding risk based approaches to clinical research. These documents include FDA's “Guidance for Industry: Oversight of Clinical Investigations—A Risk-Based Approach to Monitoring” and EMA's “Reflection paper on risk based quality management in clinical trials”.  The focus of the regulators on this concept initiates a discussion of how to introduce, implement, and apply risk management principles to clinical trials. The applicable guidances for good clinical practice (GCP), ICH E6 and ISO14155, state explicitly that the sponsor is responsible for quality assurance and quality control. One aspect of quality involves how risks are approached and managed throughout the course of a clinical trial, and is the focus of this article.

Risk Management Process

Risk management concepts can be extracted from the ISO 14971: Risk Management for Medical Devices and ICH Q9: Quality Risk Management. The first step is to define a procedure for conducting this activity. The basic steps to risk management include: identify and assess risks, mitigate risks, and review risks. Additional steps that are required throughout the process include communication of risks and documentation activities. A general flow chart is shown in Figure 1.

Figure 1. Basic risk management steps.

Identify and assess risks

To begin the risk assessment process, the identification and assessment of risks is the first task. The identification and assessment of risks focus on questions from ICH Q9 such as:

  • What might go wrong?

  • What is the likelihood (probability) it will go wrong?

  • What are the chances we will discover (detectability) the issue?

  • What are the consequences (severity)?

The process to identify risks is based on information from individuals, historical data, previous analyses, and concerned parties. This data collection approach can either be quantitative or qualitative.

Mitigate risks

The next step in the risk management process for clinical trials is to evaluate whether or not a risk is within an acceptable level or whether it can be reduced or eliminated. Some risks are accepted based on this premise and some may be mitigated through specific actions. The mitigation of risks focus on questions from ICH Q9 such as:

  • What is the acceptable level of risk for the clinical study?

  • Is the risk above an acceptable level?

  • What can be done to reduce or eliminate risks?

  • Are new risks introduced as a result of the identified risks being controlled?

Review risks

Review of risks is a continual process throughout the project life cycle. This portion of the process will depend on the type of project that is being examined and its parameters. This step involves the review of risks, mitigation actions, and subsequent results; this step examines whether or not the identified risk was controlled appropriately and the result. This step may also result in new risks being identified, and these risks would then join the flow chart at the assessment and mitigation steps.

Communicate and document risks

Throughout the entire risk management process, steps for risk communication and documentation of activities have to be incorporated. The method of risk communication will vary depending on the organization. Documentation of activities and this process is required.

Continuous evaluation

The risk management process requires continuous evaluation. The listed steps are repeated regularly throughout the entire project; however, it is important to note that an event may occur that initiates the evaluation process outside of a regularly scheduled risk session. The constant nature of risk evaluation is important to understand so a project is appropriately managed and issues are addressed.

Application to clinical research studies

As ISO14971 explores the application of risk throughout an investigational product's lifecycle, these concepts can also be applied to the clinical trial lifecycle. The identification of risks begins with examining risks to subject safety and data integrity, and is well described in the FDA Guidance Document on the topic. This is the recommended starting point for identification, prompted by reviewing the annual BIMO findings posted by the FDA or other regulatory agencies for clinical sponsors, sites, and IRBs. This list can assist in creating discussions of topics that would apply to a specific trial. It is important to brainstorm all risks and then move toward classification and mitigation. Some key questions to ask may include:

  • How complex is the study design? Is it an adaptive design trial?

  • Does the study have any interpretive or subjective data endpoints?

  • Does the study population include a vulnerable population or subset?

  • Are sites located in a region of the world there are differences in the standards of medical practice and/or infrastructure of clinical research practice?

  • What is the experience of the clinical investigator? What is the sponsor's experience working with the clinical investigator?

  • Is the site using electronic data capture (EDC) systems?

  • Does the investigational product have any safety concerns?

  • What is the stage of the study? Is the study in the enrollment stage or the follow-up stage?

After asking and answering the questions above, risks are identified. In clinical research, studies are dependent on so many factors and subsequently the control tactics for each risk are going to be project, sponsor, and site dependent. The following two examples illustrate how risk management can be applied to issues commonly observed within clinical trials for each phase of the clinical project. To explore the listed examples in more detail, please download our whitepaper.

Example 1, Clinical Study with Non-standard of Care Testing. This example explores a clinical study that includes a primary endpoint that is a non-standard of care test.

Identify and Assess

There is a potential for missed tests because the sites are not used to collecting these tests and/or results for this type of subject.


To mitigate this risk, the traditional approach is to ensure personnel involved are educated and trained appropriately. Study personnel will be trained on the protocol; however, the extended personnel of the core laboratory or central laboratory may also have to be trained. Another option would be to conduct early on-site monitoring visits that incorporate a specific focus on the non-standard testing; these visits would ensure proper process steps were being followed to collect this data.


For this study, the risk of missed tests has to be evaluated throughout the duration of the study for each site. As the study progresses, some sites may not have any issues and some sites may require additional actions, such as continual retraining, through additional on-site monitoring visits, or even a site audit. The sponsor has to track and evaluate where more mitigation activities would be required.

Example 2, Training of Clinical Research Sites with Varying Experience. This example examines a multi-year clinical study that has two sites. In the first year of the study, it is noted that Site A has little experience and Site B has many years of experience conducting clinical studies. 


and Assess

Site A is at risk from an overall clinical study management perspective and their inexperience could create challenges from Day 1 of the study. Site B has been conducting clinical research for many years and has a seasoned research coordinator and therefore no significant risk is noted at the onset of the study.


Throughout the study, both sites will be remotely monitored for data discrepancies and trends. For Site A, extensive training is planned to ensure they have proper instruction on how to conduct study tasks. Early and frequent on-site monitoring visits can also occur. Site A should be continually evaluated the first year of the study.


Site A is doing well upon entering the second year of the study. The initial risk for this site has decreased significantly and now Site A is a leading site in managing study conduct, data, and documentation. No further mitigation strategies are needed at this time.

In the second year of the study, some anomalies were discovered through remote monitoring at Site B. It was discovered a new research coordinator is joining the study. This changes the site's risk status and requires the identical approach of identification and assessment, mitigation, and review.


and Assess

Data issues have already been noted at Site B and there is potential for further issues with the new research coordinator.  


The first step will be to conduct extensive training on the protocol and good clinical practice for the new research coordinator. In addition, adding more frequent on-site monitoring visits with a senior monitor would assist the site in getting on track.


Site B should be evaluated continuously by the monitor and the study manager, similarly to how Site A was during the first year of the study. As Site B addresses issues and improves on the previously noted data discrepancies, it can be determined if additional training may be necessary or if fewer on-site monitoring visits can be conducted. This study will require a diligent approach to evaluate what happens in year three for both sites.

In summary, risk management strategies can and should be applied to the clinical research industry. FDA and EMA have released guidance documents that discuss and reference the incorporation of these principles into the clinical trial development, execution, and closure. The advantage of incorporation of these quality principles is an investment into the overall success of the clinical trial and will save time, resources, and likely eliminate, prevent, and/or minimize subject safety and data integrity risks.


ICH E6: Good Clinical Practice, 1996.


ISO14155: Clinical investigation of medical devices for human subjects — Good clinical practice, 2011.


FDA Guidance Document, Guidance for Industry: Oversight of Clinical Investigations —A Risk-Based Approach to Monitoring, August 2013.


EMA Reflection Paper, Reflection paper on risk based quality management in clinical trials, November 2013.


FDA BIMO Inspection Metrics,


ISO14971: Medical devices -- Application of risk management to medical devices, 2007.


ICH Q9: Quality Risk Management, 2005.


Emily Haglund, MS, CCRP is a Clinical Auditor for IMARC Research, Inc. IMARC is a medical device CRO, specializing in monitoring, auditing, training and consulting services.  Along with conducting quality assurance activities and audits, Emily had worked with clinical teams in the medical device industry and healthcare policy research. She is a member of the Society for Quality Assurance (SQA) and the Society for Clinical Research Associates (SoCRA). Contact her at ehaglund@imarcresearch.com.

[ { "key": "fid#1", "value": ["GxP Lifeline Blog"] } ]