Risk management, Risk-based monitoring
Jane Tucker is an independent consultant and trainer. With over 25 years’ experience in clinical research, Jane has worked in data management, system validation and training, most recently specialising in risk assessment and management. She has worked for several major pharmaceutical companies and CROs, before recently retiring from GlaxoSmithKline. She is a member of the ICR Associate Trainers Network, and presents ICR’s training courses “Risk Management Principles”, “Study Level Risk Management” and “Risk-Based Monitoring”.
First of all, what is risk-based monitoring? Is it simply doing less than 100% SDV at site visits?
Risk-based monitoring is when you target your monitoring activities, which might sometimes include 100% Source Document Verification (SDV) in certain cases, where they are going to deliver the greatest benefit to the study. You can do this by looking at the risks to the study represented by each site and by the type of data that you’re collecting to decide where you monitoring effort would be best used.
How do you decide what level of monitoring to do at which site, or on which study?
You start off by doing a risk assessment at the beginning of the study. This will identify various things about the study, and certain actions will lead on from that which will be aligned with monitoring. You will also find out information about your sites as the study progresses: an incident may occur at a site, which might be a trigger for risks to occur. This could require you to change your monitoring strategy for that site, such as doing a site visit whereas previous you hadn’t planned to do so.
This really isn’t anything new, but now we have a proper title for it, and a formal way of deciding how you’re going to do it and, more importantly, where you’re not going to put as much monitoring effort because there aren’t significant risks. For example, for certain types of study that are less complex or are not using new technology, but also for certain sites within a study that are performing well and don’t have any issues, new staff or things like that. In this way, you can use your monitoring resource more effectively by targeting the areas where the risks are greatest.
So, it’s about putting the level of monitoring into the context of a broader risk assessment and management plan?
The principles of risk management are equally applicable across pretty much any industry or situation. That said, several sectors including ours have particular terminology, definitions, measurement scales etc. that are a little different to what you’d come across in other industries, so specific background education in pharmaceutical risk management would certainly be beneficial. Concepts like the five steps of risk management and how to structure a risk statement are fairly common across sectors. These sound fairly basic, but if you can structure a risk statement you can identify and document risks. Once you’ve identified a risk, you can assess it and allocate scores for impact and likelihood, look at detectability and use all of these factors in a general structure in all sorts of scenarios.
What does industry have to gain from risk-based monitoring, and from better structured risk management in general?
By embracing risk-based monitoring, industry is going to become more effective in using what is, in effect, a diminishing resource. We have less money and fewer people, and are continually being required to “do more with less”. You can achieve this and work more efficiently if you use a risk-based approach, because your limited resources can be used where you’re sure they will deliver the greatest benefit, whether it’s to the study, the site, the drug development programme etc.
In the past, we could afford to simply “throw” people and resource at a study and do 100% of everything. In the current economic climate, that’s not sustainable, and these are tools that we’ve developed to enable us to achieve the desired quality of outcome without throwing money and time at the activity. Crucially, we will still get the good quality outcome. That is a clear gain for industry.
Can that also apply in a non-commercial context?
Absolutely. We are required to take a “risk-based approach”; this is a term that comes up in many of the regulations that both the pharmaceutical industry and the wider clinical research profession as a whole have to work to. We’re required to take a risk-based approach to financial management, or to health and safety, just as we’re required to take a risk-based approach to compliance with clinical regulations. These basic principles can be used in any context: you can even take a risk-based approach to booking a holiday!
You have recent experience of big pharma’s view on risk-based monitoring. Is it viewed as a “nice to have” or is it becoming part of the mainstream? What do you think is holding it back from being used more widely?
It’s not a “nice to have”: it’s essential, because the regulators are now telling us that we have to do risk-based monitoring. We have, in the past, had to take a risk-based approach in certain other areas, and recently-published1,2,3 regulations and guidelines now require us to apply this sort of approach to monitoring.
In terms of what’s previously held the industry back, I think it was simply that we were too wedded to “what we’ve always done”, making everyone slightly nervous about letting go and saying that we won’t do 100% SDV, or that we won’t always handle all our risks. But the only way to go forward and for the industry to be sustainable is to ensure that the resource we have is used where it will deliver the greatest benefit. If people are doing an activity within a clinical trial that isn’t managing one of the most significant risks of the trial, why are they doing it? That is wasting their effort.
It’s about prioritisation: given that resource is finite, how do you best allocate it? Risk management gives you a formal, documented methodology for capturing what your risks are, for analysing, scoring and prioritising them, and for deciding which things you’re not going to do in order to ensure that efforts are put into managing the most significant risks.
What about the regulators? A few years ago, we would have assumed this sort of thing might have been frowned upon, but that’s not the case now, is it?
The regulators have realised that they can’t expect us to be 100% perfect at everything, that they have to set us pragmatic, achievable requirements in the regulations, and that a risk-based approach delivers this. So rather than inspectors looking for everything to be perfect, which isn’t viable, they will be looking for evidence that a robust process was used to determine which risks required managing and what actions were taken to manage them.
Who needs to understand risk-based monitoring and, more generally, be aware of how to take a risk-based approach?
Obviously, the people who are writing monitoring plans need to know, because there is really no point in writing a monitoring plan that says you have to visit each site every 3 weeks and do 100% SDV at each visit. The monitoring plan has to be written in compliance with the suggested contents in the new guideline.
But equally, the people who will be involved in implementing the plan and making it work in real life need to understand why the plan has been written in that way. The monitors also need to know how they can identify exactly what they are supposed to do on each site visit, and the processes they need to follow if they do find something is not working. They need to have a route to escalate risks that are not being managed back up to the team.
It’s also important that everyone is reassured that it’s okay to “let go” in this way. If someone is simply told that they only need to do 70% SDV, or that they need to check this and this but not that, without actually appreciating the underlying methodology, why you don’t need to count every tablet at every visit, and why this is actually beneficial, then some individuals could find it difficult to let go.
- International Conference on Harmonisation (ICH, 2005) “Guideline Q9 Quality Risk Management”, available via www.ich.org/products/guidelines/quality/quality-single/article/quality-risk-management.html
- US Food and Drug Administration (FDA, 2011): “Guideline on Risk-Based Monitoring”, available via www.fda.gov/downloads/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/UCM269919.pdf
- European Medicines Agency (EMA, 2011): “Reflection paper on risk based quality management in clinical trials”, available via www.ema.europa.eu/docs/en_GB/document_library/Scientific_guideline/2011/08/WC500110059.pdf
Jane Tucker (email@example.com) is an independent consultant and trainer. She presents ICR’s training courses on “Risk Management Principles”, “Study Level Risk Management” and “Risk-Based Monitoring”.