Risk-based Audits: 5 Steps to Taking the “Risky” out and Putting the “Quality” in Your Business

Phil Johnson, Senior Director, Quality & Compliance Services, IQVIA

If you’re responsible for planning and carrying out your company’s internal audits, you know how much planning and effort it takes to monitor your quality system for GMP and ISO compliance. As your quality system has matured, you’ve probably noticed that certain sites, departments, or processes require more of your attention, while others are consistently in compliance and don’t need as much assistance. If this is the case in your organization, it’s time for you to consider a risk-based approach to your internal quality system audits.

The Value of a Risk-based Audit Approach

A quality risk-based approach to internal audits allows you to assess the importance and performance of each area to be audited, and to use your results to devote your auditing time and resources to these critical business areas. Based on this risk assessment, you may also decide that certain areas of your business don’t need as much oversight.

The value in a risk-based approach frequently comes in the form of higher product quality, since trouble areas will receive the time and attention they need to improve. Risk-based quality audits also improve your productivity. You will spend more time discovering and solving problems rather than auditing areas that are already performing well.

Get Started with Risk-based Auditing

How can you incorporate risk into your internal ISO and GMP audit processes?

  • Step 1: Assess Organizational Risk
    When you’re assessing risk, consider the departments and processes you normally audit. As you work through these areas, you may choose to quantify each area’s risk level. Or you can use standard risk analysis tools such as Hazard Analysis, Fault Tree Analysis, or Failure Mode Effects Criticality Analysis (FMEA).

There are many areas to consider when assessing risk, including:

  • Risk to Product Quality and/or Patient Safety — Rank each department or process according to its criticality in terms of producing a safe, high-quality product.
  • Performance Risk — Review the history of nonconformances, CAPAs, recalls, or adverse events for each area to be audited. Areas with a higher number of these incidents should be given a higher risk score.
  • Compliance Risk — Look at past recommendations and perform a gap analysis on existing regulatory requirements across all countries where you have market approval. This score can also factor in how well the area has corrected previous audit observations.

Once you’ve considered these areas (and other risk areas specific to your business), you can combine their individual risk scores to create an overall risk score for each department or process. This can help you quickly understand your high-risk areas so you can create your audit plan accordingly. This assessment forms the basis for your risk-based audit plan, so it should be documented in a list or spreadsheet as you work through it.

  • Step 2: Incorporate Risk into Your Audit Plan
    As you’ve ranked each department’s risk, you’ve probably begun to form a mental picture of your audit plan. Now it’s time to take a closer look at each area and its corresponding risk score. A key part of your planning will be your audit schedule. Higher risk areas will need to be audited more frequently (at least annually, but possibly more often). For low-risk areas, it is important to remember that an annual audit is not always required. In either case, you need to define how often you will audit each department based on the risk assessment, document a schedule, and stick to it.

There are other pieces of your audit plan that are also affected by risk. These can include the audit duration and the size and skill of your audit team. You may need to plan for longer, more detailed audits of high-risk areas. Areas involving more complex products or processes may require auditors with special skills or knowledge.

  • Step 3: Conduct Risk-based Audits

Risk-based auditing doesn’t stop with your audit plan. Once you’ve determined an area to audit, you can incorporate a risk-based approach into each audit you conduct. The first step is to review each department’s existing procedures. These documents provide you with a jumping off point for understanding which processes a department views as high-risk, so you can focus your questions in these areas.

If you’ve audited an area before, you should review the data you already have from previous audits and work from there. Some items to review include:

  • Observations from previous audits
  • Previous corrective action plans and their effectiveness
  • Areas that were not inspected during previous audits
  • Defects, adverse events, or recalls related to this department
  • Changes to processes or personnel since the last audit

Understanding these areas will help you home in on potential areas of concern. This will help you focus your questions properly and get the most value from your time spent auditing.

  • Step 4: Risk-based Follow Up
    Once you’ve completed the audit, you will assign recommendations and/or findings. Using a risk-based approach to follow up, you will assign a risk level to each finding to clarify which findings need a quick response or escalation. This allows you to address critical findings more quickly, rather than just following up on findings in the order they were discovered. This, of course, feeds your CAPA process. High-risk findings can trigger a CAPA process, while low-risk findings can be resolved quickly and closed with the audit.
  • Step 5: Monitor Changes in Risk
    Your initial risk assessment was a snapshot of your quality, performance, and compliance risks. Changes to products, processes, or defect history will cause this snapshot to evolve over time. That’s where automated quality management software can help keep you aware of emerging risks. Solutions like the SmartSolve® quality management system will help you monitor and control defects, CAPAs, customer complaints, changes, and other processes that will affect your overall risk. You will be able to quickly understand the performance of your various sites and processes, and modify your audit plan and other quality processes accordingly.

Implementing Your Risk-based Audit Program

The idea of implementing a risk-based GMP audit program, or any type of risk-based process, can be challenging. But keep in mind that you don’t need to change your entire audit process all at once. Take it one site, department, or process at a time, document your plan, and you will keep your audit program moving in the right direction. Global regulatory agencies are expecting manufacturers to become more “self-regulating.” Taking a good risk-based approach to internal audits is a significant step towards this.
