top of page
  • Lorrie D. Divers, President, QRCP Solutions, Inc.

Risk Averse?

Sometimes, when I start talking about ‘risk assessment’ and ‘risk management’ in GCP settings, looks of confusion or fear stare back at me (with an occasional yawn of boredom). Fear is a normal reaction to something new or complex that seems deeply unknowable. But risk assessment and risk management are neither of those. In fact, we all carry out risk assessments and risk management on a daily basis, multiple times a day. Here’s just one simple example:

If you drive to/from work, unless you live in a utopia where there are no bad drivers and all the roads are perfectly smooth with no black ice, traffic jams, or malfunctioning traffic lights ever, well, then at least twice a day you are performing risk assessment and risk management. In split seconds, every day!

Wait, what about all the probability calculations and predictive modeling and equations stuff that has to be done to quantify risk? Deep breath, let’s break it down to the basics first.

In any given situation, risk assessment essentially is:

  1. Defining the possible unintended occurrences, consequences, outcomes specific to the conditions of that situation

  2. Determining how likely or unlikely it is that these may occur and how often they might occur (for example, it snows once-every-ten-years or every day)

  3. Evaluating what the impact would be, particularly on the areas of most significance

  • So, in the daily drive to work example, these could be defined as a crash with injuries or multiple vehicles involved as the most serious and being a few minutes late to work as the least significant (well, depending on where you work…), with some others defined in the middle

  1. Understanding how easy or hard it would be to detect the issues identified in Step 1

  • Tip: This is often overlooked but can be quite important. It’s rather obvious in the case of traffic but may be less so in other situations.

  1. Ranking the risks from high (critical) to low (minimal).

Keep in mind that there is really no such thing as “no risk.” Unless, for this example you don’t drive to work. But remember, then your risk assessment relates to the specific conditions of your commute: taking the train, subway, or stairs up to your home office, so those are different risks.

For purposes of analysis, the outputs of Steps 1 through 4 are quantified numerically so that the risks can be more readily ranked in Step 5. But that doesn’t necessarily require an advanced degree in statistics (thankfully!) to do and there are several standard methods and resources available to help with that math-y part of risk assessment. Or you can ask your favorite statistician for assistance.

The more challenging part of risk assessments in complex situations like the GCP environment can be defining Steps 1 through 4 sufficiently but not ‘perfectly.’ It should not become an endless do-loop of ‘what ifs’ that paralyze your ability to manage the most likely and most significant risks. If you can’t make good choices when you encounter the unexpected while driving, it generally doesn’t end well.

That’s where risk management comes in as well, which is also not as scary or mysterious as it might sound. You do this every day during you commute too.

The basics of risk management are two steps:

  1. Developing and executing actions to maximally control for the impact and occurrence of especially (but not exclusively) the highest risk areas identified in the risk assessment

  • Which routes sound the worst in the traffic report? What alternate routes could I take?

  • Uh-oh, the car in front of me just stopped suddenly, what can I do to avoid this crash?

  • What tools and training do I have readily available to use? For example, proper application of anti-lock brakes.

  1. Executing the actions, including evaluating their effectiveness and making adjustments as conditions change

  • Yikes, I applied the brakes correctly but now I’m headed for the ditch, what do I do next?

Sound familiar? Perhaps like ‘risk management plans’ and SOPs and training and, well, you get the idea.

In next week’s blog, we’ll discuss GCP specific examples of both the assessment and management of risks. In the meantime, drive carefully!

Let’s start a conversation! Follow QCRP Solutions, Inc. on LinkedIn for more quality assurance, regulatory compliance and process excellence topics. Contact me at

to learn more about our consulting services.

Image Credit: By Bart Everson (originally posted to Flickr as Traffic) [CC BY 2.0 (], via Wikimedia Commons


37 views0 comments

Recent Posts

See All
bottom of page