R3 compliance, built-in: Risk-based oversight with eTMF Connect

ICH E6(R3) compliance with eTMF Connect's risk-based and oversight features


Every TMF lead knows the theory. Risk-based oversight should be risk-driven, proportionate, continuous, and documented.

ICH E6(R3) sets clear expectations for what risk-based oversight requires of sponsors. The hard part is the mechanics: how a risk signal turns into a documented, defensible response, and how the evidence of that process becomes part of the workflow instead of something assembled the night before an inspection.

At TMF Week 2026, I walked through an early look at how we are building this into eTMF Connect. What follows is the substance of that session, focused on what these mechanics actually look like in practice.


The problem most organizations are sitting with right now

Oversight today tends to happen outside the eTMF. Risk assessment lives in a spreadsheet, or in someone's judgment, or in a meeting that was not documented. The signal exists. The outcome sometimes exists. What is missing is the middle: the documented rationale for why a specific review happened, at a specific scope, at a specific point in the study.

That middle piece is exactly what ICH E6(R3) asks you to show. An inspector does not just want your actions. They want your thinking.

Three things need to stay visible at all times:

  • The signal that was captured
  • The decision made in response
  • What changed as a result

If any one of those is missing, you have a gap. Most organizations lose the second one. The signal exists in a safety report or a CTMS flag. The outcome exists in an updated plan or a site action. The rationale for what happened in between lives in an email, or worse, in no record at all.

What a risk-based approach actually requires

The risk assessment is a documentation assessment, not a clinical one. It measures where in the TMF evidence is weak, incomplete, or missing. The methodology, which we detailed in our risk-based TMF management framework, works across three signals: completeness, quality, and timeliness. Each issue type carries a configurable weight on a scale from one to five. Missing dates, for example, carries a weight of five, which is the highest. These weights are subscriber-configurable, meaning your organization sets them based on your own view of relative risk. Every weight change is logged with before and after values, even if changes are made throughout the study. That matters because the scoring logic itself stays auditable as it evolves.

The score works across five dimensions: process zone, document type, country, site, and owner. The higher the issue rate for a heavily weighted issue type, the more it drives up the overall score for that dimension. That is what makes the score a meaningful signal rather than just a count of problems. A high completion rate and a low-risk TMF are not the same thing.

Site-level breakdowns matter because they move the question past which zones carry risk to exactly where in the study that risk concentrates. Two sites with similar zone-level profiles can look identical in aggregate and be very different in practice.

A quick illustration from the scenario we walked through at TMF Week: two convergent signals appeared on the same two sites. Three SAEs had been processed through the safety reporting chain over the past two months, generating investigator notifications, SUSAR filings, and health authority and IRB submissions. At the same time, operational reporting from the CTMS flagged two sites for elevated protocol deviation rates, Montreal General in Canada and Barcelona Clinical in Spain.

The risk assessment confirmed it at the documentation level. Three zones flagged elevated risk: Zone 07, Safety Reporting, at 94 percent; Zone 05, Site Management, at 91 percent; and Zone 04, IRB or IEC, at 88 percent. At the site level, Montreal General carried the highest site-level risk score in the study at 92 percent, with missing artifacts and content quality issues contributing the most. Barcelona Clinical scored 89 percent, with a similar profile of missing documents and quality issues.

[Image: eTMF Connect's risk assessment]

The operational signals told the TMF lead where to look. The risk assessment gave her the documented, scored justification for what came next. That distinction between oversight built on instinct and oversight built on evidence is where ICH E6(R3) compliance gets built or lost.

Building the oversight activity before the review starts

This is the step most organizations skip or do informally. The rationale for a review needs to exist in the system before the first document is opened. Not in a follow-up email. Not in a narrative written at closeout. Before.

A structured activity record captures the type of review, the rationale, a description of why it exists, and the selection criteria that translate the risk assessment directly into scope. In the scenario, the selection criteria drew from the three flagged zones, document types including IRB safety notifications, delegation logs, visit reports and safety reports, and both sites. Given the regulatory context of an active SAE cluster, the sample was set at 100 percent. For a lower-risk area, a smaller sample size would be appropriate and defensible, provided the rationale is documented.

The activity also captures who is assigned to the review and the duration given to complete it. In the scenario, both a CRO reviewer and a sponsor reviewer were assigned to the same activity, working from the same queue.

When a regulatory authority asks why these documents were reviewed, at these sites, at this point in the study, the answer already exists, timestamped, before any work began. ICH E6(R3) says to show your work. This is showing your work.

[Image: Structured activity]

Execution and the shared record

The review itself generates findings, queries, resolutions, and closures. None of that should live outside the system. The moment a finding is made, it exists in the record. The moment a query is raised, it is visible to everyone assigned to the activity. Every decision is documented. Every step is attributed. The full thread, query raised, resolution proposed, closure confirmed, is part of the activity record.

The sponsor and CRO working from the same system matters here more than it might appear. Separate records mean re-explaining work after the fact, and the handoff is where that cost becomes most visible. A unified record means the oversight program is visible to both parties in real time, and when an inspector looks at the study from either side of the relationship, the record is the same record.

When the sponsor is not in the same system, the export becomes the deliverable. It is a structured report covering who requested it and when, the full oversight activity configuration, an artifact-level record of every review outcome, and an activity log timestamping every event from creation to closure. That is the complete record of oversight. It was not assembled after the fact.

What closeout actually proves

At the end of a review, the person performing the closeout writes a summary narrative covering findings, escalations, and remediation actions. What remains after closeout is the complete record: from the risk assessment that justified the scope, through every artifact reviewed, every query raised and resolved, straight to the outcome summary. Connected, timestamped, in the system where the study lives.

The evidence of compliance is the natural output of doing the work this way. You do not assemble it after the fact. It is already there because of how the work got done.

[Image: Every event]

The standard, in one line

Risk-driven. Proportionate. Documented. That is what ICH E6(R3) sets. The mechanics described here are how you meet it, not as extra work stacked on top of oversight, but as the natural way oversight gets done.

If it was not documented, it did not happen.

On the questions that came up in Q&A

How can organizations demonstrate a clear line of sight from operational risk signals to oversight decisions, and ultimately to risk mitigation outcomes, in a way that satisfies both ICH E6(R3) expectations and inspector scrutiny?

Three things need to stay visible: the signal that was captured, the decision made in response, and what changed as a result. If any one of those is missing, you have a gap. Most organizations lose the middle one. The signal exists in a safety report or a CTMS flag. The outcome exists in an updated plan or a site action. The rationale for what happened in between lives in an email, or worse, in no record at all. The regulation expects you to show your thinking, not just your actions.

When multiple risk signals emerge simultaneously, such as an SAE cluster and increased protocol deviations, what criteria should a TMF lead use to prioritize oversight actions and document the rationale?

Patient safety leads first, and the signals themselves set the order. From the TMF perspective, the job is making sure the response is documented: who identified the issue, when, what was escalated, and what changed in the oversight plan as a result. The activity record is not enough without that trail of evidence behind it.

Is the risk signal always centered around sites, or can it look globally across classifications?

Site-level signals are the most common entry point, but not the full picture. Oversight frameworks built only around site monitoring miss the pattern that becomes visible in aggregate. Three sites each showing one deviation of the same type looks manageable in isolation. The same deviation type clustering across all three points to a systemic issue that needs a different response. The site-level finding gets a site-level response. The cross-cutting signal needs to be escalated and documented at the program level.

What is the timeline to respond to a new oversight activity?

No single regulatory mandate exists. The expectation is that a timeline is defined somewhere, typically in an SOP, and that you can demonstrate you meet it. If your SOP says 30 days, an inspector will look for evidence you responded in 30 days. The bigger risk sits with organizations that have not defined a timeline at all, leaving nothing to measure against and nothing to show at inspection.

Is the detection of cross-cutting risk signals dependent on how the risk criteria are set upfront?

Yes, directly. If criteria are defined only at the site level from the start, the thresholds and triggers stay site-level by design, and systemic issues stay out of view. ICH E6(R3) pushes sponsors to define risk criteria at the study level before the study starts, and to ask explicitly what a cross-cutting pattern would look like before one appears. If that is not defined upfront, detection tends to be reactive, and the documentation trail to support the oversight decision gets muddy.

 

Christina Mantzioros


With a mandate to bridge the gap between clinical research, technical development, and business applications, Christina Mantzioros brings over a decade of experience in clinical research and technology. As Director, Product & Clinical Intelligence, she shapes the next generation of the eTMF platform, translating clinical and regulatory needs into practical product solutions. She is the co-host of The State of TMF podcast and a regular speaker at industry events including the CDISC TMF Interchange.