Why most clinical trial risk assessments fail under ICH E6(R3) (and how to fix them)

Every quality professional has experienced it: your team spends days documenting risks, creating detailed matrices, and getting stakeholder sign-off. The risk assessment looks impressive. QA approves it. Everyone feels good.

Then you proceed to test, monitor, and manage everything exactly the same way you would have without the assessment.

"We are spending days doing risk assessments, going through all the functionalities of systems, and then afterwards, we test them all the same,"  observed Frank Henrichmann, Senior Executive Consultant at Qfiniti Quality Management. "There is not really a risk-based approach in it."

This is the fundamental problem with risk assessments in clinical trials today. They exist, they're thorough, they check regulatory boxes. But they don't actually change how teams work.

What is ICH E6(R3) Risk-Based Quality Management (RBQM)?

The ICH E6(R3) mandates Risk-Based Quality Management (RBQM), an approach where quality management activities including monitoring, auditing, and systems validation are scaled and focused based on identified risks to trial participants and data integrity. 

This fundamentally requires sponsors to define and act upon their Critical-to-Quality (CtQ) factors: the processes, data points, and systems that have the highest impact on subject safety and data reliability.

RBQM represents a shift from traditional, uniform monitoring approaches to a risk-proportionate model. Instead of applying the same oversight to all aspects of a trial, sponsors must identify which elements truly matter for their specific study, assess the risks to those elements, and allocate resources accordingly. 

The goal isn't to document every possible risk, but to focus quality management efforts where they'll have the greatest impact on protecting patients and ensuring reliable data.

The disconnect between risk and action

Under ICH E6(R3), risk-based quality management isn't optional. The guidance explicitly requires sponsors to identify Critical-to-Quality factors and apply proportionate oversight based on risk levels. Yet most organizations struggle to translate risk assessments into different behaviors.

Dawn Niccum, Executive VP of Quality Assurance at inSeption Group, sees this pattern repeatedly: "More often than not, I see risk registers that are essentially passive documents. They list every possible risk but don't link those risks to critical quality factors."

The documents exist. The risks are documented. But there's no clear connection between a "high risk" designation and what the team actually does differently as a result.

This creates several problems:

• Wasted effort: If teams spend days on risk assessments that don't inform decisions, that's pure overhead with no value.
• Missed opportunities: Risk-based approaches should allow teams to focus resources where they matter most. When everything gets the same treatment, high-risk areas don't get the attention they need, and Critical-to-Quality factors don't drive actual quality management decisions.
• Compliance theater: Risk assessments that look good on paper but don't drive actual decisions create what's known as "compliance theater", the appearance of following regulations without the substance. During inspections, auditors ask how risk assessments informed monitoring strategies, testing approaches, and resource allocation. "We documented risks" isn't an answer if nothing changed as a result.

Why risk assessments become checkbox exercises

Several factors contribute to ineffective risk assessments:

1. The "Get QA Approval" mindset

Many teams view risk assessments as documents that need to satisfy QA, not tools that guide their work. The goal becomes producing something that will be approved, not something that will be useful.

This leads to generic, comprehensive risk lists that cover every conceivable scenario. Everything looks thorough on paper. But when it's time to make decisions about monitoring frequency or testing depth, the risk assessment sits unused.

2. Template dependency without critical thinking

Templates can be helpful starting points. But many organizations create standardized risk assessment templates with pre-populated risks, then teams simply accept them without question.

During our recent Clinical QAI panel discussion, an audience member raised this exact concern: "Isn't it also the issue that we try to standardize the template rather than look at the individual study and its environment? "

Each trial has unique risks based on therapeutic area, patient population, protocol complexity, site capabilities, and vendor relationships. A template can't capture these nuances. Teams need to think critically about what's actually risky in their specific situation, particularly which factors are truly critical to quality.

3. Analysis paralysis in risk identification

When teams approach risk assessments, they often try to identify every possible thing that could go wrong. This leads to enormous risk registers that are impossible to manage meaningfully.

"Making these tough decisions and not getting hung up in too many what-ifs is critical," explained Henrichmann. "If there are 15 what-ifs between an event and patient harm, there is no real risk."

The challenge is distinguishing between theoretical risks (what could happen if a chain of unlikely events occurs) and actual risks (what's reasonably likely to impact trial quality or patient safety). This distinction is essential for identifying true Critical-to-Quality factors.

4. Lack of Clear Decision Criteria

Even when teams correctly identify high, medium, and low risks, they often don't define what those classifications mean for how they'll work.

Does "high risk" mean weekly monitoring instead of monthly? Does it mean 100% source data verification instead of sampling? Does it mean additional training for site staff?

Without clear criteria linking risk levels to specific Risk-Based Monitoring (RBM) activities, the classifications are meaningless labels.

5. Missing the right stakeholders

Effective risk assessments require input from people who understand what actually happens during trial conduct: clinical operations, data management, site staff, medical monitors.

But many risk assessments are developed primarily by quality teams or project managers who may not have visibility into day-to-day operational realities. The result is risk assessments that look good on paper but don't reflect where problems actually occur or which factors are genuinely critical to quality.

What risk management actually means

There's a fundamental misunderstanding about what risk management is trying to accomplish.

Risk management is not about laying out what all the risks are and then saying how risky do we want to be. It's identifying what are those potential risks that could derail my clinical trial or have a huge impact on safety or integrity. What are those big risks and how do we truly manage those?

Dawn Niccum

Executive VP of Quality Assurance at inSeption Group

Risk management isn't about documenting everything that might go wrong. It's about:

1. Identifying the few things that really matter for this specific trial
2. Understanding what could cause those things to go wrong
3. Putting controls in place to prevent or detect those problems
4. Allocating resources differently based on where risk is highest
5. Monitoring to confirm your risk assessment was correct

This requires making tough decisions about what to focus on and, equally important, what not to focus on.

Applying these principles to TMF management: One critical area where risk-based approaches drive immediate value is Trial Master File oversight. Our detailed guide walks through a 5-step methodology for implementing risk-based TMF quality control.

How to make risk assessments actually work

Based on discussions with quality leaders implementing effective risk-based approaches, several strategies consistently emerge:

1. Start small and specific

The biggest barrier to effective risk assessment is trying to do too much at once.

"Pick something and start somewhere," advised Donna Dorozinsky, Founder and CEO of Just In Time GCP.  "Pick some critical-to-quality things that you want to monitor that you know are easy to collect and can have a pretty big impact across all of your trials."

Starting at an organizational level with a few cross-study Critical-to-Quality factors accomplishes several things:

• Teams learn the process with lower stakes
• You can demonstrate value before asking for bigger changes
• You build momentum and expertise
• You create a foundation that study-specific assessments can build on

Once teams see risk assessment working on a small scale, expanding becomes easier.

2. Focus on prevention, not just detection

Many risk assessments focus on what could go wrong and how to catch it. Effective ones focus on how to prevent problems from occurring in the first place.

"What I try to do is get everybody focused on prevention over detection,"  Niccum noted. "How do we go from reactive to proactive? "

This shifts the conversation:

Prevention-focused risk management identifies root causes and addresses them proactively, rather than building elaborate detection systems for problems that could be avoided.

3. Document the "Why" behind risk decisions

Risk classifications need justification, not just labels. When a team designates something as high risk or identifies it as a Critical-to-Quality factor, they need to document why.

This serves multiple purposes:

• Defensibility during inspections. Auditors want to understand your reasoning. "It's high risk because the SOP says so" won't satisfy them.
• Knowledge transfer. When staff turn over, the next person needs to understand the thinking behind decisions.
• Quality of thinking. The act of articulating why something is high risk often reveals whether the classification makes sense.

One of the most important pieces in a risk assessment is writing down why you consider a risk to be high or low. Just saying 'it's high, it's medium, it's low' and designing a control for it is only half the work.

Frank Henrichmann

Senior Executive Consultant at Qfiniti Quality Management

4. Get the right people in the room

Risk assessments can't be developed in isolation. They require input from people who actually do the work and understand where things typically go wrong.

"You need to break up the silos," Henrichmann explained. "Only if the study team can explain what the really important data are, what the endpoints are, what systems are really involved, and where we should focus our testing. The techies don't have the medical or clinical expertise to make such assessments."

Effective risk assessment sessions include:

• Clinical operations (who understands site realities)
• Data management (who knows where data quality issues typically arise)
• Medical monitors (who understand what data actually matters for endpoints)
• Site personnel (who can speak to feasibility)
• Quality (who can facilitate and provide compliance perspective)

Having these perspectives together allows teams to identify risks they wouldn't have seen individually.

5. Use skilled facilitation

Not everyone can effectively facilitate a risk assessment. It requires someone who:

• Can keep the group focused on critical risks (not everything that could possibly go wrong)
• Has no vested interest in the outcome (to avoid bias)
• Can manage conflicting viewpoints
• Understands the difference between theoretical and practical risks
• Can prevent the session from devolving into checkbox completion

Many organizations find that quality teams make good facilitators because they understand risk management principles but aren't as attached to specific operational decisions. The key is positioning quality as a partner helping the team think through risks, not as police enforcing compliance.

Effective quality management systems streamline this facilitation process with built-in workflows and collaboration tools. Discover essential eQMS capabilities in our Buyers' Guide.

6. Define what risk levels actually mean

Risk classifications must connect to specific actions and inform your Risk-Based Monitoring approach. Before starting a risk assessment, define:

For high-risk areas:

• What monitoring frequency? (Weekly? Daily? Real-time?)
• What level of oversight? (100% review? Enhanced monitoring? Additional training?)
• What resources? (Dedicated personnel? Subject matter expert involvement?)
• What documentation? (Additional records? Enhanced audit trails?)

For medium-risk areas:

• Standard monitoring approaches
• Routine oversight
• Normal documentation requirements

For low-risk areas:

• Reduced monitoring frequency
• Lighter oversight
• Essential documentation only

When teams know that marking something "high risk" means weekly monitoring instead of monthly, they make more thoughtful risk classifications. It's no longer just a label, it's a resource commitment.

7. Make risk assessment a conversation, not a document

The most effective risk assessments aren't static documents created once and filed away. They're living tools that inform ongoing conversations.

This means:

• Discussing risk assessment findings in regular project meetings
• Updating assessments when circumstances change (protocol amendments, new sites, vendor changes)
• Using risk data to inform decisions throughout the trial
• Reviewing whether mitigations are working as intended

When risk assessment becomes part of team culture rather than a compliance requirement, it starts driving actual behavior change.

Moving from theory to practice

The ICH E6(R3) provides the framework for risk-based quality management. But the guidance can't tell you which risks matter most in your specific trial, which factors are truly Critical-to-Quality, or how to organize your team's thinking about them.

That requires:

• Starting with specific, manageable scope rather than trying to assess everything
• Bringing the right stakeholders together with skilled facilitation
• Documenting reasoning, not just conclusions
• Connecting risk levels to actual resource allocation and Risk-Based Monitoring decisions
• Making risk assessment an ongoing conversation, not a one-time document

Organizations that implement these practices find their risk assessments become genuinely useful tools. Teams reference them when making decisions. Monitoring strategies differ based on risk levels. Resources flow to the highest-risk areas.

Most importantly, the time invested in risk assessment creates value rather than just creating documentation.

The goal isn't perfect risk assessment. The goal is risk assessment that actually improves how trials are conducted and increases the likelihood of generating quality data that supports regulatory submissions.

As the industry implements E6(R3), the organizations that figure out how to make risk assessments actionable, not just approvable, will have a significant advantage. They'll focus resources more effectively, identify problems earlier, and demonstrate to regulators that their risk-based approaches are genuine, not performative.

The question isn't whether to do risk assessments. Under E6(R3), that's required. The question is whether those assessments will sit in the TMF gathering dust or actually guide how teams work.