Risk management in clinical trials is an ever-changing and improving process that’s all the more critical with the increases in trial complexity and reductions in R&D budgets.

As trials grow, so do the principles of thought and action that go into mitigating risks in trial design and execution.

  • Are you struggling to identify and mitigate risks effectively in your clinical trials?
  • Do you find it challenging to prioritize risks and allocate resources accordingly?
  • Are you unsure how to adapt your risk management strategies to evolving regulatory requirements?

This article is for:

  • Clinical trial project managers seeking practical guidance on enhancing risk management processes.
  • Regulatory affairs professionals responsible for ensuring compliance with industry regulations related to risk assessment and mitigation.
  • Researchers and clinicians involved in clinical trial design and execution, eager to minimize potential risks to patient safety and data integrity.

Risk Management in Clinical Trials: Why Does It Matter?

Risk is a part of life, whether personal or professional and in the professional world of clinical trials, these risks are a strong focus of the study design. They have to be, because the entire foundation of medicine, let alone the safety of the patients and practitioners involved is at stake.

Risks relating to quality, timeliness, safety, or budgets can affect the overall outcome of trials in several ways and it’s important when designing a study to be aware of them and to have a planned procedure for categorizing and mitigating them where possible.

Managing risk involves identification, assessment, planning, monitoring, and reacting to threats to the safe and efficacious desired outcomes of clinical trials and is a practice that is entirely necessary to maintain a standard of care and safety to the medical and patient communities.

As clinical trials become more complex, new risks emerge, and the essential nature of risk management is emphasized and put to the test. Every stakeholder in trials benefits from good risk management, from those interested in an ROI to those looking to further the science, and of course, those in need of urgent new treatments.

Risk assessment, therefore, means two, intimately-related things: it is both the program and its goal. A robust risk assessment program underlies effective management of risk, and it does this by comprising a series of activities or processes that follow the entire lifecycle of the product or treatment and striving to identify and remove or avoid any factor or process that threatens its quality.

Risk assessment achieves this by way of a risk management plan.

Forming a Clinical Trial Risk Management Plan

Risk management needs to begin at the moment of the trial’s conception. In this way, mitigation of risk will be woven into the protocol of the study itself, and the power of risk management is maximized throughout the trial. Before we get started on how to design this plan, the relevant documentation deserves a brief mention.

In terms of reference documents, there are two particularly useful sources of information to help with this:

  • ICH Q9 – This is a guideline on quality risk management that covers areas such as hazard identification and risk ranking and filtering.
  • ISO 14971 – This is specifically aimed at medical devices, but contained a structured approach for effective risk management that applies to most studies as a whole.

It’s worth mentioning here, the ICH E6 R2, which covers some of the best practices of a more formal risk management process, and is discussed at the end of this article. There are also many other documents to refer to for more specific or generalized information, such as ISO 13485, which focuses on integrating active risk management in quality processes.

clinical trial risk management planThe first step to forming a risk management plan is to be aware of and present with these documents. This will make it far easier to go through the following stages thoroughly.

1 – Identify and Define the Objectives of Each Category

Now, risks need to be considered and broken down into categories based on the parts of the study they fall under. There are two ways to approach this. If you begin with the risks and work backward, you end up forming the objectives off the back of those risks. The other way is to start with objectives and allocate risks to each of them.

For example, objectives throughout the study may fit into one of the following categories:

  • Timelines – This could be meeting set patient recruitment rates or regulatory approval timelines.
  • Safety – Safety objectives may cover limiting the number of adverse effects or the number of patients dropping out due to these adverse effects.
  • Quality – The target number of protocol deviations or cases of incomplete subject diaries would be under this category.
  • Compliance – E.g., minimizing missing or incomplete ICF files, inadequate monitoring of investigations.
  • Budget – Increases in clinical trial duration or sites’ budgets could be an objective here.

This forms a foundation for the identification of risks under each category, and how these risks might affect the success of each objective. This stage could represent a section of its own, as it involves a thorough assessment and identification procedure, in which internal and external processes, people, systems, and technologies are all examined for their impact on the risk of the study.

However, these details will be specific to each case, so a summary will suffice here. Clear identification of these risks takes time and should involve multiple different stakeholders depending on the context but the objective should be the same: find and categorize each risk that may jeopardize the ideal outcome of the objectives you have set.

2 – Conduct a Root Cause Analysis (RCA)

The next step is a deeper assessment of the events and risks that you’ve identified, and a discussion about the tolerance limits. RCA is a critical component of risk assessment as it is a process of making everything more efficient. Starting by finding the cause of each risk, you’ll then be able to work out how to address it and whether or how critically it really needs to be addressed.

For example, if you identify an objective to keep recruitment rates above a certain threshold, you may then find that the rarity of the disease is a potential root cause of the risk that patients may be hard to find in time, which would therefore threaten your objective.

While this is part of the separate RCA process, doing a thorough job in the identification of objectives can include a lot of root cause identification organically. This stage is essentially about completing the thorough risk statement with the cause included, so some risks will be easier than others in this regard.

This completes a chain between risk and objectives and helps to pad out and illuminate the specific areas that will be involved in risk mitigation and action planning sections of the later process. This is then part of the overarching goal of either minimizing or eliminating risk entirely and is described by the FDA Guidelines as the necessary step of identifying and understanding the nature, locations, and causes of risks that affect the course of the trial.

Data is one of the core focuses of a robust risk assessment plan, as it carries with it some of the highest risks to multiple categories of objectives. Monitoring efforts, therefore, need to be focused on the most likely sources of error in the conduct of collecting and storing said data, and thresholds need to be set based on tolerance limits, as a way of setting trigger points of action, should the risk reach unacceptable levels.

3 – Assess the Likelihood and Impact of the Risks

As an offshoot of the RCA, a deeper dive into the impact of each risk and the chances of it occurring can be performed. Broken into its likelihood and impact, each risk can then be analyzed further. Different contexts will define the scale used for this, but each can typically be ranked from 1 to 5 or 1 to 3 on a risk matrix.

The purpose of this stage is to set yourself up to define your responses. Before you can respond to the risks, you need to know what severity rating they have in order to set priorities of action into your plan. A simple 1 to 5 scale may use impact rankings of Insignificant, Minor, Significant, Major, and Severe. These can be set against the likelihood rankings of Rare, Unlikely, Moderately Likely, Likely, and Almost Certain.

Using this matrix, you’ll immediately see how your risks group together in different priority rankings. Risks ranking at the top of both indices will be the ones that need to most immediate and involved attention, while risks at the other end of the spectrum will be ones that can be bumped down the priority list and potentially accepted.

When you have your rankings, it’s time to decide on what your course of action will be in response to each one.

4 – Decide on Your Risk Responses

You can divide your responses into categories too, in order to make it easier to define the specifics of each. Consider four categories of response:

  • Avoid – These are the risks that must be dealt with immediately. For example, if there can be no approval due to a design element of the trial, this is the highest impact of risk as the trial itself can’t continue and the design must be altered.
  • Transfer – If the team involved finds the risk outside of their control, it can be transferred to a more qualified group for decision-making in regard to its impact and the necessary responses.
  • Mitigate – These are risks that can be removed or reduced to a more comfortable ranking, either by reducing the likelihood or the impact. Mitigation could also involve increasing the risk detection chances.
  • Accept – Some risks are simply worth taking. If an objective is threatened by a risk that will pay off in the long run, and this risk can’t be mitigated in any other way, it’s classed as an acceptable risk.

For some specific examples, let’s say that a site offers significant benefits to the overall study (for example, a unique participant pool) but it’s in a location that could delay regulatory approval and the staff may not be as qualified as you would like to hit your compliance targets.

The delays in acceptance might be considered worthwhile to reach your target population, so you consider that risk acceptable. On the other hand, compliance issues jeopardize the entire outcome of the study, so staff monitoring becomes an important focus of mitigation in terms of the risk to GCP. Assigning deeper monitoring to this part of the trial increases the risk detection rate and minimizes its impact ranking to acceptable levels.

Risk Dynamics: The Importance of an Ongoing Assessment of Risk

While the clinical trial risk management plan should be a key focus of the early-stage trial design, it’s important to understand the dynamic nature of risks and how they change and evolve as the trial is ongoing.

Assessment should be maintained at intervals throughout the trial conduct and to its closing phases too. Some risks have a cascade effect, so if they show up, they create other areas that need to be assessed. Others can have one root cause at one stage of the trial and another later on, meaning the responses might need to be adjusted.

It’s important to consider risk management in clinical trials an ongoing practice and to design your management plan with this in mind.

ICH E6 R: Risk Management in Clinical Trials – Two Best Practices to Mitigate Risk

As risk management is a diverse practice that needs to be tailored specifically to each case, there are many factors that cannot be generalized. However, there are practices worth following that relate to risk management as a whole and some areas of the process worth getting into in more detail as they pertain to clinical trials of all kinds and are of particular significance to the risk management process.

In 2016, ICH published a document that represents a new formal standard of risk-based approaches to clinical trials. In the Quality management section of this revision, the document covers the concept of risk-based thinking and divides this into two fundamental aspects:

  1. Define what is critical to successFocus on what matters. In the development stages of the trial protocol, and at the “Identify and Define” stage of the management plan, it’s important to clearly identify specific data and processes that are critical to human protection and the reliability of the results of the trial. This is a matter of how to think in a way that prioritizes the desired outcome of risk management, rather than the process. Your risk management plan is about the return on the significant investment into clinical trials from every stakeholder, whether it’s money, time, or therapeutic treatment. A study’s risk management helps bring these returns to life, resulting in a safe, effective, and powerful set of data that covers the needs of everyone involved.
  1. Manage the critical elements of a clinical trial – This relates to the ongoing and dynamic nature of the risks involved in clinical trials. During the whole lifecycle of the study, it’s important to maintain an effort of identifying, evaluating, controlling, communicating, reviewing, and reporting on risks.

Having everyone involved on the same page is a key component to successful risk management. Breaking down the thinking around risk into these two categories opens up the way for all stakeholders to take part in the following suggested best practices:

  • Provide adequate support to clinical trial teams – Consider assigning a Risk Manager as a champion of the risk management process. They can be responsible for guiding thought processes and controlling appropriate documentation.
  • Start early – Since risk presents itself at every stage of the trial, including protocol design, risk management should precede it.
  • Balance critical thinking and available resources – It’s important to use the available resources to help identify risk, but beware of relying on them too rigidly. Risk managers should be able to navigate these documents while maintaining critical thinking in the RM team.
  • Promote cross-organizational risk identification – Include as many perspectives as possible, including even the sponsors and vendors, where appropriate.
  • Set appropriate thresholds – Setting between 3 and 5 predefined quality tolerance limits is key to keeping things from getting over-complicated and to illuminate systemic, protocol-level issues that can impact outcomes.
  • Integrate multiple data sources when rereviewing risk registers to drive the right downstream decisions – And perform risk assessment at regular intervals to assess if mitigations are effective and whether new risks are emerging.
  • Communicate regularly internally and externally – Ensure real-time access to the risk register is available to reduce latency and improve communications access to the most current information.
  • Apply lessons learned – Adapt in response to root cause analyses in the form of lessons-learned activities.


Risk assessment is a systematic process of identifying, analyzing, and responding to events or processes that jeopardize a trial’s objectives. Risks come in many shapes and forms, and from all directions, and it is in the effective management of these risks that trial design and execution is able to run with the best possible outcomes for all stakeholders.

Start early, and break the process into stages of identification, root cause analysis, likelihood and impact evaluation, and tolerance thresholds. From there, follow some best practices and maintain critical thinking while applying these principles throughout the study.