Do We Really Understand Risks?

The FDA risk-based approach standardizes a very subjective process

A recent article in the Norwegian paper Aftenposten had me laughing. It compared the risks of being killed by certain happenings.

Are you more afraid to be killed by a poisonous spider (or by a shark) or by a champagne cork? Most people would say the dangerous animals. However, according to the article, the corks are significantly more dangerous than the spiders!

Throughout the world, there are supposedly 24 people killed by corks and only 12 by spiders each year. It has been impossible for me to verify the exact numbers, and I assume that quite a few deaths from spiders may be unreported. The article also stated that only 15 persons a year die from shark attacks (most of them provoked), while 150 people die every year from falling coconuts. But how many people are afraid of coconuts and champagne corks, as compared to sharks and spiders?

I am convinced that most people do not understand risks. People’s perceptions of risk are influenced more by what “sounds scary” than by how likely it is to happen.

In Norway, some 350 persons die each year in traffic accidents. About 350 persons also win one million kroner (approximately 200,000 USD) in national lotteries each year. Everyone who spends money on the lotteries is certain that they will be one of the lucky persons who will win. On the other hand, no one ever thinks they will be among those killed in traffic, even though the likelihood is the same.

There is also a big discussion in Norway about how dangerous wolves are. Many people are scared of them, although there are fewer than 100 wolves scattered over the country, and no person has been killed by wolves during the last 150 years. At the same time, nearly everyone is in traffic every day, where 350 are killed and many thousands more are wounded each year. The likelihood of being injured in a traffic accident is incredibly high compared to the danger of a wolf accident. Nevertheless, if a wolf is seen in a neighborhood, people rush to take their kids as far away as possible. Why are they scared of wolves and not of traffic?

According to a master’s thesis by Kate Dockery at the University of Florida, we are afraid of things that might happen but most likely are not going to happen. However, we are optimistic when it comes to situations that are likely to happen. One example she uses is marriage. People get married thinking that the 50 percent divorce rate is going to happen to others than themselves.

Pharmaceutical regulations state that a “risk-based approach” should be used so that high-risk areas are prioritized before low-risk areas. Thank goodness it is not left to each person's opinion what is high-risk and what is low-risk! In that case, we could end up with solutions like “getting rid of wolves” instead of “getting rid of traffic,” even if wolves, in this case, are low-risk and cars are high-risk.

The FDA started to advocate the risk-based approach around 2000, and other regulatory agencies have followed. Today this is the way to do validation of production, laboratory work, IT systems and everything else.

In order to understand and manage risks, one must understand the processes of which they are a part. Risks vary in different processes, and it is not possible to transfer the assessment of risk from one process to the other.

Risk management involves two main steps:
• Risk assessment — where risks are identified and defined
• Risk management — where decisions are made as to how to handle the risks

The overall risk reference in the pharmaceutical industry is based on the risk to the patient’s health. The principle of risk assessment is to see risk as a function of likelihood and impact. In order to do this, the risks must first be identified.

The identification step determines whether the system function or sub-function represents a risk when assessed against a series of criteria. The outcome of the discussions is documented, even if the result is that it is not a risk.

The next step is to determine the likelihood, also called frequency or probability, of an adverse event occurring. The total function of impact, probability of the risk, and likelihood of detection gives the status for the risk (high / medium / low). Following this risk-based approach will give a scientific answer to what is the highest risk.

The functions and processes with the highest risks need to be managed first. If people understood this, they would do something about the cars and not about the wolves.

Recommended Reading
1. ICH, Q9 Quality risk management, 2006, ICH
2. GAMP 5 Good Automated Manufacturing Practice (GAMP) Guide for A Risk-Based Approach to Compliant GxP Computerized Systems, February 2008, International Society for Pharmaceutical Engineering (ISPE), Fifth Edition, ISBN 1-931879-61-3
3. GAMP Good Practice Guide: A Risk-Based Approach to Compliant Electronic Records and Signatures, 2005, International Society for Pharmaceutical Engineering (ISPE), First Edition, ISBN 1-931879-38-9
4. ISO 14971:2007 Medical devices -- Application of risk management to medical devices, 2007, ISO
5. Jones, A. and Ashenden, D., Risk Management for Computer Security: Protecting Your Network & Information Assets, 2005, Elsevier, ISBN 0-7506 7795 3
6. Kumamoto H. and Henley, E.J., Probabilistic Risk Assessment and Management for Engineers and Scientists, 1996, Institute of Electrical and Electronics Engineers, Inc., New York, NY, USA, ISBN 0-7803-6017-6

Siri Segalstad is Principal, Segalstad Consulting AS and author of International IT Regulations and Compliance (Wiley, 2008). She may be reached at