Roxane Napoli, Marketing Manager, Pilgrim Quality Solutions
If you’re responsible for planning and carrying out your company’s internal audits, you know how much planning and effort it takes to monitor your quality system for GMP and ISO compliance. As your quality system has matured, you’ve probably noticed that certain sites, departments, or processes require more of your attention, while others are consistently in compliance and don’t need as much assistance. If this is the case in your organization, it’s time for you to consider a risk-based approach to your internal quality system audits.
The Value of a Risk-based Approach
In previous posts, we’ve discussed the value of risk-based approaches to other quality processes (such as incoming inspection and CAPA). A risk-based approach to internal audits allows you to assess the importance and performance of each area to be audited and to use your results to devote your auditing time and resources to these critical business areas. Based on this risk assessment, you may also decide that certain areas of your business don’t need as much oversight. The value in a risk-based approach frequently comes in the form of higher product quality, since trouble areas will receive the time and attention they need to improve. Risk-based quality audits also improve your productivity. You will spend more time discovering and solving problems rather than auditing areas that are already performing well.
Let’s take a look at how you can incorporate risk into your internal ISO and GMP audit processes.
Step 1: Assess Risk throughout the Organization
When you’re assessing risk, consider the departments and processes you normally audit. As you work through these areas, you may choose to quantify each area’s risk level. Or you can use other standard risk analysis tools such as FMEA.
There are many areas to consider when assessing risk, but three key areas include:
- Risk to Product Quality and/or Patient Safety — Rank each department or process according to its criticality in terms of producing a safe, high-quality product.
- Performance Risk — Review the history of nonconformances, CAPAs, recalls, or adverse events for each area to be audited. Areas with a higher number of these incidents should be given a higher risk score.
- Compliance Risk — Look at past recommendations and findings to determine if a process or department poses a risk to GMP or ISO compliance. This score can also factor in how well the area has corrected previous audit observations.
Once you’ve considered these areas (and other risk areas specific to your business), you can combine their individual risk scores to create an overall risk score for each department or process. This can help you quickly understand your high-risk areas so you can create your audit plan accordingly.
This assessment forms the basis for your risk-based audit plan, so it should be documented in a list or spreadsheet as you work through it.
Step 2: Incorporate Risk into Your Audit Plan
As you’ve ranked each department’s risk, you’ve probably begun to form a mental picture of your audit plan. Now it’s time to take a closer look at each area and its corresponding risk score.
A key part of your planning will be your audit schedule. Higher risk areas will need to be audited more frequently (at least annually, but possibly more often). But for low-risk areas, it is important to remember that an annual audit is not always required. In either case, you need to define how often you will audit each department based on the risk assessment, document that schedule, and stick to it.
There are other pieces of your audit plan that are also affected by risk. These can include the audit duration and the size and skill of your audit team. You may need to plan for longer, more detailed audits of high-risk areas. And areas involving more complex products or processes may require auditors with special skills or knowledge.
Step 3: Conduct risk-based audits
Risk-based auditing doesn’t stop with your audit plan. Once you’ve determined an area to audit, you can incorporate a risk-based approach into each audit you conduct. The first step is to review each department’s existing procedures. These documents provide you with a jumping off point for understanding which processes a department views as high-risk, so you can focus your questions in these areas.
If you’ve audited this area before, you should review the data you already have from previous audits and work from there. Some items to review include:
- Observations from previous audits
- Previous corrective action plans and their effectiveness
- Areas that were not inspected during previous audits
- Defects, adverse events, or recalls related to this department
- Changes to processes or personnel since the last audit
Understanding these areas will help you hone in on potential areas of concern. This will help you focus your questions properly and get the most value from your time spent auditing.
Step 4: Risk-based Follow-Up
Once you’ve completed the audit, you will assign recommendations and/or findings. Using a risk-based approach to follow up, you will assign a risk level to each finding to clarify which findings need a quick response or escalation. This allows you to address critical findings more quickly, rather than just following up to findings in the order they were discovered. This, of course, feeds your CAPA process. High-risk findings can trigger a CAPA process while low-risk can be resolved quickly and closed with the audit.
Step 5: Monitor changes to your risk picture
Your initial risk assessment was a snapshot of your quality, performance, and compliance risks. Changes to products, processes, or defect history will cause this snapshot to evolve over time. That’s where automated quality management software can help keep you aware of emerging risks. Solutions like our SmartSolve® quality management system will help you monitor defects, CAPAs, customer complaints, changes, and other processes that will affect your overall risk. You will be able to quickly understand the performance of your various sites and processes, and modify your audit plan and other quality processes accordingly.
Implementing Your Risk-Based Audit Program
The idea of implementing a risk-based GMP audit program, or any type of risk-based process, can be intimidating. But keep in mind that you don’t need to change your entire audit process all at once. Take it one site, department, or process at a time; document your plan; and you will keep your audit program moving in the right direction.
How do you incorporate risk into your ISO and GMP audit programs? Let us know in the comments below.
6 Strategies for Internal Audit Success E-Book
Download this free e-book