As someone who has been involved in risk management for a number of years, it has been interesting during COVID-19 to step back and reflect on some of my recent decisions and actions: Do we host a holiday party for 80 people? How about a smaller event for 30 people who all claim to have been fully vaccinated? Do we go to a restaurant that requires proof of vaccination? What about that gathering with some friends we haven’t seen in nearly two years but who haven’t been vaccinated?
The responses to these questions – and many others – are based on how much risk we are willing to accept or reject, or more specifically in the vocabulary of risk management, our risk appetite and risk tolerance.
This article describes and differentiates risk appetite and risk tolerance and discusses why these two concepts are foundational to how we make risk-based decisions.
Risk Appetite And Risk Tolerance Defined
While these two concepts are fundamental to the risk-based decisions we make, they are not defined in the original ICH Q9 Quality Risk Management guideline or in the ISO 14971:2019 standard: Medical devices – Application of risk management to medical devices. For our definitions, we go to an organization outside of pharmaceuticals and medical devices, the Committee of Sponsoring Organizations of the Treadway Commission* (COSO).
Risk appetite: The types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value.
Risk tolerance: The acceptable level of variation relative to the achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective.1
These definitions provide some sense of the concepts but may benefit from a bit more detail. Risk appetite is viewed as more strategic, providing high-level guidance to an organization or individuals on which choices to accept and which ones to reject; this helps people at all organizational levels make more consistent risk-based decisions. Risk appetite can evolve or change over time with or without those involved explicitly knowing about the change.
Risk tolerance is more tactical, guiding or applying the strategy in a particular situation, for instance, an alert or action level. Risk tolerance is more prone to variation depending on the circumstances.
Perhaps several examples can help here:
My risk appetite for getting a speeding citation when driving is quite low – I don’t want to have to pay the fine or get “points” that could increase the cost of my car insurance. But I will typically drive 74 miles per hour (mph) on the highway where the speed limit is 65 mph. In some situations, when passing a truck or keeping up with the flow of traffic, my tolerance may expand to a slightly higher speed. A friend, however, is not as concerned about getting a speeding citation (he has a higher risk appetite), which is reflected in the speed he usually drives – 80 mph – on that same highway.
Pharmacopeias of the U.S. (USP) and the European Union (EP) require that injectable products be “essentially free” and “practically free,” respectively, from visible particulates. These requirements need to be made actionable through specifications; however, “the specifications and acceptance criteria for visible particles in new drug applications submitted to the U.S. Food and Drug Administration (FDA) are inconsistent or non-existent.” In other words, a risk appetite has been established in the pharmacopeias, but the risk tolerances as evidenced by specifications that firms communicate to regulators are quite variable or not disclosed.
The FDA requires that drugs be “safe and effective” (risk appetite), which is demonstrated through extensive clinical testing and evaluated as the agency makes its decisions for drug approval or licensing (risk tolerance). However, in certain situations such as during the COVID-19 public health emergency, the FDA can issue an Emergency Use Authorization (EUA) that shows flexibility in their risk tolerance:
The “may be effective” standard for EUAs provides for a lower level of evidence than the “effectiveness” standard that FDA uses for product approvals. FDA intends to assess the potential effectiveness of a possible EUA product on a case-by-case basis using a risk-benefit analysis, as explained below. If, based on the totality of the scientific evidence available, it is reasonable to believe that the product may be effective for the specified use, FDA may authorize its emergency use, provided that other statutory criteria for issuing an EUA also are met.5
Something you may notice in the first and third examples is how different factors can affect risk tolerance: personal risk appetite, extrinsic factors like traffic flow, or public health emergencies. In some cases (like EUAs), the decision to expand tolerance from its typical range is very deliberate and directed by policies, regulations, and guidances. In other, often personal situations, it occurs without much conscious thought. Additionally, personal choice can affect risk appetite: When the risk is imposed from an external source, we tend to be less willing (i.e., tolerant) to accept a level of risk than when it is a self-made decision.6 Cigarette smoking and alcohol use are examples of this.
A Spectrum Of Risk Appetite
Figure 1 presents a five-level scale of risk appetite that considers four different factors. Using COVID-19 as an example, one’s answer to a question like whether to eat at a restaurant depends on how open or averse to risk a person is. An important point here is the risk question that is being asked: “What is the risk of going to a restaurant?” versus “What is the risk of taking a walk outside with a person?” A variety of factors affect the answer given. (An interesting aside: Thinking about COVID-19 again, you probably could put the name of someone you know in each of the spectrum categories based on how much social interaction they have had during the pandemic.)
Figure 1. Spectrum of risk appetite
Adapted from Quail (2012)
Risk Appetite, Risk Tolerance, And ICH Q9 QRM
There are several phases in the ICH Q9 Quality Risk Management (QRM) model8 where risk appetite and risk tolerance influence the risk-based decisions that are made. Specifically, this occurs in:
- The initiation phase when defining the levels of severity used when ranking the impact of the harm in risk analysis.
- Risk analysis when ranking the situation using the defined severity levels.
- Risk evaluation when determining which risks need to be reduced through control and mitigation activities.
- Risk acceptance when a decision is made concerning the residual risk that remains after control and mitigation activities have been implemented.
- Risk communication when deciding who in the organization or which stakeholders (e.g., regulators) are informed of the situation.
Let’s look at these in more detail.
Most QRM practitioners have moved from simple “low – medium – high” risk ranking categories to those with key words that are more clearly descriptive of different levels of the components of risk (i.e., usually severity, likelihood, and sometimes detectability). Creating or reviewing these ranking scales is usually done before the risk assessment is started (in risk initiation) or when beginning risk analysis. For example, if one is using a five-level scale for the risk domain of “compliance” (other risk domains may be quality, product availability, operational), Table 1 shows two different companies’ approaches in defining the significance of compliance events.
Table 1. Comparison of severity levels and events from two different perspectives.
In this example, you can see that Company A considers FDA 483s and Warning Letters as more significant events than Company B. In working with different companies, consulting colleagues and I have seen that some organizations want to avoid an FDA-483 at all costs (sometimes because of repeated past compliance failures), while others recognize that 483s occasionally occur and are willing and prepared to take the risk.
Risk analysis is when hazards (the source of potential harm) are rated for severity, likelihood of occurrence, and, sometimes, detectability. If a risk assessment team is not using scales with clear definitions, the conversation during risk analysis can go something like this:
Facilitator: “How would you rate the severity if we received an FDA-483?”
Team member #1: “Inspectors give those out all the time. They aren’t generally that bad and we can usually make a strong case for our practices. I’d rate them a “two,” or moderate in terms of severity.”
Team member #2: “But we really don’t want one and need to take all the steps we can to avoid a 483. They are bad news. So, I’d rate that a three or maybe even four.”
The team members here have different risk appetites, with member #2 being more risk averse for such an inspection outcome. Without agreed-upon scale definitions that have keyword descriptors, the result of the assessment will often be biased by the loudest voice in the room or the person who has the highest organizational position.
Risk Evaluation And Acceptance
Risk evaluation involves making a decision on which risks need to be reduced through a combination of risk controls and mitigations. Evaluation often involves a risk matrix that, based on the results of the assessment, identifies the appropriate actions to be taken.
Figure 2 shows two different risk matrices. Figure 2B, which illustrates a lower risk appetite, has more severity/frequency combinations in red, meaning that the risk must be reduced. (Green represents risks that are acceptable; yellow represents the risks that, if possible, should be reduced.)
When accepting risk, the situation is reevaluated considering the effectiveness of the additional controls that have been implemented using the same matrices or criteria that were used in risk evaluation.
Running throughout the ICH Q9 QRM model is risk communication, which involves escalating information concerning a risk “up” to higher levels within the organization. This is done to keep leadership informed of a particularly sensitive potential problem or to request their assistance in providing additional resources to reduce the risk.
Risk communication may also provide information to stakeholders like regulators (for example, a Field Alert Report based on a serious complaint or a “Dear Health Care Provider” (formerly called a “Dear Doctor”) letter). Guidance issued by regulators gives concrete examples (and timeframes) for these communications.9 There are other situations, such as internal data integrity issues where firms might decide it is in their best interest to give the regulatory authority a “heads up” of a problem – an example of when there is a lower level of risk tolerance.
Having a formal set of criteria for deciding what level and type of communication is appropriate helps to provide consistency in what needs to be communicated and when.
With this look at how risk appetite and risk tolerance are used when making risk-based decisions, let’s now consider some of the implications that come from this.
When there are conflicts between differing explicit statements or implicit “understandings” concerning risk appetite, a tension will often become apparent. Those involved need to talk through their concerns, the risk, and the benefits. For example, a firm may state that they want to be in full compliance with all regulations, but sometimes there are gray areas: Should they communicate to the health authority about a potential data quality issue or not? Not everything can be identified and addressed through procedures up front; those gray areas can prompt healthy debates that draw on company values and organizational culture, and a focus on the patient/customer can help set a path forward.
Events And Conditions Can Shape Risk Appetite & Tolerance
Where there is a significant issue, be it in the quality, compliance, or another domain, it can place more attention on risk appetite and risk tolerance. If, for example, a product is made and a deviation is discovered, a firm may determine it is in the best interest of everyone to reject the product. If, however, it is a medically necessary product that, if rejected, could result in a significant drug shortage, a risk-benefit analysis would be performed to determine if the risk to patients of not having the product available to those who need it is less significant than supplying a product with the potential defect. (Risk communication with health authorities often occurs in these situations to help identify options.)
Internal and external factors can have an impact on how risk-based decisions are made. Sometimes this can be a slow, subtle evolution; in other cases, it can be a significant change. For example, in the recent past, some drug manufacturers would reject a batch of raw materials for even a very small variance from specifications. Now, because of supply chain delays and/or financial limitations, firms will consider the implications of that rejection – can they get a re-supply in time? Is there a way that the material can legitimately be approved for use? What might a delay mean to production schedules and availability of the drug product? Changes in an organization’s financial position or in leadership can change the calculus of risk assessment and evaluation.
The raw material example above invokes another risk concept: risk capacity, which is the risk that can be absorbed. Rejecting a batch of raw material is much easier when you have a storeroom filled with other batches that you know meet specifications.
Risk Appetites & Tolerances Are Not The Same For All Risk Domains
An organization may have different risk appetites and risk tolerances for different domains or categories of risk (e.g., quality, regulatory, operational, product availability). For example, a firm that has a strong financial position may have a large appetite for taking on financial risks but a small appetite for regulatory/cGMP type risks. Or, it could be the other way around. It is important to understand the context surrounding risk appetite.
How does your organization describe and communicate the level of risks that it is willing to take? If your firm states on its website that it wants to “push boundaries” and “be the first to commercialize…,” those words imply a large appetite for risk; the organization’s culture would encourage risk taking and willingness to accept the failures that may occur.
Communication about risk appetite allows for transparency and helps everyone in an organization know lines that must not be crossed. For instance, some firms have data integrity policies saying that if someone backdates a document, turns off instrument audit trails, or intentionally misidentifies samples, they are subject to immediate termination. Communication about risk appetite and risk tolerance contributes to an organizational culture where people understand not just the what but the why.
Multiple times a day we each make risk-based decisions that affect us personally, those around us, our organizations, and the patients we serve. Whether we recognize it or not, the basis for how much risk we are willing to accept is our sense of risk appetite and risk tolerance. It is important for leadership to actively discuss and communicate what these concepts practically mean to the organization in order to provide a context, understanding, and a level of consistency for the decisions that are made.
Appreciation to Hal Baseman, Stephen Langille, and Amanda McFarland for their review and suggestions that improved this article.
1. Martens, Frank J. and Larry Rittenberg. (2020) Risk appetite – Critical to success. COSO. Accessed 24 January 2022: https://www.coso.org/Documents/COSO-Guidance-Risk-Appetite-Critical-to-Success.pdf
2. Madsen, Russel E., Roy T. Cherris, John G. Shabushnig, and Desmond G. Hunt. (2009) Visible Particulates in Injections—A History and a Proposal to Revise USP General Chapter Injections <1>. Pharmacopeial Forum Vol. 35(5) [Sept.–Oct. 2009]. Accessed 24 Jan 2022: http://www.baipharma.com/documents/PF35-5-_StimArticle-3Chapter1VisibleParticulatesinInjections.pdf
3. Langille, Stephen. (2013) Particulate matter in injectable drug products. J Pharm Sci and Tech 2013, 67 186-200. Accessed 24 January 2022: https://journal.pda.org/content/early/2019/11/15/pdajpst.2019.010462
4. FDA. (1995) 21 Code of Federal Regulations, Part 314.2. Accessed 24 January 2022: https://www.ecfr.gov/current/title-21/chapter-I/subchapter-D/part-314
5. FDA. (2017a) Guidance document: Emergency use authorization of medical products and related authorities – Guidance for industry and other stakeholders. Accessed 24 January 2022: https://www.fda.gov/regulatory-information/search-fda-guidance-documents/emergency-use-authorization-medical-products-and-related-authorities.
6. Slovic, Paul. (1987) Perception of risk. Science 236 (17 April): 280-285. https://doi.org/10.1126/science.3563507
7. Quail, Rob. (2012) Defining your taste for risk. Corporate Risk Canada. Spring. Accessed 24 Jan 2022: https://erm.ncsu.edu/az/erm/i/chan/library/338_Corporate_Risk_Canada_Risk_Appetite_2012.pdf
8. ICH. (2005) ICH Harmonised Tripartite Guideline: Quality Risk Management Q9. November 2005. Accessed 24 January 2022: https://database.ich.org/sites/default/files/Q9%20Guideline.pdf
9. FDA. (2017b) Guidance document: Dear health care provider letters: Improving communication of important safety information. Accessed 24 January 2022: https://www.fda.gov/regulatory-information/search-fda-guidance-documents/dear-health-care-provider-letters-improving-communication-important-safety-information.