At this point, we look at each risk and consider the likelihood of the risk occurring (probability) and the severity if it occurs.
Using the scoring system established previously, we calculate the initial risk value calculated based on multiplying the probability and severity scores together.
Detection Score
There are times when a “detection” score is also a useful input to scoring. This just takes one more step: multiplying the severity * likelihood of occurrence by the detectability score (detectability being valued from always detectable to never detectable).
GAMP®5
Note: GAMP®5 makes this a 2-step approach with severity * likelihood of occurrence establishing the risk class and then multiplying that by detectability to define the risk priority. Separating them allows you to decide if managing both values helps.
This establishes our pre-control risk score.
Let’s consider our ‘date’ example again.
If the system allows an invalid or incorrect date, we’ll have a GxP failure.
Initial Risk
We conclude that this ranks a 2 in severity (GxP minor failure) and a 3 in likelihood. This establishes our initial risk value of 6.
Going through all the risks, failures, and effects, we’ll have a range of initial risk values ranging from 1 to 9.
Obviously, the highest scores are the ones we’re most concerned about.
We need to define a standard by which we assess these risks.
Using the 3×3 matrix, we can establish a risk ranking.