A quality risk assessment is a structured way to find what could go wrong with a product or process, rate each risk by how bad and how likely it is, and decide which risks need controls. It turns gut feel into a ranked, documented, actionable list.

Every plant already does risk assessment; most just do it informally, in the head of the one engineer who "knows where the bodies are buried." That works until the engineer retires or the failure they were quietly guarding against finally happens on a shift they were not on. A formal quality risk assessment writes that knowledge down, scores it consistently, and points resources at the risks that actually matter instead of the ones that shout loudest. This post covers how to score risk, how to build the register, and how to connect it to the tools you already run.

What is a quality risk assessment?

A quality risk assessment is the process of identifying potential quality failures, estimating the risk each one carries, and deciding what to do about it. Risk here has a specific meaning: the combination of how severe a failure would be and how likely it is to occur. Many frameworks add a third factor, detectability, which is how likely you are to catch the failure before it reaches the customer.

Two big standards frame the practice. ISO 9001:2015 built "risk-based thinking" into the whole quality system: clause 6.1 requires you to determine the risks and opportunities that could affect conformity and address them, though it deliberately does not mandate a specific method. In the pharmaceutical world, ICH Q9 makes quality risk management explicit and formal, defining risk as the combination of the probability of harm and its severity. The tools differ by industry; the logic is the same everywhere. This is the same risk-based thinking that underpins a good FMEA.

How do you score severity and likelihood?

You score each risk on simple scales and multiply. Most plants use a 1-to-5 or 1-to-10 scale for each factor. Severity asks: if this failure happened, how bad is the consequence, from a minor cosmetic issue up to a safety recall? Likelihood asks: how often would we expect it, from once-in-a-decade up to every batch? The product of the two is the risk score that ranks your list.

The trick that makes scoring honest is a rated scale with words, not just numbers. "Severity 4" means nothing until the table says severity 4 is "customer complaint and return, no safety impact." Without those anchors, two people score the same risk three points apart and the whole register becomes noise. Write the scale once, post it, and make everyone score against the same words.

A five by five quality risk matrixSeverity multiplied by likelihood ranks the listLIKELIHOOD →SEVERITY → ABacceptact now
Risk A (severe, likely) sits in the rust corner and gets a control now. Risk B (moderate) is monitored. The low-left corner is accepted as-is.

What is the risk priority number and when should you use detectability?

When you add detectability as a third factor, you get the risk priority number (RPN) used in FMEA: severity multiplied by occurrence multiplied by detection, each on a 1-to-10 scale, giving a value from 1 to 1000. Detection is scored backwards from intuition: a 10 means the failure is nearly impossible to catch before it escapes, a 1 means you will almost certainly catch it. A failure that is severe, common, and invisible earns the highest RPN and the first action.

Use the two-factor severity-by-likelihood matrix for a fast, high-level pass across many risks, projects, or suppliers. Use the three-factor RPN when you are doing a detailed process or design study and detection genuinely varies from step to step. Do not force RPN everywhere; a 1000-point number carries false precision that a five-by-five grid honestly avoids. Match the tool to the depth of the question.

The risk priority number formulaWhen detection matters: the RPNSEVERITYhow bad (1-10)×OCCURRENCEhow often (1-10)×DETECTIONhow hidden (1-10)=RPN = 1 to 1000detection 10 = nearlyimpossible to catch
RPN is severity times occurrence times detection. Rank by RPN, but always act on any high-severity item regardless of its total.

How do you run a quality risk assessment step by step?

The process is a loop, not a one-time event. Run it when you launch a product, change a process, investigate a recurring problem, or review at a set interval.

  1. Define the scope. One process, one product line, one change. A risk assessment that tries to cover the whole plant covers nothing well. Name the boundaries before you start listing failures.
  2. Assemble a cross-functional team. The operator who runs the line sees risks the engineer never will, and vice versa. Quality, production, maintenance, and someone from the customer-facing side each spot different failures.
  3. Identify the failure modes. Walk the process step by step and ask "what could go wrong here?" for each. Draw on complaint history, non-conformance reports and near-misses so you are listing real risks, not imagined ones.
  4. Score each risk against the rated scale. Severity and likelihood (and detection if you are using RPN), everyone scoring against the same posted definitions. Argue the scores; the disagreement is where the learning is.
  5. Rank and set a threshold. Sort by score. Draw a line: risks above it get an action, risks below it are monitored or accepted. The line makes the assessment finite and honest.
  6. Assign controls and owners. For each risk above the line, decide the control (a poka-yoke, an added check, a spec change) and name who owns it by when. A risk with no owner is a risk you have merely admired.
  7. Re-score after the control and review on a cadence. Estimate the residual risk once the control is in. Then put the register on a review schedule, because processes drift and new risks appear.

What goes in a risk register?

The register is the deliverable. It is a living table, not a report you file. Each row is one risk, and the columns force you to think all the way through to an action. A workable minimum looks like this.

Risk / failure modeCauseSevLikelihoodScoreCurrent controlAction / owner
Undetected seal leak shipsWorn sealing bar5315Random leak checkAdd inline leak test / Maint. lead
Wrong label on cartonManual changeover4416Operator verifyScan-to-confirm poka-yoke / QA
Fill weight under specPump drift339SPC chartMonitor, no action / Line lead

The two columns people skip are "current control" and "residual after action," and skipping them is what turns a risk register into a list of worries. The point of the exercise is not to enumerate everything that could go wrong; it is to move the high risks down the matrix by putting real controls in place, then prove the move with a fresh score. When a control fails or a new risk shows up, it feeds straight into CAPA and, where you dig for causes, into root cause analysis.

What do the standards say about quality risk management?

The frameworks behind quality risk assessment

  • ICH Q9(R1) Quality Risk Management defines risk as the combination of the probability of occurrence of harm and the severity of that harm, and lists risk-ranking, risk matrices, and FMEA/FMECA among its recognized tools (ICH, Quality Guidelines (Q9)).
  • ISO 31000:2018 provides the general principles and process for risk management that a quality risk assessment can be built on, independent of industry (ISO 31000 Risk management).
  • ISO 9001:2015 builds risk-based thinking into the quality system in clause 6.1, requiring organizations to determine and address the risks that could affect conformity of products and services (ISO 9001:2015).

How is a quality risk assessment different from FMEA?

They overlap, and people use the terms loosely, but the relationship is clean: FMEA is one method of quality risk assessment, the detailed three-factor one. A quality risk assessment is the broader activity, which might use a quick two-factor matrix for a supplier review, a full FMEA for a new process, or a hazard analysis for a food line. Think of the risk assessment as the question ("what are our risks and which matter?") and FMEA as one of the more rigorous ways to answer it for a process or design.

In practice you often nest them. A high-level risk assessment across a product line flags the two processes that carry the most risk, and each of those gets a detailed FMEA. Running FMEA on everything is expensive and dilutes attention; the risk assessment is what tells you where the deep dive is worth it. The same records feed your quality audit and your traceability so risk, control, and evidence line up.

Why do quality risk assessments end up as shelfware?

Because they are treated as a document to produce rather than a control to maintain. A risk register built once for an audit, scored by one person in an afternoon, and never reopened is worse than none, because it creates the illusion that risk is managed. The assessments that earn their keep are the ones tied to live data: a control's effectiveness is visible in the defect and complaint numbers, so when a control quietly stops working, the register's assumptions get challenged by reality.

That is a data problem before it is a quality problem. If your defect, hold, and complaint records are trapped on paper, you cannot see a control decaying until it fails outright, and you cannot cheaply re-score the register. Capturing those events as structured data at the point of work, which is what Harmony's station-level digitization does with no rip-and-replace, keeps the register honest and links each risk to the traceability record that proves whether the control held. See it in the CLS case study. A risk register that breathes with the floor data catches the next failure; one in a binder just documents the last one, and often not even that. Start narrow, score honestly, control the top risks, and re-score. That loop, run regularly, is worth more than the fattest one-time report.