Risk Scenarios

Owned by Henry Farris (Unlicensed)
Last updated: Feb 23, 2022 by HB Farris
4 min read

The VERA Risk Scenario Assessment Process

VERA provides a GAMP 5-based risk assessment feature in the Requirements module of QC/ALM. This feature enables authors to:

  1. Identify and document risk scenarios
  2. Trace the scenarios to one or more system requirements
  3. Assess the risk variables and calculate a risk rating for each scenario (using GAMP 5 risk calculations)
  4. Document a mitigation strategy for higher-risk scenarios
  5. Trace the scenarios to test cases
  6. Submit the completed risk assessments for approval

Identify and Document Risk Scenarios

Start the risk assessment process by creating a new Risk Scenario record for each identified system risk.


Step 1: Analyze the system's intended functionality to identify potential risk scenarios. A risk scenario is any scenario that could have a negative impact on business processes, product quality, data integrity, system security, human safety, regulatory compliance, or any other important system function.

Step 2: For each identified risk scenario, create a new requirement entity in QC/ALM. Use the Risk Scenario requirement type when creating the new record. Provide a description of the scenario in the

Description field and a GxP assessment in the GxP field. Complete other data fields, as applicable.

Figure: Use the 'Risk Scenario' requirement type to document risks

Trace to System Requirements

Risk scenarios can be linked to system functions using QC/ALM's native requirement traceability feature.

Step 1: Select to view the Requirement Traceability tab of a risk scenario record.

Step 2: For each system function associated with the risk scenario, use the Trace From command to add traceability between the risk scenario and another requirement representing the associated function. The other requirement can be of any relevant requirement type (Functional, User, Business, Design, etc.)

Figure: Use the 'Trace From' command to create traceability between a risk scenario and the associated system functions.

Traceability can be added from the other direction, too. If the user is viewing the associated requirement and would like to add a link to a risk scenario, use the Trace To command in the Requirement Traceability view (as opposed to the Trace From command).

Calculate Risk Values

Evaluate each identified risk scenario and assess its probability of occurrence, the likely severity of harm caused by an occurrence, and the likely detectability of an occurrence. Then update the risk scenario record by providing a value of High, Medium, or Low for each of the three risk variables: Risk Probability, Risk Severity, and Risk Detectability.
The system will automatically calculate and update the Risk Class and Risk Priority fields as the risk variables are selected. The values are calculated in accordance with GAMP 5's risk matrices:

Figure: GAMP 5 Risk Matrices


There are three recommended views for completing the risk assessment information: Requirement Details dialog, Requirement Details view, and the Requirement Tree view:

Figure: The 'Requirement Details' dialog. Use the Risk Fields tab in this dialog to view and update the fields of the record's risk assessment.


Figure: The 'Requirement Details view. The Risk Fields tab is also available directly in the Requirement Details view.



Figure: The 'Requirement Tree' view. The user can easily navigate between requirements, view relevant information, and edit risk data in a single view.

Document a Mitigation Strategy

As needed, use the Mitigation Strategy field of a risk scenario to document a strategy for reducing the risk rating. Additional system functions or design elements, enhanced monitoring and alerting, specialized user training, and more rigorous system testing are all examples of strategies that might be used to mitigate a given risk scenario.
NOTE: In accordance with GAMP 5 recommendations, a mitigation strategy is mandatory for risk scenarios with a Risk Priority of High. The user will not be able to submit a risk scenario for approval when it has a high-risk rating and no mitigation strategy.

If new functional or design requirements are added to help mitigate identified risks, the user can leverage QC/ALM's requirement traceability feature to create links between the risk scenario and its mitigating requirements. Instead of using the Trace From feature, use the Trace To feature to link the mitigating requirements downstream from the risk scenario.

Add Test Coverage

Test cases that are associated with a risk scenario can be linked to the risk scenario record using QC/ALM's Test Coverage feature.
Step 1: Select to view the Test Coverage tab of a risk scenario record.
Step 2: For test case from the Test Plan module that is associated with the risk scenario, use the Add to Coverage command to add traceability between the risk scenario and test.

Figure : Use the 'Test Coverage' feature to associate one or more test cases with a risk scenario.


When using risk-based testing, a best practice is to design more test conditions for higher-risk items than lower. For example, a higher-risk item might warrant a combination of straight path testing, boundary testing, performance testing, and other modes of testing; while a lower-risk item may only require straight path testing, or in some cases, no testing. Test Designers can use the rating of a risk scenario—and also the traceability between risk scenarios and other requirements—to determine an appropriate rigor of testing for the system's requirements.


 Test Set Designers can use QC/ALM's cross-filter feature to identify test cases that are associated with High and Medium risk requirements. This will support a risk-based approach to test planning. Tests that are associated with higher-risk items can be scheduled before tests associated with lower-risk items.

Submit for Electronic Approval

Once a risk scenario has been assessed, calculated, mitigated, and covered by appropriate testing, it will be ready for approval.
Reference Electronic Record Approvals for more information about VERA's approval features. Reference Start Approval Routes in Requirements module for specific details on submitting a risk scenario for approval.

Table of Contents