CAPA Best Practices

Seeking guidance on employing a risk based approach to executing root cause analysis? Does anyone determine level of investigatory activities based on overall risk determination (i.e. those with lowest potential for risk will receive lowest level of investigation)? Curious as to possible approaches.

7 Replies
Duke Okes
244 Posts

Absolutely. When problem is identified (whether audit finding, NCM, complaint, etc.) the risk related to the failure should be evaluated. In some cases the problem will simply be corrected (and no CAPA done), and in other cases and investigation will be done to determine the causes. Again, degree of risk will drive whether only physical/direct causes are pursued, as opposed to also going to root/system cause. Also consider whether investigation should pursue why the problem wasn't discovered earlier (why it escaped where it occurred), as well as why it hadn't been predicted (e.g., wasn't in the FMEA).

Here's a related article, and while it is written about audit NCs it can also apply to other failures.


The extent of Root cause analysis is can be determined by classifying the risk associated with the non compliance like low, medium,high and severe.

On the lowest risk classification you can have simple desk top review of 5 why analysis to a structured Cause and effect analysis for high and severe level.

Thank you Duke for the insight and the article. Very much appreciated.

Thanks Balan!

Anish Shah
3 Posts
Does your RISK assessment involve COSTs ( cost of failure and cost of delayed or no resolution )? Your approach might be different than/or a combination of as suggested by others in this thread.
Duke Okes
244 Posts

Here's the relevant slide from my RCA course (which ASQ offers in on-line, virtual and F2F formats).


Our CAPA process has each incident team score the event for severity, occurrence, and detection very similarly to how you would during an FMEA. We then established ranges for the total score that dictate different actions taken (no action up to a full blown FMEA event). It has helped us focus our efforts on our larger risk incidents.