Global

Risk-Based Monitoring (RBM) That Works: KRIs, Centralized Monitoring, and Documented Oversight

Chief Editor

08 Feb 2026 — 5 min read

KRI design that produces decisions (not dashboards)

Risk-Based Monitoring (RBM) often fails for one of two reasons: KRIs are chosen because they are easy to measure (not because they are meaningful), or thresholds are set without a documented clinical/operational rationale. The goal is to show documented oversight that is proportionate to risk and aligned with ICH expectations (see ICH E6(R3) Explained).

1) Use a “KRI definition card” for every metric

Standardize each KRI into a definition card so thresholds, data sources, and actions are unambiguous:

Name (e.g., “Late AE entry rate”)
Risk linked (e.g., under-reporting of safety events)
Critical data/process impacted (e.g., AE reporting timelines)
Denominator and calculation method
Data source (EDC, ePRO, CTMS, safety database)
Refresh frequency and cut-off time
Thresholds with rationale (green/amber/red)
Action playbook (who investigates, who approves, timelines)
Documentation outputs (central review note, issue log entry, CAPA)

2) Examples of KRIs that map to inspection questions

Consider selecting KRIs that align to common inspection themes (consent, safety, eligibility, endpoint integrity, protocol compliance):

Consent cycle time: % of subjects with consent signed after first protocol procedure; triggers immediate review of source and process (links to Informed Consent Compliance).
Protocol deviation rate per subject-month, categorized by impact; feeds CAPA and training (see Protocol Deviations and CAPA).
Data change rate after monitoring visit or after database lock milestones; may indicate late source entry or inadequate training (see ALCOA+ Data Integrity).
Endpoint window compliance: % of key assessments outside windows; triggers scheduling process review.
ePRO compliance (DCT trials): completion rate, missingness patterns by site/region (see DCT Compliance).

Centralized monitoring: how to document oversight without generating noise

Central monitoring should produce a clear chain: signal → assessment → decision → action → follow-up. If you can’t show that chain, inspectors may interpret the program as “monitoring theater.”

1) What to include in a Central Monitoring Plan (CMP)

Risk assessment summary and critical-to-quality factors
List of central review activities (data listings, statistical checks, trend analyses)
Roles and cadence (weekly review by central monitor; monthly governance; ad hoc escalation)
Data sources and access controls (EDC, eTMF, ePRO portals, safety DB)
Issue management workflow (issue log, severity, owner, due date, closure criteria)
Documentation expectations (central review notes, meeting minutes, reports filed to TMF)

2) Central review note template (example)

Use a structured note format to reduce variability and make review auditable:

Review period and data cut
Data reviewed (listings, dashboards, query reports)
Signals observed (what changed vs prior period)
Assessment (hypotheses; corroborating evidence)
Decision (no action / site contact / targeted visit / training / audit consideration)
Actions (owner, due date)
Follow-up plan and closure criteria

Issue management and escalation that connects RBM to CAPA

RBM only improves quality if issues are managed in a consistent system. A frequent gap is treating RBM signals as informal “FYIs” rather than quality events with documented investigation and closure.

1) Triage decision tree (practical)

Is the signal related to a critical data/process? If yes, proceed.
Does it indicate potential subject safety or rights risk? If yes, immediate escalation and potential PV linkage (see PV & Safety Reporting).
Is it isolated or systemic? (single subject vs multiple; single site vs region-wide)
Is there a plausible root cause? (training, staffing, data entry workflow, protocol complexity)
What is the minimal effective action? (query, remote review, targeted visit, process change)

2) When to open a CAPA

Define criteria for CAPA initiation, such as:

Repeat deviations of the same type within a defined window
Systematic consent errors or eligibility violations
Data integrity concerns (unexplained audit trail patterns, late mass edits)
Vendor performance failures against defined KPIs (see Vendor Oversight)

Ensure your CAPA documentation includes root cause, corrective/preventive actions, and effectiveness checks (see Protocol Deviations and CAPA).

Inspection-ready RBM evidence package

To demonstrate documented oversight, assemble an RBM evidence trail that can be retrieved quickly during an inspection:

Risk assessment and rationale for chosen monitoring strategy
Central Monitoring Plan + KRI definition cards
Central review notes and governance minutes showing decisions
Issue log with escalation and closure evidence
Targeted monitoring visit reports and follow-up documentation
Vendor dashboards and oversight notes (if RBM tooling is outsourced)

File key artifacts in your TMF/eTMF with a consistent naming convention and version history (see TMF/eTMF Excellence), and ensure system audit trails and access controls are supportable (see CSV vs CSA).

Threshold calibration: document why “red” is red

Thresholds are one of the most inspected RBM weaknesses. Teams often pick arbitrary cutoffs (e.g., 10% late entries) without documenting why that threshold indicates meaningful risk. A defensible approach documents the clinical/operational rationale and ties it to an action playbook.

Calibration approaches that work in practice

Baseline benchmarking: use early-study data (or prior similar studies) to establish expected ranges, then set thresholds relative to that baseline.
Risk-based cutoffs: stricter thresholds for CtQ-related metrics (consent timing, eligibility violations, SAE timeliness) than for lower-impact metrics.
Volume-adjusted thresholds: use denominators that reflect exposure (per subject-month, per visit) to avoid penalizing high-enrolling sites unfairly.
Tiered actions: define “amber” investigations vs “red” escalations so responses are proportionate and consistent.

Capture calibration decisions in a dated rationale note and revisit when major study changes occur (amendments, new regions, DCT components). This provides a clear record of why thresholds were set and how they evolved.

Integrating on-site monitoring: make visits targeted and evidence-driven

RBM does not eliminate on-site monitoring; it changes why and where you go. A strong hybrid model uses centralized monitoring to identify what to verify on-site and what to remediate through process changes.

Examples of targeted on-site verification triggered by signals

Consent anomalies (late consent, missing fields) → verify consent source packets and site workflow (see Consent Compliance).
Eligibility risk (borderline criteria, late baseline labs) → verify key eligibility source and documentation of decisions.
Endpoint method drift (outliers, inconsistent devices) → verify device calibration logs and assessment conditions.
Data integrity signals (mass edits, late entries) → review audit trails and site processes (see ALCOA+).

Document the linkage from signal to visit focus in your central review notes and monitoring visit report. That linkage is a key part of the “oversight story” in inspections.

Common RBM pitfalls (and practical mitigations)

Too many KRIs → keep a small set tied to CtQ factors; remove metrics that do not drive action.
No documented decisions → require structured central review notes and governance minutes showing actions and follow-up.
Over-reliance on vendor dashboards → retain sponsor interpretation, oversight, and escalation records (see Vendor Oversight).
Signals without CAPA linkage → define criteria for CAPA initiation and effectiveness checks (see CAPA).

Data cuts and tool assurance: keep your centralized review defensible

Central monitoring decisions are only as reliable as the data cut behind them. A common audit challenge is that teams cannot reproduce what the dashboard showed on a given date, or the data sources feeding the dashboard are unclear. To make centralized review defensible:

Define a data cut timestamp for each review cycle and document it in the central review note.
List data sources (EDC, CTMS, ePRO, safety DB) and any known refresh delays or limitations.
Control calculation logic: version dashboards or KRI scripts so changes are traceable and approved.
Reproducibility: retain exports/snapshots of key listings used for decisions, especially for CtQ signals.

If RBM tooling is vendor-managed, ensure the assurance approach covers access controls, audit trails, and change management (see CSV vs CSA). These controls support data integrity expectations and prevent “dashboard drift” during inspections (see ALCOA+).

Documentation discipline: the difference between “RBM exists” and “RBM worked”

In inspections, reviewers rarely challenge the concept of RBM; they challenge the execution evidence. A simple way to strengthen defensibility is to standardize what must be documented every cycle and where it is filed.

Central review note filed per cycle with signals, assessment, decisions, and action log.
Escalation record when thresholds are exceeded: what was investigated, who approved the action, and closure evidence.
Link to CAPA when signals recur or impact CtQ factors (see CAPA).
TMF/eTMF filing: ensure key RBM artifacts (plans, notes, minutes, targeted visit reports) are filed predictably for rapid retrieval (see TMF/eTMF Excellence).

This routine documentation makes the “signal → decision → action → effectiveness” chain visible, which is central to the E6(R3) quality management expectation (see ICH E6(R3)).

RBM quick wins that reduce noise

One owner per signal: assign a single accountable reviewer so follow-up does not stall.
Close the loop: every red/amber signal should have a documented closure decision.
Retire stale KRIs: remove metrics that are consistently green and not tied to CtQ risks.
Predefine action bundles: create standard response bundles (queries + site call + targeted review) so teams act quickly and consistently.