Customizing the {riskassessment} App based on your organization's needs makes validating R packages in regulated industries like pharma more efficient and compliant.

Strict compliance rules and best practices mean organizations need a reliable way to assess and approve packages. The {riskassessment} App, built on {riskmetric}, provides a structured, user-friendly approach that can be tailored to your specific risk assessment requirements.

Building Shiny apps for regulatory review? Here's what you need to know about creating validated, submission-ready applications.

At our recent Shiny Gathering x Pharmaverse webinar, Aaron Clark and Jeff Thompson from Arcus Biosciences shared how the app helps teams simplify package validation. 

This post breaks down how it works and why it's useful for organizations navigating the complexities of R package approval. The recording of the webinar is available below.

Watch the Video

What is the {riskassessment} App?

The {riskassessment} app is an R package containing a Shiny front-end that augments the utility of the {riskmetric} package within an organizational context.

It provides an interactive interface for evaluating key quality indicators like:

• License availability
• Bug reporting mechanisms
• Test coverage
• Documentation completeness
• Community engagement (downloads, dependencies, etc.)

Many organizations rely on scripts for package risk assessment, but this app simplifies the process with a structured, user-friendly approach.

Why Use the {riskassessment} App?

The app bridges the gap between package users and system administrators. Instead of informal requests to add a package, users can generate a structured risk report, making it easier for admins to make informed decisions.

Take Bob, a data scientist who wants to use {gtsummary} for an analysis. He tries to load the package but finds it’s not available in his company’s controlled environment. Instead of just asking for approval, he turns to the {riskassessment} App to assess it first.

Tired of over-validation slowing you down? Learn how to shift from myth-based to risk-based validation in regulated environments.

How the Validation Process Works

Step 1: Logging into the App

Bob logs into the {riskassessment} App and enters {gtsummary} for evaluation. The app runs its checks based on his organization’s predefined rules.

Step 2: Reviewing Package Metrics

The app assigns {gtsummary} a low-risk classification. 

Bob reviews key attributes:

• Five vignettes available
• High closure rate for reported bugs
• Adequate test coverage
• 500,000+ downloads in the last 12 months
• 21 reverse dependencies

These indicators show {gtsummary} is well-maintained and widely used, making it a strong candidate for approval.

Step 3: Checking Dependencies

Since {gtsummary} depends on nine other packages, Bob also needs to evaluate those. Most are classified as approved or low risk, but one—{cards}, needs further review because it has only three reverse dependencies, which is below his organization’s threshold.

Looking deeper, Bob finds:

• {cards} has only been around for 11 months
• It already has 250,000 downloads
• One of its dependencies is a tidyverse package, signaling strong ecosystem support

Step 4: Justifying the Package Request

Bob documents his findings in the app, noting that while {cards} has a low number of reverse dependencies, its quick adoption and connection to the tidyverse make it a good choice.

Step 5: Submitting the Request

With everything reviewed, Bob generates a Risk Summary Report and submits it to the system admin team. Instead of just asking, “Can we add this?” he presents:

• {gtsummary} meets all requirements.
• {cards} needs review but has strong adoption signals.

This shifts the discussion from a yes/no decision to an informed risk assessment.

Customizing the {riskassessment} App

One of the {riskassessment} app’s biggest advantages is its ability to be customized to match an organization's risk assessment framework. Since every company has different standards for package approval, the app allows teams to configure key settings based on their specific validation needs.

1. Define Custom Risk Assessment Rules

Instead of using a one-size-fits-all approach, organizations can define custom decision rules that determine how packages are classified. For example:

• Automatically flagging a package as "Needs Review" if it has fewer than five reverse dependencies.
• Rejecting a package if it lacks a public bug tracker.
• Categorizing a package as "Low Risk" if it meets a set of predefined conditions, such as a high download count and strong documentation.

These rules can be fully customized in the configuration file, ensuring that package approval aligns with internal policies.

2. Automate Risk-Based Decision-Making

The app applies decision automation by running all package assessments against predefined rules. If a package fails a critical requirement, it is automatically flagged for further review. 

This eliminates manual guesswork and ensures consistent, transparent decision-making.

3. Manage Roles & Privileges for Better Governance

The app supports role-based access control, meaning different users have different permissions. This ensures that it caters to different stakeholders, such as data scientists and system administrators, who are interested in specific aspects of the package validation process. For example:

• Reviewers can assess and submit package requests.
• Admins can configure decision rules and manage package approvals.
• Viewers can browse the database but cannot modify package statuses.

This structure prevents unauthorized modifications while ensuring that only qualified individuals can approve package usage.

4. Store & Maintain Organization-Specific Settings

The app saves all assessments in a centralized database, ensuring consistency across teams. Even if a package is reassessed in the future, past evaluations remain accessible, reducing duplicate efforts.

How Does {riskassessment} App Stand Out?

The {riskassessment} App provides a simplified approach to evaluating R packages with features that make validation more efficient and reliable:

1. Automated Package Assessments: Instantly evaluates packages based on predefined organizational rules, reducing manual review time.
2. Decision Automation: Applies risk classification rules to help standardize and speed up approval workflows.
3. Dependency Analysis: Automatically assesses all required dependencies and flags potential risks.
4. Built-in Commenting & Justification: Allows users to document findings and add context for admins to review before approval.
5. Role-Based Access: Supports different user roles, such as reviewers, admins, and viewers, ensuring controlled decision-making.
6. Comprehensive Risk Summary Reports: Generates structured reports that help inform decisions about package adoption.
7. Historical Tracking: Stores previous assessments, making it easy to track package changes over time and reassess risk as needed.

Navigating R package validation in pharma? Get our step-by-step guide to compliant implementation.

Addressing Common Challenges

Risk Scores vs. Individual Metrics

Many organizations prefer evaluating individual package metrics over a single "risk score" to avoid black-box decision-making. {riskassessment} provides transparency by allowing users to focus on meaningful validation criteria.

Code Coverage Limitations

Since {riskassessment} pulls data from CRAN, it cannot assess test coverage directly. Organizations should run {riskmetric} separately in their validated environments to ensure accurate results.

Summing Up R Package Quality with {riskassessment}

The {riskassessment} App makes R package validation clearer and more structured. Instead of relying on scattered manual reviews, it provides a centralized way to assess package risk, helping teams make smarter decisions.

Want to learn more? Visit pharma.r.org for details and ways to get involved with the R Validation Hub.

For more information, check out:

• Slides: https://pharmar.github.io/events-shinygathering2025/‍
• GitHub: https://github.com/pharmaR/riskassessment/‍
• Documentation: https://pharmar.github.io/riskassessment/‍
• Presentation Demo App: https://rinpharma.shinyapps.io/riskassessment_shinygathering2025/

Stay on top of the latest Shiny developments and community insights. Join thousands of Shiny developers by subscribing to Shiny Weekly