Skip to contents

riskassessment is an R package containing a shiny front-end to augment the utility of the riskmetric package within an organizational context. Recently awarded the title for “Best App” at Shiny Conf 2023 (see Recognition section below).

{riskassessment} app

riskmetric is a framework to quantify an R package’s “risk” by assessing a number of meaningful metrics designed to evaluate package development best practices, code documentation, community engagement, and development sustainability. Together, the riskassessment app and the riskmetric package aim to provide some context for validation within regulated industries.

The app extends the functionality of riskmetric by allowing the reviewer to:

  • analyze riskmetric output without the need to write code in R
  • contribute personalized comments on the value of individual metrics
  • categorize a package with an overall assessment (i.e., low, medium, or high risk) based on subjective opinions or after tabulating user(s) consensus after the evaluating metric output
  • download a static reports with the package risk, metrics outputs, and reviewer comments, and more
  • store assessments in a database for future viewing and historical backup
  • user authentication with with admin roles to manage users and metric weighting

Echo-ing {riskmetric}’s Approach to Validation

Validation can serve as an umbrella for various terms, and admittedly, companies will diverge on what may be the “correct approach”. The riskassessment app is built on a rismetric-foundation, whose deverlopers follow the validation philosophy proposed in this white paper published by the R Validation Hub. As such, the scope of riskassessment and riskmetric are only designed to support decision making from that view point. The full robustness and reliability of any software may (and likely will) require deeper inspection by the reviewing party.

Note: Development of both riskassessment and riskmetric were made possible thanks to the R Validation Hub, a collaboration to support the adoption of R within a biopharmaceutical regulatory setting.


If you are new to using the riskassessment app, welcome! We’d highly encourage you to start exploring the demo version of the app currently deployed on There, you’ll find a number of pre-loaded packages just waiting to be assessed. Hands on experience will help you become familiar with the general layout of the app as you poke around and explore.

With that said, you should immediately recognize that the app requires authentication, since it’s intended use is within an organization. There are two pre-defined roles: ‘nonadmin’ users and ‘admin’ users. The latter can add/delete users, download an entire copy of the database, and modify the metric weights used in calculation of risk scores. Initially, both share the same password: QWERTY1. If you log in with this credential, the app will immediately prompt you to change your password and repeat the the process with your new credentials.

If you want a quick overview of the project and demo of the application, you should watch this video walk through on YouTube from Shiny Conf 2023. At the conference, riskassessment was voted “best application” in the shiny showcase by conference attendees!

riskassessment at shinyConf 2023

If you desire a more comprehensive overview of riskmetric’s approach to validation in the context of this app, watch our talk at Rstudio::Global 2021. But don’t forget to take it for a spin!


We recommend to run/deploy this application in a controlled development environment. Of course, you can install the latest version from GitHub using the code below, but it doesn’t take into consideration other environment dependencies which means we can’t guarantee stability:

# install.packages("remotes") # if needed

# Run the application 

Instead, we’d recommend that you clone the repo’s R project locally and run the following code in order to take advantage of our renv.lock file which set’s up the project dependencies:

# First, clone the repo from GitHub, then...
# Get dependcies synced using {renv}

After this step is complete, you can simply run the contents of app.R to launch and/or deploy the application! For more information on our dev philosophy as it pertains to package management, please read the “Using renv article.

User Guides and User Feedback

We’re constantly improving the app and it’s documentation. Please explore the user guides that have been developed to date, available on the riskassessment documentation site. Be sure to read the ‘Get Started’ tab and perhaps an article or two!

Of course, if you ever have specific feedback for the developers, or if you encounter a problem / bug within the app, we recommend opening a new issue on GitHub and we’ll address it promptly.

We also want align with our users on big picture, strategic topics. Specifically, we want to hear from groups who’ve built (or are currently building) their R-package validation process, whether you use riskmetric / riskassessment or not! Ideally, our goal is to form a consensus from companies regarding their validation approach so we can make riskmetric and riskassessment better. For example, we’d love to understand how users are currently weighting the metrics used to calculate a package’s risk score. We’d also love to learn if companies leverage certain risk score thresholds to make GxP environment inclusion decisions for a set of packages. To facilitate the gathering of this information, we’ve created an incredibly brief questionnaire to let us know where you’re at.


As you might expect, certain deployment environments offer persistent storage and others do not. For example, does not. That means that even our demo app that’s hosted on contains a a package database that can’t be permanently altered. That’s not advantageous since an organization needs to continually add new packages, publish comments, and make decisions about packages. Thus, we’d recommend exploring these deployment options (which allow persistent storage):

  • Shiny Server

  • Posit Connect

  • ShinyProxy

For more information on each of these, we highly recommend reading our ‘Deployment’ article.


In March 2023, Appsilon hosted the 2nd annual Shiny Conf which was fully virtual, boasting approximately 4k registrants. Aaron Clark, package maintainer and R Validation Hub Executive member, presented the riskassessment app work in the “Shiny Showcase” among 20+ other app submissions. At the end of the conference, riskassessment was awarded the title of “Best App” by popular vote.

Shiny Conf 2023 winner