R is for risk matrix
If we could assign a precise value for likelihood, such as one in 100 years or one in 10,000 events, and we could quantify the severity of all harmful outcomes on a single measure, such as loss of quality-adjusted life years (for an explanation of these see www.nice.org.uk), or a monetary value, we would not need a risk matrix. The risk associated with each hazard could be calculated and compared with set values, and we could determine that it was a trivial, manageable or unacceptable risk.
Since in most cases it is not possible to quantify either the likelihood or the severity with such accuracy, we make relative judgements – a broken leg is worse than a cut, and an accident that has never happened seems less likely than one we’ve seen several times.
A risk matrix puts these judgements into a table, where one dimension represents categories of severity, and the other categories of likelihood. Typically, numbers are then applied to each category, and multiplied together to give a score for the combination of likelihood and severity. The scores are categorised and labelled.
The illustration here shows a typical 3 x 3 risk matrix where a score of 1 is considered trivial or insignificant, a score of 9 as intolerable, and anything in between is tolerable provided it is managed to as low a risk as reasonably practicable. For a 5 x 5 matrix, a score above 12 might be regarded as intolerable, and a score below 4 trivial.
Can anyone in your organisation explain why you use the matrix you use? Is it appropriate for everything you need to risk assess?
The Health and Safety Executive offers a sample risk matrix (bit.ly/2qNgr40) using the categories of likelihood and severity shown in the illustration.
Any organisation that adopts this model should define these categories to match risk profile and risk appetite, and the definitions must be capable of distinguishing between the different hazards an organisation faces – if they all end up in one or two boxes, the matrix no longer helps with prioritisation of risk control. For example, a small children’s nursery might define anything involving a visit to hospital as extreme harm; if the same definition were used for European motor racing, there would be no useful way of distinguishing between a broken leg, a single fatality and a multiple fatality.
One curiosity of the risk matrix is the dependence people place on numbers. Although we can say the score of 4 means something has less risk than the 9 and more than the 1, in reality we know nothing about the relationship between the risks in a diagonal band. It is not possible to prove that a risk of 2 x 2 is higher than a risk of 3 x 1. We don’t even know that 3 x 1 is the same as 1 x 3. Think about shoe sizes. A size 7 is larger than a size 3, but if you had a size 7 and a size 3 end to end you can’t know whether this would be longer or shorter than a size 6 and a size 4 end to end. You can’t know that 7+3 = 6+4 if the numbers represent categories rather than interval numbers.
Any organisation that adopts this model should define these categories to match risk profile and risk appetite
To avoid confusion, ditch the numbers and replace “mostly harmful”, “unlikely” and so on with descriptions that match your organisation’s risk profile, and simply use the coloured areas to categorise the risk bands.
Then test your risk matrix – ask colleagues to independently place the same hazards on the matrix and see if they come up with the same answers. Are you all happy with the prioritisation that the matrix gives you? Are you really equally as tolerant of the high likelihood of a harmful event as you are of the medium likelihood of an extremely harmful event? You might extend the red or the green area, and you can create a less symmetrical pattern to match your risk appetite.
Risk matrices can be a useful tool for determining acceptability and priorities for risk management – but we must test the matrices we are using to make sure they are telling us what we think they are telling us. Poorly understood severity and likelihood categories and arbitrary risk bands will lead us to draw the wrong conclusions.
Bridget Leathley is a freelance health and safety consultant, providing risk management support in facilities, retail and office environments. She delivers face-to-face safety training including IOSH and bespoke courses, and contributes to e-learning courses through evaluations and design work. She has been writing for health and safety publications since 1996.