The Safer Choice

Chapter 9: Your own risk matrix

9.1 Why you shouldn’t read this chapter

I hope that most of my readers won’t read this chapter. If you’ve read chapters 7 and 8, I’d prefer you to go with clear “harm statements” that don’t average, sum or integrate the different outcomes your assessments should consider. However, if you (or your employer) insist on a risk matrix, this chapter shows you how to think through what it does and how it works.

There are occasions when you might need to prioritise. For example, you take on a project where almost nothing has been done to assess risks and manage hazards. You have limited resources, so you need to decide what comes first. Will you fill the holes in the pavement first, or cut down the dangerous trees? The right matrix could help you to prioritise – and to justify those priorities.

9.2 Devising a matrix

If you have a matrix that you usually use, have it in front of you, as I’m going to ask you lots of questions about it. If you don’t have one, or can’t find it, take a look again at the HSE (2019) matrix in Figure 7.1. I will assume that the lowest likelihood and lowest consequence are in the bottom left-hand corner, so if your matrix is oriented differently, you might have to adjust the questions.

Although I’m going to present examples of matrices, I don’t want you to use any of them. I don’t want you to use the HSE matrix, or any other off-the-shelf example. If you need a matrix (or have been told by your organisation that you must have one) use the ideas in this chapter and the next to create, and then test, your own.

9.3 Reduce your axes

Ask yourself:

Think of a hazard, and the hazardous event that could result. If your mind goes blank, think about the next journey you are going to take, and about something that could happen on that journey (a crash, a tree falling on you, a delay, a chance meeting with an ex). Without any scale, how likely is that event? Now rank the likelihood of that event on each of the following likelihood scales (circle one rating in each line).

Impossible | Remote | Unlikely | Possible | Unusual | Known | Likely | Usual | Certain

Almost impossible | Highly unlikely | Unlikely | Possible | Even chance | Probable | Likely | Certain

Rare | Unlikely | Possible | Likely | Almost certain

Negligible | Remote | Possible | Probable

Low | Medium | High

Table 9.1: Likelihood labels

If it was easy to select one of the extremes on each occasion, find something that will be nearer the middle, and try again. Which was the easiest scale to use?

People often find scales with an even number of options the hardest, because we tend to want to select the middle option. I’m guessing that the 8- and 9-point scales were the hardest to apply. An event that would easily be categorised as low or negligible or rare on the shorter scales might be impossible, almost impossible, remote or highly unlikely on the more detailed scales. If someone was explaining the likelihood of an accident to you, would you be more concerned if they said it was possible or likely?

I haven’t invented any of these – they are all lifted from schemes I’ve seen in use. In all these schemes possible is less likely than probable. In most cases, likely is more likely than possible. But in one case probable is the top category, and in another there are two further scores above that. The next few examples will use a 3-point scale for both severity and likelihood. If this short section hasn’t convinced you of the virtue of this simplicity, read on and I hope to convince you by the end of the chapter.

[Photo: HS managers lined up holding cards with probability terms on]

Even health and safety professionals can't agree on the same order for qualitative labels (IOSH Metropolitan event, 2014)

9.4 Simplify the outcomes

Ask yourself:

  1. How many outcomes are there on your risk matrix (or on the HSE one)?
  2. How many things are you going to do as a result of assessing the risk?
  3. Are these two numbers the same?

1. The HSE (2019) risk matrix in Figure 7.1 had five outcomes: Trivial, Tolerable, Moderate, Substantial and Unacceptable. How many does yours have? 

2. How many things might you do as a result of assessing the risk? I usually only consider three options. Read through these and tell me what else you might do:

1) I think the risk is low enough with what we’re currently doing to control the risk. I’m going to continue to monitor the hazard and how we control it.

2) Carry on for now, but identify ways to make it safer. Can I make the current controls more effective? Is there something else we can do?

3) Stop doing it. This is too dangerous to carry on doing like this. If we can’t find a way of making it safer, we should stop doing it, now.

3. If I used the HSE risk matrix I would have five different outcomes from which to make just three decisions. This might have involved hours of discussion to decide which of five likelihood categories to assign, and which of five severity categories to assign, and at the end all that detail is thrown away because we only have three courses of action we can take.

 

If I only need three outcomes, I can use a 3×3 grid and show the actions required directly on my grid without needing an intermediate label like ‘trivial’ or ‘moderate’.

| Potential severity of harm (rows) / Likelihood of harm occurring (columns) | Low | Medium | High |
|---|---|---|---|
| High | Manage | Manage | Stop now |
| Medium | Monitor | Manage | Manage |
| Low | Monitor | Monitor | Manage |

Figure 9.1 Simplified risk matrix

Notice two things about this grid (and the others in this chapter).

First, I haven’t put any numbers on it. As soon as you start assigning numbers to the labels and multiplying them, some people will think they have a quantitative risk assessment. You could number the categories 1, 2, 3 or 1, 10, 100. You could multiply them or add them together. It won’t make any difference. What we’re trying to do is prioritise spending on reducing harm. You can see how that works in the matrix without numbers.

Second, instead of requiring a coding-decoding book to decide on outcomes, you only need one table. Often I see this done in three stages.

a) Numbers assigned to likelihood and severity ratings

b) Magical meaningless formulae given to risk = L x S

c) Number for risk interpreted as Trivial, Tolerable, Moderate, High (or whatever scheme is in use)

d) Another table to explain what needs to be done for each of the risk labels in c).

In all these risk grids we’ve gone straight from our simple ratings of low, medium and high to the judgement about prioritising risk.

Where I change the colouring from green to amber, and from amber to red, depends on my risk appetite. I could have taken a more risk-averse approach and decided that only low-low should be green, and that where a high severity outcome is possible, I’m going to stop the activity unless I am sure the likelihood is low. Figure 9.2 shows this more risk-averse version.

| Severity (rows) / Likelihood of harm occurring (columns) | Low | Medium | High |
|---|---|---|---|
| High severity | Manage | Stop now | Stop now |
| Medium severity | Manage | Manage | Manage |
| Low severity | Monitor | Manage | Manage |

Figure 9.2 Risk averse matrix

Notice that the matrix in Figure 9.2 is not symmetrical – in this grid I’ve decided to treat a medium likelihood of a high severity outcome with more urgency than a high likelihood of a medium severity outcome. If that shocks you, stop and think about why you believe it should be symmetrical. Is it because you are used to putting numbers in those cells – so 3×2 = 6 and so does 2×3, and therefore the ‘risk’ is the same for medium/high as for high/medium? But as explained in Chapter 7 (7.1.4) those numbers were ordinal numbers, not ratio, so you never should have assumed that the product of those numbers had any meaning. We’ll return to this when we consider how to check the boundaries in Chapter 10.
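The two points above (numbers add nothing to Figure 9.1, and no L x S score can produce the asymmetric Figure 9.2) can be checked mechanically. The following is an added example, not part of the original chapter; the function names and the three scoring schemes are assumptions for illustration, with the same scores used on both axes as in the 3×2 = 2×3 argument.

```python
from itertools import product

ACTIONS = ["Monitor", "Manage", "Stop now"]  # ordered least to most urgent
LEVELS = ["Low", "Medium", "High"]

# Rows keyed by severity; each row lists Low, Medium, High likelihood.
FIG_9_1 = {
    "High":   ["Manage", "Manage", "Stop now"],
    "Medium": ["Monitor", "Manage", "Manage"],
    "Low":    ["Monitor", "Monitor", "Manage"],
}
FIG_9_2 = {
    "High":   ["Manage", "Stop now", "Stop now"],
    "Medium": ["Manage", "Manage", "Manage"],
    "Low":    ["Monitor", "Manage", "Manage"],
}

def score_ranges(matrix, scores, combine):
    """Return {action: (lowest, highest)} combined score over that action's cells."""
    ranges = {}
    for i, j in product(range(3), repeat=2):  # i = severity, j = likelihood
        action = matrix[LEVELS[i]][j]
        s = combine(scores[i], scores[j])
        lo, hi = ranges.get(action, (s, s))
        ranges[action] = (min(lo, s), max(hi, s))
    return ranges

def reproducible_by_score(matrix, scores, combine):
    """True if cut-offs on the combined score give back every cell's action."""
    ranges = score_ranges(matrix, scores, combine)
    used = [a for a in ACTIONS if a in ranges]
    # Every score of a less urgent action must sit below every score of the next.
    return all(ranges[a][1] < ranges[b][0] for a, b in zip(used, used[1:]))

def asymmetric_pairs(matrix):
    """Rating pairs whose action changes when severity and likelihood swap."""
    return [
        (LEVELS[i], LEVELS[j])
        for i, j in product(range(3), repeat=2)
        if i < j and matrix[LEVELS[i]][j] != matrix[LEVELS[j]][i]
    ]

# Illustrative schemes (assumed): the numberings mentioned in the text.
SCHEMES = {
    "1,2,3 multiplied": ((1, 2, 3), lambda s, l: s * l),
    "1,10,100 multiplied": ((1, 10, 100), lambda s, l: s * l),
    "1,2,3 added": ((1, 2, 3), lambda s, l: s + l),
}

def compare():
    """Check each figure against each scheme."""
    return {
        (fig, name): reproducible_by_score(m, sc, fn)
        for fig, m in (("9.1", FIG_9_1), ("9.2", FIG_9_2))
        for name, (sc, fn) in SCHEMES.items()
    }

if __name__ == "__main__":
    for key, ok in compare().items():
        print(key, "cut-offs exist" if ok else "no cut-offs can work")
    print("Figure 9.2 asymmetric pairs:", asymmetric_pairs(FIG_9_2))
```

Every scheme reproduces Figure 9.1, so the numbers carry no information the labels did not already hold; none reproduces Figure 9.2, because medium/high and high/medium always receive the same score.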

Ask yourself:

Given three colours, how else might you colour these blocks? Here’s one without colours for you to play with. Compare your alternative with some of the options in this chapter, and in Chapter 10.

| Severity (rows) / Likelihood of harm occurring (columns) | Low | Medium | High |
|---|---|---|---|
| High severity | | | |
| Medium severity | | | |
| Low severity | | | |

Figure 9.3: A blank risk matrix for you to colour in

If you want to use a bigger matrix – say a 5×5 – you need to be convinced that you want to tie yourself down to more than five courses of action. More often, if we’re in the ‘manage’ zone the timescales are determined by practicality, not by any phoney maths. Can you really insist that the fire door is replaced within 24 hours but give someone six weeks to move some boxes, because that’s where the hazards fall in your complex grid? See the box ‘ALARP and ASARP’.

Box 9.1: ALARP and ASARP

In Chapter 5 I explain the terms ALARP and RP. To explain what I mean by ‘Manage’ in Figure 9.1 and Figure 9.2, and why I don’t need multiple time categories, I’ve invented my own term ‘ASARP’ – as soon as reasonably practicable. If a risk is tolerable (not in the red zone) then while you might carry on with the activity, you need to know you are doing everything reasonably practicable to manage the hazard. For low-risk hazards, that might involve monitoring what you’re already doing, but taking no additional action. For the middle-zone (in orange) it might mean additional controls, but at a time that sits inside the RP scales in Figure 5.1. You can move the boxes from in front of the fire door today, you can arrange for the shelf to be lowered by maintenance in the next few days, but it will take several months to raise the budget and arrange the contract for a non-slip floor surface. You might need to take some temporary actions in the short term – extra cleaning while you wait for a new floor, and temporary storage while you wait for the new shelf. But a risk matrix that assigns specific timescales based on narrow risk decisions could tie you up in knots.

9.5 'But I need more than 3 outcomes'

Perhaps in your organisation there are more decisions. Before you decide how many categories of likelihood and severity you need, write down all the decisions you might make. Perhaps you have some budget left for this year, and some that won’t be available until next year. You might decide on 4 outcomes:

1) Low enough risk to leave and monitor.

2) Identify practical ways to make it safer in next year’s budget.

3) Identify practical ways to make it safer with this year’s budget.

4) Stop now.

Even if you came up with 5 options (perhaps you have a longer planning cycle, and want to prioritise spending for 2 years) a 3×3 grid is big enough. 

Figure 9.4 shows how you can assign five outcomes on a 3×3 grid.

| Severity (rows) / Likelihood of harm occurring (columns) | Low | Medium | High |
|---|---|---|---|
| High severity | Next year’s budget | This year’s budget | Stop now |
| Medium severity | Within two years | Next year’s budget | This year’s budget |
| Low severity | Monitor | Within two years | Next year’s budget |

Figure 9.4: 3x3 risk matrix with five outcomes

9.6 Understand your axes - likelihood

Ask yourself:

What do your different likelihood categories mean? Are they mutually exclusive?

Given some frequency data such as “this might happen once in ten years” would different people in your organisation agree on how to score the likelihood of harm?

When I was studying for my Masters, a tutor asked a class to assign probability numbers to some terms, such as rare, infrequent, likely, unlikely, improbable. The scenario was that you had to explain to a pregnant mother that there was a chance her baby would have a particular genetic condition.

Ask yourself:

If parents were told that it was “unlikely” that their child would have a given genetic condition, what probability would you associate with that?

I predict that you came up with a number for unlikely within the range of answers in that classroom. The reason I can make this prediction is that the range of values suggested was from 10% to 0.0001%. Given the scenario, I was astonished that a Masters student could think that if 1 in 10 babies suffered from a condition, you could tell a parent that the condition was “unlikely.” There wasn’t even any agreement in the class as to what order the terms should be – is “improbable” more or less likely than “rare”? I ran an experiment with health and safety professionals where they had to agree on a risk order for similar terms. They didn’t agree either.

Adding numbers, as some organisations do, is not the solution.

Ask yourself:

Think of (at least) two problems with applying this scheme for likelihood:

  • Very unlikely – 1 in a million
  • Unlikely – 1 in 10,000
  • Likely – 1 in 100

The first problem is, 1 in a million what? If it’s years, then even 1 in 100 years sounds so unlikely, I wonder why it’s in a risk assessment. So perhaps operational days or hours? Or worker hours? Or the number of times the thing is done?

If I said it was worker hours, and you had 1000 workers, does 1 in a million still sound ‘unlikely’? If you do the maths, that’s now around twice a year. Suddenly one in a million isn’t so rare.

Let’s assume instead it’s operational hours. I’ve looked at data for my industry and estimated that a particular hazardous event occurs about once in 100,000 operational hours. Is that closer to unlikely or to likely? This is perhaps why people add more categories, but that’s not the solution.

I’m not convinced there is a solution, as likelihood is such a difficult concept to grasp, and unless we base a judgement on statistical data (which happens in fully quantitative risk assessments) we are usually basing it on our own experience. One ‘least bad’ approach is to consider how often this accident tends to happen in your organisation (or across your industry if you have that level of relevant information). So we might have:

  • Very unlikely = Once in 20 years, or less often in our organisation.
  • Unlikely = Less than once a year, but more than once in 20 years in our organisation.
  • Likely = Once a year, or more often in our organisation.

However, I’ve never seen sufficient data at the level of detail that would be needed to determine the statistical likelihood of the types of incidents considered in occupational health and safety (like a trip or a fall). If you could gather historical data, how would you apply this to changed circumstances or the use of new technology?

9.7 Understand your axes - severity

Ask yourself:

What do the consequence categories mean? Are they mutually exclusive?

Given the description of a likely outcome such as “a broken leg” or “noise-induced hearing loss” would different people in your organisation agree on how to score the severity of harm?

Schemes for consequence, where they are defined, tend to be better than those for likelihood. In the UK, RIDDOR categories are often adopted, which makes it easier to categorise existing accident data. However, these schemes are designed to categorise outcomes after an accident, rather than to predict likely outcomes before the accident. Experienced risk assessors argue as to whether the assessment should be predicting the worst-case outcome or the most-likely outcome. Re-read the vehicle accident example in Section 7.2.2 if that’s not already clear.

The 3×3 risk matrix in Figure 7.1 was within an FAQ on the HSE website until around 2019. The only matrix on the HSE website in 2024 is not intended for businesses to assess risks, but for HSE Inspectors to use as part of their internal processes.

The harm categories include examples of health effects as well as injuries:

  • Serious: Serious personal injury (fatal or major) or serious health effect (permanent, progressive or irreversible condition, or permanently disabling).
  • Significant: Significant injury (RIDDOR reportable) or significant health effect (non-permanent, reversible or non-progressive condition, or temporary disability).
  • Minor: Minor injury (non-RIDDOR, first aid only) or minor health effect (conditions not included above).

Each injury type is then subdivided into multiple casualties at one time or ‘single or low’. It is not clear when ‘low’ becomes multiple, but you could assign your own numbers depending on the size of your organisation. As a result, the HSE presents six categories of severity. These are more useful than the descriptions ‘low’, ‘medium’ and ‘high’ we’ve used until now. They might not be the right categories for your organisation, but the examples make consistent decisions more likely, and remind us to consider health impacts as well as physical safety.

Be careful with the categories you create. They need to be able to scale to your organisation – is a single death the worst thing you could imagine happening, or is your organisation capable of killing dozens, or hundreds of people in one go? And what is your risk tolerance – is a cut or a bruise a routine injury that, while you seek to avoid it, is part of working life? Or would it be regarded as significant? Think of the difference between how a children’s nursery might rank injuries compared to a forestry operation.

We’ll look at an example to identify other mistakes to avoid.

Ask yourself:

What’s wrong with this scheme? Find at least two problems.

  • Insignificant – no injury
  • Minor – minor injuries needing first aid
  • Moderate – up to three days’ absence
  • Major – more than seven days’ absence
  • Catastrophic – death.

Problem one. We’re at the stage of assessing the risk for hazards identified in step 1. Why would we have an insignificant category? If there is a high probability of no injury, I’m not interested. An argument for having this rating might be that if you have sufficient controls you have reduced the worst outcome to insignificant, but it is hard to think of an example of a control (other than eliminating a hazard) that reduces the most-likely worst injury to “no injury.” For example, a safety net when working at height can reduce the most likely consequence from catastrophic or major to minor, but it is unlikely to result in no injury. If you have a trivial category, consider how and when you will use it. Keep it if you can justify it, but don’t keep it without asking the question.

Problem two. If, when assessing the most likely consequence of a stomach bug, I read in a medical book that most people need 5 days off work, is that moderate or major? If my staff work in jobs where experience has shown that people can carry on working at desk jobs with broken arms or ribs, and take no time off work, would I really classify that as minor? There are historical reasons why some UK-based organisations record 3-day and 7-day absences, but they are not useful categories for estimating severity.

9.8 Understand your axes - an alternative

The HSE inspectors’ matrix mentioned earlier had six categories of severity and four categories of likelihood. This suggests another asymmetry we should consider with a risk matrix – there is no reason to increase the number of likelihood categories just because you need to consider additional categories of severity.

Here then is one suggestion for a slightly improved risk matrix. It still relies on judgement, but at least now for the same judgement you’ll get the same number each time. It might not be right for your organisation. I’ve added an extra severity category, not because this is essential, but so that you can see it’s alright to have an asymmetric grid.

| Potential severity of harm (rows) / Likelihood of harm occurring in the organisation (columns) | Very unlikely: Once in 20 years, or less often | Unlikely: Less than once a year, more than once in 20 years | Likely: Once a year, or more often |
|---|---|---|---|
| Catastrophic: extreme harm to more than one person | Manage | Take action or stop | Take action or stop |
| Extremely harmful: death or permanent damage to health or well being of individual | Manage | Manage | Take action or stop |
| Harmful: requires treatment elsewhere or time off (or both) but recoverable | Monitor | Manage | Manage |
| Slightly harmful: treatable locally and no time off work | Monitor | Monitor | Manage |

Figure 9.5: 4x3 risk matrix with three outcomes

Ask yourself:

Given the new grid in Figure 9.5, work out where you would place the following hazards.

| Scenario | Monitor | Manage | Take action |
|---|---|---|---|
| Office staff using a stepladder to reach a bookshelf | | | |
| Infant children crossing a busy road alone from the school to the playing field. | | | |
| Trained technicians using tools for routine maintenance | | | |

Table 9.2: What action would you suggest for each scenario?

When you’ve got three answers, you can look at my suggested outcomes. If we have different answers we probably have different experiences of the workplace. If you felt you needed more context to provide an answer, that’s a good sign as you’re thinking about the need for a scope definition from Chapter 1.

But was it any more difficult to make the judgement without the numbers? How would numbers have helped? I hope you’re convinced they wouldn’t. If you’re still not with me on this one, I have one last opportunity to persuade you when we discuss how to test the matrix.

9.9 Conclusion

Risk matrices with numbers come from high hazard industries, such as COMAH sites. They were never meant to be used for occupational health and safety arrangements. In process safety the numbers relate to measured probabilities, such as the failure rate of a valve, or the distance over which an explosion will cause damage. In OSH, the numbers just cause confusion.

Please DO NOT take any of the matrices in this book away and say “hey, this is the matrix we should be using.” If you want to use a risk matrix, work through these steps to produce something tailored to the risk profile of your organisation. Make sure you have a shared understanding with your colleagues of what it means, and how it can be used. This means:

  • Agree what the categories on each axis mean.
  • Use as few categories as you can for the range of decisions you have available.
  • Use action-oriented outcome descriptions, and have as few as you can.
  • Test the matrix with some typical hazard situations from your organisation.

Testing the matrix is what we’ll look at in Chapter 10.
