A risk is the amount of harm that can be expected to occur during a given time period due to specific

harm event (e.g., an accident). Statistically, the level of risk can be calculated as the product of the
probability that harm occurs (e.g., that an accident happens) multiplied by the severity of that harm
(i.e., the average amount of harm or more conservatively the maximum credible amount of harm). In
practice, the amount of risk is usually categorized into a small number of levels because neither the
probability nor harm severity can typically be estimated with accuracy and precision.
A Risk matrix is a matrix that is used during risk assessment to define the various levels of risk as
the product of the harm probability categories and harm severity categories. This is a simple
mechanism to increase visibility of risks and assist management decision making.
Although many standard risk matrices exist in different contexts (US DoD, NASA, ISO),[1][2][3] individual
projects and organizations may need to create their own or tailor an existing risk matrix.
For example, the harm severity can be categorized as:

• Catastrophic – Multiple Deaths

• Critical – One Death or Multiple Severe Injuries
• Marginal – One Severe Injury or Multiple Minor Injuries
• Negligible – One Minor Injury
The probability of harm occurring might be categorized as 'Certain', 'Likely', 'Possible', 'Unlikely' and
'Rare'. However it must be considered that very low probabilities may not be very reliable.
The resulting Risk Matrix could be:
The probability of harm occurring might be categorized as 'Certain', 'Likely', 'Possible', 'Unlikely' and
'Rare'. However it must be considered that very low probabilities may not be very reliable.
 The resulting Risk Matrix could be:

Negligible Marginal Critical Catastrophic

Certain High High Extreme Extreme

Likely Moderate High High Extreme

Possible Low Moderate High Extreme

Unlikely Low Low Moderate Extreme

Rare Low Low Moderate High

The company or organization then would calculate what levels of Risk they can take with different
events. This would be done by weighing up the risk of an event occurring against the cost to
implement safety and the benefit gained from it.
How do you do a risk assessment?
1. Step 1: Identify the hazards. In order to identify hazards you need to understand the
difference between a 'hazard' and 'risk'. ...
2. Step 2: Decide who might be harmed and how. ...
3. Step 3: Evaluate the risks and decide on control measures. ...
4. Step 4: Record your findings. ...
5. Step 5: Review your assessment and update as and when necessary.

Risk Assessment: Creating a Risk Matrix

1. 1. CONFIDENTIAL: This document contains information that is confidential and proprietary to
EtQ, Inc. Disclosure, copying, distribution or use without the express permission of EtQ is
prohibited. Copyright 2013 EtQ, Inc. All rights reserved. 5 minutes on< Risk Assessment:
Creating a Risk Matrix Tim Lozier, EtQ, Inc.
2. 2. Risk is the new Benchmark • Business are moving at a faster rate • Compliance needs to
be maintained – need a systematic, quantitative measure • Risk is becoming the new
benchmark for compliance – Objective, Repeatable – Helps to make better, more informed
decisions
3. 3. Step 1. Defining Risk • Not easy! Companies spend time and money building a risk
taxonomy • Risk comes from Hazards and Harms – Hazards = A situation that poses a level
of threat to life, health, property or environment (an undesired event) – Harms = resulting
damages from the Hazard – Risk = The potential that a chosen action or activity will lead to an
undesirable event – Control = A method of evaluating potential losses and taking action to
reduce or eliminate the potential for an undesired event
4. 4. Step 2. Quantifying Hazards and Harms • We need a scale – Severity and Frequency –
Define the level of Risk on a pre-defined Scale: Severity Description Catastrophic Likely to
result in death Critical Potential for severe injury Moderate Potential for moderate injury Minor
Potential for minor injury Negligible No significant risk of injury Frequency Description
 Frequent Hazard likely to occur Probable Hazard will be experienced Occasional Some
manifestations of the hazard are likely to occur Remote Manifestations of the hazard are
possible, but unlikely Improbable Manifestations of the hazard are very unlikely
5. 5. Step 3. Build it all into a Risk Matrix • The Risk Matrix: tool used in the Risk Assessment
process, it allows the severity of the risk of an event occurring to be determined. • Graphically
displays the total of each of the hazards/harms that contribute to the risk – Severity = X –
Probability = Y – Risk Score = XY Y X RISK (XY)
6. 6. Hold On – There are some “gray areas” • Risks are not always “black and white” • When
defining risk management, some organizations find it convenient to categorize risks into the
following three regions: • The broadly acceptable region (Generally Acceptable - GA) • The
ALARP (As Low As Reasonably Practicable) region; and • The intolerable region (Generally
Unacceptable - GU) GU GA ALARP But how many zones? How to determine ALARP?
Probability Severity
7. 7. Step 4. Test your Risk Matrix • You must vet the matrix – Risk score is a mathematical
measure – Use “real world” examples to ensure validity of the matrix – Example: False
symmetry in risk matrix – needs to be validated with real world situations 5 10 15 20 25 4 8 12
16 20 3 6 9 12 15 2 4 6 8 10 1 2 3 4 5 PROBABILITY SEVERITY 10 10
8. 8. A Vetted Risk Matrix is just a Tool • Risk Matrix is designed as a tool, not a solution – Risk
is only quantifying the result – Organizations need to work on interpreting the decision • Risk
Teams review events to make decisions, using the Risk Matrix as a tool for the decision-
making process
9. 9. How to Apply The Risk Matrix - Example • Use Risk Assessment to filter adverse events –
What is the risk of the event, versus when it came into the system – Prioritize events by their
RISK not their due date • Resolve low-priority events at the source where they are found –
Minor Complaints/Nonconformances/Audit findings – Events with little impact can be
immediately resolved • Risk Mitigation: Applies risk assessment to verification and
effectiveness in Corrective Action – Are we reducing the risk to the right level? – Are we truly
mitigating risk of recurrence? Where’s the Risk here?
10. 10. Conclusion • Risk Assessment is great tool for making informed decisions • Understand
your Hazards and Harms within the organization • Build a scale that makes sense to your
organization • Plot the scale on a graph to form a Risk Matrix • Determine where the
acceptable and unacceptable risk lie • Then, vet that matrix with real-world historical
examples • Use the Risk Matrix as a tool within a Risk team to filter adverse events by their
Risk