What is a Risk Matrix
A risk matrix is probably the inter-industry standard safety tool for risk evaluation. In aviation, SMS programs are ubiquitous. Risk matrices use “probability” and “severity” to quantify the scope of a real or hypothetical safety scenario. The quantification is generally broken into 3 categories:
- Acceptable risk (green);
- Unacceptable risk (red); and
- Ideally risk that is as low as reasonably possible (ALARP) (yellow), though risk in this middle section should be monitored carefully to ensure that reasonable controls are in place.
Some organizations use more colors, such as light green and/or orange. Extra colors only add “aesthetic” value rather than further quantification. The risk matrix is ultimately a risk management tool used to rank risks with the risk grid.
The Risk Matrix Grid
Risk matrices are broken into a grid. Matrix grids are usually 5×5, though they can be larger or smaller depending on company needs. The grid is used to assign a “number” to the risk, which is a combination of Probability x Severity and represents the scope of the risk.
The risk matrix grid:
- Usually increases in severity from left (low) to right (high);
- Usually increases in probability from bottom (low) to top (high); but
- A risk matrix can move in any direction, so you may see risk matrices that move from right to left and top to bottom, right to left and bottom to top, or left to right and top to bottom.
As you can see, there is a lot of flexibility about how the risk matrix “appears.” What matters most is what is consistent and comfortable in your organization.
Despite the fact that a risk matrix only contains two variables, there is a surprising amount of confusion or misunderstanding about how to use it. I constantly see different opinions about how to use it – some of these opinions are better than others. We will look at probability and severity below, and then consider the 2 “best use cases” of a risk matrix during risk assessment.
What is Probability in a Risk Matrix
Risk matrix probability is used in different ways depending on how the organization defines “probability.” Probability usually means likelihood or frequency, and ranges from “very rare in industry” to “reported several times a year in company.” Probability can be used to quantify:
- The likelihood of a risk event, such as a runway incursion;
- The likelihood of negative consequences materializing, such as aircraft damage from bird strike; or
- An overall probability of a risk scenario, including the likelihood of a risk event and negative consequences materializing.
Many companies understand probability as likelihood of consequences, though you can also use it to assess probability of risk events. Likelihood is assigned a letter value for each increment in likelihood. Low probability is assigned A. High likelihood (in a 5×5 grid) is assigned an E.
What is Severity in a Risk Matrix
Severity in risk matrices is more streamlined in use than probability. Severity:
- Measures the severity of impacts in safety events; and
- Only accounts for “likely” outcomes.
Severity is given in a range of numbers, starting at 1 (low severity), and incrementing up by 1 each row. In a 5×5 risk matrix grid, high severity would be assigned a value of 5.
Severity is generally considered as ranging from:
- Negligible (1 rating): slight injury/damage, low financial consequences, and/or little effect on mission; to
- Catastrophic (5 rating): multiple fatality, extremely high financial consequences, and/or mission failure
High severity risk assessments should require extensive investigations by a company and every available resource to mitigate the exposure of the safety incident.
Using a Risk Matrix in a Risk Assessment
When it comes to using a risk matrix in a risk assessment, there are 2 primary approaches that companies adopt. It’s important to remember the purpose of using risk matrices in risk assessments:
- NOT USED to make decisions; but
- USED to rank safety events, as in to say, “here’s basically what we are looking at with this safety incident.”
A risk matrix is a bad tool to use in making decisions. It is designed to provide a number/letter combination to rank an event. During risk assessment, the combination of probability and severity that is decided upon will provide the number/letter combo. Some examples for a 5×5 grid are:
- Low probability and low severity: 1A
- High probability and high severity: 5E
- Medium-low probability and medium-high severity: 4B
- Medium probability and medium severity: 3C
The numbers provide a powerful way to assess a company’s historical exposure to risk. For example, by tracking each issue’s severity and probability in an aviation safety database or Excel spreadsheet a company could easily assess averages and frequency of certain severities and/or probabilities occurring.
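One way to do the tracking described above, as an added example that is not from the original article: it parses ranks in the article's number/letter form (severity 1 to 5, probability A to E) from a constructed issue log, rejects malformed or out-of-grid entries, and reports frequencies and averages. The issue IDs, the function names and the mapping of A..E to 1..5 for averaging are assumptions.

```python
from collections import Counter
from statistics import mean

GRID = 5  # the article's 5x5 grid: severity 1..5, probability A..E


def parse_code(code, grid=GRID):
    """Split a rank such as '4B' into (severity, probability index 1..grid)."""
    code = code.strip().upper()
    if len(code) < 2 or not code[:-1].isdigit() or not code[-1].isalpha():
        raise ValueError(f"malformed rank {code!r}")
    severity = int(code[:-1])
    probability = ord(code[-1]) - ord("A") + 1  # assumption: A=1 ... E=5
    if not (1 <= severity <= grid and 1 <= probability <= grid):
        raise ValueError(f"rank {code!r} is outside the {grid}x{grid} grid")
    return severity, probability


def summarize(issues, grid=GRID):
    """Frequencies and averages of severity and probability over logged issues."""
    ranks, rejected = [], []
    for issue_id, code in issues:
        try:
            ranks.append(parse_code(code, grid))
        except ValueError as exc:
            # Keep bad entries visible instead of silently skewing the averages.
            rejected.append((issue_id, str(exc)))
    sev = Counter(s for s, _ in ranks)
    prob = Counter(chr(ord("A") + p - 1) for _, p in ranks)
    return {
        "count": len(ranks),
        "severity_freq": dict(sorted(sev.items())),
        "probability_freq": dict(sorted(prob.items())),
        "mean_severity": mean(s for s, _ in ranks) if ranks else None,
        "mean_probability": mean(p for _, p in ranks) if ranks else None,
        "rejected": rejected,
    }


# Constructed sample log: (issue id, rank assigned during risk assessment).
SAMPLE_ISSUES = [
    ("ISS-001", "1A"), ("ISS-002", "4B"), ("ISS-003", "3C"),
    ("ISS-004", "3C"), ("ISS-005", "5E"), ("ISS-006", "2f"),
    ("ISS-007", "B4"),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ISSUES).items():
        print(f"{key}: {value}")
```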