As part of establishing risk criteria, the selection of a risk assessment matrix is significant, and should be included at the beginning of the process.
An organization should select or develop a risk assessment matrix that the stakeholders broadly agree upon to be used in the risk assessment process. This key component is used to define and determine risk levels within an organization. An example of a risk assessment matrix adapted is provided in Table 3.1.
Table 3.1 Example of a risk assessment matrix.
←Severity of injury or illness consequence→ | ||||
Likelihood of occurrence or exposure for select unit of time or activity | Negligible | Marginal | Critical | Catastrophic |
Frequent | Medium | Serious | High | High |
Probable | Medium | Serious | High | High |
Occasional | Low | Medium | Serious | High |
Remote | Low | Medium | Medium | Serious |
Improbable | Low | Low | Low | Medium |
The purpose of the risk assessment matrix is to provide “a method to categorize combinations of likelihood of occurrence and severity of harm, thus establishing risk levels” (ANSI/ASSP Z590.3, 2016). In essence, it is a risk “measuring stick” and communication tool used to help categorize and prioritize risks within the organization so that decision makers can take the most appropriate action in regard to risks and their treatment. There are a number of sources from which to select a risk assessment matrix. Notable examples are provided in the ANSI Z590.3 Prevention through Design standard, the US Military standard MIL‐STD‐882E, and the ANSI B11.TR3‐2000 technical report, among others.
It is important that the risk rating criteria and matrix used by an organization are consistent. When developing or selecting a risk assessment matrix which expresses numerical values, rating criteria should be standardized so that a lower risk score or risk priority number (RPN) value indicates a lower risk level. Thus, on a 10‐point risk scale, a risk score of 1 is considered the lowest level, while a 10 is considered the highest risk. For example, Table 3.2 provides an example of risk criteria reprinted with permission from ANSI/ASSP Z590.3. The example uses severity of consequence and occurrence probability factors which are multiplied to determine the risk level. Risk levels are defined as: Very High (15 or greater); High (10–14); Moderate (6–9); and Low (1–5). The corresponding Risk Scoring Levels and Actions Required shown in Table 3.3 are reprinted with permission from ANSI/ASSP Z590.3. The standard states that these numbers are judgmentally determined, are qualitative, and only have value in relation to each other.
Table 3.2 Example 5‐point risk assessment matrix.
Source: Adapted from ANSI/ASSP Z590.3‐2011(R2016)
Occurrence probabilities and values | |||||
---|---|---|---|---|---|
Severity Levels and values | Unlikely (1) | Seldom (2) | Occasional (3) | Likely (4) | Frequent (5) |
Catastrophic (5) | 5 | 10 | 15 | 20 | 25 |
Critical (4) | 4 | 8 | 12 | 16 | 20 |
Marginal (3) | 3 | 6 | 9 | 12 | 15 |
Negligible (2) | 2 | 4 | 6 | 8 | 10 |
Insignificant (1) | 1 | 2 | 3 | 4 | 5 |
Very high risk: 15 or greater High risk: 10–14 Moderate risk: 6–9 Low risk: 1–5 |
Table 3.3 Risk scoring levels and action required.
Source: Adapted from ANSI/ASSP Z590.3‐2011(R2016).
Category | Risk score | Action |
---|---|---|
Very high risk | 15 or greater | Operation not permissible. Immediate action necessary. |
High risk | 10–14 | Remedial actions to be given high priority. |
Moderate risk | 6–9 | Remedial action to be taken at appropriate time. |
Low risk | 1–5 | Remedial action discretionary. |
Notice that both matrix examples are in the upper right‐hand quadrant known as Quadrant I of the Cartesian coordinate system. It is the authors’ opinion that a risk assessment matrix should be positioned in the first quadrant (Quadrant I). This allows the user to read the matrix from left to right/bottom to top, with risk levels progressing from low to high accordingly, as indicated in Figure 3.4.