What Is a Risk Matrix
A risk matrix is a tool you will use to assess safety concerns. The matrix allows you to rank risk and provide visual cues on safety acceptability.
The risk matrix is a standard tool for assessing safety issues in aviation SMS and is recommended by ICAO and other regulatory authorities for assessing issues.
You should develop your risk matrix at the onset of managing reported issues. It involves:
- Defining criteria for likelihood and severity;
- Defining acceptability; and
- Documenting your risk matrix for educational purposes.
Developing a risk matrix means both USING it and DOCUMENTING it to ensure consistency.
Related Aviation SMS Risk Matrix Articles
Process for Defining Acceptable Level of Safety
Acceptable Level of Safety (ALoS) is the level of risk your company is willing to “take on” or “tolerate” for any given safety issue. How you define ALoS will have wide-ranging implications for how you manage safety issues.
- Define the size and color scheme on your risk matrix, such as
- 4x4 grid, 5x5 grid, or 6x6 grid (5x5 is standard)
- Green, Yellow, Red scheme (this is standard color scheme)
- Green, Yellow, Orange, Red scheme
- Define and document each level of Severity on your risk matrix, such as
- Financial damage that defines each level of severity
- Human damage that defines each level of severity (i.e., minor injury, loss of life, multiple loss of life, etc.)
- Operational damage that defines each level of severity
- Define and document each level of Likelihood on your risk matrix, such as
- Likelihood based on frequency of occurrence (i.e., 1/1000 operations)
- Likelihood based on approximate chances of happening (i.e., “Has happened before in company,”)
- Document what risk assessments on the matrix are considered “acceptable”
- Provide further documentation guidance that department heads and other assessors can use the matrix.
How to Define Size of Risk Matrix
The size of your risk matrix is moderately important, but only so far as it allows you to:
- Make your risk matrix easy to use; and
- Be more detailed about each level of severity/likelihood.
The bigger your grid, the more specific each level of severity and likelihood can be.
Generally, most risk matrices are a 5x5 grid, though sometimes you may see organizations use:
- 4x4 grid; and
- 6x6 grid.
A 5x5 grid is the size we generally recommend you use and is the size provided as an example by ICAO. However, if you have a specific reason for making it smaller or bigger, you may do so.
On the risk matrix grid, you will have:
- The vertical side be labeled with numbers for each level of Severity; and
- The Horizontal side is labeled with letters for each level of Likelihood.
Thus, any grid is a composite of a letter and number, such as 2B, 5D, etc.
How to Document Each Level of Severity of Risk Matrix
You must define the criteria for each level of severity on your matrix. These definitions of each level will provide guidance during risk assessments. You should provide tangible definitions of severity for each level in terms of:
- How much financial damage is associated with each level;
- Level 1: < $1,000
- Level 2: $1,000 - $50,000
- Level 3: $50,000 - $200,000
- And so on.
- How much environmental damage is associated with each level;
- Level 1: Slight/no effect
- Level 2: Minor effect
- Level 3: Localized effect
- And so on.
- Personnel injury
- Level 1: Slight/no injury
- Level 2: Minor Injury, no hospitalization
- Level 3: Major injury, hospitalization
- And so on
- Mission
- No effect
- Minor degradation
- Single significant mission failure element
- And so on.
You may have an additional qualifying element you wish to define for Severity that is relevant to your organization.
Related Aviation SMS Risk Assessments Articles
How to Document Each Level of Likelihood of Risk Matrix
You also need to define the criteria for each level of likelihood. Generally, aviation service providers define criteria for likelihood by either:
- Number of expected occurrences per a given number of operations; or
- Relative chances.
For the number of expected occurrences, you might define it as:
- E (low likelihood): 1/20,000 operations;
- D (medium-low likelihood) 1/5,000 operations;
- C (medium likelihood): 1/1,000 operations;
- And so on.
This can be a good method if you have significant historical data to analyze occurrences per number of operations for specific hazards.
We recommend that most providers use a relative likelihood criteria, as it’s fairly straightforward and convenient for SMS of all ages and sizes. You might define these criteria as:
- A (low likelihood): Has happened in the industry, but very rare;
- B (medium-low likelihood): Has happened in the company in the last 5 years;
- C (medium likelihood): Has happened in the company in the last 2 years;
- D (medium-high likelihood): Has happened in the company in the last 9 months; and
- E (high likelihood): Has happened in the company in the last 3 months.
These are just loose examples, and you should define your chances based on the size, complexity, and number of operations in your company.
NOTE: You can set level A as your high likelihood or low likelihood, as there is no set direction your matrix needs to go.
How to Choose Color Scheme of Risk Matrix
You need to choose a color scheme for your risk matrix. This color scheme will give visual clues for which assessments are “acceptable” and which aren’t. Your colors will be assigned to each grid in a diagonal pattern, as you can see on the image to the right.
The standard color scheme is:
- Green (acceptable);
- Yellow (moderately acceptable, but may require further mitigation); and
- Red (unacceptable, emergency situation).
This being said, some organizations adopt a more specific matrix, usually being:
- Green (acceptable, no periodic review required);
- Yellow (moderately acceptable, requiring periodic review of issue); and
- Orange (unacceptable); and
- Red (emergency situation).
The color scheme matters because it affects how issues assigned with that risk level will be managed:
- “Acceptable” risks require no further action on the part of management to mitigate safety;
- “Unacceptable” risks require actions (CPAs) to mitigate risk.
How to Define Acceptable Level of Safety
Defining an acceptable level of safety is simply documenting which severity/likelihood composites on your risk matrix are acceptable, and which aren’t acceptable. Documenting this involves:
- Filling in your color scheme to reflect acceptability and unacceptability; and
- Actually writing out in plain terms which color(s) are and aren’t acceptable.
Related Articles about Acceptable Level of Safety
Providing Further Resources for the Risk Matrix
Finally, you should provide some further resources on how to use the risk matrix. This can simply be:
- Bullet points steps for using the risk matrix;
- Further considerations for using the risk matrix; or
- Which colors require which actions.
These types of further guidance should be documented in your Safety Policy so that new employees or department heads can consult it when they have questions about performing a risk assessment.
Last updated July 2024.