Risk Matrix
A risk matrix is a fundamental risk management tool that characterises and prioritises workplace hazards by plotting the likelihood of an event occurring against the severity of its potential consequences. By transforming qualitative judgements into a structured grid, organisations can generate risk ratings that dictate the urgency and level of authorisation required for hazard control, ensuring resources are directed toward the most critical threats.
In 2024, vehicle incidents accounted for 42% of all worker fatalities in Australia, while body stressing caused 33% of serious workers' compensation claims. A properly calibrated risk matrix helps organisations identify these high-consequence and high-frequency hazards before an incident occurs, making it a primary defence against workplace tragedy.
What is a Risk Matrix?
At its core, a risk matrix is a visual decision-support aid that enables Persons Conducting a Business or Undertaking (PCBUs) to standardise how they evaluate diverse hazards—from a slip hazard in a kitchen to a catastrophic chemical containment failure. It transforms the complex task of risk evaluation into a systematic, repeatable process that can be applied consistently across an organisation following proper hazard identification.
While not explicitly mandated by the Work Health and Safety Act 2011 (WHS Act), the risk matrix is the industry-standard methodology for meeting the regulatory duty to manage risks so far as is reasonably practicable. It provides evidence of a systematic approach to risk assessment, which is admissible in court under Codes of Practice such as How to Manage Work Health and Safety Risks.
The matrix serves two critical functions in the Australian regulatory context. First, it provides prioritisation by separating "acceptable" risks that can be managed via routine procedures from "intolerable" risks that require immediate intervention or cessation of work. Second, it facilitates communication by providing a common language for workers, management, and safety regulators to discuss the magnitude of a risk, supporting the consultation duties required under Section 47 of the WHS Act.
Generate consistent risk ratings with digital templates and automated workflows
How a Risk Matrix Works
The mechanics of a risk matrix rely on the intersection of two specific dimensions that together determine the overall risk level.
Likelihood (Probability)
This axis measures the chance of the hazard causing harm. To ensure consistency, organisations must define timeframes for these descriptors rather than relying on subjective interpretation. The standard five-level scale provides sufficient granularity for most workplaces:
| Level | Definition | Timeframe Example |
|---|---|---|
| Almost Certain | Expected to occur in most circumstances | >90% chance within 12 months |
| Likely | Will probably occur | Occurs annually |
| Possible | Might occur at some time | Once every 5 years |
| Unlikely | Could occur but is not expected | Rare occurrence |
| Rare | May occur only in exceptional circumstances | Exceptional events only |
Consequence (Severity)
This axis measures the reasonably foreseeable impact if the event occurs. It typically considers human safety but may also include financial, environmental, and reputational impacts in comprehensive risk frameworks.
| Level | Impact |
|---|---|
| Catastrophic | Fatality, permanent disability, or irreversible environmental damage |
| Major | Serious injury requiring hospital admission or significant long-term health effects |
| Moderate | Medical treatment injury requiring professional care but no permanent disability |
| Minor | First aid treatment only; minor cuts or bruising |
| Insignificant | No injury or near-miss only |
The Risk Rating
By cross-referencing a hazard's likelihood with its consequence, the matrix yields a risk rating that determines the required response. The industry-standard 5×5 matrix produces four risk levels:
| Risk Level | Required Action |
|---|---|
| Extreme Risk | Stop work immediately. Requires senior management intervention and detailed risk control plans. |
| High Risk | Urgent action required. Work usually cannot proceed without high-level approval and interim controls. |
| Medium Risk | Monitor and manage. Implement controls as soon as reasonably practicable. |
| Low Risk | Manage via routine procedures and standard operating guidelines. |
Why Risk Matrices Matter
Regulatory Compliance
Under the WHS Act 2011 and harmonised state laws like the OHS Act 2004 in Victoria, PCBUs have a primary duty of care to eliminate or minimise risks so far as is reasonably practicable. While the legislation does not prescribe a specific matrix format, using one demonstrates a systematic approach to meeting "reasonably practicable" obligations. Codes of Practice are admissible in court as evidence of what is known about risk assessment, making documented risk matrix processes valuable legal protection.
Resource Allocation
Organisations have finite resources for safety improvements. A risk matrix ensures that capital expenditure and management attention are directed toward "High" and "Extreme" risks first, rather than being dissipated on "Low" risks that are easily managed. This creates a defensible framework for investment decisions and demonstrates due diligence to regulators and stakeholders.
Track risk ratings and control implementation with automated escalation workflows
Practical Considerations
Inherent vs. Residual Risk
Understanding the distinction between inherent and residual risk is critical for effective hazard control. Inherent risk is the risk level associated with a hazard before specific additional controls are applied (or sometimes defined as the risk with only standard existing controls). Identifying inherent risk highlights the raw danger of an activity—for example, working at heights is inherently "Extreme" regardless of current practices.
Residual risk is the risk remaining after control measures are implemented. The goal is to reduce residual risk to an acceptable level through engineering controls, administrative measures, or PPE. It's important to note that residual risk typically cannot be higher than inherent risk unless a control introduces a new, worse hazard.
Common Pitfalls
Range compression occurs when matrices group vastly different risks into the same category. A "Rare" event might be a 1-in-100-year flood or a 1-in-10,000-year earthquake; treating them identically can lead to poor planning for true "Black Swan" events that have catastrophic consequences.
False precision emerges when numbers are assigned to the axes (e.g., 3 × 4 = 12), suggesting a mathematical accuracy that doesn't exist. Qualitative descriptors (Low, Medium, High) are generally preferred to avoid misleading decision-makers into believing the assessment is more precise than it actually is.
Subjectivity remains the most persistent challenge. Different people often rate the same hazard differently based on their experience, familiarity with the task, and risk tolerance. A worker familiar with a task might rate likelihood as "Rare" due to confidence, while a supervisor might rate it "Possible" based on industry-wide incident data.
Best Practice Mitigation
To mitigate subjectivity, risk assessments must be done in consultation with workers—a legal requirement under Section 47 of the WHS Act. A diverse team including operators, safety representatives, and managers ensures a more accurate "triangulated" rating that balances multiple perspectives. Documented definitions for each likelihood and consequence level further reduce inconsistency across different assessments.
Frequently Asked Questions
Should I assess risk before or after controls?
You should assess both. Inherent risk is assessed first to understand the severity of the hazard and justify the investment in controls. Residual risk is assessed after controls are applied to verify they are effective and that the remaining risk is tolerable. Work should only proceed based on the residual risk rating, not the inherent risk level.
What if the same hazard could have different consequences?
Assess the reasonably foreseeable worst case. Do not fixate on the absolute worst imaginable outcome if it is statistically negligible (such as a meteorite strike), but do not underestimate the risk by assuming "best case" luck. For example, if a heavy object drops, assess the consequence as if it hits a person (Major or Catastrophic), unless you have isolation controls that make human presence impossible.
Is a 3×3 matrix acceptable or do I need 5×5?
There is no regulatory requirement for a specific size. However, a 5×5 matrix is the industry standard used by Safe Work Australia and most state regulators because it offers enough granularity to differentiate between "High" and "Extreme" risks. A 3×3 matrix is often too blunt for high-risk industries like construction or mining, as it may lump too many distinct risks into a single "Medium" category.
References
- University of Western Australia. (n.d.). Guide: General Safety Risk Assessment.
- RANZCO. (2021). Risk Management Framework.
- Safe Work Australia. (2024). Model Code of Practice: How to manage work health and safety risks.
- Safe Work Australia. (2018). Code of Practice: How to manage work health and safety risks.
- Safe Work Australia. (n.d.). Code of Practice: Work health and safety consultation, cooperation and coordination.
- Safe Work Australia. (2025). Behind the numbers: What's causing harm at work.