• Peter Bateman
    In the May/June edition of Safeguard magazine we pose three questions based on stories in the magazine. One of them is this:

    Steve Young suggests the widely used colour-coded risk matrix encourages us to focus on the probable risks while glossing over the improbable (but, one day, inevitable and fatal) risks.
    Should we abandon the matrix?

    Feel free to respond here on the Forum, or privately here via a Survey Monkey form.

    An edited selection of responses will be published in the July/Aug edition, but with no names attached. One randomly selected person will receive a prize, namely a copy of the booklet The Courage to Speak Out, by Dr Bill Glass and Grace Chen.
  • Sandra Nieuwoudt
    I have been working for big to small companies and have not seen the benefits of the colored matrix. It creates different opinions for the same hazard that are assessed e.g. testing asbestos samples vs mining and or demolishing asbestos.
    These matrixes are not based on real data it is based on opinion with my opinion being that a matrix with numbers and or colors are not keeping people safe but training, competency, supervision, and engagement in H&S is the key and how you record that.
    However, the risk assessment itself determines which risks should take priority and needs robust controls.
    In addition, the act does not mention that a risk score or matrix is required to identify, assess or mitigate.
    I can provide the same scenario to two different teams and the outcome of the risk matrix will be different.
  • KeithH
    Hmmm. My ramblings.
    Consider the context that the outputs of risk matrixes are displayed.

    Outputs go into hazardous substances registers and risk assessments to determine the effectiveness of activities based on the hierarchy of controls. So based on the 'traditional' approaches, the outputs of risk matrixes are required.

    But are risk matrixes based on objective and agreed criteria? Here in NZ, possibly not. Qualitive and generic assessments are frequently used. Less common are quantitative and dynamic. I believe site specific assessments are included in qualitive.

    So back to qualitive assessments. Because they are based on personal opinions and experience, these types of risk matrixes will definitely vary between industries and even contractors within the same industry. Because they are subjective and personal, are they worth the paper they are printed on? Or are they relevant for the organisation?

    And who are the outputs for? Really for? If it's for workers - and in a format relevant for them - kool. But most of the time it's not. And usually that's because documentation is requested by management and written with little or no engagement with workers.
    And then presented to workers. Keeping in mind that as a result of disengagement, these same workers view H&S as negative, bureaucratic and compliance exercise. Hence no buy-in.

    Is the problem the risk matrix or the way outputs are determined and presented? Personally, I don't believe it is the matrix but you are free to differ.
  • Aaron Marshall
    The risk matrix is simply one way of communicating where risks are perceived. It is a communication tool, and in no way should it ever to be seen as an exact calculation of a risk. After all, every hazard has multiple outcomes. It may have minor consequences most of the time, but a major consequence very rarely. So a risk actually lives in an area within the matrix, not a single point.
    My opinion is that we, as humans are horribly bad at understanding, and acknowledging extremely high consequence, extremely low likelihood risks (think Covid Pandemic). This is the root of the failure to adequately deal with these risks, not a communications tool.
  • Steve H
    So a risk actually lives in an area within the matrix, not a single point.Aaron Marshall

    Totally agree Aaron, Sandra's comments reinforce this.

    I can provide the same scenario to two different teams and the outcome of the risk matrix will be different.Sandra Nieuwoudt

    But they look pretty and gives the appearance that we've considered the possibilities, and done something to reduce/control them
  • Greg Sutton
    I believe the risk matrix scoring should be the same across all industries to have a common starting point. The discussion, which should be done by workers at the coal face, is imperative over being done by someone behind the scenes. We find the thought process in assessing the risk as a good start to getting staff to verbalise the risks but...

    There is no common denominator in calculating the residual risk value. The weighting of control factors needs to be also based on a standard format. Yes we ask staff to weight consequences & likelihood, but we do not guide them on how to weigh control measures.

    I.E. Training, PPE, maintenance, housekeeping, SWP, equipment checks etc need to have a standard points awarding structure.

    Possibly we should re-access the risk once control measures are decided upon, use those values to calculate initial risk and then subtract them as controls to get the residual.

    Example. Engine Exhaust Fumes
    Initial Risk = likely x major = 4 x 4 = 16
    Controls = training / extraction system / maintenance
    So instead of asking if those controls are in place, what is the estimate of residual risk ;
    unlikely x minor = 2 x 2 = 4 (our example)

    Rather ask..
    Initial Risk :
    Training removed; extraction & maintenance remain in place = occasional x moderate = 3 x 3 = 9 ( training reduction 7 points ).
    Extraction removed; training & maintenance remain in place = likely x major = 4 x 4 = 16 ( extraction reduction 0 points ).
    Maintenance removed; training & extraction remain in place = unlikely x major = 2 x 4 = 8 ( maintenance reduction 8 points ).

    Initial - Training - Extraction - Maintenance = Residual
    16 - 7 - 0 - 8 = 1
    Which equates to rare x insignificant

    Is this formula giving a residual risk that is too low ?
    I am not formally trained but do feel my residual risks are more of a thumb suck than being calculated in some logical or standard format...

    Someone write an App please.
  • MattD2
    Any tool is dangerous when used in the wrong way...

    A risk rating system / risk matrix is a tool to help with prioritising actions in response to multiple risks - in other words a tool to help determine where our limited effort and resources are best allocated at that time. And in my opinion they have no purpose at the task management level in the way that they are now commonly used (e.g. JSAs). And in fact they are causing more harm than good as they very often distracts and dominates the conversation over the discussion of the actual management of the risks (i.e. it has become more about getting to the "green" than managing the risk to as low are reasonably practicable). Taking your example , imagine the additional effort to work through that calculation for every risk and every set of controls, especially if you include the points that and have made that these "risks scores" aren't just a single point on a matrix but a spectrum of possible outcomes. And in the end how much "safer" is the situation by having the number 1 written down somewhere as oppose to actually just talking about the risk management requirements, e.g. "that exhaust fume extraction is a critical control, so if it is not working we aren't working - so we need to be keeping a constant watch on that"... "well then if it is that critical why don't we get this alternative extraction system instead which has an audible alarm when there is not enough flow?"

    So to answer the ; no we should not get rid of the risk matrix, but we should get better at using them appropriately... including not using them at all in a lot of cases that we currently are using them!
  • Mike Massaar
    Not many people are skilled at undertaking risk assessments - it's a specialist area. Risk assessments are open to manipulation to get the result that one wants. Often like minded people do the assessment, and therefore know the outcome they are after, and of course will arrive at that. Good risk assessments need social process so you get multiple views in the room.
    So in my view it doesn't really matter if and what sort of matrix they use, as long as what they use is in the organisational context.
  • Riki Brown
    MattD2 I agree with your answer, thank you.

    I have never really understood/seen the utility of them (it is possible they were being used poorly/incorrectly in all my experiences).

    I always thought it was just me being slow and not understanding them when everyone else was.

    I was confused by the subjectivity of them, the need to put risks on a single point when in reality there could be a range of likelihoods and consequences of a hazard on any given day.

    I was confused by assigning numbers to things and then everyone talked about numbers and not about the actual thing were trying to manage.

    I was confused by a lack of definition of terms such as 'likely' and 'severe'.....and then when likelihood parameters were added, such as "likely = 1 in a 1000 chance of happening" I was no more informed as there is no data on how many times its happened before, or how many people are carried out the work, or how many people have been exposed to the hazard.

    I was confused by the seeming ease of being able to adjust one value and move the risk from 'red' to 'orange' so we can go about our work.

    I recently did a risk assessment for a client for a new adventure activity they are setting up. I didn't use a matrix, I simply listed all the hazards that I (as the contracted expert) believe have the ability to kill people (this included things like height, extreme weather, driving, gear failure, incorrect rigging). I didn't need to rate them, they could all kill. We then applied control measures, in line with industry good practice guidelines until we believe the risk is minimised to an acceptable level.

    I really don't feel I needed a matrix.

    Feel free to rip my approach apart and tell me where you think a matrix would strengthen things......thats a genuine statement, not an arrogant one, I want to learn from others with more experience, I'm here to grow.


  • Greg Sutton
    Thank you for the responses...there are some excellent points.
  • MattD2
    Feel free to rip my approach apart and tell me where you think a matrix would strengthen things......thats a genuine statement, not an arrogant one, I want to learn from others with more experience, I'm here to grow.Riki Brown

    Don't see any reason to rip that approach apart at all - reasonable approach and I don't think a risk matrix would realistically help in any way (and as I said before using one may have resulted in a less than optimum result). One question I am keen to hear your viewpoint on is how are you determining that the "risk is minimised to a acceptable level"?

    Reason that I am keen to hear your answer is I am expecting that without using a risk matrix/score you have removed the common trap of stopping at an arbitrary pre-defined point (getting to the green) rather than actually managing the risk so far as reasonably practically.
  • Riki Brown

    Cheers Matt, valid question.
    To gauge whether the risk is minimised to an acceptable level/ to measure the 'residual risk' there a few measures I use......I kind of do this 'naturally', but now that you ask me to write this down I think I should have this documented as an actual procedure/process I follow, that will be a useful tool to communicate my approach to others....thanks for helping me realise that Matt.

    1. I use my experience and the experience within the organisation to assess whether I/we think its safe enough/the risk is low enough. Which is exactly what we do when we use a matrix, but instead of getting caught up on if its 1:1000 or 1:10,000, or yellow or orange.....its simply "does that, in my experience ,seem to provide an appropriate level of safety?
    1.b we will have a discussion to answer the question "are we taking all reasonably practicable here to keep the staff and clients safe during this adventure activity?" if not, what more could we be doing.

    2. I use guidance material from the industry or Worksafe or internationally to measure what we propose. I read up and see if what I propose is still accepted within the industry, or perhaps its outdated and the gear or systems have be upgraded/changed/moved on.

    3. I look to other operators in the industry and see if what I/we are proposing is common practice, or am I bing a renegade/cowboy.

    4. If I want more info I will run it past other technical experts that I know in the field, i'll ask them, "what do you think about this?" "should we be doing more?"

    So yea, I have a good amount of experience in running adventure activities, but I'm new to the "safety-science" side of things........thats the process of risk management that comes natural to me.

    Again, I'm here to learn, so anyone feel free to give feedback.


  • KeithH
    Why don't H&S people manage risks? Dump irrelevant paperwork including risk matrixes. Talk with the guys in the field. Discuss what will kill or injure them. Find out when things go pear-shaped what will stop them from getting killed or harmed.

    IMHO, most controls utilised are from the bottom two levels of the Hierarchy of controls usually because of ease, simplicity and cost. How many come from the top three levels?

    Why not start really managing risks rather than manipulating people.
  • Steve H
    IMHO, most controls utilised are from the bottom two levels of the Hierarchy of controls usually because of ease, simplicity and cost. How many come from the top three levels?KeithH

    Yes on the money Keith, pretty much none are of the top three levels are controllable by the folk being asked to use them.
  • Tony Donahoe
    I find the risk matrix to be an excellent tool.
    It enables you to define risk in a way that people understand.
    Stuff that kills you will always be Critical or Extreme but other than this its all about qualitative assessment which for 95% of risk is probably all we have.
    Riki Brown did exactly that, he just didn't label his assessments but he started at Critical and presumably ended at High, Medium or Low.
    The end result is then determined by what the controls are and this in turn controls how often the controls need to be checked. Easier if they have labels (eg high = 3 monthly, low = 12 monthly, etc)
    When dealing with Critical risk, scenarios should be considered, then the controls for those scenarios, the supporting controls, specific responsibilities; also where to find the specifications/procedures.
    All of this is best achieved, in my opinion, with the use of a risk matrix. If nothing else, the process is at least consistent.
    Once at this point, the residual rating can always be changed if the controls are found to have gaps upon review.
    But it is not the rating that counts its the controls and how you can measure whether they are working.
    Safety risks are pretty straight forward based on how many injuries occur despite controls. But when it comes to health risk, measurement practices are also controls - eg: eyesight, hearing, lung function testing, etc - whatever is required to measure the effectiveness of any controls designed to prevent acute/chronic health issues.
    I would like to see a standard risk matrix, one not only specified by WorkSafe but also by ISO and used across all standards (9001, 14001, 45001, etc). I believe this would make risk more understandable and people would develop a greater in-built sense of risk, a bit like they have an in-built ability to determine distance, time, etc.
  • Chris Peace
    A few bulleted comments:
    Design of a matrix
    • Some matrices were "found on Google" or got from a friend in a different industry
    • A risk matrix cannot be designed to accommodate all the possible data points
    • Some designers will design a matrix to make sure it gives the results they want
    • Most matrices I have seen use a likelihood scale using words such as "quite likely"; each user will interpret such words differently.
    • A better approach is to use ranges of probabilities (eg, 60-80%) but numbers scare many people and they prefer to use words to fudge the results
    • Asking for a single matrix to cover all situations is like going to a clothing shop to buy the one-size-fits-all trousers ("Guaranteed to fit all women, men and children").
    Use of a matrix
    • Each user or group will be concerned about the views of executive management and so will skew the results to give give an acceptable result and avoid adverse comment
    • Each user of a matrix will have different biases and experiences, so each result will be purely personal
    • Matrices look scientific so people believe they are accurate
    • Matrices are used for analysis without actually analysing the possible consequences and the probability of each consequence.
    • They are only really useful for reporting that one risk is greater or smaller than another (IEC/ISO31010 Risk management - Risk assessment techniques downgraded the matrix from an analysis tool to a reporting tool)
    When we grow up we might accept that risk is about uncertainty. But that's a big word so flip the sentiment and use a short word.
    Get managers to ask "How sure are you that nobody will be harmed in this activity?" Anything less than 80-90% sure will not be acceptable to a judge.
    And stop using the matrix.
    I wrote most of this (and then some) in an academic article published in 2017.
    Peace, C. (2017). The risk matrix: uncertain results? Policy and Practice in Health and Safety, 15(2), 131-144. https://doi.org/10.1080/14773996.2017.1348571
  • Steve H
    But they look pretty and gives the appearance that we've considered the possibilities, and done something to reduce/control themSteve H

    But they look so pretty Chris, however I agree with every word in your post
  • Tony Donahoe
    Risk assessment is not scientific, its subjective (and personal), which is why it should include a number of people.
    It not the the definition of risk that counts but the controls used to mitigate it.
    It is quite easy for those that prefer, to flip "quite likely" to 70-80% if that's helpful.
    Its a tool to be used to gain the results.
    Any HS professional that "will be concerned about the views of executive management and so will skew the results to give give an acceptable result and avoid adverse comment" instead of focusing on the health and or safety of their subject is in the wrong job.
  • Dianne Campton
    Risk matrix may not be perfect but they channel individuals to think about what might happen and take steps accordingly. Will they get it right every time? Probably not. It is however a good starting point for the work team to discuss and agree on the controls they should implement to protect themselves and everyone around them.
    I haven't come across anything else that would work any better. Would be interested to see if there is anything others have come across
  • MattD2
    It is however a good starting point for the work team to discuss and agree on the controls they should implement to protect themselves and everyone around them.Dianne Campton
    But why does "scoring" the risk need to be part of that conversation?

    I haven't come across anything else that would work any better. Would be interested to see if there is anything others have come acrossDianne Campton
    Why does a replacement need to be proposed to stop using something when it has a detrimental affect - in other words (in some / a lot of cases) doing nothing is better than using a risk matrix.
  • Dianne Campton
    I don't think doing nothing is a better option when faced with risks in business.
    I also disagree that using a risk matrix has a detrimental affect. It helps guide people to understanding the implications of risk and what outcomes might happen if they do nothing.
    If they come up with different scores it doesn't matter. The benefit is they are working through a thought process and coming out the end with something tangible they can understand.
    Do they get it right all the time? No. That's one of the things we are for - to help them understand the process and get better at it. It's no use saying its rubbish and not having a different way of assessing and controlling risks. We need to either continue coaching people in how to do it with robustness or develop something else they can use. Doing nothing is not an option.
  • MattD2
    Doing nothing is not an option.Dianne Campton
    I think you may have misunderstood my point.

    I am not advocating for not managing risk. What I am saying is the common subtask in the majority of task risk assessments of "using a risk matrix to risk assess the risk" is normally a non-productive subtask, which is highlighted by your comment that "If they come up with different scores it doesn't matter.", especially when the benefits that you have assigned to the risk matrix can just as easily come from a similar conversation that only differs in there was no matrix and therefore no risk scoring to get hung up on.

    In my opinion the detrimental effects are that:
    • this part of the risk assessments process commonly takes up the majority of effort, with getting agreement on the initial and residual risks scores, and
    • it commonly limits the scope of risk management applied as some basic controls are typically stated, the residual risk calculated (which must go down since controls are applied) and since it has gone down (typically into the green region of the matrix) then the job is done.

    When looking at individual risks we can understand the implications of not managing those risk without needing a risk matrix to do it. And the effort that was previously lost to the risk matrix can now be better used to consider and understand how the risk can be managed as best as reasonably practicable.
  • Steve H
    But they look pretty and gives the appearance that we've considered the possibilities, and done something to reduce/control themSteve H

    What about something pretty to replace them Matt? it's all very well to actually reduce the level of risk,but justice must be seen to be done. Said somewhat tongue in cheek, I agree with you.
  • Dianne Campton
    We can agree to disagree :) Legislation requires a process to assess and control risks. This is what the risk matrix helps with. Until some other way is developed keeping them simple is the best option
  • KeithH
    If they don't assist managing hazards, IMO, place risk matrices with TRIFRs, LTIIFRs and such in File 13.

    I finally read Steve Young's article - https://safeguard.co.nz/current-magazine/a-chance-in-a-million/;
    Read the evolution of the OHS profession in New Zealand twice - Safety Science article by Greg Chris Felicity Helen;
    And listened to Todd Conklin - Critical Risk Controls.

    The underlying focus for me is the same - move the focus from outcomes for people to proactively managing hazards.
    HSWA S30 may be incorrect - perhaps it should read Management of Hazards. :wink:

    Phil Parkes' presentation on the NZISM site - Better Work from 30 June 2020 - is, IMHO, worth listening to.
  • Chrissy Hansen
    Interesting topic as we have been reviewing this process at the moment. Risk Assessments are commonly used in my industry and the Risk Matrix can cause confusion with a few of our team. The need for additional training is what I have identified with some completing them well and others not so and use it for a point of arguing the outcome, at least it is generating discussion. The main problem is the difference between reducing the likelihood of an accident occurring with the appropriate risk controls to ensure it is safe to proceed, dropping the likelihood from say red to yellow or green and the consequence remaining the same, still catastrophic if it occurred
  • Mark Taylor
    How can risk be calculated using a simple binary formula?
    People’s perceptions are based on current knowledge, experience and lessons and this is often missed during the risk assessment process
    Also, changes to working conditions, changes to the workforce and ongoing alterations to processes due to delays can effect decision making.
    Where in a risk matrix does it include heuristics, biases and coherence?
    I am not a fan of measuring anything in safety as it does not reflect what is actually going on at the coalface and diverts time that can be better spent to thinking about actions people take and providing better solutions to proactively improve workplaces
  • KeithH
    Possibly an answer for retaining the risk matrix.
    This is an area for NZISM and HASANZ to take the lead for adoption - MDPI
  • MattD2
    Possibly an answer for retaining the risk matrix.
    This is an area for NZISM and HASANZ to take the lead for adoption - MDPI
    I've only have managed to scan the paper quickly, but I have some concerns that (in terms of this threads questions) it deals more with "redesigning the mouse-trap" than "addressing the vermin infestation".

    One big red flag for me its the following sentence:
    Executives or the board may like to be involved with this as they are personal liable for organisational risk appetite. Is it acceptable or not for a certain number of minor harm injuries to occur?Alignment of the Safety Assessment Method with New Zealand Legislative Responsibilities, Dr. Dirk Pons
    This is a clear indication that they are missing the point of the main issue they are trying to address
    - the alignment of risk assessment practices to NZ legislative requirements.

    This is an example of the problem we have created by directly transferring "risk management" techniques from a non-legislative based financial/economical/quality model to a model that is trying to manage an aspect that primarily is concerned about statutory compliance. Using "risk appetite" in a safety context is a specific example of the problems this causes - a business cannot just simply determine for itself what is "reasonably practicable" for safety by deciding what their own "risk appetite" for safety is in the same way it does when deciding acceptable plans/actions under the organisation's strategy for business growth. "Reasonably practicable" is defined in HSWA S22 and therefore H&S "risk appetite" has also been effectively set, the difficulty that this creates is that tools typically used to manage risk in other contexts no longer work as effectively in the context of safety, such as H&S risk matrixes where organisations can end up in a situation where "getting to the green" doesn't necessarily mean they have actually done what is "reasonably practicable".
  • KeithH
    Personally I agree with you.
    I don't like Risk Matrices - numerical, alphabetical or traffic light style - to set the outcome of hazard. gave them up a few years ago.

    I think the OHS profession here has got hung up on justifying positions rather than providing value. Also that business management has driven changes to suit themselves while not engaging with workers.
    As an aside, the earliest reference in NZ I can find to using risk matrices is in SiteSafe's 2016 SSSP when initial and residual risk rating appeared in the task analysis. That the release of this version matches closely with the implementation of HSWA is, for me, more than a coincidence.

    For me the consequence of an activity is not if it will happen, but when it will happen. And the consequences I worry about are death (HSWA S25) or a notifiable injury or illness (HSWA S23). So for me, I look at the activity, identify the hazard(s), determine the consequence(s) and work through the hierarchy of controls.

    I don't consider the likelihood. Progress down the HoC automatically takes care of that. Once the controls for each level have been identified, it's up to the officers and workers of the PCBU to choose and find their own balance. There's only so much money in the kitty and so much time to get the job done.

    There's more, but probably better for a new post.

    PS - who says the legislation is perfect?
  • Tracy-Lynn Richardson
    Working with clients I find the matrix useful and find thing that is would be a good idea to standardize the risk matrix as I also take the approach to initial and residual risk rating. It is easier using pre-populated templates to start off with and then after the training give the client the template to work with it some more to it ensure it is fit for purpose. Keeping it simple usually works the charm
Add a Comment

Welcome to the Safeguard forum!

If you are interested in workplace health & safety in New Zealand, then this is the discussion forum for you.