Mike, I fear you have opened a whole can of worms with that one.

For my tuppence worth. It is up to you (if your the senior H&S practitioner) to decide whether it suits you, your RAs and your organisation. There is no right or wrong, but you will get plenty of opinion on this, I'm sure.

Oddly, I have been having that exact conversation this morning. This followed a review of a large number of risk assessments from different departments within our organisation. This review has showed one thing to me, and that is, that using a 5x5 risk matrix with areas for unaceptable / review / and acceptable just means that assessors have fudged the numbers to sit in the review area, when clearly if they had followed the descriptor in the guidance, the task would be deemed unaceptable. Granted, the level for unaceptable is very low in my opinion, basically anything over 9 on a 5x5 falls into that bracket. In my industry it is nigh on impossible to reduce the severity below 5 for lots of tasks, and to have to then reduce the likelihood to 1 is just not realistic. 

For me, the most important thing is the cotrol measures and correct implemetation of these, rather than numbers in a matrix. 

Whichever way there will be disagreements.

and remember that sometimes anything in a Red Zone may be  deemed necessary - e.g. rescue of the children in Thailand.

equally that if in the Green Zone there could still be an easy hit to bring the risk down even further.

and if using a matrix with maximum severity say 5, if you assign this to a single fatality, what do you do if there could be many more deaths e.g. dam failure? 

We also use a 5 x 5 matrix.

While assigning numerical RA values can be useful, it does suggest that risk assessment is a "scientific" process rather than a qualitative one.

In my old job we didn't use the 5x5 matrix until our auditors started asking for it in which cast the company rolled over. Prior to this we used a task analysis sheet that had 4 columns. They stated the task, identified the hazards, who could be harmed and how and determined the controls.

Everybody who could understand English could understand the forms and they did a great job. When we went over to the 5x5 matrix nobody could understand them and nobody used them.

Edited by user 01 August 2018 21:01:26(UTC)  | Reason: Not specified

I hate risk ratings with a loathing that I cannot express using the polite language that we should use in a public forum.  In 20 years of being an auditor I have never seen a risk assessment process that was enhanced by a risk rating.  It tends to make people work to the numbers without thinking about the actual risk, I've seen assessments where the aim has been to make everything come out as a high risk (supervisor hates their boss) or as a low risk (management don't want to do any work or spend any money).  This defeats the object of a risk assessment which should be to "tell the story" of the risk so that you can identify clearly the actions that you need to take to control it. The initial idea of using a rating to prioritise actions has been perverted over time to the point where many people think that the aim of a risk assessment is to generate a risk rating, I have also seen and heard high level safety professionals say that a risk rating is a quantified risk assessment - no its not - quantified risk assessment is a much different and more searching technique and my heart sinks when I here a risk rating being referred to in that way.  I say scrap the whole of idea of risk rating and get back to describing the risk and really understanding it. 

Phew!!!  feel better for getting that off my chest.

I have always taken the view that risk ratings, assuming you get them right, are only really useful to indicate priorities for action on controls. They serve no other real purpose. As long as you appreciate this, it should avoid getting hung up on the numbers.

Originally Posted by: Hsquared14

I hate risk ratings with a loathing that I cannot express using the polite language that we should use in a public forum.  In 20 years of being an auditor I have never seen a risk assessment process that was enhanced by a risk rating.  It tends to make people work to the numbers without thinking about the actual risk, I've seen assessments where the aim has been to make everything come out as a high risk (supervisor hates their boss) or as a low risk (management don't want to do any work or spend any money).  This defeats the object of a risk assessment which should be to "tell the story" of the risk so that you can identify clearly the actions that you need to take to control it. The initial idea of using a rating to prioritise actions has been perverted over time to the point where many people think that the aim of a risk assessment is to generate a risk rating, I have also seen and heard high level safety professionals say that a risk rating is a quantified risk assessment - no its not - quantified risk assessment is a much different and more searching technique and my heart sinks when I here a risk rating being referred to in that way.  I say scrap the whole of idea of risk rating and get back to describing the risk and really understanding it. 

Phew!!!  feel better for getting that off my chest.

My feelings entirely, and also my experience. Interestingly, we have an audit next week, I will mention removing the risk rating for future assessments and see what response I get.

Blaming risk ratings in RAs for bad safety practices is like blaming increased ice cream sales on rising cases of sunburn. It is a tenuous link at best, skirts the issue and largely makes no sense.

Auditors like anything that gives them something to look for inconsistencies in, so the more complicated the better as far as they are concerned.  Imagine how excited an auditor would be on discovering that numbers had been incorrectly multiplied or the incorrect colour code had been assigned or a similar scenario in two separate risk assessments had received different risk ratings!

I had one auditor who asked me if it wouldn't be easier to give not just the residual risk rating as we were doing, but also the risk rating in the absence of controls.  'Easier' was his actual suggestion.  Er ... no.  Easier for an auditor to pick apart, but more difficult for those who create or consult the risk assessments!

Doesn't it depend on how you define a risk assessment and the end point that you are seeking. I rather like the following;

“A risk assessment is nothing more than a careful examination of what, in your work, could cause harm to people, so that you can weigh up whether you have taken enough precautions or should do more to prevent harm.”  Taken from: “Good Practice Information provided by EU-OSHA”, September 2009.

Chris

If you apply a risk rating score to a risk assessment and something does go wrong, when applying the Sentencing Guidelines during a prosecution the Judge may use your risk assessment to sentence you. i.e. you knew it was high risk etc.

The key is using reasonably practicable measures that are quite easily found in the relevent ACOP, Guidance Notes etc.

Remember that 'insignificant risks can usually be ignored, as can risks arising from routine activities associated with everyday life, unless the work activity compounds or significantly alters those risks' L21 (when it was actually still used!)

Originally Posted by: nic168

 The IOSH MS course is focussed on teaching Risk assessment using risk ratings, to be fair it easier to explain priorities and control measures using numbers . Numbers or values can also be useful when you have to convince managers of the need to take action, but I agree that in a well managed workplace they have no real value.

Current workplace are very hung up on them, the limited number of risk assessments I have seen are very orientataed towards getting the right score, which is one of the reasons I would like to do away with them- good at maths, rubbish at hazard spotting is my thought for the day.

Agreed. I think that IOSH Managing Safely course could be one of the reasons for the current obsession (said it again!) with the 5 x 5 matrix.

I inherited in a previous job risk assessment with a 5x5 matrix and the managers and employees liked them. The Managers seemed to feel that the matrix idea allowed them to consider (and prompt) each part of the process you and I would just do in our heads. None of them had any difficulty multiplying 5x5 or 3x5 or 4x2. Each page had the key on it in full so when any employee picked up an assessment page all the information was there and never seemed to have any issues understanding what the issue (hazards and risks and their extent) was. The numbers and score were well spelt out.

It sort of worked for me also, as any assessment done by one of the managers came to me and if I thought they were over or under judging the likelihood or potential harm I could go and have a word ( for the next time). This helped with the issues of people feeling everything ends with death or sever injury or conversely nothing being a problem. We have to remember risk assessments will be done by others who are trained but not foremost H&S people ( so it is what works best for them in my view). If a few small numbers help them judge if controls they have put in are adequate then fine.

In my view High, Medium and Low are just as subjective. What I may consider High someone else may consider medium etc. It sort of all depends to what you relate it to or your personal experiences. I would like to think a risk assessment I did would be better than that of a middle manager as I have greater H&S experience and therefore be more likely to consider issues not thought of by them. At the end of the day all that matters are the outcome of controls against specified hazards. The assessment is no more than a tool to allow your mental exercise to take form.

That was the previous place I worked, they liked it and it worked for them. I gave my current place the option and they went for H/M/L, so each perhaps has it place.

To answer the subtility of the Op’s question the answer is “No” as he is talking about non-complex tasks and I think if you are going to use a matrix it favours the more complex. However, I would not use both ways it would be Either / Or, just for consistency.

Chris

 I think Chris has nailed it- most of us can do the regonition and evaluation in our heads without too much effort, others less experienced need something to  get them started  and put things in context.

Where a matrix is helpful is when there is a turnover of staff- they are all working more or less to the same guidance.

The point about the RA being a tool not an end to itself is one I seem to be making a lot recently :(

Originally Posted by: Waz

For my contribution I consider the 5 x 5 matrix to be efficient as long as you look at the risk objectively in terms of severity and likelihood.  Another factor that I would suggest may want consideration is the 5 steps to Risk Assessment, which requires an 'Evaluation of the Risk' - the 5 x 5 grid demonstrates that a form of evaluation has indeed been conducted.  I agree, some may use the process established within an organisation on the values generated to get out of being the assessor per sai, e.g. the procedure stipulates that if score is x - then review is required.....

But overall, assess the risk, looking at the worst case scenario element as the severity measure - whats the worst thing that could happen?

I think if you look at worst case scenario for any severity measure you are unlikely to have many scoring less than a 5. I think a reasonable assessment of the severity based on past experience and previous incidents (if available) is much more realistic. For example, we have had a couple of staff members who have been cut by razors when searching baggage, if the risk assessor went for worst case scenario they cold score a 5 for severity, as they could be infected with HIV or hepatitis and die. In relaity, how likel is that to actually happen?

Originally Posted by: boblewis

For me the real problems with matrices are that they are used as a single iteration when in fact they should be repeated as control measures are put in place to ensure that the risk level is at the lowest level sfrp for each hazard of the task.  That is to say that each hazard has reached the level of optimum control.  They do then also identify those hazards which need additional measures to achieve control

That is how it is done in our system, a score prior to control measures being implemented, then the residual risk is calculated. This is for each hazard within the task, not the task as a whole. 

Originally Posted by: rick448

Originally Posted by: boblewis

For me the real problems with matrices are that they are used as a single iteration when in fact they should be repeated as control measures are put in place to ensure that the risk level is at the lowest level sfrp for each hazard of the task.  That is to say that each hazard has reached the level of optimum control.  They do then also identify those hazards which need additional measures to achieve control

That is how it is done in our system, a score prior to control measures being implemented, then the residual risk is calculated. This is for each hazard within the task, not the task as a whole. 

Your system is a rarity but I am advocating not just a single iteration but several until each hazard is identified as being as low as rp if not eliminated.  I have seen in my time the installation of welfare facilities being used to reduce the risks of a lifting operation on a public highway but nothing about traffic control

Add MAPS to that and a perfect storm is predicted.