An OHS risk matrix is one of the most practical tools in workplace safety management, yet it is also one of the most commonly misunderstood. Many organisations have a risk matrix sitting in their safety manual, but few use it consistently or correctly. If you are a WHS manager, HSE professional, or someone preparing for an ISO 45001 audit, understanding how to build a risk matrix that actually works, and how to apply it in practice, is a skill worth developing properly.
This article walks through the full process: what a risk matrix is, why it matters under ISO 45001, how to design one suited to your workplace, how to use it when assessing hazards, and the mistakes that trip people up in audits. We will also look at what auditors check when they review your risk assessment process, because that is where the rubber meets the road.
What Is an OHS Risk Matrix?
A risk matrix is a tool that helps you evaluate the level of risk associated with an identified hazard. It does this by combining two factors: the likelihood that a harmful event will occur, and the consequence (or severity) if it does. The combination of these two factors produces a risk rating, which then guides your decision about what controls are needed and how urgently.
The output is typically a colour coded grid, often using a 3x3, 4x4, or 5x5 format. Low risk ratings sit in one corner, extreme or critical ratings in the opposite corner. The matrix does not make decisions for you, but it gives you a structured, repeatable way to compare risks and prioritise action.
Under ISO 45001, clause 6.1.2 requires organisations to identify hazards and assess the OH&S risks associated with them. The risk matrix is the most widely used method for doing this, particularly in Australian workplaces where it aligns well with the requirements of the model WHS legislation and the Safe Work Australia guidance on risk management.
Why Your Risk Matrix Matters in an ISO 45001 Audit
When an auditor reviews your OHS management system, the risk matrix is central to understanding whether your hazard identification and risk assessment process is credible. A well built and consistently applied matrix tells the auditor that your organisation has a systematic approach to managing risk, not just a document that lives in a drawer.
Auditors will typically look for evidence that:
- The risk matrix is defined and documented
- It has been applied consistently across hazards in your risk register
- Workers and relevant personnel understand how to use it
- Risk ratings have influenced the controls selected
- The matrix is reviewed and updated when circumstances change
A common finding in ISO 45001 audits is that organisations have a risk matrix in their procedure, but the hazard register shows risk ratings that appear to have been assigned without genuine thought. Typical signs are all hazards rated the same, extreme risks with no controls, or controls listed but risk ratings not recalculated after the controls are applied. These are red flags that suggest the matrix is a paper exercise rather than a working tool.
For a deeper look at what auditors examine during an OH&S audit, the article on auditing occupational health and safety under ISO 45001 covers the key areas in detail.
Choosing the Right Matrix Format
Before you build a risk matrix, you need to decide on its dimensions. The most common formats used in Australian workplaces are:
3x3 Matrix
Three levels of likelihood and three levels of consequence. Simple and fast to use, but it lacks the granularity needed for complex or high hazard workplaces. A 3x3 matrix tends to push most risks into the medium category, which makes prioritisation difficult. It suits very small, low hazard businesses.
4x4 Matrix
A good middle ground. Four levels of likelihood and four levels of consequence give you enough differentiation to be meaningful without becoming unwieldy. Many Australian organisations in construction, manufacturing, and logistics use a 4x4 format.
5x5 Matrix
Five levels of likelihood and five levels of consequence. This is the most commonly recommended format for medium to high hazard industries including mining, utilities, and chemical processing. It gives the most resolution and allows you to distinguish between risks that a smaller matrix would group together.
The right choice depends on your industry, the complexity of your hazards, and the maturity of your safety management system. For most organisations pursuing or maintaining ISO 45001 certification, a 4x4 or 5x5 matrix is appropriate.
Step by Step: Building Your OHS Risk Matrix
Step 1: Define Your Likelihood Scale
The likelihood scale describes how probable it is that a hazardous event will occur. Each level needs a clear, plain language definition that workers can apply consistently. Vague descriptors like "possible" or "likely" without further definition lead to inconsistent ratings across different assessors.
A well defined 5 level likelihood scale might look like this:
- Level 1 (Rare): Could happen but has not in this industry or organisation. Expected less than once in 10 years.
- Level 2 (Unlikely): Has occurred in this industry but not at this site. Expected once in 5 to 10 years.
- Level 3 (Possible): Has occurred at this site before. Expected once in 1 to 5 years.
- Level 4 (Likely): Occurs regularly at this site. Expected once per year or more frequently.
- Level 5 (Almost Certain): Occurs frequently or is expected to occur in most circumstances. Multiple times per year.
The key is specificity. Tie each level to a timeframe or frequency, and include reference to whether the event has occurred at your site, in your industry, or only in rare circumstances elsewhere. This gives assessors an anchor point rather than asking them to guess.
Step 2: Define Your Consequence Scale
The consequence scale describes the severity of harm if the event occurs. In an OHS context, this typically focuses on physical injury or illness, but for some organisations it may also include environmental or financial consequences. For ISO 45001 purposes, the focus is on harm to workers and other persons.
A 5 level consequence scale for OHS might be:
- Level 1 (Negligible): First aid only. No lost time. Worker returns to normal duties immediately.
- Level 2 (Minor): Medical treatment required. Short term lost time of up to a few days. Reversible injury.
- Level 3 (Moderate): Significant injury requiring medical treatment and extended lost time. Reversible but serious injury, such as a fracture.
- Level 4 (Major): Serious injury with long term or permanent effects, such as permanent disability or serious illness. May involve hospitalisation.
- Level 5 (Catastrophic): Fatality or multiple serious injuries. Irreversible harm to multiple workers.
Be careful not to water down your consequence descriptors. Organisations sometimes define catastrophic as something so extreme it almost never applies, which artificially suppresses their risk ratings and understates the true level of risk.
Step 3: Build the Risk Rating Grid
Once you have your likelihood and consequence scales, you combine them in a grid. Each cell in the grid gets a risk rating. The rating is typically calculated by multiplying likelihood by consequence (for a numerical matrix) or by using a predefined lookup table.
For a 5x5 matrix, the resulting ratings are typically grouped into four bands:
- Low (scores 1 to 4): Manage through routine procedures. Review periodically.
- Medium (scores 5 to 9): Requires documented controls and monitoring. Management awareness needed.
- High (scores 10 to 16): Significant controls required. Senior management attention. Timely action needed.
- Extreme (scores 17 to 25): Immediate action required. Activity should not proceed until risk is reduced. Executive level awareness.
The colour coding (green, yellow, orange, red) that goes with these bands makes the matrix easy to interpret at a glance, which is important when you are reviewing a hazard register with dozens of entries.
Step 4: Define Action Requirements for Each Band
A risk matrix without action criteria is incomplete. For each risk band, your procedure should specify what is required. This typically includes the level of management sign off needed, the timeframe for implementing controls, and the review frequency.
For example, an extreme risk might require work to stop immediately and controls to be implemented before any resumption, with sign off from the site manager or HSE manager. A low risk might simply require standard operating procedures to be followed and a review at the next scheduled hazard register update.
How to Use the Risk Matrix in Practice
Assessing Inherent Risk First
When you first assess a hazard, you rate the risk before controls are applied. This is called the inherent risk or pre control risk. It tells you how serious the hazard is in its uncontrolled state. This step is important because it forces you to acknowledge the true nature of the hazard, not the watered down version that exists after you have added controls.
For example, working at height has a catastrophic consequence potential (a fall from 5 metres can be fatal) and, without controls, a reasonably high likelihood. That gives you an extreme inherent risk rating, which is appropriate and honest.
Identifying and Applying Controls
Once you have the inherent risk rating, you identify controls following the hierarchy of controls. Elimination first, then substitution, engineering controls, administrative controls, and personal protective equipment as a last resort. The hierarchy matters because it reflects the effectiveness of different control types.
Document the controls clearly in your hazard register. Not just "PPE required" but specifically what PPE, when it is required, who is responsible for ensuring it is used, and how compliance is monitored.
Calculating Residual Risk
After controls are applied, you reassess the risk using the same matrix. This gives you the residual risk, the level of risk that remains after controls are in place. The residual risk rating should be lower than the inherent risk rating. If it is not, your controls are not adequate.
The residual risk rating is what drives your decision about whether the risk is acceptable and what ongoing monitoring is required. In ISO 45001 audits, auditors will check that residual risk ratings have been calculated and that they are realistic given the controls described.
A common mistake is applying controls that are weak (for example, a sign and some training) to a high severity hazard and then rating the residual risk as low. An auditor will challenge this because administrative controls and PPE do not reduce the consequence of the hazard, they only reduce the likelihood of exposure. The consequence rating should remain the same or close to the same unless you have actually eliminated or engineered out the hazard.
Keeping the Risk Register Current
The risk matrix is only useful if the hazard register it feeds into is kept current. Under ISO 45001, hazard identification is an ongoing process, not a once a year exercise. New tasks, new equipment, changes to work methods, and incident data all trigger a need to review and update risk assessments.
Build a review trigger into your procedure. At minimum, review the hazard register annually and after any significant change or incident. For high and extreme rated hazards, consider more frequent review cycles.
Common Mistakes That Auditors Flag
Across risk assessment processes in many different industries, the same problems appear repeatedly. Here are the ones most likely to attract an audit finding:
- Generic risk ratings: Every hazard is rated "medium" with no justification for why. This suggests the matrix was applied without genuine thought.
- No residual risk calculation: The hazard register shows inherent risk ratings but no residual risk after controls are listed.
- Controls that do not match the risk rating: A hazard rated extreme has only a sign and a toolbox talk as controls. The controls do not justify the residual risk rating shown.
- Workers cannot explain the matrix: When asked how they assess a risk, workers have no idea what the matrix is or how to use it. This suggests it is a management document with no practical connection to the work.
- Matrix not referenced in the hazard identification procedure: The risk matrix exists but the procedure does not explain when and how to use it.
- Likelihood definitions are absent or vague: Assessors are left to interpret words like "possible" without any anchor, leading to inconsistent ratings across assessors and sites.
Understanding what auditors look for when they review hazard identification processes is covered in detail in the article on hazard identification methods that auditors trust.
Integrating the Risk Matrix with Your ISO 45001 System
Your risk matrix should not exist in isolation. It needs to connect with several other parts of your OH&S management system:
- Hazard identification records: Every hazard in your register should have a risk rating derived from the matrix.
- Operational controls: The controls you implement under clause 8.1 should be driven by the risk ratings in your register.
- Objectives and targets: High and extreme risks should inform your OH&S objectives. If you have extreme risks in your register, your objectives should reflect efforts to reduce them.
- Incident investigation: When incidents occur, the risk assessment for the related hazard should be reviewed and updated. This closes the loop between what happened and what the risk register said.
- Management review inputs: Risk assessment outcomes, particularly changes to high and extreme risk ratings, should be reported to top management as part of the management review process.
- Worker participation: Workers should be involved in hazard identification and risk assessment. Under clause 5.4 of ISO 45001, this is not optional. The risk matrix should be a tool that workers understand and can use, not just a document that management fills in.
For context on how hazard identification connects to the broader ISO 45001 audit trail, the article on understanding the ISO 45001 hazard identification audit trail is worth reading alongside this one.
A Practical Example: Risk Assessment for Working at Height
To make this concrete, here is how a risk assessment for working at height might look using a 5x5 matrix.
Hazard: Working at height on a roof structure during installation works.
Inherent risk:
- Consequence: Level 5 (Catastrophic). A fall from roof height can cause fatality.
- Likelihood: Level 4 (Likely). Without controls, workers on an unprotected roof are likely to be exposed to fall risk during normal work.
- Inherent risk rating: 20 (Extreme).
Controls applied (following the hierarchy):
- Engineering: Perimeter edge protection installed before work commences. Roof anchor points rated and installed for fall arrest.
- Administrative: Safe work method statement (SWMS) developed and signed by workers. Toolbox talk conducted. Access restricted to trained workers only.
- PPE: Full body harness and lanyard required when working within 2 metres of an unprotected edge.
Residual risk:
- Consequence: Level 5 (Catastrophic). The consequence of a fall has not changed. A fall can still be fatal.
- Likelihood: Level 2 (Unlikely). With edge protection, anchor points, trained workers, and PPE, the likelihood of a fall occurring is significantly reduced.
- Residual risk rating: 10 (High). Still a high risk, which is appropriate for this type of work. Requires ongoing monitoring and supervision.
Notice that the consequence rating did not change. This is correct. Edge protection and harnesses reduce the likelihood of a fall, but if a fall does occur, the consequence can still be catastrophic. An auditor would question a residual risk rating that reduced the consequence rating without any engineering control that actually prevents the hazard (such as eliminating the need to work at height entirely).
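As an added example (not code from the article), the following script scores a register entry on the 5x5 matrix from Step 3 and applies the checks the audit section and this worked example describe: residual risk must be lower than inherent risk, high or extreme risks need recorded controls, and the consequence rating may only drop when an elimination or engineering control is present. The control category names and the sample entry are constructed to mirror the working-at-height example.

```python
# Added example, not code from the article: a 5x5 risk matrix calculator
# plus the hazard register checks the article says auditors apply.
from dataclasses import dataclass

# Bands from Step 3: Low 1-4, Medium 5-9, High 10-16, Extreme 17-25.
BANDS = ((4, "Low"), (9, "Medium"), (16, "High"), (25, "Extreme"))
# Hierarchy levels that remove or engineer out the hazard. The article names
# only these as grounds for lowering the consequence rating (assumed labels).
CONSEQUENCE_REDUCING = {"elimination", "engineering"}


def rate(likelihood: int, consequence: int) -> tuple[int, str]:
    """Return (score, band) for a 1-5 likelihood and a 1-5 consequence."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be in 1..5")
    score = likelihood * consequence
    return score, next(name for limit, name in BANDS if score <= limit)


@dataclass
class HazardEntry:
    hazard: str
    inherent: tuple[int, int]       # (likelihood, consequence) before controls
    residual: tuple[int, int]       # (likelihood, consequence) after controls
    controls: dict[str, list[str]]  # hierarchy level -> documented controls


def audit_entry(entry: HazardEntry) -> list[str]:
    """Return the register problems an auditor would flag for one entry."""
    findings = []
    inh_score, inh_band = rate(*entry.inherent)
    res_score, _ = rate(*entry.residual)
    active = {level for level, items in entry.controls.items() if items}
    if inh_band in ("High", "Extreme") and not active:
        findings.append("high/extreme inherent risk with no controls recorded")
    if active and res_score >= inh_score:
        findings.append("residual risk not lower than inherent risk; controls inadequate")
    if entry.residual[1] < entry.inherent[1] and not (active & CONSEQUENCE_REDUCING):
        findings.append("consequence lowered without elimination or engineering control")
    return findings


# Constructed entry mirroring the article's working-at-height example.
WORKING_AT_HEIGHT = HazardEntry(
    hazard="Working at height on a roof structure during installation works",
    inherent=(4, 5), residual=(2, 5),
    controls={"engineering": ["perimeter edge protection", "rated roof anchor points"],
              "administrative": ["SWMS signed by workers", "toolbox talk"],
              "ppe": ["full body harness and lanyard within 2 m of an unprotected edge"]},
)
```

Running `rate(4, 5)` gives 20 (Extreme) and `rate(2, 5)` gives 10 (High), matching the inherent and residual ratings above, and `audit_entry(WORKING_AT_HEIGHT)` returns no findings.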
Reviewing and Improving Your Risk Matrix Over Time
A risk matrix is not a set and forget document. Review it when:
- A serious incident or near miss occurs
- New equipment, chemicals, or work methods are introduced
- There are changes to legislation or industry codes of practice
- Workers or supervisors raise concerns about the accuracy of existing ratings
- An audit or management review identifies gaps
Also consider whether your matrix format still suits your organisation as it grows. A 3x3 matrix that worked when you had 10 employees may not be adequate once you have 100 employees across multiple sites with a wider range of hazards.
If you are building or improving your OH&S management system and want to understand the full picture of what ISO 45001 requires, formal training makes a significant difference. At Audit Workshop, the ISO 45001 internal auditor and lead auditor courses cover risk assessment requirements in depth, including how to evaluate whether a risk matrix is fit for purpose during an audit. Courses are available in live and self paced formats, so you can fit training around your work schedule.