Guidelines for Designing Risk Matrices
Paul Baybutt
Primatech Inc, Columbus, OH; [email protected] (for correspondence)
Published online 7 July 2017 in Wiley Online Library (wileyonlinelibrary.com). DOI 10.1002/prs.11905
Risk matrices are used widely in process safety to rate and
rank risks posed by processes to help with decision making.
For example, commonly they are used in process hazard
analysis to rate the risks of hazard scenarios and determine
the need for risk reduction. However, there are no standards
for risk matrices in process safety. Companies develop their
own without the benefit of established industry guidelines.
Risk matrices are deceptively simple but their design and use
are rife with pitfalls, even for experienced users. Some of
these pitfalls are not obvious and invalid risk ratings can
result which are unrecognized. Guidelines for constructing
risk matrices that address these pitfalls are provided. V C 2017
American Institute of Chemical Engineers Process Saf Prog 37: 49–55,
2018
Keywords: risk matrix; risk ranking; process hazard anal-
ysis; process safety
INTRODUCTION
Risk matrices provide a simple means of rating and rank-
ing the risks of events. They are used for decision making in
many areas to allocate resources appropriately to address
risks. Indeed, risk matrices are used by many companies for
their risk-based decisions. In process safety, they are used to
estimate the risks of events such as hazard scenarios. In par-
ticular, they have become a key aspect of performing pro-
cess hazard analysis (PHA) to risk rank individual hazard
scenarios to help determine the need for risk reduction and
to set priorities for risk reduction measures [1].
Risk matrices must be designed appropriately because
critical decisions on the need for recommendations to reduce
risk are predicated on their risk ratings. Flawed ratings trans-
late to poor decisions and mis-managed process risks. In
PHA, the results of an otherwise well-performed study may
be invalidated by use of poorly designed risk matrices. This
issue is important for any risk analysis method that employs
risk matrices.
The international standard on Risk Management Vocabu-
lary, ISO 73:2009, defines the term risk matrix [2] although
the international standard on Risk Management, ISO
31000:2009 does not specifically address the use of risk
matrices [3]. However, the international standard, IEC/ISO
31010, Risk Management—Risk Assessment Techniques, pro-
vides a description of the consequence/probability matrix,
that is, risk matrix, in an Annex on risk assessment techni-
ques [4]. The standard notes, “it is important that an appro-
priate design is used for the circumstances.”
Use of risk matrices finds favor because they appear to be
simple to understand, provide a clear rationale for risk esti-
mates, do not require specialized expertise, and are
C 2017 American Institute of Chemical Engineers
V  Highlighting high risk events for further study
Process Safety Progress (Vol.37, No.1)
graphically appealing. However, there are no industry or
government standards for risk matrices for process safety.
Consequently, risk matrices are constructed intuitively but
arbitrarily by companies.
On the face of it, risk matrices appear to provide a valid
basis for comparing the risks of different events. However,
there is little empirical evidence to show that risk matrices
produce valid estimates of risk or good risk decisions.
Largely, practitioners make these assumptions and do not
question whether the validity of using risk matrices has been
proven. Unfortunately, risk matrices often are flawed in vari-
ous ways, possibly because their development appears to be
deceptively simple but is actually more complicated than it
seems. Flaws in the underlying theoretical framework of risk
matrices have been identified [5,6]. Poorly designed risk
matrices make the process of risk rating difficult and produce
risk ratings ill-suited for decision making. Literally, the rec-
ommendations made by PHA and similar studies may be
incorrect.
Little attention has been paid in the literature to the devel-
opment of risk matrices in process safety. Guidelines for haz-
ard evaluation procedures from the Center for Chemical
Process Safety (CCPS) provide two examples of risk matrices
and briefly describe their use in PHA studies [7]. However,
the CCPS guidelines do not address the construction of risk
matrices. This article provides such guidelines.
RISK MATRICES AND RISK RATING
In risk rating, subjective estimates of consequence severity
and likelihood values for an event such as a hazard scenario
are assigned to levels corresponding to values or ranges of
values of severities and likelihoods for each type of conse-
quence, such as impacts on facility personnel, members of
the public, process equipment, on-site and off-site property,
and the environment (see Tables 1 and 2). A risk level is
determined for the event by lookup of the assigned severity
and likelihood levels in a risk matrix, grid, or table that dis-
plays risk levels (see Figure 1). Risk levels correspond to
cells in the risk matrix. The risk ratings obtained are for indi-
vidual events such as single hazard scenarios.
Risk matrices are used for multiple purposes including:
 Determining if further risk reduction is needed
 Resolving differences of opinion on the need for recom-
mendations to reduce risk
 Deciding on alternative recommendations for risk reduction
 Prioritizing the order of risk reduction recommendations
 Specifying the type of risk reduction action required
 Determining how quickly risk reduction actions should be
implemented
 Screening events or scenarios for more detailed analysis
March 2018 49
Table 1. Example of severity levels for various consequence types.

Business
Severity Level Safety Environmental Property Damage Interruption Public Relations
1 – None/ None None None None None
Insignificant
2 – Low 1 fatality Localized cleanup Minor ( $100,000)  1 day Queries to plant only
only
3 – Medium  10 fatalities Exceed permit Moderate ( $1MM)  10 days Complaints from
conditions neighbors
4 – High  100 fatalities Observable effects Major ( $10MM)  30 days Local media attention
on flora and fauna
5 – Very high  1,000 fatalities Remediation Extensive ( $100MM)  60 days National media attention
required

SEVERITY The types of casualty of concern also must be identified.

For people, for example, fatalities should always be add-
1 2 3 4 5
ressed of course but it must be decided whether lesser casu-
alty types, such as permanent disabilities, hospitalizations,
1 1 2 3 4 5 lost time injuries, and first aid cases, also should be included.
Most practitioners include at least the more severe nonfatality
LIKELIHOOD

2 2 4 6 8 10 casualty types.

3 3 6 9 12 15 Range of Scenario Severities and Likelihoods

4 4 8 12 16
5 5 10 15 20
Figure 1. Example of a Risk Grid.
 Complying with government regulations and industry
standards
Usually, a set of risk matrices is needed for process safety
studies. The set, together with the definitions for each matrix,
is denoted as a risk rating scheme herein.
GUIDELINES FOR DEVELOPING RISK MATRICES
The confidence practitioners place in a risk rating scheme
that uses risk matrices and their willingness to take it seri-
ously depend on its validity so the following issues should
be addressed carefully.
Consequence and Casualty Types to Be Addressed
Typically, multiple types of consequences are of concern
in process safety, for example, impacts on employees, the
public, and the environment. In PHA studies, the conse-
quence types required in a risk rating scheme will be dic-
tated by the purpose, scope, and objectives of a study [8].
Some practitioners place employees and members of the
public in the same category. However, separate categories
should be used because the tolerability of risks for employ-
ees, who accept risks voluntarily, usually is higher than for
members of the public, who do not. Regulators, such as the
United Kingdom Health and Safety Executive, have sug-
gested lower tolerable risk criteria for the public than for
facility personnel [9]. Companies also may be concerned
about impacts such as the costs of operability impairment,
process downtime, property damage (on-site and/or off-site),
cleanup and accident response, regulatory and legal actions,
and damage to their public image.
to Be Addressed
A risk matrix must cover the overall ranges of conse-
20 quence severities and likelihoods that may be encountered
and used in all studies that will use the risk matrix. Conse-
25 quence severities may range from the minor to the cata-
strophic and likelihoods may range from likely to extremely
unlikely. The endpoints of the overall ranges of severities
and likelihoods must be defined.
Usually, PHA studies capture any scenario that is viewed
as feasible and credible, however unlikely it may be. This
practice recognizes that a principal concern is with rare cata-
strophic scenarios which, by their nature, are of very low
likelihood and very high consequence. Scenarios that are
viewed as infeasible or incredible usually are not recorded.
Thus, a risk matrix must include the worst feasible conse-
quence (highest severity) that could occur and the lowest
credible likelihood at which an adverse consequence may
occur. Note that although rare catastrophic events are not
expected to occur at a frequency within the typical lifetime
of a process, that does not mean a process will not experi-
ence one.
Clearly, the meanings of “feasible” and “credible” are vital
to establishing a rating scheme. “Feasible,” as applied to a con-
sequence severity, means the consequence severity is possible.
Thus, if there are only 100 people who work in a facility, a
consequence that impacts more than 100 people on-site is
infeasible, that is, it is not possible. “Credible” may mean dif-
ferent things to different people. The dictionary definition is
“able to be believed.” In PHA, it means the scenario likelihood
is believed to be at or above a threshold value, for example, a
frequency of occurrence of 1 3 1026 per year. Note that
“incredible” does not mean an event absolutely cannot happen
but rather it occurs with a likelihood that is sufficiently low
that it can be excluded from consideration.
For severities, the lowest value can be set at the level of
minimal concern, even though few events or scenarios may
pose such impacts in process safety studies. The inclusion of
this level provides a lower bound that ensures any such sce-
narios that exist can be risk rated, for example, first-aid cases
for people. The highest value for severity should be the larg-
est impact feasible, for example, hundreds or possibly

50 March 2018 Published on behalf of the AIChE DOI 10.1002/prs Process Safety Progress (Vol.37, No.1)
Table 2. Example of likelihood levels.
Definition
Likelihood Level (Frequency Per Year)
9 – Very high  10 Up to
8 – High  1 Up to
7 – Medium  1E-1 Up to
6 – Low  1E-2 Up to
5 – Very low  1E-3 Up to once every 1000 years
4 – Exceptionally low  1E-4 Up to once every 10,000 years
3 – Extremely low  1E-5 Up to once every 100,000 years
2 – Barely possible  1E-6 Up to once in a million years
1 – Insignificant Negligible likelihood Effectively never
thousands of fatalities for impacts on people. The accident in
Bhopal, India certainly is a candidate for the worst-ever acci-
dent in the process industries and thousands of people were
killed [10]. Worst-case feasible severities must be included for
each consequence type in the risk rating scheme.
For likelihoods, the highest value usually starts with once
per year for process safety applications because even events
of the least severity considered in process safety would most
likely not be tolerated if they occurred at a greater fre-
quency. Put another way, the highest likelihood value
should be tolerable for the lowest severity value. For the
lowest likelihood, the lowest credible value is used, for
example, 1 3 1026 per year.
In using risk matrices, often practitioners assume all safe-
guards fail when estimating the severities and likelihoods of
scenarios. This assumption means that severities will be
higher and likelihoods lower than would otherwise be the
case. These values should be taken into account when set-
ting ranges.
The upper and lower bounds for severities and likeli-
hoods should provide bookends for the assignment of sce-
nario values by practitioners. If practitioners find a scenario
for which they believe the severity or likelihood falls outside
the overall range, the risk rating scheme is most likely inade-
quate and does not meet the needs of the study. For exam-
ple, the upper bound for impacts on people off-site may
have been set at 100 fatalities in the belief (or hope) that this
is the maximum consequence possible. However, if a study
team identifies a scenario that could result in many more
fatalities, the risk rating scheme will not accommodate it.
Upper and lower bounds for severities and likelihoods that
are outside the expected range may be included in risk rat-
ing schemes in anticipation of such situations.
Thus, the range of needed severity values may cover a
span greater than will apply to the majority of scenarios in
PHA. For example, in a facility that employs 1,000 people, it
is conceivable that one or more scenarios exist that could
cause the fatality of all employees. Thus, a severity level that
encompasses this number of fatalities should be included in
the risk rating scheme for the facility, even though few if any
scenarios are expected to be assigned to the level. The
objective in defining the overall ranges for severity and likeli-
hood values is to include any values that could possibly be
encountered. This objective is particularly important when
multiple processes exist at a site and PHA studies are to be
Process Safety Progress (Vol.37, No.1) Published on behalf of the AIChE
Meaning (Number
of Occurrences) Guidance
10 times per year Frequent occurrence
once per year Common occurrence
once every 10 years Occasional occurrence
once every 100 years Event may be observed but not
expected
Unlikely the event will be observed
but has occurred somewhere
Highly unlikely the event will be
observed. Never been observed.
Extremely unlikely the event will be
observed
Just conceivable the event may be
observed
No one believes the event would
ever be observed
performed on all of them using the same risk rating scheme
for consistency.
Practitioners may identify scenarios which they believe
are not credible or for which they believe there are no
impacts. To avoid the inappropriate assignment of such sce-
narios to the lowest likelihood and severity levels, or their
omission from a study, it is advisable to use lower bounds of
“not credible” for likelihood and “no impacts” for severity.
This practice is advisable because it is possible that, on
review, the assignments may be changed, or that future pro-
cess changes may result in reassignments.
Some practitioners use severity levels of “single fatality”
and “multiple fatalities.” Such practice is problematic. The
problem is that there is no way of discriminating between
events or scenarios that fall into the multiple fatalities level.
They may involve anywhere from a few fatalities to tens or
hundreds or more fatalities, if such scenarios prove possible.
Thus, an event or scenario such as the Bhopal accident that
arguably killed up to 8,000 people and permanently injured
100,000 people [10] would be assigned to the same severity
level as one that impacted a much smaller number of
people.
An upper severity limit that exceeds, for example, 10 or
20 on-site fatalities may not be considered feasible by pro-
cess safety practitioners, even if such scenarios are actually
possible. Certainly, a number of well-known accidents in
recent years have resulted in numbers of fatalities within that
range and a few accidents have occurred that resulted in
thousands of fatalities. Many analysts may not want to con-
sider the prospect of scenarios that could result in hundreds
or thousands of fatalities, perhaps in the mistaken belief that
they are not possible or because they do not want to con-
template such a catastrophic consequence. In this case, some
companies allocate all such scenarios to the highest severity
level and subsequently perform more detailed consequence
modeling studies to produce a better determination of sce-
nario consequences.
Number of Severity and Likelihood Levels
Scenario severities and likelihoods are defined as levels or
categories, typically, using numbers, or letters. Each level or
category represents a value, or part of the range of values, of
severity, or likelihood.
The number of severity and likelihood levels should be
consistent with the ability of practitioners to discriminate
DOI 10.1002/prs March 2018 51
between levels. For example, a 3 3 3 scheme is common in
simple risk analysis (high, medium, and low values are used
for severity and likelihood). However, the principal concern
in process safety is with catastrophic accidents. All such rare
event scenarios would likely be rated as high severity—low
likelihood in the three-level scheme, thus, providing no risk
discrimination between them. Such a situation is not very
useful for decision making on risk reduction measures. Risk
matrices that effectively force many scenarios into one risk
level should be avoided. More levels of severity and likeli-
hood are needed so that scenarios can be differentiated.
Enough levels must be used to provide sufficient discrimina-
tion across the spectrum of possible values.
However, risk rating is a subjective process that has its
limits [11]. There are significant uncertainties involved and
the level of discrimination must be commensurate with what
is practical, particularly when risk rating is performed in the
context of PHA which is intended as a qualitative analysis.
Large numbers of levels should be avoided because they
require more discrimination than can be accomplished by a
PHA team. Too many levels will leave practitioners in a
quandary regarding which level to assign when several seem
possible.
A decision on the number of severity or likelihood levels
entails deciding how their overall ranges of values will be
partitioned. Usually, the ranges are wide and span orders of
magnitude in process safety. Consequently, adjacent severity
and likelihood levels often are chosen to differ by an order
of magnitude. Such a choice makes it easier for analysts to
discriminate between levels and provides consistent risk lev-
els that also differ by orders of magnitude. The number of
severity and likelihood levels is determined when overall
ranges are specified and the ranges to be covered by each
level are defined.
Commonly, schemes in which the number of severity lev-
els is the same as the number of likelihood levels are used.
This produces a symmetric risk matrix. However, different
numbers of levels can be used producing an asymmetric
matrix.
Often, risk rating schemes use the same number of sever-
ity levels for each type of consequence but, of course, each
level for each type of consequence has its own definition
(see Table 1). Usually the same number of likelihoods and a
single set of likelihood definitions is used for all conse-
quence types (see Table 2). Different numbers of likelihoods
and definitions could be used but at the expense of making
risk rating more complicated.
Definitions of Severity and Likelihood Levels
Severity and likelihood levels defined in purely qualitative
terms such as “high,” “medium,” and “low” are of little value
in process safety other than for rough screening or possibly
for ranking risks within an individual project. Such schemes
are open to widely different assignments of severity and like-
lihood by team members owing to the subjectivity involved
in assigning levels. Consequently, companies typically pro-
vide definitions for each of the severity and likelihood levels
in more meaningful terms. Usually, the levels are described
more quantitatively. This does not mean that a quantitative
analysis is being performed; rather the definitions are used
to guide the assignment of levels by the analysts.
Definitions of levels should be kept simple and must be
understandable by typical team members. Any qualitative
terms should be clarified, for example, the meaning of
“severe injury.” When frequencies are used, the units should
be specified.
Some practitioners have developed rules to guide the
assignment of levels. Simple rules may be useful but
52 March 2018 Published on behalf of the AIChE
elaborate ones impede the process of risk rating and likely
do not improve the results. Specific examples to illustrate the
meaning of severity and likelihood levels for events can pro-
vide useful reference points for practitioners, for example, to
illustrate likelihood levels:
Level 1—Not expected to occur during the process life-
time: Simultaneous failures of two or more independent
pieces of equipment.
Level 2—Expected to occur only a few times during the
process lifetime: Piping rupture.
Level 3—Expected to occur multiple times during the life
of the process: Transfer hose rupture, pipe leaks, pump seal
failure.
Level 4—Expected to occur annually: Instrument compo-
nent failures, valve failures, transfer hose leaks.
To accommodate logical versus intuitive thinking by ana-
lysts, some practitioners express severity and likelihood defi-
nitions in both numerical and narrative terms (see Table 2
for an example). This practice may be particularly beneficial
for likelihoods because people have difficulty relating to
very low numerical values.
There should be no overlap in the endpoints of the
ranges for severity or likelihood levels to avoid ambiguity in
the assignment of values to levels. Definitions of severity and
likelihood levels must not be too close, otherwise analysts
will not be able to decide which level to assign. For exam-
ple, PHA team members may have difficulty distinguishing
scenarios that have 3 fatalities from ones that have only 1 or
2 fatalities.
The ranges of severity and likelihood covered by each
level should not be too large as this may force difficult
choices between adjacent levels. For example, if two adja-
cent severity levels cover the ranges 1 to 99 and 100 to 999,
and the number of fatalities is estimated to be around 100,
plus or minus, the choice of level is problematic because
assignment to the second level may be overly conservative.
Such a rating scheme may bias the choice if the decision
guidance for one selection is more onerous than another.
Analysts may feel justified in making the selection that pro-
duces the less onerous result since they are conflicted as to
which level is the appropriate one. The narrowest ranges
that permit discrimination between levels should be used.
It is useful to provide a likelihood level that denotes an
event or scenario is not credible so as to avoid the pro-
longed discussion by analysts that may otherwise occur. Sim-
ilarly, it is useful to provide a severity level for which there
is no adverse impact.
Risk matrices sometimes define severity and likelihood
levels as point values. Of course, the events and scenarios
that they are used to rate may not correspond exactly to
these values. For conservatism and pragmatism, such point
values are best interpreted as upper bounds. For example,
two adjacent likelihood levels in a risk rating scheme may be
defined as frequencies of once every 10 years and once
every 100 years and two adjacent severity levels may be
defined as 1 fatality and 10 fatalities. Thus, the likelihood
level defined as once every 10 years is interpreted to mean a
value in the range of greater than once every 100 years up
to once every 10 years and a severity level defined as 10
fatalities is interpreted to mean a value in the range of more
than 1 fatality up to 10 fatalities. Severity and likelihood lev-
els are best defined in terms of “up to” a defined value rather
than a defined value of “or more.”
Some practitioners view such assignments as producing
results that may be too conservative when severity and likeli-
hood levels differ by orders of magnitude. Intermediate lev-
els can be used, such as a level that corresponds to 5
DOI 10.1002/prs Process Safety Progress (Vol.37, No.1)
fatalities or a frequency of once every 5 years. However, as
successively greater precision is sought, the problem persists.
Also, while a PHA team may be able to offer an informed
opinion on the number of possible fatalities for a scenario in
the range from 1 to 10, or the likelihood of a scenario in the
range of once per year to once every 10 years, much greater
difficulty will be experienced for levels with a higher number
of fatalities and lower likelihoods. Indeed, the use of levels
that differ by orders of magnitude reflects uncertainties that
exist when estimating increasingly higher severities and
lower likelihoods.
Some practitioners subdivide order of magnitude ranges
into several smaller ranges for lower severities and higher
likelihoods for which estimates with greater precision are
achievable by practitioners. However, these scenarios occupy
a very small part of risk space and such discrimination is not
always useful for process safety purposes where rare events
(high severity and low likelihood) are the scenarios of major
concern.
Analysts tend to think of severity and likelihood values in
linear terms as the levels are frequently defined using cardi-
nal numbers. However, such levels actually represent severi-
ties and likelihoods in logarithmic space when the levels
differ by orders of magnitude. Thus, if scenario likelihoods
ranging from once per year to once every thousand years
were represented linearly, and the defined value for each
level represents the upper limit for that level, the levels rep-
resenting once per year, once every 10 years, once every 100
years and once every 1000 years occupy 0.001, 0.009, 0.09,
and 0.9% of the likelihood space. A similar situation applies
to consequence severities that differ by orders of magnitude.
Thus, scenarios that are assigned to high severity and low
likelihood levels (i.e., rare events) unfortunately have the
most uncertain risks in such risk rating schemes. These
uncertainties are inherent for rare events and the pursuit of
greater precision in risk rating such scenarios is not possible.
As severities increase and likelihoods decrease, the corre-
sponding part of risk space increases exponentially when
levels differ by orders of magnitude, as is common practice.
The risk matrix cell with the highest severity and lowest like-
lihood covers the largest part of the risk space.
When severity and likelihood level ranges that otherwise
would cover an order of magnitude are subdivided into two
ranges, a midpoint severity or likelihood value is sometimes
defined by calculating the logarithmic midpoint of the range
and taking its antilogarithm. Thus, for the severity range of 1
to 10 fatalities, a (rounded) value of 3 fatalities is used (100.5)
which is the midpoint between the two severity values on a
logarithmic scale.
Some practitioners provide definitions of different types
of casualties within the same severity levels, for example,
when a severity level is defined as one fatality or 10 severe
injuries. Such practice is problematic. It interferes with the
consideration of both individual and group risk to people.
Furthermore, analysts may not agree with the implied equiv-
alences, particularly if they are not maintained in other sever-
ity levels. Also, the maximum number of casualties for a
facility varies by casualty type so that while one on-site fatal-
ity may be equated to ten on-site severe injuries, it makes no
sense to equate 100 on-site fatalities to 1,000 on-site injuries
for a facility that employees only 100 people.
The use of the same severity levels for different conse-
quence types may or may not imply equivalent impacts for
the same level (see Table 1). If the impacts are intended to
be equivalent, risk ratings can be compared across conse-
quence types. Otherwise, such risk comparisons are not
meaningful. If the impacts are intended to be equivalent, the
value being placed on a human life can be inferred from the
risk matrix when the impacts of other consequence types are
Process Safety Progress (Vol.37, No.1) Published on behalf of the AIChE
defined in monetary terms. This inference can create difficul-
ties. Some people object to the concept of placing a value
on human life, even though there are many precedents.
Other people may debate the value that should be used.
The more consequence types that are included in the risk
rating scheme, the more difficult it becomes to equate
impacts at the same severity level for the different conse-
quence types. Possibly the only way this can be achieved is
to reduce all impacts to monetary terms and adjust the
assignment of impacts to severity levels accordingly. How-
ever, that is not easily accomplished.
Decision Requirements to Be Used
Decision requirements are associated with risk levels in a
risk matrix. They specify the actions required for events or
scenarios that fall into each risk level. Typically, the require-
ments specify the amount of risk reduction needed and/or
the type of action needed for risk reduction. Some practi-
tioners specify the number of independent protection layers
required. Also, priorities, time periods for actions to be com-
pleted, and the level of management attention required may
be defined for each risk level. Companies must decide on
the decision requirements to be incorporated into their risk
rating schemes so that suitable risk levels can be defined.
Examples of decision requirements are:
1. Risk intolerable. Must be mitigated immediately to risk
level 2 and if that cannot be accomplished, the process
must be shut down.
2. Risk undesirable. Must be mitigated within 2 months to at
least risk level 3.
3. Risk tolerable with controls (engineering and administrative).
4. Risk minimal. No further action required
Of course, decision requirements for risk levels must cor-
relate with the risks posed. Decision requirements usually
vary according to the type of consequence and the type of
casualty. The decision requirements and framework of the
As Low As Reasonably Practicable (ALARP) principle are
being used increasingly [12].
Decision requirements based on risk rating must be work-
able. For example, high severity scenarios in PHA often are
assigned the lowest likelihood value, usually on the basis
that many existing safeguards would need to fail. Thus, if the
decision requirement for such scenarios is other than “no
action needed,” nothing can be done to achieve tolerable
risk as the addition of a safeguard will only decrease the
likelihood since PHA assumes all safeguards fail and, there-
fore, no credit is taken for consequence severity mitigation
unless credit is taken for certain safeguards, such as passive
ones. However, crediting any safeguards in this way may
violate regulatory requirements in some jurisdictions. Thus,
risk matrices should contain a lowest likelihood level for the
highest severity level such that the corresponding risk level
does not require any further risk reduction.
Decision guidance must be appropriate to the underlying
risks. It must be viewed as reasonable in the eyes of the
practitioners whose confidence in their work may otherwise
be undermined. For example, decision guidance for the
highest risk level that allows continued operation of a pro-
cess rather than requiring immediate action to reduce risk
will be viewed with skepticism at best, particularly if the
highest risk level involves multiple fatalities per year. In such
situations, most companies would not question the need to
shut down the process immediately until remedial action
could be taken. Furthermore, decision guidance should be
considered from the perspective of public reaction if it were
disclosed, and the ability to justify it in any litigation that
may result from accidents in processes where it was used.
DOI 10.1002/prs March 2018 53
 Decision requirements also must be reasonably achievable
for the processes where they will apply. There is little point
in requiring risk reduction actions that are infeasible, imprac-
tical or nonsensical. Decision requirements also may be
structured differently for existing processes versus new pro-
cesses and for different types of processes. For example,
reduction within a specified time period for a specified risk
level is often used for existing processes while risk reduction
before the next stage of design may be used for new pro-
cesses. Similarly, decision requirements for continuous pro-
cesses operating with turnaround periods of several years
are likely to be different than those for batch processes.
Number of Risk Levels
Each combination of severity and likelihood levels is
assigned to a risk level. A sufficient number of risk levels
must be defined to provide discrimination for decision mak-
ing. A minimum of three levels should be used to cover the
decision requirements of action required, action desirable,
and action not needed. However, more levels are desirable
to provide additional options for decision making. Adjacent
risk levels must provide sufficient risk discrimination to per-
mit meaningful differences in the decision requirements for
the risk levels, recognizing the uncertainties in the severities
and likelihoods used in their estimation.
Each combination of severity level and likelihood level
does not necessarily require its own risk level. Multiple cells
in a risk matrix are assigned to the same risk level when
common decision requirements are applicable.
The desirable number of risk levels may vary according to
the types of consequences and types of casualties addressed.
The number of risk levels should be chosen to avoid problems
with the logical structure of risk matrices [13,14].
Assignment of Risk Levels
Different decision requirements are associated with each
risk level in risk matrices. Some risk matrices apply the same
decision guidance to events and scenarios of comparable
risk. In such cases, assignments must be consistent so that
combinations of severity and likelihood values that yield the
same risk values are assigned to the same risk level, that is,
the underlying risks for each risk level must be comparable
for all events or scenarios assigned to that level. For exam-
ple, a scenario with a severity of one fatality and a likelihood
of once every 100 years has the same risk value as a scenario
with a severity of 10 fatalities and a likelihood of once every
1,000 years. As the risk value is the same, the same risk level
can be assigned requiring the same decision requirements.
However, such assignments based on risk equivalence
ignore other risk characteristics that may be important. For
example, a high severity/low likelihood scenario may be
assigned to the same risk level as a low severity/high likeli-
hood scenario but the former will likely be of greater concern
and different decision requirements will be necessary due to
aversion to high severity consequences. Thus, some compa-
nies include such aversion in the risk matrix. In the example
above, the second scenario may be viewed as less tolerable
owing to its greater severity, even though the linear risk (S 3
L) is the same. To incorporate aversion to such higher-severity
consequence scenarios, they can be assigned to a higher risk
level that has more stringent decision requirements. Generally,
the risk rating scheme should not allow different scenarios
with comparable risks to be assigned to different risk levels
unless risk aversion is incorporated intentionally.
Adjustments in the assignment of decision requirements
to risk levels can be made to address other differences in
risk characteristics that exist when the risk values are the
same. For example, fear of the type of hazard exposure,
54 March 2018 Published on behalf of the AIChE
such as toxic exposure versus fire exposure. People may fear
one more than the other.
Different risk levels should not share the same underlying
risk values. Risk matrices can be designed to minimize this
problem and, in particular, avoid risk ranking reversals [14].
If the same number of severity, likelihood and risk levels
are defined for each consequence type, in principle, the
same risk matrix can be used for all consequence types.
However, companies may wish to vary decision guidance
from one consequence type to another for the same risk
level. In such cases, decision guidance can be defined for
each consequence type for each risk level allowing the same
matrix to be used. In other cases, separate risk matrices may
be used for each consequence type, each with its own deci-
sion guidance.
Calibration of Risk Matrices
The assignment of decision requirements to risk levels must
reflect a company’s risk tolerance criteria. For example, if the
numerical tolerable risk for a single fatality per scenario is 1 3
1026 per year, the risk level corresponding to a severity level
of a single fatality and a likelihood level of 1 3 1026 per year
would be assigned a decision requirement of no further action
needed. Risk matrices must be calibrated according to a com-
pany’s risk tolerance criteria through the appropriate assign-
ment of decision requirements to risk levels [15].
To calibrate risk matrices, the overall facility risk toler-
ance criteria must be allocated to events or scenarios by
estimating the number of hazardous events or hazard sce-
narios possible and dividing the overall facility risk toler-
ance criterion by that number [15,16]. For people, both
individual and group risk are of concern. Each has its own
risk tolerance criteria. Consequently, risk matrices are
needed for each type of risk to people. Also, the number of
events or scenarios may differ for different facilities and
therefore risk matrices must be calibrated for each facility.
Similarly, the number of scenarios for each consequence
type will vary and risk matrices may need to be calibrated
for each consequence type individually. Furthermore, the
reference risk tolerance criteria may differ for different facil-
ities and companies. Consequently, each facility and com-
pany will need to address its own appropriate calibration
and use of customized risk matrices.
Usage of Terms
Consistent use of terms in risk rating schemes is essential to
avoid confusion. Definitions of key terms that are used should
be provided, for example, unsatisfactory, satisfactory, pro-
longed, short-term, widespread, extensive, localized, immedi-
ate, delayed, sensitive, nonsensitive, major, minor, immediate,
and prompt. Absent clear definitions, one practitioner’s or
one team’s “widespread” will be another’s “extensive,” and
so forth.
Furthermore, different terms should not be used when
the same meaning is intended, for example, major injury
and significant injury, and media coverage and media atten-
tion, otherwise analysts will impute a difference assuming
one is intended, even if that is not the case. In the absence
of definitions, the matter cannot be resolved properly and
the ability of analysts to make consistent assignments likely
will be impaired.
Terms that may have legal connotations with unintended
implications should be avoided and any abbreviations, acro-
nyms, or initialisms should be defined.
CONCLUSIONS
Risk matrices appear to be simple and useful tools for risk
management. However, numerous pitfalls exist for unwary
DOI 10.1002/prs Process Safety Progress (Vol.37, No.1)
users. Their design must address their limitations to avoid
generating invalid risk ratings, even by experienced users.
Uncritical and cavalier design of risk matrices will lead users
astray and lead to poor decisions on requirements for risk
reduction and mis-managed risks in processes.
Various items must be considered in the construction of
risk matrices to avoid problems with their use. These items
include the overall ranges of scenario severities and likeli-
hoods, the number and definitions of severity and likelihood
levels, and the number of risk levels and their decision
requirements.
Companies should develop risk matrices that produce
consistent risk ratings across all their processes and facilities
to encourage consistent decisions on risk reduction and to
provide a rational basis for the compilation of risk reduction
recommendations into a centralized data base for their priori-
tization and management. The design and calibration of risk
matrices to a common standard and the performance of risk
rating in accordance with a defined procedure help to
ensure consistency.
LITERATURE CITED
1. P. Baybutt, “Analytical Methods in Process Safety Manage-
ment and System Safety Engineering – Process Hazards
Analysis,” Handbook of Loss Prevention Engineering, J.
M. Haight (Editors), Wiley-VCH, Weinheim, Germany
(2013), 501–553.
2. Risk management - Vocabulary, ISO Guide 73:2009, Inter-
national Organization for Standardization, Geneva,
Switzerland.
3. Risk management – Principles and guidelines, ISO
31000:2009, International Organization for Standardiza-
tion, Geneva, Switzerland.
Process Safety Progress (Vol.37, No.1) Published on behalf of the AIChE
4. Risk management - Risk assessment techniques, ISO/IEC
31010:2009, International Organization for Standardiza-
tion, Geneva, Switzerland.
5. L.A. Cox, D. Babayev, and W. Huber, Some limitations of
qualitative risk rating systems, Risk Anal 25 (2005), 651–
662.
6. L.A. Cox, What’s wrong with risk matrices? Risk Anal 28
(2008), 497–512.
7. Guidelines for Hazard Evaluation Procedures, 3rd Edition,
Center for Chemical Process Safety/American Institute of
Chemical Engineers, New York, NY, 2008.
8. P. Baybutt, The importance of defining the purpose, scope,
and objectives for process hazard analysis studies, Process
Safety Progress 34 (2015), 84–88.
9. Reducing Risks, Protecting People, United Kingdom Health
and Safety Executive, HSE Books, Sudbury, UK, 2001.
10. I. Eckerman, The Bhopal Saga - Causes and Conse-
quences of the World’s Largest Industrial Disaster, Univer-
sities Press, India, 2005.
11. P. Baybutt, Addressing Subjectivity and Uncertainty in
Using Risk Matrices. Loss Prevention Bulletin, Issue 252,
December 2016.
12. P. Baybutt, The ALARP principle in process safety, Pro-
cess Safety Progress 33 (2014), 36–40.
13. P. Baybutt, Addressing issues in the design and use of
risk matrices in process safety, 2015 Spring Meeting &
11th Global Congress on Process Safety, Austin, TX,
April, 2015.
14. P. Baybutt, Designing risk matrices to avoid risk ranking
reversal errors, Process Safety Progress 35 (2016), 41–46.
15. P. Baybutt, Calibration of risk matrices for process safety,
J Loss Prevention Process Ind 38 (2015), 163–168.
16. P. Baybutt, Allocation of risk tolerance criteria, Process
Safety Progress 33 (2014), 227–230.
DOI 10.1002/prs March 2018 55