Risk Management

ISO 45001 Risk Assessment Matrix: Build It From Scratch


Jared Clark

March 13, 2026

A risk assessment matrix is the operational backbone of any ISO 45001 occupational health and safety management system. Yet in my experience working with 200+ clients at Certify Consulting, the matrix is also the component most organizations get wrong — either over-engineering it into an unusable spreadsheet or oversimplifying it to the point of meaninglessness.

This guide walks you through building a defensible, audit-ready ISO 45001 risk assessment matrix from the ground up — one that satisfies clause 6.1.2 requirements, holds up under certification scrutiny, and actually gets used by your workforce.


Why ISO 45001 Requires a Systematic Risk Assessment Approach

ISO 45001:2018 clause 6.1.2 requires organizations to identify hazards, assess OH&S risks, and determine necessary controls. The standard doesn't prescribe a specific matrix format, but it does require that your methodology be:

  • Defined — documented criteria for evaluating risk
  • Repeatable — consistent results across assessors
  • Proportionate — appropriate to the nature and scale of your operations

According to the International Labour Organization, 2.3 million workers die annually from occupational accidents and work-related diseases worldwide, with an additional 340 million occupational accidents occurring each year. A well-constructed risk matrix is your first systematic defense against contributing to those statistics.

The matrix doesn't replace professional judgment — it structures it.


Step 1: Define the Scope and Boundaries

Before you draw a single cell, answer these four scoping questions:

  1. What activities are in scope? Routine operations, non-routine tasks, emergency situations, contractor activities?
  2. Who is exposed? Employees, visitors, contractors, members of the public near your facility?
  3. What timeframe applies? Current conditions, planned changes, foreseeable future scenarios?
  4. What types of harm are relevant? Acute injury, chronic illness, psychological harm?

ISO 45001 clause 6.1.2.1 specifically requires consideration of hazards during normal and abnormal operations, as well as emergency situations. Your matrix scope must reflect all three states.

Pro tip: Document your scope statement before building the matrix. During certification audits, auditors will ask how you determined what's included. A written scope statement demonstrates systematic thinking, not ad hoc assessment.


Step 2: Establish Your Severity Scale

Severity measures the potential consequence of harm if the hazard is realized. Most effective ISO 45001 matrices use a 4- or 5-level severity scale.

Here is a proven 5-level severity scale:

Level | Label        | Definition                                        | Examples
------|--------------|---------------------------------------------------|---------------------------------------------------------
5     | Catastrophic | Fatality or permanent total disability            | Fatal crush injury, fatal chemical exposure
4     | Critical     | Permanent partial disability or serious illness   | Amputation, occupational deafness, occupational asthma
3     | Moderate     | Lost-time injury requiring medical treatment      | Fracture, laceration requiring stitches, chemical burn
2     | Minor        | First-aid injury, no lost time                    | Minor cut, bruise, mild irritation
1     | Negligible   | No injury or near-miss only                       | Discomfort, non-injurious incident

Key design principle: Define severity based on potential consequence under worst-case, credible conditions — not the most likely outcome. A task that usually results in a minor sprain could, under foreseeable conditions, result in a fatality. Rate for the realistic worst case.


Step 3: Establish Your Likelihood Scale

Likelihood measures the probability that the hazard will result in harm during normal operations over a defined reference period (typically one year or the duration of exposure).

Level | Label          | Definition                                      | Frequency Indicator
------|----------------|-------------------------------------------------|--------------------------------
5     | Almost Certain | Expected to occur in most circumstances         | More than once per year
4     | Likely         | Will probably occur in most circumstances       | Once per year
3     | Possible       | Might occur at some time                        | Once every 1–5 years
2     | Unlikely       | Could occur at some time                        | Once every 5–10 years
1     | Rare           | May occur only in exceptional circumstances     | Less than once every 10 years

Critical nuance: Likelihood is assessed with existing controls in place — not without any controls. If you already have engineering controls, your likelihood rating reflects residual probability, not theoretical maximum probability. This distinction matters enormously during audits.


Step 4: Build the Risk Rating Matrix

The risk score is calculated as: Risk = Severity × Likelihood

This produces scores from 1 (1×1) to 25 (5×5), which you then band into risk levels:

ISO 45001 Risk Assessment Matrix

Likelihood ↓ / Severity → | 1 Negligible | 2 Minor       | 3 Moderate   | 4 Critical    | 5 Catastrophic
--------------------------|--------------|---------------|--------------|---------------|---------------
5 Almost Certain          | 5 ⬛ LOW     | 10 🟨 MEDIUM  | 15 🟧 HIGH   | 20 🟥 EXTREME | 25 🟥 EXTREME
4 Likely                  | 4 ⬛ LOW     | 8 🟨 MEDIUM   | 12 🟧 HIGH   | 16 🟥 EXTREME | 20 🟥 EXTREME
3 Possible                | 3 ⬛ LOW     | 6 ⬛ LOW      | 9 🟨 MEDIUM  | 12 🟧 HIGH    | 15 🟧 HIGH
2 Unlikely                | 2 ⬛ LOW     | 4 ⬛ LOW      | 6 ⬛ LOW     | 8 🟨 MEDIUM   | 10 🟨 MEDIUM
1 Rare                    | 1 ⬛ LOW     | 2 ⬛ LOW      | 3 ⬛ LOW     | 4 ⬛ LOW      | 5 ⬛ LOW

Risk Bands:

  • 🟥 EXTREME (16–25): Immediate action required. Work must stop or be strictly controlled until risk is reduced.
  • 🟧 HIGH (10–15): Senior management attention required. Action plan with defined deadlines.
  • 🟨 MEDIUM (5–9): Management responsibility specified. Controls reviewed and improved.
  • ⬛ LOW (1–4): Manage through routine procedures. Monitor to ensure controls remain effective.


Step 5: Apply the Hierarchy of Controls

The risk score tells you how urgently to act. The hierarchy of controls tells you how to act. ISO 45001 clause 8.1.2 mandates applying controls in this priority order:

  1. Elimination — Remove the hazard entirely (highest effectiveness)
  2. Substitution — Replace with something less hazardous
  3. Engineering controls — Isolate people from the hazard
  4. Administrative controls — Change the way people work
  5. Personal Protective Equipment (PPE) — Protect the individual (lowest effectiveness)

A critical insight that separates compliant organizations from truly safe ones: OSHA data consistently shows that PPE is the most commonly selected control despite being the least effective. Engineering controls are 10 times more effective at reducing exposure than PPE alone when properly implemented. Your risk matrix should drive your organization toward the top of the hierarchy.

For EXTREME risks: only Elimination, Substitution, or Engineering controls are acceptable as primary measures. For HIGH risks: Engineering or Administrative controls are required, with PPE as supplementary. For MEDIUM risks: Administrative controls with documented PPE requirements are acceptable. For LOW risks: Existing controls and monitoring are typically sufficient.
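The scoring, banding and control-hierarchy rules from Steps 4 and 5, written up here as an added Python example (not code from the article or from Certify Consulting): it computes Severity × Likelihood, maps the score to a band using the Risk Bands thresholds, and checks whether a proposed primary control sits high enough in the hierarchy for that band. It also checks every cell of a grid transcribed from the matrix above against the same thresholds; on the grid as printed, the cells scoring 5, 6 and 10 carry a label one band below what the Risk Bands list assigns, which is exactly the consistency problem an auditor's rating check would surface.

```python
"""Risk scoring, banding and control-hierarchy checks for the article's 5x5 matrix."""

BANDS = (  # (low, high, label), taken from the Risk Bands list in Step 4
    (16, 25, "EXTREME"), (10, 15, "HIGH"), (5, 9, "MEDIUM"), (1, 4, "LOW"),
)
# Hierarchy levels acceptable as the PRIMARY measure per band (Step 5 text)
PRIMARY_CONTROLS = {
    "EXTREME": {"Elimination", "Substitution", "Engineering"},
    "HIGH": {"Elimination", "Substitution", "Engineering", "Administrative"},
    "MEDIUM": {"Elimination", "Substitution", "Engineering", "Administrative"},
    "LOW": {"Elimination", "Substitution", "Engineering", "Administrative", "PPE"},
}

def score(severity, likelihood):
    """Risk = Severity x Likelihood; both scales run 1..5."""
    if not (1 <= severity <= 5 and 1 <= likelihood <= 5):
        raise ValueError("severity and likelihood must be integers 1..5")
    return severity * likelihood

def band(score_value):
    """Map a score to its band using the thresholds above."""
    for low, high, label in BANDS:
        if low <= score_value <= high:
            return label
    raise ValueError(f"score {score_value} is outside 1..25")

def assess(severity, likelihood, primary_control):
    """Return (score, band, accepted): accepted is False when the proposed
    primary control sits too low in the hierarchy for the band."""
    s = score(severity, likelihood)
    b = band(s)
    return s, b, primary_control in PRIMARY_CONTROLS[b]

# Grid as printed in the article (rows: likelihood 5..1, columns: severity 1..5)
PRINTED_GRID = {
    5: ["LOW", "MEDIUM", "HIGH", "EXTREME", "EXTREME"],
    4: ["LOW", "MEDIUM", "HIGH", "EXTREME", "EXTREME"],
    3: ["LOW", "LOW", "MEDIUM", "HIGH", "HIGH"],
    2: ["LOW", "LOW", "LOW", "MEDIUM", "MEDIUM"],
    1: ["LOW", "LOW", "LOW", "LOW", "LOW"],
}

def grid_mismatches(grid=PRINTED_GRID):
    """Cells whose printed label disagrees with band(score); an empty list
    means the grid and the band thresholds are consistent."""
    return [(sev, lik, label, band(score(sev, lik)))
            for lik, row in grid.items()
            for sev, label in enumerate(row, start=1)
            if label != band(score(sev, lik))]
```

Run `grid_mismatches()` against your own matrix before an audit: any non-empty result means a cell colour and the written band criteria disagree.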


Step 6: Document the Risk Register

The matrix is a scoring tool. The risk register is the living document that applies it. Your ISO 45001 risk register should capture:

Field                        | Description
-----------------------------|------------------------------------------
Hazard ID                    | Unique reference number
Hazard Description           | Specific description of the hazard source
Activity/Location            | Where and when the hazard is present
Persons at Risk              | Who could be harmed
Existing Controls            | Controls currently in place
Initial Severity             | Rating before residual assessment
Initial Likelihood           | Rating with existing controls
Risk Score                   | Severity × Likelihood
Risk Level                   | Band (Extreme/High/Medium/Low)
Additional Controls Required | Proposed improvements
Residual Severity            | After additional controls
Residual Likelihood          | After additional controls
Residual Risk Score          | Final rating
Owner                        | Person responsible for control
Review Date                  | Next scheduled reassessment

ISO 45001 clause 7.5 requires documented information to be controlled. Your risk register must have a version number, approval signature, and defined retention period.


Step 7: Establish Triggers for Reassessment

A risk assessment is not a one-time event. ISO 45001 clause 6.1.2 requires that hazard identification and risk assessment be conducted proactively when:

  • Management of change: New equipment, processes, substances, or organizational structures
  • Incident investigation findings: Near misses, first-aid cases, lost-time injuries
  • Legal/regulatory changes: New OSHA standards, state plan updates, updated exposure limits
  • Planned activities: New construction, maintenance shutdowns, new contractor activities
  • Periodic review: At minimum annually for high and extreme risks

Building a reassessment trigger matrix into your documented procedure closes the loop between your risk assessment and your continual improvement cycle (clause 10.3).


Common Mistakes That Fail Audits

After helping more than 200 organizations achieve ISO 45001 certification with a 100% first-time audit pass rate, I've seen the same matrix errors repeatedly:

Mistake 1: Rating severity too conservatively

Organizations rate forklift operations as "Moderate" severity because serious injuries are rare at their site. Severity must reflect potential consequence, not historical frequency. Forklift fatalities are well-documented — rate accordingly.

Mistake 2: Not accounting for non-routine tasks

Maintenance, cleaning, and emergency response activities often have higher risk profiles than routine production. Many organizations only assess their standard operating conditions.

Mistake 3: Treating the matrix as a paperwork exercise

The most common audit finding isn't a poorly built matrix — it's a matrix that exists but isn't connected to actual workplace controls, training records, or operational procedures. Auditors test the system, not just the document.

Mistake 4: Using a generic industry template without customization

Downloading a matrix template without calibrating the severity/likelihood definitions to your specific operations, regulatory environment, and organizational risk tolerance will produce a document that looks right but doesn't reflect your actual risk landscape.


Integrating Your Matrix With the Broader ISO 45001 System

Your risk assessment matrix doesn't operate in isolation. It feeds directly into:

  • Clause 6.2: OH&S objectives derived from significant risks
  • Clause 7.2: Training needs identified from risk assessments
  • Clause 8.1: Operational planning and control based on risk levels
  • Clause 9.1: Monitoring and measurement targets for high/extreme risks
  • Clause 10.2: Incident investigation feeding back into risk reassessment

For organizations building an integrated management system, the risk assessment methodology can be harmonized with ISO 9001:2015 clause 6.1 and ISO 14001:2015 clause 6.1 risk processes — though the hazard identification specifics remain distinct. Learn more about integrating ISO 45001 with other management system standards for a streamlined approach.

If you're just getting started with your safety management system, our guide on ISO 45001 implementation steps for first-time adopters provides the broader roadmap into which your risk matrix fits.


What a Certification Auditor Looks For

During a Stage 2 certification audit, your assessor will specifically examine:

  1. Evidence of hazard identification methodology — How did you identify hazards, and is it comprehensive?
  2. Consistency of risk ratings — Are similar hazards rated consistently across departments?
  3. Linkage to controls — Do documented controls in the risk register match what's actually in place?
  4. Worker participation — Did workers contribute to hazard identification per clause 5.4?
  5. Treatment of extreme/high risks — Are these being actively managed, not just documented?

An authoritative principle every ISO 45001 practitioner should internalize: A risk assessment matrix is only as defensible as the evidence trail connecting identified risks to implemented controls, competency records, and monitoring results.


Quick-Start Checklist

✅ Scope statement documented (activities, people, locations, timeframes)
✅ Severity scale defined with clear, unambiguous descriptors
✅ Likelihood scale defined relative to existing controls
✅ Risk bands established with corresponding required actions
✅ Hierarchy of controls applied to all medium risk and above
✅ Risk register template built and version-controlled
✅ Reassessment triggers defined in documented procedure
✅ Worker participation documented (clause 5.4 compliance)
✅ Management review integration defined (clause 9.3)
✅ Risk register linked to OH&S objectives (clause 6.2)


FAQ

Does ISO 45001 require a specific risk matrix format?

No. ISO 45001:2018 clause 6.1.2 requires a defined methodology for assessing OH&S risks but does not mandate a specific matrix format, scale, or tool. Organizations have flexibility in design, provided the approach is documented, consistent, and appropriate to their operations.

What's the difference between hazard identification and risk assessment in ISO 45001?

Hazard identification (clause 6.1.2.1) is the process of recognizing sources of potential harm. Risk assessment is the subsequent evaluation of the likelihood and severity of that harm occurring. Every identified hazard must be risk-assessed, and every risk assessment presupposes an identified hazard — the hazard must be identified first.

How often should we update our ISO 45001 risk assessment matrix?

At minimum, risk assessments should be reviewed annually for high and extreme risks, and whenever a management of change event occurs, an incident is investigated, or legal requirements change. ISO 45001 clause 6.1.2 requires proactive, ongoing hazard identification — not a periodic snapshot.

Can we use a 3x3 matrix instead of a 5x5 matrix?

Yes, a 3×3 matrix (producing scores of 1–9) is acceptable if the scale distinctions are meaningful and the methodology is documented. However, 3×3 matrices often lack the granularity to differentiate between risks that require different levels of management attention. For most organizations with moderate to complex operations, a 5×5 matrix provides better risk stratification.

How do we handle risks that cannot be reduced to an acceptable level?

ISO 45001 clause 6.1.2 requires that all risks be reduced to as low as reasonably practicable (ALARP). For risks where further reduction is technically or economically infeasible, organizations must document the residual risk, ensure workers are informed, and justify why the risk level is acceptable. Some jurisdictions have regulatory requirements that supersede ALARP — always verify applicable legal obligations through your legal register.


Built an ISO 45001 risk matrix and still unsure it will pass certification? Certify Consulting offers pre-audit gap assessments specifically designed to validate your risk assessment approach before your certification body arrives. With 200+ clients served and a 100% first-time audit pass rate, we know exactly what auditors are looking for.


Last updated: 2026-03-13


Jared Clark

Certification Consultant

Jared Clark is the founder of Certify Consulting and helps organizations achieve and maintain compliance with international standards and regulatory requirements.

Ready to Protect Your People?

Schedule a free consultation to discuss your ISO 45001 certification goals, OSHA compliance needs, and how we can build a safety management system that works for your organization.