Using the IOSH 5x5 Risk Matrix to Improve Workplace Safety

The IOSH 5x5 risk matrix is a structured tool used in risk assessment to combine the likelihood and severity of hazards into a single risk score. This approach helps organizations prioritise hazards, select proportionate control measures, and track residual risk over time. The method aligns with common safety management practices and regulatory expectations for documented risk assessment.

Overview: purpose and context

Risk matrices are a component of risk assessment frameworks used in occupational safety. The IOSH 5x5 risk matrix provides a visual and numeric way to sort hazards by risk level so that resources can be applied where they reduce the most harm. While not a legal requirement by itself, using a recognised method supports compliance with duties under regulators such as the Health and Safety Executive (HSE) and demonstrates a systematic approach to managing workplace hazards.

How the IOSH 5x5 Risk Matrix works

The matrix has two axes: likelihood (how probable an event is) and severity (the potential consequence if the event occurs). Each axis is scored from 1 (lowest) to 5 (highest). The product of the two scores produces a risk rating, typically categorised into bands (low, medium, high, extreme) to guide action priorities.

Likelihood and severity definitions

Consistency requires written definitions for each score. Likelihood may be described in terms such as rare, unlikely, possible, likely, and almost certain. Severity categories often range from negligible (minor first aid) to catastrophic (multiple fatalities). Definitions should reference workplace context and historical data where available.

Risk bands and decision thresholds

After scoring, a risk matrix table is used to assign risk bands. For example, a score of 4 (likelihood) times 5 (severity) gives 20, which might fall in the high-risk band and require immediate action. Decision thresholds should reflect organisational tolerance and legal duties; many organisations adopt ALARP (as low as reasonably practicable) principles when determining acceptable residual risk.

Applying the matrix in practice

Step-by-step implementation

1) Identify hazards through walk-rounds, task analysis, and incident records. 2) Assess the initial (inherent) likelihood and severity using agreed definitions. 3) Calculate the initial risk score and prioritise. 4) Select controls following the hierarchy of controls (elimination, substitution, engineering, administrative, PPE). 5) Reassess to calculate residual risk and record outcomes.

Documentation and review

Maintain records that show the rationale for scores, assumptions, and chosen controls. Review assessments periodically and after changes to processes, equipment, or incidents. Regulators and auditors commonly expect evidence that controls are working and that risk assessments are kept up to date.

Common strengths and limitations

Benefits

The approach is simple to teach, supports prioritisation, and produces clear, documented outputs for management and inspectors. It integrates with safety management systems and can be used alongside quantitative measures when available.

Limitations and mitigations

Risk matrices can give a false precision and may differentially weight likelihood and severity in ways that obscure true risk. Subjective scoring can lead to inconsistent results across teams. Mitigations include: providing clear scoring definitions, training assessors, using incident data to calibrate scores, and supplementing the matrix with task-specific analysis or probabilistic tools where needed.

Tools, training and governance

Templates and digital tools

Templates help standardise wording and assumptions. Many organisations use spreadsheets or safety software to store assessments, automate scoring, and track actions. Regardless of format, version control and access permissions are important so that assessments remain authoritative.

Training and competence

Effective use depends on assessor competence. Training should cover hazard identification, the matrix scoring system, the hierarchy of controls, and incident investigation basics. Governance should ensure senior oversight, audit of assessments, and management of high-risk items.

Further resources

Guidance on risk assessment and risk management is available from professional bodies and regulators. The Institution of Occupational Safety and Health (IOSH) provides competency frameworks and guidance for safety practitioners. For regulatory expectations, see material from the Health and Safety Executive (HSE) and national regulators relevant to specific jurisdictions.

Authoritative resource: Institution of Occupational Safety and Health (IOSH)

When to use other methods

The IOSH 5x5 risk matrix suits many routine assessments, but complex systems with interdependent hazards or high-consequence low-frequency events may require quantitative risk assessment, fault tree analysis, or safety case methodologies. Consider specialist input for major hazard installations or when legal standards specify specific assessment approaches.

Practical tips for consistent results

• Create written scoring guides with examples tied to local operations.
• Use cross-team workshops to align interpretations of likelihood and severity.
• Record why a score was chosen and next review date.
• Link assessments to business processes such as change control and procurement.