What is a 5x5 risk matrix?

A 5x5 risk matrix is a grid that plots five levels of likelihood against five levels of consequence to produce 25 possible risk ratings. Each cell in the matrix is colour-coded (green, yellow, orange, red) to indicate whether the risk is low, moderate, high or extreme. It is the most widely used risk assessment format in Australian workplaces and is aligned with ISO 31000 and SafeWork Australia guidance.

How do you calculate risk using a risk matrix?

Risk is calculated by multiplying the likelihood rating (1 to 5) by the consequence rating (1 to 5). For example, a hazard that is likely (4) with a moderate consequence (3) produces a risk score of 12, which falls in the high-risk range. The resulting score maps to a risk level (low, moderate, high or extreme) that determines the required response and approval level.

What is the difference between a risk matrix and a risk assessment?

A risk assessment is the overall process of identifying hazards, evaluating the risk and determining controls. A risk matrix is a tool used within the risk assessment process to rate the level of risk by comparing likelihood and consequence. The risk matrix provides a consistent, visual method for the evaluation step, but it is only one part of the broader risk assessment process.

What is the difference between inherent and residual risk?

Inherent risk is the level of risk before any controls are applied. Residual risk is the level of risk that remains after controls are in place. A proper risk assessment rates both. The difference between inherent and residual risk demonstrates the effectiveness of your control measures. If the residual risk is still rated high or extreme, additional controls are required.

Do I need a risk matrix for every task?

Not every task requires a formal 5x5 risk matrix. Low-risk, routine tasks are typically covered by standard operating procedures and pre-start checklists. However, any task involving high-risk work, non-routine activities, changed conditions or significant hazards should include a risk assessment with a matrix. In Australian construction, a SWMS with risk ratings is legally required for all high-risk construction work as defined in the WHS Regulations.

How often should a risk matrix be reviewed?

The risk matrix itself (the scales and risk levels) should be reviewed annually or whenever a significant incident, regulatory change or operational shift occurs. Individual risk assessments should be reviewed whenever conditions change, after an incident involving the assessed hazard, or at defined review intervals set by your safety management system. A risk assessment for a SWMS should be reviewed before each time the work is performed.

What is a 5x5 risk matrix?

A 5x5 risk matrix is a grid that plots five levels of likelihood against five levels of consequence to produce 25 possible risk ratings. Each cell in the matrix is colour-coded (green, yellow, orange, red) to indicate whether the risk is low, moderate, high or extreme. It is the most widely used risk assessment format in Australian workplaces and is aligned with ISO 31000 and SafeWork Australia guidance.

How do you calculate risk using a risk matrix?

Risk is calculated by multiplying the likelihood rating (1 to 5) by the consequence rating (1 to 5). For example, a hazard that is likely (4) with a moderate consequence (3) produces a risk score of 12, which falls in the high-risk range. The resulting score maps to a risk level (low, moderate, high or extreme) that determines the required response and approval level.

What is the difference between a risk matrix and a risk assessment?

A risk assessment is the overall process of identifying hazards, evaluating the risk and determining controls. A risk matrix is a tool used within the risk assessment process to rate the level of risk by comparing likelihood and consequence. The risk matrix provides a consistent, visual method for the evaluation step, but it is only one part of the broader risk assessment process.

What is the difference between inherent and residual risk?

Inherent risk is the level of risk before any controls are applied. Residual risk is the level of risk that remains after controls are in place. A proper risk assessment rates both. The difference between inherent and residual risk demonstrates the effectiveness of your control measures. If the residual risk is still rated high or extreme, additional controls are required.

Do I need a risk matrix for every task?

Not every task requires a formal 5x5 risk matrix. Low-risk, routine tasks are typically covered by standard operating procedures and pre-start checklists. However, any task involving high-risk work, non-routine activities, changed conditions or significant hazards should include a risk assessment with a matrix. In Australian construction, a SWMS with risk ratings is legally required for all high-risk construction work as defined in the WHS Regulations.

How often should a risk matrix be reviewed?

The risk matrix itself (the scales and risk levels) should be reviewed annually or whenever a significant incident, regulatory change or operational shift occurs. Individual risk assessments should be reviewed whenever conditions change, after an incident involving the assessed hazard, or at defined review intervals set by your safety management system. A risk assessment for a SWMS should be reviewed before each time the work is performed.

What Is a Risk Matrix? The Complete 5x5 Guide

What Is a Risk Matrix?

A risk matrix is a visual tool used to evaluate and prioritise risks by plotting them on a grid based on two factors: the likelihood of a hazard occurring and the consequence (or severity) if it does. Each risk sits at the intersection of a likelihood row and a consequence column, producing a colour-coded rating that tells you whether the risk is low, moderate, high or extreme.

Risk matrices are a foundational tool in workplace health and safety (WHS), project risk management and operational planning. They are referenced extensively in Australian WHS legislation, international standards such as ISO 31000 (Risk Management) and ISO 45001 (Occupational Health and Safety), and industry-specific frameworks including Safe Work Method Statements (SWMS) and Job Safety Analyses (JSAs).

The matrix does not eliminate risk. It provides a structured, repeatable method for comparing risks against each other so that your team can focus resources on the hazards that matter most. Without a risk matrix, risk assessments tend to default to gut feel, which is inconsistent across assessors and difficult to defend in an audit or investigation.

How a 5x5 Risk Matrix Works

A 5x5 risk matrix uses five levels of likelihood and five levels of consequence to produce 25 possible risk ratings. It is the most widely used format in Australian WHS risk assessments and is recommended by SafeWork Australia, state-based WHS regulators and standards such as AS/NZS ISO 31000:2018.

Likelihood scale

Likelihood describes how probable it is that a hazard event will occur, given existing controls. A common five-level scale used across Australian workplaces is:

Rare (1): Could occur in exceptional circumstances only. No history of occurrence in the organisation or industry.
Unlikely (2): Could occur but is not expected. May have occurred once in the industry under unusual conditions.
Possible (3): Could occur and has occurred in the industry or similar operations. Reasonable to expect it may happen at some point.
Likely (4): Will probably occur in most circumstances. Has occurred multiple times in the organisation or frequently in the industry.
Almost certain (5): Expected to occur in most circumstances. Has occurred repeatedly and there is a clear pattern.

Consequence scale

Consequence describes the worst credible outcome if the hazard event occurs. The scale should reflect both health and safety outcomes and operational impacts:

Insignificant (1): No injury or first aid treatment only. Negligible operational impact.
Minor (2): Minor injury requiring medical treatment. Short-term disruption to operations.
Moderate (3): Injury requiring hospitalisation or significant medical treatment. Moderate operational disruption or regulatory notification required.
Major (4): Serious injury or permanent disability. Major operational disruption, regulatory investigation likely.
Catastrophic (5): Fatality or multiple fatalities. Complete operational shutdown, prosecution likely.

The 5x5 risk matrix

The risk rating is calculated by multiplying likelihood by consequence. The resulting score maps to a risk level that determines the required response:

Likelihood / Consequence	Insignificant (1)	Minor (2)	Moderate (3)	Major (4)	Catastrophic (5)
Almost certain (5)	5 - Moderate	10 - High	15 - High	20 - Extreme	25 - Extreme
Likely (4)	4 - Moderate	8 - Moderate	12 - High	16 - High	20 - Extreme
Possible (3)	3 - Low	6 - Moderate	9 - High	12 - High	15 - High
Unlikely (2)	2 - Low	4 - Moderate	6 - Moderate	8 - High	10 - High
Rare (1)	1 - Low	2 - Low	3 - Low	4 - Moderate	5 - Moderate

Interpreting risk levels

Each risk level requires a different response. A common action framework used alongside the 5x5 matrix is:

Low (1-4): Manage through routine procedures. Monitor periodically. No additional controls required beyond existing measures.
Moderate (5-8): Management attention needed. Implement additional controls where reasonably practicable. Review at defined intervals.
High (9-16): Senior management attention required. Implement controls before work proceeds. Documented risk treatment plan required.
Extreme (17-25): Immediate action required. Work must not proceed until risk is reduced to an acceptable level. Executive or board-level oversight may be required.

When to Use a Risk Matrix

A risk matrix is not a once-a-year exercise. It is a tool that should be embedded in daily, weekly and project-level decision making across your operation. The following scenarios are where risk matrices add the most value:

Formal risk assessments

Under Australian WHS legislation, a Person Conducting a Business or Undertaking (PCBU) must identify hazards, assess risks and implement controls. The risk assessment process defined in the WHS Regulations 2011 and the associated Codes of Practice explicitly references likelihood and consequence as the basis for evaluating risk. A 5x5 matrix provides a consistent, documented method for this evaluation.

Safe Work Method Statements (SWMS)

Every SWMS for high-risk construction work includes a risk rating for each identified hazard. The 5x5 matrix is the most common tool for assigning these ratings. It ensures that risk levels are assessed consistently across different work crews and projects, rather than varying with whoever wrote the SWMS.

Job Safety Analyses (JSAs)

A Job Safety Analysis breaks a task into steps, identifies hazards at each step and rates the risk before and after controls are applied. The 5x5 matrix provides the rating mechanism. Using the same matrix across all JSAs in your organisation ensures that risk ratings are comparable and that high-risk steps are consistently identified.

Take 5 pre-task assessments

Take 5 safety assessments are rapid, pre-task risk checks conducted before starting any job. While the Take 5 process is faster and less formal than a full risk assessment, many organisations use a simplified likelihood-consequence rating as part of the Take 5 form. Workers who understand how a 5x5 matrix works can make better risk judgements during Take 5 checks.

Change management and new projects

Whenever operations change, whether it is a new piece of equipment, a different work method, a new site or a modified process, the risk profile changes with it. Risk matrices are used during project planning, management of change reviews and pre-commissioning assessments to evaluate whether new risks are acceptable or require additional controls.

Incident investigations

After an incident or near miss, the risk matrix helps evaluate whether the original risk rating was appropriate and whether the controls in place were adequate. It also helps rate the residual risk after corrective actions are implemented, providing a documented basis for closing the investigation.

How to Build a Risk Matrix: Step by Step

Building a risk matrix for your organisation is straightforward, but it requires careful calibration to ensure the scales are meaningful for your specific operations, hazards and workforce. A matrix that is too abstract will not be used. One that is too complex will slow down the assessment process. Here is how to build one that works.

Step 1: Define your consequence categories

Start with consequence, not likelihood. Consequence categories anchor the matrix to outcomes that your team understands. For a construction or mining operation, the categories should cover:

People: Injury severity ranging from first aid through to fatality.
Operational: Disruption ranging from minor delay through to complete shutdown.
Regulatory: From informal guidance through to prosecution and prohibition notices.
Financial: Direct costs ranging from under $1,000 through to losses exceeding $1 million.
Reputational: From internal awareness through to national media coverage and contract loss.

Use the most serious applicable consequence when rating a risk. If a hazard could cause both a minor injury and a major operational shutdown, rate the consequence based on the operational shutdown.

Step 2: Define your likelihood scale

Likelihood should be defined in terms your workforce understands. Avoid abstract probabilities like “1 in 10,000”. Instead, use descriptions that relate to experience: “has happened here before”, “happens in the industry”, “could happen under unusual conditions”. The five-level scale described above (rare, unlikely, possible, likely, almost certain) works for most operations.

Step 3: Assign risk levels to the matrix cells

Multiply likelihood by consequence for each cell and assign a risk level. The most common approach uses four levels: low, moderate, high and extreme. The cut-off points should reflect your organisation's risk appetite. A mining operation with significant safety-critical assets may set a lower threshold for “extreme” than a facilities management operation.

Step 4: Define required actions for each risk level

Each risk level must have a clear, actionable response that your team can follow without ambiguity. This includes who needs to approve the work, what controls must be in place, and within what timeframe additional controls must be implemented. Without defined actions, the risk rating is a number with no practical effect.

Step 5: Document and communicate

The matrix should be documented as part of your safety management system and communicated to every person who conducts risk assessments, writes SWMS or completes Take 5 forms. It should be included in site inductions, toolbox talks and supervisor training. A matrix that lives in a filing cabinet and is only reviewed during audits is not serving its purpose.

Step 6: Review and calibrate

Review your matrix annually or whenever a significant incident, regulatory change or operational shift occurs. Check whether the likelihood and consequence definitions still match your operational reality. If every risk assessment in the organisation is rating everything as “moderate”, the scale is not differentiating effectively and needs recalibrating.

Risk Matrix Examples by Industry

While the 5x5 structure remains consistent, the specific hazards, consequences and likelihood assessments vary significantly by industry. Here are practical examples showing how the matrix applies in construction, mining and fleet operations.

Construction

Construction operations involve high-risk activities including working at heights, excavation, crane lifts, hot work and demolition. A typical risk matrix application on a construction site:

Working at heights without edge protection: Likelihood: Likely (4). Consequence: Catastrophic (5, fatality). Rating: 20, Extreme. Work must not proceed until edge protection or fall arrest systems are installed.
Manual handling of heavy materials: Likelihood: Almost certain (5). Consequence: Minor (2, musculoskeletal strain). Rating: 10, High. Implement mechanical aids, team lifts, and task rotation.
Silica dust from concrete cutting: Likelihood: Almost certain (5). Consequence: Major (4, chronic illness). Rating: 20, Extreme. Wet cutting, on-tool extraction and respiratory protection required.

Mining

Mining operations present hazards including ground instability, heavy mobile equipment interaction, hazardous atmospheres, and fatigue in remote locations. Risk matrices in mining are typically governed by state mining safety legislation and principal hazard management plans:

Light vehicle and heavy vehicle interaction at intersections: Likelihood: Possible (3). Consequence: Catastrophic (5). Rating: 15, High. Controls include traffic management plans, positive communication protocols, separated roadways and priority rules.
Ground failure in an open pit: Likelihood: Unlikely (2). Consequence: Catastrophic (5). Rating: 10, High. Geotechnical monitoring, exclusion zones and slope design verification required.
Heat stress during summer operations: Likelihood: Likely (4). Consequence: Moderate (3). Rating: 12, High. Hydration protocols, adjusted shift schedules and buddy systems required.

Fleet operations

Fleet operations face risks including vehicle collisions, driver fatigue, vehicle mechanical failure and load restraint failures. The Heavy Vehicle National Law (HVNL) and Chain of Responsibility framework impose specific risk management obligations on fleet operators:

Driver fatigue on long-haul routes: Likelihood: Possible (3). Consequence: Catastrophic (5). Rating: 15, High. Fatigue management plans, electronic work diaries, scheduled rest stops and fit-for-work declarations required.
Tyre blowout at highway speed: Likelihood: Unlikely (2). Consequence: Major (4). Rating: 8, Moderate. Regular tyre inspections, pressure monitoring and replacement schedules.
Unsecured load shifting during transport: Likelihood: Possible (3). Consequence: Major (4). Rating: 12, High. Pre-start checks including load restraint verification, driver training and standardised loading procedures.

Common Mistakes with Risk Matrices

Risk matrices are simple tools, but they are frequently misused in ways that undermine their value. Recognising these mistakes helps you avoid them in your own organisation.

Using the matrix without defined scales

The most common mistake is using a 5x5 grid without clearly defined likelihood and consequence descriptions. When “likely” and “possible” are not defined, different assessors interpret them differently. One supervisor's “possible” is another's “likely”. The result is inconsistent risk ratings across the organisation, which defeats the purpose of using a matrix in the first place.

Rating risks after controls (not before and after)

A proper risk assessment rates the risk twice: the inherent risk (before controls) and the residual risk (after controls are applied). Many organisations only rate the residual risk, which makes it impossible to evaluate whether the controls are actually reducing the risk. Always rate both. The difference between inherent and residual risk demonstrates the effectiveness of your control measures.

Defaulting to moderate

When assessors are unsure, they tend to rate everything as moderate. This clusters all risks in the middle of the matrix, eliminating the differentiation that the matrix is supposed to provide. If a significant proportion of your risk assessments produce moderate ratings, the likelihood and consequence scales may need recalibrating, or your assessors need additional training on how to apply them.

Treating the matrix as a one-off exercise

A risk matrix rating is valid for the conditions at the time of assessment. If conditions change, whether it is the weather, the workforce, the equipment or the work method, the risk rating must be reviewed. Risk matrices should be living documents, not laminated cards that are filed after induction and never revisited.

Confusing likelihood with frequency

Likelihood is not the same as frequency. A task performed once per year can still have an “almost certain” likelihood if the hazard is present every time the task is performed and existing controls are inadequate. Conversely, a task performed daily can have a “rare” likelihood if robust controls are in place and consistently followed.

Ignoring the hierarchy of controls

A risk matrix tells you the risk level, but it does not tell you what controls to apply. The hierarchy of controls (elimination, substitution, engineering, administrative, PPE) should always be used alongside the matrix to select the most effective control measures. Jumping straight to PPE without considering higher-order controls is a common failure.

Digital vs Paper Risk Assessments

Many organisations still conduct risk assessments on paper forms, printed spreadsheets or laminated cards. While paper forms are familiar and require no technology, they create significant limitations as the operation scales.

Limitations of paper risk assessments

Data loss: Paper forms get damaged on site, lost in the back of utes or filed in boxes that nobody searches. When a regulator asks for the risk assessment for a specific task six months ago, finding it in a paper system can take days.
No version control: When a risk assessment is updated, the previous version should be retained for audit purposes. Paper systems make version control impractical.
No real-time visibility: Site managers and safety teams cannot see which risk assessments have been completed today without physically collecting and reviewing paper forms.
No trend analysis: Paper records cannot be aggregated to identify patterns such as which hazards are rated highest, which sites have the most extreme risks, or whether risk ratings are improving over time.
No integration: Paper risk assessments exist in isolation from the asset register, the maintenance schedule and the compliance system. A risk identified on a piece of equipment cannot automatically trigger a corrective action, work order or inspection schedule change.

Advantages of digital risk assessments

Digital risk assessment tools, whether standalone forms apps or integrated modules within an asset tracking platform, solve the limitations above:

Every completed risk assessment is stored, searchable and exportable from a central system.
Supervisors and safety managers see real-time completion rates across all sites and teams.
Historical data enables trend analysis, identifying recurring hazards and measuring whether control measures are reducing risk ratings over time.
Risk assessments can be linked to specific assets, so the risk profile of a piece of equipment is visible alongside its maintenance history and service records.
High or extreme risk ratings can automatically trigger notifications to supervisors, generate corrective actions or flag work for additional review before proceeding.

The transition from paper to digital does not need to happen overnight. Many organisations start by digitising their most common risk assessment forms (SWMS, JSAs, Take 5 forms) and expand from there as the team builds confidence with the system.

How MapTrack Helps Manage Risk Assessments

MapTrack is an Australian-built asset tracking platform used by construction, mining, fleet and facilities teams to manage risk assessments alongside asset tracking, maintenance scheduling and compliance monitoring. The platform is purpose-built for field-based operations where risk assessments happen on site, not at a desk.

Digital risk assessment forms

MapTrack's digital forms engine supports customisable risk assessment templates with built-in risk matrix scoring. Your team completes risk assessments on their smartphones, with the likelihood and consequence ratings calculated automatically. Photo capture, GPS location stamps and digital signatures are included for evidentiary completeness.

Asset-linked risk records

Risk assessments completed in MapTrack are linked to the specific asset or site where the work is being performed. This means the risk history of a crane, excavator or work area is visible alongside its maintenance history, pre-start inspection records and compliance status. When reviewing an asset, you can see every risk assessment ever conducted on it, sorted by date and risk level.

Automated escalation

When a risk assessment produces a high or extreme rating, MapTrack can automatically notify the supervisor, safety manager or site manager via the mobile app or email. This ensures that high-risk work is not proceeding without the required level of oversight and approval, even when the safety manager is not physically present on site.

Trend reporting

MapTrack's reporting module aggregates risk assessment data across sites, teams and time periods. Safety managers can identify which hazards are rated highest, which sites have the most extreme risks, and whether control measures are reducing risk ratings over time. This data supports WHS committee reporting, management reviews and ISO 45001 internal audits.

Templates to get started

MapTrack provides free, downloadable risk assessment templates to help you standardise your processes:

Getting Started

A risk matrix is only useful if it is understood, used consistently and reviewed regularly. The organisations that get the most value from risk matrices are not the ones with the most elaborate scoring systems. They are the ones where every worker on every site uses the same scales, applies them honestly, and acts on the results.

Start by defining your likelihood and consequence scales in language your workforce understands. Build your 5x5 matrix. Document the required actions for each risk level. Train your supervisors and front-line workers. Then digitise the process so that every risk assessment is captured, searchable and actionable.

If you are managing physical assets across multiple sites and want to integrate risk assessments with your asset register, maintenance schedules and compliance system, start a free trial of MapTrack to see how it works for your operation.