
Risk matrix

TL;DR

A risk matrix is the two- or three-dimensional grid that translates qualitative judgements about Severity and Likelihood (and optionally Detectability) into a ranked risk score. It is the most common quantification tool in pharma + device risk management. ICH Q9(R1) lists the technique it implements, risk ranking and filtering, among its Annex I tools; ISO 14971 §5.5 uses it for risk estimation, with worked examples in the companion guidance ISO/TR 24971; ISO 31000 + IEC 31010 ground it for enterprise risk. Done well it focuses the organisation on the high-impact risks; done badly it becomes a yellow-and-red colouring exercise that hides the actual risk profile.

Reviewed · By V5 Ultimate compliance team · 3,200 words · ~15 min read

01 What a risk matrix is

A risk matrix has two basic dimensions:

  • Severity — how bad the consequence is if the risk materialises (typically 1–5 scale).
  • Likelihood / Probability — how often the risk would be expected to materialise (typically 1–5 scale).

The product (Severity × Likelihood) is the Risk Score; the grid cells are coloured Green / Amber / Red to drive an action threshold. FMEA extends this to three dimensions by adding Detectability, with the product becoming the Risk Priority Number (RPN = S × O × D, where O is Occurrence, FMEA's term for likelihood).

02 Anatomy of a regulated-grade matrix

A defensible matrix includes:

  • Scale definitions — each Severity level has a written, concrete description (e.g. S5 = patient death or permanent disability; S4 = serious injury requiring intervention; S3 = injury requiring medical attention; S2 = temporary discomfort; S1 = no patient impact).
  • Likelihood definitions — anchored in numbers wherever possible, with each level a band ten times the one below so the scale covers the full range without gaps (e.g. L5 = 1 in 10 batches or more; L4 = 1 in 100 up to 1 in 10; L3 = 1 in 1,000 up to 1 in 100; L2 = 1 in 10,000 up to 1 in 1,000; L1 = less than 1 in 10,000).
  • Detectability definitions (FMEA) — D5 = not detectable before product reaches patient; D3 = detected by routine in-process test; D1 = detected by hard-stop interlock.
  • Acceptance criteria — what makes a residual risk acceptable; defined BEFORE the assessment, not after.
  • Action thresholds — Red = immediate action required + cannot release; Amber = mitigation required + tracked; Green = monitor.
  • Benefit-risk analysis (ISO 14971 §7.4 for an individual residual risk, §8 for the overall residual risk) — for residual risk that remains unacceptable and cannot be reduced further, document the medical benefit that justifies accepting it.

03 ICH Q9(R1) update (2023)

The 2023 revision of ICH Q9 introduced four key emphases that affect how matrices should be built:

  • Subjectivity acknowledged — Q9(R1) §V.A explicitly recognises subjectivity in QRM and requires explicit measures to reduce it (pre-defined scales, calibration training for assessors, peer review).
  • Hazard identification first — before scoring, the team must do a proper hazard analysis; scoring without hazard identification is QRM theatre.
  • Risk-based decision-making across product lifecycle — matrices are tools, not deliverables; the decision is the deliverable.
  • Linkage to formality of approach — minor risks can use a simple matrix; high-impact risks deserve a formal method such as HACCP, HAZOP, FTA or FMECA.

04 ISO 14971 device application

For medical devices the matrix lives inside the Risk Management File:

  • Hazardous situations + harms identified per intended use + reasonably foreseeable misuse (§5.4–5.5).
  • Severity + probability scored for each harm; combined into estimated risk (§5.5).
  • Risk acceptability evaluated against the criteria in the Risk Management Plan (§5.6).
  • Risk control measures applied per inherent-safety / protective-measures / information-for-safety hierarchy (§7.1).
  • Residual risk re-evaluated (§7.3); if still unacceptable, a benefit-risk analysis under §7.4 — or the design cannot proceed.
  • Overall residual risk evaluation across the device (§8 + 9); post-production information (§10) feeds back into the matrix throughout the lifecycle.

05 Common traps — and the academic critique

Risk matrices have been critiqued extensively in the peer-reviewed literature (Cox 2008, Hubbard + Evans 2010, Smith 2009). The major documented flaws:

  • Range compression — a 1–5 scale forces orders-of-magnitude differences in likelihood into the same bucket. A 1-in-10 risk and a 1-in-100 risk can both score L3 if the scale is not anchored.
  • Lie factor (false precision) — a 5 × 5 grid has 25 cells, yet the product of two 1–5 scores takes only 14 distinct values (1 × 4 and 2 × 2 both score 4), so the grid suggests more discrimination than the underlying judgement supports.
  • Risk reversals — under standard colouring, a lower-true-risk hazard can score in a worse-coloured cell than a higher-true-risk hazard, leading to wrong prioritisation.
  • Centering bias — assessors gravitate to the middle of the scale; the distribution loses its tails.
  • Anchoring — first scorer's vote dominates the team consensus.
  • Detectability double-counting in FMEA — high detectability reduces RPN, but a hazard reaching the patient is not less severe just because someone might catch it.

ICH Q9(R1) acknowledges the subjectivity behind these critiques and expects controls for it — anchored scales, calibration training, peer review, blind individual scoring before group consensus, and using the matrix as one input into a wider decision rather than as the decision itself.

06 Design rules for a defensible matrix

  • Anchor every scale point in concrete, observable criteria — not adjectives like "moderate" or "significant".
  • Use logarithmic likelihood scales (each step ~10× the previous) so range compression is explicit.
  • Define acceptance thresholds before scoring, not after.
  • Score individually, then converge — reduces anchoring bias.
  • Include a sanity-check question: "Would a regulator agree with this score given the same facts?"
  • Review residual risk after mitigation; document benefit-risk for any residual that remains unacceptable.
  • Re-evaluate periodically — risk profiles change as products mature, complaints accumulate, processes drift.
  • For high-impact risks, supplement the matrix with a structured, more formal method (FTA, HAZOP, FMECA) — don't rely on a 5×5 grid as the only evidence.
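The scorer below is an added worked example covering sections 01, 02, 05 and 06 together; it is not code from the original page or from V5 Ultimate. It anchors the likelihood levels to logarithmic probability bands, freezes the Green / Amber / Red thresholds before any hazard is scored, converges blind individual votes by median rather than by the first voice in the room, and then runs Cox's risk-reversal check over the whole grid. The bands, thresholds and sample hazard are constructed for illustration, and the per-severity "harm weights" used by the reversal check are an assumption standing in for whatever quantitative consequence measure a team agrees on.

```python
"""Risk-matrix scorer built to the design rules above.

Added worked example; not code from the original page or from V5 Ultimate.
Scales, thresholds, harm weights and the sample hazard are constructed for
illustration and would be replaced by a team's own approved definitions.
"""
from statistics import median
from typing import Dict, List, Tuple

# Likelihood L1..L5 anchored to per-batch probability bands, each 10x the
# previous (constructed anchors; lower bound inclusive, upper exclusive).
LIKELIHOOD_BANDS: Dict[int, Tuple[float, float]] = {
    1: (0.0, 1e-4),   # < 1 in 10,000
    2: (1e-4, 1e-3),  # 1 in 10,000 up to 1 in 1,000
    3: (1e-3, 1e-2),  # 1 in 1,000 up to 1 in 100
    4: (1e-2, 1e-1),  # 1 in 100 up to 1 in 10
    5: (1e-1, 1.0),   # 1 in 10 or more
}

# Severity S1..S5: written anchor plus an assumed "harm weight" band, an
# order-of-magnitude proxy for consequence size used only by the reversal
# check (assumption: a real team would substitute its own measure).
SEVERITY: Dict[int, Tuple[str, Tuple[float, float]]] = {
    1: ("no patient impact", (1.0, 10.0)),
    2: ("temporary discomfort", (10.0, 100.0)),
    3: ("injury requiring medical attention", (100.0, 1e3)),
    4: ("serious injury requiring intervention", (1e3, 1e4)),
    5: ("death or permanent disability", (1e4, 1e5)),
}

# Acceptance thresholds on S x L, frozen here before any hazard is scored.
RED_AT, AMBER_AT = 15, 8
COLOUR_RANK = {"Green": 0, "Amber": 1, "Red": 2}


def likelihood_level(p: float) -> int:
    """Map an estimated probability to its anchored level via the bands, so
    two estimates an order of magnitude apart never share a level."""
    if not 0.0 < p <= 1.0:
        raise ValueError("probability must be in (0, 1]")
    for level, (lo, hi) in LIKELIHOOD_BANDS.items():
        if lo <= p < hi:
            return level
    return 5  # p == 1.0 sits on the closed top edge of the L5 band


def colour(score: int) -> str:
    """Colour a score against the frozen thresholds."""
    if score >= RED_AT:
        return "Red"
    if score >= AMBER_AT:
        return "Amber"
    return "Green"


def converge(levels: List[int]) -> int:
    """Combine blind individual votes. The median is used rather than the
    first vote or a discussion outcome, so one assessor cannot anchor the team."""
    if not levels:
        raise ValueError("no votes to converge")
    return int(round(median(levels)))


def assess(severity: int, probability_estimates: List[float]) -> Dict[str, object]:
    """Score one hazard: each assessor's independent probability estimate is
    mapped to a level, the levels converge, and the result is scored and coloured."""
    if severity not in SEVERITY:
        raise ValueError("severity must be 1..5")
    levels = [likelihood_level(p) for p in probability_estimates]
    likelihood = converge(levels)
    score = severity * likelihood
    return {"levels": levels, "likelihood": likelihood,
            "score": score, "colour": colour(score)}


def risk_reversals() -> List[Tuple[Tuple[int, int], Tuple[int, int]]]:
    """Cox's risk-reversal check: list (lower-coloured cell, higher-coloured
    cell) pairs where the lower cell can hold more quantitative risk
    (probability x harm weight) than the higher one, i.e. where the
    colouring can mis-rank two hazards."""
    cells = {}
    for s, (_, (w_lo, w_hi)) in SEVERITY.items():
        for l, (p_lo, p_hi) in LIKELIHOOD_BANDS.items():
            cells[(s, l)] = (p_lo * w_lo, p_hi * w_hi, COLOUR_RANK[colour(s * l)])
    found = []
    for a, (_, a_max, a_rank) in cells.items():
        for b, (b_min, _, b_rank) in cells.items():
            if a_rank < b_rank and a_max > b_min:
                found.append((a, b))
    return sorted(found)


if __name__ == "__main__":
    # Constructed sample: an S5 hazard with three blind probability estimates.
    print(assess(5, [0.002, 0.0008, 0.005]))
    for low, high in risk_reversals():
        print(f"{colour(low[0] * low[1])} cell S{low[0]}L{low[1]} can outrank "
              f"{colour(high[0] * high[1])} cell S{high[0]}L{high[1]}")
```

Running it shows the point of section 05 concretely: with these anchors the S5/L2 cell is Amber while S3/L5 is Red, yet the Amber cell can carry ten times the quantitative risk of the Red one. Any pair that `risk_reversals()` reports is a place where the matrix alone should not be trusted to prioritise, which is exactly where the page says to bring in a more formal method.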

07 Common mistakes

  • Scales defined in adjectives only, with no anchoring criteria.
  • Acceptance thresholds defined after scoring to make the result fit.
  • Detectability included in FMEA without recognising the double-counting effect on safety-critical risks.
  • Risk assessment treated as a one-time exercise rather than a living document.
  • Risk reduction claimed but not evidenced ("training" listed as a mitigation without a measurable effect on probability).
  • Risk-benefit analysis missing for residual unacceptable risk.
  • Same matrix template used for patient-safety risks and supplier-business risks — categories don't translate.
  • Score arithmetic done by spreadsheet without governance; later edits not audit-trailed.

08 How V5 Ultimate handles risk matrices

Frequently asked questions

Q. Is a 5×5 matrix enough?

For minor risks, yes. For high-impact patient-safety or product-quality risks, ICH Q9(R1) ties the formality of the approach to the impact of the decision, so supplement the matrix with a formal structured method (FTA, HAZOP, FMECA) — the matrix alone is too coarse.

Q. Should I include Detectability?

For process FMEA, yes — Detectability captures the probability of catching the failure before it reaches the customer. For patient-safety harm severity, no — a high-severity harm is not less harmful because someone might detect it; FDA + ISO 14971 both warn against the double-counting trap.

Q. How often should risk assessments be re-evaluated?

Whenever new information arrives — complaint, deviation, change, post-market data, regulatory action. Default cadence in the absence of new information is annual. V5 calendars the periodic review and flags aged assessments.

Q. Can residual risk be accepted at any level?

Under ISO 14971, only if the medical benefit outweighs the residual risk (§7.4, and §8 for the overall residual risk) AND the risk-control hierarchy (inherent safety by design, protective measures, information for safety) has been exhausted. A documented benefit-risk analysis is mandatory.

Q. Does V5 enforce risk-matrix governance?

Yes — scales must be saved with concrete level definitions, acceptance thresholds frozen before scoring, individual votes captured before group consensus, mitigation actions linked to underlying CAPA / change-control records, periodic re-evaluation calendared, full Part 11 audit trail on every change.
