Defining HAZOP Risk Assessment Criteria - A Practical Guide
- Soter Software Team

- Jan 25

Risk Assessing a Hazard and Operability (HAZOP) study can add enormous value to an organisation. By strengthening traditional qualitative findings with structured risk ranking, teams gain a clearer understanding not only of what could go wrong, but which process safety issues matter most and why.
Despite its potential advantages, this value is only realised when the organisation has clear, consistent, and well-designed risk assessment criteria. Without this foundation, risk ranking can become subjective and inconsistent, making it difficult to compare performance across sites or even compare one HAZOP to the next on the same site. This makes it harder to see how risk is changing over time — one of the most powerful advantages of risk-assessed HAZOPs.
Consistent, corporate-level criteria ensure that risk is evaluated the same way everywhere, giving leadership and technical teams a reliable basis for prioritisation, resource allocation, and long-term process safety planning.
This guide outlines
how organisations can establish robust HAZOP risk assessment criteria,
why this must be done at a corporate level, and
how consistent application strengthens visibility, governance, and decision-making across an asset portfolio.
What is Meant by “Risk”?

In the context of process safety, risk is the combination of the likelihood of a hazardous event and the severity of its consequences, and is expressed quantitatively as:
Risk = Likelihood × Severity
where:
Likelihood = How probable it is that a hazardous scenario will occur.
Severity = How serious the consequences would be if it did occur.
This simple formula underpins almost all process safety risk ranking methods. By scoring each scenario, organisations can determine whether it falls into a low, medium, or high risk category — with some adopting 5- or 7-tier scales where more granularity is needed.
Risk ranking also provides the foundation for demonstrating ALARP (As Low As Reasonably Practicable) — by showing whether existing safeguards reduce risk to a tolerable level and whether additional controls are reasonably justified. Clear scoring creates a transparent decision-making trail, which is especially important in regulated industries.
Why Establish Consistent HAZOP Risk Assessment Criteria?

When there is inconsistency in the definition of likelihood, severity or risk, comparison across sites becomes nearly impossible. For example, a scenario identified as “high-risk” in one HAZOP study may be classed as “medium-risk” at another site, or even by another facilitator reviewing the same system.
This inconsistency creates organisational blind spots. The decisions made by leadership, operations, and asset management teams depend on clarity about relative risk. The resultant lack of clarity undermines governance, confuses decision-makers, and creates significant challenges for achieving clear, organisation-wide visibility of risk and process safety management.
Clear, consistent risk assessment criteria:
Ensure hazards are evaluated on a like-for-like basis,
Strengthen governance by allowing risk-based resource allocation,
Prevent critical issues from being unintentionally deprioritised,
Reduce subjectivity in interpretation of risk,
Make trends visible across individual sites and across a portfolio of sites.
Clear, well-defined criteria are the foundation of meaningful HAZOP risk assessment and organisation-wide visibility of process safety risk — enabling decisions that are consistent, defensible, and aligned with real operational priorities.
Defining Your HAZOP Risk Assessment Criteria

To get meaningful, consistent, and comparable risk insights from your HAZOPs, you first need a well-designed set of risk assessment criteria. These criteria define how your organisation measures risk — including how likelihood and severity are interpreted, how risk levels are categorised, and what thresholds determine whether a scenario is considered low, medium, or high risk.
Risk assessment criteria establish the basis for how risk is evaluated. If an organisation has not defined its own criteria, it will inevitably end up using someone else’s — usually, a generic set of criteria suggested by an external HAZOP chair, which may not reflect your organisation’s operational and strategic goals, or corporate risk appetite.
Ideally, HAZOP risk assessment criteria should align with — or feed into — an organisation’s wider risk management framework. When “high risk” in a HAZOP means the same thing as “high risk” in business continuity, operations, or corporate risk reporting, decision-makers gain a clearer, more unified view of where risk truly lies. If that alignment isn’t available at corporate level, criteria can still be defined at the process-safety level, giving teams a robust, consistent foundation from which to work.
With well-designed criteria in place:
all sites use the same language, definitions, and thresholds for estimating risk,
the organisation’s risk appetite is reflected in process safety management,
HAZOP outputs can be compared, aggregated, and trended over time for the same site and/or across similar sites in a large portfolio of assets,
decision-makers can consistently interpret findings.
Once defined, these criteria must be applied universally.
Building the Components of Your HAZOP Risk Assessment Criteria

Once the need for consistent, organisation-wide criteria is clear, the next step is to define the individual components that make up your HAZOP risk assessment framework. Each element plays a role in how risk is interpreted, prioritised, and communicated.
1. Identify the Risk “Receptors” of Concern
Every organisation must first determine what it is trying to protect. These are your risk receptors — the areas where harm may occur if a scenario materialises, and which you want robust safeguards in place to protect.
Common receptors include:
Safety (injury or fatality)
Environmental impact
Asset or equipment damage
Reputation
Ability to supply / business continuity
Regulatory or financial exposure
Some organisations assess only one receptor (usually safety of persons) within their HAZOPs; others take a broader, multi-receptor approach.
Pro Tip: Select the top three receptors that matter most to your organisation and apply them consistently across all HAZOP studies. This ensures clarity without unnecessary complexity and minimises the additional time that risk assessment may add to a HAZOP workshop.
2. Define the number of risk categories
Risk categories represent how finely you want to distinguish levels of risk within your operations. Common structures are:
3 tier risk: Low, Medium, High
5 tier risk: Very Low, Low, Medium, High, Very High
7 tier risk: For highly nuanced or complex operations
Pro Tip: For most organisations, a 3-tier model offers the right balance — providing clear prioritisation without overcomplicating the assessment.
3. Select an Appropriate Risk Matrix Size
Your matrix size should reflect the number of likelihood and severity bands you plan to use:
3×3: Suitable for simple contexts or early conceptual design
5×5: The most widely used; offers good granularity and clarity
7×7: Typically reserved for highly complex or risk-mature organisations
Pro Tip: A 5×5 matrix is the most common choice, particularly when applying three overall risk levels (Low/Medium/High).
4. Establish Likelihood and Severity Boundaries
Once the matrix size has been selected (e.g., 3×3, 5×5, 7×7), the next step is to define the likelihood and severity levels that will populate it. The number of levels must match the size of your matrix.
A 3×3 matrix requires 3 likelihood levels and 3 severity levels.
A 5×5 matrix requires 5 likelihood levels and 5 severity levels, and so on.
For each receptor (e.g., Safety, Environment, Assets), define:
Clear likelihood levels
Clear severity levels
Numerical or descriptive boundaries for each band
These boundaries must be specific enough to support consistent scoring across sites, teams, and facilitators.
Pro Tip: Where useful, organisations can add time-based descriptors for likelihood or severity to improve clarity and reduce subjectivity during HAZOP workshops.
5. Finalise and Approve Risk Criteria
Once all components are established:
Receptors
Risk level categories
Matrix size
Likelihood boundaries
Severity boundaries
Risk rating ranges
…you now have a coherent, organisation-wide set of risk assessment criteria for HAZOPs. This becomes the single reference point ensuring that every study evaluates risk using the same assumptions, definitions, and thresholds.
This creates a transparent, auditable, and repeatable method for scoring risk across the entire organisation — a prerequisite for consistent, portfolio-level visibility and decision-making.
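The five components above can be held as one machine-checkable definition. The following is an added example, not code from this guide or from Soter Software: it checks that the band counts match the matrix size and that the risk rating ranges cover every score without gaps, then ranks one scenario per receptor. The thresholds, band labels, the `SITE_B` variant and the scenario scores are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Criteria:
    size: int        # matrix is size x size
    receptors: dict  # receptor -> (likelihood labels, severity labels)
    ranges: dict     # risk tier -> (lowest score, highest score), inclusive

    def validate(self):
        """Return a list of defects; an empty list means the criteria are usable."""
        problems = []
        for name, (likelihood, severity) in self.receptors.items():
            if len(likelihood) != self.size or len(severity) != self.size:
                problems.append(f"{name}: band count does not match {self.size}x{self.size} matrix")
        expected = 1
        for tier, (lo, hi) in sorted(self.ranges.items(), key=lambda kv: kv[1]):
            if lo != expected or hi < lo:
                problems.append(f"{tier}: gap or overlap at score {expected}")
            expected = hi + 1
        if expected != self.size ** 2 + 1:
            problems.append("rating ranges do not end at the maximum score")
        return problems

    def tier(self, likelihood, severity):
        if not (1 <= likelihood <= self.size and 1 <= severity <= self.size):
            raise ValueError("level outside the matrix")
        score = likelihood * severity  # Risk = Likelihood x Severity
        return next(t for t, (lo, hi) in self.ranges.items() if lo <= score <= hi)

    def rank(self, scores):
        """scores: receptor -> (likelihood, severity). Returns (worst tier, per-receptor tiers)."""
        unknown = set(scores) - set(self.receptors)
        if unknown:
            raise ValueError(f"receptors not in approved criteria: {sorted(unknown)}")
        per = {r: self.tier(l, s) for r, (l, s) in scores.items()}
        order = sorted(self.ranges, key=lambda t: self.ranges[t])
        return max(per.values(), key=order.index), per

# Constructed sample data: placeholder band labels and assumed thresholds.
BANDS5 = ["1", "2", "3", "4", "5"]
CORPORATE = Criteria(5, {r: (BANDS5, BANDS5) for r in ("Safety", "Environment", "Assets")},
                     {"Low": (1, 4), "Medium": (5, 12), "High": (13, 25)})
# A site that drifted to its own thresholds ranks the same scenario differently.
SITE_B = Criteria(5, CORPORATE.receptors, {"Low": (1, 6), "Medium": (7, 15), "High": (16, 25)})
SCENARIO = {"Safety": (3, 5), "Environment": (2, 3), "Assets": (4, 2)}
```

With these sample values the corporate criteria rank the scenario High on Safety, while the drifted `SITE_B` thresholds rank the identical scores Medium.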
What to Do After the Criteria Are Established

Once the HAZOP risk assessment criteria are defined, the next step is ensuring they are consistently applied across the organisation. Well-designed criteria only create value if they are embedded into everyday practice.
1. Document the criteria within corporate risk governance frameworks
The full set of criteria (risk receptors, matrix, likelihood and severity boundaries, and scoring rules) should be formally documented — typically within the organisation’s HAZOP procedure, process safety management standard, or risk management policy. This ensures the criteria are treated as approved, controlled requirements.
2. Communicate the criteria broadly across the organisation
Everyone involved in HAZOP studies should understand how risk is defined and scored. This includes engineering teams, operations, maintenance, leadership, and external facilitators. Clarity upfront prevents inconsistent interpretation during studies.
3. Provide practical guidance and training
Even the best-designed criteria may be applied inconsistently if teams interpret them differently. Short training sessions, worked examples, calibration exercises, and facilitator briefings help ensure that likelihood and severity levels are used as intended across all studies, sites, and contractors.
4. Use a single digital system to enforce consistency
Managing HAZOPs in spreadsheets or similar siloed systems can make consistency difficult to achieve. Using one digital platform with the organisation’s risk matrix, definitions, and scoring logic built in allows teams to:
Apply criteria consistently across all sites and study teams
Prevent local variation or “criteria drift”
Compare and aggregate risk across facilities
Identify trends in process risk across the portfolio
Track risk reduction over time
When the criteria are embedded, understood, and applied consistently — and supported by the right digital tools — organisations can unlock the full value of risk-assessed HAZOPs: comparability, transparency, and enhanced visibility of process safety risk.

Risk-assessing HAZOPs delivers real value only when the criteria behind the scoring are well-designed, consistent, and understood across the organisation. Getting this foundation right unlocks clearer insight, better prioritisation, and more reliable risk visibility across teams and sites.
Here are 5 key takeaways to guide your approach:
1. Consistency is essential for meaningful risk insight. Without organisation-wide risk criteria, HAZOP scoring becomes subjective, making cross-site comparison, governance oversight, and trend analysis difficult.
2. Risk assessment criteria should be defined at corporate level. Setting receptors, matrices, and scoring boundaries at corporate or risk-governance level ensures alignment with organisational risk appetite and promotes consistent risk determination.
3. Choosing the right receptors, matrix size, and scoring levels shapes how risk is understood. Clear likelihood and severity definitions provide transparency, traceability, and a repeatable basis for risk ranking.
4. Alignment with broader corporate risk frameworks strengthens decision-making. When “high risk” means the same thing in process safety, asset management, and corporate reporting, leadership can prioritise with confidence.
5. Embedding the criteria — through governance, communication, training, and software — unlocks the real value. Once consistently applied, organisations can compare, aggregate, and trend risk across the portfolio, improving visibility and operational resilience.


