Risk Assessment or Risk Illusion? What the Risk Matrix Doesn’t Tell You

By Florin Necula, PhD | Maintenance Manager & Lecturer in Safety & Human Factors
Jun 6^th, 2025

Risk assessments are everywhere in aviation maintenance today.

Switch suppliers? Assess the risk.

Change tooling? Assess the risk.

Move a cabinet? Yes, you guessed it — assess the risk.

It’s become a default checkbox for almost everything. But here’s the hard truth no one wants to say out loud:

The output of a risk assessment says more about the assessor than the risk.

When Risk Assessments Become Rituals

I’ve seen it across EASA Part 145 organisations:

Auditors increasingly demand documented risk assessments — sometimes even for trivial tasks. It’s understandable; documentation is easy to audit.

But here’s the danger: the more we overuse the tool, the more we undermine its value.

Risk assessment isn’t meant to be paperwork for its own sake.

It’s meant to support intelligent decision-making.

Yet we now have a situation where forms are completed, boxes are ticked and risks — the real ones — are misunderstood or overlooked.

The Illusion of Objectivity

On the surface, a risk matrix feels scientific: red, amber, green, probabilities, severities, control measures, structured, repeatable, objective. Except it isn’t.

Because the moment you ask:

“What’s the probability of occurrence?”

“How severe would the outcome be?”

…you’ve entered the world of subjective human judgment.

And that judgment varies wildly. Two assessors. Same scenario.  One rates it as “High Risk.” The other as “Tolerable.”

What’s the difference?

Not the hazard — the mindset, experience and perception of the assessor.

The Core Problem: Risk Perception ≠ Risk Control

We like to believe that documenting a risk assessment improves safety.

But in reality, it only works if the assessor has the competence to perceive, understand, and contextualize that risk. And that’s something a matrix alone can’t deliver. A junior engineer may undervalue a latent human factor. A rushed manager may copy-paste yesterday’s control measures. A stressed team may unintentionally game the scoring to avoid raising flags. It’s not bad intent. It’s just bad assumptions.

The Fix? Competence Over Compliance

Instead of asking “Have you assessed the risk?”

We should ask: “Did someone competent assess the risk — and was it meaningful?”

Because here’s the truth:

A beautifully filled risk assessment done by someone who doesn’t understand operational context is just a colourful lie.

Effective risk management demands: technical experience, operational familiarity, human factors awareness, the courage to challenge assumptions, not just templates and traffic-light charts.

Final Thought: From Risk Ticking to Risk Thinking

Risk assessment isn’t broken.

Our use of it is.

It’s not supposed to be about satisfying auditors — it’s supposed to help prevent accidents.

Let’s stop pretending that the form is the fix and start investing in the people who can actually interpret and manage the risk. Because at the end of the day, you don’t assess risk — you manage it.

Agree or disagree?

Do you think we’ve gone too far in risk-assessing the routine — or is this just what maturity in safety looks like?

Drop your thoughts in comments.