Safety risk management (SRM) is one of the four components of a Part 5 Safety Management System, defined in §5.3 as “describing the system, identifying the hazards, and analyzing, assessing, and controlling risk.” In practice it is a five-step process — describe the system (§5.53(b)), identify hazards (§5.53(c)), analyze the risk (§5.55(a)), decide acceptability (§5.55(b)), and control then re-assess (§5.55(c)–(d)). The 5x5 risk matrix — five levels of likelihood crossed with five levels of severity — is the most common tool for the analysis step, but it is an industry/ICAO method, not a 14 CFR requirement: the rule requires a defined process to determine acceptable risk, not a specific grid. Every pass of SRM produces a documented risk assessment, and under §5.97(a) those outputs must be retained for as long as the resulting control remains relevant to the operation.
Safety risk management is the component of the SMS that people most often picture when they hear “safety management” — it is the part where you look at a hazard and decide what to do about it. But it is also the part most often misunderstood, because the search results are full of 5x5 matrices presented as if the FAA mandated them. It didn't. This guide separates what the regulation actually requires (a defined, documented SRM process) from the popular tool used to satisfy it (the matrix), walks the process step by step against the CFR text, and then focuses on the part that survives a surveillance evaluation: the risk-assessment records the process produces.
One distinction up front, because the two get conflated constantly: a Part 135 SMS gap analysis asks “which parts of Part 5 am I missing?” A safety risk assessment — the subject of this page — asks “how severe and how likely is this specific hazard, and what control do I need?” The gap analysis is how you stand up your SMS; safety risk management is the ongoing process a running SMS performs every time the operation changes.
The SRM Process: 5 Steps, Mapped to 14 CFR §5.51–§5.55
“The SRM process in aviation” is one of the most-searched phrases behind this topic, and the honest answer is that the process is not a mystery — it is the structure written directly into the regulation. The Safety Risk Management subpart (§5.51 through §5.55) lays out, in order, what you must do. Below is each step, paired with the CFR section that requires it.
Describe the system
§5.53(b): Before you can find hazards you have to define what you are looking at. §5.53(b) lists five things your system analysis must consider: the function and purpose of the system; its operating environment; an outline of its processes and procedures; the personnel, equipment, and facilities needed to operate it; and the system's interfaces (how it touches other systems). Skipping this step is the most common reason a hazard list is incomplete.
Identify the hazards
§5.53(c): §5.53(c) requires a process to identify the hazards in the system you just described. A hazard is a condition that could foreseeably cause or contribute to an aircraft accident or incident — not the event itself. “Icing on a non-deiced wing” is a hazard; “loss of control” is the outcome. Good hazard identification draws on reports, prior occurrences, and the system description, and it captures hazards in plain, specific language.
Analyze the risk (likelihood × severity)
§5.55(a): §5.55(a) requires processes to analyze the safety risk associated with each identified hazard. This is where likelihood (how often the hazard's outcome is expected) meets severity (how bad that outcome would be). The 5x5 risk matrix is the most common tool for this step — but remember it is a method, not a mandate. The rule requires the analysis; it does not specify the grid.
Assess and decide acceptability
§5.55(b): §5.55(b) requires a defined process for conducting risk assessment that allows you to determine acceptable safety risk. This is the decision: is the risk green (accept), yellow (accept with mitigation / monitor), or red (do not proceed)? The threshold and the labels are yours to define — what the FAA wants is that your acceptability process is written down, applied consistently, and produces a clear, defensible decision.
Control the risk — then re-assess
§5.55(c)–(d): §5.55(c) requires developing the risk controls that the assessment shows are necessary, and §5.55(d) requires you to evaluate whether the risk will be acceptable with the proposed control applied before you implement it. In other words, you don't just add a control and move on — you re-run the assessment with the control in place to confirm it actually moves the risk into an acceptable cell. Then you document the residual risk and put the control into service.
The 5 elements of a system description (§5.53(b))
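Step 1 is the one operators rush. §5.53(b) is specific about what your system analysis must consider before you start listing hazards:
- The function and purpose of the system
- Its operating environment
- An outline of its processes and procedures
- The personnel, equipment, and facilities needed to operate it
- The system's interfaces (how it touches other systems)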
A hazard is not the same as the outcome — and not the same as risk
Three words get used loosely. A hazard is a condition that could foreseeably cause or contribute to an accident (icing on a non-deiced wing). The outcome is what the hazard could lead to (loss of control). The risk is the combination of how likely that outcome is and how severe it would be. The SRM process moves left to right across all three: identify the hazard, picture the outcome, then assess the risk. Mislabeling a hazard as an outcome is the most common reason a risk assessment reads cleanly but misses the actual exposure.
The 5x5 Risk Matrix: What It Is, and Why It Isn’t Required
The 5x5 risk matrix is the single most-searched artifact in aviation SMS — “sms risk matrix,” “aviation sms risk matrix,” and “5x5 risk matrix” all lead here. It deserves a precise treatment, because it is genuinely useful and widely misrepresented as a regulatory requirement.
The matrix is a method, not a mandate
14 CFR §5.55(b) requires “a process for conducting risk assessment that allows for the determination of acceptable safety risk.” It does not say 5x5. It does not say what the likelihood or severity labels must be, or how many cells the grid needs. A 3x3 matrix, a 4x4 matrix, a numeric risk index, or a defensible narrative method can all satisfy the rule. The 5x5 is simply the most common shape, used in FAA and ICAO guidance examples, because it is simple and visual. Choose it because it works for you — not because you think the regulation demands it.
How a 5x5 matrix works
A 5x5 matrix crosses two axes. One axis is likelihood — how often the hazard’s outcome is expected to occur. The other is severity — how bad that outcome would be. Each cell where a likelihood meets a severity carries a risk level, usually color-coded: green (acceptable as-is), yellow (acceptable with mitigation, or requires management review), and red (unacceptable — do not proceed until controlled). You assess a hazard’s risk, place it in a cell, and the cell tells you what to do. The labels below are a common set — yours are whatever you define in your SMS.
Likelihood (a common 5-level scale)
- Frequent — Likely to occur many times in the life of the operation
- Occasional — Likely to occur sometimes
- Remote — Unlikely, but possible, to occur
- Improbable — Very unlikely to occur
- Extremely improbable — Almost inconceivable that it will occur
Severity (a common 5-level scale)
- Catastrophic — Multiple fatalities / loss of aircraft
- Hazardous — Serious injury / major equipment damage; large safety-margin reduction
- Major — Significant reduction in safety margins; injury
- Minor — Slight reduction in safety margins; nuisance
- Negligible — Little to no effect on safety
A 5x5 risk matrix (illustrative color zones)
| Severity ↓ / Likelihood → | Frequent | Occasional | Remote | Improbable | Extremely improbable |
|---|---|---|---|---|---|
| Catastrophic | High | High | High | Med | Med |
| Hazardous | High | High | Med | Med | Low |
| Major | High | Med | Med | Low | Low |
| Minor | Med | Med | Low | Low | Low |
| Negligible | Med | Low | Low | Low | Low |
Illustrative only. High, Med, and Low correspond to the red, yellow, and green zones described above. The cell colors, thresholds, and labels are not specified by 14 CFR Part 5 — you define them in your SMS and apply them consistently. This grid is a teaching example, not a regulatory standard.
Worked example
Suppose you are adding a winter night-IFR route into a mountainous, non-towered field. A hazard is “structural icing in the approach environment with limited deicing capability.” The credible outcome is loss of control on approach — Catastrophic severity. Before controls, you judge the likelihood Occasional — that lands in a red cell, unacceptable. You then develop controls under §5.55(c): higher weather minimums for that field, a dispatch hold below a temperature/visible-moisture threshold, and recurrent icing-recognition training. Re-assessing under §5.55(d), the likelihood drops to Improbable, moving the risk to a yellow (acceptable-with-mitigation) cell. You document the residual risk, put the controls into service, and the whole analysis — hazard, pre-control risk, controls, post-control risk — becomes a risk-assessment record.
The matrix is the easy part; the record is the durable part. A color on a grid is a decision. What an FAA principal inspector verifies during a surveillance evaluation is the documented assessment behind it: the hazard, the analysis, the acceptability decision, and the controls. That document is a Safety Risk Management output under §5.97(a).
When Must You Run Safety Risk Management? The Four §5.51 Triggers
SRM is not a calendar event. §5.51 lists the four situations that require you to apply the SRM process — and the fourth is the one that ties the whole SMS together.
Implementation of new systems
Adding an aircraft type, opening a new base, standing up a new operational capability (HEMS, single-engine IFR, international ops). A new system has new hazards — assess them before it goes live.
Revision of existing systems
Changing a maintenance provider, modifying a route structure, restructuring crews, or adopting new equipment. A change to a system you already run can introduce or shift hazards.
Development of operational procedures
Writing or materially changing how a task is performed — a new dispatch procedure, a new fueling process, a revised approach profile. New procedures are assessed before they become standard.
Hazards or ineffective controls found through Safety Assurance
When the Safety Assurance processes in Subpart D (monitoring, audits, investigations, the confidential reporting system) surface a hazard or a control that isn’t working, that finding is fed back into SRM to be re-assessed. This is the loop that keeps the SMS alive.
SRM and Safety Assurance are a loop, not two silos
§5.51(d) is the hinge between the two operational components. Safety Risk Management (§5.51–§5.55) produces controls; Safety Assurance (§5.71–§5.75) monitors and verifies them; and when assurance finds a problem, it routes back into risk management. If you are mapping the whole system, read this alongside our Safety Assurance guide and the Part 135 SMS requirements overview.
Single-pilot operators run SRM too — just scaled down
Under §5.9(e), a single-pilot operator is exempted from a specific list of Part 5 items — but the core SRM sections (§5.51, §5.53, §5.55) are not on that list. A one-pilot operation still describes its systems, identifies hazards, assesses risk, and documents controls, proportional to its size. The deadline is the same May 28, 2027. See our single-pilot Part 135 SMS guide for the full applicability breakdown.
The SRM Output: Risk-Assessment Records and the §5.97(a) Retention Rule
Everything above produces one thing the FAA can ask to see: the risk assessment. §5.97(a) calls these “the outputs of safety risk management processes,” and it attaches an unusual retention rule that operators routinely get wrong.
SMS records and retention under 14 CFR §5.97
| Record category | CFR | Retention |
|---|---|---|
| Safety Risk Management outputs (your risk assessments) | §5.97(a) | As long as the control remains relevant to the operation |
| Safety Assurance outputs (audits, evaluations, monitoring) | §5.97(b) | Minimum of 5 years |
| Training records (per individual, §5.91) | §5.97(c) | As long as the individual is employed |
| Safety communications (§5.93 / §5.57) | §5.97(d) | Minimum of 24 consecutive calendar months |
Look at the first row of the table, Safety Risk Management outputs under §5.97(a). Unlike almost every other compliance record in aviation — which carries a fixed retention in months or years — a Safety Risk Management output has no fixed expiry. The clock is tied to the life of the control. If you adopted a control three years ago to keep a hazard acceptable, and you are still relying on that control today, the risk assessment that justified it is a live record the FAA can request — even though the assessment itself is years old. The moment a control is retired (the route is dropped, the procedure is replaced), the related assessment can age out. Practically, that means an operator can’t treat risk assessments as one-and-done paperwork: each one stays retrievable for as long as its control is in force, and you have to know which controls are still in force to know which records are still live.
A complete risk-assessment record generally captures: the system description (§5.53(b)), the hazard(s) identified (§5.53(c)), the pre-control likelihood/severity analysis (§5.55(a)), the acceptability decision and the method used (§5.55(b)), the risk controls developed (§5.55(c)), and the post-control re-assessment (§5.55(d)). Keep the dated, versioned document — not just the final matrix cell. This sits inside the broader Part 135 / Part 5 recordkeeping picture covered in our Part 135 SMS recordkeeping requirements guide and the wider what records a Part 135 operator must keep overview.
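The control-linked retention check described above, sketched as an added example (not FileFlo's code and not part of the regulation). Record IDs, control IDs and dates are constructed; counting the fixed minimums from each record's creation date, and retaining an SRM record that has no control link, are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Record categories, keyed by the §5.97 paragraph in the page's retention table.
SRM, ASSURANCE, TRAINING, COMMS = "5.97(a)", "5.97(b)", "5.97(c)", "5.97(d)"
# Fixed minimums from that table, in calendar months (5 years = 60 months).
FIXED_MONTHS = {ASSURANCE: 60, COMMS: 24}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    created: date
    controls: tuple = ()  # SRM only: IDs of the risk controls this assessment justifies
    person: str = ""      # training only: the individual the record belongs to


def add_months(d, months):
    """Shift a date by whole calendar months, clamping to the month's last day."""
    year, month0 = divmod(d.year * 12 + d.month - 1 + months, 12)
    first_of_next = date(year + (month0 == 11), (month0 + 1) % 12 + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(year, month0 + 1, min(d.day, last_day))


def must_retain(rec, as_of, active_controls, employed):
    """Return (retain, reason) for one record as of the given date."""
    if rec.category == SRM:
        if not rec.controls:
            # Failure mode: with no control link, nobody can show the record aged out.
            return True, "no control linked; retain until the link is established"
        live = sorted(set(rec.controls) & set(active_controls))
        if live:
            return True, "control still in force: " + ", ".join(live)
        return False, "all linked controls retired"
    if rec.category == TRAINING:
        keep = rec.person in employed
        return keep, "individual still employed" if keep else "individual no longer employed"
    if rec.category in FIXED_MONTHS:
        until = add_months(rec.created, FIXED_MONTHS[rec.category])
        if as_of < until:
            return True, f"inside minimum period, ends {until.isoformat()}"
        return False, f"minimum period ended {until.isoformat()}"
    raise ValueError(f"unknown record category: {rec.category!r}")


def live_records(register, as_of, active_controls, employed):
    """IDs of every record that must still be retrievable as of the given date."""
    return [r.record_id for r in register
            if must_retain(r, as_of, active_controls, employed)[0]]


# Constructed sample register: not real operator data.
REGISTER = [
    Record("RA-ICING-v2", SRM, date(2023, 1, 10), controls=("CTL-WX-MINS", "CTL-DISPATCH-HOLD")),
    Record("RA-OLD-ROUTE", SRM, date(2024, 2, 1), controls=("CTL-ROUTE-BRIEF",)),
    Record("RA-UNLINKED", SRM, date(2022, 6, 5)),
    Record("AUDIT-2020", ASSURANCE, date(2020, 3, 15)),
    Record("AUDIT-2023", ASSURANCE, date(2023, 9, 1)),
    Record("TRN-PILOT-A", TRAINING, date(2021, 4, 20), person="pilot-a"),
    Record("COMM-2024-05", COMMS, date(2024, 5, 31)),
    Record("COMM-2024-07", COMMS, date(2024, 7, 1)),
]
ACTIVE_CONTROLS = {"CTL-WX-MINS", "CTL-DISPATCH-HOLD"}  # CTL-ROUTE-BRIEF was retired
EMPLOYED = {"pilot-a"}
AS_OF = date(2026, 6, 1)

if __name__ == "__main__":
    for rec in REGISTER:
        keep, why = must_retain(rec, AS_OF, ACTIVE_CONTROLS, EMPLOYED)
        print(f"{rec.record_id:14} {'RETAIN' if keep else 'may age out':12} {why}")
```

The icing assessment is more than three years old on the sample date and is still live because its controls are in force, while the unlinked assessment is held back because its status cannot be shown either way.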
Where FileFlo Fits: Your SRM Records, Kept Audit-Ready
FileFlo holds the proof — it does not run your SMS or perform your risk assessments
FileFlo is a compliance document intelligence platform — the proof layer. It classifies, indexes, version-controls, and tracks the documents your SRM process produces, and it generates an inspector-format evidence binder on demand. It is not an SMS platform, does not run your safety management system, does not perform safety risk management or fill in your risk matrix, does not author your SMS manual, does not replace a safety manager or director of safety, and does not give legal or safety-program advice. You (and your safety organization) run SRM; FileFlo keeps the resulting risk assessments organized, versioned, and retrievable.
The §5.97(a) retention rule — keep the risk assessment as long as its control is relevant — is exactly the kind of open-ended, control-linked obligation that breaks down in a shared drive. Assessments get superseded, controls get retired, versions multiply, and two years later nobody can confidently say which assessment is the live one for a given control. That is a document-management problem, and it is the one FileFlo is built for.
Classify each risk assessment against the right §5.55 step
Upload a completed risk assessment and FileFlo classifies it against the Safety Risk Management component, so your SRM outputs are organized by hazard and control rather than buried in a folder tree — ready to produce when an inspector asks.
Version control so the live assessment is always obvious
When a hazard is re-assessed or a control changes, FileFlo keeps the version history. You can always show the current assessment for a control — and the trail of how it evolved — instead of guessing which copy of the spreadsheet is authoritative.
Track the control-linked retention clock
Because §5.97(a) ties retention to the life of the control, FileFlo helps you keep risk assessments retrievable for as long as their control is in force, alongside the fixed clocks for Safety Assurance (5-year), training (employment), and communications (24-month) records.
One-click Part 5 evidence binder
When your FAA principal inspector asks for SMS documentation, FileFlo generates a Part 5-organized evidence binder — indexed by component — in seconds. The same binder supports ACSF, IS-BAO, and ARGUS audit preparation.
Starter Plan
$89/mo
Up to 100 documents/month · 3 users
For solo owner-operators and small teams organizing their first SMS risk assessments and documentation.
Professional Plan
$299/mo
Unlimited documents + users · audit trail · employee auto-detection
For Part 135 operators managing the full SMS evidence load across all four components.
Frequently Asked Questions
What is safety risk management in an SMS?
Safety risk management (SRM) is one of the four components of a Safety Management System under 14 CFR Part 5. The regulation defines it (in §5.3) as “a process within the SMS composed of describing the system, identifying the hazards, and analyzing, assessing, and controlling risk.” In plain English, SRM is the structured way a Part 135 operator looks at a new system, a change, or a procedure; figures out what could go wrong (the hazards); decides how bad and how likely each resulting risk is; and then puts controls in place to bring the risk down to an acceptable level before proceeding. SRM lives in §5.51 through §5.55. It is the “think before you fly it” engine of the SMS, and every time you run it, it produces records the FAA expects you to keep.
What is the SRM process and what are its steps?
The SRM process follows the structure embedded in 14 CFR §5.51–§5.55, and it is commonly described as five steps. (1) Describe the system: §5.53 says your analysis must consider the function and purpose of the system, its operating environment, an outline of its processes and procedures, the personnel, equipment, and facilities needed, and its interfaces. (2) Identify the hazards: §5.53(c) requires a process to find hazards in the system you just described. (3) Analyze the risk: §5.55(a) requires processes to analyze the safety risk associated with each identified hazard — this is where likelihood and severity come in. (4) Assess and accept (or not): §5.55(b) requires a defined process for determining what counts as acceptable safety risk. (5) Control the risk: §5.55(c) requires developing risk controls, and §5.55(d) requires evaluating whether the risk will be acceptable with the proposed control applied before you implement it. The output of each pass is a documented risk assessment — a record, not just a meeting.
What is a 5x5 risk matrix in aviation SMS?
A 5x5 risk matrix is a five-by-five grid that crosses five levels of likelihood (how often a hazard's outcome is expected to occur — e.g., frequent, occasional, remote, improbable, extremely improbable) against five levels of severity (how bad the outcome would be — e.g., negligible, minor, major, hazardous, catastrophic). Each cell carries a risk level — typically green (acceptable), yellow (acceptable with mitigation / review), or red (unacceptable) — so once you place a hazard's risk in a cell, the matrix tells you whether you can accept it, must mitigate it, or must stop. It is the most widely used tool for the §5.55 risk-assessment step. Critically, the 5x5 matrix is a common industry and ICAO method, NOT a 14 CFR Part 5 requirement: the rule requires you to have a defined risk-assessment process that determines acceptable risk (§5.55(b)), but it does not mandate a 5x5 grid, those specific labels, or any particular number of cells. A 3x3 or 4x4 matrix, or another defensible method, can satisfy the rule.
Is the 5x5 risk matrix required by the FAA?
No. The 5x5 risk matrix is not required by 14 CFR Part 5. What the regulation requires is a defined, documented process for assessing safety risk that allows you to determine acceptable safety risk (§5.55(b)) — the rule is deliberately performance-based and does not prescribe the tool. The 5x5 matrix is simply the most common way operators meet that requirement because it is simple, visual, and well understood, and the FAA's and ICAO's own guidance materials illustrate matrices of that shape. You could use a 3x3 matrix, a 4x4 matrix, a numeric risk-index, or a narrative method — what matters is that your method is defined in your SMS, applied consistently, and produces a documented, defensible acceptability decision. Whatever method you choose, the assessment it produces is a Safety Risk Management output you must retain under §5.97(a) for as long as the resulting control remains relevant to the operation.
When does a Part 135 operator have to run safety risk management?
Under §5.51, an operator must apply safety risk management to four triggers: (a) the implementation of new systems, (b) the revision of existing systems, (c) the development of operational procedures, and (d) the identification of hazards or ineffective risk controls through the safety assurance processes in Subpart D. In practice that means you run the SRM process when you add an aircraft type, open a new base, change a maintenance provider, adopt a new operational procedure, take on a new kind of mission (say, HEMS or single-engine IFR), or when your safety assurance monitoring surfaces a hazard that your existing controls aren't catching. SRM is not a once-a-year exercise — it is the process you reach for whenever the operation changes or a new hazard appears, and each pass generates a risk-assessment record.
What is the difference between safety risk management and safety assurance?
They are two of the four SMS components and they work as a loop. Safety risk management (§5.51–§5.55) is the forward-looking process: describe the system, identify hazards, assess the risk, and put controls in place before something changes. Safety assurance (§5.71–§5.75) is the backward-looking process: monitor operations, audit, investigate, and run a confidential reporting system to confirm that the risk controls you put in place are actually working. The connection is explicit in §5.51(d) — when safety assurance finds a hazard or an ineffective control, that finding is fed back into safety risk management to be re-assessed. So SRM produces controls; safety assurance verifies them and feeds new hazards back to SRM. Both components produce records, but with different retention clocks under §5.97: SRM outputs are kept as long as the control is relevant, while safety assurance outputs are kept for a minimum of five years.
What records does the SRM process produce, and how long must I keep them?
The SRM process produces what §5.97(a) calls “the outputs of safety risk management processes” — in practice, your documented risk assessments: the system description, the hazards identified, the likelihood/severity analysis, the acceptability decision, and the risk controls adopted. Under §5.97(a), those outputs must be retained as long as the safety risk control they support “remains relevant to the operation.” That is an unusual retention rule: there is no fixed number of years — the clock is tied to the life of the control. As long as you are relying on a control to keep a hazard acceptable, the risk assessment that justified that control is a live record the FAA can ask to see. This is different from safety assurance outputs (five-year minimum, §5.97(b)) and from training records (kept while the individual is employed, §5.97(c)). The practical takeaway: SRM records are not a one-time deliverable you file and forget — they are evidence you must be able to retrieve for as long as the underlying control exists.
Do single-pilot Part 135 operators have to do safety risk management?
Yes. Single-pilot Part 135 operators are subject to the same May 28, 2027 SMS compliance date as every other Part 135 certificate holder, and the Safety Risk Management component (§5.51–§5.55) applies to them. Under §5.9(e), a single-pilot operator — where one pilot is the sole individual performing all necessary functions — is exempted from a specific list of Part 5 line items (including §5.21(a)(4)–(5), §5.21(c), §5.23(a)(2)–(3), §5.23(b), §5.25(b)(3), §5.25(c), §5.27(a)–(b), §5.71(a)(7), §5.93, and §5.97(d)), but none of the core SRM sections (§5.51, §5.53, §5.55) are on that exemption list. So a single-pilot operator still describes the system, identifies hazards, assesses risk, and documents controls — just at a scale proportional to a one-pilot operation. See our single-pilot Part 135 SMS guide for the full applicability breakdown.
Your risk matrix is a decision. Your risk assessment is the record.
FileFlo classifies every safety risk assessment your SRM process produces, version-controls it, tracks the control-linked retention under §5.97(a), and generates an FAA-organized evidence binder on demand. Run safety risk management with your SMS — keep the proof audit-ready with FileFlo. Starter at $89/mo · Professional at $299/mo · No credit card required.