A risk assessment is a systematic process for identifying, analyzing, and managing potential risks to the safety, health, and property of employees, customers, visitors, and other stakeholders. It includes the identification of hazards and the assessment of risks associated with those hazards. The goal of a risk assessment is to reduce or eliminate the risks identified through the application of effective control measures.
Health and safety legally require that risk assessments be done at certain points in the process, like when you’re starting out or changing things up. These documents help us understand what dangers might arise so we can try hard to prevent them from happening! The decision to use a risk assessment method is important as it determines the priorities and objectives for eliminating hazards.
Wherever possible, risks should be eliminated through the selection and design of facilities. If this is not an option for whatever reason (maybe because it would cause too much disruption), then minimize them by using physical controls or PPE as a last resort!
A company’s success depends on its ability to manage all types of accidents at work before they happen, so these events cannot cause major safety problems. This blog covers hazard identification, risk assessment, and appropriate control measures to protect against hazards.
Legal Aspects Of Risk Assessment
The general duties of employers to their employees in Section 2 of the HSW Act 1974 imply the need for risk assessment. This duty was also extended by Section 3 of the Act to anybody affected by the employer’s activities – contractors, visitors, customers, or public members. However, the Management of Health and Safety at Work Regulations are much more specific concerning the need for risk assessment. The following requirements are laid down in those Regulations:
- the risk assessment shall be ‘suitable and sufficient and cover both employees and non-employees affected by the employer’s undertaking (e.g. contractors, members of the public, students, patients, customers); every self-employed person shall make a ‘suitable and sufficient assessment of the risks to which they or those affected by the undertaking may be exposed;
- any risk assessment shall be reviewed if there is reason to suspect that it is no longer valid or if a significant change has taken place;
- where there are five or more employees, the significant findings of the assessment shall be recorded and any especially at-risk group of employees identified. (This does not mean that employers with four or fewer employees need not undertake risk assessments.)
The term ‘suitable and sufficient’ is important as it defines the limits to the risk assessment process. A suitable and sufficient risk assessment should:
- identify the significant risks and ignore the trivial ones;
- identify and prioritize the measures required to comply with any relevant statutory provisions;
- remain appropriate to the nature of the work and valid over a reasonable period of time;
- identify the risk arising from or in connection with the work. The level of detail should be proportionate to the risk.
The significant findings that should be recorded include a detailed statement of the hazards and risks, the preventative, protective, or control measures in place, and any further measures required to reduce the risks present.
When assessing risks under the Management of Health and Safety at Work Regulations, reference to other Regulations may be necessary even if there is no specific requirement for a risk assessment in those Regulations. For example, reference to the legal requirements of the Provision and Use of Work Equipment Regulations will be necessary when machinery operation risks are being considered. However, there is no need to repeat a risk assessment if it is already covered by other Regulations (e.g., a risk assessment considering personal protective equipment is required under the COSHH Regulations, so there is no need to undertake a separate risk assessment under the Personal Protective Equipment Regulations).
Apart from the duty under the Management of Health and Safety at Work Regulations to undertake a health and safety assessment of the risks to any person (employees, contractors, or members of the public) who may be affected by the activities of the organization, the following Regulations require a specific risk assessment to be made:
- Ionising Radiations Regulations;
- Control of Asbestos Regulations;
- Control of Noise at Work Regulations;
- Manual Handling Operations Regulations;
- Health and Safety (Display Screen Equipment) Regulations;
- Personal Protective Equipment at Work Regulations;
- Confined Spaces Regulations;
- Work at Height Regulations;
- Regulatory Reform (Fire Safety) Order (not under HSW Act);
- Control of Vibration at Work Regulations;
- Control of Lead at Work Regulations;
- Control of Substances Hazardous to Health Regulations.
Forms Of Risk Assessment
There are two basic forms of risk assessment.
Quantitative Risk Assessment
A quantitative risk assessment is used to assess the likelihood of a particular event occurring and the possible consequences of that event. This type of risk assessment is typically used when a potential malfunction could have serious consequences (e.g., aircraft design and maintenance or the petrochemical industry).
To perform a quantitative risk assessment, analysts typically consider the probability of an event occurring and the possible severity of the outcome. This information is then used to assign a numerical value to the risk. This value can then be used to compare different risks and decide how to best manage those risks.
Quantitative risk assessments can be complex and require significant data and analysis. However, they can be important for understanding and managing potentially serious risks.
Qualitative Risk Assessment
A qualitative risk assessment is a type of risk assessment that is based purely on personal judgment and is normally defined as high, medium or low. Qualitative risk assessments are usually satisfactory as the definition (high, medium or low) is normally used to determine the time frame over which further action is to be taken.
The term ‘generic’ risk assessment is sometimes used and describes a risk assessment that covers similar activities or work equipment in different departments, sites or companies. Such assessments are often produced by specialist bodies, such as trade associations. If used, they must be appropriate to the particular job, and they will need to be extended to cover additional hazards or risks.
Basic Definition Relevant To Risk Assessment
Risk assessment is a process of analyzing threats and vulnerabilities to help determine what level or severity they pose. To do this, we’ll need some basic definitions that are used in risk assessments:
Hazard and risk
A hazard can cause harm (this can include articles, substances, plants or machines, methods of working, the working environment, and other aspects of work organization). Hazards take many forms, for example, chemicals, electricity, or noise. A hazard can be ranked relative to other hazards or a possible danger level.
A risk is the likelihood of potential harm from that hazard being realized. Risk (or strictly the level of risk) is also linked to the severity of its consequences. A risk can be reduced and the hazard controlled by good management.
It is very important to distinguish between a hazard and a risk – the two terms are often confused, and activities often called high risk are, in fact, high risk. There should only be a high residual risk where poor health and safety management and inadequate control measures exist.
Electricity is an example of a high hazard as it has the potential to kill a person. The risk associated with electricity – the likelihood of being killed on coming into contact with an electrical device – is, hopefully, low.
Occupational or work-related ill-health
This concerns acute and chronic illnesses or physical and mental disorders that are either caused or triggered by workplace activities. Such conditions may be induced by the particular work activity of the individual or by the activities of others in the workplace. The time interval between exposure and the onset of the illness may be short (e.g., acute asthma attacks) or long (e.g., chronic deafness or cancer).
This is defined by the Health and Safety Executive (HSE) as ‘any unplanned event that results in injury or ill-health of people, or damage or loss to property, plant, materials or the environment or a loss of a business opportunity. Other authorities define an accident more narrowly by excluding events that do not involve injury or ill-health.
Incident and near-miss
The HSE states that an ‘Incident includes all undesired circumstances and “near misses” which could cause accidents. Knowledge of near misses is very important as research has shown that, approximately, for every 10 ‘near miss’ events at a particular location in the workplace, a minor accident will occur.
This is a ‘near miss’ or ‘Damage Incident,’ which could have led to serious injury or loss of life. Dangerous occurrences are defined in the Reporting of Injuries, Diseases, and Dangerous Occurrences Regulations (often known as RIDDOR) and are always reportable to the enforcement authorities. Examples include the collapse of a scaffold or a crane or the failure of any passenger-carrying equipment.
The Objectives Of Risk Assessment
The main objective of risk assessment is to determine the measures required by the organization to comply with relevant health and safety legislation and, thereby reduce the level of occupational injuries and ill-health. The purpose is to help the employer or self-employed person to determine the measures required to comply with their legal, statutory duty under the HSW Act 1974 or its associated Regulations. The risk assessment will need to cover all those who may be at risk, such as customers, contractors, and public members. In the case of shared workplaces, an overall risk assessment may be needed in partnership with other employers.
Any accident or incidence of ill-health will cause both direct and indirect costs and incur an insured and an uninsured cost. It is important that all of these costs are considered when the full cost of an accident is calculated. A study undertaken by the HSE showed that indirect or hidden costs could be 36 times greater than the direct costs of an accident. In other words, the direct costs of an accident or disease represent the tip of the iceberg when compared with the overall costs.
Direct costs are costs that are directly related to the accident. They may be insured (claims on employers and public liability insurance, damage to buildings, equipment, or vehicles) or uninsured (fines, sick pay, damage to product, equipment, or process).
Indirect costs may be insured (business loss, product or process liability) or uninsured (loss of goodwill, extra overtime payments, accident investigation time, production delays).
There are many reasons for the seriousness of a hazard not to be obvious to the person exposed to it. It may be that the hazard is not visible (radiation, certain gases, and biological agents) or has no short-term effect (work-related upper limb disorders). Some common causes of accidents include lack of attention, lack of experience, not wearing appropriate PPE, sensory impairment, and inadequate information, instruction, and training.
There are several categories of accidents. The principal categories are as follows:
- contact with moving machinery or material being machined;
- struck by a moving, flying, or falling object;
- hit by a moving vehicle;
- struck against something fixed or stationary;
- injured while handling, lifting, or carrying;
- slips, trips, and falls on the same level;
- falls from a height;
- trapped by something collapsing;
- drowned or asphyxiated;
- exposed to, or in contact with, a harmful substance;
- exposed to fire;
- exposed to an explosion;
- contact with electricity or an electrical discharge;
- injured by an animal;
- physically assaulted by a person;
- other kinds of accidents.
Risk assessment is not only concerned with injuries in the workplace but also needs to consider the possibility of occupational ill-health. Health risks fall into the following four categories:
- chemical (e.g., paint solvents, exhaust fumes);
- biological (e.g. bacteria, pathogens);
- physical (e.g., noise, vibrations);
- psychological (e.g., occupational stress).
There are two possible health effects of occupational ill-health.
They may be acute, which means that they occur soon after the exposure and are often of short duration, although in some cases, emergency admission to the hospital may be required.
They may be chronic, which means the health effects develop over time. The associated disease may take several years to develop, and the effects may be slight (mild asthma) or severe (cancer).
The Management Of Risk Assessment
Risk assessment is part of the planning and performance stages of the health and safety management system recommended by the HSE in its publication HSG65. All aspects of the organization, including health and safety management, need to be covered by the risk assessment process. This will involve assessing risk in areas such as maintenance procedures, training programs, and supervisory arrangements.
A general risk assessment of the organization should reveal the significant hazards present and the general control measures that are in place. Such a risk assessment should be completed first, followed by more specific risk assessments that examine individual work activities.
It is important that the risk assessment team is selected based on its competence to assess risks in the particular areas under examination in the organization. The Team Leader or Manager should have health and safety experience and relevant training in risk assessment. It is sensible to involve the appropriate line manager as a team member, responsible for the area or activity being assessed. Other team members will be selected based on their experience, technical and/or design knowledge, and any relevant standards or Regulations relating to the activity or process. At least one team member must have communication and report writing skills. A positive attitude and commitment to the risk assessment task are also important factors. It is likely that team members will require some basic training in risk assessment.
5 Steps to Risk Assessment
A risk assessment is a process of identifying, assessing, and managing risks to ensure that an organization operates within its risk appetite. A risk assessment helps an organization determine its level of exposure to potential losses and take steps to minimize those losses.
There are five steps in conducting a risk assessment:
- Look For The Hazards;
- Decide Who Might Be Harmed, And How;
- Evaluate The Risks And Decide Whether Existing Precautions Are Adequate Or More Should Be Done;
- Record The Significant Findings;
- Review The Assessment And Revise It If Necessary
Step 1 – Look For The Hazards
The essential first step in risk assessment is to seek out and identify hazards. Relevant sources of information include:
- legislation and supporting Approved Codes of Practice which give practical guidance and include basic minimum requirements;
- process information;
- the product information provided under Section 6 of the HSW Act;
- relevant British, European and international standards;
- industry or trade association guidance;
- the personal knowledge and experience of managers and employees;
- accident, ill-health, and incident data from within the organization, from other organizations or from central sources;
- expert advice and opinion and relevant research.
There should be a critical appraisal of all routine and non-routine business activities. People exposed may include not just employees but also others such as public members, contractors, and users of the products and services. Employees and safety representatives can make a useful contribution in identifying hazards.
In the simplest cases, hazards can be identified by observation and by comparing the circumstances with the relevant information (e.g., single-story premises will not present any hazards associated with stairs). In more complex cases, measurements such as air sampling or examining machine operation methods may be necessary to identify the presence of hazards from chemicals or machinery. Special techniques and systems may be needed in the most complex or high-risk cases (for example, in the chemical or nuclear industry) such as hazard and operability studies (HAZOPS) and hazard analysis techniques such as event or fault tree analysis. Specialist advice may be needed to choose and apply the most appropriate method. Only significant hazards, which could result in serious harm to people, should be identified. Trivial hazards are a lower priority.
A tour of the area under consideration by the risk assessment team is essential to hazard identification, as is consultation with the relevant workforce section.
Reviewing accident, incident and ill-health records will also help with the identification. Other sources of information include safety inspection, survey and audit reports, job or task analysis reports, manufacturers’ handbooks or data sheets and Approved Codes of Practice, and other forms of guidance.
It is important that unsafe conditions are not confused with hazards during hazard identification. Unsafe conditions should be rectified as soon as possible after observation. Examples of unsafe conditions include missing machine guards, faulty warning systems, and oil spillage on the workplace floor.
Step 2 – Decide Who Might Be Harmed And How
Employees and contractors who work full time at the workplace are the most obvious groups at risk, and it will be necessary to check that they are competent to perform their particular tasks. However, other groups may spend time in or around the workplace. These include young workers, trainees, new and expectant mothers, cleaners, contractor and maintenance workers, and public members. Public members will include visitors, patients, students, or customers, as well as passers-by.
The risk assessment must include any additional controls required due to the vulnerability of any of these groups, perhaps caused by inexperience or disability. It must also indicate the number of people from the different groups who come into contact with the hazard and the frequency of these contacts.
Step 3 – Evaluating The Risks And The Adequacy Of Current Controls
This step is really two steps – evaluating the risks and evaluating the adequacy of current controls.
Evaluating The Risks
During most risk assessments, it will be noted that some of the risks posed by the hazard have already been addressed or controlled. Therefore, the risk assessment’s purpose is to reduce the remaining risk. This is called the residual risk.
Risk assessment aims to reduce all residual risks to as low a level as reasonably practicable. This will take time in a relatively complex workplace, so a system of ranking risk is required – the higher the risk level, the sooner it must be addressed and controlled.
For most situations, a qualitative risk assessment will be perfectly adequate. During the risk assessment, a judgment is made as to whether the risk level is high, medium, or low in terms of the risk of somebody being injured. This designation defines a timetable for remedial actions to be taken, thereby reducing the risk. High-risk activities should normally be addressed in days, medium risks in weeks, and low risks in months, or in some cases, no action will be required. It will usually be necessary for risk assessors to receive some training in risk level designation.
A quantitative risk assessment attempts to quantify the risk level regarding the likelihood of an incident and its subsequent severity. Clearly, the higher the likelihood and severity, the higher the risk will be. The likelihood depends on such factors as the control measures in place, the frequency of exposure to the hazard, and the category of the person exposed to the hazard. The severity will depend on the magnitude of the hazard (voltage, toxicity, etc.).
The HSE has suggested simple 3 × 3 matrices to determine risk levels.
It is possible to apply such methods to organizational risk or the risk that the management system for health and safety will not deliver in the way it was expected or required. Such risks will add to the activity or occupational risk level. In simple terms, poor activity supervision will increase the overall level of risk. A risk management matrix that combines these two risk levels has been developed, as shown below.
Whichever type of risk evaluation method is used, the level of risk simply enables a timetable of risk reduction to an acceptable and tolerable level to be formulated. The legal duty requires that all risks be reduced to as low as reasonably practicable.
In established workplaces, some control of risk will be in place already. The effectiveness of these controls needs to be assessed so that an estimate of the residual risk may be made. Many hazards have had specific Acts, Regulations, or other recognized standards developed to reduce associated risks. Examples of such hazards are fire, electricity, lead, and asbestos. The relevant legislation and any accompanying Approved Codes of Practice or guidance should be consulted first and any recommendations implemented. Advice on control measures may also be available from trade associations, trade unions, or employers’ organizations.
Where there are existing preventative measures in place, it is important to check that they are working properly and that everybody affected clearly understands the measures. It may be necessary to strengthen existing procedures by introducing a permit-to-work system. More details on the principles of control are given below.
Evaluating The Controls
A hierarchy of risk controls should be considered when assessing the adequacy of existing controls or introducing new controls. The health and safety management system ISO 45001 (to replace OHSAS 18001 in 2016) states that the organization shall establish a process for achieving risk reduction based upon the following hierarchy:
- Eliminate The Hazard;
- Substitute With Less Hazardous Materials, Processes, Operations, Or Equipment;
- Use Engineering Controls;
- Use Safety Signs, Markings Warning Devices, And Administrative Controls;
- Use Personal Protective Equipment.
The organization shall ensure that the Occupational Health and Safety risks and determining controls are considered when establishing, implementing, and maintaining its Occupational Health and Safety management system.
The hierarchy reflects that risk elimination and risk control by using physical engineering controls, and safeguards can be more reliably maintained than those relying solely on people. These concepts are now written into the Control of Substances Hazardous to Health (COSHH) Regulations and the Management of Health and Safety at Work (MHSW) Regulations.
Where a range of control measures are available, it will be necessary to weigh up the relative costs of each against the degree of control each provides, both in the short and long term. Some control measures, such as eliminating risk by choosing a safer alternative substance or machine, provide a high degree of control and are reliable. Physical safeguards such as guarding a machine or enclosing a hazardous process must be maintained. In making decisions about risk control, it will therefore be necessary to consider the degree of control and the reliability of the control measures along with the costs of both providing and maintaining the measure.
Step 4 – Recording significant findings
It is very useful to keep a written record of the risk assessment even if there are less than five employees in the organization. For an assessment to be ‘suitable and sufficient, only the significant hazards and conclusions need to be recorded. The record should also include details of the groups of people affected by the hazards, the existing control measures, and their effectiveness. The conclusions should identify any new controls required and a review date.
The written record provides excellent evidence of compliance with the law to a health and safety inspector. It is also useful evidence if the organization should become involved in a civil action.
The record should be accessible to employees, and a copy of the safety manual containing the safety policy and arrangements.
Step 5 – Monitoring and review
A risk assessment is not a ‘one-off’ process but should be reviewed as part of the routine maintenance of the safety management system. Review is required:
- When there are significant changes in the workplace or type of work – for example, when new substances, processes, or equipment are introduced;
- When the arrangements for controlling risks are not working as intended – for example, if accidents or ‘near misses’ occur;
- When there is a change in the legal requirements.
In addition to the general requirement for review, some risk assessments will need to be carried out regularly because of the nature of the hazards involved. For example, assessments of manual handling risks and display screen equipment (DSE) workstation risks are likely to be carried out annually.
The review process should consider whether the assessment is still valid in light of any changes that have occurred since it was first carried out. It should also consider whether the control measures identified as being necessary are still adequate and effective.
The review should be carried out by someone who was not involved in the original assessment. This will ensure a fresh view of the risks and control measures.
When the review has been completed, any new control measures that are identified should be put in place as soon as possible. The existing control measures should continue to be used until they can be replaced by the new measures.
The review date should be recorded in the written assessment and brought to employees’ attention.
A risk assessment is a vital part of any organization’s health and safety management process. It provides a systematic way of looking at work activities and identifying what could cause harm. Doing this makes it possible to decide whether existing control measures are adequate or whether further action is needed to prevent injury or ill health.
The assessment should be carried out by someone familiar with the work activities and the workplace. It is also important to involve employees in the process to better understand the risks involved and can be involved in finding solutions.
Once the assessment has been carried out, the significant findings should be recorded. The record should be accessible to employees and reviewed regularly. Any new control measures that are needed should be put in place as soon as possible.