Risk Assessment: Definition & 5 Steps To Risk Assessment

A risk assessment is a systematic process for identifying, analyzing, and managing potential risks to the safety, health, and property of employees, customers, visitors, and other stakeholders. It includes the identification of hazards and the assessment of risks associated with those hazards. The goal of a risk assessment is to reduce or eliminate the risks identified through the application of effective control measures.

Health and safety law requires that risk assessments be carried out at certain points, for example when work starts or when something changes. These documents help us understand what dangers might arise so that we can work to prevent them. A risk assessment method is important because it sets the priorities and objectives for eliminating hazards. Wherever possible, risks should be eliminated through the selection and design of facilities. If that is not an option (for example because it would cause too much disruption), minimize them with physical controls, using PPE only as a last resort.

A company’s success depends on its ability to manage the risk of all types of accidents at work before they happen, so that these events cannot cause major safety problems. This post covers hazard identification, risk assessment, and the appropriate control measures to protect against hazards.

5 Steps to Risk Assessment

A risk assessment is a process of identifying, assessing, and managing risks to ensure that an organization operates within its risk appetite. A risk assessment helps an organization determine its level of exposure to potential losses and take steps to minimize those losses.

There are five steps in conducting a risk assessment:

  1. Look For The Hazards; 
  2. Decide Who Might Be Harmed, And How; 
  3. Evaluate The Risks And Decide Whether Existing Precautions Are Adequate Or More Should Be Done;
  4. Record The Significant Findings; 
  5. Review The Assessment And Revise It If Necessary

Step 1 – Look For The Hazards

The essential first step in risk assessment is to seek out and identify hazards. Relevant sources of information include:

  • Legislation and supporting Approved Codes of Practice which give practical guidance and include basic minimum requirements;
  • Process information;
  • The product information provided under Section 6 of the HSW Act;
  • Relevant British, European, and international standards;
  • Industry or trade association guidance;
  • The personal knowledge and experience of managers and employees;
  • Accident, ill-health, and incident data from within the organization, from other organizations or from central sources;
  • Expert advice and opinion, and relevant research.

There should be a critical appraisal of all routine and non-routine business activities. People exposed may include employees and others such as public members, contractors, and users of the products and services. Employees and safety representatives can make a useful contribution to identifying hazards. 

In the simplest cases, hazards can be identified by observation and by comparing the circumstances with the relevant information (e.g., single-story premises will not present any stair-related hazards). In more complex cases, measurements such as air sampling or examining machine operation methods may be necessary to identify the presence of hazards from chemicals or machinery. Special techniques and systems may be needed in the most complex or high-risk cases (for example, in the chemical or nuclear industry), such as hazard and operability studies (HAZOPS) and hazard analysis techniques, such as event or fault tree analysis. Specialist advice may be needed to choose and apply the most appropriate method. Only significant hazards, which could seriously harm people, should be identified. Trivial hazards are a lower priority.

A tour of the area under consideration by the risk assessment team is essential to hazard identification, as is consultation with the relevant workforce section.

Reviewing accident, incident, and ill-health records will also help to identify hazards. Other sources of information include safety inspection, survey and audit reports, job or task analysis reports, manufacturers’ handbooks or data sheets, Approved Codes of Practice, and other forms of guidance.

It is important that unsafe conditions are not confused with hazards during hazard identification. Unsafe conditions should be rectified as soon as possible after observation. Unsafe conditions include missing machine guards, faulty warning systems, and oil spillage on the workplace floor.

Step 2 – Decide Who Might Be Harmed And How

Employees and contractors who work full time at the workplace are the most obvious groups at risk, and it will be necessary to check that they are competent to perform their particular tasks. However, other groups may spend time in or around the workplace. These include young workers, trainees, new and expectant mothers, cleaners, contractor and maintenance workers, and public members. Public members will include visitors, patients, students, customers, and passers-by.

The risk assessment must include any additional controls required due to the vulnerability of any of these groups, perhaps caused by inexperience or disability. It must also indicate the number of people from the different groups who come into contact with the hazard and the frequency of these contacts. 

Step 3 – Evaluating The Risks And The Adequacy Of Current Controls

This step is really two – evaluating the risks and the adequacy of current controls.

Evaluating The Risks

During most risk assessments, it will be noted that some of the risks posed by the hazard have already been addressed or controlled. Therefore, the risk assessment’s purpose is to reduce the remaining risk. This is called the residual risk. 

Risk assessment aims to reduce all residual risks to as low a level as reasonably practicable. This will take time in a relatively complex workplace, so a system of ranking risk is required – the higher the risk level, the sooner it must be addressed and controlled.

For most situations, a qualitative risk assessment will be perfectly adequate. During the risk assessment, a judgment is made as to whether the risk level is high, medium, or low in terms of the risk of somebody being injured. This designation defines a timetable for remedial actions to be taken, thereby reducing the risk. High-risk activities should normally be addressed in days, medium risks in weeks, and low risks in months; in some cases, no action will be required. It will usually be necessary for risk assessors to receive some training in risk level designation.

A quantitative risk assessment attempts to quantify the risk level regarding the likelihood of an incident and its subsequent severity. Clearly, the higher the likelihood and severity, the higher the risk. The likelihood depends on such factors as the control measures in place, the frequency of exposure to the hazard, and the category of the person exposed to the hazard. The severity will depend on the magnitude of the hazard (voltage, toxicity, etc.). 

The HSE has suggested simple 3 × 3 matrices to determine risk levels.

[Figure: Evaluating the Risks – HSE 3 × 3 risk matrix]

It is possible to apply such methods to organizational risk or the risk that the management system for health and safety will not deliver in the way it was expected or required. Such risks will add to the activity or occupational risk level. In simple terms, poor activity supervision will increase the overall level of risk. A risk management matrix that combines these two risk levels has been developed, as shown below.

[Figure: Risk Evaluation – matrix combining activity risk and organizational risk]

Whichever type of risk evaluation method is used, the level of risk simply enables a timetable of risk reduction to an acceptable and tolerable level to be formulated. The legal duty requires that all risks be reduced to as low as reasonably practicable.
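The qualitative banding (high/medium/low with a days/weeks/months timetable) and the likelihood × severity matrix described above can be made concrete as a small risk register. The following Python is an added example, not code from the article or from the HSE: the 1–3 ordinal scales, the band thresholds, the `Hazard` record and the sample workshop hazards are all assumptions for illustration. It ranks hazards by residual risk so the highest is addressed first, and shows that adding a control lowers the likelihood while the severity (the magnitude of the hazard) stays the same.

```python
"""Added example (not from the original article): a small risk register using an
assumed 3 x 3 likelihood/severity matrix, banded high/medium/low with the
article's remedial timetable (days / weeks / months)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed ordinal scales: 1 = lowest, 3 = highest (not the HSE's published values).
LIKELIHOOD = {"unlikely": 1, "possible": 2, "likely": 3}
SEVERITY = {"minor": 1, "serious": 2, "fatal": 3}

# Assumed banding of the 1..9 product, paired with the article's timetable.
BANDS = (
    (6, "high", "days"),
    (3, "medium", "weeks"),
    (1, "low", "months"),
)


def risk_rating(likelihood: str, severity: str) -> int:
    """Likelihood x severity on the assumed 3 x 3 matrix (result 1..9)."""
    return LIKELIHOOD[likelihood] * SEVERITY[severity]


def risk_band(rating: int) -> tuple[str, str]:
    """Map a rating to (band, timetable for remedial action)."""
    for threshold, band, timetable in BANDS:
        if rating >= threshold:
            return band, timetable
    raise ValueError(f"rating out of range: {rating}")


@dataclass
class Hazard:
    name: str
    who: str                      # Step 2: who might be harmed
    likelihood: str               # judged with the current controls in place
    severity: str                 # magnitude of the hazard (voltage, toxicity, ...)
    controls: list[str] = field(default_factory=list)

    @property
    def residual(self) -> int:
        """Residual risk: the risk that remains with current controls."""
        return risk_rating(self.likelihood, self.severity)


def apply_control(hazard: Hazard, control: str, new_likelihood: str) -> Hazard:
    """Copy of the hazard with an extra control and the reduced likelihood it is
    judged to give. Severity is unchanged: controls reduce likelihood, not the
    inherent magnitude of the hazard."""
    return Hazard(hazard.name, hazard.who, new_likelihood, hazard.severity,
                  hazard.controls + [control])


def rank_register(hazards: list[Hazard]) -> list[tuple[str, int, str, str]]:
    """Highest residual risk first; returns (name, rating, band, timetable)."""
    ordered = sorted(hazards, key=lambda h: h.residual, reverse=True)
    return [(h.name, h.residual, *risk_band(h.residual)) for h in ordered]


# Constructed sample register for a small workshop (illustrative values only).
SAMPLE = [
    Hazard("Unguarded bench grinder", "operators, apprentices", "likely", "serious",
           ["training"]),
    Hazard("Oil on workshop floor", "everyone on site", "likely", "minor",
           ["spill kit, daily inspection"]),
    # High hazard, low likelihood: the article's electricity example.
    Hazard("Portable 230 V tools", "operators", "unlikely", "fatal",
           ["PAT testing, RCD protection"]),
    Hazard("Paper cuts at office desk", "office staff", "unlikely", "minor"),
]

if __name__ == "__main__":
    for name, rating, band, timetable in rank_register(SAMPLE):
        print(f"{rating:>2}  {band:<6} act within {timetable:<6}  {name}")
    guarded = apply_control(SAMPLE[0], "fixed guard", "unlikely")
    print("grinder after fixed guard:", guarded.residual, risk_band(guarded.residual))
```

The ranking is stable, so hazards with equal ratings keep their register order; in practice a team would break such ties by the number of people exposed and the frequency of exposure, which Step 2 asks the assessment to record.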

In established workplaces, some control of risk will be in place already. The effectiveness of these controls needs to be assessed so that an estimate of the residual risk may be made. Many hazards have had specific Acts, Regulations, or other recognized standards developed to reduce associated risks. Examples of such hazards are fire, electricity, lead, and asbestos. The relevant legislation and any accompanying Approved Codes of Practice or guidance should be consulted first, and any recommendations implemented. Advice on control measures may also be available from trade associations, trade unions, or employers’ organizations.

Where existing preventative measures are in place, it is important to check that they are working properly and that everybody affected clearly understands the measures. It may be necessary to strengthen existing procedures by introducing a permit-to-work system. More details on the principles of control are given below.

Evaluating The Controls

A hierarchy of risk controls should be considered when assessing the adequacy of existing controls or introducing new controls. The health and safety management system ISO 45001 (to replace OHSAS 18001 in 2016) states that the organization shall establish a process for achieving risk reduction based on the following hierarchy:

  • Eliminate The Hazard; 
  • Substitute With Less Hazardous Materials, Processes, Operations, Or Equipment; 
  • Use Engineering Controls; 
  • Use Safety Signs, Markings, Warning Devices, And Administrative Controls; 
  • Use Personal Protective Equipment.

The organization shall ensure that Occupational Health and Safety risks, and the determination of controls for them, are considered when establishing, implementing, and maintaining its Occupational Health and Safety management system.

The hierarchy reflects that risk elimination and risk control using physical engineering controls and safeguards can be more reliably maintained than relying solely on people. These concepts are now written into the Control of Substances Hazardous to Health (COSHH) Regulations and the Management of Health and Safety at Work (MHSW) Regulations.

Where a range of control measures are available, it will be necessary to weigh up the relative costs of each against the degree of control each provides, both in the short and long term. Some control measures, such as eliminating risk by choosing a safer alternative substance or machine, are reliable and provide a high degree of control. Physical safeguards such as guarding a machine or enclosing a hazardous process must be maintained. In making decisions about risk control, it will therefore be necessary to consider the control measures’ degree of control and reliability, along with the costs of providing and maintaining the measure.

Step 4 – Recording significant findings

It is very useful to keep a written record of the risk assessment even if there are fewer than five employees in the organization. For an assessment to be ‘suitable and sufficient’, only the significant hazards and conclusions must be recorded. The record should also include details of the groups of people affected by the hazards, the existing control measures, and their effectiveness. The conclusions should identify any new controls required and a review date.

The written record provides excellent evidence of compliance with the law to a health and safety inspector. It is also useful evidence if the organization should become involved in a civil action.

The record should be accessible to employees, and a copy should be kept with the safety manual that contains the safety policy and arrangements.

Step 5 – Monitoring and review  

A risk assessment is not a ‘one-off’ process but should be reviewed as part of the routine maintenance of the safety management system. Review is required:

  • When there are significant changes in the workplace or type of work – for example when new substances, processes, or equipment are introduced;
  • When the arrangements for controlling risks are not working as intended – for example, if accidents or ‘near misses’ occur;
  • When there is a change in the legal requirements.

In addition to the general requirement for review, some risk assessments must be carried out regularly because of the hazards involved. For example, assessments of manual handling risks and display screen equipment (DSE) workstation risks will likely be carried out annually.

The review process should consider whether the assessment is still valid in light of any changes that have occurred since it was first carried out. It should also consider whether the control measures identified as being necessary are still adequate and effective.

The review should be done by someone not involved in the original assessment. This will ensure a fresh view of the risks and control measures. When the review has been completed, any identified new control measures should be put in place as soon as possible. The existing control measures should continue to be used until they can be replaced by the new measures. The review date should be recorded in the written assessment and brought to employees’ attention.

Basic Definition Relevant To Risk Assessment

Risk assessment is a process of analyzing threats and vulnerabilities to help determine the level of risk they pose. To do this, we need some basic definitions that are used in risk assessments:

Hazard and risk

A hazard is something with the potential to cause harm (this can include articles, substances, plants or machines, methods of working, the working environment, and other aspects of work organization). Hazards take many forms, for example, chemicals, electricity, or noise. A hazard can be ranked relative to other hazards or against a possible level of danger.

A risk is the likelihood of potential harm from that hazard being realized. Risk (or strictly the level of risk) is also linked to the severity of its consequences. A risk can be reduced and the hazard controlled by good management.

It is very important to distinguish between a hazard and a risk – the two terms are often confused, and activities often called high risk are, in fact, high hazard. There should only be a high residual risk where poor health and safety management and inadequate control measures exist.

Electricity is an example of a high hazard as it can kill someone. The risk associated with electricity – the likelihood of being killed on coming into contact with an electrical device – is, hopefully, low.

Occupational or work-related ill-health

This concerns acute and chronic illnesses or physical and mental disorders that are either caused or triggered by workplace activities. Such conditions may be induced by the particular work activity of the individual or by the activities of others in the workplace. The time interval between exposure and the onset of the illness may be short (e.g., acute asthma attacks) or long (e.g., chronic deafness or cancer).

Accident

This is defined by the Health and Safety Executive (HSE) as ‘any unplanned event that results in injury or ill-health of people, or damage or loss to property, plant, materials or the environment or a loss of a business opportunity’. Other authorities define an accident more narrowly by excluding events that do not involve injury or ill health.

Incident and near-miss

The HSE states that an ‘incident’ includes all undesired circumstances and ‘near misses’ which could cause accidents. Knowledge of near misses is very important as research has shown that, approximately, for every 10 ‘near miss’ events at a particular location in the workplace, a minor accident will occur.

Dangerous occurrence

This is a ‘near miss’ or ‘Damage Incident,’ which could have led to serious injury or loss of life. Dangerous occurrences are defined in the Reporting of Injuries, Diseases, and Dangerous Occurrences Regulations (often known as RIDDOR) and are always reportable to the enforcement authorities. Examples include the collapse of a scaffold or a crane or the failure of any passenger-carrying equipment.

Legal Aspects Of Risk Assessment

The general duties of employers to their employees in Section 2 of the HSW Act 1974 imply the need for risk assessment. This duty was also extended by Section 3 of the Act to anybody affected by the employer’s activities – contractors, visitors, customers, or public members. However, the Management of Health and Safety at Work Regulations are much more specific concerning the need for risk assessment. The following requirements are laid down in those Regulations:

  • The risk assessment shall be ‘suitable and sufficient’ and cover both employees and non-employees affected by the employer’s undertaking (e.g. contractors, members of the public, students, patients, customers); every self-employed person shall make a ‘suitable and sufficient’ assessment of the risks to which they or those affected by the undertaking may be exposed;
  • Any risk assessment shall be reviewed if there is reason to suspect that it is no longer valid or if a significant change has taken place;
  • Where there are five or more employees, the significant findings of the assessment shall be recorded, and any especially at-risk group of employees will be identified. (This does not mean employers with four or fewer employees need not undertake risk assessments.)

The term ‘suitable and sufficient’ is important as it defines the limits to the risk assessment process. A suitable and sufficient risk assessment should:

  • Identify the significant risks and ignore the trivial ones;
  • Identify and prioritize the measures required to comply with any relevant statutory provisions;
  • Remain appropriate to the nature of the work and valid over a reasonable period of time;
  • Identify the risk arising from or in connection with the work. The level of detail should be proportionate to the risk.

The significant findings that should be recorded include a detailed statement of the hazards and risks, the preventative, protective, or control measures in place, and any further measures required to reduce the risks present.

When assessing risks under the Management of Health and Safety at Work Regulations, reference to other Regulations may be necessary even if there is no specific requirement for a risk assessment in those Regulations. For example, reference to the legal requirements of the Provision and Use of Work Equipment Regulations will be necessary when machinery operation risks are being considered. However, there is no need to repeat a risk assessment if it is already covered by other Regulations (e.g., a risk assessment considering personal protective equipment is required under the COSHH Regulations, so there is no need to undertake a separate risk assessment under the Personal Protective Equipment Regulations).

Apart from the duty under the Management of Health and Safety at Work Regulations to undertake a health and safety assessment of the risks to any person (employees, contractors, or members of the public) who may be affected by the activities of the organization, the following Regulations require a specific risk assessment to be made:

  • Ionising Radiations Regulations;
  • Control of Asbestos Regulations;
  • Control of Noise at Work Regulations;
  • Manual Handling Operations Regulations;
  • Health and Safety (Display Screen Equipment) Regulations;
  • Personal Protective Equipment at Work Regulations;
  • Confined Spaces Regulations;
  • Work at Height Regulations;
  • Regulatory Reform (Fire Safety) Order (not under HSW Act);
  • Control of Vibration at Work Regulations;
  • Control of Lead at Work Regulations;
  • Control of Substances Hazardous to Health Regulations.

About Malik Imran

Hi, my name is Imran and I am a safety engineer currently working at ADNOC Company in the United Arab Emirates. I have over 6 years of experience in this field, which has allowed me to gain extensive knowledge and skills to ensure the safety of individuals and the environment in the workplace.
