How to Perform a Risk Assessment

Identify, analyze, and mitigate potential hazards and the risks associated with them by conducting risk assessments.

What is a Risk Assessment?

A risk assessment is a systematic process used to identify potential hazards and risks in a situation, then analyze what would happen should these hazards take place. As a decision-making tool, risk assessment aims to determine which measures should be implemented to eliminate or control those risks, as well as specify which of them should be prioritized according to their likelihood and impact on the business.

Risk assessment is one of the major components of a risk analysis. Risk analysis is a process with multiple steps that intends to identify and analyze all of the potential risks and issues that are detrimental to the business or enterprise.

Why is it Important?

Risk assessments are essential to identify hazards and risks that may potentially cause harm to workers. Identifying hazards by using the risk assessment process is a key element in ensuring the health and safety of your employees and customers. OSHA requires businesses to conduct risk assessments. According to regulations set by OSHA, assessing hazards or potential risks will determine the personal protective gears and equipment a worker may need for their job.

Risk analysis framework includes risk assessment, risk management, and risk communication

Risk Analysis Framework

When Do You Perform a Risk Assessment?

Beyond complying with legislative requirements, the purpose of risk assessments is to eliminate operational risks and improve the overall safety of the workplace. It is the employer’s responsibility to perform risk assessments when:

  • new processes or steps are introduced in the workflow;
  • changes are made to the existing processes,
  • equipment, and tools; or new hazards arise.

Risk assessments are also performed by auditors when planning an audit procedure for a company.

Create your own Risk Assessment checklist

Build from scratch or choose from our collection of free, ready-to-download, and customizable templates.

Browse Risk Assessment checklists

3 Types

HSE distinguishes three general risk assessment types:

Large Scale Assessments

This refers to risk assessments performed for large scale complex hazard sites such as the nuclear, and oil and gas industry. This type of assessment requires the use of an advanced risk assessment technique called Quantitative Risk Assessment (QRA).

Required specific assessments

This refers to assessments that are required under specific legislation or regulations, such as the handling of hazardous substances (according to COSHH regulations, 1998) and manual handling (according to Manual Handling Operations Regulations, 1992).

General assessments

This type of assessment manages general workplace risks and is required under the management of legal health and safety administrations such as OSHA and HSE.


Here is an example of a completed risk assessment. See more risk assessment examples in various industries.

How to Perform Risk Assessment in 5 Steps

Below are the 5 steps on how to efficiently perform risk assessments:

1. Identify hazards

Survey the workplace and look at what could reasonably be expected to cause harm. Identify common workplace hazards. Check the manufacturer’s or suppliers’ instructions or data sheets for any obvious hazards. Review previous accident and near-miss reports.

2. Evaluate the risks

Risk evaluation helps determine the probability of a risk and the severity of its potential consequences. To evaluate a hazard’s risk, you have to consider how, where, how much, and how long individuals are typically exposed to a potential hazard. Assign a risk rating to your hazards with the help of a risk matrix.

3. Decide on control measures to implement

After assigning a risk rating to an identified hazard, it’s time to come up with effective controls to protect workers, properties, civilians, and/or the environment. Follow the hierarchy of controls in prioritizing implementation of controls.

4. Document your findings

It is important to keep a formal record of risk assessments. Documentation may include a detailed description of the process in assessing the risk, an outline of evaluations, and detailed explanations on how conclusions were made.

5. Review your assessment and update if necessary

Follow up with your assessments and see if your recommended controls have been put in place. If the conditions in which your risk assessment was based change significantly, use your best judgment to determine if a new risk assessment is necessary.

Risk Assessment Tools and Techniques

There are options on the tools and techniques that can be seamlessly incorporated into a business’ process. The four common risk assessment tools are: risk matrix, decision tree, failure modes and effects analysis (FMEA), and bowtie model. Other risk assessment techniques include the what-if analysis, failure tree analysis, and hazard operability analysis.

Improve your GRC management

Simplify risk management and compliance with our centralized platform, designed to integrate and automate processes for optimal governance.

Explore now

How to use a Risk Matrix?

Likelihood Very Likely Likely Unlikely Highly Unlikely
Consequences Fatality High High High Medium
Major Injuries High High Medium Medium
Minor Injuries High Medium Medium Low
Negligible Injuries Medium Medium Low Low

A risk matrix is often used to measure the level of risk by considering the consequence/ severity and likelihood of injury to a worker after being exposed to a hazard. Two key questions to ask when using a risk matrix should be:

  1. Consequences: How bad would the most severe injury be if exposed to the hazard?
  2. Likelihood: How likely is the person to be injured if exposed to the hazard?

The most common types are the 3×3 risk matrix, 4×4 risk matrix, and 5×5 risk matrix.

How to Assess Consequences?

It is common to group the injury severity and consequence into the following four categories:

  • Fatality – leads to death
  • Major or serious injury – serious damage to health which may be irreversible, requiring medical attention and ongoing treatment
  • Minor injury – reversible health damage which may require medical attention but limited ongoing treatment). This is less likely to involve significant time off work.
  • Negligible injuries – first aid only with little or no lost time.

How to Assess Likelihood?

It is common to group the likelihood of a hazard causing worker injury into the following four categories:

  • Very likely – exposed to hazard continuously.
  • Likely – exposed to hazard occasionally.
  • Unlikely – could happen but only rarely.
  • Highly unlikely – could happen, but probably never will.

We recommend OSHA’s great learning resources in understanding how to assess consequence and likelihood in your risk assessments.

Risk Assessment Training

“Safety has to be everyone’s responsibility… everyone needs to know that they are empowered to speak up if there’s an issue.” – Captain Scott Kelly, at the SafetyCulture Virtual Summit.

A good and effective hazard identification and risk assessment training  should orient new and existing workers on various hazards and risks that they may encounter. It should also be able to easily walk them through safety protocols. With today’s technology like SafetyCulture’s Training feature, organizations can create and deploy more tailored-fit programs based on the needs of their workers.

Risk Assessment Templates

Risk assessments are traditionally completed through checklists, which are inconvenient when reports and action plans are urgently needed. Streamline the process with SafetyCulture, a mobile app solution. Get started by browsing this collection of customizable Risk Assessment templates that you can download for free.

FAQs About Risk Assessment

The key difference between a risk assessment and a JSA is scope. Risk assessments assess safety hazards across the entire workplace and are oftentimes accompanied with a risk matrix to prioritize hazards and controls. Whereas a JSA focuses on job-specific risks and is typically performed for a single task, assessing each step of the job.

The three main tasks of risk assessment include identifying the hazards, assessing the risks that come along with them, and placing control measures to either eliminate them totally or at least minimize their impact on the business and its people.

The five most common categories of operational risks are people risk, process risk, systems risk, external events risk or external fraud, and legal and compliance risk. Operational risks refer to the probability of issues relating to people, processes, or systems negatively impacting the business’s daily operations.

As stated above, risk assessments are ideally performed when there’s a new process introduced or if there are changes to the existing ones, as well as when there are new equipment or tools for employees to use. Outside of these instances, however, it is recommended that businesses schedule risk assessments at least once a year so that the procedures are updated accordingly.

Risk assessments should be carried out by competent persons who are experienced in assessing hazard injury severity, likelihood, and control measures.

Jairus Andales
Article by

Jairus Andales

SafetyCulture Content Specialist
Jai Andales is a content writer and researcher for SafetyCulture since 2018. As a content specialist, she creates well-researched articles about health and safety topics. She is also passionate about empowering businesses to utilize technology in building a culture of safety and quality.