Quick Summary: A hazard is anything with the potential to cause harm. A risk assessment is the structured process of identifying those hazards, evaluating how likely they are to cause harm and how severe that harm could be, and determining what controls are needed to bring the risk to an acceptable level.

In the United States, hazard identification and risk assessment are embedded in OSHA regulations, sector-specific safety standards, and voluntary frameworks like ISO 45001 and ANSI/ASSP Z10.

This guide explains both concepts in plain terms, walks through the five-step risk assessment process, compares assessment methods, introduces the hierarchy of controls, and covers the most common mistakes organizations make.

Hazard vs. Risk: Why the Distinction Matters

These two terms are used interchangeably in everyday conversation but carry very different meanings in professional risk management, and confusing them leads directly to poor decisions.

A hazard is a source of potential harm. It is something that exists — a condition, substance, energy source, or situation — that could cause injury, illness, or damage under the right circumstances. A risk is the probability that the hazard will actually cause harm, combined with the severity of that harm if it does.

Here is a concrete example. A bottle of concentrated hydrofluoric acid is a hazard. It is corrosive, absorbed through skin, and capable of causing systemic toxicity that is fatal at surprisingly small doses.

But how much risk does it actually present in a given workplace? That depends on a series of contextual factors: Is it stored in a properly labeled, locked, ventilated cabinet accessible only to trained personnel? Or is it sitting unlabeled on an open shelf in a crowded laboratory?

Is there emergency eyewash and safety shower equipment nearby? Are workers who handle it trained and equipped with the right PPE? The hazard is the same in both scenarios. The risk is completely different.

This distinction drives the entire logic of hazard and risk assessment. Identifying hazards tells you what could go wrong. Assessing risk tells you how likely and how serious — and therefore what level of control is actually warranted. A hazard with a low probability of exposure and minor consequences does not justify the same investment in controls as one with high probability and catastrophic potential.

OSHA’s General Duty Clause (Section 5(a)(1) of the OSH Act) captures this logic precisely: employers must provide a workplace free from recognized hazards that are causing or likely to cause death or serious physical harm. The legal standard is not that hazards must be absent — it is that the risks they present must be addressed. (Source: OSHA General Duty Clause)

The Six Categories of Workplace Hazards

OSHA and occupational health professionals organize workplace hazards into six broad categories. A thorough hazard identification program examines all of them — not just the ones that are most visible or most recently cited in an inspection.

| Hazard Category | Common Examples | Typical Industries Affected | Key OSHA Standard |
|---|---|---|---|
| Physical | Noise, vibration, radiation, temperature extremes, slippery surfaces, unguarded machinery | Manufacturing, construction, mining, utilities | 29 CFR 1910.95 (noise); 1910.212 (machine guarding) |
| Chemical | Toxic, corrosive, flammable, or reactive substances; dusts; fumes | Chemical processing, lab settings, agriculture, manufacturing | 29 CFR 1910.1200 (HazCom); 1910.119 (PSM) |
| Biological | Bacteria, viruses, fungi, bloodborne pathogens, mold | Healthcare, wastewater, agriculture, food processing | 29 CFR 1910.1030 (bloodborne pathogens) |
| Ergonomic | Repetitive motion, awkward postures, heavy lifting, poorly designed workstations | Healthcare, warehousing, manufacturing, office work | General Duty Clause; OSHA ergonomics guidance |
| Psychosocial | Workplace violence, harassment, excessive workload, chronic stress, shift work | Healthcare, retail, law enforcement, social services | General Duty Clause; OSHA workplace violence guidelines |
| Safety (Energy / Fall) | Fall risk, electrical exposure, confined spaces, struck-by, caught-in/between | Construction, utilities, warehousing, maintenance | 29 CFR 1910.146; 1926.502; 1910.333 |

The hospital emergency department illustrates why all six categories matter simultaneously. It presents biological hazards from infectious patients, chemical hazards from cleaning agents and pharmaceuticals, ergonomic hazards from patient lifting and transfer, psychosocial hazards from high-stress situations and shift work, physical hazards from noise and radiation, and safety hazards from aggressive patients and sharps injuries. A hazard identification program that only looks at the most obvious category will miss most of what actually harms healthcare workers.

The same principle applies to seemingly lower-risk settings. An office environment might appear hazard-free compared to a construction site, but it still presents ergonomic hazards from extended seated work, psychosocial hazards from workplace stress and harassment, indoor air quality hazards, and safety hazards from slips and electrical equipment. Underestimating hazards in low-visibility environments is one of the most consistent patterns in occupational injury data.

What Is a Risk Assessment? The Five-Step Process

A risk assessment is a structured evaluation of the risks created by identified hazards. It is not an inspection, though inspection data feeds into it. It is not a compliance checklist, though it produces outputs that satisfy regulatory requirements. It is a decision-making tool: the process of determining which hazards are most dangerous in context and what needs to be done about them.

The five-step process is recognized across OSHA guidance, ISO 45001:2018 (the international standard for occupational health and safety management systems), and ANSI/ASSP Z10.0 (the U.S. consensus standard for OHS management systems). The steps are consistent even when the specific tools and documentation formats vary.

Step 1: Identify the Hazards

Effective hazard identification requires looking systematically at everything in the work environment that could cause harm, using multiple input sources rather than relying on a single method.

Practical techniques include physical workplace inspections using structured checklists, review of injury and near-miss incident records (which reveal hazards that have already materialized), review of Safety Data Sheets (SDS) for all chemical substances under OSHA’s Hazard Communication standard, job hazard analyses (JHAs) that examine each task step-by-step, and — critically — direct input from the workers who actually perform the tasks being assessed.

That last point deserves emphasis. Frontline workers know their work environment in ways that a safety officer conducting a periodic inspection cannot fully replicate.

They know which machine vibrates in a way that suggests something is wrong, which procedure nobody actually follows the written way because it is impractical, and which new chemical was introduced last month that nobody got around to updating the SDS for. Hazard identification that excludes worker input is systematically incomplete.

Step 2: Determine Who Might Be Harmed and How

The same hazard can present very different risks to different people. New employees are less familiar with procedures and warning signs than experienced ones. Contractors working in an unfamiliar environment face hazards they have not been briefed on. Workers with certain health conditions may be more susceptible to specific chemical or ergonomic hazards. Visitors and members of the public may be present in areas where hazardous conditions exist.

This step also considers exposure patterns: who works near the hazard, how often, and for how long. A maintenance technician who enters a confined space once a month faces a different exposure profile than one who does it daily. A warehouse worker who occasionally lifts heavy items differs from one who spends an entire shift in manual handling. Exposure frequency and duration directly affect risk magnitude.

Step 3: Evaluate the Risks — Likelihood, Severity, and Existing Controls

Risk evaluation combines two dimensions: how likely is it that the hazard will result in harm, and how severe would that harm be? The evaluation must account for controls already in place — engineering controls, administrative procedures, PPE — because those controls change the risk level even though they do not change the hazard itself.

This is where the risk matrix becomes useful. A standard 5×5 matrix rates likelihood and severity on separate scales, then combines them to produce a risk rating that drives prioritization. The matrix below illustrates a typical structure:

Sample 5×4 Risk Matrix (Likelihood x Severity):

| Likelihood \ Severity | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) |
|---|---|---|---|---|
| Almost Certain (5) | 25 — HIGH | 20 — HIGH | 15 — HIGH | 10 — MED |
| Likely (4) | 20 — HIGH | 16 — HIGH | 12 — MED | 8 — MED |
| Possible (3) | 15 — HIGH | 12 — MED | 9 — MED | 6 — LOW |
| Unlikely (2) | 10 — MED | 8 — MED | 6 — LOW | 4 — LOW |
| Rare (1) | 5 — LOW | 4 — LOW | 3 — LOW | 2 — LOW |

The value of a risk matrix is consistency: it forces different assessors to apply the same standard when deciding whether a hazard is high priority or low priority. Without it, prioritization becomes a function of whoever is most persistent in advocating for their particular concern.

See also: Definition of Formal Risk Assessment: What It Is, How It Works, and Why It Matters on RiskPublishing.com for a deeper look at qualitative vs. quantitative rating approaches.

Step 4: Record Findings and Implement Controls

Documentation serves two purposes: it creates an operational record that guides implementation, and it provides legal evidence of a good-faith, systematic effort to identify and control hazards. In a post-incident investigation or OSHA enforcement action, documented risk assessment findings and a verifiable corrective action program are significant.

Controls are selected and implemented using the hierarchy of controls, which OSHA’s Recommended Practices for Safety and Health Programs formally recognizes as the standard framework for control selection. The hierarchy prioritizes eliminating hazards entirely over protecting workers from hazards that remain.

| Level | Control Type | How It Works | U.S. Workplace Example |
|---|---|---|---|
| 1 | Elimination | Remove the hazard from the workplace entirely | Discontinue use of a toxic solvent; automate a manual lifting task |
| 2 | Substitution | Replace the hazard with a less dangerous alternative | Use water-based paint instead of solvent-based; use a less toxic cleaning agent |
| 3 | Engineering Controls | Isolate workers from the hazard through physical modification | Machine guarding; local exhaust ventilation; noise enclosures; interlocks |
| 4 | Administrative Controls | Change how work is done to reduce exposure | Job rotation to limit repetitive motion; permit-to-work systems; shift scheduling |
| 5 | PPE | Protect the worker at the point of contact when other controls are insufficient | Respirators; gloves; hard hats; hearing protection; safety glasses |

PPE is at the bottom of the hierarchy because it protects only the individual wearing it, only if it is worn correctly, only if it fits properly, and only if it does not fail. Engineering and elimination controls protect everyone, regardless of behavior or compliance. This is why OSHA inspectors look unfavorably on workplaces that rely primarily on PPE when engineering controls are feasible.

Step 5: Review and Update the Assessment

A risk assessment is a snapshot of conditions at a point in time. Conditions change: new equipment is introduced, new chemicals are added to processes, work procedures are modified, personnel change, and incidents or near-misses reveal hazards that were not previously identified. A risk assessment that is not kept current becomes a liability document rather than a management tool.

At a minimum, risk assessments should be reviewed annually and following any significant change in the work environment, introduction of new substances or equipment, change in personnel or work patterns, or after any incident or near-miss. The trigger for review should not only be the calendar — any material change in conditions should prompt reassessment of the affected areas.

Risk Assessment Methods: Choosing the Right Approach

The right risk assessment method depends on the nature of the hazards, the complexity of the work environment, available data, and regulatory requirements. Most U.S. workplaces use qualitative or semi-quantitative methods for routine hazard programs. High-consequence industries use quantitative techniques for their most significant process risks.

| Method | How It Works | Best Used For | Limitation |
|---|---|---|---|
| Qualitative | Descriptive ratings (rare/possible/likely; minor/major/catastrophic) combined in a risk matrix | General workplace safety; routine hazard programs; initial screening | Inconsistent ratings across assessors; subjective without calibration guidance |
| Semi-Quantitative | Numerical scores assigned to qualitative categories (1–5 scales); risk = likelihood x severity | Most general industry and healthcare settings; OSHA compliance programs | Scores can create false precision if underlying judgments are not calibrated |
| Quantitative (QRA) | Probability distributions; fault tree analysis; event tree analysis; bow-tie analysis; Monte Carlo simulation | Chemical process safety; nuclear; aerospace; oil and gas; high-consequence infrastructure | Data-intensive; requires specialist expertise; expensive for routine hazards |
| Job Hazard Analysis (JHA) | Task-by-task breakdown of a job to identify hazards at each step and specify controls | Construction; manufacturing; maintenance tasks; new process introduction | Only covers identified tasks; misses systemic or organizational hazards |
| HAZOP | Structured team review using guide words (no, more, less, reverse, other than) to identify deviations from design intent | Chemical and process industry; piping and instrumentation design | Resource-intensive; requires P&ID drawings and experienced facilitator |
| FMEA / FMECA | Systematic analysis of each component failure mode and its effect on system performance | Manufacturing quality; medical device design; aerospace; automotive | Bottom-up approach may miss systemic interactions between components |

The choice of method should be proportionate to the risk. Using a full quantitative risk analysis for every routine workplace hazard is unnecessarily expensive and slow. Using only a qualitative checklist for a major chemical process with catastrophic potential is inadequate. The governing principle is that the rigor of the assessment should match the severity of the potential consequences.

See also: Monte Carlo Simulation in Risk Assessment: A Practical Tutorial on RiskPublishing.com for how probabilistic modeling applies to higher-stakes risk assessments.

OSHA does not mandate a single risk assessment methodology for general industry, but its enforcement framework makes clear that employers must identify foreseeable hazards and implement reasonable controls — which is the functional definition of hazard and risk assessment.

OSHA Standards With Explicit Risk Assessment Requirements

  • Process Safety Management (29 CFR 1910.119): Requires process hazard analyses (PHAs) for facilities handling highly hazardous chemicals above threshold quantities. PHAs must use one of several specified techniques: what-if, checklist, HAZOP, FMEA, fault tree analysis, or an appropriate equivalent
  • Hazard Communication (29 CFR 1910.1200): Requires chemical hazard assessment by manufacturers and importers, with results communicated to downstream employers and workers through labels and SDS
  • Permit-Required Confined Spaces (29 CFR 1910.146): Requires hazard assessment before entry and ongoing atmospheric monitoring during entry operations
  • Personal Protective Equipment (29 CFR 1910.132): Requires employers to conduct a hazard assessment to determine the need for PPE and certify that the assessment has been performed
  • Construction standards (29 CFR 1926): Multiple subparts require hazard assessments for excavation, scaffolding, fall protection, and electrical work

Beyond OSHA, sector-specific regulatory requirements include: Nuclear Regulatory Commission (NRC) probabilistic risk assessment requirements for nuclear facilities; Mine Safety and Health Administration (MSHA) hazard management requirements for surface and underground mines; Joint Commission environment of care risk assessments for healthcare facilities; DOT hazardous materials risk assessments for transportation; and FAA safety management system requirements for aviation.

State OSHA plans (covering 22 states and two territories) must be at least as effective as federal OSHA and may impose additional requirements. California, for example, requires Injury and Illness Prevention Programs (IIPPs) with specific hazard assessment components that exceed federal minimums.

How Hazard Identification and Risk Assessment Work Together in Practice

In a well-functioning safety management system, hazard identification and risk assessment are not separate discrete events — they are connected processes that feed each other continuously.

Hazard identification generates the inventory of potential harms. Risk assessment evaluates which of those harms are most likely, most severe, and most in need of control. The risk assessment output drives the hierarchy of controls selection and the corrective action program. Implementation of controls changes the residual risk profile, which feeds back into the risk assessment at the next review cycle. Incidents and near-misses that escape the control system are analyzed to identify whether the hazard identification missed something or the risk evaluation underestimated a hazard — and the assessment is updated accordingly.

This feedback loop is what makes the difference between a safety program that learns and improves and one that produces documentation without reducing harm. Organizations with low injury rates are not typically those with the most comprehensive initial risk assessments — they are those with the most disciplined review and update cycles, the strongest near-miss reporting cultures, and the clearest accountability for corrective action follow-through.

The integration also extends to enterprise risk management. Workplace safety risks assessed through the hazard and risk assessment process feed into the broader enterprise risk register as operational and compliance risks. A pattern of ergonomic injuries in a warehouse operation is not just a safety problem — it is a workers’ compensation liability risk, an operational continuity risk, and potentially a regulatory enforcement risk. Enterprise risk managers and safety professionals who work in the same framework rather than parallel silos get a more complete picture of total organizational exposure.

See also: Key Risk Indicators: How to Build an Early Warning System on RiskPublishing.com — leading safety KRIs (near-miss frequency, hazard observation rates, corrective action closure rates) belong in your risk monitoring dashboard alongside financial and operational indicators.

Common Mistakes in Hazard and Risk Assessment Programs

Treating Assessment as Documentation Rather Than Decision-Making

The most consequential failure mode in hazard and risk assessment is producing paperwork that satisfies regulators without influencing actual safety decisions. A risk assessment that identifies 40 hazards and rates them all as “medium” with identical boilerplate controls is not a risk assessment — it is a compliance artifact. When OSHA investigators arrive after a serious injury, they will look at whether the risk assessment was specific enough to have flagged the hazard that caused the incident and whether the controls it specified were actually implemented.

The test of a credible risk assessment is simple: does it inform decisions? If the findings changed nothing about how work is done, which controls are in place, or how resources are allocated, something went wrong in the process.

Excluding Frontline Workers

Risk assessments conducted entirely from behind a desk or by safety professionals who do not consult with the people actually doing the work are reliably incomplete. Workers know the real hazards — including the informal workarounds, the equipment quirks, and the production pressures that safety documentation rarely captures. OSHA’s Recommended Practices for Safety and Health Programs explicitly identifies worker participation as a core program element, not a nice-to-have.

Focusing Only on Physical Safety Hazards

Many hazard identification programs default to visible, physical safety hazards — unguarded machinery, fall risks, blocked exits — while underweighting or ignoring chemical health hazards, ergonomic hazards, and psychosocial hazards. These categories cause substantial harm in U.S. workplaces: musculoskeletal disorders account for approximately 30% of all workers’ compensation costs, occupational illnesses from chemical exposures are chronically underreported, and workplace violence is the leading cause of occupational fatality for women in the United States.

Failing to Update After Changes

New equipment, new chemicals, process modifications, facility changes, and personnel turnover all change the hazard profile of a workplace. An annual review cycle is a minimum standard, not a complete program. The trigger for reassessment should be any material change in conditions — not the next scheduled review date.

Underestimating Low-Frequency, High-Consequence Events

Qualitative risk assessments that rely primarily on historical experience tend to underestimate rare but catastrophic events. If something has not happened recently in your facility, it does not appear in your incident data — but that does not mean the hazard does not exist. Process safety programs in chemical and manufacturing industries specifically address this through techniques like HAZOP and fault tree analysis, which evaluate what could go wrong based on process characteristics rather than historical incident rates alone.

See also: Definition of Exposure in Risk Assessment: A Practical Guide on RiskPublishing.com for how exposure duration and frequency affect risk magnitude in both occupational and environmental contexts.

Key Standards and Frameworks for Hazard and Risk Assessment in the U.S.

  • ISO 45001:2018: The international standard for occupational health and safety management systems. Requires organizations to determine and assess OHS risks and opportunities as part of the management system. Replaces OHSAS 18001 and is widely adopted in U.S. organizations seeking third-party certification
  • ANSI/ASSP Z10.0-2019: The U.S. national consensus standard for occupational health and safety management systems. Functionally aligned with ISO 45001 and provides sector-specific guidance for U.S. workplaces
  • OSHA Recommended Practices for Safety and Health Programs: Non-mandatory guidance that provides a comprehensive framework for building safety management systems around hazard identification and risk assessment as core activities
  • NFPA 652/654: Combustible dust hazard assessment standards for specific industries (wood, grain, pharmaceutical, metal)
  • API RP 754: Process safety performance indicators for the refining and petrochemical industries, built on a hazard identification and risk assessment foundation

See also: Definition of Financial Risk Assessment: A Complete Guide for U.S. Organizations for a parallel treatment of how formal risk assessment applies in financial contexts

Final Thoughts

Hazard and risk assessment is where safety management moves from philosophy to practice. The logic is simple: you cannot control hazards you have not identified, and you cannot prioritize controls without understanding which hazards present the most significant risks. Everything downstream in a safety program — controls, training, emergency planning, incident investigation — depends on the quality of this foundational process.

The organizations with the strongest safety records are not always those with the most sophisticated assessment tools or the thickest documentation binders. They tend to be organizations where hazard identification is genuinely embedded in how work is planned and reviewed, where risk assessment findings actually drive control decisions, where frontline workers are meaningful participants rather than subjects of the process, and where the system learns from incidents and near-misses rather than treating them as isolated anomalies.

Getting hazard and risk assessment right does not require perfection on the first attempt. It requires honesty about what the hazards are, rigor about evaluating the risks they present, and discipline about acting on what the assessment reveals. Start there, build the review and update cycle, and the program compounds in value over time.
