Key Takeaways
✓ A health and safety risk assessment is the systematic process of identifying workplace hazards, analyzing the likelihood and severity of harm, evaluating risks against tolerance criteria, and implementing controls using the Hierarchy of Controls.
✓ ISO 45001:2018 (Clause 6.1.2) requires organizations to establish a systematic hazard identification and risk assessment process as the foundation of the occupational health and safety management system.
✓ OSHA’s Recommended Practices for Safety and Health Programs align with the same core steps: identify hazards, assess risks, implement controls, and monitor effectiveness through ongoing worker participation.
✓ The Hierarchy of Controls (elimination, substitution, engineering controls, administrative controls, PPE) is the universally accepted framework mandated by ISO 45001 Clause 8.1.2 to prioritize control effectiveness.
✓ 65% of covered employees in the US are in self-funded health plans, making workplace injury prevention a direct financial interest to employers who bear the claims cost.
✓ Health and safety risk assessments must be documented, communicated to all affected workers, reviewed at least annually, and updated whenever processes, equipment, personnel, or regulations change.
What Is a Health and Safety Risk Assessment?
A health and safety risk assessment is the structured process of identifying hazards in the workplace, analyzing the risk each hazard presents to workers and other people, and determining the controls needed to eliminate or reduce that risk to an acceptable level.
ISO 45001:2018, the international occupational health and safety management system standard, defines a hazard as “a source with the potential to cause injury and ill health” and risk as “the combination of the likelihood of a hazardous event or exposure and the severity of injury or ill health that can be caused by the event or exposure.”
The assessment connects those two definitions: hazard exists → risk is analyzed → controls are implemented.
In the United States, OSHA’s Recommended Practices for Safety and Health Programs reinforce the same methodology.
OSHA does not prescribe a single assessment format but requires employers to identify and correct hazards under the General Duty Clause (Section 5(a)(1) of the OSH Act). A documented risk assessment is the most defensible way to demonstrate compliance.
This guide walks through the complete health and safety risk assessment process, from hazard identification through control implementation and review. The methodology aligns with ISO 45001 and OSHA while integrating the broader ISO 31000 risk management principles that apply across all risk domains.
How to Perform a Health and Safety Risk Assessment: The Five-Step Process
| Step | What Happens | Key Outputs | Standards Alignment |
| 1. Identify Hazards | Survey the workplace systematically. Walk through every area, activity, and process. Review past incident reports, near-miss logs, safety inspection findings, workers’ compensation claims, and illness records. Consult with workers who perform the tasks daily. Consider all hazard types: physical, chemical, biological, ergonomic, psychosocial, and environmental. | Hazard identification register listing every identified hazard, its location, the tasks/activities involved, and the people exposed | ISO 45001 Clause 6.1.2; OSHA Recommended Practices Step 1 |
| 2. Assess the Risks | Evaluate each hazard using a Likelihood × Severity matrix. Determine the probability that harm will occur (considering frequency of exposure, number of people exposed, and existing controls) and the potential severity of injury or ill health (from first aid to fatality). Assign a risk rating to each hazard. | Completed risk matrix; risk ratings (Low, Medium, High, Extreme) assigned to every hazard; prioritized hazard list | ISO 45001 Clause 6.1.2.2; ISO 31000 Clause 6.4.3 |
| 3. Implement Controls | Select and implement controls following the Hierarchy of Controls: elimination first, then substitution, engineering controls, administrative controls, and PPE as the last resort. Document each control, the person responsible, implementation timeline, and verification method. | Control implementation plan with assigned owners and due dates; updated safe work procedures; training records; procurement records | ISO 45001 Clause 8.1.2; OSHA Hierarchy of Controls; NIOSH Hierarchy |
| 4. Document and Communicate | Record the entire assessment: hazards identified, risk ratings, controls selected, responsible persons, and review dates. Communicate findings to all affected workers, supervisors, and management. Make the assessment accessible at the point of work. | Documented risk assessment report; worker communication records (toolbox talks, safety briefings, posted summaries); management sign-off | ISO 45001 Clause 7.4 and 7.5; OSHA recordkeeping requirements |
| 5. Review and Update | Review the assessment at least annually and whenever significant changes occur: new processes, new equipment, new chemicals, workplace modifications, incident findings, regulatory changes, or workforce changes. Verify that controls remain effective through inspections, audits, and worker feedback. | Updated risk assessment with revision history; review meeting minutes; corrective action records; effectiveness verification documentation | ISO 45001 Clause 9.1 and 10.2; OSHA Recommended Practices Step 6 |
This five-step process is cyclical. Workplaces change. New hazards emerge. Controls degrade. The assessment must be a living document, not a filing cabinet artifact. Build the review cadence into your risk management lifecycle.
Types of Workplace Hazards: The Complete Classification
| Hazard Type | Definition | Examples | Common Industries |
| Physical | Hazards from energy sources that can cause injury through contact, impact, vibration, noise, temperature, or radiation | Unguarded machinery, fall hazards, electrical exposure, excessive noise, extreme temperatures, confined spaces, struck-by/caught-between risks | Construction, manufacturing, mining, oil and gas, utilities, warehousing |
| Chemical | Hazards from exposure to hazardous substances through inhalation, skin contact, ingestion, or injection | Toxic gases, corrosive liquids, flammable solvents, dusts and fibers (silica, asbestos), carcinogens, cleaning chemicals, laboratory reagents | Chemical manufacturing, agriculture, healthcare, laboratories, cleaning services, painting/coating |
| Biological | Hazards from exposure to living organisms or their products that can cause infection, allergic reaction, or toxic response | Bloodborne pathogens (HIV, Hepatitis B/C), airborne pathogens (TB, COVID-19), mold, animal waste, insect vectors, contaminated sharps | Healthcare, laboratories, agriculture, wastewater treatment, veterinary services, food processing |
| Ergonomic | Hazards from workplace conditions that impose physical stress on the musculoskeletal system through posture, repetition, force, or vibration | Repetitive motion injuries, manual handling injuries (lifting, pushing, pulling), prolonged static postures, vibration exposure, awkward workstation design | Office work, manufacturing, warehousing, construction, healthcare (patient handling), agriculture |
| Psychosocial | Hazards arising from work organization, management practices, and interpersonal dynamics that affect psychological health and wellbeing | Excessive workload, bullying and harassment, workplace violence, shift work, job insecurity, lack of autonomy, poor supervisor support, traumatic event exposure | Healthcare, emergency services, education, retail, hospitality, social services, law enforcement |
| Environmental | Hazards from the natural or built environment that affect workplace safety, including weather events, air quality, and facility conditions | Extreme weather (heat stress, cold stress), poor indoor air quality, inadequate lighting, slippery surfaces, structural instability, flooding, wildfire smoke exposure | Construction, agriculture, outdoor utilities, transportation, any industry in disaster-prone regions |
A thorough hazard identification covers all six categories. Teams that focus only on physical hazards (the most visible) miss the ergonomic, psychosocial, and biological risks that often drive the highest workers’ compensation costs and long-term health impacts. Map identified hazards into your organization’s risk taxonomy.
The Hierarchy of Controls: Selecting the Right Risk Treatment
The Hierarchy of Controls is the universally accepted framework, mandated by ISO 45001 Clause 8.1.2 and endorsed by OSHA and NIOSH, that prioritizes control measures from most effective (elimination) to least effective (PPE).
The hierarchy is not a menu of equal options. Always start at the top and work down.
| Control Level | Definition | Effectiveness | Examples | When to Use |
| 1. Elimination | Remove the hazard entirely so the risk no longer exists | Most effective; permanently removes the risk source | Eliminate a manual handling task by redesigning the process; remove a toxic substance from the workflow; automate a hazardous operation entirely | Always the first option considered. Ask: can the hazard be removed completely? |
| 2. Substitution | Replace the hazardous material, process, or equipment with a less hazardous alternative | Highly effective; reduces severity or likelihood without eliminating the activity | Replace solvent-based paint with water-based paint; substitute a less toxic cleaning chemical; use pre-fabricated components instead of on-site welding | When elimination is not feasible. Ask: can a safer alternative achieve the same result? |
| 3. Engineering Controls | Isolate people from the hazard through physical barriers, ventilation, machine guarding, or workspace redesign | Effective; does not rely on worker behavior; protects anyone in the area | Install machine guards; add ventilation systems to remove chemical fumes; install fall protection guardrails; enclose noisy equipment in sound-dampening enclosures | When the hazard cannot be eliminated or substituted. Physical separation is the next best defense. |
| 4. Administrative Controls | Change the way people work through procedures, training, signage, job rotation, scheduling, and permits to work | Moderately effective; relies on consistent worker compliance and management enforcement | Safety training programs; lockout/tagout procedures; job rotation to reduce repetitive strain; posted safety signage; scheduled rest breaks; permit-to-work systems | When engineering controls alone do not reduce risk to acceptable levels. Always combine with higher-level controls. |
| 5. PPE (Personal Protective Equipment) | Protect the individual worker with safety equipment worn on the body | Least effective; last line of defense; relies entirely on correct selection, fit, use, and maintenance | Safety glasses, hard hats, hearing protection, respiratory protection, chemical-resistant gloves, fall harnesses, steel-toed boots, high-visibility clothing | Only as a supplement to higher-level controls or when all other options are impractical. Never use PPE as the primary control. |
In practice, most hazards require controls from multiple levels. A construction site might eliminate certain fall hazards through design (Level 1), install guardrails where work at height remains necessary (Level 3), implement permit-to-work procedures (Level 4), and require fall harnesses as backup (Level 5).
The key principle: never rely on PPE alone when higher-level controls are feasible. Our risk mitigation in project management guide covers the five response strategies that complement the Hierarchy of Controls.
Health and Safety Risk Matrix: Scoring Likelihood and Severity
| Rating | Likelihood Definition | Severity Definition | Score Range When One Factor Is at This Rating (Likelihood × Severity) |
| 1 — Rare | Less than 5% probability; has never occurred in the organization; theoretically possible but highly unlikely | Negligible harm; first-aid-level injury only; no lost time; no regulatory interest | 1–5 (Low) |
| 2 — Unlikely | 5–20% probability; has occurred in the industry but not at this organization; requires unusual circumstances | Minor harm; medical treatment injury; 1–3 lost workdays; minor regulatory inquiry | 2–10 (Low to Medium) |
| 3 — Possible | 20–50% probability; has occurred at this organization before; could reasonably happen again without improved controls | Moderate harm; serious injury requiring hospital treatment; 4–30 lost workdays; regulatory investigation; workers’ compensation claim | 3–15 (Medium) |
| 4 — Likely | 50–80% probability; has occurred multiple times; is expected to recur without intervention; existing controls are insufficient | Major harm; disabling injury or occupational illness; > 30 lost workdays; OSHA recordable injury; significant financial impact | 4–20 (High) |
| 5 — Almost Certain | Greater than 80% probability; is occurring now or will almost certainly occur within the assessment period | Catastrophic harm; fatality or permanent disability; multiple injuries; OSHA citation; criminal investigation; shutdown risk | 5–25 (Extreme) |
Calibrate these definitions to your organization’s context and industry. A “catastrophic” outcome in a chemical plant involves different scenarios than in an office environment. Anchor the severity definitions to your risk appetite statement so the matrix reflects actual organizational tolerance.
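To make the matrix scoring and the "never rely on PPE alone" rule concrete, here is an added example (not code from the article or from riskpublishing.com) that scores a constructed hazard register with the 5×5 Likelihood × Severity matrix, bands the scores, and flags entries treated with administrative or PPE controls only and no documented justification. The band cut-offs (Low 1–4, Medium 5–9, High 10–15, Extreme 16–25) are an assumed calibration of the kind the paragraph above tells you to set for your own organization.

```python
"""Added example, not the article's own code. Scores a constructed hazard
register with the 5x5 matrix and checks Hierarchy of Controls coverage."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
SEVERITY = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}

# Hierarchy of Controls: level 1 is most effective, level 5 (PPE) least.
CONTROL_LEVEL = {"elimination": 1, "substitution": 2, "engineering": 3,
                 "administrative": 4, "ppe": 5}

# Assumed band calibration (score floor, band name), highest first.
BANDS = ((16, "Extreme"), (10, "High"), (5, "Medium"), (1, "Low"))


@dataclass
class Hazard:
    name: str
    likelihood: int                 # 1..5 per the likelihood definitions
    severity: int                   # 1..5 per the severity definitions
    controls: list = field(default_factory=list)  # control types applied
    justification: str = ""         # required when only level 4/5 controls are used


def risk_score(likelihood: int, severity: int) -> int:
    """Inherent risk score = Likelihood x Severity on the 5x5 matrix."""
    if likelihood not in LIKELIHOOD or severity not in SEVERITY:
        raise ValueError("ratings must be integers in 1..5")
    return likelihood * severity


def risk_band(score: int) -> str:
    """Map a 1..25 score onto the assumed Low/Medium/High/Extreme bands."""
    for floor, band in BANDS:
        if score >= floor:
            return band
    raise ValueError("score out of range")


def hierarchy_gap(h: Hazard) -> Optional[str]:
    """Finding text if the hazard relies on administrative/PPE controls alone."""
    levels = [CONTROL_LEVEL[c] for c in h.controls]
    if not levels:
        return "no controls recorded"
    if min(levels) >= 4 and not h.justification:
        return "administrative/PPE controls only; no justification documented"
    return None


def prioritize(register: list) -> list:
    """Score every hazard and return rows sorted from highest to lowest risk."""
    rows = []
    for h in register:
        score = risk_score(h.likelihood, h.severity)
        rows.append({"hazard": h.name, "score": score,
                     "band": risk_band(score), "finding": hierarchy_gap(h)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample register (illustrative values, not real site data).
SAMPLE_REGISTER = [
    Hazard("Unguarded press brake", 4, 5, ["engineering", "administrative", "ppe"]),
    Hazard("Solvent vapour in paint booth", 3, 3, ["substitution", "engineering"]),
    Hazard("Manual lifting of 25 kg sacks", 4, 3, ["ppe"]),
    Hazard("Wet floor at loading dock", 3, 2, ["administrative", "ppe"],
           justification="drain upgrade (engineering) scheduled; interim measure"),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_REGISTER):
        print(row)
```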
Industry-Specific Health and Safety Risk Assessments
| Industry | Primary Hazard Focus | Key Regulatory Requirements | Unique Assessment Considerations |
| Construction | Falls from height; struck-by/caught-between; electrocution; trench collapse; heat stress; silica dust exposure | OSHA 29 CFR 1926 (Construction Standards); OSHA Focus Four Hazards; state-specific requirements | High-risk activities change with each project phase; assessments must be updated at each phase gate; subcontractor risk must be assessed alongside direct-hire risk |
| Manufacturing | Machine guarding; lockout/tagout; chemical exposure; noise; ergonomic strain; forklift operations | OSHA 29 CFR 1910 (General Industry); NFPA standards; machine-specific ANSI standards | Process-specific assessments are needed for each production line; equipment modification triggers reassessment; shift work introduces fatigue as a psychosocial hazard |
| Healthcare | Bloodborne pathogens; patient handling (ergonomic); workplace violence; chemical exposure (disinfectants, pharmaceuticals); infectious disease | OSHA Bloodborne Pathogen Standard (29 CFR 1910.1030); Joint Commission standards; CMS Conditions of Participation | Patient handling injuries are the leading cause of lost workdays; violence risk assessment is increasingly mandated; pandemic preparedness adds biological hazard complexity |
| Office / Professional Services | Ergonomic (workstation design, prolonged sitting); psychosocial (stress, burnout, harassment); indoor air quality; slips/trips/falls; electrical | OSHA General Duty Clause; ADA workplace accommodation requirements; state ergonomic guidelines | Often underassessed because perceived as “low risk”; psychosocial hazards (burnout, workplace bullying) drive significant absenteeism and workers’ comp claims in knowledge-work environments |
| Oil and Gas | Process safety (fire, explosion, toxic release); confined space; H2S exposure; fall hazards; heat/cold stress; remote location risk | OSHA Process Safety Management (PSM) (29 CFR 1910.119); EPA RMP; API standards | High-consequence / low-probability events require quantitative risk assessment (QRA); remote locations complicate emergency response; contractor management is a critical risk factor |
| Food Processing | Biological contamination; chemical cleaning agents; machine guarding; cold/heat exposure; slips/falls (wet floors); ergonomic (repetitive motion) | FDA FSMA; OSHA General Industry Standards; HACCP requirements; state health department regulations | Food safety and worker safety assessments must be coordinated; biological hazards affect both product integrity and worker health; seasonal workforce creates training and competency challenges |
Health and Safety KRI Dashboard: What to Track After the Assessment
| KRI | What Gets Measured | Green | Amber | Red |
| OSHA Recordable Incident Rate (TRIR) | Total recordable incidents per 200,000 hours worked | Below industry average | At industry average | Above industry average |
| Lost Time Injury Frequency Rate (LTIFR) | Lost time injuries per 1,000,000 hours worked | < 2.0 | 2.0–4.0 | > 4.0 |
| Near-Miss Reporting Rate | Number of near-misses reported per month (leading indicator of safety culture) | Increasing trend (active reporting culture) | Stable | Decreasing trend (underreporting risk) |
| Risk Assessment Completion Rate | Percentage of scheduled risk assessments completed on time | 100% on time | 90–99% on time | < 90% on time |
| Overdue Corrective Actions | Percentage of safety corrective actions past their due date | 0% overdue | 1–10% overdue | > 10% overdue |
| Safety Training Completion | Percentage of employees current on required safety training | 100% current | 90–99% current | < 90% current |
| Workers’ Compensation Cost Trend | Year-over-year change in workers’ compensation costs per employee | Decreasing | Stable | Increasing |
| Safety Inspection Compliance | Percentage of scheduled safety inspections completed on time with documented findings | 100% completed | ≥ 90% completed | < 90% completed |
Integrate these health and safety KRIs into your broader KRI dashboard framework so workplace safety risk visibility reaches the board alongside financial, operational, and strategic risk metrics.
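The rate-based KRIs in the table are computed from hours worked, so their thresholds only mean something once the normalisation is done consistently. The following added example (not from the article) computes TRIR and LTIFR from constructed period data and rates them and the near-miss trend against the dashboard thresholds above. The industry-average TRIR, the ±5% tolerance for "at industry average", and the ±10% band for a "stable" near-miss trend are assumptions the article leaves to the reader.

```python
"""Added example, not the article's own code. Computes the dashboard's
rate-based KRIs from constructed data and assigns Green/Amber/Red."""
from __future__ import annotations


def trir(recordable_incidents: int, hours_worked: float) -> float:
    """Total recordable incidents per 200,000 hours worked."""
    if hours_worked <= 0:
        raise ValueError("hours_worked must be positive")
    return recordable_incidents * 200_000 / hours_worked


def ltifr(lost_time_injuries: int, hours_worked: float) -> float:
    """Lost time injuries per 1,000,000 hours worked."""
    if hours_worked <= 0:
        raise ValueError("hours_worked must be positive")
    return lost_time_injuries * 1_000_000 / hours_worked


def rate_trir(value: float, industry_average: float, tolerance: float = 0.05) -> str:
    """Below average Green, at average Amber, above average Red.
    'At average' is taken as within an assumed +/- tolerance (default 5%)."""
    band = industry_average * tolerance
    if value < industry_average - band:
        return "Green"
    if value <= industry_average + band:
        return "Amber"
    return "Red"


def rate_ltifr(value: float) -> str:
    """Article thresholds: < 2.0 Green, 2.0-4.0 Amber, > 4.0 Red."""
    if value < 2.0:
        return "Green"
    if value <= 4.0:
        return "Amber"
    return "Red"


def rate_near_miss_trend(monthly_counts: list, stable_band: float = 0.10) -> str:
    """Compare the last three months with the three before them.
    Increasing reporting is Green, stable Amber, decreasing Red (possible
    underreporting). The +/-10% 'stable' band is an assumption."""
    if len(monthly_counts) < 6:
        raise ValueError("need at least six months of counts")
    recent = sum(monthly_counts[-3:]) / 3
    prior = sum(monthly_counts[-6:-3]) / 3
    if prior == 0:
        return "Green" if recent > 0 else "Red"
    change = (recent - prior) / prior
    if change > stable_band:
        return "Green"
    if change >= -stable_band:
        return "Amber"
    return "Red"


def rate_overdue_actions(percent_overdue: float) -> str:
    """0% Green, 1-10% Amber, > 10% Red."""
    if percent_overdue <= 0:
        return "Green"
    return "Amber" if percent_overdue <= 10 else "Red"


def dashboard(hours: float, recordables: int, lost_time: int,
              industry_avg_trir: float, near_misses: list, overdue_pct: float) -> dict:
    """Assemble the rate-based rows of the KRI dashboard for one period."""
    t, l = trir(recordables, hours), ltifr(lost_time, hours)
    return {"TRIR": (round(t, 2), rate_trir(t, industry_avg_trir)),
            "LTIFR": (round(l, 2), rate_ltifr(l)),
            "Near-miss trend": rate_near_miss_trend(near_misses),
            "Overdue corrective actions": rate_overdue_actions(overdue_pct)}


if __name__ == "__main__":
    # Constructed sample period: 1.25M hours, 8 recordables, 3 lost-time injuries.
    print(dashboard(1_250_000, 8, 3, 3.0, [10, 12, 11, 15, 16, 17], 12.0))
```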
Common Pitfalls in Health and Safety Risk Assessments
| Pitfall | Root Cause | How to Avoid |
| Assessing only obvious physical hazards | Teams focus on visible hazards (machinery, falls) and miss ergonomic, psychosocial, biological, and chemical risks | Use the six-category hazard classification (physical, chemical, biological, ergonomic, psychosocial, environmental). Require coverage of all six categories in every assessment. |
| Paper exercise that never reaches the shop floor | Assessment completed by safety staff in an office without walking the actual work area or consulting workers who perform the tasks | Mandate physical workplace walk-throughs. Require worker participation in every assessment. Post findings at the point of work. |
| Static assessment never reviewed after initial completion | Assessment done once and filed. Changes in processes, equipment, personnel, or regulations are not reflected. | Establish mandatory annual review cadence. Trigger reassessments on any material workplace change. Track review compliance as a KRI. |
| Jumping straight to PPE without considering the full Hierarchy of Controls | Time pressure or cost avoidance leads teams to default to PPE rather than investing in elimination, substitution, or engineering solutions | Require documented justification when higher-level controls are not selected. Make Hierarchy of Controls analysis a mandatory section of every assessment. |
| No worker participation in hazard identification | Assessment conducted exclusively by management or external consultants without input from the people who perform the work daily | Workers see hazards that management cannot. Require front-line employee participation in every identification workshop. Include worker sign-off on completed assessments. |
| Failure to communicate findings to affected workers | Assessment documented but not shared with the people the hazards affect | Deliver findings through toolbox talks, safety briefings, posted summaries, and digital access. Verify communication through sign-off records. |
| Incomplete documentation that fails regulatory scrutiny | Assessment findings recorded informally or inconsistently, making regulatory defense difficult during OSHA inspections or litigation | Use a standardized risk assessment template. Document every hazard, risk rating, control selected, responsible person, implementation date, and review date. |
| Treating the assessment as compliance-only rather than an operational improvement tool | Assessment framed as a regulatory requirement to satisfy OSHA rather than a business tool to reduce injuries, lower costs, and improve productivity | Connect assessment outcomes to financial metrics (workers’ comp costs, lost productivity, insurance premiums). Report safety improvements alongside cost savings to leadership. |
90-Day Roadmap: Building a Repeatable Health and Safety Risk Assessment Program
| Phase | Timeline | Key Activities | Deliverables |
| Phase 1: Design | Days 1–30 | Audit current H&S risk assessment practices against ISO 45001 and OSHA requirements; develop standardized assessment template with 5×5 matrix calibrated to your industry; identify all work areas, activities, and roles requiring assessment; secure leadership commitment and assign resources | Gap analysis report; standardized risk assessment template; assessment schedule covering all work areas; leadership commitment letter |
| Phase 2: Execute | Days 31–60 | Conduct hazard identification walk-throughs across all scheduled areas with worker participation; complete risk analysis using the calibrated matrix; apply Hierarchy of Controls to select and document control measures; assign control owners with implementation timelines | Completed risk assessments with hazard registers; risk heatmaps; control implementation plans with named owners; updated safe work procedures |
| Phase 3: Embed | Days 61–90 | Deploy KRI monitoring dashboard tracking TRIR, LTIFR, near-misses, and corrective action completion; communicate all assessment findings to affected workers; deliver first board-level H&S risk report; schedule annual reassessment cadence; launch safety awareness training program | Live KRI dashboard; worker communication records; board H&S risk briefing; annual review calendar; training completion records |
After Day 90, shift to continuous operations: annual comprehensive reassessments, quarterly top-risk reviews, event-triggered reassessments after incidents or changes, and ongoing KRI monitoring.
Feed lessons learned from incidents and near-misses into the next assessment cycle through your risk management lifecycle.
Integrating Health and Safety Risk Assessment into Your ERM and GRC Framework
Health and safety risk does not exist in isolation. Workplace injuries create financial risk (workers’ compensation costs, litigation, fines), operational risk (lost productivity, business disruption), compliance risk (OSHA citations, state penalties), and reputational risk (employer brand damage, recruitment challenges).
Integrating H&S risk assessment into the broader enterprise risk management framework ensures these interconnected impacts are visible at the enterprise level.
Step 1: Include H&S risk categories in your enterprise risk taxonomy. Map workplace hazards alongside operational, strategic, financial, and compliance risks.
Step 2: Roll H&S risk assessment findings into the enterprise risk register. High-severity workplace risks should appear alongside other material enterprise risks.
Step 3: Report H&S KRIs (TRIR, LTIFR, workers’ comp cost trend) to the board within the consolidated risk dashboard. Do not isolate safety data in a separate report that only the safety team reads.
Step 4: Align H&S risk assessment methodology with ISO 31000 and COSO ERM principles. Using the same Likelihood × Impact scales, risk appetite definitions, and reporting formats across all risk domains creates consistency and enables cross-domain risk comparison. Our COSO ERM vs ISO 31000 comparison explains how to blend these frameworks.
Start Your Health and Safety Risk Assessment Today
Workplace injuries are preventable. The organizations that perform structured, standards-aligned health and safety risk assessments consistently outperform their peers on safety outcomes, regulatory compliance, and total cost of risk.
The process is straightforward: identify hazards, assess risks, implement controls following the Hierarchy, document everything, communicate to workers, and review continuously.
Start with the five-step process and the 90-day roadmap above. Walk the workplace. Talk to workers. Score the risks. Apply the Hierarchy of Controls. Track KRIs. Report to leadership. Then iterate relentlessly.
References
1. ISO 45001:2018 — Occupational Health and Safety Management Systems
2. OSHA — Recommended Practices for Safety and Health Programs
3. OSHA — Hierarchy of Controls Worksheet
4. NIOSH — Hierarchy of Controls
5. ISO 31000:2018 — Risk Management Guidelines
6. ISO/IEC 31010:2019 — Risk Assessment Techniques
7. PECB — ISO 45001 OH&S Management System Requirements
8. NQA — How to Implement ISO 45001
9. RoSPA — Understanding the Hierarchy of Control: Practical Applications
10. COSO — Enterprise Risk Management Framework (2017)
11. IIA — Three Lines Model (2020)
12. Bureau of Labor Statistics — Workplace Injuries and Illnesses
13. OSHA — General Duty Clause, Section 5(a)(1) of the OSH Act

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
