A forklift operator backs into an unsecured shelving unit and sends 400 pounds of inventory crashing to the floor. An office worker trips over a cable that has been taped across a corridor for six months.

A chemical spill goes uncontained because the safety data sheet (SDS) binder was outdated and the spill kit was empty. Each of these incidents has one thing in common: someone either failed to assess the risk, or the assessment sat in a binder that nobody opened after it was written.

Risk assessment is the foundation of workplace safety. It is also one of the most misunderstood and poorly executed processes in many organizations.

Done right, it prevents injuries, protects people, reduces costs, and keeps organizations compliant with regulatory requirements. Done poorly, it becomes a paper exercise that gives a false sense of security while real hazards go unaddressed.

This guide walks through the risk assessment process from start to finish. It covers what a risk assessment is, when to conduct one, the widely used five-step methodology (published by the UK Health and Safety Executive and consistent with OSHA's hazard identification and assessment guidance), the ISO 31000:2018 standard, and other authoritative frameworks.

It also covers the tools, techniques, and reporting practices that separate effective risk assessments from checkbox exercises. Whether you manage a construction site, a manufacturing plant, a corporate office, or a public-sector operation, the principles apply.

What Is a Risk Assessment?

A risk assessment is a systematic process for identifying hazards, analyzing the risks those hazards present, evaluating whether existing controls are adequate, and determining what additional measures are needed to reduce risk to an acceptable level.

Two terms matter here. A hazard is anything with the potential to cause harm. That includes physical hazards (unguarded machinery, working at height), chemical hazards (toxic substances, flammable materials), biological hazards (infectious agents, mold), ergonomic hazards (repetitive motion, poor workstation design), and psychosocial hazards (workplace violence, excessive workload, bullying).

A risk is the combination of how likely a hazard is to cause harm and how severe that harm would be. A sharp knife in a kitchen is a hazard. The risk depends on who is using it, how it is stored, what training they have received, and what protective measures are in place.

ISO 31000:2018 defines risk assessment as the overall process of risk identification, risk analysis, and risk evaluation, carried out in a systematic, iterative, and collaborative manner. That definition applies well beyond workplace safety.

Risk assessment is a core component of enterprise risk management, project risk management, financial risk management, cybersecurity, and business continuity. The principles in this guide are universal, though the examples focus on workplace application.

Why Risk Assessments Matter

Risk assessments are not optional. In the United States, OSHA’s General Duty Clause (Section 5(a)(1) of the OSH Act) requires employers to provide a workplace free from recognized hazards likely to cause death or serious physical harm.

Specific OSHA standards require risk assessments for hazards ranging from personal protective equipment selection (29 CFR 1910.132) to process safety management for highly hazardous chemicals (29 CFR 1910.119).

Beyond compliance, the practical reasons are straightforward. Risk assessments prevent injuries and save lives. They protect organizations from enforcement actions, fines, and litigation.

They reduce operational disruption caused by incidents and investigations. They lower workers’ compensation costs and insurance premiums. And they build a safety culture where people feel protected and empowered to speak up about hazards.

According to the British Safety Council, nearly 60% of workplace injuries could be prevented with proper risk assessments. That statistic alone justifies the investment.

When to Conduct a Risk Assessment

Risk assessments are not a one-time event. You should conduct or update a risk assessment when new processes, equipment, or materials are introduced into the workplace, when work conditions change (new location, new shift patterns, new contractors), after an incident, accident, near-miss, or reported concern, when regulations or industry standards change, at regular intervals as part of your ongoing safety management system, and when existing controls are found to be ineffective or insufficient.

For organizations operating under ISO 45001 (occupational health and safety management systems) or similar frameworks, risk assessment is a continuous process integrated into planning and operational controls.

It is not something you complete once and file away. The workplace changes. Risks change with it. For guidance on integrating risk assessment into broader frameworks, see our step-by-step risk assessment guide.

The Five-Step Risk Assessment Process

The widely recognized five-step approach provides a structured methodology that works across industries and hazard types. Each step builds on the previous one to produce a documented, actionable assessment.

Step 1: Identify Hazards

Before you can assess risk, you need to know what could go wrong. Hazard identification is about systematically finding everything in your workplace that has the potential to cause harm.

Walk the workplace. Physical inspections are irreplaceable. Walk through every area, including back-of-house, storage, rooftops, and parking lots. Look at the work being done, not just the space.

Observe how tasks are actually performed, not just how procedures say they should be performed. The gap between written procedures and actual practice is where many hazards hide.

Review records. Examine accident reports, near-miss logs, workers’ compensation claims, maintenance records, and OSHA 300 logs. Patterns in historical data often reveal hazards that have been tolerated rather than addressed.

Talk to workers. The people performing the work know where the hazards are. They know which machines malfunction, which processes create awkward postures, which chemicals cause irritation, and which shortcuts are taken when time pressure builds.

OSHA specifically recommends involving workers in hazard identification because their direct experience is an essential source of information.

Review safety data sheets and manufacturer instructions. For chemicals, review SDS documents for exposure limits, required ventilation, and PPE requirements. For equipment, review manufacturer guidance on safe operation, maintenance schedules, and known failure modes.

Consider all hazard categories. Physical, chemical, biological, ergonomic, psychosocial, environmental, and electrical hazards should all be considered.

A comprehensive approach prevents tunnel vision. Organizations that only look for slip-and-trip hazards miss the ergonomic, chemical, and psychosocial risks that may cause more long-term harm.

Step 2: Determine Who Might Be Harmed and How

For each identified hazard, determine who is exposed. This includes direct operators and workers, other employees who pass through or work nearby, contractors, visitors, and members of the public, and vulnerable groups such as young workers, pregnant workers, workers with disabilities, or lone workers.

Also consider how harm could occur. A chemical hazard might cause acute poisoning through inhalation, chronic illness through repeated skin contact, or environmental contamination through a spill.

Each pathway requires different controls. Identifying the exposure pathway is as important as identifying the hazard itself.

Step 3: Evaluate Risks and Determine Controls

This is the analytical core of the risk assessment. For each hazard, evaluate two factors: the likelihood of harm occurring (considering how often people are exposed, the duration of exposure, and the effectiveness of existing controls) and the severity of the potential consequences (ranging from minor injuries to fatalities, considering both immediate harm and long-term health effects).

The standard formula is: Risk = Likelihood × Severity. Most organizations use a risk matrix (also called a risk assessment matrix) to plot these two dimensions and assign a risk rating.

A typical 5×5 matrix rates likelihood on a 1 to 5 scale with descriptive labels (rare, unlikely, possible, likely, almost certain) and severity on a matching scale (insignificant, minor, moderate, major, catastrophic). The product, from 1 to 25, is mapped to a risk level using thresholds the organization sets and documents: low risk (acceptable with current controls), moderate risk (additional controls should be planned), high risk (immediate action required), and extreme risk (stop the activity until controls are in place).

For more on risk matrix methodology, see our guide on the CRAMM risk assessment method and how to apply structured frameworks to different risk domains.

Select controls using the hierarchy of controls. This is a critical step that many assessments handle poorly. The hierarchy of controls, recognized by OSHA and NIOSH, prioritizes control measures by effectiveness. Elimination removes the hazard entirely (the most effective control). Substitution replaces the hazard with something less dangerous. Engineering controls isolate people from the hazard through physical changes (guards, ventilation, barriers).

Administrative controls change the way people work (procedures, training, signage, job rotation). Personal protective equipment (PPE) provides a last line of defense when other controls cannot fully eliminate the risk.

The hierarchy matters because too many organizations jump straight to PPE and training without considering whether the hazard could be eliminated or engineered out. PPE is the least reliable control because it depends on individual compliance every time the task is performed, and on the equipment being correctly selected, fitted, and maintained.
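The scoring in this step and the hierarchy-of-controls check are easy to automate so that the register itself flags entries that rely on people rather than on physical controls. The following is an added example, not code from the original guide. It implements the 1 to 5 Likelihood × Severity score, one assumed set of band thresholds (4 and below low, 5 to 9 moderate, 10 to 15 high, 16 and above extreme; organizations set their own), and a check that reports any hazard whose existing controls are all administrative or PPE. The three register entries are constructed from the incidents in the introduction; the control classifications are assumptions for illustration.

```python
from dataclasses import dataclass, field

# 1 to 5 scales from the 5x5 matrix described in the text.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Hierarchy of controls (OSHA/NIOSH), ordered most to least effective.
HIERARCHY = ("elimination", "substitution", "engineering", "administrative", "ppe")
# Levels that remove or isolate the hazard instead of relying on behaviour.
HARD_CONTROLS = {"elimination", "substitution", "engineering"}


def risk_score(likelihood: str, severity: str) -> int:
    """Risk = Likelihood x Severity, both on 1 to 5 scales."""
    return LIKELIHOOD[likelihood] * SEVERITY[severity]


def risk_band(score: int) -> str:
    """Map a 1 to 25 score to an action band. Thresholds are an assumed convention."""
    if score >= 16:
        return "extreme"    # stop the activity until controls are in place
    if score >= 10:
        return "high"       # immediate action required
    if score >= 5:
        return "moderate"   # additional controls should be planned
    return "low"            # acceptable with current controls


@dataclass
class Hazard:
    description: str
    who_is_harmed: str
    likelihood: str
    severity: str
    # Existing controls: control name -> hierarchy level.
    controls: dict = field(default_factory=dict)

    def strongest_control_level(self):
        """Highest hierarchy level present among existing controls, or None."""
        levels = set(self.controls.values())
        for level in HIERARCHY:
            if level in levels:
                return level
        return None

    def relies_on_behaviour(self) -> bool:
        """True when no elimination, substitution or engineering control exists."""
        return not (set(self.controls.values()) & HARD_CONTROLS)


def assess(hazards):
    """Score every hazard and return rows sorted highest risk first."""
    rows = []
    for h in hazards:
        score = risk_score(h.likelihood, h.severity)
        rows.append({
            "hazard": h.description,
            "who": h.who_is_harmed,
            "score": score,
            "band": risk_band(score),
            "strongest_control": h.strongest_control_level(),
            "hierarchy_gap": h.relies_on_behaviour(),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed register entries based on the incidents in the introduction.
SAMPLE_HAZARDS = [
    Hazard("Forklift strikes unsecured shelving unit", "operators, pickers nearby",
           "possible", "major",
           {"operator training": "administrative", "high-visibility vests": "ppe"}),
    Hazard("Cable taped across corridor", "all staff, visitors",
           "likely", "minor",
           {"tape over cable": "administrative"}),
    Hazard("Solvent spill in storage area", "storeroom staff",
           "unlikely", "major",
           {"bunded storage": "engineering", "spill kit and SDS": "administrative"}),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_HAZARDS):
        flag = "  <- no elimination/substitution/engineering control" if row["hierarchy_gap"] else ""
        print(f'{row["score"]:>2} {row["band"]:<8} {row["hazard"]}{flag}')
```

Running it lists the forklift hazard first (score 12, high) and flags both it and the taped cable because their only controls are training, vests, or tape. The solvent entry scores the same as the cable (8, moderate) but is not flagged, since bunded storage is an engineering control.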

Step 4: Record Your Findings

Documentation is both a legal requirement in many jurisdictions (in the UK, for example, employers with five or more employees must record the significant findings of their risk assessments) and a practical necessity.

A risk assessment record should capture the hazards identified, who might be harmed and how, the existing controls in place, the risk rating (likelihood, severity, overall score), the additional controls required, the person responsible for implementing each control, and the target completion date.

Keep the documentation clear, specific, and actionable. Avoid vague entries like “ensure safe working” or “train staff.” Instead, write “Install fixed guard on belt drive mechanism by March 15. Responsible: Maintenance Supervisor.” Specificity drives accountability. For practical guidance on documentation, see our guide on how to conduct a risk assessment.

Step 5: Review, Update, and Improve

A risk assessment is a living document. It must be reviewed and updated when workplace conditions change, after incidents or near-misses reveal new information, when new equipment, processes, or substances are introduced, at scheduled intervals (annually at minimum for most workplaces), and when monitoring or audit findings indicate that controls are not working.

The review cycle closes the loop. It is what transforms risk assessment from a static document into a continuous improvement process. Organizations that embed review into their safety management system consistently outperform those that treat risk assessment as a periodic compliance exercise.

Qualitative vs. Quantitative Risk Assessment

There are two broad approaches to analyzing risk, and the most effective programs use both.

Qualitative Risk Assessment

Qualitative assessment uses descriptive scales (high, medium, low) and expert judgment to evaluate risks. It is fast, intuitive, and accessible. It works well for general workplace hazards, routine tasks, and situations where precise data is not available. Most workplace risk assessments start here.

The limitation is subjectivity. Two assessors looking at the same hazard may assign different likelihood and severity ratings based on their experience and risk tolerance. Calibration workshops, where assessors discuss and align their ratings against reference scenarios, help reduce inconsistency.

Quantitative Risk Assessment

Quantitative assessment assigns numerical values to probability and impact, often using statistical data, failure rates, exposure modeling, or simulation techniques such as Monte Carlo analysis.

It is essential for high-consequence environments like chemical processing, nuclear facilities, oil and gas operations, and major hazard installations where regulatory requirements demand quantitative risk analysis (QRA).

Quantitative methods produce more defensible, data-driven results but require more time, expertise, and data. For most general workplace risk assessments, a qualitative or semi-quantitative approach (using numerical scales within a risk matrix) provides sufficient rigor. For complex or high-consequence risks, quantitative analysis adds precision. Our guide on scenario-based risk assessment covers how to use scenario analysis to bridge qualitative and quantitative approaches.

Risk Assessment Tools and Techniques

Several tools and techniques support the risk assessment process. Choosing the right tool depends on the complexity of the hazard, the regulatory context, and the available resources.

Risk matrix (likelihood × severity). The most common tool. A 5×5 matrix is standard in most industries, though 3×3 and 4×4 versions are used in lower-complexity environments. The matrix provides a visual, color-coded representation of risk levels that supports prioritization and communication.

Hazard and Operability Study (HAZOP). A structured technique for identifying potential hazards in process systems. HAZOP applies guide words (no/not, more, less, as well as, part of, reverse, other than) to process parameters such as flow, pressure, and temperature to systematically explore how deviations from design intent could create hazardous conditions. It is widely used in chemical, petrochemical, and pharmaceutical industries.

Failure Mode and Effects Analysis (FMEA). A method for identifying potential failure modes in a system, product, or process, evaluating their effects, and prioritizing them for corrective action. FMEA rates each failure mode for severity, occurrence, and detection (typically on 1 to 10 scales, where 10 is worst) and uses a Risk Priority Number (RPN) calculated as Severity × Occurrence × Detection to rank failures.
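As an added worked example (not from the original guide), the following computes RPNs for three constructed conveyor failure modes rated 1 to 10 and ranks them for action. It also applies an assumed severity floor: failure modes rated 9 or 10 for severity are listed first regardless of RPN. That is a common FMEA practice because a pure RPN sort can rank a frequent, low-harm nuisance above a rare but potentially fatal failure, which is exactly what happens with the sample data below.

```python
# FMEA ranking by Risk Priority Number with a severity override.
# Added example; the failure modes and ratings below are constructed.

SEVERITY_FLOOR = 9   # assumed convention: severity 9-10 is always reviewed first


def rpn(severity: int, occurrence: int, detection: int) -> int:
    """RPN = Severity x Occurrence x Detection, each rated 1 to 10 (10 = worst)."""
    for value in (severity, occurrence, detection):
        if not 1 <= value <= 10:
            raise ValueError("FMEA ratings must be integers in 1..10")
    return severity * occurrence * detection


def rank_failure_modes(modes):
    """Return failure modes ordered for action.

    Severity-critical modes (S >= SEVERITY_FLOOR) come first, then everything
    is ordered by descending RPN. Sorting on RPN alone would bury the two
    guard/e-stop failures below the bearing nuisance in the sample data.
    """
    ranked = []
    for m in modes:
        score = rpn(m["S"], m["O"], m["D"])
        ranked.append({**m, "rpn": score, "critical": m["S"] >= SEVERITY_FLOOR})
    return sorted(ranked, key=lambda m: (not m["critical"], -m["rpn"]))


def rank_by_rpn_only(modes):
    """Plain RPN ordering, kept for comparison with the override above."""
    return sorted(
        ({**m, "rpn": rpn(m["S"], m["O"], m["D"])} for m in modes),
        key=lambda m: -m["rpn"],
    )


# Constructed example: a belt conveyor with three failure modes.
CONVEYOR_FMEA = [
    {"mode": "belt drive guard removed for cleaning, not refitted", "S": 9, "O": 2, "D": 3},
    {"mode": "emergency stop wiring loosens", "S": 10, "O": 1, "D": 4},
    {"mode": "roller bearing seizes, belt slips", "S": 3, "O": 7, "D": 5},
]

if __name__ == "__main__":
    print("RPN only:")
    for m in rank_by_rpn_only(CONVEYOR_FMEA):
        print(f'  {m["rpn"]:>3}  {m["mode"]}')
    print("With severity floor:")
    for m in rank_failure_modes(CONVEYOR_FMEA):
        tag = "CRITICAL" if m["critical"] else ""
        print(f'  {m["rpn"]:>3}  {tag:<8} {m["mode"]}')
```

The bearing failure has the highest RPN (3 × 7 × 5 = 105) and would top a plain RPN list; the two severity-9 and severity-10 failures (RPN 54 and 40) move ahead of it once the floor is applied.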

Bow-tie analysis. A visual tool that maps the relationship between hazard causes (on the left), the top event (in the center), consequences (on the right), and the preventive and mitigating controls on each side. Bow-tie diagrams are excellent for communicating complex risk scenarios to non-technical audiences.

Job Safety Analysis (JSA) or Job Hazard Analysis (JHA). A technique that breaks a job into its component steps and identifies hazards associated with each step. JSAs are practical, task-specific, and involve the workers who perform the job. They are particularly effective for high-risk routine tasks like confined space entry, working at height, or hot work.

Checklists. Simple but effective for routine inspections and standardized assessments. Checklists ensure consistency and completeness but should not substitute for analytical thinking. A checklist tells you what to look for; it does not tell you what the risk means or what to do about it.

For a detailed comparison of risk assessment methodologies including CRAMM and ISO 12100, see our resources on CRAMM risk assessment and ISO 12100 risk assessment templates.

Risk Assessment Reporting: Making Findings Actionable

A risk assessment is only as valuable as the action it drives. Reporting is how findings reach the people who need to make decisions and allocate resources.

Write for your audience. A report to senior management should lead with the highest-priority risks and the resources needed to address them. A report to frontline supervisors should focus on specific actions they need to take.

A compliance report for regulators needs to demonstrate the methodology, evidence base, and control adequacy.

Use visual tools. Risk matrices, heat maps, and trend charts communicate risk levels more effectively than pages of text. A color-coded risk register that shows red, amber, and green ratings gives decision-makers an immediate understanding of where attention is needed.

Follow the What, So What, Now What framework. For each significant risk, state what the risk is, explain why it matters (the so what), and specify what action is required, by whom, and by when (the now what). This structure ensures that every finding leads to a decision or action.

Track actions to closure. A risk register without follow-up is a list of good intentions. Assign each action to a named owner with a due date. Track completion status. Verify that implemented controls are actually reducing risk. Report on action closure rates as a KPI for your safety management program. For guidance on integrating risk metrics into broader reporting, see our article on enterprise risk management key risk indicators.
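The record format from Step 4 ("Install fixed guard on belt drive mechanism by March 15. Responsible: Maintenance Supervisor."), the review interval from Step 5, and the tracking rules in this section can be enforced with a few lines of code rather than left to memory. The following is an added example, not code from the original guide. It holds a constructed register of four actions and two area assessments, with an assumed as-of date of 1 May 2025, and reports overdue actions, actions with no named owner, actions closed on paper but never verified, the closure-rate KPI (counting only actions that are both closed and verified), and areas whose annual review is past due.

```python
from datetime import date, timedelta

# Added example with constructed data. TODAY is an assumed reporting date.
TODAY = date(2025, 5, 1)
REVIEW_INTERVAL = timedelta(days=365)   # "annually at minimum" per the guide

# Each action names a hazard, a specific fix, a named owner and a due date,
# as Step 4 requires. "verified" means someone confirmed the control works.
ACTIONS = [
    {"id": "A-01", "hazard": "Belt drive unguarded",
     "action": "Install fixed guard on belt drive mechanism",
     "owner": "Maintenance Supervisor", "due": date(2025, 3, 15),
     "status": "closed", "verified": True},
    {"id": "A-02", "hazard": "Cable taped across corridor",
     "action": "Route cable through overhead tray",
     "owner": "Facilities Lead", "due": date(2025, 2, 28),
     "status": "open", "verified": False},
    {"id": "A-03", "hazard": "Forklift/shelving collision",
     "action": "Fit rack-end barriers in aisles 3 to 6",
     "owner": "Warehouse Manager", "due": date(2025, 6, 30),
     "status": "closed", "verified": False},
    {"id": "A-04", "hazard": "Solvent storage",
     "action": "Install bunded solvent cabinet",
     "owner": "", "due": date(2025, 4, 1),
     "status": "open", "verified": False},
]

ASSESSMENTS = [
    {"area": "Warehouse", "last_reviewed": date(2024, 1, 10)},
    {"area": "Office", "last_reviewed": date(2025, 2, 3)},
]


def overdue(actions, today=TODAY):
    """Open actions whose due date has passed."""
    return [a for a in actions if a["status"] != "closed" and a["due"] < today]


def unowned(actions):
    """Actions with no named owner: a list of good intentions."""
    return [a for a in actions if not a["owner"].strip()]


def closed_unverified(actions):
    """Closed on paper, but nobody has confirmed the control reduces risk."""
    return [a for a in actions if a["status"] == "closed" and not a["verified"]]


def closure_rate(actions):
    """Share of actions that are closed AND verified (the KPI from the text)."""
    if not actions:
        return 0.0
    done = sum(1 for a in actions if a["status"] == "closed" and a["verified"])
    return done / len(actions)


def reviews_due(assessments, today=TODAY, interval=REVIEW_INTERVAL):
    """Assessments not reviewed within the required interval."""
    return [a for a in assessments if today - a["last_reviewed"] > interval]


def status_report(actions=ACTIONS, assessments=ASSESSMENTS, today=TODAY):
    """One dictionary a reporting tool can turn into the red/amber/green view."""
    return {
        "as_of": today.isoformat(),
        "closure_rate": closure_rate(actions),
        "overdue": [a["id"] for a in overdue(actions, today)],
        "unowned": [a["id"] for a in unowned(actions)],
        "closed_unverified": [a["id"] for a in closed_unverified(actions)],
        "reviews_due": [a["area"] for a in reviews_due(assessments, today)],
    }


if __name__ == "__main__":
    for key, value in status_report().items():
        print(f"{key:>18}: {value}")
```

On the sample data the closure rate is 25 percent, not 50: A-03 is marked closed but was never verified, so it does not count. A-02 and A-04 are overdue, A-04 has no owner, and the warehouse assessment is more than a year old. Each of those is a line in the report rather than a surprise at the next audit.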

Common Mistakes in Risk Assessment

Across hundreds of risk assessments in different industries, the same mistakes appear repeatedly. Avoiding them will dramatically improve the quality and impact of your assessments.

Treating risk assessment as a paperwork exercise. If the assessment exists to satisfy an auditor but nobody consults it when making operational decisions, it is not protecting anyone. The assessment must be a working document that drives behavior.

Assessing the generic workplace instead of actual tasks. A risk assessment that says “office environment – low risk” misses ergonomic hazards at specific workstations, electrical risks from overloaded power strips, and psychosocial hazards from excessive workload. Assess the actual work, not the building category.

Skipping the people who do the work. Risk assessments written by managers in conference rooms without input from frontline workers miss the hazards that workers navigate every day. Worker participation is not just best practice. It is an OSHA-recommended element of effective safety programs.

Defaulting to PPE as the primary control. The hierarchy of controls exists for a reason. If your risk assessment response to every hazard is “provide PPE and training,” you are not using the hierarchy. Ask first whether the hazard can be eliminated, substituted, or engineered out before relying on individual compliance.

Failing to review and update. A risk assessment from 2019 does not reflect the hazards of 2025. Equipment changes, processes evolve, new chemicals are introduced, and workforce composition shifts. If your assessments are not current, your controls may not be relevant.

Confusing hazard identification with risk assessment. Identifying that “a wet floor is a slip hazard” is only the beginning. Risk assessment requires evaluating the likelihood and severity, considering who is exposed, evaluating existing controls, and determining whether additional action is needed. Identification without analysis is incomplete.

Specialized Risk Assessments

While the five-step process applies universally, some hazards require specialized assessment approaches mandated by specific regulations.

COSHH assessments (Control of Substances Hazardous to Health) evaluate risks from exposure to hazardous substances, including chemicals, dust, fumes, and biological agents. They require specific attention to exposure routes, occupational exposure limits, and health surveillance requirements.

Manual handling assessments evaluate the risks of musculoskeletal injuries from lifting, carrying, pushing, and pulling tasks. They consider the task, the individual, the load, and the environment (the TILE framework).

Display screen equipment (DSE) assessments evaluate ergonomic risks for workers who use computers and other display screen equipment regularly. They cover workstation layout, screen position, seating, lighting, and work breaks.

Fire risk assessments identify fire hazards, evaluate the risk of fire starting and spreading, and assess the adequacy of fire prevention and protection measures including detection, alarm systems, escape routes, and firefighting equipment.

Industry-specific assessments also exist for construction, transportation, healthcare, oil and gas, and other high-hazard sectors. For examples in specific domains, see our guides on transportation risk assessment and product risk assessment.

Connecting Risk Assessment to Broader Risk Management

Risk assessment does not exist in isolation. It is the analytical engine within a broader risk management system. In organizational terms, workplace risk assessments should connect upward to the enterprise risk management framework, ensuring that operational safety risks are visible to senior leadership and the board alongside strategic, financial, and compliance risks.

The ISO 31000 risk management process provides the overarching structure: establish scope, context, and criteria; assess risk (identify, analyze, evaluate); treat risk; and monitor and review, with communication and consultation and recording and reporting running alongside every stage. Workplace risk assessment fits within the assessment phase. The treatment phase corresponds to implementing controls. The monitoring phase corresponds to review and update.

Organizations that connect workplace safety risk assessments to their enterprise risk framework gain several advantages.

They can aggregate risks across locations and functions to identify systemic issues. They can allocate resources based on enterprise-wide risk priorities rather than site-level anecdotes.

They can report to leadership and the board in a consistent format. And they can demonstrate to regulators and auditors that safety risk management is integrated, not siloed. For guidance on building that integration, see our article on risk management integration.

Next Steps

If you do not have a structured risk assessment process, start with the five steps outlined in this guide. Begin with your highest-risk activities and work outward. If you already have risk assessments in place, audit them for quality.

Ask whether they reflect current conditions, involve the right people, use the hierarchy of controls properly, and drive action rather than just documentation.

The organizations that achieve the best safety outcomes are the ones that treat risk assessment as a continuous capability embedded in daily operations, not a periodic compliance task filed in a binder. The process is straightforward. The discipline to do it consistently is what separates safe workplaces from dangerous ones.

Looking for more practical risk management guidance? Explore riskpublishing.com for actionable frameworks on enterprise risk management, business continuity management, and project risk management that you can implement today.

Sources and Further Reading

1. OSHA, Hazard Identification and Assessment: osha.gov

2. ISO 31000:2018, Risk Management Guidelines: iso.org

3. British Safety Council, Risk Assessments Guide: britsafe.org

4. SafetyCulture, Risk Assessment Process, Tools, and Techniques: safetyculture.com

5. Evotix, The Risk Assessment Playbook: evotix.com

6. NIOSH, Hierarchy of Controls: cdc.gov/niosh
