Risk Assessment

A systematic process of identifying workplace hazards, evaluating the likelihood and severity of harm they could cause, and determining appropriate controls to eliminate or reduce risk to an acceptable level.

What Is a Risk Assessment?

Key Takeaways

  • A risk assessment is a structured method of examining workplace activities and conditions to identify what could cause harm, how likely that harm is, and what you should do about it.
  • It's a legal requirement in many jurisdictions, including the UK (Management of Health and Safety at Work Regulations 1999) and a core element of ISO 45001 and OSHA's recommended practices.
  • Risk is calculated as the combination of hazard severity and the likelihood of that hazard causing harm. A risk matrix helps visualize and prioritize these combinations.
  • The goal isn't to eliminate all risk, which is impossible, but to reduce it to the lowest level that's reasonably practicable given the nature of the work.
  • Risk assessments aren't one-time events. They must be reviewed regularly, especially when processes change, incidents occur, or new hazards emerge.

A risk assessment answers a simple question: what could go wrong, and how bad would it be? That sounds basic, but doing it well takes discipline. Every workplace has hazards. The box cutter in the warehouse. The cleaning chemicals under the break room sink. The ergonomic setup of 200 identical desk workstations. The stress levels on the customer service floor. Risk assessment is the process of looking at each one, deciding how likely it is to cause harm, how severe that harm could be, and then doing something about the ones that matter most.

Most people think of risk assessment as a health and safety exercise, and it is. But it's also a business exercise. The $167 billion annual cost of work injuries in the US isn't just a safety statistic. It's lost productivity, insurance premiums, legal expenses, and the cost of replacing trained workers. Companies that assess and control risks effectively spend less on all of those.

In the UK, risk assessment is a legal requirement under the Management of Health and Safety at Work Regulations 1999. In the US, OSHA doesn't have a standalone risk assessment standard, but it's embedded throughout OSHA's regulatory framework and recommended practices. ISO 45001, the international occupational health and safety management standard, places risk assessment at the center of the entire system.

  • $167B: Total cost of work injuries in the US in 2022, much of it preventable through risk assessment (NSC)
  • 5,486: Fatal work injuries recorded in the US in 2022 (BLS Census of Fatal Occupational Injuries)
  • ISO 45001: International standard for occupational health and safety management that requires formal risk assessment
  • 2.93M: Nonfatal workplace injuries and illnesses in the US private sector in 2022 (BLS)

The Five Steps of Risk Assessment

The UK's Health and Safety Executive (HSE) established a widely adopted five-step framework that works across industries and organization sizes.

| Step | Action | What's Involved | Output |
|---|---|---|---|
| 1. Identify hazards | Find things that could cause harm | Workplace walk-throughs, review of incident reports, SDS review, employee consultation | Hazard inventory list |
| 2. Decide who might be harmed and how | Consider which workers are exposed and the nature of potential harm | Consider employees, contractors, visitors, vulnerable groups (young workers, pregnant employees) | Exposure analysis |
| 3. Evaluate risks and decide on controls | Assess likelihood and severity, apply hierarchy of controls | Risk matrix scoring, review of existing controls, identify gaps | Prioritized risk register with control measures |
| 4. Record findings and implement | Document the assessment and put controls in place | Written risk assessment, action plans with owners and deadlines | Risk assessment document, implementation plan |
| 5. Review and update | Keep the assessment current | Regular reviews, post-incident reassessments, annual audits | Updated risk assessment with revision history |

Risk Matrices and Scoring

A risk matrix is the standard tool for combining likelihood and severity into a single risk score. It helps teams prioritize which hazards to address first.

How a risk matrix works

The typical matrix uses a 5x5 grid. One axis represents likelihood (rare, unlikely, possible, likely, almost certain). The other represents severity (negligible, minor, moderate, major, catastrophic). Each hazard is plotted on the grid based on these two factors. The intersection gives a risk level: low, medium, high, or critical. Critical and high risks need immediate action. Medium risks need planned controls. Low risks need monitoring. The matrix isn't a precise scientific instrument. It's a decision-making tool that helps teams have structured conversations about where to focus their limited resources.

Common scoring approaches

The simplest approach assigns numerical values: likelihood from 1 (rare) to 5 (almost certain) and severity from 1 (negligible) to 5 (catastrophic). Multiply them for a risk score between 1 and 25. Scores of 15 to 25 are critical, 10 to 14 are high, 5 to 9 are medium, and 1 to 4 are low. Some organizations use different scales or weighting systems, but the principle is the same: combine likelihood and severity to prioritize action. The key is consistency. Whatever scoring system you use, apply it the same way across all assessments.

The Hierarchy of Controls

Once you've identified and scored risks, the hierarchy of controls tells you the most effective way to address them. Controls at the top are more effective because they don't rely on human behavior.

| Control Level | Approach | Effectiveness | Example |
|---|---|---|---|
| 1. Elimination | Remove the hazard entirely | Most effective | Stop using a toxic chemical by switching to a water-based alternative |
| 2. Substitution | Replace the hazard with something less dangerous | Very effective | Use a less hazardous solvent that achieves the same result |
| 3. Engineering controls | Isolate people from the hazard | Effective | Install machine guards, ventilation systems, or noise barriers |
| 4. Administrative controls | Change the way people work | Moderately effective | Job rotation to reduce repetitive strain, safety signage, work permits |
| 5. PPE | Protect the worker with equipment | Least effective (relies on consistent human compliance) | Safety glasses, gloves, hard hats, respirators |

Types of Workplace Risk Assessments

Different situations call for different assessment approaches. Here are the most common types HR and safety teams encounter.

General workplace risk assessment

The broadest type, covering all activities and areas in the workplace. This is the assessment most employers start with: walk through every area, identify hazards, evaluate risks, and document controls. It covers slips and trips, manual handling, workstation ergonomics, electrical safety, fire risks, and general housekeeping. For small businesses with straightforward operations, a single general assessment may be sufficient.

Job hazard analysis (JHA)

Also called a job safety analysis (JSA), this breaks a specific job into individual steps and identifies hazards at each step. It's particularly useful for tasks with multiple hazard points: operating a forklift, working at height, performing maintenance on equipment, or handling chemicals. The JHA format lists each step, the hazard associated with it, and the control measure in place. JHAs are excellent training tools because they walk new employees through the safe way to perform their tasks.

COSHH assessment (UK)

In the UK, the Control of Substances Hazardous to Health (COSHH) Regulations 2002 require specific assessments for work involving hazardous substances. These assessments evaluate exposure levels, compare them to workplace exposure limits (WELs), and determine what controls are needed. COSHH assessments are mandatory whenever employees are exposed to hazardous substances including chemicals, dust, fumes, biological agents, and certain medications.

Psychosocial risk assessment

This is a growing area that evaluates risks from work-related stress, bullying, harassment, excessive workload, poor work-life balance, and organizational change. ISO 45003 (published 2021) provides guidance on managing psychosocial risks. In several European countries, psychosocial risk assessment is now a legal requirement. The assessment methods differ from physical hazard assessments: employee surveys, focus groups, workload analysis, and absence data are common tools. But the five-step framework still applies.

DSE assessment

Display Screen Equipment (DSE) assessments are required in the UK under the Health and Safety (Display Screen Equipment) Regulations 1992 for employees who use computers as a significant part of their work. They evaluate workstation setup, including chair height, monitor position, keyboard placement, lighting, and work breaks. With the shift to remote and hybrid working, DSE assessments now need to cover home workstation setups too.

Documenting Risk Assessments

A risk assessment that isn't documented might as well not exist. Good documentation protects the organization and provides the foundation for ongoing risk management.

What to include

Every written risk assessment should include: the date of the assessment, the assessor's name and qualifications, the area or activity assessed, hazards identified, who might be harmed and how, existing controls already in place, the risk rating (before and after controls), additional controls needed, the person responsible for implementing each control, the target completion date, and the date of the next scheduled review. Keep it clear and practical. A 50-page assessment that nobody reads is less useful than a 3-page one that everyone understands.

Legal requirements for documentation

In the UK, employers with 5 or more employees must record the significant findings of their risk assessments. In the US, OSHA's various standards require documentation of specific assessments (PPE hazard assessment certifications, lockout/tagout energy surveys, process hazard analyses). Even where not strictly required, written risk assessments are the primary evidence that an employer exercised due diligence. In litigation or regulatory investigation, 'we assessed the risks but didn't write it down' is nearly impossible to defend.

Common Risk Assessment Mistakes

Even experienced safety professionals fall into these traps. Awareness of them improves the quality of every assessment you conduct.

  • Doing it as a paper exercise without actually walking the workplace. Desk-based risk assessments miss the hazards that are only visible when you're standing where the work happens.
  • Assessing hazards without consulting the people who do the work. Workers know the shortcuts, the near-misses that never got reported, and the practical realities of their tasks. Leave them out and you'll miss real risks.
  • Treating it as a one-time project. Risk assessments go stale. Processes change, equipment ages, staff turns over, and new hazards emerge. Set a review schedule and stick to it.
  • Focusing only on physical hazards. Psychosocial risks (stress, bullying, excessive workload) cause real harm, including absence, turnover, and mental health crises. They belong in your assessment.
  • Listing hazards without assigning controls or owners. An assessment that identifies 40 risks but doesn't say who is responsible for addressing each one won't drive any action.
  • Using generic templates without tailoring them to the actual workplace. A risk assessment template for a construction site won't cover the hazards in a laboratory. Start with templates if helpful, but customize them to your reality.
  • Underestimating severity because 'it hasn't happened here.' That's survivorship bias. The absence of an incident doesn't mean the risk is low. It means you've been lucky so far.

Workplace Injury and Risk Assessment Statistics [2026]

Data that demonstrates why systematic risk assessment is worth the investment of time and resources.

  • $167B: Total cost of work injuries in the US in 2022 (National Safety Council)
  • 5,486: Fatal work injuries in the US in 2022 (BLS)
  • 2.93M: Nonfatal workplace injuries and illnesses in the US in 2022 (BLS)
  • 40%: Of workplace injuries attributed to overexertion and bodily reaction, identifiable through JHAs (NSC, 2023)

Frequently Asked Questions

Who should conduct workplace risk assessments?

The person conducting the assessment needs to be 'competent,' meaning they understand the hazards, the work processes, and the principles of risk assessment. This doesn't necessarily mean they need a formal qualification. A trained supervisor who knows the work area well can conduct a general risk assessment. For specialized assessments (chemical, noise, ergonomic, psychosocial), you may need someone with specific expertise, either in-house or through an external occupational health and safety consultant. In the UK, employers have a legal duty to appoint a competent person to assist with health and safety, which includes risk assessment.

How often should risk assessments be reviewed?

There's no single legally mandated frequency, but best practice is to review at least annually and after any of these triggers: a workplace accident or near-miss, introduction of new equipment or processes, changes in legislation or industry standards, employee complaints about health or safety conditions, or organizational changes like office moves or restructuring. Don't wait for a trigger if you know the assessment is outdated. A common approach is to review one-third of all assessments each quarter, cycling through the entire portfolio over a year.

Do office-based businesses need risk assessments?

Yes. Office environments have real hazards: slips and trips, ergonomic injuries from workstation setup, electrical hazards, fire risks, stress and mental health risks, and lone working situations. Office risk assessments tend to be less complex than industrial ones, but they're not optional. In the UK, any employer with 5 or more employees must document risk assessments. In the US, OSHA's general duty clause applies to offices just as it applies to factories.

What's the difference between a hazard and a risk?

A hazard is something that has the potential to cause harm: a wet floor, a toxic chemical, an unguarded machine, or excessive noise. A risk is the likelihood that the hazard will actually cause harm, combined with how severe that harm could be. A bottle of concentrated acid on a high shelf in a locked cabinet is a hazard. The risk is low because access is controlled. The same bottle sitting open on a workbench in a busy area is the same hazard, but the risk is much higher because exposure is likely. Risk assessment evaluates both elements.

Can risk assessments reduce insurance premiums?

Often, yes. Workers' compensation insurers use experience modification rates that reflect your claims history. Fewer injuries mean lower premiums. Documented risk assessments, safety programs, and incident trends showing improvement can also influence underwriting decisions. Some insurers offer premium discounts for employers who maintain ISO 45001 certification or participate in voluntary safety programs. The financial return on risk assessment often pays for itself through reduced claims, lower insurance costs, and fewer lost workdays.

Do we need separate risk assessments for remote workers?

Yes, employers have a duty of care to employees working from home. The assessment should cover workstation ergonomics (DSE assessment), electrical safety (the home electrical setup used for work), fire safety (smoke detectors, clear exit routes), and psychosocial risks (isolation, blurred work-life boundaries, excessive working hours). The assessment can often be done through a self-assessment questionnaire completed by the employee and reviewed by the employer. Where issues are identified, the employer should provide guidance, equipment, or adjustments just as they would for an office-based worker.

Written by Adithyan RK
Fact-checked by Surya N
Published on: 25 Mar 2026