What Is a Workplace Risk Assessment?
A workplace risk assessment is a systematic examination of the workplace to identify hazards, evaluate the likelihood and severity of harm those hazards could cause, and determine appropriate control measures. It is the foundational process of proactive occupational health and safety management — identifying what could go wrong before it does.
Risk assessment is not optional. Under OSHA's General Duty Clause (Section 5(a)(1) of the OSH Act), employers must provide a workplace free from recognised hazards that are causing or are likely to cause death or serious physical harm. Risk assessment is the primary mechanism for identifying those recognised hazards and demonstrating that appropriate action has been taken. ISO 45001 — the international occupational health and safety management system standard — goes further, explicitly requiring organisations to "identify hazards and assess OH&S risks" as a core planning requirement.
In the UK, the Management of Health and Safety at Work Regulations 1999 (Regulation 3) require all employers to conduct "suitable and sufficient" risk assessments. Employers with five or more employees must record the significant findings in writing. Similar requirements exist in Australia (Work Health and Safety Acts), Canada (provincial OHS legislation), and the European Union (Framework Directive 89/391/EEC).
Beyond compliance, well-executed risk assessment is the most cost-effective safety intervention available. For every dollar spent preventing workplace injuries through systematic hazard management, OSHA estimates a $4–$6 return in avoided costs. The risk assessment process described in this guide — when embedded in an organisation's routine — enables that return.
The 5-Step Workplace Risk Assessment Process
The five-step framework below is derived from the Health and Safety Executive (HSE UK) model, which is widely used internationally and aligned with ISO 45001 hazard identification and risk assessment requirements. It applies to any industry, hazard type, or organisation size.
Identify Hazards
Hazard identification requires looking at the workplace with fresh eyes — walking the physical environment, examining work processes, and consulting the people who do the work. A hazard is anything with the potential to cause harm: physical energy (falling objects, moving machinery, electricity), chemical substances, biological agents, ergonomic factors (repetitive motions, manual handling loads), and psychosocial factors (excessive workload, workplace conflict, lone working).
Effective hazard identification draws from multiple sources:
- Physical walkthrough of the workplace — look at all areas including rarely visited locations, roof access, confined spaces, maintenance areas
- Review of incident and near miss records — past events are reliable indicators of future hazards
- Worker consultation — the people performing the work have direct knowledge of hazards that are invisible to a walkthrough
- Manufacturer safety data sheets and equipment manuals — chemical hazards and machinery hazards are documented by law
- Industry-specific hazard checklists — standard lists for construction, manufacturing, healthcare, and other sectors
- Regulatory standards and enforcement data — OSHA's most-cited standards indicate where hazards are commonly found
Determine Who Might Be Harmed and How
For each identified hazard, identify which people could be harmed and under what circumstances. This step is often abbreviated in practice — don't skip it. Comprehensive exposure mapping identifies:
- Routine workers who perform the task regularly
- Occasional workers — maintenance, cleaning, inspection staff who enter the hazard area periodically
- Contractors and subcontractors — who may be unaware of site-specific hazards
- Visitors, customers, or members of the public — particularly in retail, healthcare, and construction
- Groups with specific vulnerabilities: new workers (less experienced, not yet task-competent), young workers, pregnant workers, workers with disabilities or health conditions, lone workers
- Mechanism of harm — not just 'someone could fall' but 'a worker ascending the fixed ladder while carrying equipment could lose balance at height due to inadequate handhold width'
Evaluate the Risk and Decide on Precautions
Risk evaluation combines the likelihood of harm occurring with the severity of the potential consequence to produce a risk rating — typically scored on a matrix and categorised as high, medium, or low. The risk rating drives control priority: high risks require immediate action; medium risks require a planned improvement schedule; low risks are tolerable with existing controls.
Once risks are rated, apply the hierarchy of controls (see below) to identify the most effective practicable control for each significant hazard. Start at the top of the hierarchy — elimination — and work down only when higher controls are not practicable.
Record Your Findings and Implement Controls
Document every significant hazard, the risk rating, and the controls selected. Assign a responsible person and a target completion date for each control that requires implementation. In the UK, employers with five or more employees must document their significant findings in writing — but even smaller employers benefit from written records as evidence of due diligence.
A risk assessment register — maintained digitally in an HSE management system like HSETrack — provides a single, searchable repository of all risk assessments, enabling periodic review, regulatory inspection preparation, and ISO 45001 audit support. Each assessment should be version-controlled so the history of hazard management decisions is visible.
Review and Update the Assessment
Risk assessment is not a one-off exercise. Hazards change as processes change, equipment ages, new chemicals are introduced, or organisational structures shift. Assessments must be reviewed:
- After any incident or near miss involving the assessed hazard
- When a significant change occurs — new equipment, process change, workplace restructuring, or new legislation
- When new information about a hazard becomes available (new scientific evidence on chemical exposure limits, updated machinery guarding standards)
- At a regular scheduled interval — at least annually as a baseline; more frequently in high-hazard environments
- When a worker or their representative raises a concern about the adequacy of existing controls
Risk Matrix: A Practical Template
A risk matrix provides a structured, consistent method for evaluating and comparing risks across an organisation. The 5×5 matrix below uses five likelihood categories and five severity categories to produce 25 possible risk combinations, grouped into three bands.
Severity categories: Negligible (no injury), Minor (first aid), Moderate (medical treatment, short absence), Major (serious injury, long-term absence), Critical (fatality or permanent disability).
| Likelihood ↓ / Severity → | Negligible | Minor | Moderate | Major | Critical |
|---|---|---|---|---|---|
| Almost Certain | Low | Medium | High | High | High |
| Likely | Low | Medium | Medium | High | High |
| Possible | Low | Low | Medium | Medium | High |
| Unlikely | Low | Low | Low | Medium | Medium |
| Rare | Low | Low | Low | Low | Medium |
Organisations should calibrate their risk matrix thresholds to reflect their risk tolerance, regulatory environment, and industry. A construction company operating at height may set a lower threshold for "critical" severity than an office-based employer. Whatever matrix is used, the key is consistency — applying the same criteria across all assessments so that risk ratings are comparable.
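As an added example (not code from the page or from HSETrack), the matrix and the review triggers above implemented as a small risk register in Python. The hazards, review dates and incident dates are constructed sample data, and the 365-day interval is the annual baseline the guide recommends.

```python
# Added example: apply the 5x5 matrix consistently and check review triggers.
from datetime import date, timedelta

LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]
SEVERITY = ["Negligible", "Minor", "Moderate", "Major", "Critical"]

# Bands copied from the matrix above: rows in LIKELIHOOD order (Rare first),
# columns in SEVERITY order (Negligible first).
MATRIX = [
    ["Low", "Low", "Low", "Low", "Medium"],       # Rare
    ["Low", "Low", "Low", "Medium", "Medium"],    # Unlikely
    ["Low", "Low", "Medium", "Medium", "High"],   # Possible
    ["Low", "Medium", "Medium", "High", "High"],  # Likely
    ["Low", "Medium", "High", "High", "High"],    # Almost Certain
]
PRIORITY = {"High": "immediate action", "Medium": "planned improvement",
            "Low": "tolerable with existing controls"}

def rate(likelihood, severity):
    """Risk band for a likelihood/severity pair; ValueError on an unknown label."""
    return MATRIX[LIKELIHOOD.index(likelihood)][SEVERITY.index(severity)]

def review_due(assessment, today, incident_dates=(), interval_days=365):
    """Return the review trigger that fires (scheduled interval elapsed, or an
    incident after the last review), or None if the assessment is current."""
    last = assessment["last_review"]
    if today - last >= timedelta(days=interval_days):
        return "scheduled interval elapsed"
    if any(d > last for d in incident_dates):
        return "incident since last review"
    return None

def prioritise(register):
    """Rate every entry and order High -> Medium -> Low so control priority is explicit."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    rated = [dict(a, band=rate(a["likelihood"], a["severity"])) for a in register]
    return sorted(rated, key=lambda a: order[a["band"]])

# Constructed sample register (hazards, dates and incidents are made up)
SAMPLE = [
    {"hazard": "fixed ladder ascent while carrying equipment", "likelihood": "Possible",
     "severity": "Critical", "last_review": date(2024, 1, 10), "incidents": []},
    {"hazard": "solvent-based paint in spray booth", "likelihood": "Likely",
     "severity": "Moderate", "last_review": date(2024, 11, 2), "incidents": [date(2024, 12, 15)]},
    {"hazard": "trailing cable in office corridor", "likelihood": "Unlikely",
     "severity": "Minor", "last_review": date(2024, 9, 1), "incidents": []},
]

def register_report(today_iso="2025-03-01"):
    """Map each hazard to (band, control priority, review trigger), highest risk first."""
    today = date.fromisoformat(today_iso)
    return {a["hazard"]: (a["band"], PRIORITY[a["band"]], review_due(a, today, a["incidents"]))
            for a in prioritise(SAMPLE)}
```

Calling `register_report()` returns each sample hazard's band, the control priority the band implies, and whichever review trigger fires on the given date.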
The Hierarchy of Controls
The hierarchy of controls is the most important framework in risk management — it establishes which types of control measures are most reliable and should be considered first. OSHA, NIOSH, and ISO 45001 all reference the hierarchy of controls as the basis for selecting risk controls. The hierarchy runs from most to least effective:
1. Elimination
Physically remove the hazard from the workplace. This is the most effective control because it means the hazard no longer exists. Examples: removing a trip hazard entirely, discontinuing use of a hazardous chemical, automating a task that exposes workers to injury risk.
2. Substitution
Replace a hazardous material or process with a less hazardous one. Examples: replacing a solvent-based paint with a water-based alternative, using a lighter material to reduce manual handling load, switching to a lower-voltage electrical tool.
3. Engineering Controls
Isolate people from the hazard through physical design modifications. These controls do not depend on worker behaviour. Examples: machine guarding, ventilation extraction systems, interlocked access gates, noise enclosures, anti-vibration mounts.
4. Administrative Controls
Change how people work to reduce exposure. These controls depend on consistent worker and supervisor behaviour to be effective. Examples: written safe work procedures, permit-to-work systems, job rotation to reduce repetitive strain, training programmes, safe work schedules.
5. Personal Protective Equipment (PPE)
Protect the individual worker as the final barrier against harm. PPE does not reduce or eliminate the hazard — it only protects the wearer if all other controls fail. Examples: hard hats, safety glasses, gloves, hearing protection, respirators, fall arrest harnesses. PPE should only be relied upon after higher-order controls have been applied.
Combining Controls
In practice, most effective risk management uses a combination of controls from multiple levels of the hierarchy. A chemical handling task might combine substitution (lower-toxicity chemical), engineering controls (ventilation extraction), administrative controls (written handling procedure, training), and PPE (chemical-resistant gloves, safety glasses). The important principle is that PPE should never be the primary control — it is always the last line of defence, used in combination with higher-order controls.
Regulatory Requirements for Risk Assessment
Risk assessment requirements vary by jurisdiction, but the underlying obligation is consistent: employers must systematically identify hazards and implement appropriate controls. Key frameworks include:
OSHA (United States)
OSHA does not have a general risk assessment regulation comparable to the UK or EU. However, risk assessment obligations exist throughout OSHA standards — the Process Safety Management standard (29 CFR 1910.119) requires detailed Process Hazard Analysis for facilities handling highly hazardous chemicals; the PPE standard (1910.132) requires hazard assessments to justify PPE selection; and the General Duty Clause creates a broad obligation to address recognised hazards. OSHA's Voluntary Protection Programs and Safety and Health Program guidelines recommend a systematic hazard identification and control process aligned with ISO 45001.
ISO 45001 (International)
ISO 45001 Clause 6.1 (Actions to address risks and opportunities) requires organisations to identify hazards, assess OH&S risks, assess other risks and opportunities, and determine necessary actions. The standard emphasises that hazard identification should be proactive, systematic, and cover all workers (including contractors), all work activities, and all facilities. ISO 45001 requires documented information — risk assessment records — as evidence of compliance. For organisations seeking certification, the risk assessment process must be fully documented, reviewed regularly, and integrated with corrective action and improvement processes.
UK Health and Safety at Work Act / MHSWR
Under the Management of Health and Safety at Work Regulations 1999 (Regulation 3), all UK employers must conduct suitable and sufficient risk assessments. Employers with five or more employees must document significant findings. The UK HSE provides the Five Steps to Risk Assessment guidance, which forms the basis of the process described in this guide. Sector-specific regulations — CDM for construction, COSHH for chemicals, DSEAR for explosive atmospheres, LOLER for lifting equipment — impose additional risk assessment requirements on top of the general requirement.
Industry-Specific Hazard Types
While the risk assessment process is universal, the hazard profile varies significantly by industry. Understanding the characteristic hazards of your sector focuses the assessment effort on the areas of greatest risk:
Construction
- Falls from height (roofs, scaffolding, excavations)
- Struck-by hazards (vehicles, falling objects, equipment)
- Electrical contact from buried/overhead services
- Caught-in incidents from excavation collapse or plant
- Silica dust, wood dust, and asbestos exposure
- Manual handling during materials handling tasks
Manufacturing
- Machinery entrapment and entanglement
- Hazardous energy release (LOTO failure)
- Chemical exposure (process chemicals, cleaning agents, lubricants)
- Noise-induced hearing loss from sustained exposure
- Ergonomic injuries from repetitive tasks and static postures
- Forklift and pedestrian interface in warehousing areas
Healthcare
- Manual handling of patients — musculoskeletal injury risk
- Needlestick and sharps injuries — bloodborne pathogen exposure
- Workplace violence from patients and visitors
- Exposure to infectious agents and biological hazards
- Chemical exposure (disinfectants, anaesthetic agents, chemotherapy)
- Slips and trips in clinical environments
Oil, Gas & Utilities
- High-pressure process equipment failure
- Flammable and explosive atmospheres (ATEX zones)
- H2S and toxic gas exposure in confined spaces
- Dropped objects at height during offshore operations
- High-voltage electrical hazards in utilities
- Isolation failures during maintenance (LOTO / energy isolation)
How Risk Assessment Software Automates the Process
Paper-based and spreadsheet risk assessments are difficult to maintain, rarely reviewed on schedule, and almost impossible to analyse for trends. Digital risk assessment — integrated into an HSE management system like HSETrack — transforms risk assessment from a static compliance document into a living operational tool.
Centralised Risk Register
All risk assessments stored in a searchable, version-controlled register. Safety managers see the full risk profile at a glance — every hazard, rating, control, and review date — without hunting through shared drives or filing cabinets.
Scheduled Review Reminders
Automatic reminders when assessments are due for review. Review-date breaches appear in the safety manager's dashboard with escalation alerts — ensuring no assessment becomes stale without action.
Integration with Incident Data
When an incident occurs involving a hazard that is included in a risk assessment, the software can flag the assessment for immediate review. Incident patterns — repeat near misses or incidents in the same location or task type — are automatically surfaced as potential risk assessment gaps.
Corrective Action Tracking
Control implementation actions from risk assessments are assigned, tracked, and escalated within the same platform as incident corrective actions — creating a single corrective action register with full visibility across the organisation.
Audit-Ready Documentation
Every assessment, every review, every control implementation, and every approval is date-stamped and attributed. When OSHA inspectors, ISO auditors, or legal counsel request evidence of adequate risk management, the complete record is immediately accessible.
Frequently Asked Questions
What is a workplace risk assessment?
A workplace risk assessment is a systematic process for identifying hazards in the workplace, evaluating the likelihood and severity of harm they could cause, and deciding on appropriate control measures. It is the foundation of proactive occupational health and safety management and is required by OSHA's General Duty Clause, ISO 45001, UK Management of Health and Safety at Work Regulations, and equivalent legislation in most jurisdictions.
What is the hierarchy of controls?
The hierarchy of controls ranks control measures from most to least effective: (1) Elimination — remove the hazard; (2) Substitution — replace with something less hazardous; (3) Engineering controls — physically isolate people from the hazard; (4) Administrative controls — change how work is done; (5) PPE — protect the individual worker. Higher-order controls are more reliable because they do not depend on consistent human behaviour.
Who is responsible for conducting workplace risk assessments?
The employer is legally responsible. In practice, risk assessments are conducted by competent persons — safety managers, trained supervisors, or occupational health and safety consultants with relevant knowledge of the work processes and applicable standards.
How often should a risk assessment be reviewed?
At minimum annually; also after any incident or near miss involving the assessed hazard, when significant changes occur (new equipment, processes, chemicals), when new information about a hazard becomes available, and when a worker raises a concern. High-hazard environments warrant more frequent review cycles.
What is the difference between a hazard and a risk?
A hazard is anything with the potential to cause harm — a chemical, a piece of machinery, a work at height task. A risk is the likelihood that the hazard will actually cause harm, combined with the severity of that harm. Hazard identification finds what could go wrong; risk assessment evaluates how likely it is and how serious it would be — guiding where to invest in controls.
Manage Your Risk Assessments Digitally
HSETrack's risk register keeps every assessment current, every control tracked, and every review scheduled — so your risk management programme drives real hazard reduction, not just documentation.