What Does a Risk Assessment Look Like: Structure & Examples

A risk assessment is a structured document that identifies what could go wrong, how likely it is, how serious the consequences would be, and what you’re doing about it. Whether it’s a single-page worksheet for a small construction site or a detailed report for a corporate project, the core structure follows the same logic: find the hazards, score them, and document your plan to reduce them.

The Core Structure

Every risk assessment, regardless of industry, moves through the same basic sequence. First, you describe the scope of what you’re evaluating, whether that’s a workplace, a project, a system, or a process. Then you work through each risk systematically. The international standard for risk management (ISO 31000:2018) lays out the process as identifying, analyzing, evaluating, treating, monitoring, and communicating risks. In practice, most assessments compress this into a document with a few key sections.

A typical risk assessment includes:

  • Hazard or threat identification: A plain description of what could cause harm or disruption
  • Who or what is affected: The people, assets, or operations at risk
  • Existing controls: What’s already in place to reduce the risk
  • Likelihood rating: How probable the event is
  • Impact rating: How serious the consequences would be
  • Overall risk score: A combined rating that tells you where to focus
  • Mitigation plan: What additional steps you’ll take to bring the risk down
  • Owner: The specific person responsible for managing that risk

Most of this lives in a table or spreadsheet. Each row represents one risk. Each column captures one of those data points. That table, when it tracks risks across an entire project or organization, is called a risk register.

The Risk Register

A risk register is the working heart of any risk assessment. It’s a living document, usually a spreadsheet or database, where every identified risk gets its own entry. Each entry includes a risk ID, a name, the date it was identified, a description of what could happen, a category (financial, safety, operational, legal), likelihood and impact scores, a mitigation plan, an owner, and a status field that tracks whether the risk is open, in progress, or closed.

The register isn’t something you fill out once and file away. It gets updated as risks change, new ones appear, or existing ones get resolved. On a construction project, you might add a new row when weather delays create a scheduling risk. In a healthcare organization, you’d update the register after migrating to a new electronic records system. The register is what turns a one-time assessment into an ongoing management tool.

The Risk Matrix

The most recognizable visual element of a risk assessment is the risk matrix, a color-coded grid that plots likelihood on one axis and impact on the other. The most common version is a 5×5 grid. Likelihood runs from “very low” (essentially negligible probability) up through “low,” “moderate,” “high,” and “very likely” (expected to occur often). Impact runs from minimal consequences up to catastrophic ones.

Each risk lands in a cell where its likelihood and impact intersect. Risks in the green zone (low likelihood, low impact) need monitoring but not urgent action. Risks in the yellow or orange zone need a mitigation plan. Risks in the red zone, where both likelihood and impact are high, demand immediate attention and resources. NASA, for example, developed a detailed 5×5 matrix for engineering safety where each level has precise probability thresholds, but most organizations use simpler descriptive scales. The point is to give everyone a shared, visual way to compare risks and prioritize where to spend effort.

This matrix typically appears in the assessment document itself, either as a standalone chart or as a reference table alongside the risk register. Some organizations plot every identified risk onto a single matrix so leadership can see the full risk landscape at a glance.

Qualitative vs. Quantitative Scoring

Risk assessments come in two flavors depending on how you measure likelihood and impact. Most use qualitative scoring, where a team of people with relevant experience rates each risk using descriptive scales like “low, medium, high” or numbered levels from 1 to 5. This approach works well when you’re dealing with risks that are hard to quantify, like reputational damage or regulatory penalties. The output is your risk matrix.

Quantitative assessments rely on numerical data. Instead of labeling a risk “high likelihood,” you calculate a specific probability based on historical data. Instead of calling the impact “severe,” you estimate a dollar figure for potential losses. Organizations often use tools like decision trees or time series analysis to model these numbers. Financial risk assessments almost always lean quantitative because the data, including investment performance, cash flow trends, and profit margins, already exists in numerical form.

Many organizations use both. They start with a qualitative assessment to identify and prioritize risks, then apply quantitative analysis to the highest-priority items that justify deeper investigation.
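As an added illustration (not code from the article), the following Python puts the 5×5 matrix scoring, the zone banding and the register prioritization described above together with the quantitative follow-up for items that justify it. The numeric mapping of the descriptive scales, the zone thresholds and the sample register rows are assumptions constructed for this example, not a standard.

```python
from dataclasses import dataclass
from typing import Optional

# Descriptive scales mapped to 1-5 levels; mapping and zone thresholds are assumed.
LIKELIHOOD = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very likely": 5}
IMPACT = {"minimal": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
ZONES = [(15, "red"), (10, "orange"), (5, "yellow"), (1, "green")]

@dataclass
class Risk:
    risk_id: str
    name: str
    identified: str      # date identified, ISO format
    category: str        # financial, safety, operational, legal
    likelihood: str
    impact: str
    owner: str
    mitigation: str = ""
    status: str = "open"
    # Quantitative inputs, filled in only for items that justify deeper analysis.
    annual_probability: Optional[float] = None
    loss_if_occurs: Optional[float] = None

    def score(self) -> int:
        """Qualitative score: likelihood level x impact level on the 5x5 matrix."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def zone(self) -> str:
        """Colour band the risk lands in on the matrix."""
        return next(colour for floor, colour in ZONES if self.score() >= floor)

    def expected_annual_loss(self) -> Optional[float]:
        """Quantitative estimate: probability x loss, when both are known."""
        if self.annual_probability is None or self.loss_if_occurs is None:
            return None
        return self.annual_probability * self.loss_if_occurs

def prioritize(register):
    """Order the register red-first so the team knows where to spend effort."""
    return sorted(register, key=lambda r: (-r.score(), r.risk_id))

# Constructed sample register for a hypothetical construction project.
REGISTER = [
    Risk("R-001", "Scaffold fall", "2024-03-01", "safety", "moderate", "catastrophic",
         "Site supervisor", "Guardrails installed; harness training scheduled"),
    Risk("R-002", "Weather delay", "2024-03-04", "operational", "very likely", "minor",
         "Project manager", "Buffer days added to schedule"),
    Risk("R-003", "Vendor insolvency", "2024-03-05", "financial", "low", "major",
         "Finance lead", "Second supplier qualified",
         annual_probability=0.05, loss_if_occurs=400_000),
]
```

Only R-003 carries the quantitative fields, mirroring the hybrid approach where the dollar estimate is worked out for the items selected by the qualitative pass.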

How Mitigation Gets Documented

Identifying a risk without documenting how you’ll address it defeats the purpose. The mitigation section of a risk assessment lists the specific actions you’ll take to reduce either the likelihood or the impact of each risk. In workplace safety, these actions follow a well-established ranking system called the hierarchy of controls, developed by OSHA. It prioritizes solutions from most to least effective:

  • Elimination: Remove the hazard entirely. Stop using a dangerous chemical or move work to ground level instead of at heights.
  • Substitution: Replace the hazard with something less dangerous. Switch to a less toxic material or a lower-energy process.
  • Engineering controls: Put physical barriers between workers and the hazard. Machine guards, ventilation systems, guardrails, and noise enclosures all fall here.
  • Administrative controls: Change how work is done through training, procedures, warning signs, schedule rotations, or checklists.
  • Personal protective equipment: Safety glasses, hard hats, respirators, and harnesses. These are the last line of defense because they require constant effort from the worker and don’t reduce the hazard itself.

The assessment documents which level of control applies to each hazard. A well-designed worksheet also includes a column noting whether the control itself creates any new hazards. Adding a machine guard, for instance, might create a pinch point that needs its own mitigation.

What a Workplace Assessment Looks Like

In a workplace setting, OSHA requires employers to perform a hazard assessment to determine whether protective equipment is necessary. The written document must identify the workplace that was evaluated, the person who performed the assessment, the date it was completed, and what hazards were found. If hazards are present, the employer selects appropriate protective equipment, ensures it fits each worker, and communicates those decisions to everyone affected.

A typical workplace risk assessment form is straightforward. It might be a single page for a small shop or a multi-page document for a manufacturing facility. You walk through the work area, note each hazard (chemical exposure, fall risks, loud machinery, moving parts), identify who’s exposed, record what controls are already in place, rate the risk, and write down what additional steps are needed. The completed form serves as both a planning tool and a legal record that the assessment was done.

How Often Assessments Get Updated

A risk assessment is only useful if it reflects current conditions. The general standard across industries is to conduct a full assessment at least once a year, with immediate updates whenever something significant changes. Organizations in high-risk or fast-changing environments often reassess quarterly or semiannually.

Changes that should trigger an immediate reassessment include major system upgrades, new processes or services, changes to your physical space, bringing on or losing key vendors, mergers or acquisitions, and any incident that exposed a gap in your existing controls. Between formal reviews, the risk register should be a living document that gets updated as conditions shift. Some organizations layer in continuous monitoring for their highest-priority risks, reviewing critical controls monthly or even weekly, while lower-risk areas stay on an annual cycle.