A risk assessment is a careful, structured examination of what could cause harm in a given situation, how likely that harm is, and what you can do to prevent it. It’s used across workplaces, healthcare, construction, finance, and dozens of other fields, but the core idea is always the same: identify dangers before they cause problems, then take practical steps to reduce them. Rather than reacting after something goes wrong, a risk assessment is fundamentally proactive.
Hazards vs. Risks
Understanding the difference between a hazard and a risk is the foundation of any risk assessment. A hazard is anything with the potential to cause harm: a chemical, a piece of equipment, a slippery floor, a process that generates extreme heat. A risk is the likelihood that the hazard will actually cause harm, combined with how severe that harm could be. The U.S. Geological Survey illustrates this with a simple image: a rockfall is a hazard, but it only becomes a risk when there’s a house sitting at the base of the cliff. Without something vulnerable in the path, the hazard exists but the risk is low.
This distinction matters because it shapes what you prioritize. A workplace might contain dozens of hazards, but only a handful pose significant risk once you account for how often people are exposed, what safeguards are already in place, and what the consequences of failure look like.
The Basic Steps
Most risk assessment frameworks follow a similar sequence, whether you’re evaluating a construction site, a chemical process, or an office building. The steps break down into five broad actions:
- Identify the hazards. Gather existing information about known dangers, inspect the environment, and look at both safety hazards (things that could cause injury) and health hazards (things that could cause illness over time).
- Determine who could be harmed and how. Think beyond full-time workers. Visitors, contractors, nearby residents, and people with specific vulnerabilities all factor in.
- Evaluate the risks and decide on precautions. For each hazard, consider how likely harm is and how serious it could be. Then determine whether existing controls are adequate or whether more action is needed.
- Record your findings and implement them. Document the hazards, the people at risk, and the control measures you’ve chosen. A written record keeps everyone accountable and provides a reference point for future reviews.
- Review and update regularly. Workplaces change. New equipment, new processes, new staff, or an incident that reveals a gap all signal that the assessment needs revisiting.
How Risks Are Scored
Once you’ve identified hazards, you need a way to compare them and decide where to focus your resources. The most common tool is a risk matrix, which plots two dimensions: how likely something is to happen and how severe the consequences would be if it did.
Both dimensions typically use a 1-to-5 scale. For likelihood, a score of 1 means “rare” (less than a 10% chance), while 5 means “almost certain” (greater than 90%). For impact, 1 represents a minor consequence and 5 represents something severe, like a fatality or a catastrophic financial loss. Multiply the two numbers together and you get a risk score. A matrix color-codes the results: green cells represent low-level risks that need monitoring but little action, yellow cells flag risks that need a management plan, and red cells demand immediate attention and senior oversight.
This scoring system isn’t precise science. It’s a decision-making tool. Its value is in forcing you to think systematically rather than relying on gut feeling about which problems matter most.
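A worked version of the matrix described above, written as an added example rather than code from the article. It keeps the article's 1-to-5 likelihood and impact scales and its green/yellow/red bands, but the numeric cut-offs between bands (1-4 green, 5-12 yellow, 15-25 red), the intermediate scale labels, the `residual_*` fields and the sample hazard register are all constructed for the example, since the text names the colours without fixing the thresholds.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# 1-to-5 scales as in the text: likelihood 1 = rare (<10% chance), 5 = almost
# certain (>90%); impact 1 = minor, 5 = severe. Intermediate labels are constructed.
LIKELIHOOD: Dict[int, str] = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT: Dict[int, str] = {1: "minor", 2: "low", 3: "moderate", 4: "major", 5: "severe"}

# Assumed banding thresholds (the article names the colours, not the cut-offs).
def band(score: int) -> str:
    """Map a likelihood x impact product (1..25) to the matrix colour."""
    if score <= 4:
        return "green"
    if score <= 12:
        return "yellow"
    return "red"

# Response per band, following the article's description of each colour.
ACTION = {
    "green": "monitor; little further action",
    "yellow": "management plan required",
    "red": "immediate attention and senior oversight",
}

@dataclass
class Hazard:
    name: str
    likelihood: int                          # 1-5
    impact: int                              # 1-5
    residual_likelihood: Optional[int] = None  # constructed: score once planned controls are in place
    residual_impact: Optional[int] = None

def _check(value: int, scale: Dict[int, str]) -> int:
    """Reject scores outside the 1-5 scale instead of silently producing a bad product."""
    if value not in scale:
        raise ValueError(f"score {value!r} is outside the 1-5 scale")
    return value

def score(likelihood: int, impact: int) -> int:
    """Risk score = likelihood x impact."""
    return _check(likelihood, LIKELIHOOD) * _check(impact, IMPACT)

def assess(hazards: List[Hazard]) -> List[dict]:
    """Score and band each hazard, then sort so the highest inherent risk comes first."""
    rows = []
    for h in hazards:
        inherent = score(h.likelihood, h.impact)
        residual = None
        if h.residual_likelihood is not None and h.residual_impact is not None:
            residual = score(h.residual_likelihood, h.residual_impact)
        rows.append({
            "hazard": h.name,
            "score": inherent,
            "band": band(inherent),
            "action": ACTION[band(inherent)],
            "residual_score": residual,
            "residual_band": band(residual) if residual is not None else None,
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)

def matrix() -> List[List[str]]:
    """5x5 grid of bands: rows are impact 5 (top) down to 1, columns likelihood 1..5."""
    return [[band(score(l, i)) for l in range(1, 6)] for i in range(5, 0, -1)]

# Constructed sample register for a small workshop (not from the article).
SAMPLE = [
    Hazard("unguarded bench grinder", 4, 4, residual_likelihood=2, residual_impact=4),
    Hazard("trailing power cords in walkway", 5, 2, residual_likelihood=2, residual_impact=2),
    Hazard("solvent fumes during cleaning", 3, 3),
    Hazard("paper cuts handling stock", 3, 1),
]

if __name__ == "__main__":
    for row in assess(SAMPLE):
        print(f"{row['hazard']:<35} {row['score']:>2} {row['band']:<6} -> {row['action']}")
```

Running the block prints the sample register in priority order: the grinder (16, red) first, the cords (10, yellow), the fumes (9, yellow), and the paper cuts (3, green). The residual columns show the point made in step three of the basic process: a control that lowers likelihood can move a hazard from red to yellow without changing how severe the consequence would still be if it happened.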
Qualitative vs. Quantitative Methods
Risk assessments generally fall into two categories depending on how much data you have and how complex the situation is.
A qualitative assessment relies on judgment, experience, and descriptive categories rather than hard numbers. It’s faster, easier to perform, and doesn’t require direct measurements or detailed toxicological data. Many small and mid-sized businesses use qualitative methods because they can be completed without specialized equipment or expertise. The UK’s Health and Safety Executive developed a “control banding” approach for chemical hazards, for example, that lets workplaces manage risks without quantitative exposure data.
A quantitative assessment uses measured data to calculate risk numerically. It typically involves four stages: identifying the hazard, assessing what dose or exposure level causes harm, measuring actual exposure, and then characterizing the risk with a number. This approach is more precise but also more resource-intensive, requiring monitoring equipment, lab analysis, and trained assessors. Industries with high-consequence hazards, like chemical processing or nuclear energy, tend to rely on quantitative methods because the stakes justify the cost.
Specialized Techniques
Certain industries use structured analytical methods to make risk assessments more thorough. Two of the most widely used are HAZOP and FMEA.
A Hazard and Operability Study (HAZOP) is a team-based, qualitative technique designed for complex processes like chemical plants or manufacturing lines. A group of experts walks through every component of a system and asks what would happen if key parameters deviated from normal. What if the flow rate is too high? Too low? What if there’s no flow at all, or flow in the wrong direction? The team uses a set of “guidewords” (more, less, none, reverse, and others) combined with process parameters like temperature, pressure, level, and timing to systematically explore every possible deviation. For each one, they identify causes, consequences, and whether existing safeguards are adequate.
Failure Mode and Effects Analysis (FMEA) takes a complementary approach. Instead of looking at process deviations, it focuses on individual components and asks how each one could fail, what the effect of that failure would be, and how detectable the failure is before it causes a problem. FMEA is widely used in manufacturing, aerospace, automotive, and medical device design. Both techniques are meant to be used alongside other tools, not as standalone assessments.
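The HAZOP procedure above (guidewords combined with process parameters, then causes, consequences and safeguard adequacy recorded per deviation) can be made concrete with a small worksheet model. This is an added example, not code from the article or from any HAZOP tool: the four guidewords are the ones the text names, the applicability table that says which guidewords make physical sense for each parameter is constructed, and the worksheet rows for a cooling-water node are invented sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Guidewords named in the text; a full study uses a longer list.
GUIDEWORDS = ("none", "more", "less", "reverse")
PARAMETERS = ("flow", "temperature", "pressure", "level")

# Constructed applicability table: which guidewords yield a meaningful deviation
# for each parameter ("reverse temperature", for instance, has no physical meaning).
APPLICABLE: Dict[str, Set[str]] = {
    "flow": {"none", "more", "less", "reverse"},
    "temperature": {"more", "less"},
    "pressure": {"none", "more", "less"},
    "level": {"none", "more", "less"},
}

Deviation = Tuple[str, str]  # (guideword, parameter), e.g. ("none", "flow")

def deviations(parameters: Tuple[str, ...] = PARAMETERS) -> List[Deviation]:
    """Enumerate every guideword x parameter combination that applies to the node."""
    return [(g, p) for p in parameters for g in GUIDEWORDS if g in APPLICABLE[p]]

@dataclass
class Entry:
    """One worksheet row: what the team recorded for a single deviation."""
    deviation: Deviation
    cause: str
    consequence: str
    safeguard: Optional[str]   # None when nothing currently protects against it
    adequate: bool             # the team's judgement of the existing safeguard

def uncovered(entries: List[Entry], parameters: Tuple[str, ...] = PARAMETERS) -> List[Deviation]:
    """Deviations the team has not yet written a row for: the study is incomplete until this is empty."""
    seen = {e.deviation for e in entries}
    return [d for d in deviations(parameters) if d not in seen]

def open_actions(entries: List[Entry]) -> List[Entry]:
    """Rows whose safeguard is missing or judged inadequate; each needs a recommendation."""
    return [e for e in entries if e.safeguard is None or not e.adequate]

# Constructed worksheet for one node (a cooling-water loop on a reactor jacket).
WORKSHEET = [
    Entry(("none", "flow"), "circulation pump trips",
          "loss of cooling, jacket temperature rises", "low-flow alarm and pump auto-restart", True),
    Entry(("more", "pressure"), "outlet valve closed against running pump",
          "jacket overpressure", "relief valve", True),
    Entry(("less", "temperature"), "chiller fault",
          "reaction slows, batch out of specification", None, False),
    Entry(("reverse", "flow"), "pump stops while return line is open",
          "contaminated water drawn back into supply", "check valve", False),
]

if __name__ == "__main__":
    print(f"{len(deviations())} applicable deviations for this node")
    for d in uncovered(WORKSHEET):
        print("not yet examined:", *d)
    for e in open_actions(WORKSHEET):
        print("needs recommendation:", *e.deviation, "-", e.consequence)
```

The value of the guideword grid is in `uncovered`: it turns "did we think of everything?" into a list the team can see is empty before closing the study. `open_actions` is the output that feeds the hierarchy-of-controls decision that follows.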
The Hierarchy of Controls
Once a risk assessment identifies hazards that need action, the next question is what kind of action to take. OSHA’s hierarchy of controls ranks safeguards from most to least effective:
- Elimination: Remove the hazard entirely. Stop using a dangerous chemical, or redesign a task so it no longer requires working at height.
- Substitution: Replace the hazard with something less dangerous. Switch to a less toxic material or a process that uses lower temperatures.
- Engineering controls: Put physical barriers between workers and the hazard. Machine guards, ventilation systems, guardrails, and noise enclosures all fall here.
- Administrative controls: Change how people work through procedures, training, warning signs, rotating workers to limit exposure time, or scheduling high-risk tasks when fewer people are present.
- Personal protective equipment (PPE): Safety glasses, respirators, hardhats, hearing protection, and similar gear. PPE is the last line of defense because it depends on consistent, correct use by every worker, every time.
The hierarchy exists because controls at the top are more reliable. Eliminating a hazard protects everyone automatically. PPE only works if someone remembers to wear it and wears it correctly. In practice, most workplaces use a combination of controls at different levels.
When to Review a Risk Assessment
A risk assessment isn’t a one-time document. It needs updating whenever something meaningful changes: new equipment, a change in layout, different materials, new staff who bring different experience levels, or an incident that exposes a gap no one anticipated. The Joint Commission notes that while no universal rule dictates exactly how often to reassess, annual reviews are a practical baseline. They give you a structured opportunity to incorporate new tools, new knowledge, and any changes that have accumulated over the year.
If your organization has set its own review schedule through internal policy, that schedule becomes the standard you’re held to. High-risk issues benefit from more frequent review cycles simply because the consequences of outdated information are more severe.
The International Standard: ISO 31000
For organizations that want a formal framework, ISO 31000:2018 is the international standard for risk management. Originally published in 2009 and revised in 2018, it lays out eight principles for effective risk management. Risk management should be integrated across the entire organization, not siloed in a safety department. It should be structured and comprehensive enough to ensure consistency, but customized to fit the organization’s specific context. It should include the knowledge and perspectives of key stakeholders, adapt dynamically as risks change over time, and rely on the best available information. Human and cultural factors should be part of the analysis, and the entire process should be treated as something that improves continuously rather than something you complete once and file away.
ISO 31000 applies broadly. It’s not limited to workplace safety. Organizations use it for financial risk, reputational risk, cybersecurity, supply chain vulnerabilities, and strategic planning. The framework gives structure without being prescriptive about specific tools, which is why it works across such different contexts.