What Is Risk Assessment in Safety: Steps & Controls

Risk assessment in safety is a structured process for identifying workplace hazards, evaluating how likely they are to cause harm, and deciding what controls to put in place. It’s the foundation of every effective safety program, whether you’re managing a construction site, a chemical plant, or an office. The UK’s Health and Safety Executive breaks it into five steps: identify hazards, assess the risks, control the risks, record your findings, and review the controls.

Hazards and Risks Are Not the Same Thing

One of the most common points of confusion is treating “hazard” and “risk” as interchangeable. They’re related but distinct. A hazard is any source of potential harm: a wet floor, an exposed electrical wire, a toxic chemical, even a workplace behavior like bullying. A risk is the probability that someone will actually be harmed by that hazard. A knife sitting in a drawer is a hazard. The risk depends on who handles it, how often, and under what conditions.

This distinction matters because it shapes how you prioritize. A substance like benzene is always a hazard (it can cause leukemia), but the risk to a given worker depends on concentration, duration of exposure, and what protective measures are in place. Risk assessment is the process of looking at each hazard and asking: how likely is it that this will hurt someone, and how serious would the injury be?

The Five Steps of Risk Assessment

Most regulatory frameworks follow a version of the same five-step process. Here’s what each step involves in practice.

  • Identify hazards. Walk through the workplace and look at what could cause harm. This includes physical things (machinery, chemicals, noise), conditions (poor lighting, cluttered walkways), and work practices (repetitive lifting, lone working). Talk to employees. They often know where the real dangers are before anyone else does.
  • Assess the risks. For each hazard, evaluate who might be harmed and how seriously. Consider how often people are exposed, whether existing precautions are adequate, and what could go wrong. This is where you rank risks by severity and likelihood to decide which ones need attention first.
  • Control the risks. Put measures in place to eliminate or reduce each risk. The goal is to bring risk down to the lowest reasonably achievable level.
  • Record your findings. Document the hazards you found, the people at risk, and the controls you’ve implemented. This creates accountability and gives you a baseline for future reviews.
  • Review the controls. Revisit your assessment regularly to make sure controls are still working and nothing has changed.

Qualitative vs. Quantitative Approaches

Not every risk assessment needs the same level of detail. There are two broad approaches, and the right one depends on the complexity of the situation.

Qualitative risk assessment uses judgment and experience to rate risks on simple scales, such as ranking probability and impact from 1 to 5. It works well for routine workplace hazards, smaller projects, and situations where speed matters more than precision. A team doing a walk-through of a warehouse, for example, can use a qualitative matrix to flag the most urgent issues without needing detailed data.

Quantitative risk assessment uses numerical data to calculate risk more precisely. It requires high-quality inputs: historical incident rates, exposure measurements, cost estimates for potential losses. Organizations typically use this approach for large, complex operations where decisions have significant financial or safety consequences. If a company needs to decide whether a multimillion-dollar engineering control is justified, a quantitative analysis provides the numbers to support that decision.

Many organizations use both. A qualitative screening identifies the most significant risks, and quantitative analysis is then applied to those that warrant deeper investigation.
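The two-stage approach described above, qualitative screening followed by a quantitative check on the hazards that warrant it, as an added worked example that is not part of the original article. The 1 to 5 scales, the band thresholds, the sample warehouse hazards and every incident rate and cost figure are constructed assumptions for illustration only, not figures from any standard or regulator.

```python
from dataclasses import dataclass

# Added illustration, not the article's own material. The 1..5 scales, the
# band thresholds and every sample hazard and cost figure below are assumptions.


@dataclass
class Hazard:
    name: str
    who_is_harmed: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    severity: int    # 1 (minor first aid) .. 5 (fatality)


def risk_score(likelihood: int, severity: int) -> int:
    """Qualitative score on a 5x5 matrix: likelihood x severity."""
    for value in (likelihood, severity):
        if not 1 <= value <= 5:
            raise ValueError("likelihood and severity must be integers 1..5")
    return likelihood * severity


def risk_band(score: int) -> str:
    """Map a matrix score to an action band (thresholds are assumptions)."""
    if score >= 15:
        return "high"    # act before work continues
    if score >= 8:
        return "medium"  # schedule controls, monitor
    return "low"         # manage through routine procedures


def qualitative_screen(hazards: list[Hazard]) -> list[tuple[str, int, str]]:
    """Rank hazards from highest to lowest score so the worst get attention first."""
    ranked = []
    for h in hazards:
        score = risk_score(h.likelihood, h.severity)
        ranked.append((h.name, score, risk_band(score)))
    return sorted(ranked, key=lambda row: row[1], reverse=True)


def expected_annual_loss(incidents_per_year: float, cost_per_incident: float) -> float:
    """Quantitative view: the harm a hazard is expected to cost per year, in money."""
    return incidents_per_year * cost_per_incident


def control_justified(incidents_before: float, incidents_after: float,
                      cost_per_incident: float, annual_control_cost: float) -> bool:
    """A control pays for itself when the drop in expected annual loss covers its cost."""
    saving = (expected_annual_loss(incidents_before, cost_per_incident)
              - expected_annual_loss(incidents_after, cost_per_incident))
    return saving >= annual_control_cost


# Constructed walk-through findings for a small warehouse.
WAREHOUSE_HAZARDS = [
    Hazard("wet floor by loading dock", "pickers, drivers", likelihood=4, severity=2),
    Hazard("forklift traffic crossing pedestrian aisle", "all staff", likelihood=3, severity=5),
    Hazard("solvent vapour in paint booth", "finishing crew", likelihood=3, severity=4),
    Hazard("boxes stacked in stairwell", "all staff", likelihood=2, severity=2),
]

if __name__ == "__main__":
    # Stage 1: qualitative screen of everything found on the walk-through.
    for name, score, band in qualitative_screen(WAREHOUSE_HAZARDS):
        print(f"{score:2d} {band:6s} {name}")
    # Stage 2: quantitative check on the top-ranked hazard only. Constructed figures:
    # 0.5 forklift strikes per year today, 0.05 with a physical barrier installed,
    # 400,000 per incident, and a barrier costing 60,000 per year once its install
    # cost is spread over its service life.
    print("barrier justified:", control_justified(0.5, 0.05, 400_000, 60_000))
```

The screen puts the forklift crossing at the top (score 15, high) and the stairwell clutter at the bottom (score 4, low); only the high-scoring item gets the quantitative treatment, which compares the expected annual loss with and without the barrier against what the barrier costs each year. Swapping in real incident rates and cost estimates is what turns this from a screening tool into the kind of analysis the article describes for large engineering decisions.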

How Risks Are Controlled

Once you’ve identified and ranked risks, the next question is what to do about them. The CDC and NIOSH recommend following the hierarchy of controls, which ranks protective measures from most to least effective:

  • Elimination. Remove the hazard entirely. If a task requires working at dangerous heights, redesign the process so it can be done at ground level.
  • Substitution. Replace the hazard with something less dangerous. Switch from a toxic solvent to a water-based alternative.
  • Engineering controls. Isolate people from the hazard through physical changes to the workplace: ventilation systems, machine guards, noise barriers.
  • Administrative controls. Change the way people work: rotating shifts to limit exposure time, posting warning signs, updating training procedures.
  • Personal protective equipment (PPE). Gloves, respirators, hard hats, and safety goggles. PPE is the last line of defense because it depends entirely on the worker using it correctly every time.

The top of the hierarchy is always the goal. Elimination and substitution remove risk at the source. PPE only manages it at the point of contact, which is why it’s considered the least reliable option on its own.

Why Risk Assessment Has Measurable Impact

Formal risk assessment isn’t just a compliance exercise. It produces real, quantifiable reductions in harm. One clear example: when OSHA developed its rule limiting workplace silica dust exposure, the formal risk assessment behind it estimated the regulation would prevent 17 to 22 deaths per year from lung cancer, respiratory disease, and kidney failure, along with 60 to 71 nonfatal illness cases annually. The averted medical costs and productivity losses from fatal lung cancers alone were valued at $4.9 million per year, and the broader economic value of prevented deaths and illnesses was estimated at $304 million to $1.1 billion annually.

These numbers illustrate a broader principle: the upfront effort of risk assessment pays for itself many times over in injuries that never happen, medical costs that are never incurred, and operational disruptions that are avoided entirely.

International Standards and Legal Requirements

Risk assessment is embedded in workplace safety law in most countries, and the international standard ISO 45001 provides a globally recognized framework. Under ISO 45001, organizations are required to systematically identify risks and opportunities across all work activities, assess hazards using defined methodologies, and set measurable safety objectives with action plans to achieve them. The standard emphasizes proactive management, meaning hazards should be identified and controlled before incidents occur, not investigated after the fact.

For many organizations, achieving ISO 45001 certification requires building risk assessment capabilities from the ground up: training teams, developing standardized procedures, and integrating safety evaluation into everyday operations rather than treating it as an occasional audit.

When to Review a Risk Assessment

A risk assessment is not a one-time document. It needs to be revisited whenever something changes in the workplace. Common triggers include introducing new equipment or technology, changes in staff or management, a safety incident or near-miss, alterations to work processes, and moving to a new location or reorganizing an existing one.

There’s no universal rule for how often to review. Some organizations do it annually, others every two or three years, depending on the nature of the work and the pace of change. The most effective approach is to treat risk assessment as a continuous process, evaluating potential risks as part of planning any operational change rather than waiting until a scheduled review date. Organizations that build risk assessment into their day-to-day planning consistently spend less time and effort correcting problems that could have been anticipated.