The Risk Assessment Playbook: Steps, Tools and Best Practices
18 September 2025
Every workplace comes with its share of risks. Without a structured approach, hazards can go unnoticed until they cause real harm to people or operations. This is where risk assessments come in.
Workplace risk assessments analyze and evaluate the risks associated with workplace hazards and produce suitable precautions to eliminate or reduce risks to acceptable levels. In this article, we will explore everything you need to know about workplace risk assessments, including the basic steps of a risk assessment, various risk assessment tools and risk assessment methodologies.
Why Are Risk Assessments Important?
Risk assessments, also known as risk evaluations, are vital to workplace well-being. By assessing potential risks that may cause harm, these assessments help organizations:
- Reduce incidents in the workplace: Properly identifying, assessing and controlling workplace risks puts control measures in place to prevent harmful incidents or accidents from occurring. This can also save organizations financial strain by avoiding rising insurance premiums, time off work and potential legal fees associated with workplace accidents.
- Comply with regulation: All employers are legally required to protect their employees and their workplace from hazards, and risk assessments are the way to do this. In the U.S., guidelines laid out by the Occupational Safety and Health Administration (OSHA) require businesses to conduct relevant mandatory risk assessments. In the U.K., the Health and Safety Executive (HSE) states that businesses have a “legal duty to assess the risk to the health and safety of your employees.”
- Support risk management initiatives: Workplace risk management is a core approach to creating a safe and compliant work environment by proactively minimizing risks before they result in incidents. Risk assessments are the foundation of this, providing the critical insights needed to understand what could go wrong, how likely risks are and what the consequences might be.
When Should You Conduct a Risk Assessment?
Risk assessments are most effective when conducted at the proper time. Common situations in which a risk assessment should be carried out include:
- Before a new procedure or job activity is introduced: A risk assessment will identify any potential hazards that may occur because of this new task. If the organization experiences high staff turnover, it’s recommended that new staff are monitored to ensure they conduct their work safely. If not, training should be provided.
- Before changes are made to existing procedures: A risk assessment helps notify the EHS department of any specific changes that need to be implemented moving forward.
- Before new equipment is brought into the workplace: New equipment may bring new risks into the workplace and previous risk assessments will no longer be sufficient or relevant in this case.
- When a hazard has been identified: Once a hazard has been identified, a risk assessment should be carried out to analyze the severity of risk associated with the hazard. From there, appropriate measures can be implemented.
Steps of a Workplace Risk Assessment
According to UNISON, “By law, every employer must conduct risk assessments on the work their employees do. If the company or organization employs more than five employees, then the results should be recorded with details of any groups of employees particularly at risk such as older, younger, pregnant or disabled employees.”
Although specific risk assessments can vary widely across businesses and industries, there is a set of key steps that must be covered across all sectors. These steps are as follows:
Step 1: Planning
A successful risk assessment relies heavily on extensive planning to ensure that every relevant detail is assessed and compliance with relevant guidelines is achieved. Planning should revolve around trying to answer these key questions:
- What equipment is required?
- Who needs to be involved?
- What exactly needs to be identified?
- What regulations need to be complied with?
Step 2: Identify Hazards
While looking for hazards, it’s important to keep an eye out for unique or rare hazards that you may not have been expecting. When it comes to identifying hazards, the EHS department should:
- Observe workers carrying out tasks
- Check previous risk assessment records
- Consult guidelines and available information on the work activity
- Consider possible scenarios
Step 3: Gather Findings
Once hazard identification is carried out, the EHS department should gather and organize all the information obtained. This procedure should be carried out to ensure that all areas of the assessment have been covered to gain a comprehensive overview of the data. If this step is conducted correctly, it will be easier to evaluate and decide which actions would be appropriate to undertake next.
Step 4: Evaluate Risk Factors
When evaluating risk, certain key factors must be analyzed closely. These include:
- How workers are exposed to the hazards
- Where workers are exposed to the hazards
- To what extent workers are exposed to the hazard
- For what duration of time workers are exposed to the hazard
- How dangerous the hazard is to workers
At this stage, it can be useful to assign a risk rating (see below) to each of the potential hazards to gain a better understanding of next steps.
Step 5: Decide Actions Required to Prevent Hazards
This step should focus on creating a plan to prevent identified hazards from occurring. This process should be prioritized by the hazards’ perceived risks in accordance with the risk rating.
Step 6: Document Findings and Actions Taken
Keeping a formal record of the risk assessment findings is vital for the success of your EHS department. Not only does this step ensure total transparency within your organization, but it can also be useful during audits or when demonstrating compliance to legal authorities. Documenting actions can eliminate doubt regarding processes. It can also prove useful to managers when assessing the impact of the actions taken. The use of EHS software can help cut down time and streamline this regulatory compliance with easy recordkeeping tools.
Step 7: Review Risk Assessment
The final step should involve reviewing the entire risk assessment. This step should include following up to ensure that recommended actions have been taken to eliminate hazards. The review should also measure the success of implemented actions and identify whether any actions were missed during this process. Any improvements that could be made to future assessments should also be noted.
This is also an opportunity to assess whether any new working practices, machinery or demands have been implemented that may bring about new hazards.
Risk Assessment Tools
Risk Matrix
A risk matrix is a tool that helps organizations visualize and understand potential risks. A risk assessment matrix, like the one shown below, is typically used in the planning stage of a project. The visual representation helps categorize the level of risk by the level of interruption or damage that it would bring to the project.
The two key elements of a risk matrix are the likelihood of a hazard occurring and the severity or impact of the hazard if it occurs. These categories range from “low” to “medium” to “high.” Risk matrix formats may differ, and your EHS department should decide on a risk matrix format that works best for your specific organization. A risk matrix is commonly presented in a 3x3, 4x4 or 5x5 format.

Bowtie Method
The bowtie method helps organizations understand and manage risk by clearly illustrating how a hazard might occur and what could cause it (left side of the diagram), as well as the potential consequences (right side). This approach connects the dots between risks, controls and outcomes, breaking down challenges into manageable components. By doing so, it enables businesses to identify existing risks, respond effectively and proactively plan preventative measures.
[Figure: Bowtie Method Graphic]
An example of a complete bowtie diagram can be found below:
[Figure: Bowtie Method Graphic 2]
Risk Assessment Methodologies
Specific risk assessments may vary based on a number of organizational factors. Examples of workplace risk assessments include:
- Qualitative risk assessment: A qualitative risk assessment is a method used to evaluate the severity of potential risks based on expert judgment, experience and observations rather than numerical data. It determines risk severity using the formula: Severity = Impact × Likelihood. Results are typically organized into categories (e.g., High, Medium, Low) or visualized in a qualitative risk assessment matrix, helping companies quickly identify and prioritize the most critical risks.
- Quantitative risk assessment: A quantitative risk assessment assigns numerical values to risks to estimate their potential financial impact and likelihood. Unlike qualitative assessments that use categories like high or low, this method uses data-driven techniques, such as Failure Mode and Effects Analysis (FMEA), Business Impact Analysis (BIA) or Expected Monetary Value (EMV), to evaluate and prioritize risks. Results are often presented in matrices or visual reports to help stakeholders understand and address the most significant threats.
- Generic risk assessment: A generic risk assessment evaluates common workplace activities that are repetitive and consistent across an organization, such as working at heights or handling machinery. These assessments are especially useful for large companies, as the findings can be applied across multiple departments or sites performing similar tasks.
- Site-specific risk assessment: A site-specific risk assessment focuses on the unique hazards of a particular location, environment, industry and team, ensuring safety measures are tailored to that specific context. Site-specific assessments identify location-specific dangers, like asbestos or trip hazards on a roofing site, and help implement targeted controls.
- Dynamic risk assessment: A dynamic risk assessment is usually performed by a worker entering a new or rapidly changing environment, especially when formal assessments may not cover emerging hazards. It relies on the individual's experience and judgment to identify and respond to unexpected risks, such as delaying a task until safer equipment is available.
- Process hazard analysis: Another type of risk assessment is a process hazard analysis (PHA), which is a systematic approach used to identify and evaluate potential hazards associated with industrial processes. It helps organizations understand how failures or deviations in equipment, procedures or operations could lead to accidents.
- Job hazard analysis: A job hazard analysis (JHA) breaks a job into steps, identifies the hazards at each stage and determines controls to reduce or eliminate them. It considers the interactions between the worker, tools, equipment and environment to create a clear picture of the risks involved.
How Can Evotix Help?
Using risk assessment software can massively help streamline the risk management process and allow your organization to confidently manage workplace risks.
To learn more about how Evotix can support your risk management needs, visit our solutions page here.
