The Complete 10-Step Process for Risk Assessment in the Workplace


Workplace safety risk assessments are conducted in a unique way at each company. However, there are some general, basic steps that should be part of every company’s workplace risk assessment.

Workplace safety risk assessments may be conducted differently at different companies. However, there are some basic steps that should be part of every company's workplace risk assessment.

These steps can be tailored easily to company and industry needs in order to make sure companies comply with laws and regulations that govern different industries. Many of the risks employees face in the workplace are easy to spot and don't require a complex solution.

Not sure how to conduct a risk assessment? Use our free risk matrix template to get started.

What Is a Risk Assessment?

A risk assessment is a systematic process used to identify potential hazards, analyze the likelihood and impact of those hazards, and determine appropriate steps to minimize or eliminate risks. It serves as a foundation for decision-making, helping organizations proactively manage threats to safety, operations, compliance, and reputation.

By evaluating risks before they become incidents, businesses can create safer environments, allocate resources more effectively, and enhance their ability to respond to unexpected challenges.

Why Risk Assessments Are Crucial for Any Business

Risk assessments are critical because they allow businesses to anticipate problems before they occur. Without a structured approach to identifying and managing risks, organizations leave themselves vulnerable to accidents, financial losses, legal liabilities, and reputational harm.

A well-executed risk assessment can improve operational efficiency, protect employees and customers, ensure regulatory compliance, and foster a culture of continuous improvement. It also demonstrates to stakeholders—whether regulators, clients, or investors—that the organization is committed to proactive risk management and responsible governance.

How to Perform a Risk Assessment in 10 Basic Steps

The Health and Safety Executive (HSE) website outlines and explains five steps for conducting a risk assessment; they form the first five of the ten steps below:

1. Identify the Hazards:

Take a walk through your workplace to identify hazards. Some hazards may be easy to identify, while others may require assistance from professionals outside your business (e.g. health and safety experts, machinists, etc.).

You will want to observe employees completing their daily tasks in order to identify additional risks and to see if there could be an easier way for them to complete tasks.

It’s important to talk to your employees while conducting your assessment because they are the ones who will have the best feedback regarding issues that may not be as obvious to you.

Consulting lists developed by safety groups can also help you to look for specific hazards in the workplace. OSHA has provided a great graphic outlining six categories of hazards and their risks. Review past incident reports and complaints in order to ensure that the corrective action actually managed to reduce as much risk as possible.

Past reports are a great place to look for less obvious hazards. The HSE website also recommends considering the long-term effects of the work environment on employees. Loud noises and other factors may not seem harmful to your employees, but what happens if they are exposed to them every day for many years?

Note that risks and hazards are not the same thing:

  • A risk is the likelihood that damage, loss or injury will be caused by a hazard and how severe it may be.
  • A hazard is anything with the potential to cause harm (electricity, hazardous substances and noise).

2. Decide Who Could Be Harmed and How

Establish groups that are affected by the risks and hazards you identified in your search. To see the bigger picture, understand that there are groups outside of your workplace that might be harmed if corrective action is not taken.

Record the ways that they could be harmed if the hazard or risk is not corrected and review the list with your employees to see if there is anything else they have to add.

The HSE provides some examples of groups that could be harmed:

  • Members of the public - consumers, people in nearby neighborhoods, etc.
  • People who are not in the workplace every day - contractors, cleaners, visitors, etc.
  • Various types of employees - new employees, expectant mothers, those with disabilities all face different types of risks in the workplace.

3. Establish Control Measures:

Identify how you manage the risks at present and what further steps might be required to reduce them, as required by law.

Tools such as benchmarking and looking for advice from best practice leaders in similar industries are a great source for gathering solutions. Take note of the differences between you and the best practice leader to see what changes need to be made.

The HSE suggests asking yourself these two questions and recording the steps you will need to take to answer them:

  • Can I get rid of the hazard altogether?
  • If not, how can I control the risks so that harm is unlikely?

4. Record Your Findings and Inform Those at Risk

Report your findings and proposed solutions to all employees.

It might also be a good time to provide additional training on any changes to procedures or updates to your health and safety policy, and to hold a "refresher" session reminding employees of their own responsibilities in ensuring a safe workplace.

The HSE suggests including a timeline in your course of action, as some hazards can be easily fixed immediately, whereas some require more time to correct.

A timeline is also useful for establishing temporary solutions for dealing with the hazards that will take longer to correct in full. Identify, assign and put a date on the responsibilities of everyone involved in carrying out the changes.

5. Review the Risk Assessment on a Regular Basis

Workplaces change constantly as policies and procedures are updated. As these changes are implemented, it is important to assess the affected areas so that new risks are reduced.

Remain up to date on incidents that take place at work. Handle incidents immediately and record the actions taken to reduce the risk of them occurring again; this reminds you to check up on that area during your formal risk assessment. Make your risk assessment an annual event.

If you conduct your assessment around the same time each year, it’s easier to place the assessment as a priority and demonstrates your commitment to workplace safety.

6. Evaluate ALL Areas of Misconduct

To conduct a proper ethics and compliance risk assessment, address all potential areas of risk, not just the most common or obvious ones. To ensure that all of the bases have been covered, evaluate risks that are specific to both the company and the industry it operates in. As a starting point, go through previous files or cases relating to complaints or problems that occurred within the company, and then focus on risks that are harder to identify. It is important to examine the factors causing these risks, as well as the company's ability to plan for and reduce their impact. This analysis helps with policy creation, aiding the development of effective policies that foster an ethical corporate culture.

7. The More The Merrier

During the ethics risk assessment, gather opinions from as many employees as possible. Also, make sure they come from different levels within the company. There are different risks present at different levels and faced by different employees. Including a number of employees allows for a more complete picture of the company's "risk landscape," as these employees can identify and communicate risks they encounter on a day-to-day basis. Depending on company size and the number of people included in this step, use methods such as distributing surveys, holding focus groups or other forms of meetings or individual interviews, to gather information.

8. Benchmarking and Comparison

A useful method for identifying risks and evaluating an ethics and compliance program is to benchmark against competitors or industry leaders. This helps ensure that policies keep the company "in check" with industry laws and standards. When observing the ethics program of an industry leader, look at their code of ethics, corporate culture and corporate social responsibility statements, which can usually be accessed on their corporate website. Pay attention to the areas of risk they focus on and see whether the policies they have put in place actually work as intended.

For example, Johnson and Johnson is an industry leader in the consumer health care field. If a company is one of their competitors, or is looking for a superior-quality ethics and compliance program, it can look at their corporate governance guidelines, annual reports and code of ethics to get an idea of the issues that are important to them and how they handle them. Benchmarking is similar to leading by example: industry leaders and companies known for their commitment to ethics and compliance want to lead the way for other companies to follow and incorporate best practices into their workplaces.

9. Training and Awareness

BAE Systems credits increased employee awareness of compliance and reporting systems as a contributing factor in the increased use of internal reporting systems to help detect and uncover workplace misconduct. Employees must be aware of all policies and procedures that govern employee actions in order to create an ethical corporate culture.

When evaluating and developing training programs, consider the interests of the audience and make training interactive. Taking those two factors into consideration will lead to increased employee engagement and better retention of the information communicated. Take a page out of Cisco Systems' book: their "Ethics Idol" training program really got employees talking!

10. Set a Re-Evaluation Date

Select a time or times each year at which to re-evaluate corporate risk assessments. This allows companies to keep policies and procedures up to date and in line with updated laws and regulations. As the workplace evolves, adapt policies to these changes to help mitigate risk.

To provide an idea of the frequency required for re-evaluation, the authors of the article "Maintaining a Robust Ethics and Compliance Program in Today’s Business Climate: A Necessity to Minimize Your Organization’s Risks" recommend that:

"The frequency with which an organization chooses to conduct ethics and compliance risk assessments depends on the nature of the organization's industry, but if the methodology and process is adequately defined, it can reasonably be conducted on an annual basis where year-over-year results can be appropriately compared. Since operating environments, regulations and government enforcement priorities routinely change, it is inadvisable to conduct compliance risk assessments on a less frequent basis than every two years."

When Should You Conduct a Risk Assessment?

Risk assessments should be conducted at several key points in a business’s operations. These include:

  • Before starting a new project, process, or service where new risks may emerge.
  • When introducing new equipment, technology, or work practices that could affect safety or security.
  • After an incident, near miss, or significant organizational change to reassess vulnerabilities.
  • Periodically, as part of routine risk management activities to address evolving threats and maintain compliance with regulations.

Conducting regular risk assessments ensures that businesses remain agile and responsive to both internal changes and external challenges.

Types of Risk Assessments in the Workplace

Several types of risk assessments are used depending on the nature of the business and the risks involved. Common types include:

  • General Risk Assessment: A broad evaluation of risks across the entire organization or specific departments.
  • Fire Risk Assessment: Focuses specifically on identifying fire hazards and implementing fire safety measures.
  • Health and Safety Risk Assessment: Concentrates on physical workplace hazards that could lead to injury or illness.
  • Environmental Risk Assessment: Evaluates potential impacts on the environment from organizational activities or products.
  • Security Risk Assessment: Assesses threats to data, physical assets, and personnel from internal or external sources.

Choosing the right type of assessment—or a combination—ensures that risks are addressed comprehensively based on the organization's specific context and priorities.

What are Common Mistakes in Conducting a Risk Assessment?

Even with the best intentions, organizations can make critical mistakes during the risk assessment process that undermine its effectiveness. Common pitfalls include:

  • Failing to Involve the Right People: Risk assessments often miss key insights when only a limited group of employees is consulted. Frontline workers, supervisors, and technical experts should all contribute to identifying real-world hazards.
  • Overlooking Emerging or Non-Traditional Risks: Focusing solely on obvious, traditional hazards can cause organizations to miss evolving risks, such as cybersecurity threats, mental health concerns, or environmental impacts.
  • Underestimating Risk Severity or Likelihood: In an effort to downplay concerns or expedite the process, some assessments minimize the potential impact of risks, leaving organizations vulnerable.
  • Using Outdated Information: Relying on old data or assumptions without considering changes in the work environment, technology, or regulations can lead to inaccurate results.
  • Skipping Regular Reviews: Risk assessments should not be a one-time task. Without periodic reviews and updates, businesses fail to capture new risks and changing circumstances.
  • Poor Documentation: Incomplete or vague records make it difficult to track actions taken, justify decisions, or demonstrate compliance to regulators or stakeholders.

Avoiding these common mistakes ensures that risk assessments truly serve their purpose: protecting the organization, its people, and its future.

FAQs

1. Why conduct a risk assessment?

Conducting a risk assessment is essential to identify hazards, assess potential harm to individuals, and implement measures to mitigate risks, ensuring a safe and compliant workplace environment.

2. What is the correct process when conducting a risk assessment?

The correct process when conducting a risk assessment involves identifying hazards, determining who could be harmed and how, establishing control measures, recording findings and informing those at risk, reviewing the assessment regularly, evaluating all areas of misconduct, involving multiple employees, benchmarking against industry standards, providing training and awareness, and setting a re-evaluation date to ensure ongoing compliance and risk mitigation.

3. What are 5 examples of conducting risk assessments?

Five examples of conducting risk assessments include identifying hazards through workplace walkthroughs, consulting with employees to gather feedback on potential risks, establishing control measures to mitigate identified risks, recording findings and informing all relevant parties, and regularly reviewing and updating the risk assessment to ensure ongoing effectiveness and compliance.

4. How often should a risk assessment be done?

Risk assessments should typically be conducted annually, though industries with higher hazards may require more frequent reviews. Update your assessment whenever significant workplace changes occur, such as new equipment, procedures, or substances.

Reassess after incidents or near misses. The article recommends conducting assessments at least every two years, though annual reviews allow better year-over-year comparisons as regulations and environments change.

5. Who is responsible for doing the risk assessment?

Managers or supervisors familiar with workplace operations typically conduct risk assessments. In smaller companies, this might be the business owner or safety officer. Larger organizations often have dedicated safety professionals or committees.

For complex hazards, outside specialists may be brought in. Ultimately, the employer has the legal duty to ensure risks are properly identified and managed.

6. Can employees be involved in the risk assessment process?

Yes, absolutely! Employees can and should be involved. They know their jobs best and can point out risks that might be missed otherwise. Talking to them and getting their feedback helps make the risk assessment more accurate and useful.