The Essentials of Effective Project Risk Assessments

By Kate Eby | September 19, 2022


Performing risk assessments is vital to a project’s success. We’ve gathered tips from experts on doing effective risk assessments and compiled a free, downloadable risk assessment starter kit. 

Included on this page, you’ll find details on the five primary elements of risk, a comprehensive step-by-step process for assessing risk, tips on creating a risk assessment report, and editable templates and checklists to help you perform your own risk assessments.

What Is a Project Risk Assessment?

A project risk assessment is a formal effort to identify and analyze risks that a project faces. First, teams identify all possible project risks. Next, they determine the likelihood and potential impact of each risk.

During a project risk assessment, teams analyze both positive and negative risks. Negative risks are events that can derail a project or significantly hurt its chances of success. Negative risks become more dangerous when teams haven’t identified them or created a plan to deal with them.

A project risk assessment also looks at positive risks. Also called opportunities, positive risks are events that stand to benefit the project or organization. Your project team should assess those risks so they can seize on opportunities when they arise.

Your team will want to perform a project risk assessment before the project begins. They should also continually monitor for risks and update the assessment throughout the life of the project.

Some experts use the term project risk analysis to describe a project risk assessment. However, a risk analysis typically refers to the more detailed analysis of a single risk within your broader risk assessment. For expert tips and information, see this comprehensive guide to performing a project risk analysis. 

Project risk assessments are an important part of project risk management. Learn more from experts about best practices in this article on project risk management. For even more tips and resources, see this guide to creating a project risk management plan.

How Do You Assess Risk in a Project?

Teams begin project risk assessments by brainstorming possible project risks. Avoid missing important risks by reviewing events from similar past projects. Finally, analyze each risk to understand its time frame, probability, factors, and impact.  

Your team should also gather input from stakeholders and others who might have thoughts on possible risks. 

In general terms, consider these five important elements when analyzing risks:

  • Risk Event: Identify circumstances or events that might have an impact on your project. 
  • Risk Time Frame: Determine when these events are most likely to happen. This might mean when they happen in the lifecycle of a project or during a sales season or calendar year. 
  • Probability: Estimate the likelihood of an event happening. 
  • Impact: Determine the impact on the project and your organization if the event happens. 
  • Factors: Determine the events that might happen before a risk event or that might trigger the event.

Project Risk Assessment Tools

Project leaders can use various tools and methodologies to help measure risks. One option is a failure mode and effects analysis. Other options include a finite element analysis or a factor analysis of information risk.

These are some common risk assessment tools:

  • Process Steps: Identify all steps in a process.
  • Potential Problems: Identify what could go wrong with each step.
  • Problem Sources: Identify the causes of the problem.
  • Potential Consequences: Identify the consequences of the problem or failure.
  • Solutions: Identify ways to prevent the problem from happening.
  • Finite Element Analysis (FEA): This is a computerized method for simulating and analyzing the forces on a structure and the ways that a structure could break. The method can account for many, sometimes thousands, of elements. Computer analysis then determines how each of those elements works and how often the elements won’t work. The analysis for each element is then added together to determine all possible failures and the rate of failure for the entire product.
  • Factor Analysis of Information Risk (FAIR): This framework helps teams analyze risks to information and data, or cybersecurity risks.

How to Conduct a Project Risk Assessment

The project manager and team members will want to continually perform risk assessments for a project. Doing good risk assessments involves a number of steps. These steps include identifying all possible risks and assessing the probability of each.

Most importantly, team members must fully explore and assess all possible risks, including risks that at first might not be obvious.


“The best thing that a risk assessment process can do for any project, over time, is to be a way of bringing unrecognized assumptions to light,” says Mike Wills, a certified mentor and coach and an assistant professor at Embry-Riddle Aeronautical University’s College of Business. “We carry so many assumptions without realizing how they constrain our thinking.”

Steps in a Project Risk Assessment

Experts recommend several important steps in an effective project risk assessment. These steps include identifying potential risks, assessing their possible impact, and formulating a plan to prevent or respond to those risks.

Here are 10 important steps in a project risk assessment:

Step 1: Identify Potential Risks

Bring your team together to identify all potential risks to your project. Here are some common ways to help identify risks, with tips from experts:

  • Review Documents: Review all documents associated with the project.
  • Consider Industry-Specific Risks: Use risk prompt lists for your industry. Risk prompt lists are broad categories of risks, such as environmental or legal, that can occur in a project.
  • Revisit Previous Projects: Use checklists from similar projects your organization has done in the past. 


  • “What I like to do for specific types of projects is put together a checklist, a taxonomy of old risks that you've identified in other projects from lessons learned,” says Wendy Romeu, President and CEO of Alluvionic. “Say you have a software development program. You would pull up your template that includes all the risks that you realized in other projects and go through that list of questions. Then you would ask: ‘Do these risks apply to our project?’ That's kind of a starting point.” “You do that with your core project team,” Romeu says, “and it gets their juices flowing.” Learn more about properly assessing lessons learned at the end of a project in this comprehensive guide to project management lessons learned.
  • Consult Experts: Conduct interviews with experts within and, in some cases, outside your organization.
  • Brainstorm: Brainstorm ideas with your team. “The best scenario, which doesn't usually happen, is the whole team comes together and identifies the risks,” says Romeu.
  • Stick to Major Risks: Don’t try to identify an unrealistic or unwieldy number of risks. “You want to identify possible risks, but you want to keep the numbers manageable,” says Wills. “The more risks you identify, the longer you spend analyzing them. And the longer you’re in analysis, the fewer decisions you make.”
  • Look for Positive Risks: Identify both positive risks and negative ones. It’s easy to forget that risks aren’t all negative. There can be unexpected positive events as well. Some people call these opportunities, but in a risk assessment, experts call them positive risks.


  • “A risk is a future event that has a likelihood of occurrence and an impact,” says Alan Zucker, founding principal of Project Management Essentials, who has more than two decades of experience managing projects in Fortune 100 companies. “Risks can both be opportunities — good things — and threats. Most people, when they think about risk assessment, they always think about the negatives. I really try to stress on people to think about the opportunities as well.” Opportunities, or positive risks, might include your team doing great work on a project and a client wanting the team to do more work. Positive risks might include a project moving forward more quickly than planned or costing less money than planned. You’ll want to know how to respond in those situations, Zucker says. Learn more about project risk identification and find more tips from experts in this guide to project risk identification.

Step 2: Determine the Probability of Each Risk

After your team has identified possible risks, you will want to determine the probability of each risk happening. Your team can make educated guesses using some of the same methods it used to identify those risks.

Determine the probability of each identified risk with these tactics:

  • Brainstorm with your team.
  • Interview experts.
  • Review similar past projects.
  • Review other projects in the same industry.

Step 3: Determine the Impact of Each Risk

Your team will then determine the impact of each risk should it occur. Would the risk stop the project entirely or stop the development of a product? Or would the risk occurring have a relatively minor impact?

Assessing impact is important because if it’s a positive risk, Romeu says, “You want to make sure you’re doing the things to make it happen. Whereas if it's a high risk and a negative situation, you want to do the things to make sure it doesn't happen.”

There are two ways to measure impact: qualitative and quantitative. “Are we going to do just a qualitative risk assessment, where we're talking about the likelihood and the probability or the urgency of that risk?” asks Zucker. “Or are we going to do a quantitative risk assessment, where we're putting a dollar figure or a time figure to those risks?”

Most often, a team will analyze and measure risk based on qualitative impact. The team will analyze risk based on a qualitative description of what could happen, such as a project being delayed or failing. The team may judge that impact as significant but won’t put a dollar figure on it.

A quantitative risk assessment, on the other hand, estimates the impact in numbers, often measured in dollars or profits lost, should a risk happen. “Typically, for most projects, we don’t do a quantitative risk assessment,” Zucker says. “It’s usually when we’re doing engineering projects or big, federal projects. That’s where we're doing the quantitative.”

Step 4: Determine the Risk Score of Each Event

Once your team assesses possible risks, along with the risk probability and impact, it’s time to determine a risk score for each potential event. This score allows your organization to understand the risks that need the most attention.

Often, teams will use a simple risk matrix to determine that risk score. Your team will assign a score based on the probability of each risk event. It will then assign a second score based on the impact that event would have on the organization. Those two figures multiplied will give each event or risk a risk score.

Zucker says he prefers to assign the numbers 1, 5, and 10 — for low, medium, and high — to both the likelihood of an event happening and its impact. In that scenario, an event with a low likelihood of happening (level of 1) and low impact (level of 1) would have a total risk score of 1 (1 multiplied by 1). An event with a high likelihood of happening (level of 10) and a large impact (level of 10) would have a total risk score of 100.

Zucker says he prefers using those numbers because a scale as small as one to three doesn't convey the importance of high-probability and high-impact risks. “A nine doesn't feel that bad,” he says. “But if it's 100, it's like, ‘Whoa, I really need to worry about that thing.’”

While these risk matrices use numbers, they are not really quantitative. Your teams are making qualitative judgments on events and assigning a rough score. In some cases, however, teams can determine a quantitative risk score.

Your team might determine, based on past projects or other information, that an event has a 10 percent chance of happening. For example, if that event will diminish your manufacturing plant’s production capacity by 50 percent for one month, your team might determine that it will cost your company $400,000. In that case, the risk would have a risk score of $40,000.

At the same time, another event might have a 40 percent chance of happening. Your team might determine the cost to the business would be $10,000. In that case, the risk score is $4,000.

“Just simple counts start to give you a quantifiable way of looking at risk,” says Wills. “A risk that is going to delay 10 percent of your production capacity is a different kind of risk than one that will delay 50 percent of it. Because you have a number, you can gather real operational data for a week or two and see how things support the argument. You can start to compare apples to apples, not apples to fish.”

Wills adds, “Humans, being very optimistic and terrible at predicting the future, will say, ‘Oh, I don't think it'll happen very often.’ Quantitative techniques help to get you away from this gambler fallacy kind of approach. They can make or break your argument to a stakeholder that says, ‘I've looked at this, and I can explain mechanically, count by the numbers like an accountant, what's going on and what might go wrong.’”

Step 5: Understand Your Risk Tolerance

As your team considers risks, it must understand the organization’s risk tolerance. Your team should know what kinds of risks organizational leaders and stakeholders are willing to take to see a project through.

Understanding that tolerance will also help your team decide how and where to invest time and resources in order to prevent certain negative events.

Step 6: Decide How to Prioritize Risks

Once your team has determined the risk score for each risk, it will see which potential risks need the most attention. These are risks that are high impact and that your organization will want to work hard to prevent.

“You want to attack the ones that are high impact and high likelihood first,” says Romeu. 

“Some projects are just so vital to what you do and how you do it that you cannot tolerate the risk of derailment or major failure,” says Wills. “So you're willing to spend money, time, and effort to contain that risk. On other projects, you're taking a flier. You're willing to lose a little money, lose a little effort.”

“You have to decide, based on your project, based on your organization, the markets you're in, is that an ‘oh my gosh, it's gonna keep me up every night’ kind of strategic risk? Or is it one you can deal with?” he says.

Step 7: Develop Risk Response Strategies

Once your team has assessed all possible risks and ranked them by importance, you will want to dive deeper into risk response strategies. That plan should include ways to respond to both positive and negative risks.

These are the main strategies for responding to threats or negative risks:

  • Mitigate: These are actions you will take to reduce the likelihood of a risk event happening or that will reduce the impact if it does happen. “For example, if you’re building a datacenter, we might have backup power generators to mitigate the likelihood or the impact of a power loss,” says Zucker. You can learn more, including more tips from experts, about project risk mitigation.
  • Avoid: If a certain action, new product, or new service carries an unacceptably high risk, you might want to avoid it entirely. 
  • Transfer: The most common way that organizations transfer risk is by buying insurance. A common example is fire insurance for a building. Another is cybersecurity insurance that would cover your company in the event of a data breach. An additional option is to transfer certain risks to other companies that can do the work and assume its risks for your company. “It could be if you didn't want to have the risk of running a datacenter anymore, you transfer that risk to Jeff Bezos (Amazon Web Services) or to Google or whoever,” Zucker says.

These are the main strategies for responding to opportunities or positive risks:

  • Share: Your company might partner with another company to work together on achieving an opportunity, and then share in the benefits.
  • Exploit: Your company and team work hard to make sure an event happens because it will benefit your company.
  • Enhance: Your company works to improve the likelihood of something happening, with the understanding that it might not happen.

These are the main strategies for responding to both threats and opportunities, or negative and positive risks:

  • Accept: Your company simply accepts that a risk might happen but continues on because the benefits of the action are significant. “You're not ignoring the risks, but you're saying, ‘I can't do anything practical about them,’” says Wills. “So they're there. But I'm not going to spend gray matter driving myself crazy thinking about them.”
  • Escalate: This is when a project manager sees a risk as exceptionally high, impactful, and beyond their purview. The project manager should then escalate information about the risk to company leaders. They can then help decide what needs to happen. “Some project managers seem almost fearful about communicating risks to organization leaders,” Romeu says. “It drives me nuts. It's about communicating at the right level to the right people. At the executive level, it’s about communicating what risks are happening and what the impact of those risks are. If they happen, everybody knows what the plan is. And people aren't taken by surprise.”

Step 8: Monitor Your Risk Plans

Your team will want to understand how viable your organization’s risk plans are. That means you might want to monitor how they might work or how to test them.

A common example might be all-hands desktop exercises on a disaster plan. For example, how will a hospital respond to a power failure or earthquake? It’s like a fire drill, Zucker says. “Did we have a plan? Do people know what to do when the risk event occurs?”

Step 9: Perform Risk Assessments Continually

Your team will want to continually assess risks to the project. This step should happen throughout your project, from project planning to execution to closeout. 

Zucker explains the biggest mistake teams tend to make with project risk assessment: “People think it's a one-and-done event. They say, ‘I’ve put together my risk register, we’ve filed it into the documents that we needed to file, and I'm not worrying about it.’ I think that is probably the most common issue: that people don't keep it up. They don't think about it.”

Not thinking about how risks change and evolve throughout a project means project leaders won’t be ready for something when it happens. That’s why doing continual risk assessment as a primary part of risk management is vital, says Wills.

“Risk management is a process that should start before you start doing that activity. As you have that second dream about doing that project, start thinking about risk management,” he says. “And when you have completely retired that thing — you've shut down the business, you've pensioned everybody off, you’re clipping your coupons and working on your backstroke — that's when you're done with risk management. It's just a living, breathing, ongoing thing.”

Experts say project managers must learn to develop a sense for always assessing and monitoring risk. “As a PM, you should, in every single meeting you have, listen for risks,” Romeu says. “A technical person might say, ‘Well, this is going to be difficult because of X or Y or Z.’ That's a risk. They don't understand that's a risk, but as a PM, you should be aware of that.”

Step 10: Identify Lessons Learned

After your project is finished, your team should come together to identify the lessons learned during the project. Create a lessons learned document for future use. Include information about project risks in the discussion and the final document.

By keeping track of risks in a lessons learned document, you allow future leaders of similar projects to learn from your successes and failures. As a result, they can better understand the risks that could affect their project.

“Those lessons learned should feed back into the system — back into that original risk checklist,” Romeu says. “So the next software development project knows to look at these risks that you found.”

How to Write a Project Risk Assessment Report

Teams will often track risks in an online document that is accessible to all team members and organization leaders. Sometimes, a project manager will also create a separate project risk assessment report for top leaders or stakeholders.

Here are some tips for creating that report:

  • Find an Appropriate Template for Your Organization, Industry, and Project: You can find a number of templates that will help guide you in creating a risk assessment report. Find a project risk assessment report template in our project risk assessment starter kit.
  • Consider Your Audience: As you create the report, remember your audience. For example, a report for a technical team will be more detailed than a report for the CEO of your company. Some more detailed reports for project team members might include a full list of risks, which would be 100 or more. “But don't show executives that list; they will lose their mind,” says Romeu.

Project Risk Assessment Starter Kit


This starter kit includes a checklist on assessing possible project risks, a risk register template, a template for a risk impact matrix, a quantitative risk impact matrix, a project risk assessment report template, and a project risk response table. The kit will help your team better understand how to assess and continually monitor risks to a project.

In this kit, you’ll find: 

  • A risk assessment checklist, as a PDF document and in Microsoft Word, to help you identify potential risks for your project. The checklist included in the starter kit is based on a document from Alluvionic Project Management Services.
  • A project risk register template for Microsoft Excel to help you identify, analyze, and track project risks.
  • A project risk impact assessment matrix for Microsoft Excel to assess the probability and impact of various risks.
  • A quantitative project risk impact matrix for Microsoft Excel to quantify the probability and impact of various risks. 
  • A project risk assessment report template for Microsoft Excel to help you communicate your risk assessment findings and risk mitigation plans to company leadership.
  • A project risk response diagram, as a PDF document and in Microsoft Word, to better understand how to respond to various positive and negative risks.


The four steps of risk assessment


Risk assessment is a rigorous scientific process that EFSA uses to help keep the public, animals, plants and the environment safe from food-borne hazards. It has four steps.

EFSA’s risk assessment of caffeine, which hit the headlines in summer 2015, is a practical example of these four steps in action.

Hazard identification: What might harm you?

Scientists identify biological hazards (such as bacteria, viruses, parasites, fungi and moulds) or chemical hazards (such as residues of pesticides or veterinary drugs) present in food.

Caffeine is a naturally occurring chemical compound found in plant constituents such as coffee and cocoa beans, tea leaves, guarana berries and the kola nut, and has a long history of human consumption. It is added to a variety of foods, such as baked pastries, ice creams, sweets, and cola drinks, and is also found in “energy drinks”.


Hazard characterisation: What effects do such hazards cause?

Food-borne hazards can have different health effects from stomach pain to tumours. In rare cases they might be fatal. Scientists study the nature of these health effects and where possible risk assessors calculate a safe level of exposure for consumers.

Short-term adverse effects of caffeine on adults and children can include interrupted sleep, anxiety and behavioural changes. In the longer term, excessive caffeine consumption has been linked to cardiovascular problems and, in pregnant women, stunted foetus development.


Exposure assessment: Who may be harmed?

Scientists need to find out the amount of a hazard present in our food and how much of these foods people of different ages eat. To do so, they use data on chemicals in food and food consumption from across Europe collected by Member States.

Because caffeine is found in so many commonly consumed products, all population groups are exposed to possible negative effects. Average daily intakes vary among Member States, with a maximum of about 320mg a day for adults and 360mg a day for the elderly.


Risk characterisation: Is a food-borne hazard likely to harm you?

Finally, risk assessors draw conclusions on the level of risk. If exposure is above the recommended safe levels, there may be a safety concern for consumers in general or specific groups.

Most people are not at risk but high consumers – such as adults consuming more than 400mg of caffeine a day – may need to control their intake.


Political decision-makers use risk assessment advice to consider how to reduce consumer exposure to potential hazards in the food chain, such as caffeine in food. This may include, for example, advice on eating and lifestyle habits, or controls on commercial food production.


A complete guide to the risk assessment process

Lucid Content


Mark Zuckerberg, the founder of Facebook, once said, “The biggest risk is not taking any risk. In a world that's changing really quickly, the only strategy that is guaranteed to fail is not taking risks.”

While this advice isn't new, we think you’ll agree that there are some risks your company doesn’t want to take: Risks that put the health and well-being of your employees in danger.

These are risks that aren’t worth taking. But it’s not always clear what actions, policies, or procedures are high-risk. 

That’s where a risk assessment comes in.

With a risk assessment, companies can identify and prepare for potential risks in order to avoid catastrophic consequences down the road and keep their personnel safe.


What is risk assessment?

During the risk assessment process, employers review and evaluate their organizations to:

  • Identify processes and situations that may cause harm, particularly to people (hazard identification).
  • Determine how likely it is that each hazard will occur and how severe the consequences would be (risk analysis and evaluation).
  • Decide what steps the organization can take to stop these hazards from occurring or to control the risk when the hazard can't be eliminated (risk control).

It’s important to note the difference between hazards and risks. A hazard is anything that can cause harm, including work accidents, emergency situations, toxic chemicals, employee conflicts, stress, and more. A risk, on the other hand, is the chance that a hazard will cause harm. As part of your risk assessment plan, you will first identify potential hazards and then calculate the risk or likelihood of those hazards occurring.

The goal of a risk assessment will vary across industries, but overall, the goal is to help organizations prepare for and combat risk. Other goals include:

  • Providing an analysis of possible threats
  • Preventing injuries or illnesses
  • Meeting legal requirements
  • Creating awareness about hazards and risk
  • Creating an accurate inventory of available assets
  • Justifying the costs of managing risks
  • Determining the budget to remediate risks
  • Understanding the return on investment

Businesses should perform a risk assessment before introducing new processes or activities, before introducing changes to existing processes or activities (such as changing machinery), or when the company identifies a new hazard.

The steps used in risk assessment form an integral part of your organization’s health and safety management plan and ensure that your organization is prepared to handle any risk.  

Preparing for your risk assessment 

Before you start the risk management process, you should determine the scope of the assessment, necessary resources, stakeholders involved, and laws and regulations that you’ll need to follow. 

Scope: Define the processes, activities, functions, and physical locations included within your risk assessment. The scope of your assessment impacts the time and resources you will need to complete it, so it’s important to clearly outline what is included (and what isn’t) to accurately plan and budget. 

Resources: What resources will you need to conduct the risk assessment? This includes the time, personnel, and financial resources required to develop, implement, and manage the risk assessment.

Stakeholders: Who is involved in the risk assessment? In addition to senior leaders that need to be kept in the loop, you’ll also need to organize an assessment team. Designate who will fill key roles such as risk manager, assessment team leader, risk assessors, and any subject matter experts. 

Laws and regulations: Different industries will have specific regulations and legal requirements governing risk and work hazards. For instance, the Occupational Safety and Health Administration (OSHA) sets and enforces working condition standards for most private and public sectors. Plan your assessment with these regulations in mind so you can ensure your organization is compliant. 

5 steps in the risk assessment process

Once you've planned and allocated the necessary resources, you can begin the risk assessment process.

Proceed with these five steps.

1. Identify the hazards

The first step to creating your risk assessment is determining what hazards your employees and your business face, including:

  • Natural disasters (flooding, tornadoes, hurricanes, earthquakes, fire, etc.)
  • Biological hazards (pandemic diseases, foodborne illnesses, etc.)
  • Workplace accidents (slips and trips, transportation accidents, structural failure, mechanical breakdowns, etc.)
  • Intentional acts (labor strikes, demonstrations, bomb threats, robbery, arson, etc.)
  • Technological hazards (lost Internet connection, power outage, etc.)
  • Chemical hazards (asbestos, cleaning fluids, etc.)
  • Mental hazards (excess workload, bullying, etc.)
  • Interruptions in the supply chain

Take a look around your workplace and see what processes or activities could potentially harm your organization. Include all aspects of work, including remote workers and non-routine activities such as repair and maintenance. You should also look at accident/incident reports to determine what hazards have impacted your company in the past.

2. Determine who might be harmed and how

As you look around your organization, think about how your employees could be harmed by business activities or external factors. For every hazard that you identify in step one, think about who will be harmed should the hazard take place.

3. Evaluate the risks and take precautions

Now that you have gathered a list of potential hazards, you need to consider how likely it is that the hazard will occur and how severe the consequences will be if that hazard occurs. This evaluation will help you determine where you should reduce the level of risk and which hazards you should prioritize first.

Later in this article, you'll learn how you can create a risk assessment chart to help you through this process.

4. Record your findings

If you have more than five employees in your office, you are required by law to write down your risk assessment process. Your plan should include the hazards you’ve found, the people they affect, and how you plan to mitigate them. The record—or the risk assessment plan—should show that you:

  • Conducted a proper check of your workspace
  • Determined who would be affected
  • Controlled and dealt with obvious hazards
  • Initiated precautions to keep risks low
  • Kept your staff involved in the process

5. Review your assessment and update if necessary

Your workplace is always changing, so the risks to your organization change as well. As new equipment, processes, and people are introduced, each brings the risk of a new hazard. Continually review and update your risk assessment process to stay on top of these new hazards.

How to create a risk assessment chart

Even though you need to be aware of the risks facing your organization, you shouldn’t try to fix all of them at once—risk mitigation can get expensive and can stretch your resources. Instead, prioritize risks to focus your time and effort on preventing the most important hazards. To help you prioritize your risks, create a risk assessment chart.

The risk assessment chart is based on the principle that a risk has two primary dimensions: probability and impact, each represented on one axis of the chart. You can use these two measures to plot risks on the chart, which allows you to determine priority and resource allocation.

Be prepared for anything

By applying the risk assessment steps mentioned above, you can manage any potential risk to your business. Get prepared with your risk assessment plan—take the time to look for the hazards facing your business and figure out how to manage them.

Conducting a Risk Assessment

Once you have gathered the data and set the scope for a risk assessment project, the process moves on to conducting the risk assessment itself. Risk assessment serves many purposes for an organization, including reducing operational risks, improving safety performance and achieving objectives. 

Risk Identification

  • Tangible and intangible sources of risk
  • Threats and opportunities
  • Causes and events
  • Consequences and their impact on objectives
  • Limitations of knowledge and reliability of information
  • Vulnerabilities and capabilities
  • Changes in external and internal context
  • Indicators of emerging risks
  • Time-related factors
  • Biases, assumptions and beliefs of those involved

Focusing on these areas, a risk assessment team can then use several different methods to identify the hazards present in the workplace. One such method is a hazard identification (HAZID) study that offers a qualitative, structured technique for risk identification. 

HAZID uses guide words and/or checklists to identify potential hazards, their causes and consequences. Along with its qualitative structure, HAZID can also include qualitative analysis to determine the potential severity of a particular hazard, as well as the likelihood of occurrence. 

The risk assessment team can use tools such as risk assessment matrices and heat maps to compare and, therefore, prioritize hazards. These tools allow safety professionals to place risks into the matrix or map based on the likelihood and severity of a potential incident. From there, decision-makers can analyze each risk to determine the highest-level risks to address. 

Risk Analysis

Working from the information gathered during risk identification, stakeholders can then begin to analyze the risk levels of certain hazards and prioritize actions based on existing controls, among other criteria. 

Risk analysis involves a detailed consideration of uncertainties, hazards, consequences, likelihood, events, scenarios, controls and their effectiveness. An event can have multiple causes and consequences and can affect multiple objectives.

Hazards identified earlier with HAZID can be included in a preliminary hazard analysis. In such an analysis, an assessor analyzes current conditions with existing controls and a potential future state with proposed additional controls. Tools such as risk assessment matrices and heat maps can be used to compare, and therefore prioritize, hazards. These tools allow safety professionals to place risks into the matrix or map based on the likelihood and severity of a potential incident.

From there, decision makers can then analyze each risk to determine the highest-level risks to address. The results from a preliminary hazard analysis can then be transferred to a more detailed approach such as a bow-tie risk assessment diagram for further evaluation to provide more in-depth information to decision makers. 

In terms of finding acceptable solutions for a particular hazard, a layer of protection analysis (LOPA) studies whether existing or proposed barriers are able to achieve acceptable risk levels. When conducting a LOPA, safety professionals select hazards and consequences, and independent protection layers (IPLs) are identified for each hazard/consequence pair. IPLs are physical barriers such as engineering controls, design changes or warning devices designed to prevent the initiating cause from proceeding to the unwanted consequence.

Taking this type of approach to risk analysis allows safety professionals to consider what additional IPLs could be installed to prevent a particular risk and calculate the impact that those controls would have on the severity and likelihood of an incident. 

Risk Evaluation

As the final step of risk assessment, risk evaluation calls on safety professionals to examine the results of the risk analysis and compare them to established risk criteria in order to determine where additional controls may be required and what those controls might be.

As noted, bow-tie risk analysis is a technique for risk evaluation that has gained traction in the safety profession because it provides a more holistic view of risk and paints a picture of a specific hazardous event. The bow-tie analysis is centered around a potential incident, examining its causes, the preventive controls in place, the mitigative controls if it were to occur and the consequences of the incident. 

The benefit of a bow-tie analysis is the ability to better visualize a specific hazardous event, how it could occur, the consequences and how those consequences could be prevented or mitigated. Such an analysis does not, however, usually include a risk scoring mechanism, nor does it reflect the effectiveness of controls. 

Regardless of the method, keep in mind that risk-based decision-making should take into account the wider context as well as the actual and perceived consequences to internal and external stakeholders. 

Risk Communication

Threaded throughout all steps of the risk assessment process is a fourth element, equally crucial to effective risk management – risk communication. 

Safety professionals must communicate the risks identified, analyzed and evaluated during the assessment to all involved so that everyone has a comprehensive understanding of the existing risks and how they can best be prevented or mitigated to achieve organizational objectives.

Taking the steps outlined in this article enables all involved to have a comprehensive understanding of the hazards and risks that exist within facilities and processes, the consequences of the hazards present, and how those can be prevented or mitigated to protect workers’ health and safety. 

What are the 4 essential stages in the risk assessment process?

As the adage goes, failing to plan is planning to fail. This is especially true when it comes to managing risks in business operations. Risk assessment is a critical component of risk management that allows businesses to identify potential risks and develop strategies for mitigating them. In this article, we will explore the four essential stages of the risk assessment process in detail.

Understanding the importance of risk assessment in business operations

The first step in the risk assessment process is understanding why it’s essential. Risk assessment is crucial for all types of businesses, regardless of their size and industry. It allows companies to identify potential risks that may arise from internal and external factors such as changes in legislation, cyber-attacks, natural disasters, and financial risks.

Moreover, risk assessment helps businesses to prioritize their resources and efforts towards mitigating the most significant risks. By identifying potential risks, companies can take proactive measures to prevent or minimize the impact of these risks on their operations, employees, and customers. This, in turn, helps to protect the company’s reputation, assets, and bottom line.

Identifying potential risks within your organization

The second stage of the risk assessment process is identifying potential risks within your organization. This requires a thorough evaluation of all areas of the business, including operations, finance, human resources, and technology. Identifying potential risks can be a challenging task since it requires businesses to think beyond the obvious risks and consider less apparent factors that could impact operations.

One way to identify potential risks is to conduct interviews with employees at all levels of the organization. This can provide valuable insights into areas of the business that may be vulnerable to risks, as well as potential risks that may not have been previously considered. Additionally, reviewing past incidents and near-misses can help identify areas where improvements can be made to prevent future incidents.

Analyzing the likelihood and impact of identified risks

Once potential risks have been identified, the next step in the risk assessment process is to analyze their likelihood and impact. This stage involves evaluating the frequency with which the risk may occur and the severity of the impact should it happen. The purpose of this analysis is to prioritize risks and identify those that require immediate attention.

It is important to note that the likelihood and impact of a risk can change over time. For example, a risk that was previously considered low-impact may become high-impact due to changes in the business environment or technology. Therefore, it is essential to regularly review and update the risk assessment to ensure that it remains relevant and effective.

Another factor to consider when analyzing risks is the potential for interdependencies. One risk may have a cascading effect on other areas of the business, leading to a domino effect of negative consequences. It is important to identify and address these interdependencies to prevent a small risk from turning into a major crisis.

Developing a risk management strategy to mitigate identified risks

The final stage of the risk assessment process is developing a risk management strategy to mitigate identified risks. This involves developing a plan that outlines the steps to be taken to prevent or minimize the impact of the risk. The risk management plan should include clear objectives, responsibilities, and timelines for implementation.

It is important to regularly review and update the risk management plan to ensure its effectiveness. This can be done by conducting regular risk assessments and identifying any new risks that may have emerged. Additionally, it is important to communicate the risk management plan to all relevant stakeholders and ensure that they understand their roles and responsibilities in implementing the plan.

The role of risk assessment in compliance with regulatory requirements

In addition to helping businesses mitigate risks, risk assessment is also critical for regulatory compliance. Many industries have specific regulations and standards that businesses must adhere to, and risk assessment is a key requirement for compliance in many cases.

For example, in the healthcare industry, the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers to conduct regular risk assessments to ensure the confidentiality, integrity, and availability of patient information. Similarly, in the financial industry, the Federal Financial Institutions Examination Council (FFIEC) requires financial institutions to conduct regular risk assessments to ensure the security of customer data and compliance with anti-money laundering regulations.

Best practices for conducting an effective risk assessment process

To conduct an effective risk assessment process, businesses should follow certain best practices. These include involving key stakeholders in the process, conducting regular risk assessments, allocating resources to assigned responsibilities, and documenting all stages of the process.

Another important best practice for conducting an effective risk assessment process is to prioritize risks based on their potential impact on the business. This involves identifying and assessing the likelihood and severity of each risk, and then ranking them in order of priority. By prioritizing risks, businesses can focus their resources on addressing the most critical risks first, and ensure that they are adequately prepared to manage them.

Evaluating the effectiveness of your risk management plan

It’s not enough to develop a risk management plan; businesses must also evaluate its effectiveness regularly. This involves tracking progress against the set objectives, assessing the impact of the implemented strategies, and making necessary adjustments to the plan based on the findings.

One way to evaluate the effectiveness of a risk management plan is to conduct a risk assessment. This involves identifying potential risks, analyzing their likelihood and impact, and determining the best course of action to mitigate or avoid them. By conducting regular risk assessments, businesses can ensure that their risk management plan remains relevant and effective.

Another important aspect of evaluating the effectiveness of a risk management plan is to involve all stakeholders in the process. This includes employees, customers, suppliers, and other relevant parties. By soliciting feedback and input from these stakeholders, businesses can gain valuable insights into the effectiveness of their risk management plan and identify areas for improvement.

The importance of ongoing risk assessment and review in maintaining business resilience

Businesses operate in dynamic environments, and risks are continuously evolving. Therefore, conducting ongoing risk assessment and review is critical for maintaining business resilience. Regular reviews allow businesses to identify new risks and adjust the risk management plan accordingly.

Moreover, ongoing risk assessment and review help businesses to stay compliant with regulatory requirements. Compliance regulations are constantly changing, and businesses need to ensure that they are up-to-date with the latest regulations. Regular risk assessments can help businesses to identify any compliance gaps and take corrective actions to address them.

Additionally, ongoing risk assessment and review can help businesses to improve their overall performance. By identifying and addressing risks, businesses can reduce the likelihood of disruptions and improve their operational efficiency. This can lead to cost savings, increased productivity, and improved customer satisfaction.

Real-life examples of successful risk assessment and management in various industries

Many businesses have successfully implemented risk assessment and management strategies to great effect. Industries such as healthcare, finance, and technology provide excellent examples of how businesses can mitigate risks and protect their operations.

In the healthcare industry, risk assessment and management are critical to ensuring patient safety. Hospitals and clinics use various tools and techniques to identify potential risks and develop strategies to mitigate them. For example, healthcare providers may conduct regular audits of their facilities to identify potential hazards, such as faulty equipment or unsafe working conditions. They may also implement strict protocols for infection control and patient safety to minimize the risk of adverse events.

In the finance industry, risk assessment and management are essential to protecting investments and ensuring financial stability. Financial institutions use sophisticated risk management tools and techniques to identify potential risks and develop strategies to mitigate them. For example, banks may use stress testing to assess the impact of various economic scenarios on their portfolios. They may also implement strict compliance and regulatory frameworks to ensure that they are operating within legal and ethical boundaries.

Common mistakes to avoid when conducting a risk assessment

There are some common mistakes that businesses make when conducting a risk assessment. These include overestimating risks, overlooking less apparent risks, and failing to involve all relevant stakeholders in the process. To conduct an effective risk assessment, businesses must avoid these mistakes.

Another common mistake that businesses make when conducting a risk assessment is relying solely on past experiences and not considering new or emerging risks. It is important to stay up-to-date with industry trends and changes in the business environment to identify potential risks that may not have been present in the past. By doing so, businesses can ensure that their risk assessment is comprehensive and effective in identifying all potential risks.

Integrating technology into your risk assessment process for improved accuracy and efficiency

Technology plays a critical role in risk assessment, and businesses can leverage it to improve accuracy and efficiency. Tools such as risk assessment software, data analytics, and artificial intelligence offer businesses the ability to identify potential risks and develop effective risk management strategies faster and more accurately.

One of the key benefits of using technology in risk assessment is the ability to analyze large amounts of data quickly and accurately. With the help of data analytics tools, businesses can identify patterns and trends that may not be immediately apparent, allowing them to make more informed decisions about potential risks. Additionally, artificial intelligence can be used to automate certain aspects of the risk assessment process, freeing up valuable time and resources for other important tasks.

The benefits of seeking professional assistance in conducting a thorough risk assessment

Risk assessment is a complex process that requires specialized skills and knowledge. Seeking professional assistance can help businesses to conduct a thorough risk assessment, leveraging the experience and expertise of risk management professionals.

One of the key benefits of seeking professional assistance in conducting a risk assessment is that it can help businesses to identify risks that they may not have been aware of. Risk management professionals have a wealth of experience in identifying potential risks and can help businesses to develop strategies to mitigate them.

Another benefit of seeking professional assistance is that it can help businesses to save time and resources. Conducting a thorough risk assessment can be a time-consuming process, and businesses may not have the necessary resources to dedicate to it. By outsourcing the task to a professional, businesses can free up their own resources and focus on other important areas of their operations.

Preparing for unexpected risks through scenario planning and crisis management strategies

Even with robust risk management strategies in place, businesses must prepare for unexpected risks. Scenario planning and crisis management strategies provide businesses with a framework for responding to unexpected risks and minimizing their impact on operations.

Scenario planning involves creating hypothetical situations that could potentially impact a business and developing strategies to address them. By considering a range of possible scenarios, businesses can identify potential risks and develop contingency plans to mitigate their impact. This approach allows businesses to be proactive in their risk management efforts and better prepared for unexpected events.

Crisis management strategies, on the other hand, focus on responding to unexpected events that have already occurred. These strategies involve a coordinated effort to manage the crisis, communicate with stakeholders, and minimize the impact on operations. Effective crisis management requires clear communication, quick decision-making, and a well-defined plan of action.

Conclusion: why an effective risk assessment process is crucial for long-term business success

In conclusion, an effective risk assessment process is critical for long-term business success. By identifying potential risks and developing appropriate strategies for mitigating them, businesses can protect their operations, maintain regulatory compliance, and build resilience in the face of changing circumstances.

The Risk Management Process: 4 Essential Steps

  • 27 September 2021

In Project Risk Management and the Elements of Risk Management Implementation, we looked at what risk management is and the essential elements for implementing risk management into your organization. In this article, we look at the process of risk management and how to identify, assess, and respond to project risks.

The Risk Management Process is a clearly defined method of understanding what risks and opportunities are present, how they could affect a project or organization, and how to respond to them. 

The 4 essential steps of the risk management process are:

  • Identify the risk.
  • Assess the risk.
  • Treat the risk.
  • Monitor and Report on the risk.

Step 1: Risk Identification

The first step in the risk management process is to identify all the events that can negatively (risk) or positively (opportunity) affect the objectives of the project:

  • Project milestones
  • Financial trajectory of the project
  • Project scope

These events can be listed in the risk matrix and later captured in the risk register.

A risk (or opportunity) is characterized by its description, causes and consequences, qualitative assessment, quantitative assessment and mitigation plan. It can also be characterized by who is responsible for its action. Each of these characteristics is necessary for a risk (or opportunity) to be valid.

In order to be managed effectively, the Risks and Opportunities (R&O) identified must be as precise and specific as possible. The title of the risk or opportunity must be succinct, self-explanatory and clearly defined. 

All members of the project can and should identify R&O, and the content of these is the responsibility of the Risk (or Opportunity) Owners. Risk Managers are responsible for ensuring that a formal process for identifying risks and developing response plans is conducted through exchanges with risk owners. We will explain each of these roles in further detail in our next article on Risk Management Team Roles.

Below are examples of tools to help identify R&O:

  • Analysis of existing documentation
  • Interviews with experts
  • Conducting brainstorming meetings
  • Using the approaches of standard methodologies – such as Failure Modes, Effects and Criticality Analysis (FMECA), cause trees, etc.
  • Considering the lessons learned from R&Os encountered in previous projects 
  • Using pre-established checklists or questionnaires covering the different areas of the project (Risk Breakdown Structure or RBS).

Step 2: Risk Assessment

There are two types of risk and opportunity assessments: qualitative and quantitative. A qualitative assessment analyzes the level of criticality based on the event’s probability and impact. A quantitative assessment analyzes the financial impact or benefit of the event. Both are necessary for a comprehensive evaluation of risks and opportunities.

Qualitative Assessment

The Risk Owner and the Risk Manager will rank and prioritize each identified risk and opportunity by occurrence probability and impact severity, according to the project’s criticality scales.

Evaluating occurrence probability (P):

The probability is preferably determined from experience and the progress of the project, or otherwise by consulting a risk expert, and is expressed on a scale of 1 to 99%.

For example, suppose the risk “inability of supplier X to conduct studies on a modification Y by the end of 2025” is assessed as 50% probable. This could be determined from feedback and analysis of the supplier’s workload.

Evaluating impact severity (I):

To assess the overall impact, it is necessary to estimate the severity of each of the impacts defined at the project level. A scale is used to classify the different impacts and their severities. This ensures that the assessment of the risk and opportunity is standardized and reliable.

The criticality level of a risk or opportunity is obtained by the equation: Criticality = P x I

The purpose of the qualitative assessment is to ensure that the risk management team prioritizes the response on critical items first.

Quantitative Assessment

In most projects, the objective of the quantitative assessment is to establish a financial evaluation of a risk’s impact or an opportunity’s benefit, should it occur. This step is carried out by the Risk Owner, the Risk Manager (with support of those responsible for estimates and figures), or the management controller depending on the organizational set up in the company. These amounts represent a potential additional cost (or a potential profit if we are talking about an opportunity) not anticipated in the project budget.

To do this, it is necessary to estimate each of the following and then calculate the cost of the undesired event’s consequences by adding these values:

  • Hours of internal engineering
  • Hours of subcontracting
  • Additional work to do
  • Amendments and/or claims made to contracts

This step will make it possible to estimate the need for additional budget for risks and opportunities of the project.

Step 3: Risk Treatment

In order to treat risks, an organization must first identify its strategies for doing so by developing a treatment plan. The objective of the risk treatment plan is to reduce the probability of occurrence of the risk (preventive action) and/or to reduce the impact of the risk (mitigation action). For an opportunity, the objective of the treatment plan is to increase the likelihood of the opportunity occurring and/or to increase its benefits. Depending on the nature of the risk or opportunity, a response strategy is defined for the project. The following 7 strategies are possible:

funnel diagram showing the 7 risk or opportunity response strategies

7 Risk Response Strategies

  • Accept: Do not initiate any action but continue to monitor.
  • Mitigate/Enhance: Reduce (for a risk) or increase (for an opportunity) the probability of occurrence and/or the severity of impact.
  • Transfer/Share: Transfer responsibility of a risk to a third party who would bear the consequences of the problem (share the benefits of a realized opportunity).
  • Avoid/Exploit: Entirely eliminate uncertainty / take advantage of the opportunity. 

Monitoring the progress of the treatment plan is the responsibility of the risk owner. They must report regularly to the risk manager, who must keep the risk register up to date.

Note: The cost of a risk mitigation plan must be integrated into the budget of the project.

When defining a treatment plan:

  • Each action begins with an action verb and has a clear purpose.
  • Each action has an actionee and a deadline.
  • Actions that could generate costs must be tracked and considered in the project.
  • For example: to reduce the risk of my car breaking down, a treatment plan could be to have it checked annually by a repair shop.

When does risk become an issue?

line diagram showing the point in time at which a risk becomes an issue

It is possible that, despite the actions put in place to mitigate or prevent it, a risk probability could increase and reach 100%. Once a risk is confirmed, we no longer refer to it as a risk but as an issue. The Risk Manager must then inform the various project stakeholders who will relay that a risk has become an issue and transfer it to the issue log.
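The qualitative ranking, the quantitative cost sum, the strategy choice and the risk-to-issue transfer described above, combined in one small risk register. This is an added example, not code from the article; the 1-5 severity scale, the class and field names, and every entry and amount are constructed assumptions.

```python
from dataclasses import dataclass, field

SEVERITY_SCALE = range(1, 6)  # assumed 1-5 project scale; the article fixes none
STRATEGIES = {                # the 7 response strategies, split by entry kind
    "risk": {"Accept", "Mitigate", "Transfer", "Avoid"},
    "opportunity": {"Accept", "Enhance", "Share", "Exploit"},
}


@dataclass
class Entry:
    title: str
    kind: str          # "risk" or "opportunity"
    owner: str         # Risk (or Opportunity) Owner
    probability: int   # P, in percent (1-99 while the entry is open)
    severity: int      # I, on the project's severity scale
    strategy: str
    amounts: dict = field(default_factory=dict)  # cost or benefit components

    def __post_init__(self):
        if self.kind not in STRATEGIES:
            raise ValueError(f"unknown kind: {self.kind!r}")
        if not 1 <= self.probability <= 99:
            raise ValueError("P must be between 1 and 99 percent")
        if self.severity not in SEVERITY_SCALE:
            raise ValueError("I is outside the severity scale")
        if self.strategy not in STRATEGIES[self.kind]:
            raise ValueError(f"{self.strategy!r} is not a {self.kind} strategy")

    @property
    def criticality(self):
        # Criticality = P x I, with P taken as a fraction.
        return self.probability * self.severity / 100

    @property
    def amount(self):
        # Quantitative assessment: add up the individual components.
        return sum(self.amounts.values())


class Register:
    def __init__(self):
        self.open = []       # risks and opportunities still being managed
        self.issue_log = []  # confirmed risks (probability reached 100%)

    def add(self, entry):
        self.open.append(entry)

    def prioritized(self):
        # Most critical items first, so they are treated first.
        return sorted(self.open, key=lambda e: e.criticality, reverse=True)

    def totals(self):
        # Potential additional cost (risks) and potential profit (opportunities).
        totals = {"risk": 0, "opportunity": 0}
        for entry in self.open:
            totals[entry.kind] += entry.amount
        return totals

    def reassess(self, title, probability):
        entry = next(e for e in self.open if e.title == title)
        if entry.kind == "risk" and probability >= 100:
            # A confirmed risk is an issue: move it to the issue log.
            entry.probability = 100
            self.open.remove(entry)
            self.issue_log.append(entry)
            return "issue"
        if not 1 <= probability <= 99:
            raise ValueError("P must be between 1 and 99 percent")
        entry.probability = probability
        return "open"


def build_sample():
    """Constructed sample register; the amounts are invented for illustration."""
    reg = Register()
    reg.add(Entry("Test bench outage", "risk", "Test lead", 20, 5, "Transfer",
                  {"subcontracting": 15000}))
    reg.add(Entry("Supplier X late on modification Y studies", "risk",
                  "Procurement lead", 50, 4, "Mitigate",
                  {"internal_engineering": 12000, "subcontracting": 30000,
                   "additional_work": 8000, "contract_amendments": 5000}))
    reg.add(Entry("Reuse of validated design", "opportunity", "Chief engineer",
                  30, 3, "Exploit", {"avoided_engineering": 20000}))
    return reg


if __name__ == "__main__":
    reg = build_sample()
    for e in reg.prioritized():
        print(f"{e.criticality:4.2f}  {e.kind:<11}  {e.strategy:<8}  {e.title}")
    print(reg.totals())
    print(reg.reassess("Supplier X late on modification Y studies", 100))
    print([e.title for e in reg.issue_log], reg.totals())
```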

Step 4: Risk Monitoring and Reporting

Risks and opportunities and their treatment plans need to be monitored and reported on. The frequency will depend on the criticality of the risk or opportunity. Developing a monitoring and reporting structure ensures that there are appropriate forums for escalation and that appropriate risk responses are being actioned.


In the previous article, we identified the Risk and Opportunity Management Plan, or ROMP, as one of the five essential elements of Project Risk Management. It should include not only the project stakeholders and steering members, but also the governance cadence for monitoring and reporting on risks and opportunities. How this is organized and governed is defined by the Risk Manager in conjunction with the Project Manager.

We will go over both of these roles as well as additional roles within the Risk Management Team in more detail in our next article.

This article was written by: Marie BELGODERE, Jérémie CLAUSTRE, Capucine COMTE, Alioune DIALLO, Emmanuel LATGE, Jessy MIGNOT, Ingrid NGOBAY, Pierre PETILLON, Louann SUGDEN, Chris WAMAL.


© 2024 MIGSO-PCUBED. All rights reserved.


https://www.nist.gov/publications/guide-conducting-risk-assessments

Guide for Conducting Risk Assessments


Chemistry LibreTexts

6.1: Introduction - The Essence of Risk Assessment


  • Sylvia Moes, Kees van Gestel, & Gerco van Beek


Author : Ad Ragas

Reviewer : Martien Janssen

Learning Objectives

After this module, you should be able to:

  • explain the terms risk, hazard, risk assessment, risk management and solution-focused risk assessment;
  • explain the different steps of the risk assessment process, the relation between these steps and how the principle of tiering works;
  • give an example of a risk indicator;
  • indicate the most important advantages and disadvantages of the risk assessment paradigm.

Keywords: risk, hazard, tiering, problem definition, exposure assessment, effect assessment, risk characterization

Introduction

We assess risks on a daily basis, although we may not always be aware of it. For example, when we cross the street, we - often implicitly - assess the benefits of crossing and weigh these against the risks of getting hit by a vehicle. If the risks are considered too high, we may decide not to cross the street, or to walk a bit further and cross at a safer spot with traffic lights.

Risk assessment is common practice for a wide range of activities in society, for example for building bridges, protection against floods, insurance against theft and accidents, and the construction of a new industrial plant. The principle is always the same: we use the available knowledge to assess the probability of potential adverse effects of an activity as well as we can. And if these risks are considered too high, we consider options to reduce or avoid the risk.

Terminology

Risk assessment of chemicals aims to describe the risks resulting from the use of chemicals in our society. In chemical risk assessment, risk is commonly defined as "the probability of an adverse effect after exposure to a chemical". This is a very practical definition that provides natural scientists and engineers the opportunity to quantify risk using "objective" scientific methods, e.g. by quantifying exposure and the likelihood of adverse effects. However, it should be noted that this definition ignores more subjective aspects of risk, typically studied by social scientists, e.g. the perceptions of people and (dealing with) knowledge gaps. This subjective dimension can be important for risk management. For example, risk managers may decide to take action if a risk is perceived as high by a substantial part of the population, even if the associated health risks have been assessed as negligible by natural scientists and engineers.

Next to the term "risk", the term "hazard" is often used. The difference between both terms is subtle, but important. A hazard is defined as the inherent capacity of a chemical (or agent/activity) to cause adverse effects. The labelling of a substance as "carcinogenic" is an example of a hazard-based action. The inherent capacity of the substance to trigger cancer, as for example demonstrated in an in vitro assay or an experiment with rats or mice, can be sufficient reason to label a substance as "carcinogenic". Hazard is thus independent of the actual exposure level of a chemical, whereas risk is not.

Risk assessment is closely related to risk management, i.e. the process of dealing with risks in society. Decisions to accept or reduce risks belong to the risk management domain and involve consideration of the socio-economic implications of the risks as well as the risk management options. Whereas risk assessment is typically performed by natural scientists and engineers, often referred to as "risk assessors", risk management is performed by policy makers, often referred to as "risk managers".

Risk assessment and risk management are often depicted as sequential processes, where assessment precedes management. However, strict separation of both processes is not always possible and management decisions may be needed before risks are assessed. For example, risk assessment requires political agreement on what should be protected and at what level, which is a risk management issue (see Section on Protection Goals). Similarly, the identification, description and assessment of uncertainties in the assessment is an activity that involves risk assessors as well as risk managers. Finally, it is often more efficient to define alternative management options before performing a risk assessment. This enables the assessment of the current situation and alternative management scenarios (i.e., potential solutions) in one round. The scenario with the maximum risk reduction that is also feasible in practice would then be the preferred management option. This mapping of solutions and concurrent assessment of the associated risks is also known as solution-focused risk assessment.

Risk assessment steps and tiering

Chemical risk assessment is typically organized in a limited number of steps, which may vary depending on the regulatory context. Here, we distinguish four steps (Figure 1):

  • Problem definition (sometimes also called hazard identification), during which the scope of the assessment is defined;
  • Exposure assessment, during which the extent of exposure is quantified;
  • Effect assessment (sometimes also called hazard or dose-response assessment), during which the relationship between exposure and effects is established;
  • Risk characterization, during which the results of the exposure and effect assessments are combined into an estimate of risk and the uncertainty of this estimate is described.


The four risk assessment steps are explained in more detail below. The four steps are often repeated multiple times before a final conclusion on the acceptability of the risk is reached. This repetition is called tiering (Figure 2). It typically starts with a simple, conservative assessment and then, in subsequent tiers, more data are added to the assessment resulting in less conservative assumptions and risk estimates. Tiering is used to focus the available time and resources for assessing risks on those chemicals that potentially lead to unacceptable risks. Detailed data are gathered only for chemicals showing potential risk in the lower, more conservative tiers.

The order of the exposure and effect assessment steps has been a topic of debate among risk assessors and managers. Some argue that effect assessment should precede exposure assessment because effect information is independent of the exposure scenario and can be used to decide how exposure should be determined, e.g., information on toxicokinetics can be relevant to determine the exposure duration of interest. Others argue that exposure should precede effect assessment since assessing effects is expensive and unnecessary if exposure is negligible. The current consensus is that the preferred order should be determined on a case-by-case basis with parallel assessment of exposure and effects and exchange of information between the two steps as the preferred option.


Problem definition

The scope of the assessment is determined during the problem definition phase. Questions typically answered in the problem definition include:

  • What is the nature of the problem and which chemical(s) is/are involved?
  • What should be protected, e.g. the general population, specific sensitive target groups, aquatic ecosystems, terrestrial ecosystems or particular species, and at what level?
  • What information is already available, e.g. from previous assessments?
  • What are the available resources for the assessment?
  • What is the assessment order and will tiering be applied?
  • What exposure routes will be considered?
  • What is the timeframe of the assessment, e.g. are acute or (sub)chronic exposures considered?
  • What risk metric will be used to express the risk?
  • How will uncertainties be addressed?

Problem definition is not a task for risk assessors only, but should preferably be performed in a collaborative effort between risk managers, risk assessors and stakeholders. The problem definition should try to capture the worries of stakeholders as well as possible. This is not always an easy task as these worries may be very broad and sometimes also poorly articulated. Risk assessors need a clearly demarcated problem and they can only assess those aspects for which assessment methods are available. The dialogue should make transparent which aspects of the stakeholder concerns will be assessed and which will not. Being transparent about this can avoid disappointments later in the process, e.g. if aspects considered important by stakeholders were not accounted for because suitable risk assessment methods were lacking. For example, if stakeholders are worried about the acute and chronic impacts of pesticide exposure, but only the acute impacts will be addressed, this should be made clear at the beginning of the assessment.

The problem definition phase results in a risk assessment plan detailing how the risks will be assessed given the available resources and within the available timeframe.

Exposure assessment

An important aspect of exposure assessment is the determination of an exposure scenario. An exposure scenario describes the situation for which the exposure is being assessed. In some cases, this exposure situation may be evident, e.g. soil organisms living at a contaminated site. However, especially when we want to assess potential risks of future substance applications, we have to come up with a typical exposure scenario. Such scenarios are for example defined before a substance is allowed to be used as a food additive or before a new pesticide is allowed on the market. Exposure scenarios are often conservative, meaning that the resulting exposure estimate will be higher than the expected average exposure.

The exposure metric used to assess the risk depends on the protection target. For ecosystems, a medium concentration is often used such as the water concentration for aquatic systems, the sediment concentration for benthic systems and the soil concentration for terrestrial systems. These concentrations can either be measured or predicted using a fate model (see Section 3.8) and may or may not take into account bioavailability (see Section 3.6). For human risk assessment, the exposure metric depends on the exposure route. An air concentration is often used to cover inhalation, the average daily intake from food and water to cover oral exposure, and uptake through skin for dermal exposure. Uptake through multiple routes can also be combined in a dose metric for internal exposure, such as Area Under the Curve (AUC) in blood (see Section 6.3.1). Exposure metrics for specific wildlife species (e.g. top predators) and farm animals are often similar to those for humans. Measuring and modelling route-specific exposures is generally more complex than quantifying a simple medium concentration, because it requires not only the quantification of the substance concentration in the contact medium (e.g., concentration in drinking water), but also quantification of the contact intensity (e.g., how much water is consumed per day). Oral exposure in particular can be difficult to quantify because it covers a wide range of different contact media (e.g. food products) and intensities varying from organism to organism.

Effect assessment

The aim of the effect assessment is to estimate a reference exposure level, typically an exposure level which is expected to cause no or very limited adverse effects. There are many different types of reference levels in chemical risk assessment, each used in a different context. The most common reference level for ecological risk assessment is the Predicted No Effect Concentration (PNEC). This is the water, soil, sediment or air concentration at which no adverse effects at the ecosystem level are expected. In human risk assessment, a myriad of different reference levels are used, e.g. the Acceptable Daily Intake (ADI), the oral and inhalatory Reference Dose (RfD), the Derived No Effect Level (DNEL), the Point of Departure (PoD) and the Virtually Safe Dose (VSD). Each of these reference levels is used in a specific context, e.g. for addressing a specific exposure route (ADI is oral), regulatory domain (the DNEL is used in the EU for REACH, whereas the RfD is used in the USA), substance type (the VSD is typical for genotoxic carcinogens) or risk assessment method (the PoD is typical for the Margin of Safety approach).

What all reference levels have in common is that they reflect a certain level of protection for a specific protection goal. In ecological risk assessment, the protection goal typically is the ecosystem, but it can also be a specific species or even an organism. In human risk assessment, the protection goal typically comprises all individuals of the human population. The definition of protection goals is a normative issue and it therefore is not a task of risk assessors, but of politicians. The protection levels defined by politicians typically involve a high level of abstraction, e.g. "the entire ecosystem and all individuals of the human population should be protected". Such abstract protection goals do not always match with the methods used to assess the risks. For example, if one assumes that one molecule of a genotoxic carcinogen can trigger a deadly tumour, 100% protection for all individuals of the human population is feasible only by banning all genotoxic carcinogens (reference level = 0). Likewise, the safe concentration for an ecosystem is infinitely small if one assumes that the sensitivity of the species in the system follows a lognormal distribution which asymptotically approaches the x-axis. Hence, the abstract protection goals have to be operationalized, i.e. defined in more practical terms and matching the methods used for assessing effects. This is often done in a dialogue between scientific experts and risk managers. An example is the "one in a million lifetime risk estimated with a conservative dose response model" which is used by many (inter)national organizations as a basis for setting reference levels for genotoxic carcinogens. Likewise, the concentration at which the no observed effect concentration (NOEC) for only 5% of the species is exceeded is often used as a basis for deriving a PNEC.

Once a protection goal has been operationalized, it must be translated into a corresponding exposure level, i.e. the reference level. This is typically done using the outcomes of (eco)toxicity tests, i.e. tests with laboratory animals such as rats, mice and dogs for human reference levels and with primary consumers, invertebrates and vertebrates for ecological reference levels. Often, the toxicity data are plotted in a graph with the exposure level on the x-axis and the effect or response level on the y-axis. A mathematical function is then fitted to the data; the so-called dose-response relationship. This dose-response relationship is subsequently used to derive an exposure level that corresponds to a predefined effect or response level. Finally, this exposure level is extrapolated to the ultimate protection goal, accounting for phenomena such as differences in sensitivity between laboratory and field conditions, between tested species and the species to be protected, and the (often very large) variability in sensitivity in the human population or the ecosystem. This extrapolation is done by dividing the exposure level that corresponds to a predefined effect or response level by one or more assessment or safety factors. These assessment factors do not have a pure scientific basis in the sense that they account for physiological differences which have actually been proven to exist. These factors also account for uncertainties in the assessment and should make sure that the derived reference level is a conservative estimate. The determination of reference levels is an art in itself and is further explained in sections 6.3.1 for human risk assessment and 6.3.2 for ecological risk assessment.

Risk characterization

The aim of risk characterization is to come up with a risk estimate, including associated uncertainties. A comparison of the actual exposure level with the reference level provides an indication of the risk:

Formule

If the reference level reflects the maximum safe exposure level, then the risk indicator should be below unity (1.0). A risk indicator higher than 1.0 indicates a potential risk. It is a "potential risk" because many conservative assumptions may have been made in the exposure and effect assessments. A risk indicator above 1.0 can thus lead to two different management actions: (1) if available resources (time, money) allow and the assessment was conservative, additional data may be gathered and a higher tier assessment may be performed, or (2) consideration of mitigation options to reduce the risk. Assessment of the uncertainties is very important in this phase, as it reveals how conservative the assessment was and how it can be improved by gathering additional data or applying more advanced risk assessment tools.

Risks can also be estimated using a margin-of-safety approach. In this approach, the reference level used has not yet been extrapolated from the tested species to the protection goal, e.g. by applying assessment factors for interspecies and interindividual differences in sensitivity. As such, the reference level is not a conservative estimate. In this case, the risk indicator reflects the "margin of safety" between actual exposure and the non-extrapolated reference level. Depending on the situation at hand, the margin-of-safety typically should be 100 or higher. The main difference between the traditional and the margin-of-safety approach in risk assessment is the timing for addressing the uncertainties in the effect assessment.
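A tiered risk characterization following the text above, written as an added example that is not part of the original module. It assumes the risk indicator is the actual exposure divided by the reference level and the margin of safety is the non-extrapolated effect level divided by the exposure; the names, the `affordable_tiers` parameter and all values are constructed.

```python
from dataclasses import dataclass
from math import prod


@dataclass
class Tier:
    name: str
    exposure: float            # actual exposure level (measured or predicted)
    effect_level: float        # level read from the dose-response relationship
    assessment_factors: tuple  # factors extrapolating to the protection goal

    @property
    def reference_level(self):
        # Extrapolation: divide the effect level by the assessment factors.
        return self.effect_level / prod(self.assessment_factors)

    @property
    def risk_indicator(self):
        # Assumed form: exposure relative to the (extrapolated) reference level.
        return self.exposure / self.reference_level

    @property
    def margin_of_safety(self):
        # Assumed form: non-extrapolated effect level relative to exposure.
        return self.effect_level / self.exposure


def characterize(tiers, affordable_tiers=None, required_margin=100):
    """Walk the tiers from most to least conservative.

    Stops at the first tier whose risk indicator does not exceed 1.0. If the
    tiers (or the resources to run them) are exhausted while the indicator is
    still above 1.0, the outcome is to consider mitigation options.
    """
    if not tiers:
        raise ValueError("at least one tier is required")
    limit = len(tiers) if affordable_tiers is None else affordable_tiers
    if limit < 1:
        raise ValueError("at least one tier must be affordable")
    trace = []
    for tier in tiers[:limit]:
        trace.append({
            "tier": tier.name,
            "risk_indicator": tier.risk_indicator,
            "margin_of_safety": tier.margin_of_safety,
            "meets_margin": tier.margin_of_safety >= required_margin,
        })
        if tier.risk_indicator <= 1.0:
            return {"conclusion": "acceptable", "tier": tier.name, "trace": trace}
    return {"conclusion": "consider mitigation", "tier": trace[-1]["tier"],
            "trace": trace}


def sample_tiers():
    """Constructed data (mg/L): only the exposure estimate is refined per tier."""
    factors = (10, 10)  # e.g. interspecies and interindividual differences
    return [
        Tier("tier 1", exposure=2.0, effect_level=10.0, assessment_factors=factors),
        Tier("tier 2", exposure=0.4, effect_level=10.0, assessment_factors=factors),
        Tier("tier 3", exposure=0.05, effect_level=10.0, assessment_factors=factors),
    ]


if __name__ == "__main__":
    for affordable in (None, 2):
        result = characterize(sample_tiers(), affordable_tiers=affordable)
        print(affordable, result["conclusion"], result["tier"])
        for row in result["trace"]:
            print(f"  {row['tier']}: RI={row['risk_indicator']:.2f} "
                  f"MoS={row['margin_of_safety']:.0f}")
```

With the same factors of 10 x 10 in every tier, a risk indicator above 1.0 and a margin of safety below 100 flag the same tiers, which shows that the two approaches differ only in when the uncertainty factors are applied.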

Figure 3 illustrates the risk assessment paradigm using the DPSIR chain (Section 1.2). It illustrates how reference exposure levels are derived from protection goals, i.e. the maximum level of impact that we consider acceptable. The actual exposure level is either measured or predicted using estimated emission levels and dispersion models. When measured exposure levels are used, this is called retrospective or diagnostic risk assessment: the environment is already polluted and the assessor wants to know whether the risk is acceptable and which substances are contributing to it. When the environment is not yet polluted, predictive tools can be used. This is called prospective risk assessment: the assessor wants to know whether a projected activity will result in unacceptable risks. Even if the environment is already polluted, the risk assessor may still decide to prefer predicted over measured exposure levels, e.g. if measurements are too expensive. This is possible only if the pollution sources are well-characterized. Retrospective (diagnostic) and prospective risk assessments can differ substantially in terms of problem definitions and methods used, and are therefore discussed in separate sections in this online book.


Figure 3 can also be used to illustrate some important criticism of the current risk assessment paradigm, i.e. the comparison between the actual exposure level and a reference level. In current assessments, only one point of the dose-response relationship is used to assess risk, i.e. the reference level. Critics argue that this is suboptimal and a waste of resources because the dose-response information is not used to assess the actual risk. A risk indicator with a value of 2.0 implies that the exposure is twice as high as the reference level, but this does not give an indication of how many individuals or species are being affected or of the intensity of the effect. If the dose-response relationship were used to determine the risk, this would result in a better-informed risk estimate.

A final critical remark that should be made is that risk assessment is often performed on a substance-by-substance basis. Dealing with mixtures of chemicals is difficult because each mixture has a unique composition in terms of compounds and concentration ratios between compounds. This makes it difficult to determine a reference level for mixtures. Mixture toxicology is slowly progressing and several methods are now available to address mixtures, i.e. whole mixture methods and compound-based approaches (Section 6.3.6). Another promising development is the use of effect-based methods (Section 6.4.2). These methods do not assess risk based on chemical concentration, but on the toxicity measured in an environmental sample. In terms of DPSIR, these methods are assessing risks on the level of impacts rather than the level of state or pressures.

Imagine the herbicide glyphosate would be banned based on its carcinogenic properties. Would this intervention be risk-based or hazard-based?

Indicate whether the following activities should involve risk assessors, risk managers/politicians and/or stakeholders:

  • Determination of a safe dose level based on established protection goals;
  • Determination of protection goals;
  • Determination of intervention options;
  • Demarcation of the risk assessment problem;
  • Translation of abstract protection goals into operational goals.

Indicate whether the following risk assessments are retrospective or prospective:

  • Determining the adverse impacts of a contaminated area on human health and the environment;
  • Quantifying the human health risk of current air pollution levels;
  • Determining whether the risks associated with a new pesticide are acceptable;
  • Predicting the risk of chemicals based on current emission levels.

A risk assessment was performed for two different substances, i.e. A and B. The risk indicator value of substance A was 1.5 and that of substance B was 2.0. A risk manager proposes to first address substance B and subsequently substance A. Do you agree? Motivate your answer.

Canadian Centre for Occupational Health and Safety

Hazard and Risk - Risk Assessment

On this page

  • What is a risk assessment?
  • Why is risk assessment important?
  • What is the goal of risk assessment?
  • When should a risk assessment be done?
  • How do you plan for a risk assessment?
  • How is a risk assessment done?
  • How are the hazards identified?
  • How do you know if the hazard will cause harm (poses a risk)?
  • How are risks ranked or prioritized?
  • What are methods of hazard control?
  • Why is it important to review and monitor the assessments?
  • What documentation should be done for a risk assessment?

Risk assessment is a term used to describe the overall process or method where you:

  • Identify hazards and risk factors that have the potential to cause harm (hazard identification).
  • Analyze and evaluate the risk associated with that hazard (risk analysis, and risk evaluation).
  • Determine appropriate ways to eliminate the hazard, or control the risk when the hazard cannot be eliminated (risk control).

A risk assessment is a thorough look at your workplace to identify those things, situations, processes, etc. that may cause harm, particularly to people. After identification is made, you analyze and evaluate how likely and severe the risk is. When this determination is made, you can next decide what measures should be in place to effectively eliminate or control the harm from happening.

The CSA Standard Z1002 "Occupational health and safety - Hazard identification and elimination and risk assessment and control" uses the following terms:

  • Risk assessment – the overall process of hazard identification, risk analysis, and risk evaluation.
  • Hazard identification – the process of finding, listing, and characterizing hazards.
  • Risk analysis – a process for comprehending the nature of hazards and determining the level of risk. Notes: (1) Risk analysis provides a basis for risk evaluation and decisions about risk control. (2) Information can include current and historical data, theoretical analysis, informed opinions, and the concerns of stakeholders. (3) Risk analysis includes risk estimation.
  • Risk evaluation – the process of comparing an estimated risk against given risk criteria to determine the significance of the risk.
  • Risk control – actions implementing risk evaluation decisions. Note: Risk control can involve monitoring, re-evaluation, and compliance with decisions.

For definitions and more information about what hazards and risks are, please see the OSH Answers document Hazard and Risk .

Risk assessments are very important as they form an integral part of an occupational health and safety management plan. They help to:

  • Create awareness of hazards and risk.
  • Identify who may be at risk (e.g., employees, cleaners, visitors, contractors, the public, etc.).
  • Determine whether a control program is required for a particular hazard.
  • Determine if existing control measures are adequate or if more should be done.
  • Prevent injuries or illnesses, especially when done at the design or planning stage.
  • Prioritize hazards and control measures.
  • Meet legal requirements where applicable.

The aim of the risk assessment process is to evaluate hazards, then remove that hazard or minimize the level of its risk by adding control measures, as necessary. By doing so, you have created a safer and healthier workplace.

The goal is to try to answer the following questions:

  • What can happen and under what circumstances?
  • What are the possible consequences?
  • How likely are the possible consequences to occur?
  • Is the risk controlled effectively, or is further action required?

There may be many reasons a risk assessment is needed, including:

  • Before new processes or activities are introduced.
  • Before changes are introduced to existing processes or activities, including when products, machinery, tools, equipment change or new information concerning harm becomes available.
  • When hazards are identified.

In general, determine:

  • What the scope of your risk assessment will be (e.g., be specific about what you are assessing such as the lifetime of the product, the physical area where the work activity takes place, or the types of hazards).
  • The resources needed (e.g., train a team of individuals to carry out the assessment, the types of information sources, etc.).
  • What type of risk analysis measures will be used (e.g., how exact the scale or parameters need to be in order to provide the most relevant evaluation).
  • Who are the stakeholders involved (e.g., manager, supervisors, workers, worker representatives, suppliers, etc.).
  • What relevant laws, regulations, codes, or standards may apply in your jurisdiction, as well as organizational policies and procedures.

Assessments should be done by a competent person or team of individuals who have a good working knowledge of the situation being studied. Include either on the team or as sources of information, the supervisors and workers who work with the process under review as these individuals are the most familiar with the operation.

In general, to do an assessment, you should:

  • Identify hazards.
  • Consider normal operational situations as well as non-standard events such as maintenance, shutdowns, power outages, emergencies, extreme weather, etc.
  • Review all available health and safety information about the hazard such as Safety Data Sheets (SDSs), manufacturers' literature, information from reputable organizations, results of testing, workplace inspection reports, records of workplace incidents (accidents), including information about the type and frequency of the occurrence, illnesses, injuries, near misses, etc.
  • Understand the minimum legislated requirements for your jurisdiction.
  • Identify actions necessary to eliminate the hazard, or control the risk using the hierarchy of risk control methods.
  • Evaluate to confirm if the hazard has been eliminated or if the risk is appropriately controlled.
  • Monitor to make sure the control continues to be effective.
  • Keep any documents or records that may be necessary. Documentation may include detailing the process used to assess the risk, outlining any evaluations, or detailing how conclusions were made.

When doing an assessment, also take into account:

  • The methods and procedures used in the processing, use, handling or storage of the substance, etc.
  • The actual and the potential exposure of workers (e.g., how many workers may be exposed, what that exposure is/will be, and how often they will be exposed).
  • The measures and procedures necessary to control such exposure by means of engineering controls, work practices, and hygiene practices and facilities.
  • The duration and frequency of the task (how long and how often a task is done).
  • The location where the task is done.
  • The machinery, tools, materials, etc. that are used in the operation and how they are used (e.g., the physical state of a chemical, or lifting heavy loads for a distance).
  • Any possible interactions with other activities in the area and if the task could affect others (e.g., cleaners, visitors, etc.).
  • The lifecycle of the product, process or service (e.g., design, construction, uses, decommissioning).
  • The education and training the workers have received.
  • How a person would react in a particular situation (e.g., what would be the most common reaction by a person if the machine failed or malfunctioned).

It is important to remember that the assessment must take into account not only the current state of the workplace but any potential situations as well.

By determining the level of risk associated with the hazard, the employer, and the health and safety committee (where appropriate), can decide whether a control program is required and to what level.

See a sample risk assessment form .

Overall, the goal is to find and record possible hazards that may be present in your workplace. It may help to work as a team and include both people familiar with the work area, as well as people who are not - this way you have both the experienced and fresh eye to conduct the inspection. In either case, the person or team should be competent to carry out the assessment and have good knowledge about the hazard being assessed, any situations that might likely occur, and protective measures appropriate to that hazard or risk.

To be sure that all hazards are found:

  • Look at all aspects of the work.
  • Include non-routine activities such as maintenance, repair, or cleaning.
  • Look at accident / incident / near-miss records.
  • Include people who work off site either at home, on other job sites, drivers, teleworkers, with clients, etc.
  • Look at the way the work is organized or done (include experience of people doing the work, systems being used, etc).
  • Look at foreseeable unusual conditions (for example: possible impact on hazard control procedures that may be unavailable in an emergency situation, power outage, etc.).
  • Determine whether a product, machine or equipment can be intentionally or unintentionally changed (e.g., a safety guard that could be removed).
  • Review all of the phases of the lifecycle.
  • Examine risks to visitors or the public.
  • Consider the groups of people that may have a different level of risk such as young or inexperienced workers, persons with disabilities, or new or expectant mothers.

It may help to create a chart or table such as the following:

Each hazard should be studied to determine its level of risk. To research the hazard, you can look at:

  • Product information / manufacturer documentation.
  • Past experience (knowledge from workers, etc.).
  • Legislated requirements and/or applicable standards.
  • Industry codes of practice / best practices.
  • Health and safety material about the hazard such as safety data sheets (SDSs), research studies, or other manufacturer information.
  • Information from reputable organizations.
  • Results of testing (atmospheric or air sampling of workplace, biological swabs, etc.).
  • The expertise of an occupational health and safety professional.
  • Information about previous injuries, illnesses, near misses, incident reports, etc.
  • Observation of the process or task.

Remember to include factors that contribute to the level of risk such as:

  • The work environment (layout, condition, etc.).
  • The systems of work being used.
  • The range of foreseeable conditions.
  • The way the source may cause harm (e.g., inhalation, ingestion, etc.).
  • How often and how much a person will be exposed.
  • The interaction, capability, skill, experience of workers who do the work.

Ranking or prioritizing hazards is one way to help determine which risk is the most serious and thus which to control first. Priority is usually established by taking into account the employee exposure and the potential for incident, injury or illness. By assigning a priority to the risks, you are creating a ranking or an action list.

There is no one simple or single way to determine the level of risk. Nor will a single technique apply in all situations. The organization has to determine which technique will work best for each situation. Ranking hazards requires the knowledge of the workplace activities, urgency of situations, and most importantly, objective judgement.

For simple or less complex situations, an assessment can literally be a discussion or brainstorming session based on knowledge and experience. In some cases, checklists or a probability matrix can be helpful. For more complex situations, a team of knowledgeable personnel who are familiar with the work is usually necessary.

As an example, consider this simple risk matrix. Table 1 shows the relationship between probability and severity.

Risk Matrix

Severity ratings in this example represent:

  • High: major fracture, poisoning, significant loss of blood, serious head injury, or fatal disease
  • Medium: sprain, strain, localized burn, dermatitis, asthma, injury requiring days off work
  • Low: an injury that requires first aid only; short-term pain, irritation, or dizziness

Probability ratings in this example represent:

  • High: likely to be experienced once or twice a year by an individual
  • Medium: may be experienced once every five years by an individual
  • Low: may occur once during a working lifetime

The cells in Table 1 correspond to a risk level, as shown in Table 2.

Risk Ratings

These risk ratings correspond to recommended actions such as:

  • Immediately dangerous: stop the process and implement controls
  • High risk: investigate the process and implement controls immediately
  • Medium risk: keep the process going; however, a control plan must be developed and should be implemented as soon as possible
  • Low risk: keep the process going, but monitor regularly. A control plan should also be investigated
  • Very low risk: keep monitoring the process

Let's use an example: When painting a room, a step stool must be used to reach higher areas. The individual will not be standing higher than 1 metre (3 feet) at any time. The assessment team reviewed the situation and agrees that working from a step stool at 1 m is likely to:

  • Cause a short-term injury such as a strain or sprain if the individual falls. A severe sprain may require days off work. This outcome is similar to a medium severity rating.
  • Occur once in a working lifetime as painting is an uncommon activity for this organization. This criterion is similar to a low probability rating.

When compared to the risk matrix chart (Table 1), these values correspond to a low risk.

Risk Matrix / Ratings

The workplace decides to implement risk control measures, including the use of a stool with a large top that will allow the individual to maintain stability when standing on the stool. Although they determined that the floor surface is flat, they also provided training to the individual on the importance of making sure the stool's legs always rest on the flat surface. The training also included steps to avoid excess reaching while painting.

Once you have established the priorities, the organization can decide on ways to control each specific hazard. Hazard control methods are often grouped into the following categories:

  • Elimination (including substitution).
  • Engineering controls.
  • Administrative controls.
  • Personal protective equipment.

For more details, please see the OSH Answers Hazard Control .

It is important to know if your risk assessment was complete and accurate. It is also essential to be sure that any changes in the workplace have not introduced new hazards or changed hazards that were once ranked as lower priority to a higher priority.

It is good practice to review your assessment on a regular basis to make sure your control methods are effective.

Keeping records of your assessment and any control actions taken is very important. You may be required to store assessments for a specific number of years. Check for local requirements in your jurisdiction.

The level of documentation or record keeping will depend on:

  • Level of risk involved.
  • Legislated requirements.
  • Requirements of any management systems that may be in place.

Your records should show that you:

  • Conducted a good hazard review.
  • Determined the risks of those hazards.
  • Implemented control measures suitable for the risk.
  • Reviewed and monitored all hazards in the workplace.

Fact sheet last revised: 2017-02-15

22nd February, 2024

The 5 Steps To Risk Assessment (And How To Complete Them)

In this blog post, we look at what the 5 steps to risk assessment are, why you need them, and how to complete them. From identifying hazards and risks in your workplace to deciding on precautions and recording your assessment.

Risk assessment is the process of identifying what could harm people in your business, and deciding what action is needed to reduce the risk.

At work, your risk assessment process can follow these 5 steps:

  • Identify hazards
  • Assess the risks
  • Control the risks
  • Record your findings
  • Review the controls

Carrying out a risk assessment might sound complicated, but you've been learning how to risk assess your whole life. And if you've made it this far, you're probably pretty good at it!

You might not realise it but you are risk assessing things all day. When we are driving, working, playing, and even just crossing the road. We ask ourselves, is this safe?

It's a skill we discover as children and develop through experience. We learn when things are hot, not to touch them again.

Yes, some people might be more accident-prone than others. But, no matter how clumsy you think you are, we all have the ability to assess risks. To look at a situation and determine if it is safe to continue.

Risk assessment at work might seem more formal. It's a legal requirement after all . But it serves the same purpose and asks the same question. Is this safe?

That's all a risk assessment is, at its core - an assessment of risk.

But if we all know how to risk assess in everyday life, why do we need "5 steps" ? And why has it become a legal requirement?

At work, employers have legal health and safety responsibilities (and so do employees). And you're not choosing to do these activities, you're being told to do them. So they need to be safe (it's the law!).

The hazards might be more complex, depending on the type of work you do. The risks might be more serious than touching something hot. But the overall aim is the same. We need to make sure the activity is safe, or it is made safe.

The 5 steps to risk assessment:

  • Identify the hazards
  • Decide who might be harmed and how
  • Evaluate the risks and decide on precautions
  • Record your significant findings
  • Review your assessment and update if necessary

These are the 5 steps you can work through when writing a risk assessment . Going through this step-by-step process will help you to make sure you have covered all the necessary bases. Ok, we now know the 5 steps, but how do we complete them?

Need to write a risk assessment? Use the free blank risk assessment template to follow along and create your own risk assessment.

1. Identify the hazards

The first step of risk assessment is to identify the hazards . A hazard is something with the potential to cause harm. For example, a substance could be a hazard, it might be toxic, you could spill it and create a slip hazard, or it could be flammable. Any of these things have the potential to cause harm.

A hazard is not a risk. Find out more in the difference between hazard and risk explained .

There may be one hazard or multiple hazards involved with a task or activity.

You don't have to identify every possible hazard, but you should aim to identify any significant hazards . These are things which could result in harm to people.

Hazards can be identified by reviewing the activity, and the working environment.

  • Fire and Explosion
  • Radiation / Biological Hazards
  • Environment
  • Individuals

Need more examples? Here's 52 examples of workplace hazards .

2. Decide who might be harmed and how

Now it's time to assess the risks, by looking at who might be harmed by the hazards and how .

For each hazard, you need to be clear about who might be harmed. This might be workers carrying out the activity, visitors, or even members of the public if you are working on or adjacent to public areas.

Don't just think about those carrying out the task. Of course, they might be the most obvious people that could be harmed. But what about others?

If the task creates dust or fumes, that could spread to other workers nearby. If you are working in public areas or occupied buildings, you need to think about people beyond your own team.

  • The worker or operators
  • Adjacent workers
  • Particular groups of workers
  • All workers
  • Other occupants
  • Members of the public

You might already be controlling some of the risks with your existing controls. For example, the activity might be noisy, but it will happen in a place that already requires ear protection.

This might reduce how someone could be harmed , but next, you'll decide if there's more you need to do to control the risks.

3. Evaluate the risks and decide on precautions

In step 3 of our risk assessment, we evaluate the risks and decide on precautions to control the risks.

We measure risk by likelihood and severity. This tells us if the risk is low or high. Likelihood is how likely harm could occur, for example, rare or certain. And severity is how serious that harm could be, for example, minor cuts or death.

You might choose to represent this risk level as Low, Medium, or High. Or use a 5x5 risk matrix , a 9x9 matrix or some other scale.

Use the free risk assessment calculator to help assess and prioritise your risk levels. We use a 9x9 calculation simplified into Low, Medium, and High results for your risk levels.

The higher the risk, the more of a priority controlling that risk should be.

Look at each hazard you identified (in Step 1) and the risks they create (in Step 2). How can you manage these risks responsibly?

The control measures you put in place should bring the risk down to an acceptable level before you start work. If the control measures are not in place that need to be, then work shouldn't start or continue until those risks have been controlled.

Risk doesn't have to be zero . There will often be some risk remaining ( residual risk ) - but it needs to be at an acceptable level. If the risk is still high, and someone could get seriously hurt, then it is unlikely you have done enough to control the risks.

Put in place actions and controls to reduce the risk as much as is reasonably practicable, to reduce the risk to an acceptable level.

Here are the 5 best risk assessment control measures with examples , to help you out with step 3.

4. Record your significant findings

Once you have completed the first 3 steps, it's time to record your significant findings. This is a legal requirement if you have 5 or more employees.

"(6) Where the employer employs five or more employees, he shall record— the significant findings of the assessment; and any group of his employees identified by it as being especially at risk."

The Management of Health and Safety at Work Regulations, Risk Assessment

Although it's not a legal requirement to write your risk assessment down if you have fewer than 5 employees, it's useful to record your findings no matter what size of business you are.

Clients and others may ask to see it. Your team might need to see it. And businesses of all sizes are required to carry out risk assessments, so having it written down proves that you have done one and gives you a record.

A written risk assessment is a record of your findings and can be used to communicate the hazards and controls to your workforce, and as a record that the assessment has been carried out.

5. Review your assessment and update if necessary

Finally, make sure you review your risk assessment and update if necessary.

Things can change over time. Review and revision may be necessary when conditions change or based on feedback from the team completing the activity.

How often you need to review your risk assessment will depend on several factors:

  • If the way you work changes.
  • If you introduce new technology or equipment.
  • If health and safety regulations change.
  • If you identify problems.

Even if nothing changes, review your risk assessments periodically and make sure your risk assessment stays up to date.

Find out more in how often do you need to review a risk assessment?

Need help with your risk assessments? We have a large library of risk assessment templates that you can edit and use for your business activities.

This article was written by Emma at HASpod . Emma has over 10 years experience in health and safety and BSc (Hons) Construction Management. She is NEBOSH qualified and Tech IOSH.



Managing risks

Risk management involves thinking about what could happen if someone is exposed to a hazard and how likely it is to happen. You should always aim to eliminate risks. If you can’t, you must minimise risks so far as is reasonably practicable. 

Eliminating the risk is the best control. If you can’t, you must minimise the risk so far as is reasonably practicable. The hierarchy of control measures assists duty holders to select the highest control measures to effectively manage risk. 

A step-by-step approach 

To manage WHS risks you should: 

  • Identify hazards
  • Assess risks
  • Control risks
  • Review control measures

At each step you must consult with workers and their health and safety representatives. Workers have knowledge, experience and ideas that can help you manage WHS risks. 

Risk management should be used for both physical risks and psychological risks in the workplace. Psychological risks are risks to someone’s psychological health (mental health). 

Step 1 - Identify hazards 

Hazards are things and situations that could harm a person. Find out what could cause harm in your workplace.  

Step 2 - Assess risks 

Undertake a risk assessment to identify the hazards in your workplace, which may cause harm (death, injury, or illness).  A risk assessment involves looking at what could happen if someone is exposed to a hazard and the likelihood of it happening. 

A risk assessment can help you work out: 

  • how severe a risk is
  • if your control measures are effective
  • what action you should take to control the risk
  • how urgently you need to take action.

You may not need to undertake this step if the hazards, risks, and control measures are well-known. 

Step 3 - Control risks 

You should always aim to eliminate risks, as this is the best way to manage risks.  Where this is not possible, you must minimise risks so far as is reasonably practicable. 

To control risks, you can follow the hierarchy of control measures, which are ranked from the highest level of protection and reliability to the lowest.  

Step 4 - Review control measures 

Review your control measures to make sure they work as planned. 

Examples of the risk management process can be found in Appendix B of the model Code of Practice: How to manage work health and safety risks . 

Control measures 

You should always aim to eliminate risks, as this is the best way to manage risk. If you can’t eliminate risks, you must minimise risks so far as is reasonably practicable. 

Use the hierarchy of control measures to control risks and reduce exposure to hazards. The ways of controlling risk are ranked from the highest level of protection and reliability to the lowest.  Administrative controls and  personal protective equipment (PPE) are the least effective. They do not control the hazard at the source and rely on human behaviour and supervision. 

The hierarchy of control measures can be applied to any risk and must be applied where it is not reasonably practicable to eliminate risks linked to: 

  • remote or isolated work
  • hazardous atmospheres or chemicals
  • hazardous manual tasks
  • falls or falling objects
  • plant, electrical or construction work
  • hearing loss associated with noise
  • general diving work
  • confined spaces
  • naturally occurring asbestos

Figure 1. The hierarchy of control measures

Reasonably practicable 

What you must do to manage WHS risks depends on what is reasonably practicable. To decide if something is reasonably practicable you should think about all the relevant matters, for example: 

the likelihood of the hazard or risk 

the harm that could occur 

knowledge about the hazard or risk 

ways to minimise or eliminate the risk, and if these are available and suitable 

cost, including whether the cost is grossly disproportionate to the risk. 

Further information about ‘reasonably practicable’ is available in our guide How to determine what is reasonably practicable to meet a health and safety duty.

Further Advice

SWA is not a regulator and cannot advise you about WHS issues in the workplace. If you need help please contact your state or territory work health and safety authority.

We develop national policy relating to WHS and workers' compensation.
