Check out the courses we offer
Knowledge Base » Health and Safety » How to Carry Out an Effective Risk Assessment

How to Carry Out an Effective Risk Assessment

Last updated on 20th December 2023

For a risk assessment to be effective in reducing the risks, it must identify the hazards that are foreseeable and significant. It must then evaluate the risks, which will assist in determining the required control measures.

A risk assessment should be done before a work activity starts, before starting in a new work location or if there are any changes. The specific risk assessment requirements in particular health and safety regulations must also be taken into account, e.g. the Control of Substances Hazardous to Health Regulations (2002) requires a COSHH Assessment.

Hazard Something that has the potential to cause harm.
Risk The likelihood someone will be harmed by the hazard and how serious the harm could be.
Risk assessment A careful examination of what could cause harm to people at work.
Carrying Out An Effective Risk Assessment Before Work Activity Starts

Steps to risk assessment

A general risk assessment is completed in five steps (although you may come across other methods).

The five steps are:

1. Identification of hazards.
2. Deciding who could be harmed by the hazard and how.
3. Evaluating the risks identified and deciding what precautions are necessary.
4. Recording the findings of the risk assessment.
5. Reviewing and updating the risk assessment where necessary.

We will now explore each step in further detail.

Identification of hazards

As you have learned, hazards are anything in the workplace that have the potential to cause harm. The first step of a risk assessment is the identification of these hazards around the workplace.

There are many ways of achieving this, such as:

  • Walking around and observing the layout of the workplace and the work being carried out, e.g. are fire exits blocked? Is a machine leaking? Are high dust levels being produced? Are people wearing personal protective equipment (PPE) when they are supposed to?
  • Asking the people who do the work and their representatives, as they should be aware of the hazards associated with the job. It will also improve morale, as workers then feel like their employer cares about their health and safety.
  • Looking at the manufacturer’s instructions for machinery and equipment. These can detail hazards and sometimes suggest precautions.
  • Looking at Safety Data Sheets (SDS). These should come with chemicals and these detail the hazards associated with the chemical and the precautions required.
  • Looking at the Health and Safety Executive (HSE) website, guidance and Approved Codes of Practice (ACOPs). There is also guidance from industry/trade associations and trade unions.

Other ways to identify hazards include:

  • Looking back at previous accidents and near misses (incidents). If a similar accident or near miss is occurring, it would suggest that there is a hazard that is not being controlled. Ill health should also be looked at, as some health hazards can have long-term irreversible effects, e.g. noise, stress and hazardous substances.
  • Looking at previous maintenance, inspection and test records to see if there have been any faults, damage or defects.
  • Looking at unusual tasks that are not part of everyday operation. These are non-routine, can be easily missed and are sometimes more dangerous, i.e. maintenance work in a production environment.

Three tools can be used in hazard identification:

  • Hazard observation – As previously mentioned, walking around the workplace, observing tasks and behaviours.
  • Hazards identification checklists – These can be a useful prompt for spotting hazards.
  • Job hazard analysis – This breaks down the task into steps and looks at the hazards associated with each part of the job.

The assessor should focus on hazards that will cause significant harm to workers and others. The hazards present will depend on the nature of the business’s activities and the type of workplace.

Who could be harmed?

Once the hazards have been identified, then the assessor will need to decide who could be harmed and how.

They will need to decide on the groups of people who could be at risk, for example (this list is not exhaustive):

  • Temporary workers, e.g. from an agency.
  • Contractors and subcontractors.
  • Shift workers, particularly night workers.
  • Maintenance workers.
  • Homeworkers.
  • Trainees.
  • Drivers of plant, machinery and vehicles.
  • Members of the public.
  • Employees from other companies in shared workplaces.
  • Vulnerable groups such as:
    – Disabled and impaired workers.
    – The elderly and children.
    – Young inexperienced persons.
    – Migrant workers.
    – Expectant or new mothers.
    – Lone workers.

Who could be harmed needs to be identified for each hazard. It can be done by groups of people, as per the above list. The assessor can also ask employees if there are any other groups of people who could be at risk.

How can they be harmed?

This part of the assessment looks at the severity (consequences) that could occur if people were exposed to the hazards.

Consider the following example:

  • The hazard – There is defective flooring in the reception area of a public building. It is in a location where there is a lot of foot traffic. Visitors must walk passed it to get to the interview rooms. Staff members have previously tripped on the poorly maintained flooring, but luckily there have been no injuries.
  • Who could be harmed – Typically staff and visitors (e.g. members of the public) could be harmed. There could also be those who are vulnerable, e.g. the elderly or impaired. The assessor would detail the groups at risk in the assessment.
  • How can they be harmed – Staff and visitors could trip over the defective flooring and fall. It could result in sprains, strains, bruising, grazes/cuts or fractures. It may also result in more severe injuries for the elderly and impaired. The severity of harm would be detailed in the assessment.
Employee Exposed To Hazards Because No Risk Assessment Was Carried Out

Evaluating the risks identified

The hazards have now been identified. The next step is to decide how likely it is that they will cause harm and the most likely severity.

This is risk evaluation and is determined by:

Risk = Likelihood (probability) of a hazard causing harm X Severity (consequences) of the harm

Going back to the previous example, the assessor needs to decide how likely it is that someone will trip on the defective flooring and injure themselves.

There could be the following scenarios (these are examples):

1. Likely – Someone will trip and fall.
2. Probable – Someone could trip and fall.
3. Unlikely – It is unlikely someone will trip and fall.

Low, medium and high can be used instead of likely, probable and unlikely. The terms used will depend on the company’s choice and the complexity of the work and risks involved.

The likelihood of being injured will depend on the particular situation and what existing precautions are in place. As the defect is in a location where there is a high volume of foot traffic, it is likely someone will trip and fall.

Once the likelihood has been established, then the severity can be considered.

It is also known as the consequence and can be categorised as follows (these are examples):

1. Minor – Minor injury, e.g. bruises, cuts and grazes.
2. Moderate – Moderate injury, e.g. deep cuts, sprains, concussion and fractures.
3. Major – Disability or death.

The assessor would need to consider the likely severity if someone tripped over the defective flooring and was injured. Would it be death, disability, moderate injury or minor injury?

Again, this will depend on the situation and existing precautions in place. As there are several different groups who visit the public building, including the elderly and disabled, the most likely consequence would probably be a moderate injury, e.g. potential sprain or a fracture.

All of the different groups that could be harmed should be considered and a judgement made on the potential numbers exposed in these groups.

Severity, like likelihood, can also be categorised as high, medium and low.

A risk matrix can be used to evaluate the level of risk, which is known as the risk rating. These matrices can be different, and the example below is based on a 3 x 3 matrix. Numbers can be used as well as descriptions to get a value for the risk. These are useful so that significant (higher value) risks can be prioritised and controlled over minor insignificant ones.

Likelihood x Severity = Risk

Severity (consequence)
Likelihood Minor (1) Moderate (2) Major (3)
Unlikely (1) 1 2 3
Probable (2) 2 4 6
Likely (3) 3 6 8
1-2 Risk acceptable. Further action is not necessary and precautions are to be maintained.
3-4 Risk can be tolerated but further precautions should be considered to reduce the risk.
6-9 Risk is unacceptable and precautions need to be taken immediately.

The assessor would need to decide on the likelihood and the severity of harm, which is the risk. They would then multiply these together to get an overall risk rating, which would tell them whether the risk is acceptable, tolerable or unacceptable.

A risk matrix does not have to be used for assessments. However, they are useful in working out levels of risk. It helps prioritise the significant risks which could cause serious harm. Risk matrices tend to be used where the risks are more complex. Where they are used, the assessor will require a higher level of competence to be able to judge the likelihood of harm.

It is important to note that a risk assessment is subjective, particularly the evaluation step. It is based on the risk assessor’s judgement and the information they have available to them at the time. That’s why risk assessments should be completed at the work location and with people who know the workplace and work activities.

Deciding what precautions are necessary

Precautions are sometimes known as control measures. The assessor should look at whether existing controls are enough to reduce the likelihood of harm from the hazards identified. If existing controls are not enough, the assessor should look at what additional precautions are required to bring the risk down to the lowest possible level.

If a hazard cannot be removed entirely, then employers should control the risks to ensure that harm is unlikely.

The general principles from the HSE should be considered, which includes:

  • Trying a less risky option, e.g. removing electrical hazards by using alternative equipment.
  • Preventing access to the hazards, e.g. machine guarding.
  • Organising the work to reduce exposure to the hazard, e.g. job rotation.
  • Issuing protective equipment, e.g. PPE.
  • Providing welfare facilities, such as first aid and washing facilities.
  • Involving and consulting with workers.

The hierarchy of hazard control can also be used to decide on additional precautions. The top options should always be prioritised.

  • It is the best option in the hierarchy.
  • It completely removes the hazard.
  • It is the second-best option in the hierarchy.
  • It substitutes the more hazardous for less hazardous or non-hazardous.
Engineering controls
  • It is the third-best option in the hierarchy.
  • It prevents workers from coming into contact with hazards by isolating or enclosing them.
Administrative controls
  • It is the fourth option in the hierarchy.
  • It includes safe systems of work, procedures, training and safety signs.
Personal Protective Equipment (PPE)
  • It is the last option in the hierarchy of control.
  • It only protects an individual. It can also be unreliable in protecting a worker due to potential damage, incorrect fit and a lack of training.
  • It should be considered when all other options in the hierarchy have been exhausted.

There are also principles of prevention for considering additional precautions. These are from the Management of Health and Safety at Work Regulations (MHSWR) 1999. These nine principles provide a framework for controlling risks and are similar to the above hierarchy.

Files For Work Safety And Safety Procedures And Regulations To Follow When Carrying Out An Effective Risk Assessment

The Management of Health and Safety at Work Regulations 1999 (Schedule 1) details nine general principles of prevention. The regulations state that where an employer implements any preventive and protective measures, they shall do so on the basis of the principles of prevention (Regulation 4).

Principle of prevention

Avoiding risks Avoid (eliminate) the risks.
Evaluating the risks which cannot be avoided Assess the risks, including risk evaluation.
Combating the risks at source Try and remove the risks at the point of creation, e.g. extracting wood dust at the cutting zone.
Adapting the work to the individual Consider the individual when looking at tasks and the workplace, e.g. by redesigning tasks, so they are not monotonous or repetitive.
Adapting to technical progress Embrace technological advancements that can reduce the risks, e.g. new equipment.
Replacing the dangerous by the non-dangerous or the less dangerous Substitute with something that reduces the risk, e.g. replacing a hazardous substance.
Developing a coherent overall prevention policy Commit to reducing the risks across all levels of the organisation. A policy should cover technology, organisation of work, working conditions, social relationships and the influence of factors relating to the working environment.
Giving collective protective measures priority over individual protective measures Protect everyone as opposed to just one person, e.g. use fall prevention equipment instead of PPE.
Giving appropriate instructions to employees Instructing employees on the risks and preventive and protective measures.

The nine principles of prevention are very similar to a hierarchy, with avoiding risks being the best option. Where the risks are not avoidable, assessors should apply the other principles as appropriate.

Just like the hierarchy of hazard control, more than one of the principles can be used to reduce the risks. You can have more than one precaution for a hazard; several controls can be used in conjunction with one another.

The aim is to reduce the risk to the lowest possible level while considering the cost, time and trouble (reasonably practicable). The precautions must be sensible and proportionate to the risk. Some regulations will also require certain precautions to be taken to comply with the law.

It is important to note that some risks cannot be eliminated and have to be tolerated. Risks are a part of everyday life; as a society, we tolerate them for various reasons. As long as risk assessments are suitable and sufficient, and the risks are as low as reasonably practicable, then employers should be complying with the law.

Recording the findings of the risk assessment

Once the risk assessment has been completed, it should be recorded if there are five or more employees. Where there are less than five employees, the findings of the risk assessments can be communicated verbally. It is good practice to record risk assessments, as it provides evidence to enforcement authorities and insurance companies.

The assessment should detail any groups that have been identified as being at a higher risk.

The significant findings should also be recorded, which includes:

  • What the risks are.
  • What is being done to control them.
  • What further action is required.

Where there are many different hazards identified in the assessment, they should be ranked in order of importance. Serious risks should be prioritised and addressed first.

There are many different templates for risk assessments. The HSE provides an example for smaller businesses, where the risks are simple. However, businesses can choose to produce their own version. The detail within will depend on the size of the company, the activities and the risks.

The risk assessment record should be suitable, sufficient and simple.

A typical risk assessment form would include:

  • Name and role of the person completing the assessment.
  • The date and time it was completed.
  • Title of the risk assessment, e.g. the activity, location and equipment being assessed.
  • The five steps of risk assessment, which you have looked at earlier in this unit. It should focus on the control measures that are required to reduce the risks.
  • Who is responsible for implementing further precautions and the date that they should be completed.
  • The review date.

There is no particular retention time for risk assessment records. However, they should be kept for as long as they are still relevant.

Once the assessment has been recorded, it should be monitored and reviewed where necessary.

Reviewing and updating the risk assessment where necessary

A risk assessment is not a one-off exercise. It should be reviewed and updated regularly to ensure that it is still suitable and sufficient and that the precautions remain effective.

There is no legal requirement to review risk assessments at a set frequency.

However, they should be reviewed under the following circumstances:

  • Validity – If it suspected that it is no longer valid, e.g. if there are doubts about the control measures working.
  • Significant changes – If there are any significant changes, such as:
    – Staff changes.
    – Process changes.
    – New equipment.
    – Changes in control measures.
    – New and updated procedures.
  • After an accident or near miss – If there is an accident or near miss, it suggests that a risk is not being controlled. After investigation, and establishing causes, there should be recommendations to prevent a recurrence. These recommendations should be included in the review.
  • Legislation changes – Changes in legislation may require additional precautions for certain risks. It may also highlight new hazards.
  • Reports from workers – If workers identify other hazards or problems which are not covered by the risk assessment.

A review should include the first four steps of the risk assessment process, which you have looked at earlier in the unit.

Once a risk assessment has been completed or reviewed, the findings must be brought to the attention of employees and their representatives. This can be via training sessions, briefings, toolbox talks and online/verbal communication.

Assessing Risk (Risk Assessment Course)

Assessing Risk

Just £20

Study online and gain a full CPD certificate posted out to you the very next working day.

Take a look at this course

About the author

Megan Huziej

Megan Huziej

Megan has worked with CPD Online College since August 2020, she is in charge of content production, as well as planning, managing and delegating tasks. Megan works closely with our writers, voice artists, companies and individuals to create the most appropriate and relevant content as well as also using and managing SEO. She gained her Business Administration Level 3 qualification over the duration of being at CPD Online College as well. Outside of work Megan loves to venture to different places and eateries as well as spending quality time with friends and family.

Similar posts