Last reviewed 31 August 2015

Andrew Christodoulou goes back to basics to get the best out of the risk assessment process.


The need to perform risk assessments has been embedded into health and safety legislation and practice to the extent that risk assessment has now become a standard and fundamental activity. The Health and Safety at Work, etc Act 1974 does not explicitly require risk assessments but its requirements are qualified by the term “so far as is reasonably practicable”, which has been defined in court as meaning a cost versus risk balance, and so the Act arguably implicitly requires risk assessments to be performed. The Management of Health and Safety at Work Regulations 1999 (MHSWR), which originally came into force as part of the EU “six-pack”, require at regulation 3 that employers and the self-employed carry out risk assessments. Many other regulations also explicitly require risk assessments to be performed and these include those regulations relating to manual handling, asbestos, noise and working at height, to name a few.

The need to perform risk assessments has also become an integral part of successfully managing health and safety. Schemes such as the Health and Safety Executive’s (HSE) HSG65 Managing for Health and Safety have risk assessment as an integral part of health and safety management approaches.

It is therefore vital that organisations understand how to approach the practice of carrying out risk assessments, what it entails, what it means and how to get accurate and meaningful outcomes.

The basic methodology

Organisations must ensure that they carry out a risk assessment for all work activities that may lead to harm. In practice, the first stage of risk assessment is to decide how to approach the actual task of risk assessment in the organisation. Will it be by activity, process or task; will it be by department; will it be by hazard type? There is no prescribed approach, except that it should be a sensible, proportionate one which ignores trivial hazards and places the greatest emphasis and effort on the higher-risk areas and less on lower-risk areas. There is also scope for generic risk assessments whereby similar activities or processes are grouped together under the umbrella of a single risk assessment. This is a legitimate approach providing any significant differences between the activities are accounted for. Otherwise, any opportunity to simplify the task of risk assessment should be taken.

Where there are legal requirements for specific types of risk assessments, such as manual handling, display screens, asbestos or noise, reference should be made to those legal requirements, and there is no need to duplicate risk assessments.

For most situations in the workplace, carrying out risk assessments can be achieved by taking a simple structured approach and it always needs to be borne in mind that the purpose of the risk assessment is to consider what in any workplace is likely to cause harm to people, the degree of harm, and whether sufficient steps are being taken to prevent that harm. In other words, the prevention of harm is the fundamental purpose of a risk assessment. INDG163 A Brief Guide to Controlling Risks in the Workplace gives a simple approach to risk assessment and this can be used in most workplaces.

The basic methodology is as follows.

  1. Identify the hazards.

  2. Decide who might be harmed and how.

  3. Evaluate the risks and decide on precautions.

  4. Record the findings and implement them.

  5. Review the assessment.

Identify the hazards

Hazards are very varied. Some organisations, when considering hazards, use schemes such as the following to categorise different types of hazards and to help them identify the full breadth of hazards which may be present.

  • Physical, eg machinery, working at height, slips and trips, etc.

  • Ergonomic, eg DSE work, manual handling, etc.

  • Chemical, eg asbestos and other carcinogens, solvents and cleaning chemicals, etc.

  • Biological, eg bacteria such as legionella, viruses, moulds and fungi, etc.

Such schemes may be helpful but care needs to be taken to also consider hazards which may not be so obvious such as psycho/social hazards which can lead to stress and similar outcomes.

Hazards can be identified in a number of ways and from a number of sources, such as by:

  • carrying out an inspection of the workplace including an observation of work practices

  • referring to manufacturers’ instructions and data sheets

  • considering carefully non-routine operations such as maintenance work and work out of hours

  • considering hazards, eg asbestos, which do not cause immediate harm but may have long latent periods

  • referring to near-miss, accident, incident and ill-health data; these may be an indication of hazards, eg a history of eye injury in a machine shop may be an indication that eye protection is needed or not being worn (remember: the absence of an accident history, or a good accident history, does not mean that risk is not present)

  • consulting with employees and their representatives as the people intimately involved in the work and practices in any workplace often have an informed knowledge of the hazards present.

Decide who might be harmed

It is important to be aware that the MHSWR require risks to employees and non-employees to be considered. In addition, those with potential particular vulnerabilities, such as the young, old, new and expectant mothers, migrant workers and the disabled, need to be specifically considered. Members of the public, including children, who might be affected by work activities must also be taken into account. People who are visitors to the workplace, such as contractors, must be included. Where the workplace is shared with other organisations, the impact on other employees must be considered and the other occupiers must be consulted.

Evaluate the risk

To make a judgment about the level of the risk, the following basic and simple equation can be used:

RISK = Likelihood × Severity

That is, the chance or probability that the activity being assessed will lead to an injury is multiplied by the likely severity of the injury. Many organisations may wish to use scoring schemes to help them make this calculation; such schemes can be very helpful to measure relative risks and therefore to prioritise actions. There is, however, sometimes concern about the accuracy of such scoring schemes, but it should be remembered that the final “score” is not a definitive measurement of risk but rather an indication of risk which can be used in particular to compare relative risks and therefore to set priorities.

Factors affecting severity of risk may include:

  • numbers of people that may be affected

  • level of energy, eg voltage, pressure, temperature, noise

  • concentration, eg dust levels, dilute versus concentrated acids and alkalis

  • toxicity of a substance

  • duration of exposure, ie a one-off brief exposure versus long-term regular exposures.

A hazard can lead to varying levels of severity of injury. For example, the severity of harm as a result of an electrical hazard can vary with the voltage and the environment. The severity of harm from a fall can vary with the height fallen. It is important when deciding on the severity of harm to select the most likely level of harm rather than what is possible, otherwise severity scores are likely to be inflated and may lead to an unrealistic assessment of risk.

Factors affecting the likelihood of harm include:

  • number of people exposed to a hazard

  • frequency of exposure, ie how often the task is performed

  • length and time of exposure

  • type of persons exposed, ie vulnerable groups such as the young, old, etc

  • the control measures already in place.

After the risk has been evaluated, it is necessary to consider whether additional control measures are necessary to reduce the level of risk. When considering these control measures, it is important to apply the “hierarchy of control” detailed at Schedule 1 of the MHSWR, which gives the well-known “general principles of protection”. It indicates that the best and most effective control measure is to avoid the risk, ie elimination. This may be achieved by not carrying out the activity at all or by changing methods. The least effective means of control are those which rely on people, eg the provision of instruction or the use of personal protective equipment. In order to decide whether enough is being done to control the risk, reference should be made to the appropriate legislation, ACOPs and guidance which may give direction on the most appropriate and acceptable control measures.

Record the findings

There is no prescriptive way in which risk assessments need to be recorded but INDG163 does give some advice. Risk assessment forms can be designed based on this information and any paperwork devised should be an aid to communicating information about the risks and does not need to be overcomplicated. Therefore, records of risk assessments can be simple and straightforward.

Review the assessment

Risk assessments should be reviewed regularly and when there is evidence to suggest they are no longer valid or when the situation has changed significantly. For example, a risk assessment should be reviewed following an accident, a change in legislation or a change in plant, methods and technology.

Who should carry out the assessments?

Those performing risk assessments must have the necessary knowledge, skills and experience to ensure that those risk assessments performed are accurate, have meaningful results and meet current legal requirements. This will mean that some training is required for those involved in the task of risk assessment and there are a number of risk assessment training courses available which can be provided either in-house or at an external training centre. In practice, a team of people may need to be assembled to perform risk assessments. Such a team may typically comprise:

  • trained risk assessors

  • employees who perform the activities being assessed

  • representatives of employees

  • member(s) of management

  • access to professional health and safety advice and specialists, either in-house or externally.

What to do with the risk assessment?

Once the risk assessment has been carried out, any remedial action(s) required by the risk assessment must be implemented. It is imperative that the information contained in the risk assessment is passed on to those staff engaged in the work, otherwise the whole process may have been a relative waste of time and effort. The risk must be communicated, not filed away as part of a paperwork exercise.

Other approaches

The basic methodology contained in INDG163 will suffice for most workplaces and activities trying to provide risk assessments. However, there will be circumstances, for example in the chemical process industry, or where the situation is complex with high risks, where more sophisticated risk assessment techniques will be required. These include:

  • hazard and operability studies

  • fault tree analysis

  • event tree analysis

  • failure mode and effect analysis.


There has been a tendency to over-complicate risk assessment and in many cases it has become over-burdensome in terms of paperwork and bureaucracy. Adopting a simple methodology as in INDG163 will be sufficient for most workplaces and work activities providing it is applied in a sensible manner with the following pointers in mind.


Do

  • take the risk assessment seriously but be sensible

  • give most time and effort to high-risk areas and ignore trivial risks

  • involve and consult with staff when carrying out risk assessment

  • refer to appropriate legal requirements and ACOPs/guidance as necessary

  • train those involved in risk assessment

  • keep paperwork simple

  • pass on information from the risk assessment to those carrying out the work.


Don't

  • regard risk assessment as a paperwork exercise

  • over-complicate the process

  • spend too much time on low-risk areas

  • build a mountain of paperwork.

INDG163 can be downloaded from the HSE website.