As the first step in addressing workplace hazards, risk assessments must be carried out correctly. It helps to think of your risk management programme as a building, and your risk assessment as the foundation on which it sits – get it wrong, and the whole thing can come down.
Understanding how to carry out a risk assessment is therefore an essential aspect of any role that involves risk or health and safety management. While the specifics of assessment differ by case, all effective risk assessments follow the same crucial 5 steps.
In this article, we explain everything you need to know about the 5 stages of a risk assessment so you can make your workplace safer for your colleagues.
What is a risk assessment?
The Health and Safety Executive (HSE) defines a risk assessment as follows:
‘A careful examination of what, in your work, could cause harm to people, so that you can weigh up whether you have taken enough precautions or should do more to prevent harm.’
The information gathered in a risk assessment needs to guide you in reducing risk as far as is “reasonably practicable”. This means taking proportionate and sustainable action to minimise or ideally remove the risk.
During a risk assessment, the assessor aims to identify and understand workplace hazards. They will focus on the type of hazard (such as physical, chemical, biological, ergonomic, or psychosocial), who might be harmed and how, the likelihood of harm occurring, and the severity of potential consequences.
Once these factors are considered, the assessor can recommend appropriate control measures.
The ultimate purpose of a risk assessment is not just to comply with legal obligations, but to create a safer working environment, protect employee wellbeing, and promote a culture of proactive risk management.
The 5 stages of risk assessment – explained
The 5 steps of risk assessment are:
- Identify the hazards
- Assess the risks
- Communicate & control the risks
- Monitor impact
- Review controls
Now let’s put each one of these stages under the microscope to give you an in-depth understanding of how they work and why they’re necessary.
Step 1: Identify the hazards
The first step of a risk assessment is all about finding hazards. The goal is to build a complete, plain-English list of anything in your work that could cause harm — so you can assess and control it in the next steps.
It’s best to start with a clear understanding of what “hazard” and “risk” actually mean:
- Hazard: anything with the potential to cause harm (to people first and foremost, but also to property or the environment).
- Risk: the chance that harm will occur and how severe it could be (you’ll judge this in Step 2; right now you’re just spotting hazards).
Once definitions are clear, you can begin the hazard identification process. Some practical ways to spot hazards include:
- Walking the workplace – Observe real work as it happens — including start-up/shutdown, cleaning, maintenance, deliveries, and out-of-hours tasks. Take notes and photos.
- Talking to people – Ask employees, contractors, safety reps and supervisors what worries them, where “workarounds” happen, and what nearly went wrong.
- Learning from records – Review accidents, near-misses, sickness/absence data, inspection reports and maintenance logs to uncover recurring or hidden issues.
- Checking documentation – Look at manufacturers’ manuals, permits, and safety data sheets for chemicals; these often list built-in hazards you might overlook.
- Thinking about change – New equipment, new staff, layout tweaks, construction works or seasonal peaks often introduce fresh hazards.
- Considering everyone affected – Employees, agency/temporary staff, contractors, visitors, customers, members of the public — and vulnerable groups such as young persons, new/expectant mothers, lone workers, and those with disabilities.
If you’re unsure what you’re looking for or what strictly counts as a hazard, here are some common hazard categories to guide you:
- Physical: slips/trips/falls; work at height; moving machinery/unguarded parts; vehicles and traffic routes; pressure systems; noise; vibration; electricity; radiation; heat/cold; confined spaces; poor lighting; uneven surfaces.
- Chemical: cleaning agents, solvents, welding fumes, dusts (e.g., wood, flour, silica), gases, asbestos; storage/handling of flammables.
- Biological: infectious diseases, moulds, bodily fluids, waste handling.
- Ergonomic: manual handling (lifting/pushing/pulling), repetitive tasks, awkward postures, poorly set-up DSE/workstations, tool design.
- Psychosocial: workload and deadlines, role ambiguity, bullying/harassment, violence and aggression, fatigue, lone/remote work.
- Fire & explosion: ignition sources, combustible materials, gas cylinders, dust explosion risks.
- Environmental/site-specific: weather exposure, outdoor work near water, neighbouring activities (e.g., construction), crowding at entrances/exits.
For each hazard identified, record the location and/or task, and some form of evidence, i.e. a photo, an incident reference, SDS, etc. You can also note any obvious existing controls for context, but save judgments about adequacy for the next stage.
A thorough, well-documented hazard list is the foundation for Step 2 (assess the risks). If you miss hazards here, everything that follows is built on sand.
Common pitfalls to avoid during step 1 of a risk assessment
- Only listing the “obvious” acute hazards and missing long-term health harms (e.g., noise, vibration, stress, respiratory sensitisers).
- Ignoring non-routine work (maintenance, cleaning, breakdowns, out-of-hours).
- Overlooking interfaces (your staff working alongside contractors or the public).
- Forgetting time-of-day/seasonal changes that alter risk (reduced lighting, weather, peak footfall).
Step 2: Assess the risks
The second step of a risk assessment centres on working out how serious each hazard is by judging how likely harm is to happen and how severe the harm could be. You can’t fix everything at once; this step helps you decide what needs urgent attention and what can be managed with existing controls.
This step also gives you evidence of a considered, systematic approach to risk reduction, which can be used for tracking progress and as proof of compliance with health and safety standards and regulations.
You should start Step 2 by asking two key questions:
1 – Who could be harmed and how?
Don’t stop at employees. Consider:
- Contractors/subcontractors who may be less familiar with your site and processes
- Visitors
- Members of the public
And remember to give additional thought to vulnerable groups both within and outside of your workforce, e.g. young workers, new/expectant mothers, people with disabilities, lone workers, etc.
2 – What is the level of risk?
Risk is usually calculated by combining:
- Likelihood (how probable is it that harm will occur?)
- Severity (how bad would the outcome be if it did occur?)
This is where things get a bit tricky, as the goal is to create a priority list of hazards to address in sequence. But there’s a straightforward mechanism for doing so, and it’s called a risk matrix (see below).
[Image: 5 x 5 risk matrix. Source: ResearchGate]
Risk matrices can be more expansive if required, with a different colour grading system or layout, but an equally weighted 5 x 5 risk matrix is a good example for getting to grips with the scoring process.
Each plotted number is the likelihood value multiplied by the consequence value, giving you a combined risk score that considers both factors.
How to use a risk matrix
First, you should attach real-world meaning to each number on the likelihood and consequence axes. So, for the Likelihood axis, assign an occurrence timeframe, e.g.:
Likelihood:
- 1 (Rare) = Yearly+
- 2 (Unlikely) = Yearly
- 3 (Possible) = Monthly
- 4 (Likely) = Weekly
- 5 (Almost certain) = Daily
And for your consequence axis, assign actual outcomes, e.g.:
Consequence:
- 1 (Negligible) = No injury
- 2 (Minor) = Minor injuries that may require first aid
- 3 (Moderate) = Short absence from work required (1 day to a week)
- 4 (Major) = More than 1 week off work required
- 5 (Catastrophic) = Potentially fatal
To put risk matrix scores into practice, you’ll also need to assign an action to each colour/risk rating. So, for the above risk matrix, you might allocate the following:
- Low (green) = No further action, but controls must still be maintained and periodically reviewed
- Moderate (yellow) = Monitor – and aim to minimise upon next review or should the circumstances of the hazard change
- High (orange) = Take urgent action to minimise while maintaining existing controls. Stop activity if necessary
- Extreme (red) = Stop all activity and take immediate action
Finally, decide which likelihood and consequence categories each of the hazards documented during Step 1 falls into, plot their positions on the risk matrix, then order the hazards by urgency.
Important to note – Your judgement is more important than risk matrix scores. You’re the expert in your work environment, so if you feel a hazard is more serious than its score suggests, treat it as a priority anyway.
Common pitfalls to avoid during Step 2 of a risk assessment
- Relying solely on numbers from a risk matrix without considering real-world context can lead to misjudged priorities.
- Failing to account for employees, visitors, or contractors who may be more at risk, including young workers, pregnant staff, lone workers, or people with disabilities.
- Multiple low-level hazards may combine to create a serious overall risk; don’t assess each in isolation.
- Using old incident records or assumptions about hazards may not reflect current workplace conditions.
- Medium or low-level risks can escalate if left unmonitored, particularly when changes occur in processes or the work environment.
Step 3: Communicate and control the risks
Once hazards have been identified and their risk assessed, the next step is to share your findings with anybody who may be affected by the flagged hazards or who will play a role in controlling them. You’ll also identify and implement effective controls. Controls should be proportionate to the risk: higher risks need stronger, more urgent measures.
It’s good practice to start by assessing what controls you already have in place, whether they are adequate, and if they meet legal requirements and recognised industry standards.
This will inform the next part of the stage: applying the hierarchy of control measures.
Not all controls are equal. Safety best practice follows a “hierarchy of control” — a ranked order of methods, from most effective to least. Where possible, you should start at the top and only move down when higher-level controls are not feasible.
- Elimination – Remove the hazard entirely. Example: Replacing a manual handling task with a mechanical lifting aid eliminates the lifting risk.
- Substitution – Replace the hazard with something safer. Example: Using a water-based cleaning product instead of a solvent-based one.
- Engineering controls – Design or modify equipment, processes, or the work environment to reduce risk. Example: Installing machine guards, local exhaust ventilation, or safety interlocks.
- Administrative controls – Change how people work. Example: Safe systems of work (SSOW), training, job rotation to limit exposure, clear signage, or separating pedestrian and vehicle routes.
- Personal Protective Equipment (PPE) – Provide protective clothing and equipment to reduce the impact of any remaining risk. But note that PPE is always the last line of defence and should not be relied upon as the only control measure. Example: Helmets, gloves, goggles, high-visibility vests.
Here are a few examples of control measure implementation using the above-detailed hierarchy:
- An unguarded machine shaft: elimination isn’t possible, so install a properly designed and maintained guard (engineering control), train staff on safe use (administrative control), and provide gloves if necessary (PPE).
- A noisy environment: eliminate the source where possible, or substitute machinery for quieter models. If this isn’t possible, install sound barriers (engineering), rotate shifts to limit exposure (administrative), and issue hearing protection (PPE).
Important – it’s rarely just one control measure that solves the problem. In most cases, a combination of controls provides the best protection.
You need to make your risk control plans known
As you prepare to action control measures, it’s essential that you open clear lines of communication with all interested parties. Primarily, this will be the employees directly involved with changes being introduced, but leadership teams and stakeholders may also need to know.
Depending on the nature of your control measures, training might be required to ensure colleagues can safely use equipment and follow new systems of work.
At Cardinus, we offer a variety of interactive and customisable health and safety eLearning courses. Reach team members anywhere with essential training.
Common pitfalls to avoid during Step 3 of a risk assessment
- Jumping straight to administrative measures without considering higher-level options can leave unnecessary risk in place.
- Failing to inform employees, contractors, and relevant stakeholders about new controls can lead to misuse, non-compliance, or confusion.
- Implementing new procedures or equipment without proper training increases the likelihood of accidents rather than reducing it.
- Most hazards require a combination of measures; relying on a single control often leaves gaps in safety.
- Not checking if current controls are still effective or compliant with regulations can mean risks persist unnoticed.
Step 4: Monitor the impact of your control measures
Once you’ve implemented controls, it’s crucial to check that they are actually working. Monitoring ensures your efforts are having the desired impact and helps catch issues before they become incidents.
The benefits of monitoring the impact of your control measures include:
- Confirms that control measures are effective.
- Highlights new or evolving hazards.
- Demonstrates accountability and compliance with health and safety standards.
- Provides clarity for employees and contractors about safe working practices.
By actively monitoring and reviewing controls, you create a culture of continuous improvement, making your workplace safer and reducing the likelihood of harm over time.
Start by recording the controls you’ve applied and how you expect them to reduce each risk. This allows you to calculate a “residual risk” for each hazard — the level of risk that remains after controls are in place. Ideally, this number should be lower than the original risk, confirming that your measures are effective.
Common pitfalls to avoid during Step 4 of a risk assessment
- Assuming implementation equals effectiveness. Simply putting controls in place doesn’t guarantee they are working as intended.
- Failing to document residual risks. Without recording the expected impact of each control, it’s hard to track progress or demonstrate compliance.
- Ignoring new or evolving hazards. Workplaces change, and new risks can arise even after initial controls are applied.
- Waiting too long to check controls can allow small problems to escalate into serious incidents.
- Over-reliance on risk matrix scores. Residual risk should be confirmed with observation, employee feedback, and real-world testing, not just numerical calculations.
- Poor communication of findings. If employees and stakeholders aren’t aware of how controls are performing or what changes are needed, the benefits of monitoring are lost.
Step 5: Review controls
Workplaces are constantly changing, and so are the risks within them. Regularly reviewing your risk assessment and the controls you’ve put in place ensures that they remain effective and relevant over time.
Reviews should be carried out whenever there’s a change that could affect risk. Consider updating your assessment when:
- New equipment or materials are introduced.
- Processes or workflows change, such as new production methods or service delivery procedures.
- New employees or contractors join the organisation, bringing fresh experience levels and training needs.
- Incidents or near misses occur, highlighting risks that weren’t previously identified.
Frequent reviews help you stay on top of evolving hazards, demonstrate compliance with health and safety regulations, and maintain a safe working environment. They also encourage a proactive culture, where safety is continuously improving.
Common pitfalls to avoid during Step 5 of a risk assessment
- Waiting too long between reviews. Infrequent checks can leave outdated controls in place that fail to address new or evolving hazards.
- Failing to act after incidents. Near misses or accidents are valuable signals; ignoring them can leave serious risks unaddressed.
- Overlooking changes in the workplace. New equipment, processes, or staff can introduce hazards that weren’t in the original assessment.
- Not involving relevant stakeholders. Reviews should include input from employees, supervisors, and safety representatives to capture a full picture.
- Treating the review as a formality. Simply updating paperwork without evaluating real-world effectiveness doesn’t reduce risk.
- Ignoring cumulative lessons from monitoring. Insights from Step 4 should feed directly into reviews; failing to do so misses opportunities for improvement.
Ready to risk assess?
Follow the steps in this guide, and you should be able to deliver effective risk assessments in your workplace. But even with the process laid out for you, it’s a lot to consider and a big responsibility, which brings us to one of the most important aspects of workplace health and safety – knowing when it’s time to consult experts.
Cardinus specialises in DSE and industrial ergonomics risk assessment, as well as non-destructive and destructive fire risk assessments, so you don’t have to shoulder your H&S responsibilities alone.
We also provide a range of Safety Consultancy Services to support the management of health and safety risks across all business types.
If you do want to carry out impactful risk assessments yourself but don’t feel quite confident enough after reading this guide, we offer an Effective Risk Assessment Training eLearning course designed to fully prepare you for the undertaking.
Contact Cardinus today to discuss your risk assessment requirements or learn more about how we can safeguard you and your team.