PropoDoc provides self-help document templates and tools. It is not a law firm and does not provide legal advice. Learn more.
Skip to main content

Risk Assessment

A systematic document identifying, analysing, and evaluating risks, with mitigation strategies and action plans.

Use Free Template
Create your custom version — free to start

20 free credits on signup — no card needed

report
moderate
high Risk
90 min
Governance
Internal
Management
Moderate
Report

About this Document

What a risk assessment is

A risk assessment is a structured look at one particular activity, project, task, or place to work out what could cause harm, decide whether the steps already in place are enough, and put in anything more that is needed. It is a point-in-time exercise: it captures the picture of risk for a defined scope at a defined moment, and it is repeated or refreshed when something changes. The output is a short, practical record that names each hazard, judges how serious and how likely the resulting harm is, lists the controls, and says who is responsible and when it will be looked at again.

The purpose is not to produce paperwork or to prove that nothing can ever go wrong. It is to think through the dangers of a specific piece of work before it happens, so that sensible precautions are taken rather than lessons learned the hard way afterwards. A good assessment is proportionate: a quick task with obvious, minor hazards needs only a light touch, while a complex or hazardous activity deserves a careful, detailed study.

It helps to be clear about two words that are often muddled. A hazard is anything with the potential to cause harm — a trailing cable, a chemical, a tight deadline, a single supplier. A risk is the chance that the hazard actually causes harm, combined with how bad that harm would be. The cable is the hazard; someone tripping and breaking a wrist is the risk. Assessment is the disciplined move from spotting hazards to sizing and managing the risks they create.

The steps of a risk assessment

However formal or informal the exercise, a sound risk assessment moves through the same five steps.

1. Identify the hazards. Walk through the activity and ask, honestly, what could go wrong. Look at the physical setting, the equipment, the materials, the people involved, and the way the work is actually done rather than how it is meant to be done. Useful sources include talking to the people who do the task, past incidents and near-misses, manufacturer information, and simply observing the work in progress. The aim is breadth: capture every credible hazard before arguing about how serious any of them is. Pay particular attention to anyone who might be more vulnerable than usual.

2. Decide who or what could be harmed and how. For each hazard, note who is exposed — the worker doing the task, colleagues nearby, visitors, the public, contractors — and the way harm would occur. The same hazard can affect different people in different ways, and naming them keeps the controls targeted rather than generic.

3. Assess the risk: likelihood times severity. This is the heart of the exercise. For each hazard, judge how likely the harm is to happen and how severe it would be if it did, usually on a simple scale such as 1 to 5. Combining the two — most often by multiplying them — gives a risk rating that lets a long list be ranked. A low-likelihood, low-severity hazard can be noted and left; a high-likelihood, high-severity one demands action now. The scoring is a structured judgement, not a precise measurement, so it is done openly and against agreed definitions.

4. Evaluate and control the risk. Compare each rating against what is already in place and decide whether more is needed. Where it is, add controls in order of effectiveness — the hierarchy of control: first try to eliminate the hazard altogether, then substitute something safer, then use engineering controls such as guards or barriers, then administrative controls such as procedures, training, and signage, and only lastly rely on personal protective equipment. The higher up the hierarchy a control sits, the less it depends on people remembering to behave perfectly. After adding controls, re-score the risk to record the residual rating — the risk that remains once the controls are working.

5. Record and review. Write the findings down in a form people can actually use, share it with those who are affected, and set a date to review it. Review is not optional: an assessment is a snapshot, so it must be refreshed whenever the activity changes materially, after an incident or near-miss, or simply at a planned interval to confirm it is still valid. An assessment filed and forgotten quietly stops describing reality.

The risk matrix and how to read a rating

The tool that ties likelihood and severity together is the risk matrix — a grid with likelihood along one axis and severity along the other. Each cell holds the product of the two scores, and the grid is shaded into bands: typically green for low, amber for medium, and red for high. Plotting a hazard by its two scores places it in a band and turns a column of numbers into a picture anyone can read at a glance.

With a 1-to-5 scale on each axis, ratings run from 1 to 25. A common banding is 1 to 4 low, 5 to 12 medium, and 15 to 25 high, though the exact thresholds are a choice the assessment should state plainly so everyone reads a rating the same way. The bands are most useful when they drive action rather than just colour a cell — for example, a rule that any red risk must have additional controls and a named owner before the work starts, while a green risk is simply monitored. The matrix is then not decoration but a decision tool: it forces a sense of proportion and points attention at the few risks that genuinely matter.

The same matrix is used twice. Once to capture the inherent rating — the risk with current controls — and again, after the chosen controls are added, to capture the residual rating. The gap between the two is the visible evidence that the controls are worth having.

A risk assessment is not an ongoing risk management plan

These two documents are constantly confused, and getting the difference right matters. A risk assessment is narrow and point-in-time: it studies the risks of one specific activity or situation and produces a snapshot valid until something changes. A risk management plan is broad and continuous: it is the standing framework that governs how an organisation identifies, assesses, responds to, owns, and monitors all its risks on a repeating cycle, along with the risk appetite and governance around them.

Put simply, the assessment is one input; the plan is the system that uses it. An organisation may run dozens of individual risk assessments — one per task, site, or project — and the risk management plan is what knits them together, decides how often each is refreshed, and keeps the whole practice alive between snapshots. Carrying out an assessment and treating it as if it were the plan leaves everything outside that one activity, and everything after that one moment, unmanaged. Conversely, a plan with no actual assessments underneath it is a framework with nothing in it.

Common mistakes to avoid

  • Confusing it with an ongoing plan. A risk assessment is a snapshot of one activity, not the standing framework for managing all risk over time. Doing the assessment and calling it the plan leaves the rest of the organisation, and every later moment, uncovered.
  • Listing hazards but never scoring them. A list of things that could go wrong, with no judgement of how likely or how serious each is, gives no way to decide what to act on first. The likelihood-times-severity step is what turns a list into priorities.
  • Vague or generic controls. "Be careful" and "take precautions" commit to nothing. A real control names the specific measure, who is responsible, and when it applies, and it sits as high up the hierarchy of control as is reasonable.
  • Relying on PPE first. Reaching straight for protective equipment skips the more effective options of eliminating, substituting, or engineering out the hazard. PPE is the last line, not the first.
  • Forgetting the residual rating. Recording only the original risk hides whether the controls actually reduced it. Re-scoring after controls shows the assessment did its job.
  • A snapshot that is never reviewed. Because an assessment is point-in-time, it goes stale. Not setting a review date, or not redoing it after a change or an incident, lets it quietly stop reflecting reality.
  • Copying a generic template without looking at the actual work. A risk assessment lifted wholesale from another job describes that job, not this one. The value comes from observing the real activity and the real people doing it.
  • No owner. A control with no named person responsible for it is unlikely to happen. Every significant risk needs someone answerable for putting and keeping its controls in place.

Required Sections

Scope

Assessment boundaries

Required

Methodology

Assessment approach

Required

Risk Identification

Identified risks

Required

Risk Analysis

Likelihood and impact scoring

Required

Risk Evaluation

Risk prioritisation

Required

Mitigation Strategies

Risk response plans

Required

Optional Sections

Residual Risk

Remaining risk after mitigation

Optional

Monitoring Plan

Ongoing risk monitoring

Optional

Frequently Asked Questions

What is the difference between a risk assessment and a risk management plan?
A risk assessment is a point-in-time exercise that examines one specific activity, project, task, or location, lists the hazards, scores how likely and how severe the resulting harm is, decides on controls, and records the result. A risk management plan is the ongoing, organisation-wide framework that governs how all risks are identified, assessed, responded to, owned, and monitored on a repeating cycle, together with the risk appetite and governance around them. The assessment is one input; the plan is the system that uses it and keeps the practice alive between snapshots. An organisation may run dozens of assessments, while the plan is what ties them together and decides how often each is refreshed.
What is the difference between a hazard and a risk?
A hazard is anything with the potential to cause harm, such as a trailing cable, a chemical, a heavy load, or a tight deadline. A risk is the chance that the hazard actually causes harm, combined with how bad that harm would be. The cable is the hazard; someone tripping and being injured is the risk. The whole point of a risk assessment is to move in a disciplined way from spotting hazards to sizing and managing the risks they create, because a hazard that is well controlled may present very little real risk, while a minor-looking hazard left unmanaged can present a serious one.
What are the five steps of a risk assessment?
The five steps are: identify the hazards by looking honestly at the activity and how the work is really done; decide who or what could be harmed and how; assess the risk by scoring likelihood and severity and combining them into a rating; evaluate and control the risk by adding controls in order of effectiveness and re-scoring to give the residual rating; and record the findings, share them, and set a review date. The steps are the same whether the assessment is a quick informal check or a detailed formal study; what changes is the depth, which should be proportionate to the hazards involved.
How do likelihood and severity give a risk rating?
Each hazard is scored on two dimensions: likelihood, meaning how probable the harm is, and severity, meaning how bad it would be if it happened, usually on a simple scale such as 1 to 5 against definitions agreed in advance. Combining the two, most often by multiplying them, gives a risk rating that lets a long list of hazards be ranked from trivial to serious. With a 1-to-5 scale the rating runs from 1 to 25, often banded as low, medium, and high. The rating is a structured judgement rather than a precise measurement, and its purpose is proportion: to make sure attention and controls go to the few risks that genuinely matter most.
What is the hierarchy of control?
The hierarchy of control is the order of preference for dealing with a risk, from most to least effective. First try to eliminate the hazard altogether; if you cannot, substitute something safer; then apply engineering controls such as guards or barriers; then administrative controls such as procedures, training, and signage; and only as a last line rely on personal protective equipment. The higher up the hierarchy a control sits, the less it depends on people behaving perfectly every time, which is why reaching straight for protective equipment is a common mistake. A good risk assessment works down this hierarchy for each significant hazard.
How often should a risk assessment be reviewed?
Because a risk assessment is a snapshot, it must be reviewed whenever the picture it describes might have changed. The usual triggers are a material change to the activity, new equipment, materials, or people, an incident or a near-miss, or simply the arrival of a planned review date set when the assessment was written. There is no single universal interval; the right frequency is proportionate to the risk and to how fast the activity changes. The key principle is that an assessment filed and never looked at again quietly stops reflecting reality, so setting and keeping a review date is part of doing the assessment properly.

Ready to create your document?

Use our free template or generate a custom version tailored to your needs.

Use Free Template
Create your custom version — free to start

20 free credits on signup — no card needed

This document involves significant legal or financial considerations. Professional review is strongly recommended.

Last reviewed: June 4, 2026