Risk Assessment
A systematic document identifying, analysing, and evaluating risks, with mitigation strategies and action plans.
20 free credits on signup — no card needed
About this Document
What a risk assessment is
A risk assessment is a structured look at one particular activity, project, task, or place to work out what could cause harm, decide whether the steps already in place are enough, and put in anything more that is needed. It is a point-in-time exercise: it captures the picture of risk for a defined scope at a defined moment, and it is repeated or refreshed when something changes. The output is a short, practical record that names each hazard, judges how serious and how likely the resulting harm is, lists the controls, and says who is responsible and when it will be looked at again.
The purpose is not to produce paperwork or to prove that nothing can ever go wrong. It is to think through the dangers of a specific piece of work before it happens, so that sensible precautions are taken rather than lessons learned the hard way afterwards. A good assessment is proportionate: a quick task with obvious, minor hazards needs only a light touch, while a complex or hazardous activity deserves a careful, detailed study.
It helps to be clear about two words that are often muddled. A hazard is anything with the potential to cause harm — a trailing cable, a chemical, a tight deadline, a single supplier. A risk is the chance that the hazard actually causes harm, combined with how bad that harm would be. The cable is the hazard; someone tripping and breaking a wrist is the risk. Assessment is the disciplined move from spotting hazards to sizing and managing the risks they create.
The steps of a risk assessment
However formal or informal the exercise, a sound risk assessment moves through the same five steps.
1. Identify the hazards. Walk through the activity and ask, honestly, what could go wrong. Look at the physical setting, the equipment, the materials, the people involved, and the way the work is actually done rather than how it is meant to be done. Useful sources include talking to the people who do the task, past incidents and near-misses, manufacturer information, and simply observing the work in progress. The aim is breadth: capture every credible hazard before arguing about how serious any of them is. Pay particular attention to anyone who might be more vulnerable than usual.
2. Decide who or what could be harmed and how. For each hazard, note who is exposed — the worker doing the task, colleagues nearby, visitors, the public, contractors — and the way harm would occur. The same hazard can affect different people in different ways, and naming them keeps the controls targeted rather than generic.
3. Assess the risk: likelihood times severity. This is the heart of the exercise. For each hazard, judge how likely the harm is to happen and how severe it would be if it did, usually on a simple scale such as 1 to 5. Combining the two — most often by multiplying them — gives a risk rating that lets a long list be ranked. A low-likelihood, low-severity hazard can be noted and left; a high-likelihood, high-severity one demands action now. The scoring is a structured judgement, not a precise measurement, so it is done openly and against agreed definitions.
4. Evaluate and control the risk. Compare each rating against what is already in place and decide whether more is needed. Where it is, add controls in order of effectiveness — the hierarchy of control: first try to eliminate the hazard altogether, then substitute something safer, then use engineering controls such as guards or barriers, then administrative controls such as procedures, training, and signage, and only lastly rely on personal protective equipment. The higher up the hierarchy a control sits, the less it depends on people remembering to behave perfectly. After adding controls, re-score the risk to record the residual rating — the risk that remains once the controls are working.
5. Record and review. Write the findings down in a form people can actually use, share it with those who are affected, and set a date to review it. Review is not optional: an assessment is a snapshot, so it must be refreshed whenever the activity changes materially, after an incident or near-miss, or simply at a planned interval to confirm it is still valid. An assessment filed and forgotten quietly stops describing reality.
The risk matrix and how to read a rating
The tool that ties likelihood and severity together is the risk matrix — a grid with likelihood along one axis and severity along the other. Each cell holds the product of the two scores, and the grid is shaded into bands: typically green for low, amber for medium, and red for high. Plotting a hazard by its two scores places it in a band and turns a column of numbers into a picture anyone can read at a glance.
With a 1-to-5 scale on each axis, ratings run from 1 to 25. A common banding is 1 to 4 low, 5 to 12 medium, and 15 to 25 high, though the exact thresholds are a choice the assessment should state plainly so everyone reads a rating the same way. The bands are most useful when they drive action rather than just colour a cell — for example, a rule that any red risk must have additional controls and a named owner before the work starts, while a green risk is simply monitored. The matrix is then not decoration but a decision tool: it forces a sense of proportion and points attention at the few risks that genuinely matter.
The same matrix is used twice. Once to capture the inherent rating — the risk with current controls — and again, after the chosen controls are added, to capture the residual rating. The gap between the two is the visible evidence that the controls are worth having.
A risk assessment is not an ongoing risk management plan
These two documents are constantly confused, and getting the difference right matters. A risk assessment is narrow and point-in-time: it studies the risks of one specific activity or situation and produces a snapshot valid until something changes. A risk management plan is broad and continuous: it is the standing framework that governs how an organisation identifies, assesses, responds to, owns, and monitors all its risks on a repeating cycle, along with the risk appetite and governance around them.
Put simply, the assessment is one input; the plan is the system that uses it. An organisation may run dozens of individual risk assessments — one per task, site, or project — and the risk management plan is what knits them together, decides how often each is refreshed, and keeps the whole practice alive between snapshots. Carrying out an assessment and treating it as if it were the plan leaves everything outside that one activity, and everything after that one moment, unmanaged. Conversely, a plan with no actual assessments underneath it is a framework with nothing in it.
Common mistakes to avoid
- Confusing it with an ongoing plan. A risk assessment is a snapshot of one activity, not the standing framework for managing all risk over time. Doing the assessment and calling it the plan leaves the rest of the organisation, and every later moment, uncovered.
- Listing hazards but never scoring them. A list of things that could go wrong, with no judgement of how likely or how serious each is, gives no way to decide what to act on first. The likelihood-times-severity step is what turns a list into priorities.
- Vague or generic controls. "Be careful" and "take precautions" commit to nothing. A real control names the specific measure, who is responsible, and when it applies, and it sits as high up the hierarchy of control as is reasonable.
- Relying on PPE first. Reaching straight for protective equipment skips the more effective options of eliminating, substituting, or engineering out the hazard. PPE is the last line, not the first.
- Forgetting the residual rating. Recording only the original risk hides whether the controls actually reduced it. Re-scoring after controls shows the assessment did its job.
- A snapshot that is never reviewed. Because an assessment is point-in-time, it goes stale. Not setting a review date, or not redoing it after a change or an incident, lets it quietly stop reflecting reality.
- Copying a generic template without looking at the actual work. A risk assessment lifted wholesale from another job describes that job, not this one. The value comes from observing the real activity and the real people doing it.
- No owner. A control with no named person responsible for it is unlikely to happen. Every significant risk needs someone answerable for putting and keeping its controls in place.
Required Sections
Scope
Assessment boundaries
Methodology
Assessment approach
Risk Identification
Identified risks
Risk Analysis
Likelihood and impact scoring
Risk Evaluation
Risk prioritisation
Mitigation Strategies
Risk response plans
Optional Sections
Residual Risk
Remaining risk after mitigation
Monitoring Plan
Ongoing risk monitoring
Frequently Asked Questions
What is the difference between a risk assessment and a risk management plan?
What is the difference between a hazard and a risk?
What are the five steps of a risk assessment?
How do likelihood and severity give a risk rating?
What is the hierarchy of control?
How often should a risk assessment be reviewed?
Ready to create your document?
Use our free template or generate a custom version tailored to your needs.
20 free credits on signup — no card needed
This document involves significant legal or financial considerations. Professional review is strongly recommended.
Last reviewed: June 4, 2026