Risk Assessment

A risk assessment is a structured examination of what could cause harm or loss and an evaluation of the precautions currently in place to prevent that harm or loss occurring, in order to determine whether these precautions are adequate or if more are needed.   Components of risk assessment may include evaluating the uncertainties about the chemical and biological properties of substances, or the probability of events happening together.  A best (most probable) estimate of harm occurring, and a worst case estimate (the most severe rational scenario of harm) then need to be established. This requires the assessor to ask a lot of  ‘what if ’ questions.  Risk assessment is ideally an objective evaluation of risk based upon reliable data, but it often has to be based on subjective assumptions of potential loss and probability of occurrence. This is due to the lack of objective data. Uncertainties must be considered and presented. The chance of error in the assumption of potential and probability is large.

It is good practice for a risk assessment to be undertaken, and all identified precautions implemented  before a task is carried out. Any task should be risk assessed to a level in proportion to the level of risk that could be anticipated. A risk assessment is a practical exercise and needs to relate to the situation in which the risk occurs, hence the workplace or representative worksite will normally need to be visited in the course of a risk assessment to fully understand the nature of the activity.


The Risk Assessment Process

  1. Identify the Hazards

    A hazard is something with the intrinsic potential to cause  harm. This could be  a technology, substance, form of energy, biological agent etc.  Wikipedia, the free encyclopedia provides a concise definition: “A hazard is any biological, chemical, mechanical, environmental or physical agent that is reasonably likely to cause harm or damage to humans, other organisms, or the environment in the absence of its control.”

    Identification of hazards is the first step in performing a risk assessment.

  2. Decide on the severity of the harm that could be caused to people or the environment and how this could arise.

    The severity is the amount of harm or loss that the hazard is able to cause if there is human or environmental exposure to it. In considering potential for harm and loss, the following factors should be taken into account:

    • How many people will be involved in performing the task?
    • Where will the task be performed?
    • How often will the task be carried out, how likely is exposure each time?
    • How long will the task take to perform and how long will exposure be for?
    • Who could be affected? Remember less visible ancillary people (maintenance, cleaners), contractors, visitors.
    • How could the environment be harmed: air or water pollution, consequences of fire or explosion, accumulation of persistent materials in soil and water or in food chains
    • Are there any simultaneous operations (simops) or tasks being undertaken at the same time that will alter the impact of the hazard?
    • What is the form of the hazard e.g chemical, physical, biological, ergonomic, psychological, the amounts involved and how people may come into contact with the hazard or be exposed to it.?
    • How can the hazard cause harm or loss - what are the key health effects or injury potential? For health hazards, data from toxicology, epidemiology and other sciences are of great value in this process.
    • How effective are any control measures already in place for preventing or controlling harm or loss?  These might include engineering controls, written procedures, procedures for mishaps or emergencies, signs or restricted areas, permit systems etc.
    • What steps are taken to check the effectiveness and use of engineering controls, procedural controls and personal protective equipment?

  3. Evaluate the risk and decide on any additional control measures required

    Risk is defined as the probability that exposure to a hazard will lead to a negative consequence. It represents the likelihood of the harm happening under the actual conditions in which the hazard is present. Risk can be defined as the likelihood or probability of a given hazard causing a particular level of loss or damage. The level of risk is often evaluated considering the equation below.

    Risk = How much harm or loss x Likelihood of that harm or loss occurring = Severity x Probability

    Many organisations and advisers utilise a risk matrix that is based on a scale of severity and probability. The severity scale has a guide to levels of injury, damage to the environment, equipment loss, and damage to community or reputational impact. The probability scale has to guide to frequency of occurrence of such an incident within the business, within the wider company group or within the industry sector.  Evaluating the level of risk on such a matrix provides the initial level of risk.

    If the level of risk is not acceptable with the current control measures that are in place, additional control measures to bring the level of risk down to an acceptable level must be implemented and assured.  The level of risk should be reduced so far as is reasonably practicable. Some methods of control are inherently more reliable than others. The more reliable methods should always be the preferred choice. The hierarchy of reliability for control measures is well established. Thus elimination of the risk or engineering controls are always better than those which rely solely on task management or personal protective equipment.


    Arc Flash Accident live cam exterior substation in Cudahy WI

    The control hierarchy

  4. Record your findings and implement them

    Each stage of the risk assessment should be recorded and communicated to all personnel who are involved in the task.

  5. Review your assessment and update if necessary

    The risk assessment is a live document. If the details of the task  change ensure the risk assessment remains valid. Risk assessments must be reviewed regularly. A review should be undertaken immediately if there is reason to believe that the assessment is no longer valid, for instance an injury or a health problem that may be attributable to it, or there has been a significant change in the work to which the assessment relates.


Precautionary principle

The ‘precautionary principle’ is to assume that the worst case can happen, both in terms of uncertain severity and uncertain probabilities. It is important to have in mind the uncertainty of possible harmful effects even if exposure is lower than the level considered to be safe.  The precautionary principle is a well-established approach to the assessment of major hazards and depends on a realistic consideration of worst case scenarios.

A working definition of Precautionary principle is given by the World Commission on the Ethics of Scientific Technology (COMEST):

“When human activities may lead to morally unacceptable harm that is scientifically plausible but uncertain, actions shall be taken to avoid or diminish that harm.
Morally unacceptable harm refers to harm to humans or the environment that is:

  • threatening to human life or health, or
  • serious and effectively irreversible, or
  • inequitable to present or future generations, or
  • imposed without adequate consideration of the human rights of those affected.


The judgment of plausibility should be grounded in scientific analysis. Analysis should be ongoing so that chosen actions are subject to review.Uncertainty may apply to, but need not be limited to, causality or the bounds of the possible harm
Actions are interventions that are undertaken before harm occurs and that seek to avoid or diminish the harm. Actions should be chosen that are proportional to the seriousness of the potential harm, with consideration of their positive and negative consequences, and with an assessment of the moral implications of both action and inaction. The choice of action should be the result of a participatory process.”


Risk management

Risk management implies the use of assessment to develop and implement effective preventative strategies.

The International Organization for Standardization (ISO) identifies the following principles of risk management:

Risk management should:

  • create value – resources expended to mitigate risk should be less than the consequence of inaction, or the gain should exceed the pain
  • be an integral part of organizational processes
  • be part of decision making process
  • explicitly address uncertainty and assumptions
  • be systematic and structured
  • be based on the best available information
  • be tailorable
  • take human factors into account
  • be transparent and inclusive
  • be dynamic, iterative and responsive to change
  • be capable of continual improvement and enhancement
  • be continually or periodically re-assessed


A risk with a large potential loss and a low probability of occurring is often treated differently from one with a low potential loss and a high likelihood of occurring. In theory, both are of nearly equal priority, but in practice it can be very difficult to establish priorities when faced with a scarcity of resources, especially time, in which to conduct the risk management process. Also the political and media response to risk will push those involved in taking steps to avoid rare major events, even at the expense of far more common low level ones that account, on average for a larger number of casualties. This can be well seen in the priority given to preventing rare ship disasters, while paying little attention to the far larger toll of individual death and disability from injuries and occupational disease in the maritime workplace.



Monitoring is the measurement or observation to check that risk management is working as expected.

The objectives of risk monitoring and updating are to:

  • systematically track the identified risks
  • identify any new risks
  • capture lessons learned for future risk assessment and allocation efforts



Evaluation is the process of confirming that the whole risk management system is  adequately controlling the anticipated risks.

A risk management plan can never be perfect. Critical evaluation at every stage is of great importance. Especially at an early stage it is necessary to match the outcomes of the risk management plans with its objectives. A thorough investigation of each activity in a risk management plan is required. After evaluating the effectiveness and efficiency of all the activities, it is may be necessary to make changes in the action plan to get the desired results. If the risk management plan produces the desired results, it may not need any changes.


Review of changes

It is necessary to review in order to confirm that any  changes to the risk management system that have been implemented have led to reductions in risk.

This may be done by recording the possible outcomes of the changed activity and matching them with the main objectives of the risk management plan and then looking  for changes to the frequency and severity of the actual outcomes

Evaluating a risk management plan is sometimes a time consuming process that requires expertise, knowledge and experience.


Risk communication

Seven cardinal rules for the practice of risk communication (U.S. Environmental Protection Agency):

  • Accept and involve the public/other consumers as legitimate partners (e.g. stakeholders).
  • Plan carefully and evaluate your efforts with a focus on your strengths, weaknesses, opportunities, and threats (SWOT).
  • Listen to the stakeholders specific concerns.
  • Be honest, frank, and open.
  • Coordinate and collaborate with other credible sources.
  • Meet the needs of the media.
  • Speak clearly and with compassion.


Hazard v. Risk

Wikipedia, the free encyclopedia notes: “The terms hazard and risk are often used interchangeably, however, in terms of risk assessment, these are two very distinct terms. As defined above, a hazard is any biological, chemical, mechanical, or physical agent that is reasonably likely to cause harm or damage to humans, the environment, property or reputation with sufficient exposure or dose. Risk is defined as the probability that exposure to a hazard will lead to a negative consequence. Thus, a hazard poses no risk if there is not exposure to that hazard. Consider the following example:

Three people crossing the Atlantic in a rowboat face a hazard of drowning. Three hundred people crossing the Atlantic in an ocean liner face the same hazard of drowning.The risk to each individual per crossing is given by the probability of the occurrence of an accident in which he or she drowns.  Clearly the hazard [drowning] if in the Atlantic Ocean without any survival aids is the same for each individual, hence in a risk assessment for the rowing boat and in one for the liner, the hazard will always remain the same.  However,  the risk [probability of drowning] is greater for the individuals in the rowboat than in the ocean liner. In all cases of risk assessment the level of risk is variable depending on exposure to the hazard and the controls that are in place to mitigate the risk”