How to Conduct a Health and Safety Risk Assessment

A Complete International Guide to Workplace Risk Assessment
Every workplace faces health and safety risks. This comprehensive guide explains how to conduct effective risk assessments that identify hazards, evaluate risks, and implement controls. From defining scope to ongoing monitoring, we guide you through the process needed to protect your workers and maintain compliance across different jurisdictions.
Introduction: Why Risk Assessments Are Essential
Every workplace carries health and safety risks. As operations expand with growing teams, new technologies, and evolving compliance requirements, the potential for those risks to cause harm only increases. Change brings opportunity, but it also introduces new hazards and potential points of failure.
Consider organisations adopting new work patterns such as hybrid working, implementing new technologies, or expanding into new markets. These changes drive business growth and operational efficiency. But they also introduce new health and safety considerations that must be assessed and managed.
The Health and Safety Executive (HSE) statistics for 2024/25 reveal the continuing scale of workplace harm in Great Britain: 138 workers killed in work-related accidents, 604,000 workers sustaining non-fatal injuries, and 33.7 million working days lost due to work-related illness and injury. Behind these statistics are real people whose lives have been affected by workplace hazards that were not adequately controlled.
Knowing how to conduct a risk assessment effectively is what separates organisations that protect their workers from those that expose them to preventable harm. Risk assessment is not merely a compliance exercise. It is a fundamental business process that enables organisations to identify what could go wrong, understand who might be harmed, and implement effective controls before incidents occur.
Why Risk Assessments Are Key
In today's environment of constant change, rapid innovation, and evolving regulations, risk assessments put the necessary structure in place to keep track of potential workplace hazards. They identify not just where risks exist, but how likely they are to cause harm, how severe the consequences could be, and what controls are required to eliminate or reduce them.
The fundamental value of a risk assessment is clarity. What can otherwise feel like vague or overwhelming concerns are systematically analysed. Leaders can see exactly what might go wrong, who could be affected, and how serious the outcomes may be. This clarity enables informed decision-making about resource allocation and control measures.
For Health and Safety Consultants and internal health and safety professionals, effective risk assessment facilitates success in three critical areas: identifying emerging risks before they cause harm, driving ownership of health and safety across the organisation, and using data and evidence to inform risk management decisions.
Legal Requirements
Risk assessment is a legal requirement in most jurisdictions. In the UK, the Management of Health and Safety at Work Regulations 1999 require employers to make a suitable and sufficient assessment of the risks to the health and safety of employees and others who may be affected by their work activities. The EU Framework Directive 89/391/EEC establishes similar requirements across EU member states. In the United States, OSHA's General Duty Clause requires employers to provide workplaces free from recognised hazards.
Beyond general requirements, specific regulations often mandate risk assessments for particular hazards. In the UK, this includes the Control of Substances Hazardous to Health Regulations 2002 (COSHH), the Manual Handling Operations Regulations 1992, the Display Screen Equipment Regulations 1992, and many others. International Health and Safety Consultants must understand how these specific requirements vary across jurisdictions.
When to Conduct Risk Assessments
Risk assessments are most impactful when timed around meaningful change, exposure, or transformation. Key triggers include the following scenarios.
Before introducing new processes, equipment, or systems: Identify hazards before new procedures create downstream problems. New machinery, work methods, or technologies should be assessed before implementation to ensure adequate controls are in place from the start.
After an incident or near miss: Investigate root causes, assess impact, and build a plan to prevent repeat issues. Incidents reveal gaps in existing risk assessments and provide learning opportunities to strengthen controls.
During organisational change: Structural changes, relocations, and reorganisations often expose new risk areas. A fresh assessment helps reduce friction and confusion while ensuring that health and safety is maintained through transitions.
When introducing new substances or materials: Validate usage guidelines and identify any safety, training, or control requirements. New chemicals, materials, or biological agents require specific assessment under regulations such as COSHH.
In response to updated laws or standards: Review practices to ensure alignment with new requirements and avoid enforcement action, fines, or operational disruption. Regulatory changes may require reassessment against new criteria.
As part of routine reviews: Keep assessments current and responsive to gradual changes before they compound. Regular review ensures that assessments remain valid as circumstances evolve.
How to Conduct a Health and Safety Risk Assessment
Risk assessments are effective when they reflect how work is actually performed and decisions are actually made inside the organisation. They should connect directly to daily operations and be championed by people with real knowledge of the work and authority to implement changes. The following process ensures your risk assessment is robust in practice.
Step One: Define the Scope and Objectives
Start by defining what you are assessing: a specific work activity, a piece of equipment, a workplace area, a process, or an entire operation. Document what is included in your scope, the people and assets that could be affected, and the outcomes you are trying to prevent.
Clear scope definition prevents assessments from becoming unwieldy while ensuring that nothing significant is overlooked. For complex operations, consider breaking the assessment into manageable sections covering different activities, areas, or hazard types. This enables thorough assessment without losing focus.
Step Two: Identify Hazards
Examine the work activities, equipment, substances, and environment within your defined scope to identify everything that could cause harm. Record your findings systematically, regardless of whether they seem significant, to ensure that hazards can be properly evaluated and prioritised.
Common hazard categories in workplace environments include physical hazards such as moving machinery, vehicles, working at height, manual handling, slips, trips, and falls. Chemical hazards include substances that can cause harm through inhalation, skin contact, or ingestion. Biological hazards include bacteria, viruses, and other organisms that can cause infection or disease. Ergonomic hazards arise from workstation design, repetitive movements, and sustained postures. Psychosocial hazards include work-related stress, violence, bullying, and harassment.
Draw on multiple sources including workplace inspections, accident and incident records, manufacturer instructions, safety data sheets, industry guidance, and insights from workers who understand where hazards are most likely to surface. Effective hazard identification requires thorough investigation and ongoing attention.
Step Three: Determine Who Might Be Harmed
For each hazard, identify the people who could be affected and how they might be harmed. This goes beyond direct employees to include contractors, visitors, members of the public, and anyone else who might be exposed to the hazard.
Give particular consideration to workers who may be at increased risk: new or inexperienced workers who may not recognise hazards; young workers who may lack experience and maturity; pregnant workers or new mothers with specific vulnerabilities; workers with disabilities who may need adjustments; lone workers without immediate access to assistance; and workers whose first language is not the workplace language.
Consider both direct harm and downstream effects. A hazard might directly affect the worker performing a task, but it could also affect others nearby, workers who use the same equipment later, or workers involved in maintenance or cleaning activities.
Step Four: Evaluate Likelihood and Severity
Once you have identified the hazards and those who might be harmed, the next step is to evaluate the risk involved. This typically involves considering both the likelihood that harm will occur and the severity of that harm if it does occur.
Likelihood considers factors such as how often the activity occurs, how many people are exposed, the effectiveness of existing controls, and the potential for human error or equipment failure. Severity considers the nature of potential harm, from minor injuries requiring first aid to major injuries, occupational diseases, or fatalities.
A risk matrix plotting likelihood against severity provides a systematic approach to evaluation. Many organisations use a five-by-five matrix with likelihood rated from very unlikely to very likely and severity rated from trivial to catastrophic. The intersection determines the risk rating and guides prioritisation of control measures.
Modern Health and Safety Consultants and Software platforms enable more sophisticated analysis, connecting information from incident records, inspection findings, and compliance data to provide evidence-based risk evaluation. Automated tools reduce subjectivity in risk rating while enabling real-time monitoring of changing conditions.
Step Five: Prioritise Risks and Determine Controls
Use likelihood and severity ratings to establish a clear hierarchy of risks. High-priority risks require immediate action, while lower-level risks can be monitored until conditions change or resources become available. Each significant risk should have a designated owner with authority to allocate resources and implement controls.
For each risk requiring action, identify the most effective measures to reduce or eliminate exposure. Apply the hierarchy of controls as your guide. Elimination removes the hazard entirely. Substitution replaces a hazardous substance or process with a less hazardous alternative. Engineering controls isolate people from the hazard through guards, enclosures, ventilation, or other physical measures. Administrative controls change the way people work through procedures, training, supervision, and rotation. Personal protective equipment provides a last line of defence when other controls are insufficient.
Start with controls at the top of the hierarchy wherever reasonably practicable. Higher-level controls are generally more reliable because they do not depend on human behaviour for their effectiveness. Lower-level controls should supplement, not replace, higher-level measures.
Step Six: Record Your Findings
If you employ five or more people in the UK, you are legally required to record the significant findings of your risk assessment. Even where not legally required, documented assessments are good practice and provide evidence of your approach to managing health and safety.
Record the hazards identified, who might be harmed, the existing controls in place, the evaluation of risk with those controls, and any additional measures required. Document the action plan for implementing improvements, including responsibilities and timescales. Keep records accessible and ensure they can be understood by those who need to implement or verify controls.
Good documentation serves multiple purposes: it demonstrates compliance to regulators, provides evidence for insurance purposes, enables effective handover when personnel change, and supports organisational learning and continuous improvement.
Step Seven: Implement Controls
A risk assessment is only valuable if its findings lead to action. Implement the control measures identified, following the action plan with clear responsibilities and timescales. Prioritise high-risk activities while maintaining progress on lower-priority improvements.
Effective implementation requires communication with affected workers, provision of necessary training, procurement of equipment or materials, and verification that controls work as intended. Involve workers in developing and implementing solutions, as those closest to the work often have the best insights into practical and effective controls.
Step Eight: Monitor, Review, and Update
A risk assessment is only effective if it stays current. Set a review schedule that reflects the rhythm of your operations, whether quarterly, annually, or following significant changes. Use Health and Safety Audits, incident investigations, and performance metrics to evaluate whether controls remain effective and whether new hazards have emerged.
Key review triggers include changes to work activities, equipment, substances, or premises; accidents, incidents, or near misses; new information about hazards or control measures; changes in legislation or guidance; and findings from inspections, audits, or enforcement action.
An ongoing cycle of monitoring and adjustment strengthens organisational resilience and embeds risk awareness into everyday decision-making. Risk management becomes a continuous discipline rather than a one-off project.
International Risk Assessment Requirements
For organisations operating across multiple countries, risk assessment requirements vary by jurisdiction. Global Health and Safety Consultants must understand these differences to ensure compliance wherever organisations operate.
United Kingdom
The Management of Health and Safety at Work Regulations 1999 require employers to assess risks to employees and others affected by work activities. The assessment must be suitable and sufficient, meaning it must identify the significant risks and determine what measures are needed to comply with health and safety legislation. Employers with five or more employees must record the significant findings.
European Union
The Framework Directive 89/391/EEC requires employers in all EU member states to evaluate risks and implement preventive measures. Individual member states have national legislation implementing these requirements, often with additional specific provisions. Risk assessment documentation requirements vary by country, with some requiring specific formats or submission to authorities.
United States
OSHA does not mandate a single risk assessment methodology, but the General Duty Clause requires employers to provide workplaces free from recognised hazards likely to cause death or serious harm. Specific OSHA standards require hazard assessments for particular risks including personal protective equipment, permit-required confined spaces, and process safety management. Many employers adopt voluntary risk assessment approaches based on ANSI/ASSP Z10 or similar standards.
Australia and New Zealand
Model Work Health and Safety legislation requires persons conducting a business or undertaking (PCBUs) to identify hazards and assess risks. The model Codes of Practice provide detailed guidance on risk assessment methodology. Risk assessments must be conducted in consultation with workers and their representatives.
ISO 45001
ISO 45001 provides an international framework for occupational health and safety management systems. The standard requires organisations to establish processes for hazard identification and assessment of OH&S risks and opportunities. Organisations seeking certification must demonstrate systematic risk assessment integrated with their management system.
How Arinite Supports Risk Assessment
Arinite provides comprehensive risk assessment services delivered by CMIOSH-qualified Health and Safety Consultants with expertise across diverse industries and hazard types. Our assessments are thorough, practical, and compliant with regulatory requirements in the jurisdictions where you operate.
We conduct risk assessments for all types of workplace hazards, from routine office activities to complex industrial processes. Our assessments follow systematic methodology while being tailored to your specific operations, ensuring that controls are practical and proportionate to the risks involved.
Our Health and Safety Consultants and Software approach combines expert assessment with efficient digital tools. Software enables consistent assessment methodology across multiple sites, centralised tracking of findings and actions, and real-time visibility into risk profiles. Consultants provide the expertise for complex assessments and strategic guidance.
For organisations with multiple sites or international operations, our Global Health and Safety Consultants deliver consistent risk assessment standards while ensuring compliance with local requirements. With support for over 1,500 global businesses across more than 50 countries, we bring experience across diverse regulatory environments and industry sectors.
Our Keeping It Simple philosophy means practical assessments without unnecessary complexity. We focus on identifying real risks and recommending effective controls that protect your workers and your business. Our goal is to make risk assessment a valuable tool for improving safety, not just a compliance exercise.
Contact Arinite today to discuss your risk assessment requirements. Call +44 (0)20 7947 9581 or visit www.arinite.com to book your free 30-minute Gap Analysis Call.
Frequently Asked Questions
What is a health and safety risk assessment?
A health and safety risk assessment is a systematic process to identify hazards in the workplace, determine who might be harmed and how, evaluate the risks, and decide on appropriate control measures. It enables organisations to manage risks proactively rather than reacting after harm occurs.
Is risk assessment a legal requirement?
Yes, in most jurisdictions. In the UK, the Management of Health and Safety at Work Regulations 1999 require employers to assess risks to employees and others affected by work activities. Similar requirements exist under EU directives, OSHA regulations, and health and safety legislation in other countries.
Who should conduct risk assessments?
Risk assessments should be conducted by someone with the competence to identify hazards, evaluate risks, and determine appropriate controls. This may be an internal health and safety professional, a trained manager, or external Health and Safety Consultants, depending on the complexity of the risks involved.
How often should risk assessments be reviewed?
Risk assessments should be reviewed whenever circumstances change, including new activities, equipment, or substances; after accidents or near misses; when new information emerges; and as part of regular periodic review. Many organisations review assessments annually as a minimum, with more frequent review for higher-risk activities.
What must be recorded in a risk assessment?
UK law requires employers with five or more employees to record the significant findings of risk assessments. Good practice includes recording hazards identified, who might be harmed, existing controls, risk evaluation, additional measures required, and action plans with responsibilities and timescales.
What is the hierarchy of controls?
The hierarchy of controls prioritises control measures by effectiveness: elimination (remove the hazard), substitution (replace with something less hazardous), engineering controls (isolate people from the hazard), administrative controls (change how people work), and personal protective equipment (last resort when other controls are insufficient).
How detailed should a risk assessment be?
Risk assessments should be proportionate to the risks involved. Simple, low-risk activities may need only brief assessment. Complex, high-risk activities require more detailed analysis. The assessment should be sufficient to identify significant risks and determine appropriate controls.
Can risk assessments be generic?
Generic assessments can provide a starting point for common activities, but they must be adapted to specific circumstances. Factors such as workplace layout, equipment variations, worker capabilities, and environmental conditions mean that generic assessments rarely capture all relevant risks without customisation.
What is the difference between hazard and risk?
A hazard is something with the potential to cause harm, such as a chemical, machinery, or work method. Risk is the likelihood that the hazard will cause harm and the severity of that harm. Risk assessment involves identifying hazards and then evaluating the associated risks.
How can Health and Safety Consultants help with risk assessment?
Health and Safety Consultants bring expertise, independence, and experience from multiple organisations and sectors. They can conduct thorough assessments, identify hazards that internal staff might overlook, ensure compliance with legal requirements, and recommend practical controls. International Health and Safety Consultants also ensure consistent standards across different jurisdictions.