A risk assessment step by step process is one of the most fundamental requirements in occupational health and safety management. Whether you are implementing ISO 45001, complying with OSHA regulations, or meeting local HSE legislative requirements, a well-structured risk assessment is the foundation of every effective safety management system.
Yet despite being a legal requirement in most jurisdictions, risk assessments are among the most poorly executed documents in workplace safety. Too vague. Too generic. Not updated after changes. And almost never reviewed after incidents.
This guide walks you through the risk assessment step by step process — from hazard identification to residual risk management — with practical examples for HSE professionals across all industries.
WHAT IS A RISK ASSESSMENT AND WHY IS IT REQUIRED?
A risk assessment is a systematic process of identifying hazards in the workplace, evaluating the risks they present to workers and others, and implementing appropriate controls to eliminate or reduce those risks to an acceptable level.
In the United Kingdom, the Management of Health and Safety at Work Regulations 1999 make risk assessment a legal duty for all employers. In the EU, the Framework Directive 89/391/EEC imposes the same obligation. In the GCC region including the UAE, risk assessments are required under local HSE legislation and are specifically mandated under ISO 45001 Clause 6.1.
Under ISO 45001:2018 — and the upcoming ISO 45001:2027 revision — risk assessment is not optional. It is the documented evidence that your organisation has systematically identified its hazards and taken proportionate action to control them.
RISK ASSESSMENT STEP BY STEP — THE 5-STEP METHOD
The UK Health and Safety Executive (HSE) defines the risk assessment process in five steps. This method is widely recognised globally and aligns with ISO 45001 requirements. The risk assessment step by step methodology begins with thorough hazard identification.
RISK ASSESSMENT STEP 1 — IDENTIFY THE HAZARDS
A hazard is anything with the potential to cause harm. Hazard identification is the foundation of your risk assessment — if you miss a hazard, everything that follows is incomplete.
How to identify hazards effectively:
✅ Walk the workplace — physically inspect every area where work takes place
✅ Review accident and near-miss records — where has harm happened or nearly happened before?
✅ Consult workers — the people doing the job know the hazards better than anyone
✅ Review manufacturer instructions and safety data sheets for chemicals and equipment
✅ Consider non-routine activities — maintenance, cleaning, emergency procedures
✅ Think about remote and lone workers — do they face unique hazards?
Common hazard categories to consider:
→ Physical hazards — noise, vibration, manual handling, slips, trips, falls
→ Chemical hazards — hazardous substances, dusts, fumes, gases
→ Biological hazards — bacteria, viruses, moulds (especially relevant post-pandemic)
→ Ergonomic hazards — workstation design, repetitive movements, awkward postures
→ Psychosocial hazards — stress, fatigue, bullying, workload (increasingly recognised under ISO 45001:2027)
→ Environmental hazards — extreme heat, cold, outdoor work risks
RISK ASSESSMENT STEP 2 — DECIDE WHO MIGHT BE HARMED AND HOW
For each hazard identified, consider who could be harmed and under what circumstances. This goes beyond your direct employees — it includes:
→ Permanent and temporary workers
→ Contractors and subcontractors on your site
→ Visitors and members of the public
→ Vulnerable groups — new and expectant mothers, young workers, workers with disabilities, lone workers
→ Remote workers — their home or remote working environment must also be considered under ISO 45001:2027
Document specifically how each group could be harmed — not just that they could be. “Workers could be harmed by falling objects in the warehouse” is better than “workers may be injured.”
The next stage of the risk assessment step by step process is to evaluate the likelihood and severity of harm for each hazard.
RISK ASSESSMENT STEP 3 — EVALUATE THE RISKS AND DECIDE ON PRECAUTIONS
Risk evaluation requires you to assess both the likelihood that harm will occur and the severity of that harm if it does. This produces a risk rating that prioritises your control actions.
Using a risk matrix — likelihood x severity:
Likelihood: 1 = Unlikely, 2 = Possible, 3 = Likely
Severity: 1 = Minor injury, 2 = Major injury, 3 = Fatal or multiple fatalities
Risk rating = Likelihood x Severity (a 3 x 3 matrix can only produce the values 1, 2, 3, 4, 6 and 9, so the bands below cover every possible rating)
1-2 = Low risk — monitor and review
3-4 = Medium risk — implement controls within defined timescale
6-9 = High risk — immediate action required, consider stopping the activity
Before deciding on controls, check what you already have in place. Are existing controls adequate? Are they actually being used? Are they maintained and in good condition?
RISK ASSESSMENT STEP 4 — IMPLEMENT THE CONTROLS
Controls must be implemented using the hierarchy of controls — in order of preference from most effective to least effective:
- ELIMINATION — Remove the hazard completely. Can the task be redesigned so the hazard no longer exists?
- SUBSTITUTION — Replace the hazardous substance or process with something less hazardous
- ENGINEERING CONTROLS — Physical measures that separate people from the hazard — guards, enclosures, LEV systems
- ADMINISTRATIVE CONTROLS — Systems and procedures — permits to work, safe systems of work, training, supervision
- PERSONAL PROTECTIVE EQUIPMENT (PPE) — The last resort, not the first line of defence
ISO 45001 and most HSE regulations require that PPE is only used where higher-order controls are not reasonably practicable. A risk assessment that jumps straight to “wear PPE” without considering elimination, substitution, and engineering controls is not compliant.
For each control measure, document:
→ What the control is
→ Who is responsible for implementing and maintaining it
→ The timescale for implementation
→ The residual risk rating after controls are applied
The final phase of the risk assessment step by step approach focuses on review and continual improvement.
RISK ASSESSMENT STEP 5 — REVIEW AND UPDATE YOUR RISK ASSESSMENT
A risk assessment is not a one-off exercise. It must be reviewed:
✅ After any accident, incident, or near-miss linked to the activity
✅ When significant changes occur — new equipment, new substances, new processes, new workers
✅ When the risk assessment has not been reviewed for a significant period (typically 12 months maximum)
✅ When workers report that the risk assessment no longer reflects actual conditions
✅ When new legislation or standards come into force
ISO 45001 requires organisations to follow a documented risk assessment step by step methodology for hazard identification and risk control. Under ISO 45001, risk assessments must be reviewed as part of your management of change process. The upcoming ISO 45001:2027 revision is expected to strengthen this requirement — particularly around changes to remote working arrangements, new technologies, and supply chain activities.
COMMON RISK ASSESSMENT MISTAKES TO AVOID
❌ Generic risk assessments — copying a template without tailoring it to your specific workplace and activity
❌ No worker involvement — risk assessments written by managers who do not do the job
❌ Straight to PPE — jumping to PPE without working through the hierarchy of controls
❌ Never reviewed — filed away after completion and never updated
❌ No residual risk rating — not documenting the risk level after controls are applied
❌ Missing vulnerable groups — not considering contractors, young workers, or remote workers
❌ Not linked to method statements — risk assessments and method statements should cross-reference each other
RISK ASSESSMENT AND ISO 45001 — CLAUSE 6.1 REQUIREMENTS
ISO 45001:2018 Clause 6.1 requires your organisation to establish, implement, and maintain processes for identifying hazards and assessing occupational health and safety risks. Specifically it requires:
→ A documented methodology for hazard identification
→ Risk assessment covering all activities, all workers, and all locations — including remote
→ Consideration of past incidents and near-misses
→ Assessment of both routine and non-routine activities
→ Residual risk determination after controls are applied
→ Review when changes are planned or after incidents occur
The upcoming ISO 45001:2027 revision is expected to expand these requirements — specifically adding explicit requirements for psychosocial hazard assessment including stress, burnout, and remote work ergonomics.
FREE RISK ASSESSMENT TEMPLATE — DOWNLOAD NOW
Standards Unlimited offers a free, editable risk assessment template in Word format — designed to meet ISO 45001 Clause 6.1 requirements and local HSE legislative obligations.
The template includes:
→ Hazard identification columns for all hazard categories
→ Who might be harmed — with vulnerable group considerations
→ Likelihood x severity risk matrix with colour-coded ratings
→ Hierarchy of controls section
→ Residual risk rating and review date fields
→ Signatory section for legal compliance evidence
👉 Download your free risk assessment template at standardsunlimited.com/free
THE BOTTOM LINE
A risk assessment step by step process that is genuinely completed — not copied from a generic template, not filed away after an audit visit — is the single most important document in your health and safety management system. It protects your workers. It protects your organisation legally. And it is the foundation on which every other safety control is built.
Start with one activity. Follow the five steps. Involve the workers who do the job. Review it after every change. That is all it takes to build a risk assessment programme that actually works.