How To Do A Risk Assessment In 5 Steps


Gary Rowe

September 09 2019

Blog Post | Reading Time: 9 Mins

The best way to do a risk assessment is to methodically identify your hazards, list the controls (layers of defence) you have in place, then honestly answer the most important question: “Is this risk acceptable (in these circumstances)?”

There's no 7 out of 10 to this question, only “Yes” or “No”. Once you’ve completed your risk assessment, it’s time to act, not just file the assessment.


Before you even worry about how to do a risk assessment, you need to know exactly what you want to achieve.

You need to know the purpose and scope of your risk assessment.

What’s the purpose of the risk assessment?

What problem are you trying to solve and what exactly are you assessing?

You have to ask why.

Over the years I’ve come across a lot of safety fanatics who seem to do risk assessments just because they love it. This is not a good enough reason. It’s a waste of time and money.

Knowing the purpose means you’ll assess the things that matter to your business.

Maybe the number one safety problem in your business is noise but the risk assessment you’re about to do is assessing fumes.

One business I worked with asked their head office for a risk assessment of their security. What they meant was how secure their premises was. What they got was an IT risk assessment.

Once you know the purpose of your risk assessment, write it down. Be specific.

[Image: workmen cleaning in a confined space]


What’s the scope of your risk assessment?

Before you do a risk assessment, assess your parameters.

Where will it start and stop?

Are you doing one to assess your high-level business risks? For example:

  • Staff travelling in cars.
  • Building fires.
  • Break-ins.

Or are you needing to move down and look at an individual department? For example, a site-specific traffic management plan.

Or could you move down further and look at a particular machine or task?

Your risk assessment might even be for a specific procedure which could involve multiple machines and tasks. It might also be for one aspect of a machine (e.g. noise or fumes).

There’s merit in all these types of risk assessments, but if you try and tackle them all at once you won’t get a meaningful outcome.

Once you know your purpose and scope, you’re ready to start your risk assessment.

There are five steps to doing a risk assessment. They are:

  1. Identify your hazards.
  2. List your existing controls.
  3. Assess the risk level.
  4. Determine if the risk is acceptable or not.
  5. Take action.

Let’s go through each step...


Step 1 - Identify Your Hazards

Put simply, a hazard is any source of harm or damage. For example, a machine with only a partial guard where someone could reach around and make contact with a dangerous part.

When most people start looking for hazards, they often just do a walk-around to see what they can spot.

We call this a ‘Hazard Hunt’ and generally it’s ineffective.

We always recommend the use of checklists wherever possible:

  • If you’re assessing machinery, get the machinery safety checklist.
  • If you’re assessing chemicals, get the chemical safety checklist.
  • Assessing traffic management, or falls from height or electrical work? You guessed it…get the appropriate checklist.

[Image: picture of a checklist]

Why we recommend using checklists when identifying hazards

We recommend you use checklists for two reasons: 

It's more methodical and consistent

To be more methodical means to be more complete.

A good checklist will help identify more than just physical hazards like cutting or grinding components. You'll find non-machinery hazards you may not have thought of like unlabelled controls or stop buttons that aren't red.

They can also make the process safer. Take an electrical safety checklist for example. The checklist will prompt questions like:

  • “Is it isolated?”
  • “Has it been correctly locked out and tagged out (LOTO)?”

Being methodical means not just assuming an electrical item has been isolated because it won’t turn on, but methodically checking that it has been disconnected from the power at the designated isolation point, that the isolation point is physically locked off, and that a tag has been attached to advise who has isolated it, when and why.


It makes it easier.

An assessment against a checklist is much easier than just doing a walk-around because you don’t have to think about the items you need to check.

Contact us if you need a checklist to help you perform a particular type of risk assessment.

Once you’ve identified your hazards, the next step is to look at what existing controls you have in place.


Step 2 - List Your Existing Controls

First, let’s define a control.

A control is the physical guarding, safety devices, signage, training or procedures you have in place.

For example, you’ve got a slippery floor (Hazard). You’ve put up a slippery floor sign (administrative Control).

Not all controls are visible. A control might be:

For any hazard there can and should generally be many possible controls.

For example, replacing a fuel pump is one control; however, you might choose an alternative control, like completing regular physical checks of the fuel pump, to save cost.

Why do you need to list your controls?

Listing your controls helps you with the next step, ‘Assess the Risk Level’. Knowing what controls you have in place will help you decide whether the risk you’re assessing is acceptable or not.

A great way to think about controls is ‘layers of defence’.

Businesses that operate in high-risk industries have multiple controls (layers of defence) in place.

Look at commercial airlines.

Very high risk. If something goes wrong your plane can fall out of the sky.

But with many layers of controls in place, the activity becomes safe enough to make it commercially safe and viable.

Qantas staff advise that the company standard is that for every identified hazard there must be at least five layers of defence (controls).

If it is a flight-critical hazard, 25 layers are required, e.g. 25 things must go wrong for the engine to stop.

Contrast a commercial flight with flying an ultralight aeroplane. It’s quite the opposite: not much has to go wrong for something bad to happen. But, as long as the ultralight pilot is happy to accept the higher risk, they will keep flying them.

Your company can choose to be safer by putting more controls in place (rather than doing more risk assessments).


Now that you have identified your hazards and listed your existing controls, you can assess the risk.


Step 3 - Assess the Risk Level

What is risk?

Risk is defined by ISO 31000 as the effect of uncertainty on objectives.

However, this definition is not very helpful for you and me when we’re trying to determine the level of risk and work out if it is acceptable or not.

The more commonly used and accepted definition is Risk = Likelihood x Severity.

Assessing the risk level

Assessing the risk level is usually done using a risk matrix.

Most organisations use a simple risk matrix like the one below, which displays a range of likelihoods and consequences on the vertical and horizontal axes.

The matrix allows the risk level to be read directly off the meeting point of both axes.

Below is a sample risk matrix with 5 options for consequence (severity) and likelihood.

It’s simple to use. For example, if something is likely to happen but the consequence is minor, the risk can be considered medium.

[Image: risk matrix]

The matrix you use is not prescribed.

Some industries tailor it to their industry.

The key is that you are comparing the risk to other risks in your business. Not with something outside of your business.

If you consistently use your matrix against your hazards, it’s valid.


What if your company has a different matrix than the one above?

It’s not a problem, as long as the matrix is used consistently in your company and you use it consistently to rate risks within your company (high, medium, low).

The purpose of assessing risk levels is to prioritise action. Not to determine if you continue to take that risk or not.

Determining if the risk is acceptable or not is done in the next step.


Step 4 - Determine If the Risk Is Acceptable or Not

The most important question to ask during your risk assessment is:

“Is this risk acceptable (in these circumstances)?”

There are only two answers to this question: “Yes” or “No”.

(You can read more about this all-important question in our post ‘What is a Risk Assessment’)

High Risk Activities

Some people think high risk means you can’t do it.

This is not correct. There are plenty of examples of businesses that have little choice but to tolerate high-risk activities.

A classic example is courier firms and Australia Post who use motorcycles for deliveries.

Statistics show the risk of being killed in a motor vehicle accident is 17 times higher if the person is on a motorcycle than in a car.

Clearly, riding a motorcycle is a high-risk activity and would be banned or illegal if employers were not allowed to undertake “high-risk” activities.

So why do Australia Post and other courier firms use motorcycles for deliveries?

They’ve determined that their controls are adequate for the level of the risk involved. They've deemed this an acceptable risk (within the organisation’s risk appetite).

The controls for riding motorcycles might include:

  • Appropriately licensed for category of bike.
  • Completed an advanced riding skills and defensive riding course.
  • Fit and healthy for riding.
  • Registered and roadworthy (safe) bike.
  • Any special features for making riding the bike safer.

The law doesn’t prohibit carrying out a task just because it’s high risk, but it does require good controls.

There is a common misconception that we must stop all high-risk activities. Whilst this may be required in certain situations, it is not specified by legislation or codes of practice.

Many high-risk activities are legal and are undertaken by organisations under documented procedures.


What about low risk activities?

The reverse can also be true.

Low risk doesn’t always mean it’s acceptable.

A good example is the colour of the stop button on your machinery.

Plant safety regulations say that stop buttons must be coloured red.

If you’ve got a black stop button on one of your machines, it might be a low risk, as all workers know what it is, but it’s actually an unacceptable risk because it is a clear breach of a specific regulation.


Making the decision

The most important part of this step is that you give management a clear answer.

There’s no 7 out of 10 to the question ‘Is this risk acceptable?’

Only ‘Yes’ or ‘No’.

Here are some questions that will help you determine if the risk is acceptable for your organisation:

  • Does it comply with the law? (legislative checklists may help).
  • Do we have a documented company standard?
  • Does it sit within our company’s risk appetite? (discussed below)

It’s critical you know your company’s risk appetite as some companies are willing to take higher risks than others.


Risk appetite

If you don’t know your company’s risk appetite, check!

You can’t make this decision unilaterally. It’s not about your mood or your personal opinion. It’s about what types and levels of risk your organisation is prepared to accept.

Risk appetite can change over time. Workplace bullying for example.

If someone gets into an argument and threatens to kill a colleague today, you’ll call the police. You might not have done that 20 years ago; you might simply have thought they were “letting off steam”.

Many organisations now adopt a zero-tolerance policy on particular risks like bullying, harassment and threats.
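The split the post draws between Step 3 (rating risk to prioritise action) and Step 4 (the yes/no acceptability question) is easy to blur in practice, so here is a worked model of both steps. This is an added example, not code or a matrix from the original post or its author: the 5-point scales, the band cut-offs, the `RiskAppetite` shape (a maximum matrix level plus a minimum number of layers of defence) and the sample hazards are all constructed for illustration. It reproduces the post's two cases: the motorcycle deliveries rate high but are acceptable because they sit within appetite with adequate controls, and the black stop button rates low but is unacceptable because it breaches a regulation.

```python
"""Worked model of Steps 3 and 4 of a risk assessment.

Added example, not from the original post. The matrix cut-offs, the risk
appetite shape and the hazards below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed 5-point scales. The post does not prescribe a matrix; it only
# requires that whatever matrix you use is applied consistently.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
LEVEL_RANK = {"low": 0, "medium": 1, "high": 2}


def risk_level(likelihood: str, severity: str) -> str:
    """Step 3: Risk = Likelihood x Severity, read off a 5x5 matrix.
    Band cut-offs (constructed): 1-5 low, 6-14 medium, 15-25 high."""
    score = LIKELIHOOD[likelihood] * SEVERITY[severity]
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


@dataclass
class Hazard:
    name: str
    likelihood: str
    severity: str
    controls: list              # Step 2: existing layers of defence
    complies_with_law: bool     # Step 4 prompt: does it comply with the law?
    meets_company_standard: bool  # Step 4 prompt: documented company standard?


@dataclass
class RiskAppetite:
    """Constructed stand-in for a documented risk appetite: the highest matrix
    level the organisation will accept, and the minimum layers of defence it
    requires before accepting any hazard."""
    max_level: str
    min_layers: int


def is_acceptable(h: Hazard, appetite: RiskAppetite) -> tuple[bool, list[str]]:
    """Step 4: the yes/no question. Returns the answer plus the reasons for a
    'No', so management gets a clear answer rather than a score."""
    reasons = []
    if not h.complies_with_law:
        reasons.append("breaches a specific regulation")
    if not h.meets_company_standard:
        reasons.append("does not meet the documented company standard")
    if LEVEL_RANK[risk_level(h.likelihood, h.severity)] > LEVEL_RANK[appetite.max_level]:
        reasons.append("outside the organisation's risk appetite")
    if len(h.controls) < appetite.min_layers:
        reasons.append(f"only {len(h.controls)} layer(s) of defence, "
                       f"{appetite.min_layers} required")
    return (not reasons, reasons)


def assess(hazards: list, appetite: RiskAppetite) -> list:
    """Rate every hazard, decide acceptability, and put the 'No' answers first,
    ordered by matrix level, so the highest-rated risk is actioned first.
    Priority comes from the matrix; acceptability does not."""
    rows = []
    for h in hazards:
        ok, reasons = is_acceptable(h, appetite)
        rows.append({"hazard": h.name, "level": risk_level(h.likelihood, h.severity),
                     "acceptable": ok, "reasons": reasons})
    rows.sort(key=lambda r: (r["acceptable"], -LEVEL_RANK[r["level"]]))
    return rows


# Constructed hazards mirroring the post's examples.
SAMPLE_HAZARDS = [
    Hazard("motorcycle deliveries", "likely", "major",
           ["licensed for bike category", "advanced riding course", "fit and healthy",
            "registered and roadworthy bike", "additional safety features"],
           complies_with_law=True, meets_company_standard=True),
    Hazard("black stop button on lathe", "rare", "minor",
           ["all operators know the button"],
           complies_with_law=False, meets_company_standard=False),
    Hazard("slippery floor at loading dock", "likely", "minor",
           ["slippery floor sign"],
           complies_with_law=True, meets_company_standard=True),
]
COMPANY_APPETITE = RiskAppetite(max_level="high", min_layers=2)

if __name__ == "__main__":
    for row in assess(SAMPLE_HAZARDS, COMPANY_APPETITE):
        answer = "Yes" if row["acceptable"] else "No: " + "; ".join(row["reasons"])
        print(f"{row['hazard']:<32} {row['level']:<7} acceptable? {answer}")
```

Run as-is, the slippery floor (medium, one layer of defence) and the stop button (low, regulatory breach) come out as “No” ahead of the motorcycle deliveries (high, “Yes”), which is exactly the point of the post: the matrix decides what to fix first, and the law, the company standard and the risk appetite decide whether the risk may be carried at all.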


Step 5 - Take Action

Once you’ve completed your risk assessment, it’s time to act, not just file the assessment.


Depending on the outcome, action could include:

  • Putting more controls (layers of defence) in place.
  • Getting additional equipment.
  • Planning additional training.
  • Clearer safety signage, physical barriers or fencing.
  • Stopping an activity you’ve deemed too risky and unable to adequately control.

What about risks that were not acceptable?

You have two options:

  • Stop the activity; or
  • Put more controls in place so you can continue.

If you choose option 2, put more controls in place, you need to complete another risk assessment afterwards to make sure the residual risk is now acceptable with the new controls.


What Now?

Take some time to think through the purpose and scope of the risk assessments you should be completing in your business.

Follow these 5 simple steps.

Make sure every risk assessment answers the critical question: “Is this risk acceptable (in these circumstances)?”

If you have questions or require assistance completing risk assessments in your business call +61 (03) 8544 4300 or enquire online


Bonus Questions

We get asked a lot of questions about risk assessments. Here’s some of the more common questions we get asked….


Does A Manager Have To Sign-Off On All Risk Assessments?

There are no legal requirements for managers to sign off on risk assessments.

Many organisations have company procedures which require sign-off by a manager so they can be confident that the risk assessment has been conducted to an adequate standard and by appropriate and competent personnel.


Do Employees Need To Sign Risk Assessments?

There’s no legal requirement for workers to sign risk assessments, or SWMS (Safe Work Method Statement), but it is common industry practice to do so.

Having workers sign safe work instructions or risk assessments may be a reasonable company rule for the purpose of demonstrating that the workers were made aware of the risks and the controls for the particular task.


Do Health and Safety Representatives Have To Participate In All Risk Assessments?

There’s no legal requirement for H&S Reps to participate in risk assessments, and indeed there is no duty requiring them to do so.

However, employers have a legal duty to consult with H&S Reps and allow them an opportunity to provide input on any matter that might impact on safety for their work colleagues.

Therefore, it’s prudent and appropriate to involve H&S Reps in risk assessments. Where they’re not involved, you should consult about the risk assessment with them and allow them to provide input.


How Frequently Should We Review Our Risk Assessments?

Some older legislation specified review of many types of risk assessments every 5 years, but the frequency of review is rarely prescribed by the current workplace legislation.

Best practice organisations typically specify review of their risk assessments at intervals between 3 and 5 years.

The logic is that, even if no change has been made to the workplace, controls may deteriorate and should be subject to periodic review.

We recommend you consider the level of risk and reliability of the controls to determine an appropriate frequency of review for each circumstance.


Need help or advice completing Risk Assessments in your business? Take away the guesswork and talk to one of our expert Safety Consultants. Call +61 (03) 8544 4300 or enquire online
