What Are Risk Assessment Procedures and How Do They Work?

Risk assessment procedures are the systematic steps organizations use to identify what could go wrong, determine how serious each threat is, and decide what to do about it. The process follows a consistent structure across industries: establish context, identify risks, analyze them, evaluate their significance, and then treat them. Whether you’re dealing with workplace safety, project management, or regulatory compliance, the core logic is the same.

The Three Stages of Risk Assessment

Risk assessment sits inside a broader risk management process, but the assessment itself has three distinct stages: identification, analysis, and evaluation. These stages appear in the ISO 31000 framework, which is the most widely referenced international standard for risk management.

Risk identification establishes your exposure to risk and uncertainty. The goal is to build a comprehensive list of everything that could affect your objectives, whether those are worker safety, project timelines, financial targets, or data security. You’re casting a wide net here, not yet judging how likely or severe anything is.

Risk analysis takes each identified risk and examines its causes, likelihood, and potential consequences. This stage produces a risk profile that rates the significance of each risk. The output helps you see which risks deserve management attention and which ones are minor enough to monitor without action.

Risk evaluation compares the results of your analysis against criteria you’ve set in advance, such as your organization’s tolerance for financial loss, safety incidents, or operational disruption. This is where you decide which risks need treatment and which are acceptable as they stand.

How to Identify Risks

Identification is where most organizations either build a strong foundation or create blind spots that haunt them later. OSHA recommends several overlapping methods to catch hazards from different angles.

Workplace inspections are the most straightforward. Walk through all operations, equipment, work areas, and facilities on a regular schedule. Hazards creep in over time as workstations change, tools wear out, maintenance gets delayed, or housekeeping slips. What looked safe six months ago may not be safe today.

Incident investigations go deeper. Every injury, illness, near miss, or safety concern points directly to an existing hazard. The purpose isn’t to assign blame but to find root causes, and there’s often more than one. Grouping similar incidents together and looking for trends in your injury logs can reveal systemic problems that individual reports might not show.

Job hazard analyses (also called job safety analyses) break down specific tasks step by step to identify where things could go wrong during each phase of the work.

Beyond safety, the same principle applies in other fields. In project management, you might review lessons learned from past projects. In cybersecurity, you’d examine system vulnerabilities and threat intelligence. In finance, you’d look at market data, credit exposure, and operational failures. The method changes, but the goal stays the same: build a list you can analyze.

Qualitative vs. Quantitative Analysis

Once you’ve identified your risks, you need to figure out how big they are. There are two broad approaches, and most organizations use both.

Qualitative analysis relies on expert judgment, experience, and discussion to sort risks into categories like high, medium, or low. The most common tool is a risk matrix (sometimes called a heat map) that plots likelihood against impact on a grid. It’s fast, flexible, and works well when you don’t have hard data or when you’re in early planning stages. The downside is subjectivity. Two people can look at the same risk and assign different ratings based on their experience and biases.

Quantitative analysis uses data, historical patterns, and statistical models to express risk in numbers: a dollar figure for potential loss, a probability percentage, or a projected timeline impact. This approach is more precise and supports data-backed decisions, but it requires significant data and technical expertise. Financial forecasting, compliance analysis, and technical risk modeling typically call for quantitative methods.

In practice, many organizations start with qualitative screening to identify their top risks, then apply quantitative analysis to the ones that matter most. You don’t need a statistical model for every risk on your register.

Specialized Assessment Methods

Some industries use structured techniques designed for specific types of risk. Two of the most established are FMEA and HAZOP.

Failure Mode and Effects Analysis (FMEA) works from the bottom up, examining individual components or functions to identify how they might fail. Each potential failure gets scored for severity, likelihood, and detectability, producing a risk priority number that ranks failures against each other. It’s well suited for evaluating technical components like structural elements, construction equipment, electrical panels, or prefabricated systems. Think of it as a reliability tool: what specific part could break, and how bad would that be?

Hazard and Operability Studies (HAZOP) take a top-down view. A team walks through a system’s intended design or operational flow and uses structured guide words (“more,” “less,” “reverse,” “other than”) to prompt discussion about what could deviate from the plan. HAZOP excels in complex systems where the interactions between components matter more than any single part. It’s commonly applied to HVAC systems, fire protection, water treatment, high-risk excavation near existing utilities, and interfaces between different building systems like electrical and plumbing in a data center.

The key difference: FMEA is faster and more quantitative, ideal for screening many individual components. HAZOP is slower and more qualitative, better for uncovering systemic or process-based risks that component-level analysis might miss.

Deciding What’s Acceptable

Risk evaluation requires a benchmark. You can’t decide whether a risk needs treatment unless you’ve defined what “acceptable” means for your organization. One widely used principle is ALARP, which stands for “As Low As Reasonably Practicable.”

ALARP works on a simple idea: you should reduce risk unless the cost of doing so is grossly disproportionate to the benefit. This isn’t the same as a standard cost-benefit test, where you’d stop spending once costs equal benefits. Under ALARP, you’re expected to keep reducing risk even when the cost somewhat exceeds the benefit. You can stop only when further spending would be wildly out of proportion to the remaining risk.

There’s also a ceiling. In the UK framework where ALARP originated, workplace fatality risks above 1 in 1,000 per year are considered intolerable regardless of cost. If your risk sits above that maximum tolerable level, you reduce it or stop the activity entirely. Below that ceiling, ALARP applies. Below a lower threshold, the risk is broadly acceptable and you simply monitor it. This three-zone model (intolerable, ALARP region, broadly acceptable) gives organizations a structured way to make decisions that might otherwise feel arbitrary.

Documenting Risks in a Register

A risk register is the living document where all assessment results are recorded, tracked, and updated. A well-built register typically includes these fields for each entry:

  • Risk ID and date: a unique number and the date the risk was first recorded
  • Risk description: a clear statement of what could happen
  • Likelihood: how probable the risk is, using whatever scale your analysis produced
  • Impact: the potential consequences if the risk materializes
  • Intensity or overall rating: a combined score reflecting both likelihood and impact
  • Risk owner: the person responsible for managing that specific risk
  • Preventative actions: what’s being done to reduce the risk before it happens
  • Contingency plan: what you’ll do if the risk does happen
  • Progress updates: notes on how treatment is going
  • Status: whether the risk is open, in progress, or closed

OSHA requires employers to document inspections so they can verify that hazardous conditions were corrected. ISO 45001, the international standard for occupational health and safety, goes further: organizations must maintain documented information on their assessment methodologies and criteria, not just the results. If your assessment approach isn’t written down, it doesn’t meet the standard.

The Four Ways to Treat Risk

After evaluation, risks that fall outside your acceptable range need treatment. There are four standard options, sometimes called the “four Ts.”

Terminate (avoid): eliminate the risk entirely by not doing the activity that creates it. If a construction method is too dangerous, you choose a different method.

Treat (mitigate): reduce the likelihood or impact through controls. Adding a guardrail, improving a process, or training employees are all forms of treatment. ISO 31000 defines risk treatment as selecting and implementing appropriate controls to modify the risk.

Transfer: shift the financial or operational burden to a third party, usually through insurance, contracts, or outsourcing. The risk still exists, but someone else bears the consequences.

Tolerate (accept): acknowledge the risk and move forward without additional action. This makes sense for low-level risks where treatment costs would outweigh the potential harm, or when you’ve already reduced the risk as far as reasonably practicable.

Most real-world risk responses combine these strategies. You might mitigate a risk through better procedures, transfer the residual financial exposure through insurance, and accept whatever small likelihood remains.
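As an added example (not from the original article), here is the three-zone ALARP model from the evaluation section combined with the four Ts of treatment into a small register evaluator in Python, contrasted with a plain cost-benefit test. The 1-in-1,000-per-year ceiling is the article's figure; the broadly acceptable floor, the 3x gross-disproportion factor, and the sample register entries are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# The 1-in-1,000 ceiling is from the article; the floor and factor are assumed here.
INTOLERABLE_CEILING = 1e-3        # annual fatality risk above which cost is irrelevant
BROADLY_ACCEPTABLE_FLOOR = 1e-6   # assumed: below this the risk is only monitored
GROSS_DISPROPORTION_FACTOR = 3.0  # assumed: reject a control only if cost > 3x benefit

@dataclass
class RegisterEntry:
    risk_id: str
    annual_fatality_risk: float  # likelihood of the worst credible outcome, per year
    control_cost: float          # cost of the best available reduction measure
    control_benefit: float       # monetised risk reduction that measure delivers
    can_avoid: bool = False      # True if the activity itself can be dropped

def alarp_zone(risk: float) -> str:
    """Place a risk in one of the article's three zones."""
    if risk > INTOLERABLE_CEILING:
        return "intolerable"
    if risk < BROADLY_ACCEPTABLE_FLOOR:
        return "broadly acceptable"
    return "alarp"

def plain_cost_benefit(entry: RegisterEntry) -> str:
    """Ordinary test: stop spending as soon as cost exceeds benefit."""
    return "treat" if entry.control_cost <= entry.control_benefit else "tolerate"

def alarp_treatment(entry: RegisterEntry) -> str:
    """Return the 'four Ts' decision for one register entry under ALARP."""
    zone = alarp_zone(entry.annual_fatality_risk)
    if zone == "intolerable":
        # Above the ceiling cost is irrelevant: reduce the risk or stop the activity.
        return "terminate" if entry.can_avoid else "treat"
    if zone == "broadly acceptable":
        return "tolerate"
    # ALARP region: keep reducing unless further spending is grossly disproportionate.
    if entry.control_cost > GROSS_DISPROPORTION_FACTOR * entry.control_benefit:
        return "tolerate"
    return "treat"

# Constructed sample register (illustrative values, not real data).
SAMPLE_REGISTER = {
    "R-01": RegisterEntry("R-01", 2e-3, 50_000, 10_000, can_avoid=True),  # intolerable
    "R-02": RegisterEntry("R-02", 1e-4, 20_000, 10_000),  # ALARP: cost 2x benefit
    "R-03": RegisterEntry("R-03", 1e-4, 40_000, 10_000),  # ALARP: cost 4x benefit
    "R-04": RegisterEntry("R-04", 1e-7, 100, 1_000),      # broadly acceptable
}
```

Entry R-02 is the case the text warns about: a plain cost-benefit test stops at break-even and tolerates it, while ALARP still requires treatment because a 2x cost is not grossly disproportionate.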

When to Review and Update

Risk assessment isn’t a one-time event. ISO 45001 requires that assessment methodologies be proactive rather than reactive and applied in a systematic way. The question is how often.

There’s no universal answer. Some organizations review annually, others every two or three years, and many use a trigger-based approach on top of a regular cycle. Common triggers include new technology or equipment, changes in business operations or ownership, turnover in key staff or management, and any security or safety incident. The logic is straightforward: if your environment has changed, your risk profile has probably changed too.

The most effective approach integrates risk analysis into planning rather than treating it as an afterthought. When you assess risks while new technologies and operations are still being designed, you catch problems before implementation, which is cheaper and less disruptive than discovering them after something goes wrong.