Health, Safety, Security and Environment

Occupational safety and health risk assessment methodologies

12 min read

Occupational safety and health risk assessment methodologies

Workers should be protected from occupational risks they could be exposed to. This could be achieved through a risk management process, which involves risk analysis, risk assessment and risk control practices. In order to carry out an effective risk management process, it is necessary to have a clear understanding of the legal context, concepts, risk analysis, assessment and control processes and the role played by all involved in the process. It is also desirable to base risk management on solid and tested methodologies.

Prevention of occupational risks

Within the context of their general obligations, employers have to take the necessary measures for the safety and health protection of workers, including prevention of occupational risks. This is a quite basic principle in the law of many countries. For instance, within the European Community, it was settled by the Council Directive of 12 June 1989 on the introduction of measures to encourage improvements in the safety and health of workers at work (Framework Directive 89/391/EEC), and then adopted by Member States’ national laws. It should be noted that Member States can introduce more rigorous provisions to protect their workers.

For preventing occupational accidents and ill health, employers must perform risk assessment regarding safety and health at work, and decide on protective measures to take and, if necessary, on protective equipment to use. It is advisable that risk assessment should be done at least every year or every time a change is introduced in the workplace, for instance due to the introduction of new work equipment or procedure, or the use of a new chemical substance or preparation.

Risk assessment, as referred before, is a legal obligation in Europe but it is also a good practice that contributes to keep companies competitive and effective. Risk assessment is a dynamic process that allows companies and organizations to put in place a proactive policy for managing occupational risks. Therefore, risk assessment constitutes the basis for implementation of appropriate preventive measures and, according to the Directive; it must be the starting point of any Occupational Safety and Health (OSH) Management system. An OSH Management system should be integrated in the company’s management system. It is intended to develop and implement company OSH policies and manage its OSH risks. Risk assessment is a step in the OSH risk management process.

Important concepts

Important concepts in risk management are the concepts of hazard and risk. A hazard is a source, situation, or act with a potential for harm in terms of human injury or ill health, or a combination of these. Therefore, a hazard can be anything present in the workplace that has the potential to cause an injury to workers, either a work accident or an occupational disease. Examples of physical hazardous situations can be working on a ladder, handling chemicals substances or walking on a wet floor. Examples of psychosocial hazardous situations are job content, job insecurity, isolation, bullying or harassment, since employees’ health are affected by their perceptions and experience about work organization and other related factors.

Risk is the combination of the likelihood of an occurrence of a hazardous event or exposure and the severity of injury or ill health that can be caused by the event or exposure.

From a psychosocial perspective risk is defined as the likelihood that psychosocial factors have a hazardous influence on employees’ health through their perceptions and experience and the severity of ill health that can be caused by exposure to them.

Another important concept in risk management is risk acceptability. According to the BS OHSAS 18001 an acceptable risk is a risk that has been reduced to a level that can be tolerated by the organization having regard to its legal obligations and its own OSH policy.

Risk management


Figure 1: Risk mangement

Risk management is an iterative and cyclic process, as depicted on Figure 1.

Following the methodology PDCA(Plan-Do-Check-Act) risk management is a systematic process that includes the examination of all characteristics of the work system where the worker operates, namely, the workplace, the equipment/machines, materials, work methods/practices and work environment. The aim of Risk Management is to identify what could go wrong, i.e. finding what can cause injury or harm to workers, and to decide on proper safety control measures to prevent work accidents and occupational diseases and implement them (i.e. risk control).

It is important that employers know where the risks are in their organizations and control them to avoid putting in risk employees, customers and the organization itself. The main goal of risk management is to eliminate or at least to reduce the risks according to the ALARP (as low as reasonably practicable) principle. A key aspect in risk management is that it should be carried out with an active participation/involvement of the entire workforce. Carrying out risk management implies performing several steps (whose activities will be detailed in the next sub-sections).

Preparation of the process

The preparation of the risk management process involves several activities, namely:

  • Identification of exposed workers – particular attention should be given to:
  • workers with special needs, such as pregnant women, young workers, aging workers and workers with disabilities;
  • maintenance workers, cleaners, contractors and visitors
  • Characterization of tasks, work equipment, materials, and work procedures;
  • Identification and characterization of safety measures in use;
  • Identification of work accidents and occupational diseases related with the workplace in analysis; and
  • Identification of legislation, standards or company regulations related to the workplace in analysis.

Several means can be used to support these activities. For instance:

  • Direct observation while the job is being performed – walkthrough;
  • Interviews with workers and managers;
  • Check work accidents and occupational diseases records;
  • Check equipment/machine technical data;
  • Examine material safety data sheets regarding chemical substances used in workplace;
  • Consider legislation, standards and company regulations applicable to the workplace under study.

As referred, according to EU legislation employers are responsible for performing risk assessment regarding safety and health at work. Therefore, the overall responsibility for identifying, assessing and controlling risks at the workplace lies with the employer, who must guarantee that the occupational safety and health (OSH) risk management activities are properly executed.

The employer can delegate this function (not the responsibility) in occupational health and safety specialists and occupational physicians. The specialists may be part of the company staff (internal services) or be contracted outside (external services).

Workers participation in the process of occupational safety and health risk management is fundamental, since workers are the actors that best know the OSH problems and the resources involved in their tasks. Another important reason for their participation is related with the acceptance of the safety measures to implement.

Risk analysis

The risk analysis activities involve:

  • Identification of hazards present in the workplace and work environment;
  • Identification of hazards discovered in previous risk management;
  • Identification of potential consequences of the recognized hazards – risks, i.e. the potential causes of injury to workers, a work accident, an occupational disease or a work related disease.

Several means can be used to support these activities. For instance:

  • Direct observation – walkthrough;
  • Interviews with workers and managers;
  • Checklists;
  • Deviation analysis;
  • Energy analysis;
  • Job safety analysis;
  • Previous risk assessment data;
  • Employee (satisfaction) surveys.

Risk assessment

Risk assessment is the process of evaluation of the risks arising from a hazard, taking into account the adequacy of any existing controls and deciding whether or not the risks is acceptable. Several methods to perform risk assessment are available ranging from expert to participatory methodologies and from simple to complex methods.
Risk assessment involves evaluating, ranking, and classifying risks.

Risk evaluation



Table 1: A simple risk estimator

Risk evaluation involves the determination of a quantitative or qualitative value for the risk. Quantitative risk evaluation requires calculations of the two components of the risk: the probability that the risk will occur, and the severity of the potential consequences. This approach is seldom applied in practice.

Qualitative risk evaluation is more common and usually adopts a methodology based on a matrix, for instance the matrix proposed in British Standard 8800. It is a simple method for estimating risks. Risks are estimated according to their likelihood and potential severity of harm, combining the severity and likelihood categories, as shown on table 1.

According to British Standard organizations should adjust the design and size of the matrix to suit their needs.

Ranking of the evaluated risks

Based on the risk values obtained during the risk evaluation phase, risks should be sorted and ranked according to their severity.

Classify risk acceptability

A decision whether or not a risk is acceptable result from the comparison of the obtained risk value with reference values defined in legislation. Complying with legislation is the minimum requirement. Although companies should consider doing more than the legal minimum.
However there is not always applicable legislation. Therefore, the decision should be supported on other knowledge sources, namely international standards, OSH guidelines, machine/equipment specifications, recommendations from advisory bodies (e.g. unions), or by comparison with similar hazardous situations in similar companies.

In this decision process it is advisable to take into account the individuals’ total exposure to risk, allowing for the fact that they could be exposed to risks associated with a number of different hazards.


Table 2: Risk categorization

It should be highlighted that a particularly careful assessment of individual risk exposure should be performed to workers of special groups (for example, vulnerable groups such as new or inexperienced workers), or to those most directly involved in the highest risk activities] (i.e. the most exposed group of workers).

This risk classification is the baseline for selecting safety actions to be implemented and when defining the timescale, i.e. the urgency of the implementation of the corrective safety measures.
As an example, table 2 depicts a simple risk categorization and the respective guidance to the application of corrective safety measures proposed by.

To have a consistent base for all risk assessments the company should first establish the acceptability criteria. This should involve consultation with workers representatives and other stakeholders and should take account of legislation and regulatory agency guidance, where applicable.

Risk control

Risk control is the stage where the actions to identify and implement safety measures to control risks are performed having in mind the protection of workers’ health and safety, as well as their monitoring over time. The safety measures implemented should be the ones that best protect everyone exposed to the risk. However, it is important not to forget that additional or different safety measures may be required to protect workers belonging to special groups, namely workers with special needs (such as pregnant women, young workers, aging workers and workers with disabilities) and maintenance workers, cleaners, contractors and visitors.
It is very important to take account of the number of individuals exposed to the risk when setting priorities and timescales to the implementation of safety control measures.
Risk control includes design, planning and implementing of safety control measures, as well as training and workers information

Design safety control measures

The first step of risk control is the design of the safety control measures to eliminate risks. The risks that cannot be avoided or eliminated should be reduced to an acceptable level, i.e. the residual risk shall be minimized according to the ALARP (as low as reasonably practicable) principle. This means employers must perform a cost-benefit analysis to balance the cost (include money, time, trouble and effort) they could have to reduce a risk against the degree of risk presented. It should be demonstrated that the cost involved in reducing the risk further would be grossly disproportionate to the benefit gained. The residual risk should be controlled.

Implement safety control measures

The safety control measures to be implemented should be based on up-dated technical and/or organisational knowledge, and good practices. Safety control measures implementation should be done using the following hierarchy order:

  • Prevention measures
  • Protection measures
  • Mitigation measures
Prevention measures

The aim of implementation of prevention measures is to reduce the likelihood of work accident or occupational disease occurrence. Several examples, also in hierarchical order, that can be used to achieve this objective are:

a) Using engineering or technical measures to act directly on the risk source, in order to:
  • Remove it, i.e. ensure that during the workplace design phase risks are ‘designed out’
  • Reduce levels of hazardous materials. For instance provide effective ventilation through local or general exhaust ventilation systems.
  • Replace it, i.e. substitute the risk by a less risky material, equipment or substance

These measures are more efficient and economical when accomplished during the workplace design phase.

b) Using organizational or administrative measures to force changing of behaviours and attitudes and promote a safety culture:
  • Information and training (awareness)
  • Establish appropriate working procedures and supervision
  • Management and proactive monitoring
  • Routine maintenance and housekeeping procedures
Protection measures

Implementation of Protection measures should consider, first, collective measures and then individual measures. Several examples of measures (sorted by priority) that can be used to achieve this objective are:

a) Collective Protection measures:
  • Enclose or isolate the risk through the use of guards, protection of machinery and parts, or remote handling techniques;
  • Physical barriers (anti-drop networks, railings, packaging, acoustic, thermal or electrical barriers);
  • Using organizational or administrative measures to diminish the exposure duration:
    • job rotation of workers;
    • timing the job so that fewer workers are exposed;
    • Implementation of safety signs, for instance restricting entry to authorized persons.
b) Individual Protection – use of Personnel Protective Equipment (PPE) to protect worker from the residual risk. The worker should participate in the selection of PPE and should be trained in its use.

Mitigation measures

When prevention and protective measures fail a work accident or an occupational disease could happen. The company needs to be prepared (emergency preparedness) and to have mitigation measures implemented. The aim of mitigation measures is to reduce the severity of any damage to facilities and harm to employees and public. Several examples of measures that can be used to achieve this aim are: emergency plan, evacuation planning, warning systems (alarms, flashing lights), test of emergency procedures, exercises and drills, fire-extinguishing system, or a return-to-work plan.

Training and information

Managers must know the risk their workers are exposed to. Workers must know the risks they are exposed to. Providing information and Training courses to workers is a legal requirement in EU. In the U.S., according to the federal Occupational Safety and Health Act of 1970 (OSH Act), workers have the “Right to Know” – about the hazards they are exposed to, the harm they might cause, and precautions that could prevent these harmful effects.

Review and update

The risk management process should be reviewed and updated regularly, for instance every year, to ensure that the safety measures implemented are adequate and effective. Additional measures might be necessary if the improvements do not show the expected results.
This is also a highly recommendable procedure since workplaces are dynamic due to change in equipment, machines, substances or work procedures that could introduce new hazards in the workplace. Another reason is that new knowledge regarding risks can emerge; either leading to the need of an intervention or offering new ways of controlling the risk.
The review of the risk management process should consider a variety of types of information and draw them from a number of relevant perspectives (e.g. staff, management, stakeholders).

Document the process

In EU it is a legal obligation that employers make an “assessment of the risks to safety and health at work, including those facing groups of workers exposed to particular risks” (Framework Directive 89/391/EEC). Because of that the entire process has to be documented. Documentation should provide an overview of the identified hazards, respective risks and subsequent safety control measures implemented. Namely, it should include the following items: work activity/area under assessment; employees at risk; list of occupational risks and hazards, likelihood of harm; severity of harm; risk levels and their acceptability or controls in place. See for instance “Risk assessment sheet” from OSHA.

Risk management tools

It is desirable to perform risk management based on tested/verifiable methodologies. The European Safety and Health Agency (OSHA) have developed a risk assessment tools database with tools from all over Europe. These tools are free and available online in. The database is regularly updated with new tools.

For instance, Last Minute Risk Assessment (LMRA) is a new tool, adequate to be used in companies where (acute) safety risks are relevant. Every time, before the work is started, workers confirm that there are no acute risks and that normal preventive measures are in place. The underlying idea is to emphasize that workers/contractors have a personal responsibility (in all circumstances) to be aware of risks and to take action when necessary.


Leave a Reply