What are the 5 steps of a risk assessment?

Before we discuss the 5 steps of a risk assessment, it is important to understand what a health and safety risk assessment is. A risk assessment can be defined as an inspection of the work environment to identify hazards that could potentially cause workplace risk to employees, machinery, structures, or the environment. It is a vital component of the overall health and safety management system, used to evaluate which actions are required to maintain a safe working environment, which is the responsibility of every employee and employer across the world.

Is a risk assessment a legal requirement?

The Constitution of the Republic of South Africa, 1996 mentions that “everyone has the right to an environment that is not harmful to their health and well-being.” How would an employer and its health and safety management team ensure an environment without workplace risk if they do not conduct regular risk assessments to identify hazards?

The Occupational Health and Safety Act 85 of 1993 makes more direct reference to workplace risk, the need for risk assessments, and hazard identification. Throughout the OHS Act and its Regulations, it is mentioned how important a risk assessment is and how employers should reduce workplace risk as per the work regulations. 

The only way to identify hazards and mitigate against them (Section 8), ensure products are produced without risk to consumers (Section 10), and reduce risk to employees (Section 12) is to conduct a risk assessment at regular intervals! Since it is a legal requirement of a company’s management to “identify hazards and potential major incidents at the workplace” (Section 8), it is essential to ensure that your health and safety team are trained to perform risk assessments and determine the likelihood of harm!

Performing risk assessments is a definite legal requirement for all organisations, and they should be conducted as follows:

  • When there is a change in the level of risk; 
  • Annually by the safety management department, health and safety officer, or any other competent health and safety person;
  • When a recent injury, accident, or incident has occurred to identify hazards;
  • When there has been a change – in the organisation’s production process, design of building or product or structures, to ensure reduced workplace risk; 
  • Quarterly by the organisation’s health and safety representatives;
  • As and when new departments and/or acquisitions are made by organisations; etc.

What documentation is required for a risk assessment?

There are various documents that could assist in conducting a risk assessment and to get the complete picture in order to identify all workplace risks. The list of documents includes but is not limited to:

Job descriptions – Are all employees conducting their tasks as indicated in their job descriptions?

Training requirements – Has every employee been trained to safely perform every task that they are required to perform?

Manufacturer’s instructions – Have the manufacturer’s instructions been consulted before safe working procedures were developed?

Incident investigation reports – Previous incident investigation reports will give you an idea of where problem areas are located and possibly highlight workplace risk which may not have been identified prior to the incident.

Documentation of the effectiveness of control measures – Where control measures have been put in place to control workplace risk, is there documentation/evidence to prove the effectiveness of these measures?

Checklists – Are the necessary checklists completed and filed by the Health and Safety Representatives as well as the operators of machinery at the required intervals?

What are the consequences of not conducting regular risk assessments?

Should the employer and the safety management team fail to conduct regular risk assessments, they would be unable to identify hazards and eliminate workplace risk. This would prevent them from complying with legislation on providing a safe and healthy working environment for all involved! According to Section 38 of the Occupational Health and Safety Act, this failure to comply could lead to a fine of up to R100 000.00 or a prison sentence of up to 2 years, or both, for non-compliant business owners!

Over and above this and accrediting bodies and still the direct and indirect cost burden that business owners would have to face when incidents do occur. Direct costs would include the cost of medical expenses, repairs on machinery, etc. The indirect costs include paying additional staff to complete the tasks, decreased production, damage to company reputation, demoralised staff, etc. The indirect costs are something a company can’t insure against and they could amount to a lot more than the direct cost of incidents! Conducting regular risk assessments is an obligation for every company to comply with.

What are the 5 steps of the risk assessment process?

Step 1: Identify hazards

Step one is critical for the safety management team. By identifying hazards in the workplace they will be able to address safety issues and appropriately act on them to reduce the chances of injuries, death, and damages. Hazards can be identified by consulting with employees, walkabouts, check sheets, manufacturer’s instructions, etc. Always keep long-term effects on employees’ health in mind as these hazards are often overlooked.

Step 2: Who may be harmed by workplace risk

For each risk identified you have to decide who may be harmed. Not everyone in the workplace will be at risk from the same factors. Some will perform specialised jobs which other employees won’t have access to. Employees may be very well aware of risks, but how at risk will visitors be? Some employees may be more at risk than others, e.g. new employees who have not received adequate training, older employees, pregnant employees, employees with disabilities, and migrant workers/employees with a language barrier.

Step 3: Evaluate workplace risk and decide on precautions

After you have been able to identify hazards, you now have to decide how you will deal with them. In this risk evaluation against set risk criteria, the law requires that you do everything that is “reasonably practicable” to protect anyone who might be affected by your operations. Where possible, remove the risk completely; where this is not possible, try to reduce the risk as much as possible, e.g. by decreasing exposure time or swapping a very hazardous chemical for something less hazardous. If you have done everything you can to remove or reduce workplace risk, then you can issue Personal Protective Equipment (PPE) as a last resort.

Step 4: Record and implement findings 

Recording your risk assessment and sharing it with your safety management team will encourage everyone involved to act on hazards identified in the workplace and work together to achieve a safe working environment for all through the actions identified as appropriate.

Step 5: Review your risk assessment and update where necessary

Workplace risks are continuously changing, e.g. new technology is introduced, new employees are employed, current employees become complacent about dangers, etc. It is therefore important to regularly review your risk assessment to see if your control measures are effective and if any new hazards have been identified since your last risk assessment/risk analysis.

What ensures effective risk management?

Risk management is the process of effectively managing all the risks that have been identified. To manage all the estimated risk effectively, the risk assessment must have been done correctly as per the 5 steps of the risk assessment process. Risk management ties in with step 5 of the risk assessment process – manage and control the identified risk effectively. An effective risk management process is one that reduces the chance of the identified risks occurring by acting proactively rather than reactively.

Who is responsible for the completion of a risk assessment?

The risk assessment cannot be completed or managed by any one individual. The scope of the risk assessment will determine the level of training and the structure of the risk assessment team. It is important to involve different people in the process, from both the employer and employee category of staff. This will ensure that the process remains objective and well structured.

Skills of team members might include:

  • Ability to conduct an assessment in an unbiased manner;
  • Complete understanding of the methodology used for the risk assessment;
  • Ability to effectively communicate with a diverse group of people;
  • Ability to provide direction and focus to the risk assessment team and their activities;
  • Ability and desire to conduct assessments ethically and honestly;
  • Good organisational skills to facilitate risk assessment visits on site.

The risk assessment team should include the following team members:

Three main types of risk assessments, each with different functions:

1) Baseline Risk Assessment

A baseline risk assessment should be performed to obtain a benchmark of the type and size of potential hazards that could have a significant impact on the whole organisation. It should identify the major and significant risks, prioritise these risks and evaluate the effectiveness of the current systems of risk control.

Baseline risk assessment can be defined as the primary or initial, broad-based risk assessment of an organisation. The baseline risk assessment is used to determine a risk profile for the organisation.

2) Issue-Based Risk Assessment

This type of assessment is normally focused on operational activities, processes and systems-based business functions. It focuses on the identification of risks within a certain task, process or activity and is usually associated with the management of change. Risk profiles from the baseline risk assessment form the basis for establishing issue-based risk assessments.

Issue-based risk assessments follow from the baseline risk assessment and the need for them is identified in the baseline risk assessment. Issue-based risk assessments are conducted as and when required.

3) Continuous Risk Assessment

Continuous risk assessments should be conducted on a regular basis in the work environment. Continuous risk assessment is a powerful and important tool that should form an integral part of the Health & Safety management system, day-to-day hazard and risk awareness, and immediate risk control and mitigation.

All three types of risk assessment have the following desired outcomes:

  • Systematic: The methodology selected should be clear with regard to the procedure and steps to follow.
  • Rigorous: When effectively applied, the outcome of the risk assessment should at all times generate reasonable and consistent results.
  • Structured: The risk assessment should be structured in a format that is easily understood.
  • Repeatable: The risk assessment should generate the same results when applied in the future.
  • Consultative: The risk assessment should not be conducted by management in isolation: the process should include consultation with a cross-section of employees, e.g. SHE Representative, Operator, Supervisor.
  • Defensible: The organisation should be able to justify any risk rating and risk identified in the context of site operations, and the methodology used to safeguard against it.
  • Auditable: When a third party audits the organisation, the information provided for the risk assessment should be sufficient to make fair assessments.

Example of risk management measures

The risk management measures refer to the Hierarchy of controls:

  • Eliminate/substitute.
  • Reduce/control at source.
  • Isolate (barriers and removal).
  • Contain.
  • Procedures/safe systems of work/information/instruction/training/supervision.
  • Personal Protective Equipment.

For example, an extremely noisy metalworking machine might prove to be a high noise risk to employees.  

By following the hierarchy, there is a range of controls that could be considered.

Eliminate or Substitute

  • Switch off the machine or subcontract the job out.

Reduce or Control at Source

  • Make the machine safer, e.g. maintain it by lubrication of the noisy part, change the steel mounts to rubber, install silencers, etc.

Isolate

  • Physically remove the person from the hazard or vice versa, e.g. can the machinery be operated away from people?

Contain

  • Enclose the machine, e.g. build an acoustic enclosure around it or enclose the individual by building an acoustic haven.

Procedures, Safe Systems of Work, Information, Instruction, Training, and Supervision.

  • Ensure that staff follow a system of work e.g. a specific routine that reduces the number of hours staff might be in contact with the machine, e.g. by working in job rotation.
  • Ensure that staff are informed of the potential risks and that they understand why they must follow the system of work.
  • Ensure that staff are trained in the use of the machinery and are supervised where necessary.

Personal Protective Equipment (PPE)

  • PPE should only be considered as a last resort as it only protects the individual and does not minimise the risk, whereas controlling at source protects everyone.


  • The most effective control measure is to avoid the risk altogether; this can be achieved by keeping the hazard away from the people who may be harmed.
