The five steps of risk assessment
Author: Richard White. Published 27 July 2009
One of the most confusing aspects of risk management is the variety of terms used to refer to the same set of activities. Hazard analysis, risk analysis, probabilistic risk assessment and quantitative risk assessment, to name a few, are all risk assessments. They all involve a process of determining risk.
However, the terms 'hazard' and 'risk' do not mean the same thing. A hazard is something that has the potential to cause an undesirable outcome or undesirable consequence. A risk, by contrast, incorporates the probability of the hazard actually occurring. In this way, a risk is effectively a mathematical result: the consequence multiplied by the likelihood of the hazard. For example, if you play Russian Roulette with one bullet in a gun that can hold six bullets, the hazard you face is a weapon that has your death as a potential consequence. The risk of death from this hazard is 1 in 6.
Risk assessment begins with identifying hazardous situations, conditions, processes, products etc that have the potential to cause harm, injury or damage to people, property or the environment. This creates a broad definition of hazard and has implications for companies. No longer can companies focus on themselves and their employees, with little regard for their externalities. Companies are corporate citizens. They have responsibilities to the communities and the environments in which they operate, and they are obliged to minimise all negative impacts arising out of their business.
The next step in the risk assessment process is determining the seriousness or significance of the consequences of an identified hazard in the event that it occurs. This evaluates the potential magnitude of the impact of the hazard. It should include impacts on people, property and the environment. These impacts are not just those in the workplace, but include the community (possibly up to global scale) and the environment.
The third step involves establishing the probability or likelihood of the hazard (and therefore its consequences) actually occurring. At this stage it is appropriate to take into account any measures that exist to safeguard against the hazard happening. For example, an unmaintained braking system in a motor car may fail once every ten years, but if the brakes on a particular car are checked (and repaired where necessary) each year, the likelihood of brake failure is reduced.
The fourth step is possibly the most controversial. It involves calculating the risk associated with each hazard (using the outcomes of the second and third steps). The results of these calculations are then compared to what is considered an 'acceptable risk'. At this stage it is important to have a strong sense of what constitutes an acceptable risk – remember that nothing has zero risk; every situation has some hazard associated with it. Where a risk is not acceptable in a given situation, appropriate remediation action (such as getting the brakes checked more regularly) is implemented. If a risk is considered acceptable, no action need be taken.
The final step, as in any good management system, involves monitoring what actually occurs following the decision regarding the risk level and remediation action. This iterative step sends the process back to the first step, and should be ongoing. It must take into account changed operating conditions and new information that may have become available after the initial evaluation took place.
This entire process should be adequately documented so that any stakeholders (employees, company directors, regulatory bodies, interest groups, community groups, governments, clients and so on) may be satisfied that appropriate due diligence occurred during the risk assessment – and subsequent management – of any given hazard. Such documentation will also assist in the organisational response to hazards.