Occupational safety and health risk assessment methodologies
Isabel L. Nunes, DEMI, Faculdade de Ciências e Tecnologia, Universidade Nova de Lisboa, Portugal
- 1 Introduction
- 2 Prevention of occupational risks
- 3 Basic concepts
- 4 Risk management
- 4.1 Step 1: Preparation of the process
- 4.2 Step 2: Risk analysis
- 4.3 Step 3: Risk assessment
- 4.4 Step 4: Taking measures
- 4.5 Step 5: Review and update
- 4.6 Step 6: Document the process
- 5 Risk management tools
- 6 References
- 7 Links for future reading
Introduction
Workers should be protected from occupational risks they could be exposed to. This could be achieved through a risk management process, which involves risk analysis, risk assessment and risk prevention and control practices. In order to carry out an effective risk management process, it is necessary to have a clear understanding of the legal context, concepts, risk analysis, assessment and prevention and control processes and the role played by all involved. It is also desirable to base risk management on solid and tested methodologies.
Prevention of occupational risks
Within the context of their general obligations, employers have to take the necessary measures for the safety and health protection of workers, including prevention of occupational risks. This is a quite basic principle in the law of many countries. For instance, within the European Community, it was settled by the Council Directive of 12 June 1989 on the introduction of measures to encourage improvements in the safety and health of workers at work (Framework Directive 89/391/EEC), and then adopted by Member States’ national laws. It should be noted that Member States can introduce more rigorous provisions to protect their workers.
For preventing occupational accidents and ill health, employers must carry out a risk assessment, and decide on prevention measures to take and, if necessary, on personal protective equipment to use. It is recommended to review the risk assessment on a regular basis and in particular each time a change occurs at the workplace, e.g. the use of new work equipment or chemicals, changes in the work processes or modifications to the work organisation.
Risk assessment, as noted above, is a legal obligation in Europe, but it is also a good practice that helps keep companies competitive and effective. Risk assessment is a dynamic process that allows companies and organisations to put in place a proactive policy for managing occupational risks. Therefore, risk assessment constitutes the basis for implementation of appropriate preventive measures and, according to the Directive, it must be the starting point of any Occupational Safety and Health (OSH) Management system. An OSH Management system should be integrated in the company’s management system. It is intended to develop and implement company OSH policies and manage its OSH risks. Risk assessment is a step in the OSH risk management process.
Basic concepts
Basic concepts in risk management are the definitions of hazard and risk.
Hazard: source or situation with a potential to cause injury and ill-health i.e. an adverse effect on the physical, mental or cognitive condition of a person. Examples of physical hazardous sources or situations can be working on a ladder, handling chemicals or walking on a wet floor. Examples of psychosocial hazardous sources or situations are job content, job insecurity, isolation, bullying or harassment.
Risk: effect of uncertainty; Occupational health and safety risk: combination of the likelihood of occurrence of a work-related hazardous event or exposure(s) and the severity of injury and ill health that can be caused by the event or exposures.
A psychosocial risk is defined as a combination of the likelihood of occurrence of exposure to work-related hazard(s) of a psychosocial nature and the severity of injury and ill-health that can be caused by these hazards. Hazards of a psychosocial nature include aspects of work organisation, social factors at work, work environment, equipment and hazardous tasks.
Risk assessment can be defined as the process of evaluating the risk to the health and safety of workers while at work arising from the circumstances of the occurrence of a hazard at the workplace. This definition stems from the EU guide elaborated by the EU Commission to provide practical assistance for the implementation of the risk assessment requirements from the framework directive. However, it should be noted that the concept of risk assessment is not only used within the context of OSH but it can also relate to financial, environmental, socio-economic, technical and other aspects. A general framework on the risk assessment process is provided in standard ISO 31001. This standard describes risk assessment as the overall process of (1) risk identification, (2) risk analysis and (3) risk evaluation:
- Risk Identification: process of finding, recognising and describing risks;
- Risk analysis: process to comprehend the nature of risk and to determine the level of risk;
- Risk evaluation: process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.
Risk management
Risk management is an iterative and cyclic process, as depicted in Figure 1.
Following the PDCA (Plan-Do-Check-Act) methodology, risk management is a systematic process that includes the examination of all characteristics of the work system where the worker operates, namely, the workplace, the equipment/machines, materials, work methods/practices and work environment. The aim of risk management is to identify what could go wrong, i.e. finding what can cause injury or harm to workers, and to decide on measures to prevent injuries and ill-health and implement the measures.
It is important that employers know where the risks are in their organisations and prevent or keep them under control to avoid putting employees, customers and the organisation itself at risk. The main goal of risk management is to eliminate or at least to reduce the risks according to the ALARP (as low as reasonably practicable) principle. A key aspect in risk management is that it should be carried out with an active participation/involvement of the entire workforce. Carrying out risk management requires a step-by-step approach.
Step 1: Preparation of the process
The preparation of the risk management process involves several activities, namely:
- Identification of exposed workers – particular attention should be given to:
- Description of tasks, work equipment, materials, and work procedures;
- Consideration of work patterns and organisational aspects;
- Consideration of external factors that could affect the workplace;
- Identification and description of implemented prevention measures;
- Data on workplace incidents, near-misses, injuries and work-related health problems; and
- Identification of legal requirements, standards or company regulations.
Several means can be used to support these activities. For instance:
- Direct observation while the job is being performed – walkthrough;
- Interviews with workers and managers;
- Consultation of data on workplace incidents, near-misses, injuries and work-related health problems;
- Consultation of technical documentation and inspection reports on work equipment and machinery;
- Consultation of the safety data sheets of the chemicals used in workplace;
- Review of the applicable legislation, standards and company regulations.
As noted above, according to EU legislation employers are responsible for performing risk assessment regarding safety and health at work. Therefore, the overall responsibility for identifying, assessing and preventing risks at the workplace lies with the employer, who must guarantee that the occupational safety and health (OSH) risk management activities are properly executed.
The employer can delegate this function (not the responsibility) to occupational health and safety specialists and occupational physicians. The specialists may be part of the company staff (internal services) or be contracted outside (external services).
The participation of workers in the process of risk management in the field of safety and health at work is of fundamental importance, as workers have the best knowledge of their tasks and the associated risks. Participation also improves acceptance of the measures and facilitates their application in practice.
Step 2: Risk analysis
The risk analysis activities involve:
- Identification of hazards present in the workplace and work environment;
- Determination of the potential consequences of the risks.
Several means can be used to support these activities. For instance:
- Direct observation – walkthrough;
- Interviews with workers and managers;
- Deviation analysis;
- Task analysis;
- Previous risk assessment data;
- Employee (satisfaction) surveys.
Step 3: Risk assessment
Risk assessment is the process of evaluating the risks arising from a hazard, taking into account the adequacy of any existing controls. Several methods to perform risk assessment are available, ranging from expert to participatory methodologies and from simple to complex methods. Which method is applied will depend on the nature of the workplace, the type of the tasks and work processes, and the technical complexity. An overview and some guidance on risk assessment techniques can be found in IEC/ISO Standard 31010:2019 Risk management - Risk assessment techniques. Risk assessment involves evaluating, ranking, and classifying risks.
Risk evaluation involves the determination of a quantitative or qualitative value for the risk. Quantitative risk evaluation requires calculations of the two components of the risk: the probability that the risk will occur, and the severity of the potential consequences. This approach is seldom applied in practice.
Qualitative risk evaluation is more common and usually adopts a methodology based on a matrix. A risk assessment matrix consists of a two-dimensional grid with categories of harmful effects on one axis and categories of probability or likelihood on the other axis. The cells within the grid are used to indicate risk. An example is shown in table 1.
Ranking of the evaluated risks
Based on the risk values obtained during the risk evaluation phase, risks should be sorted and ranked according to their severity.
Classify risk acceptability
A decision whether or not a risk is acceptable results from the comparison of the obtained risk value with acceptability criteria based on legal requirements, principles of the hierarchy of prevention, standards, recommendations, evidence-based information on risks, adapting to innovation, etc.
It should be highlighted that a particularly careful assessment of individual risk exposure should be performed for workers in special groups (for example, vulnerable groups such as new or inexperienced workers), or for those most directly involved in the highest risk activities (i.e. the most exposed group of workers).
This risk classification is the baseline for selecting actions to be implemented and when defining the timescale, i.e. the urgency of the implementation of the corrective measures.
As an example, table 2 depicts a simple risk categorisation and the respective guidance to the application of corrective measures proposed.
To have a consistent base for all risk assessments the company should first establish the acceptability criteria. This should involve consultation with workers representatives and other stakeholders and should take account of legislation and regulatory agency guidance, where applicable.
Step 4: Taking measures
At this stage, actions are identified and implemented to avoid or reduce risks, bearing in mind the protection of workers’ health and safety, and these actions are monitored over time. The measures implemented should be the ones that best protect everyone exposed to the risk. However, it is important not to forget that additional or different measures may be required to protect workers belonging to special groups, namely workers with special needs (such as pregnant women, young workers, aging workers and workers with disabilities) and maintenance workers, cleaners, contractors and visitors.
It is very important to take account of the number of individuals exposed to the risk when setting priorities and the timeline for the implementation of prevention and control measures. The risk prevention and control strategy includes the design, planning and implementing of adequate measures, as well as training and informing workers.
The first step is the design of the measures to eliminate risks. The risks that cannot be avoided or eliminated should be reduced to an acceptable level, i.e. the residual risk shall be minimised according to the ALARP (as low as reasonably practicable) principle. This means employers must perform a cost-benefit analysis to balance the cost (including money, time, trouble and effort) they could have to reduce a risk against the degree of risk. It should be demonstrated that the cost involved in reducing the risk further would be grossly disproportionate to the benefit gained. The residual risk should be controlled.
- Prevention measures
- Protection measures
- Mitigation measures
The aim of implementation of prevention measures is to reduce the likelihood of injuries or ill-health. Several examples, also in hierarchical order, that can be used to achieve this objective are:
- a) Using engineering or technical measures to act directly on the risk source, in order to:
  - Remove it, i.e. ensure that during the workplace design phase risks are 'designed out';
  - Reduce levels of hazardous materials, for instance by providing effective ventilation through local or general exhaust ventilation systems;
  - Replace it, i.e. substitute the risk by a less risky material, equipment or substance.
These measures are more efficient and economical when accomplished during the workplace design phase.
- b) Using organisational or administrative measures to change behaviours and attitudes and promote a safety culture:
  - Information and training (awareness);
  - Establishing appropriate working procedures and supervision;
  - Management and proactive monitoring;
  - Routine maintenance and housekeeping procedures.
Implementation of Protection measures should consider, first, collective measures and then individual measures. Several examples of measures (sorted by priority) that can be used to achieve this objective are:
- a) Collective Protection measures:
  - Enclose or isolate the risk through the use of guards, protection of machinery and parts, or remote handling techniques;
  - Physical barriers (anti-drop networks, railings, packaging, acoustic, thermal or electrical barriers);
  - Using organisational or administrative measures to diminish the exposure duration:
    - job rotation of workers;
    - timing the job so that fewer workers are exposed;
  - Implementation of safety signs, for instance restricting entry to authorised persons.
- b) Individual Protection - use of Personal Protective Equipment (PPE) to protect the worker from the residual risk. The worker should participate in the selection of PPE and should be trained in its use.
When, despite prevention and protective measures, incidents, injuries or cases of ill-health occur, the company needs to be prepared (emergency preparedness) by implementing mitigation measures. The aim of mitigation measures is to reduce the severity of any damage to facilities and harm to employees and the public. Several examples of measures that can be used to achieve this aim are: emergency plans, evacuation planning, warning systems (alarms, flashing lights), test of emergency procedures, exercises and drills, fire-extinguishing system, or a return-to-work plan.
Training and information
Managers must know the risks their workers are exposed to. Workers must know the risks they are exposed to. Providing information and training courses to workers is a legal requirement in the EU.
Step 5: Review and update
The risk management process should be reviewed and updated regularly, for instance every year, to ensure that the prevention measures implemented are adequate and effective. Additional measures might be necessary if the improvements do not show the expected results. Regular review is also highly recommended because workplaces are dynamic: changes in equipment, machines, substances or work procedures could introduce new hazards in the workplace. Another reason is that new knowledge regarding risks can emerge, either leading to the need for an intervention or offering new ways of avoiding or controlling the risk. The review of the risk management process should consider a variety of types of information and draw them from a number of relevant perspectives (e.g. staff, management, stakeholders).
Step 6: Document the process
In the EU it is a legal obligation that employers make an assessment of the risks to safety and health at work, including those facing groups of workers exposed to particular risks (Framework Directive 89/391/EEC), and document the process. Documentation should provide an overview of the identified hazards, respective risks and subsequent measures implemented.
Risk management tools
The risk management process plays a central role in ensuring occupational health and safety and in preventing workplace injuries and ill-health. But companies, especially smaller ones, sometimes lack the expertise and the resources to carry out risk assessments. The need for a simple, clear and cost-effective way to ensure compliance with the legislation and to foster a positive safety and health culture has led to the development and use of web-based tools. To assist Member States, EU-OSHA has created the OiRA tool, a web-based platform that enables the creation of sectoral risk assessment tools in any language in an easy and standardised way. The OiRA tool generator is provided free of charge to sectoral social partners and national authorities at EU and national level. All the OiRA tools are available on oiraproject.eu and can be used by workplaces to carry out risk assessments.
References
- Directive 89/391/EEC of 12 June 1989 on the introduction of measures to encourage improvements in the safety and health of workers at work - "Framework Directive".
- ISO 45001:2018 Occupational health and safety management systems — Requirements with guidance for use
- ISO 45003:2021 Occupational health and safety management - Psychological health and safety at work - Guidelines for managing psychosocial risks
- EC - European Commission, Guidance on Risk Assessment at Work, Luxembourg, 1996.
- Nunes, I. L., 'Risk Analysis for Work Accidents based on a Fuzzy Logics Model', 5th International Conference of Working on Safety - On the road to vision zero? Roros. Norway, 2010.
- BSI - British Standard Institutions, Occupational health and safety management systems — Guide, BS 8800, 2004.
- HSE - Health and Safety Executive, Principles and guidelines to assist HSE in its judgements that duty-holders have reduced risk as low as reasonably practicable, 2011.
- NSW - New South Wales Government, Six steps to Occupational Health and Safety.
- Harms-Ringdahl, L., Safety Analysis: Principles and Practice in Occupational Safety, Taylor & Francis, 2001.
Links for future reading
EU-OSHA - European Agency for Safety and Health at Work, Risk assessment essentials.
EU-OSHA - European Agency for Safety and Health at Work, Management Leadership in Occupational Safety and Health – a practical guide.
EU Commission, Health and safety at work is everybody’s business.
ILO - International Labour Organisation, How can occupational safety and health be managed?
IEC/ISO 31010:2019 Risk management - Risk assessment techniques.
ISO/TR 14121-2:2012 Safety of machinery — Risk assessment — Part 2: Practical guidance and examples of methods