What is a Risk Assessment?
A risk assessment identifies and evaluates the threats and risks of a specified situation. If you’re aware of a potential hazard, it’s easier to either reduce the harm it causes or (ideally) prevent it completely than to deal with the consequences.
Download our Risk Assessment Form & Matrix Template to help keep things organized for the upcoming steps.
This systematic process can uncover glaring risks of fraud, gaps in security or threats to staff wellbeing before it’s too late. It can also mean the difference between a new undertaking being a success or a failure. One catastrophic risk that goes unnoticed can put an immediate stop on any project or event.
Benefits of a Risk Assessment
Conducting a risk assessment has moral, legal and financial benefits.
In 2016, a school in Brentwood, England pleaded guilty after failing to comply with health and safety regulations. A 63-year-old employee was working on the roof when his foot got caught, causing him to fall nearly 10 feet. The man suffered a broken collarbone and chipped vertebrae, among other injuries.
Upon investigation, the Health and Safety Executive (HSE) in Britain determined that the work was being carried out in an unsafe manner and that no safety arrangements were in place for this type of work. The school was required to pay a fine of £40,000 (~$53,000 USD) and £1,477 (~$2000) in costs.
If the school had carried out a risk assessment, they would’ve identified and been able to avoid this hazard. Instead, they failed to provide a safe workplace and, for that, faced legal repercussions, steep fines and a hit to their reputation.
How to Conduct a Risk Assessment
To conduct your own risk assessment, begin by defining a scope of work. Maybe you want to improve health and safety measures in the shipping warehouse. Or, perhaps you want to identify areas of risk in the finance department to better combat employee theft and fraud. Whatever your objective, define it clearly.
If you do identify risks, you’ll want to create a prevention plan. Download the Root Cause Analysis Tools Cheat Sheet to learn more about prevention with root cause analysis.
Note: Remember to modify the risk assessment forms to include details specific to your field. For example, a health risk assessment may want to look at vulnerability instead of likelihood. A data security risk assessment may want to list hazard locations (e.g., internal or external).
Step 1: Identify Hazards
Relating to your scope, brainstorm potential hazards. The list should be long and comprehensive and may include anything from falls and burns, to theft and fraud, to pollution and societal damage.
Step 2: Calculate Likelihood
For each hazard, determine the likelihood it will occur. This can be measured as a probability (a 90 per cent chance) or as a frequency (twice a year). Then, based on the likelihood, choose which bracket accurately describes the probability:
An unlikely hazard is extremely rare, there is a less than 10 per cent chance that it will happen.
Seldom hazards are those that happen about 10 to 35 per cent of the time.
An occasional hazard will happen between 35 and 65 per cent of the time.
A likely hazard has a 65 to 90 per cent probability of occurring.
These hazards will occur 90 to 100 per cent of the time. You can be nearly certain it will manifest.
Step 3: Calculate Consequences
In the same fashion as above, calculate potential loss using either quantitative measurements (dollar), qualitative measurements (descriptive scale) or a mix of both. Then, based on the magnitude of the consequences, choose which bracket accurately describes the losses:
The consequences are insignificant and may cause a near negligible amount of damage. This hazard poses no real threat. Examples: loss of $1K, no media coverage and/or no bodily harm.
The consequences are marginal and may cause only minor damage. This hazard is unlikely to have a huge impact. Examples: loss of $10K, local media coverage and/or minor bodily harm.
The consequences are moderate and may cause a sizeable amount of damage. This hazard cannot be overlooked. Examples: loss of $100K, regional media coverage and/or minor bodily harm.
The consequences are critical and may cause a great deal of damage. This hazard must be addressed quickly. Examples: loss of $1M, national media coverage, major bodily harm and/or police involvement.
The consequences are catastrophic and may cause an unbearable amount of damage. This hazard is a top priority. Examples: loss of $10M+, international media coverage, extreme bodily harm and/or police involvement.
Step 4: Calculate Risk Rating
Assign each hazard with a corresponding risk rating, based on the likelihood and impact you’ve already calculated. For example, a hazard that is very likely to happen and will have major losses will receive a higher risk rating than a hazard that’s unlikely and will cause little harm.
Risk ratings are based on your own opinion and divided into four brackets. They are:
Low risks can be ignored or overlooked as they usually are not a significant threat. A definite hazard with insignificant consequences, such as stubbing your toe, may be low risk.
Medium risks require reasonable steps for prevention but they’re not a priority. A likely hazard with marginal consequences, such as a small fall, may be medium risk.
High risks call for immediate action. An occasional hazard with critical consequences, such as a major car accident, may be high risk.
Extreme risks may cause significant damage, will definitely occur, or a mix of both. They’re a high priority. An unlikely hazard with catastrophic consequences, such as an aircraft crash, is an extreme risk.
Step 5: Create an Action Plan
Your risk action plan will outline steps to address a hazard, reduce its likelihood, reduce its impact and how to respond if it occurs.
Experience a near miss? Don’t forget to document that as a risk. Download the Near Miss Reporting Form Template to keep track and manage near-misses.
Depending on the severity of the hazard, you may wish to include notes about key team members (i.e., project manager, PR or Communications Director, subject matter expert), preventative measures, and a response plan for media and stakeholders.
Step 6: Plug Data into Matrix
A risk assessment matrix simplifies the information from the risk assessment form, making it easier to pinpoint major threats in a single glance. This convenience makes it a key tool in the risk management process.
Every risk assessment matrix has two axes: one that measures the consequence impact and the other measures likelihood.
To use a risk matrix, extract the data from the risk assessment form and plug it into the matrix accordingly.
Green is low risk
Yellow is medium risk
Orange is high risk
Red is extreme risk
Fraud Risk Matrix Sample
Anticipating fraud and theft is a crucial component of a company’s antifraud efforts. Developing a risk assessment helps you identify hazards proactively so you can take precautionary measures or, if required, a risk response plan.
For a list of all fraud risks, check out our 41 Types of Fraud guide.
Examples of hazards that may need to be addressed in your risk assessment include:
- Asset misappropriation (check fraud, billing schemes, theft of cash)
- Fraudulent statements (misstatement of assets, holding books open)
- Corruption (kickbacks, bribery, extortion)
- Conflicts of interest
Health and Safety Risk Matrix Sample
A health and safety risk assessment is important for industries like construction, manufacturing or science labs where work takes place in potentially dangerous environments.
In a warehouse, for example, workers are at risk of many hazards such as:
- Severe or fatal injury from falling
- Repetitive strain injuries from manual handling
- Sprains and fractures from slips and trips
- Being crushed by falling objects
- Being hit by (or falling out of) lift trucks
- Crush injuries or cuts from large machinery
- Moving parts of a conveyor belt resulting in injury
- Exposure to hazardous substances
Health and safety risk assessments must also include things like workplace violence and other dangerous employee misconduct.
Project Risk Matrix Sample
Any project, event or activity must undergo a thorough risk assessment to identify and assess potential hazards. Once these risks are better understood, the team can make a prevention and mitigation plan to arm themselves against the hazard.
Brainstorm hazards in several categories such as:
- Technical (data breach)
- Cost (funding falls through)
- Contractual (modified requirements)
- Weather (natural disaster)
- Environmental (oil spill)
- People (illness, resignation)
Next Steps & Responding to Risks
Once you have finished your plan, determine how action steps. You can choose to “accept” the risk if the cost of countermeasures will exceed the estimated loss.
Harm reduction is a second option. To reduce the consequences of risk, develop a mitigation plan to minimize the potential for harm.
The third option is to avoid the risk. For catastrophic disasters, preventing the risk from occurring at all is the best (and often only) course of action.
However you plan to deal with the risks, your assessment is an ongoing evaluation and must be reviewed regularly. Experts recommend updating your risk assessment at least once a year, and perhaps more often depending on your unique situation.