Top 10 Tips for Risk Assessments


Risk Assessments

Top 10 Tips for Risk Assessments

The ultimate goal of an OSH management system is to continually improve performance, and to minimize risk and associated costs of occupational incidents as indicated by ANSI/ASSE/AIHA Z10 Occupational Health and Safety Management Systems, and similar management system standards and guidelines. For such a system to reach this goal, risks must be continually identified, analyzed and evaluated to understand their potential for occurring and their magnitude of loss, as well as existing controls and needed improvements. This key element is known as risk assessment.

A risk assessment has three distinct components:

  • Risk identification: finding, recognizing and recording hazards
  • Risk analysis: understanding consequences, probabilities and existing controls
  • Risk evaluation: comparing levels of risk and considering additional controls

figure1Risk assessments are common in Europe, Australia, New Zealand, Canada and other parts of the world. In the U.K., risk assessments have been legally required since 1999 by the Health and Safety Executive. However, few risk assessments are mandated in the U.S., with the exception of OSHA 29 CFR 1910.119, Process Safety Management of Highly Hazardous Chemicals, and EPA 40 CFR Part 68, Risk Management Plan. Well-executed risk assessments enable organizations to make the right decisions, protect their assets, and properly manage their risks as they operate, grow and improve their businesses.

ANSI/ASSE Z590.3 Prevention through Design Guidelines for Addressing Occupational Hazards and Risks in Design and Redesign Process and ANSI/ASSE Z690.3, provide a solid foundation for the safety profession to build on in terms of risk assessments (Figure 1).

OSH professionals should consider these principles and practices in the risk assessment process:

Reason 10: Perform a Formal Assessment

An organization should have a strategy to determine where, when and how risks must be assessed as described in Z690.3 Section 4.2, Risk Assessment and the Risk Management Framework (p. 12). Basic criteria for establishing the need for risk assessment may include:

  • Projects or tasks that have not had a formal risk assessment
  • New facilities, processes or equipment
  • When several risks are present or introduced that make it necessary to apply risk priorities in an organized manner
  • When a risk could have serious consequences and where control measures are unclear
  • Where there is a planned change to equipment, machinery or a particular process (as outlined in Z10, 5.1.2, Design Review and Management of Change).

In many cases, risk assessments are simply not performed. Organizations cite many reasons to not perform risk assessments:

  • Belief that since no significant incidents have occurred, the organization has adequately assessed and managed risks by informal means
  • Reliance on insurance coverage and outside risk control services to manage risks
  • Misconception that simple hazard identification and correction methods are adequate
  • Hazards-based and compliance-type approach
  • Fear of discovering and documenting certain risk that may be difficult to address or mitigate
  • Lack of knowledge and/or resources to perform a risk assessment internally;
  • No mandate or corporate requirement to perform risk assessment.

In the U.S., many organizations have relied on checklist-and-hazard-inspection methods that focus on regulatory compliance, and prescribed hazards and conditions to evaluate workplace safety and health. Unfortunately, such methods do not provide a true measure of risk.

In ASSE’s webinar, Prevention Through Design: Guidelines for Addressing Occupational Hazards and Risks in Design and Redesign Processes, presenter Bruce Main quoted a study conducted by a Fortune 500 company which indicated that 65% of serious incidents had no previous risk assessment. This number may be indicative of other Fortune 500 companies, and supports the authors’ experience that many smaller companies perform few, if any, risk assessments.

Reason 9: Define the Context & Objectives of the Assessment

The purpose and scope of a risk assessment should be determined by those who will use the resulting information to make informed decisions. It should be written so that everyone on the team can continuously refer to it in order to stay focused and avoid wandering too far from the intended goal.

Communicating the purpose and scope to the risk assessment team should include a common understanding of terminology to be used. For example, when using qualitative risk analysis, a clear explanation of the terms used and their meanings should be communicated and understood by the assessment team and management (ANSI/ASSE 2011c, p. 18).

Reason 8: Understand an Organization’s Acceptable Risk Level

An organization must define its acceptable risk levels and incorporate them into the risk assessment process. As described in Z10, Appendix F, safety and health management goals should be actionable, realistic and time-oriented.

figure2What is an achievable and acceptable level of risk? Z690.3 explains that the potential for harm must be reduced until the cost of further reduction is disproportionate to the benefit gained - to the level of as low as reasonably practicable (ALARP, Figure 2). The criteria used to determine this level should include the organization’s OSH goals and the use of cost-benefit analyses of risk and their treatment; it also will be influenced by its culture and industry setting (ANSI/ASSE 2011c, p. 21). Typically, as an organization matures and improves its risk control measures, the acceptable risk level will move closer to the negligible risk level.

Reason 7: Assemble the Best Team to Perform the Risk Assessment

Risk assessments are excellent opportunities for employee involvement, which is critical to the success of any safety effort. Employee involvement is required by all safety management system standards (e.g., ANSI/ASSE Z10, OHSAS 18001,OSHA VPP). It also is required by some state OSHA regulations and specific regulations such as OSHA’s process safety management standard. Employee involvement leads to a better risk assessment.

Depending on the assessment’s scope, a team of objective, knowledgeable, experienced and complementary personnel should be created. Teams of three to 10 competent members usually offer sufficient perspectives on a risk assessment, yet are not too large to manage and keep focused. Team members should be selected based on their knowledge, experience and commitment to the effort, and will vary depending on the hazards and risks being assessed. For example, a team assessing a product might include representatives from research and development, design, engineering, production, quality, legal, sales, service, risk management and safety. A transportation risk assessment might include a driver, routing/scheduling, DOT compliance, service and maintenance, risk management and safety. These members can be directed to gather input from their departments if the process is not confidential because external parties often contribute to the risk assessment.

Reason 6: Risk Assessment Techniques

Many different risk assessment techniques exist, some complex (quantitative) and specific, and others more basic (qualitative) and broad in application. Certain techniques have specific applications. For example, hazard analysis and critical control points is often used in food and beverage processing. Z690.3 describes 31 different techniques (pp. 22-25; Figure 3), while Z590.3 features eight. Three risk assessment techniques are highlighted in Z590.3 as being more practical for most risk situations: preliminary hazard analysis, what-if/checklist analysis, failure modes and effects analysis (FMEA) (Figure 3).


The technique selected should be justifiable and appropriate for the situation; provide useful results; and be traceable, verifiable and consistent. Selection criteria should be based on the assessment’s defined context and objectives (Reason 9) and should consider the following:

  • complexity of problem
  • type and range of risks
  • potential magnitude
  • risk assessment team’s degree of experience
  • available data
  • regulatory requirements

figure4In some cases, more than one technique may be needed. However, specific concerns, such as ergonomics risk factors, may not fully be identified or measured using standard risk assessment techniques. Specific tools that focus on ergonomic risks, such as the rapid upper limb assessment, the Snook tables, NIOSH’s lifting formula and similar tools, are available to assess ergonomic-related risk factors (figure 4).

To achieve desired results, an organization must properly match the technique used to the exposure. The assessment and its output should be consistent with the risk criteria established in the assessment’s scope and purpose.

Reason 5: Be Objective in the Risk Assessment Process

A risk assessment can be moderated by a well-rounded assessment team or an experienced facilitator. Sometimes, team members can be too close to the situation or be less-than-objective due to past experience. An objective, experienced facilitator can keep the risk assessment focused on its purpose and goals. The right comparisons can be made, and questions can be asked to bring the perception back in line with reality.

Reason 4: Identify Hazards That Create Risks & Consider Combined Whole-System Risk

Sound risk assessments account for the combined or synergistic effects of multiple risks rather than view them as mutually exclusive. Whole-system risk must be considered in the assessment process to properly manage actual risk.

FMEA typically takes each failure as a single event and analyzes each failure individually for its causes and effects. Certain combinations of risks create greater risk. For instance, in the meat processing industry, cold temperatures combined with hand-arm vibration from pneumatic hand tools increase risk of soft-tissue damage (ANSI/ASSE 2011a, Section 7.4.5).

If an organization does not use a well-rounded assessment team to capture a broader spectrum of risks (Reason 7), the assessment is left to the individual risk assessor’s comfort level with certain types of exposures (e.g., machine guarding, electrical, ergonomics, industrial hygiene), which limits the results. Depending on complexity, a false sense of security may develop, with critical risks remaining unidentified and untreated.

The potential effect of combined risks also may be missed. Risk assessment teams that identify and catalog individual hazards as line items may miss the potential for certain risks occurring at the same time and producing synergistic effects.

For example, a large manufacturing operation initiated a corporate-wide effort to identify and manage its risks. The scope of the assessment process was broad and was conducted by plant personnel who had limited training. The assessors identified safety-related hazards, but did not recognize potential health risks related to operations such as coating and finishing tasks. Industrial hygiene and ergonomic risks were present, but were not identified. Other significant risks were missed in some plants. The inconsistencies and missed risks had to be addressed in a second assessment by an outside consulting group.

Reason 3: Consider the Hierarchy of Controls & Prioritize Based on Risk

figure5An organization should have a strategy for prioritizing control measures based on risk level and degree of exposure to optimize efforts and resources. Z590.3 addresses the hierarchy of controls, selecting and implementing risk reduction, control method and covers control assessment. The hierarchy presents controls in order from most effective to least effective (Figure 5). Applying this hierarchy properly should become second nature for every OSH professional and standard practice for organizations. It serves to assess risk more accurately and helps continuously improve controls.

Reason 2: Perform Risk Assessment During the Design/Redesign Phase

Many organizations do not even think about assessing risk during design and redesign stages, thus missing an opportunity to save money and mitigate risks. Instead, they wait to address risks until project completion or installation and many times not until an incident or significant loss occurs. This approach is aided by inadequate education and training in safety principles for most designers and engineers, lack of planning time built into the design process, in addition to tradition and culture.

Z590.3-2011 provides guidance for life cycle assessments and a design model that balances environmental and occupational safety and health goals over the life span of a facility, process or product. The standard focuses on the four key stages of occupational risk management. The pre-operational, operational, post incident and post-operational stages are all addressed within. Figure 6 depicts how Z590.3 illustrates the typical design concept through decommissioning process. The standard explains the use of risk avoidance in the early design phase:

In the early design phases, there are no risks, yet, to be avoided, eliminated, reduced or controlled. Designers start with a blank sheet of paper, or a blank screen in a CAD system. They have opportunities to avoid hazards altogether in the design concept, preliminary design and detailed design stages. (p. 45)

Risk assessment at the design/redesign phase may be the most overlooked risk management tool available to organizations. Simply put, risk assessments should be a standard practice during the design and redesign phase.

Reason 1: Communicate... Before, During & After the Risk Assessment

As with many other functions, people should make it a priority to communicate effectively when performing risk assessments. Poor communication is often identified as a major contributor to poor outcomes such as injuries.

Communication is a provision of both Z690.3 and Z590.3 and also required by virtually all safety and health management standards such as Z10, OHSAS 18001 and OSHA VPP, yet it is seldom done well. A quality risk assessment involves stakeholders throughout the process and seeks their input before, during and after. Stakeholders include internal personnel, as well as customers, investors, partners, suppliers and vendors.

Investigators determined that NASA’s space shuttle Columbia explosion on Feb. 1, 2003, which claimed seven lives, was partially due to a lack of effective communication of critical safety information. They concluded that organizational causes, including lack of communication, contributed to the incident.

Cultural traits and organizational practices detrimental to safety were allowed to develop, including: reliance on past success as a substitute for sound engineering practices . . . organizational barriers that prevented effective communication of critical safety information of opinion; lack of integrated management across program elements; and the evolution of an informal chain of command and decision-making processes that operated outside the organization’s rules. (CAIB, 2003, p. 9)

Organizations face a wide range of risks each day that can affect their ability to achieve certain business objectives and stay in business. OSH professionals should become familiar with these standards, and strengthen their proficiency and skills in performing risk assessments.

Bruce K. Lyon, P.E., CSP, ARM, CHMM, is director of risk control with Hays Cos., a commercial insurance brokerage firm. He holds a B.S. in Industrial Safety and an M.S. in Occupational Safety Management/Fire Science from the University of Central Missouri. Lyon is a professional member and past president of ASSE’s Heart of America Chapter and a recipient of the Region V Safety Professional of the Year Award. He is advisory board chair to the University of Central Missouri’s Safety Sciences Program.

Bruce Hollcroft, CSP, ARM, CHMM, is director of risk control with Hays Cos. He holds a B.S. in Industrial Safety from the University of Central Missouri. Hollcroft is a professional member of ASSE and past president of both the Heart of America and Columbia-Willamette chapters. He also has chaired the Oregon Governor’s Occupational Safety and Health Conference.

Over the past 30 years as risk control consultants, the authors have performed, facilitated, participated in and observed thousands of risk assessments for almost all industry types and sizes. Based on those experiences, they have concluded that many organizations fail to perform effective risk assessments.


Contact Us

Customer Service (M-F 8:30am - 5:00pm)
+1 847 699.2929

American Society of Safety Engineers
520 N. Northwest Hwy
Park Ridge, IL 60068