How to do a Risk Assessment

Last week I wrote a short piece on ‘what a risk assessment is’; This week’s follow up is all about how to do a risk assessment for yourself because, as we all know, every organisation/business should have a risk register, especially in these turbulent and unprecedented times.

There are many guides to ‘How to do a risk assessment’ but the basic steps are as follows:

  1. Identify potential risks/hazards
  2. Identify who or what may be impacted by them
  3. Evaluate the likelihood and severity of each risk/hazard identified (in point 1)
  4. Implement controls to reduce or eliminate risk/hazard
  5. Review & re-assess your risk assessment register

The risk assessment process should consider internal and external hazards and risks. Many risks for an organisation  have an external focus. It is common for a business to be impacted by third party suppliers for example.

It is important to document your assessment in a register for reference and communication as well as for reviewing and updating – it’s not a set and forget exercise! The register should include who is accountable for the management of any particular risk and regular reports should be provided on the state of the risk; ie whether it is reducing or increasing.

Identifying risks/hazards

Sometimes easier said than done but the key to identifying risks and hazards is consultation. Talk to staff and service providers, take a walk around your premises, review previous accident or Ill-health records and any manufacturers’ recommendations for goods-handling or storage or machinery operations. And use third-party data, such as insurance contracts, to provide information and ensure your processes are rigorous and comprehensive.

Identifying who might be impacted

Different groups can be impacted differently by the same hazard or risk. For example, pregnant women would be more at risk from exposure to, say, radiation than other groups; Employees on site might be more at risk than contractors visiting. So, identifying categories of ‘at risk groups’ becomes critical to evaluating the severity of a risk and the controls you choose to mitigate or eliminate risk.

Evaluating the likelihood and severity of each risk/hazard

In a nutshell, any assessment will basically evaluate how likely it is for a risk/hazard to occur and how severe the consequences would be should it occur. By doing this you can consider what controls are available to eliminate or reduce risk ‘as far as practically possible’. And you can identify any costs associated with the control measures you choose to eliminate, reduce or control the risk.

Implementing controls

Not all controls are equal! That is, what’s good for the goose isn’t always what’s good for the gander. Whilst some businesses or organisations will often have the same risks/hazards the choice of suitable control measures may vary depending on the likelihood and severity of potential impact. The consequences of a fire on an offshore major hazard facility are likely to be more serious and require more costly control measures than say a fire in a single storey storage unit housing non-hazardous goods for distribution. There is a proportionality relationship between the risks and controls which are evident in many regulated sectors to exemplify the principle that not all controls are equal.

Reviewing & assessing your risk assessment

Having a written record of your risk assessment is critical; in most cases it’s also a legal requirement, not just an excellent business practice. We refer to this document as the ‘Risk Register’. Having a risk register not only provides a record of your assessment considerations and control measures but it provides the basis for auditing your business/organisation enabling you to be proactive in identifying new risks and new controls. It is a fundamental and significant business resilience tool for any organisation.

Before 2020 how many businesses/organisations would have had ‘working from home’ procedures identifying and evaluating risk and appropriate control measures? How much would mental health factors have been a consideration before the global Covid pandemic? And would the evaluation of mental health factors be the same now as it was in 2020?

Nuffield Group provides consultancy and support services including risk assessment and compliance. Find out more here.