Do I Need a Risk Assessment? When It’s Required and What to Do Next
If people, property, or processes could be harmed by the way work is done, you need a risk assessment. It’s the backbone of workplace safety compliance: a structured way to spot hazards, judge how likely and severe harm could be, and choose controls that reduce risk to an acceptable level. This guide explains when assessments are required and how to complete one confidently.
Understanding Legal Requirements for Risk Assessments
What the Occupational Safety and Health Act expects
The Occupational Safety and Health Act requires employers to furnish a workplace free from recognized hazards. While it doesn’t impose one universal “risk assessment” form, many OSHA standards make hazard identification, evaluation, and documentation mandatory to demonstrate compliance. In short, you must assess risks whenever it’s necessary to prevent harm and meet applicable standards.
When a risk assessment is explicitly required
- Personal protective equipment: You must perform and certify a workplace hazard assessment before selecting PPE to ensure it matches the risks present.
- Chemicals and process safety: Hazard communication requires classifying chemical hazards and informing workers; process safety management requires thorough analyses for highly hazardous chemicals.
- Biological agents and exposure: Standards such as bloodborne pathogens require exposure determinations and documented controls.
- High‑risk operations: Confined spaces, energized work, hot work, cranes, and similar activities typically require documented hazard analyses before work begins.
- State plans and client/insurer rules: Some states mandate comprehensive written programs (for example, injury and illness prevention programs) that include routine hazard assessments. Clients and insurers may also require risk assessments for contracts or coverage.
Practical triggers that mean “do one now”
- New or changed equipment, processes, chemicals, or layouts.
- After any incident, near miss, or regulatory citation.
- When introducing contractors, temporary staff, or new work methods.
- When hazards affect vulnerable groups (new or young workers, pregnant employees, lone or remote workers).
If any of the above apply, completing and recording a risk assessment is part of prudent risk mitigation and essential for workplace safety compliance.
Identifying Workplace Hazards
Build a complete picture of work
- Gather information: procedures, equipment manuals, safety data sheets, maintenance logs, training records, and incident/near‑miss data.
- Walk the work: observe normal, non‑routine, start‑up/shutdown, cleaning, and emergency conditions. Note energy sources, interaction points, and housekeeping.
- Engage workers: ask operators what “almost went wrong,” where bottlenecks occur, and what workarounds exist. Worker insight sharpens hazard identification.
- Map tasks: use a job safety analysis/job hazard analysis to break tasks into steps and list hazards at each step.
- Consider who could be harmed: employees, contractors, visitors, the public, and anyone off‑site who could be affected.
Common hazard categories to check
- Safety/mechanical: moving parts, vehicle interactions, falls, stored energy, machine guarding.
- Physical: noise, vibration, heat/cold stress, radiation, pressure/vacuum.
- Chemical: gases, vapors, dusts, mists, fumes; compatibility and reactivity; routes of exposure.
- Biological: bloodborne pathogens, mold, bacteria, viruses, animal waste.
- Ergonomic: forceful exertions, repetition, awkward postures, manual handling.
- Electrical: shock, arc flash, static, improper grounding.
- Psychosocial/organizational: workload, shift work, workplace violence, fatigue, stressors.
- Environmental/site: weather, natural disasters, poor lighting, uneven surfaces.
Evaluating Risk Levels
Score likelihood and severity
Risk equals the combination of the likelihood of harm and the severity of its potential consequences, considering who is exposed and how often. Rate each hazard before controls to reveal your true baseline risk and again after proposed controls to show improvement.
Use a simple matrix to prioritize
- Likelihood: rare, unlikely, possible, likely, almost certain.
- Severity: minor injury/first aid, medical treatment, lost time/serious injury, single fatality, multiple fatalities/catastrophic loss.
- Risk rating: combine the two to categorize as low, medium, high, or extreme. Tackle extreme/high risks immediately.
Consider real‑world modifiers
- Exposure frequency and duration, number of people at risk, and proximity to the hazard.
- Existing controls and their reliability (engineering versus administrative versus personal protective equipment).
- Uncertainty: when data are limited, assume higher risk until proven otherwise.
Example
Forklifts and pedestrians sharing an aisle may be rated “likely” for likelihood and “serious injury” for severity, creating a high risk. Physical separation, speed limits, and pedestrian‑only lanes can reduce likelihood to “unlikely,” dropping the residual risk to medium.
Implementing Risk Control Measures
Apply the hierarchy of controls
- Elimination: remove the hazard (e.g., outsource a high‑risk step or automate manual handling).
- Substitution: replace with a safer chemical, tool, or process of lower inherent risk.
- Engineering controls: enclosures, interlocks, machine guarding, ventilation, barriers, and fail‑safe design.
- Administrative controls: procedures, permits to work, scheduling, signage, training, supervision, and access control.
- Personal protective equipment: select and fit PPE only after higher‑order controls; verify compatibility and train users.
Favor elimination, substitution, and engineering controls whenever feasible; PPE is essential but least reliable on its own. Document why selected controls are reasonably practicable and how they achieve risk mitigation.
Design controls that stick
- Assign an owner, due date, and success metric for each control.
- Integrate controls into procurement, maintenance, and change management so they persist over time.
- Train workers on the changed method; verify understanding through observation or practical demonstrations.
- Check compatibility across controls (e.g., ventilation with noise controls; PPE with tool design).
Verify effectiveness
- Field checks: confirm guards are installed, interlocks function, and procedures are used as written.
- Measures: track leading indicators (training completion, inspection scores) and lagging indicators (incidents, exposures).
- Feedback: invite worker suggestions to further reduce risk and improve practicality.
Documenting Risk Assessment Findings
What your record should include
- Scope, location, and activities covered; date and names of the assessment team.
- Method used (e.g., JHA, what‑if, checklist) and data sources.
- Hazards identified, who could be harmed, and initial risk ratings.
- Selected controls aligned to the hierarchy of controls with rationale and acceptance criteria.
- Residual risk ratings after controls and any temporary measures needed.
- Action plan with owners, deadlines, and required resources.
- Approvals, communication plan, and training requirements.
- Attachments: photos, sketches, equipment lists, chemical inventories, and monitoring results.
Clear, specific risk assessment documentation shows how you met workplace safety compliance duties and makes future reviews faster.
Practical formatting tips
- Use unique document IDs and version control. Note revisions and reasons for change.
- Store records where supervisors and workers can access the current version.
- Protect confidential information (medical data, security‑sensitive details) appropriately.
- Link related documents: SOPs, permits, training materials, and maintenance schedules.
Communicate the findings
- Brief affected teams; incorporate changes into toolbox talks and onboarding.
- Post key controls at the point of use with simple visuals.
- Train and evaluate competence before authorizing work.
Reviewing and Updating Risk Assessments
When to review
- On a set cadence (e.g., annually) and sooner for high‑risk activities.
- After incidents, near misses, or significant changes to people, processes, equipment, materials, or layout.
- When regulations, standards, or client/insurer requirements change.
- When monitoring data or worker feedback suggests controls are drifting or new hazards are emerging.
How to review effectively
- Spot‑check controls in the field and verify they still meet acceptance criteria.
- Update hazard lists for new tasks, seasonal conditions, or atypical operations.
- Re‑rate risks with current exposure data; escalate items that remain above your risk tolerance.
- Close the loop: record changes, retrain affected workers, and update linked procedures.
Conclusion
Risk assessments turn uncertainty into action. Confirm what the law expects, build a thorough picture of the hazards, evaluate risk with a clear matrix, implement controls using the hierarchy of controls, and keep concise records. Then schedule reviews so controls remain effective as work evolves.
Follow this cadence and you will meet the spirit of the Occupational Safety and Health Act, strengthen risk mitigation, and maintain workplace safety compliance without unnecessary complexity.
FAQs
When is a risk assessment legally required?
You must assess risks whenever hazards could cause harm and to satisfy OSHA standards that demand hazard evaluations and documentation. It is explicitly required before selecting personal protective equipment, for chemical and biological exposure programs, and for high‑risk activities such as confined space entry or hot work. State plans, clients, and insurers may require additional written assessments, and you should always complete one after incidents or when work changes.
How do I conduct a risk assessment step-by-step?
- Define scope: the job, area, or process you will assess.
- Collect information: procedures, SDSs, manuals, incident data, and worker input.
- Observe tasks: include normal, non‑routine, and emergency conditions.
- List hazards and who could be harmed for each task step.
- Rate initial risk using likelihood and severity.
- Select controls following the hierarchy of controls.
- Rate residual risk to confirm the reduction is sufficient.
- Document actions with owners and deadlines; communicate and train.
- Monitor effectiveness and schedule a review date.
What are the main hazard categories to consider?
Safety/mechanical, physical (noise, heat, radiation), chemical, biological, ergonomic, electrical, psychosocial/organizational, and environmental/site conditions. Use this list as a cross‑check so important hazards aren’t missed during hazard identification.
How often should risk assessments be reviewed and updated?
Review on a fixed cadence (at least annually for most operations), sooner for high‑risk work, and immediately after incidents, near misses, or significant changes to people, processes, equipment, chemicals, or layouts. Update whenever monitoring data or feedback shows controls aren’t performing as intended or when regulations or client requirements change.