Risk assessment step by step


Risk assessment is a key foundation in systematic HSE work. Below, we present some key points businesses should include in their risk assessments, along with links to relevant templates and tools. This work must be adapted to the business’ individual needs and circumstances.

Why perform a risk assessment?

The Working Environment Act requires all enterprises to identify potential risks in the workplace. The employer is responsible for this identification process. The objective is to prevent anyone from getting injured or sick, and to prevent anything in the workplace from affecting the business in terms of absences, loss of production, damage to equipment, etc.

Have you established what the final product of the analysis should be and how you plan to use the outcome in your decision-making process? Without a clear objective, the analysis may lack focus and may not give you the answers you need.

Collect relevant information about the potential risk you are assessing. Without relevant information on hand, the outcome is not likely to be of good quality.

Broad analysis

What can happen?

Begin by asking a completely open-ended question: "What can happen?"

Experiences, accident reports and incidents from the business' own activities may offer important insight, as could figures from the relevant industry, insurance companies, etc.

If the number of potential incidents is very high, it could be beneficial to rule out incidents with low probability and/or small consequences already at this point in the process.

See also the chapter on deviation handling. (in norwegian) 


How likely is it?

Address the most likely incidents and try to assess the probability of them occurring. Rate each incident based on how likely it is to occur.

There may be many different reasons why an unwanted incident occurs, e.g. insufficient maintenance, technical failure, inadequate training.

In many cases, the occurrence cannot be attributed to any single cause – instead a number of factors combined cause the incident to occur.

Experiences from the business' own activities or the industry at large can give some indication of the probability of an incident occurring.


What are the potential consequences of an incident?

It is common to distinguish between three different types of consequences: Consequences to people, environment and property.

Once incident may have one or several different consequences.
You should try to look beyond the immediate consequence of an unwanted incident – the incident may trigger a domino effect of consequences.

You also need to determine the degree of severity for each consequence.


Assessment of risk

Once you have determined the probability and consequences of each individual incident, you have an overview of potential unwanted incidents, categorized by risk.

You should prioritize addressing the incidents with the highest risk, i.e. incidents with both high probability and considerable consequences.

As a main rule, we recommend first looking into measures that may reduce probability and then measures to reduce potential consequences.

It is often less expensive to prevent than to repair.

Measures – action plan

How to reduce risk

Once a risk has been assessed, you must prepare a binding action plan. In this plan, you must specify and prioritize specific risk-reducing measures. A person responsible must be assigned to each measure, deadlines must be set, and the necessary funds must be allocated.

Measures may include anything from technical improvements, training and exercises to new procedures, etc.

All follow-up of this action plan must be documented.

In order to maintain focus on the efforts to reduce risk, it is important for management to follow up on and regularly request status updates and results.

Remember that the risk assessment process should be repeated regularly and always whenever changes are made that may affect potential risks.

The work to identify and reduce risks must be part of the systematic internal control process.