The management of occupational health and safety (OHS) risks is an extremely important process and companies are responsible for reducing the risks that workers are exposed to in the course of their work activities.

Accidents occur when you least expect them, especially at work. Every organization is different and so are the health and safety risks. It all depends on the type of work performed.

The commitment to health and safety at work is a responsibility shared by both employers and employees. If the company demonstrates that it takes health and safety seriously, workers are more likely to follow procedural guidelines, cooperate and get involved in the process.

The support and influence of leaders to encourage safe and healthy attitudes and behavior is certainly one of the first steps to building a culture of safety in your company.

This article summarizes ISO 31000 and ISO 45001 resources to help you understand and implement occupational health and safety risk assessment and management.

Steps in the risk management process

1. Scope, context and criteria

The goal in this step is to customize the risk management process and establish the parameters for managing OHS risks.

The organization should define the scope of the process, the context (external and internal) and the criteria to assess the significance of the risk.

Defining the scope

Define the level at which risk management will be applied: strategic, operational, program, project or other activities.

Take into account the organization’s goals, expected results, tools, techniques, resources, responsibilities and records to be kept, among others.

Take into account the needs and expectations of workers and other stakeholders.

Context of the organization

The context should reflect the specific environment of activity where the risk management process is applied.

Identify and analyze the external and internal issues that affect your ability to achieve the intended results.


The organization should specify the degree and type of risk it can (or cannot) accept in relation to the goals.

Criteria should be aligned with the risk management framework and customized to the specific goal and scope of the activity in question.

To support decision-making, criteria should be established to assess the significance of the risk. These criteria are dynamic and, whenever necessary, should be periodically analyzed and modified.

2. Communication and consultation

The purpose of communication and consultation is to assist stakeholders in understanding the risk, the basis for decisions and why specific actions are required. Communication promotes awareness and understanding of the risks, while consultation involves obtaining feedback and information to support decision-making.

Communication and consultation have to occur in each step and throughout the entire risk management process. This makes it possible to bring together different areas of expertise and ensure that different views are considered when defining criteria and assessing risks. It also helps to build a sense of inclusion and responsibility among those affected by risk.

It is important to consult with workers when assessing risks. They are in the best position to point out dangers and suggest improvements since they do this work every day. They can suggest practical and cost-effective solutions.

3. Identification of hazards and risks

Knowing the difference between hazards and risks is an important part of successful risk assessment.

According to ISO 45001:

Hazard: a hazard is a source of potential injury or harm.

Hazards include potential sources of harm, dangerous situations or circumstances with the potential for injury or illness.

Risk: risk is the effect of uncertainty.

An effect is a deviation from the expected, whether positive or negative.

Uncertainty is the state, even if partial, of a lack of information, understanding or knowledge related to an event, its consequences or its probability.

Hazard and risk identification helps an organization recognize and understand workplace hazards and hazards for workers in order to assess, prioritize and eliminate hazards or reduce OHS risks.

The hazard identification process should be ongoing and proactive.

To build a list of risk sources and their consequences, the team needs to address the following questions:

  • What could go wrong? (Risk)
  • How bad could it be? (Consequences/Impact)
  • How often could this occur? (Probability)

Some strategies for answering these questions are:

  • Brainstorming;
  • Developing ‘what if’ scenarios;
  • Review of accidents, injury rates and death records to identify processes/activities that need to be reviewed or that require more attention in hazard and risk assessment.

4. Risk analysis

Risk analysis involves a detailed consideration of uncertainties, sources of risk, consequences, probability, events, scenarios, controls and their effectiveness.

Probability: the chance of something occurring.

Consequence/impact: the result of an event that affects the goals.

A consequence can be certain or uncertain and can have direct or indirect and positive or negative effects on goals.

Consequences can be expressed qualitatively or quantitatively.

A Risk Matrix / Risk Diagram is a simple visual tool that is commonly used to assess the level of risk and assist in the decision-making process.

Organizations can define their own consequence and probability criteria according to their current situation and goals (Step 1 – Scope, Context and Criteria). You can also use previously developed criteria.

Examples of Probability and Impact Criteria

Probability and impact can be expressed qualitatively or quantitatively:





| Qualitatively | Quantitatively |
|---|---|
| Conceivable, but extremely unlikely | Less than one event in 100 years |
| Possible, but unlikely | 1 event between 10-100 years |
| Possible: likely to occur, but not certain | 1 event between 1-10 years |
| Very probable: will probably occur | More than one event per year |
| Almost certain: extremely likely | More than one event per month |



| Qualitatively | Quantitatively |
|---|---|
| No impact | Almost an accident; no injuries or illnesses |
| Light | Injury requiring first aid; biological/chemical spill |
| Moderate | Injury/illness; reversible injury; biological hazard exposure |
| Serious | Serious injury/illness; temporary disability; injury with time off work; dangerous incident |
| Very serious | Multiple fatalities and/or significant irreversible injuries |


Example of a Risk Matrix

In this step, we can build a Risk Matrix to calculate the magnitude of potential consequences (impact level) and the probability (probability level) that the consequences will occur.

5. Risk assessment

The purpose of risk assessment is to compare the results of the risk analysis with established criteria to determine where further action is required.

The risk assessment criteria are also defined in step 1.


| Risk level | Acceptability of risk level | Necessary immediate action |
|---|---|---|
| Low | Acceptable | Continue the process, but monitor it regularly |
| Medium | Fairly acceptable | Continue the process, but develop a control plan and implement it as soon as possible |
|  |  | Investigate the process and implement controls immediately |
| Extreme | Unacceptable | Halt the process and implement controls |

Decisions should take into account the larger context and the real and perceived consequences for external and internal stakeholders.

The risk assessment results should be recorded, communicated and validated at the appropriate levels in the organization.

6. Risk treatment

The aim of risk treatment is to select and implement options to address the risk.

Risk treatment is an iterative process with the following steps:

  • formulate and select risk treatment options;
  • plan and implement risk treatment;
  • assess the effectiveness of this treatment;
  • decide whether the remaining risk is acceptable;
  • if not acceptable, develop another risk treatment.

After the risk assessment, the organization can decide how to control each identified risk. Risk control methods are often grouped according to the following hierarchy:

7. Monitoring and critical analysis

Risk management is an ongoing process that needs to be monitored and revised to ensure its continued adequacy and effectiveness.

You should review the risk management process at scheduled intervals or when:

  • it is no longer effective;
  • changes occur in the workplace that lead to new risks;
  • there has been an accident or near accident;
  • legal requirements have changed;
  • audit results indicate non-compliances or opportunities for improvement;
  • workers identify problems or suggest improvements;
  • circumstances warrant a review.

OHS risks can be monitored with:

  • audits;
  • inspections;
  • monitoring of risk exposure;
  • reviews of performance indicators;
  • other means.

Monitoring and reviewing the performance of OHS risk management is a way to ensure continuous improvement.

8. Registration and reporting

Keeping records of your risk assessments and the actions taken to mitigate risks is very important, as well as being a legal requirement.

Having a long-standing record of your risk assessments is helpful when you face similar situations since you can compare previous actions or refine your strategy.

Registration and reporting are intended to:

  • communicate risk management activities and results in the organization;
  • provide information for decision-making;
  • improve risk management activities;
  • improve interactions with stakeholders, including those with accountability and responsibility for risk management activities.


The occupational health and safety risk management process allows you to act proactively rather than reactively and mitigate risks before they cause harm to workers.

In addition to preventing work-related accidents, OHS risk management provides a number of benefits, such as:

  • Greater employee satisfaction, trust and engagement;
  • Reduction in the absenteeism rate;
  • Increased productivity;
  • Lower costs;
  • Improved company trust and reputation;
  • Improved company public image;
  • Compliance with the principles of corporate social responsibility (CSR) for the physical, social and mental well-being of employees.

Now that you know more about how to manage OHS risks in your company, get to know SoftExpert EHSM (Environmental, Health and Safety Management), the most comprehensive and innovative solution for process improvement and automation, regulatory compliance and excellence in performance management.

Contact our experts to learn more about how your company can benefit from the advantages and benefits of SoftExpert EHSM. We understand your needs and can recommend the best way to implement our EHSM solution to satisfy your requirements.




Bruna Borsalli



Business Analyst at SoftExpert Software, holds a Bachelor's degree in Chemical Engineering from Univille. Experienced in EHS (Environment, Health and Safety) and a Quality Management specialist as well as a certified Six Sigma Yellow Belt and Internal Auditor for ISO 9001 | 14001 | 45001 Integrated Management Systems.
