What is risk assessment?


Risk assessment began as a discipline in the late 1960s, with some of the earliest formal papers published in the early 1970s [1] and [2]. The early researchers were part of the US military and were interested in reducing the risks for military personnel carrying out their duties.

Since then, risk assessment has become a key part of reducing risk to manufacturers, employers, and workers. There are many forms of risk assessment, each suited to a particular sector of the economy [7] through [13]. Today, extensive risk assessment research is being done by organizations and universities around the world.

You may not realize it, but you already do risk assessments daily in every task and activity. When you pause to consider what might go wrong and what you can do to avoid that – that’s a risk assessment. You just aren’t writing it down or using any defined scoring tools to do it.


Risk assessment is an incredibly wide topic. Since this website is focused on industrial machinery safety, this discussion is limited to machinery. Risk assessment is essentially an orderly, methodical process where things that can harm people, animals or the environment, called hazards, are identified, the severity of injury posed by each hazard is estimated, and the probability of occurrence of the injury is estimated.

Based on applicable laws, regulations, standards and public opinion, control measures are applied to reduce “intolerable” or “unacceptable” risks to “tolerable” or “acceptable” levels.


Risk controls are applied based on the “Hierarchy of Controls” [12]. In North America, the Hierarchy is considered to have five levels, while in the International Standards, only the first three levels are recognized. This discrepancy exists because ISO and IEC standards are written from the product designer’s perspective, and the last two levels are only available to workplaces. There are distinct linkages between the first three levels and the last two, so none of these control measures exists in a vacuum.

The five-level hierarchy includes:

  1. Inherently Safe Design;
  2. Engineering Controls:
    • Barriers (Fences)
    • Enclosing Guards
    • Fixed Guards
    • Movable Guards, including Adjustable and Self Adjusting Guards and Interlocking Guards with or without Guard Locking
    • Safeguarding Devices including Light Curtains, Fences and Beams, Safety Mats, Area Scanners, 3D vision-based systems and Two-Hand Controls
    • Awareness Devices, including lights, horns, buzzers, markings, etc.
  3. Information for Use including Operator Screens (HMI screens), Manuals, and Hazard Warnings
  4. Administrative Controls
    • Training
    • Safe Working Procedures including HECP, Permit to Work, Confined Space Entry, etc.
    • Supervision
    • etc.
  5. Personal Protective Equipment (PPE)

The control measures can be applied in the order given in the hierarchy, or you can simply apply all of the control measures to the design, depending on the school of safety thinking you follow. Control measures are generally most effective at the top and least effective at the bottom. All may be necessary to reduce risk to acceptable levels.

Residual risk

The process is repeated until all of the control measures in the hierarchy have been exhausted. The risk that remains is called the residual risk. Often the residual risk will be within “tolerable” or “acceptable” levels, but in some cases, it may not.

Tolerable or acceptable risk

Unfortunately, the level of risk considered tolerable or acceptable is a moving target. It can vary by the activity, the people involved, the level of benefit the participants receive from the activity, and many other factors. Generally, most jurisdictions worldwide have legislation regulating the maximum risk that citizens can be exposed to. Examples are the limits set by the US Consumer Product Safety Commission, Health Canada, the EU’s General Product Safety Directive and the RAPEX system.


The risk that has been reduced to levels that are at least tolerable is sometimes referred to as “ALARP” for “As Low As Reasonably Practicable” or “ALARA” for “As Low As Reasonably Achievable.” This concept arose in UK law and is recognized in some other jurisdictions globally.

Many labour organizations have significant problems with the ALARP concept. The concern is that risk reduction will stop once the risk is deemed to have been reduced ALARP. The problem is that the worker exposed to the risk may not realize the risk or agree to accept the exposure.

How far do you have to go in reducing risk?

Risk control is never complete unless the hazard has been eliminated or the risk reduced to the point where it is considered broadly acceptable. New technologies and control methods will be developed as time passes and must be implemented to maintain the lowest possible risk.

There are always financial considerations in controlling risk. If you are dealing with a risk that involves a significant severity of injury and the controls seem too expensive, you should consider not proceeding with the project/product/machine. It is never acceptable to leave an uncontrolled risk when there are risk control measures available and the severity of injury is anything more than a minor cut or bruise.

Types of assessments

Risk assessments can be Hazard-Based, meaning that hazards are assessed without specific reference to tasks that workers are expected to carry out. They can be Task-Based, where hazards are assessed based on the specific tasks that workers must carry out. This type of analysis is sometimes called a Task Hazard Analysis.

A Job Hazard Analysis is closely related; however, it is focused on a specific task that must be done. This type of analysis is used for non-routine, non-repetitive events, like repairing downed power lines or replacing a roof-mounted HVAC unit.

Risk assessments can be objective when sufficient data is available to allow the severity and probability factors to be quantified, but this is often impossible. Subjective risk assessments are based on the combined knowledge and skill of the risk assessment team that is assigned to the task.

A “What-if?” analysis can be used at the simplest level to get a quick reading on risk. Most of us do this daily as we prepare to commute to work, when crossing the street, and when considering large purchases. What-if analysis consists of asking as many what-if questions as necessary to exhaust the potential scenarios that can be imagined. This may be a place to start for machinery, but it is seldom detailed or comprehensive enough to be effective. Additional tools are required.

Risk assessment standards

There are a number of risk assessment standards published, and an even larger number of product family standards have risk assessment methodologies built into them.

Until 2010, ISO 14121-1 was the de facto preferred standard for machinery risk assessment. When ISO 12100:2010 was published, it included the combined text from ISO 12100-1, ISO 12100-2 and ISO 14121-1. The second part of ISO 14121, ISO/TR 14121-2 — Safety of machinery — Risk assessment — Part 2: Practical guidance and examples of methods, was not included in the new document and is still published and valid as of May 2021. If you are looking for a guidance document that includes an example of a risk matrix and a decision tree, this document will be helpful for you.

ISO 12100 deals primarily with the Preliminary Hazard Analysis (PHA) method and provides guidance on using FMEA, MFMEA, FTA, HazOPS and other methods to analyze the risks.

CSA has embedded the ANSI RIA R15.06 risk analysis scoring system in one key Canadian machinery standard, CSA Z434 — Industrial Robots and Robot Systems — General Safety Requirements. This standard combines ISO 10218-1 and ISO 10218-2 into a single document. Because CSA Z434 is based on ISO 10218, you can still use ISO 12100 as the basis for your robot system risk assessments.

Internationally, ISO and IEC are preparing to publish ISO/IEC 31010, Risk Management – Risk Assessment Techniques. This standard is part of the new ISO 31000 series on Risk Management. This standard is focused on business or organizational risk rather than machinery risk, although the basic principles used are the same.

ISO has also published a new OHS Risk Assessment standard, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use. This standard has also been adopted as a Canadian standard as CSA Z45001:2019.

CSA published its own OHS risk assessment standard, CSA Z1002:2012 — Occupational Injury and Illness Risk Assessment and Management. This standard is part of the CSA Z1000 series of standards dealing with Occupational Health and Safety Management. Compliance InSight Consulting is contributing to the development of CSA Z1002 directly with the involvement of Doug Nix on the CSA s362 Technical Committee.

Risk assessment software

A few software vendors have developed risk assessment software packages to assist in the risk assessment process by handling the scoring calculations automatically and in some cases allowing for revision control and many other features.

For many applications, it is possible to develop risk assessment scoring sheets using standard spreadsheet applications like MS Excel™, Apple™ Numbers™, Google Sheets™ and many others. These can be very flexible but are usually cumbersome to maintain over time. This shortcoming can be overcome with document revision control software that can manage the files appropriately.

There are other software packages available to assist you with risk assessment. We don’t currently have a package that we recommend.


If you are unsure how to proceed with risk assessment, check out our RA101 course.

This course is suitable for control systems designers and engineers. If you have a CMSE designation or equivalent, and you’re still not feeling confident about how to conduct a machinery risk assessment, this course will work for you too.


For more information, check out these resources:


ASSE: American Society of Safety Engineers

SAR: Society for Risk Analysis

IEEE Product Safety Engineering Society


Risk Assessment: Basics and Benchmarks, Bruce Main. See the IEEE Xplore Review

Innovations in Safety Management, Fred Manuele, Sept 2001

On the Practice of Safety, Fred Manuele, 3rd edition, 2003.


PreAccident Investigation Podcast (USA) – Dr. Todd Conklin

The Safety of Work (Australia) – Dr. Drew Rae and Dr. David Provan

Web Sites

CCOHS: Canadian Centre for Occupational Health and Safety


Risk World

Wikipedia: Risk Assessment


[1] W. T. Fine, “Mathematical Evaluation for Controlling Hazards,” J. Safety Res., vol. 3, no. 4, pp. 157–166, 1971.

[2] G. F. Kinney and A. D. Wiruth, “Practical Risk Analysis for Safety Management,” US Department of the Navy, China Lake, 1976.

[3] H. G. Benis, “Quantified hazards analysis: A technique for ensuring safety in equipment design and use,” New Zeal. Eng., vol. 31, no. 4, pp. 107–110, 1976.

[4] T. A. Kletz, “The Risk Equations What risks should we run?,” New Sci., vol. 74, no. 1051, pp. 320–325, 1977.

[5] T. A. Kletz, “Hazard analysis-A review of criteria,” Reliab. Eng., vol. 3, no. 4, pp. 325–338, 1982.

[7] Risk management — Guidelines, ISO 31000. International Organization for Standardization (ISO). 2018.

[8] Risk management — Risk assessment techniques, ISO 31010. International Organization for Standardization (ISO). 2019.

[9] Occupational health and safety management systems — Requirements with guidance for use, ISO 45001. International Organization for Standardization (ISO). 2018.

[10] Occupational health and safety – Hazard identification and elimination and risk assessment and control, CSA Z1002. Canadian Standards Association (CSA). 2012 (R2022).

[11] Benefit-risk assessment for sports, for recreational and sports facilities including equipment, ISO/DIS 4980. International Organization for Standardization (ISO). 2022.

[12] Safety of machinery — General principles for design — Risk assessment and risk reduction, ISO 12100. International Organization for Standardization (ISO). 2010.

[13] Safety of machinery — Risk assessment — Part 2: Practical guidance and examples of methods, ISO/TR 14121-2. International Organization for Standardization (ISO). 2012.

© 2021 – 2022, Compliance inSight Consulting Inc. Creative Commons Licence
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
