Learn to identify every category of workplace hazard, quantify risk using internationally recognised methods, and select controls that actually eliminate harm.
The words "hazard" and "risk" are used interchangeably in everyday speech but they mean completely different things in safety. Confusing them is one of the most common mistakes new safety professionals make.
Hazard: A source, situation, or act with a potential to cause harm — injury, ill health, property damage, or environmental damage. A hazard is a condition that exists.
Example: A wet floor is a hazard.
Risk: The combination of likelihood and severity of harm resulting from a hazard. Risk is the probability × consequence of the hazard being realised.
Example: A wet floor in a busy corridor = high risk. A wet floor in a locked storeroom = low risk.
Risk control: Any measure that modifies risk — by reducing likelihood, reducing severity, or eliminating the hazard entirely. Controls are chosen using the Hierarchy of Controls.
Example: A wet floor sign + non-slip mat = risk controls.
ISO 31000:2018 (Risk Management — Guidelines) defines risk as "the effect of uncertainty on objectives." In EHS, we narrow this to the probability and severity of harm. ISO 45001:2018 Clause 6.1 requires organisations to determine risks and opportunities — this is the formal requirement that makes hazard identification mandatory for certified organisations.
Every workplace hazard falls into one of six categories. As a safety professional, your first task at any site is to identify hazards across all six — missing a whole category is a common gap in risk assessments.
ISO 45003:2021 — Psychological health and safety at work is the first international standard specifically addressing psychosocial risks. Published in 2021, it provides guidance on managing psychological hazards as part of an ISO 45001 management system. This was a landmark development — psychosocial hazards are now formally recognised as an equal category alongside physical and chemical hazards.
OSHA's Fatal Four (Construction): Per OSHA data, four hazard types cause 60% of all construction fatalities: (1) Falls, (2) Struck-by objects, (3) Electrocution, (4) Caught-in/between. OSHA has a specific national emphasis program targeting these. Any construction site hazard assessment must address all four. Ref: OSHA 29 CFR 1926
Knowing hazard categories is step one. Step two is using structured methods to systematically find them in your workplace — before they cause harm.
Workplace inspection: Systematic physical walkthrough of the workplace to identify conditions and behaviours that could cause harm. Should be structured using a checklist, conducted at regular intervals, and documented. OSHA expects employers to conduct regular inspections under the General Duty Clause. ISO 45001 Clause 9.1 requires performance evaluation.
Job Hazard Analysis (JHA): A step-by-step breakdown of a specific job task to identify hazards at each step and define controls. Required or strongly recommended by OSHA for high-hazard tasks. Also known as Task Risk Assessment (TRA) in some regions. Each task step is analysed: What could go wrong? Who could be harmed? What controls are needed?
HAZOP (Hazard and Operability Study): A structured, team-based technique used in process industries (chemical, oil and gas, pharmaceutical). A guide word approach (No, More, Less, As Well As, Part Of, Reverse, Other Than) is applied to process parameters to identify deviations that could create hazards. Required by OSHA PSM 29 CFR 1910.119 and UK COMAH regulations for major hazard sites.
FMEA (Failure Mode and Effects Analysis): Systematically identifies how equipment or processes can fail, what the effects of each failure mode are, and what controls exist. Uses a Risk Priority Number (RPN) = Severity × Occurrence × Detection. Common in manufacturing (AIAG/VDA FMEA standard) and aerospace (MIL-STD-1629).
Near-miss reporting: Every near miss is an unplanned hazard identification event. A mature safety culture treats near-miss reports as free lessons. Heinrich's Triangle (1:29:300 ratio) and Bird's Triangle suggest that for every serious injury there are hundreds of near-miss events that preceded it. OSHA requires recording of work-related injuries and illnesses on Form 300/301.
SDS review: Every hazardous chemical must have an SDS (Safety Data Sheet, formerly MSDS). Section 2 of the GHS-format SDS lists hazard identification. Section 8 gives exposure limits. Reviewing SDSs is a primary chemical hazard identification method. OSHA 29 CFR 1910.1200 requires SDSs for all hazardous chemicals and worker access to them.
ISO 45001:2018, Clause 6.1.2.1 requires that hazard identification considers: routine and non-routine activities; human factors (behaviour, capabilities, fatigue); infrastructure, equipment, and materials; design of work areas and processes; emergency situations; and changes — planned and unplanned. Most hazard identification exercises miss non-routine tasks (maintenance, cleaning), which is where many serious injuries occur.
The UK Health and Safety Executive (HSE) five-step approach is the most widely adopted risk assessment framework globally, referenced in EU guidance, aligned with ISO 45001, and accepted by OSHA as a systematic method.
"Risk assessment is the process of evaluating the risks to the health and safety of workers and others arising from hazards at work, so that adequate control measures can be put in place."
Step 1: Walk around the workplace. Talk to workers — they know the hazards best. Review accident records, near-miss reports, and SDSs. Consider all 6 hazard categories. Think about non-routine tasks, young workers, new employees, and pregnant workers who may be more vulnerable.
Step 2: Identify all groups: employees, contractors, visitors, members of the public, vulnerable groups (new/young workers, pregnant workers, workers with disabilities). Consider how each group could be harmed — different hazards affect different people differently. ISO 45001 Clause 6.1.2.1 specifically requires consideration of "all persons who may be affected."
Step 3: Assign likelihood (probability of harm occurring) and severity (potential consequences) ratings to each hazard. Multiply to get a risk score. Use a risk matrix to categorise: Low / Medium / High / Critical. Consider existing controls — what is already in place? Is it sufficient?
Step 4: Document the assessment: hazard identified, who could be harmed, risk rating, controls recommended, person responsible, and completion date. Apply controls using the Hierarchy of Controls (elimination first, PPE last). In the UK, written risk assessment is legally required for employers with 5 or more employees (Management Regulations 1999).
Step 5: Risk assessments are not one-time documents. Review when: there is a significant change in process or equipment; after an incident or near miss; at least annually for high-risk activities; when new hazards emerge (new chemicals, new tasks, new staff). ISO 45001 Clause 6.1.2.3 requires risk assessment to be kept as documented information.
A risk matrix plots likelihood against severity to produce a risk rating. It is the most widely used risk scoring tool in the world — used in OSHA programs, ISO 45001 implementations, and military/aerospace standards.
Risk = Likelihood × Severity. This formula is the basis of virtually every risk matrix in use today. The scoring scales vary (3×3, 4×4, 5×5) but the principle is the same. MIL-STD-882E (US Dept of Defense System Safety Standard) uses a 5×4 matrix. ISO 45001 does not prescribe a specific matrix format but requires that risks be evaluated consistently.
| Likelihood ↓ / Severity → | 1 — Negligible (First aid only) | 2 — Minor (Medical treatment) | 3 — Serious (Lost time injury) | 4 — Major (Permanent disability) | 5 — Catastrophic (Fatality / multiple) |
|---|---|---|---|---|---|
| 5 — Almost Certain (Daily/weekly) | 5 MEDIUM | 10 HIGH | 15 CRITICAL | 20 CRITICAL | 25 CRITICAL |
| 4 — Likely (Monthly) | 4 LOW | 8 MEDIUM | 12 HIGH | 16 HIGH | 20 CRITICAL |
| 3 — Possible (Yearly) | 3 LOW | 6 MEDIUM | 9 MEDIUM | 12 HIGH | 15 HIGH |
| 2 — Unlikely (Every few years) | 2 LOW | 4 LOW | 6 MEDIUM | 8 MEDIUM | 10 HIGH |
| 1 — Rare (Once in career) | 1 LOW | 2 LOW | 3 LOW | 4 LOW | 5 MEDIUM |
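The matrix above assigns a rating to each cell, so a risk register can be checked against it mechanically. The following is an added example, not part of the original course material: it encodes the printed matrix, lists any score that carries more than one rating, and audits a small constructed register (the likelihood and severity values given to the wet-floor entries are assumptions).

```python
from collections import defaultdict

BANDS = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Ratings copied cell by cell from the matrix above.
# Key = likelihood (1..5); list index = severity - 1.
MATRIX = {
    5: ["MEDIUM", "HIGH", "CRITICAL", "CRITICAL", "CRITICAL"],
    4: ["LOW", "MEDIUM", "HIGH", "HIGH", "CRITICAL"],
    3: ["LOW", "MEDIUM", "MEDIUM", "HIGH", "HIGH"],
    2: ["LOW", "LOW", "MEDIUM", "MEDIUM", "HIGH"],
    1: ["LOW", "LOW", "LOW", "LOW", "MEDIUM"],
}

def rate(likelihood, severity):
    """Return (score, rating) for one cell; reject values off the 1..5 scale."""
    if likelihood not in MATRIX or severity not in (1, 2, 3, 4, 5):
        raise ValueError("likelihood and severity must be integers from 1 to 5")
    return likelihood * severity, MATRIX[likelihood][severity - 1]

def ambiguous_scores():
    """Scores whose rating depends on which cell produced them."""
    seen = defaultdict(set)
    for lik in MATRIX:
        for sev in range(1, 6):
            score, rating = rate(lik, sev)
            seen[score].add(rating)
    return {s: sorted(r, key=BANDS.index) for s, r in seen.items() if len(r) > 1}

def is_monotonic():
    """True if raising likelihood or severity by one never lowers the rating."""
    rank = lambda lik, sev: BANDS.index(rate(lik, sev)[1])
    return all(
        rank(lik, sev) <= rank(min(lik + 1, 5), sev)
        and rank(lik, sev) <= rank(lik, min(sev + 1, 5))
        for lik in range(1, 6) for sev in range(1, 6)
    )

def audit_register(entries):
    """Return entries whose recorded rating differs from the matrix cell."""
    findings = []
    for hazard, lik, sev, recorded in entries:
        score, expected = rate(lik, sev)
        if recorded != expected:
            findings.append((hazard, score, recorded, expected))
    return findings

# Constructed register: the likelihood/severity values are illustrative.
REGISTER = [
    ("Wet floor, busy corridor", 4, 3, "HIGH"),
    ("Wet floor, locked storeroom", 1, 3, "LOW"),
    ("Constructed entry banded by score alone", 3, 5, "CRITICAL"),
]

if __name__ == "__main__":
    print(ambiguous_scores(), is_monotonic(), audit_register(REGISTER))
```

On this matrix the only score with two ratings is 15, so a rating should be read from the cell rather than derived from the score alone.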
Once you have identified a hazard and assessed its risk, you must select a control. The Hierarchy of Controls is a universally mandated framework that ranks control measures from most to least effective.
"The employer shall implement feasible engineering and work practice controls to reduce and maintain employee exposure at or below the permissible exposure limit…"
Elimination: Physically remove the hazard entirely. The most effective control — eliminates the risk at source.
Substitution: Replace the hazard with something less dangerous. Reduces risk but does not eliminate it.
Engineering controls: Isolate people from the hazard through physical design changes. Works without relying on worker behaviour.
Administrative controls: Change the way people work. Relies on compliance and behaviour — less reliable than engineering controls.
PPE: The last line of defence. Does not reduce or eliminate the hazard — only protects the individual if everything else fails. Should never be the only control for a significant hazard.
Legal mandate — worldwide: The Hierarchy of Controls is not just good practice — it is legally mandated in most jurisdictions. OSHA 29 CFR 1910.1000 requires engineering controls before administrative controls before PPE for air contaminants. ISO 45001:2018 Clause 8.1.2 requires following the hierarchy. The UK Management of Health and Safety at Work Regulations 1999, Regulation 4 mandates the same order. ILO-OSH 2001, Section 3.10.1 requires preventive and protective measures to follow the hierarchy.
Common mistake — jumping straight to PPE: Many organisations issue PPE as the first response to a hazard because it is cheap and quick. This is legally insufficient when higher-level controls are feasible. OSHA has cited employers for relying on PPE when engineering controls were practicable. Always ask: can we eliminate or engineer out this hazard before issuing gloves?
See how a JHA works in practice. This example analyses a common task: changing a drum of chemical on a manufacturing line. Every step follows OSHA's JHA methodology (OSHA Publication 3071).
OSHA Publication 3071 is OSHA's free guide to conducting Job Hazard Analyses. It is the definitive US reference for JHA methodology. The same approach is described internationally as "Task Risk Assessment" (TRA) or "Step-by-Step Risk Assessment." ISO 45001 Clause 6.1.2.1 requires this level of analysis for hazard identification.
Task: Changing a 200L drum of chemical solvent on a production line · Standard applied: OSHA 3071 · Additional refs: OSHA 29 CFR 1910.1200, 1910.119
| Job Step | Potential Hazard | Risk Score | Recommended Controls (Hierarchy) |
|---|---|---|---|
| 1. Gather tools and PPE | Inadequate PPE for chemical — skin/eye contact with solvent. Chemical: vapour inhalation. | HIGH 12 | Eng: LEV in drum-change area. Admin: SDS review before task; PPE checklist. PPE: Chemical-resistant gloves, safety glasses, respirator (half-face with organic vapour cartridge). |
| 2. Move drum from storage to production line | Manual handling injury (back/musculoskeletal). Drum tip-over — chemical spill, fire, slip hazard. | HIGH 12 | Eng: Use drum trolley or forklift — no manual lifting of 200L drum. Admin: Inspect drum integrity before moving; clear path of travel. PPE: Safety footwear (steel toe). |
| 3. Disconnect empty drum and connect new drum | Chemical splash during disconnection. Vapour release — flammable atmosphere. Static electricity — ignition source. | CRIT 16 | Elim: Closed-loop coupling system eliminates splash risk. Eng: Bonding and grounding of drum and equipment (NFPA 77); LEV on. Sub: Low-vapour-pressure alternative chemical if feasible. Admin: Permit to Work; no ignition sources within 5m; two-person task. PPE: Full face shield, chemical gloves, anti-static footwear. |
| 4. Dispose of empty drum | Residual chemical in drum — vapour, fire, skin contact. Drum considered hazardous waste if contaminated. | MED 9 | Admin: Label drum as hazardous waste per OSHA 1910.1200 and RCRA (40 CFR 262). PPE: Chemical gloves. Admin: Approved waste contractor for disposal — not general waste. |
| 5. Clean up and inspect area | Residual solvent spill creating slip/fire hazard. Contaminated rags — fire or skin hazard. | LOW 4 | Admin: Use solvent-compatible absorbent (not paper towel). Store used rags in covered metal bin (NFPA 30). Inspect area for leaks. Sign off permit-to-work. |
Notice how Step 3 (drum connection) is rated CRITICAL — this is where the most controls are applied, and elimination (closed-loop coupling) is specified first before PPE. This is the Hierarchy of Controls in action. The JHA ensures that the highest-risk steps receive the most robust controls. Reference: OSHA 3071; NFPA 77 (static); NFPA 30 (flammables).
As you progress, you will encounter these more specialised methods. Each one is applied in specific contexts — knowing which tool to use when is a hallmark of an experienced EHS professional.
Bow-tie analysis maps the causal pathway from hazard to top event (the unwanted incident) and from the top event to consequences. The left side shows threats (causes) and prevention barriers; the right side shows consequences and recovery/mitigation barriers.
Fault tree analysis (FTA) is a top-down, deductive failure analysis that uses Boolean logic (AND/OR gates) to model the combinations of events that can lead to a specific undesired event (top event). It calculates the probability of the top event from component failure rates.
Event tree analysis is the forward-looking complement to FTA. Starting from an initiating event, it traces the possible outcomes through a series of success/failure branches (safeguards, barriers, systems). Calculates the probability and severity of each outcome path.
LOPA is a semi-quantitative method used primarily in process safety to evaluate whether independent protection layers (IPLs) provide sufficient risk reduction. Each IPL has a probability of failure on demand (PFD). LOPA verifies that the combination of IPLs reduces risk to a tolerable level.
The NIOSH Revised Lifting Equation (1994) calculates a Recommended Weight Limit (RWL) and Lifting Index (LI) for manual lifting tasks. LI > 1.0 indicates increased risk of musculoskeletal disorder. Widely accepted by OSHA and used in industrial ergonomics.
QRA uses numerical data and probabilistic modelling to calculate Individual Risk (IR) and Societal Risk (F-N curves) from major hazard scenarios. Used for land-use planning around major hazard sites, offshore safety cases, and process industry risk management.
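A minimal evaluator for the fault tree and LOPA calculations described above, as an added example that is not part of the original course material. The tree, the probabilities and the IPL values are constructed for illustration, and basic events are assumed independent (a basic event that appears in more than one branch would break that assumption).

```python
from math import prod

def evaluate(node, basic):
    """Probability of a fault-tree node, assuming independent basic events.

    node is a basic-event name or a tuple ("AND" | "OR", child, child, ...).
    """
    if isinstance(node, str):
        p = basic[node]
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{node}: probability {p} outside 0..1")
        return p
    gate, *children = node
    if not children:
        raise ValueError(f"{gate} gate has no inputs")
    probs = [evaluate(child, basic) for child in children]
    if gate == "AND":   # every input must occur
        return prod(probs)
    if gate == "OR":    # at least one input occurs
        return 1.0 - prod(1.0 - p for p in probs)
    raise ValueError(f"unknown gate {gate!r}")

def lopa(initiating_freq, ipl_pfds, tolerable_freq):
    """Return (mitigated frequency per year, True if it meets the target)."""
    for pfd in ipl_pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError(f"PFD {pfd} outside (0, 1]")
    mitigated = initiating_freq * prod(ipl_pfds)
    return mitigated, mitigated <= tolerable_freq

# Constructed tree for the drum-change step: a fire needs a flammable
# vapour release AND an ignition source (static discharge OR another source).
FIRE_TREE = ("AND", "vapour_release", ("OR", "static_discharge", "other_ignition"))

# Constructed per-task probabilities, for illustration only.
BASIC_EVENTS = {"vapour_release": 0.1, "static_discharge": 0.01, "other_ignition": 0.005}

if __name__ == "__main__":
    print(evaluate(FIRE_TREE, BASIC_EVENTS))
    # Constructed LOPA case: 0.1 events/year, two IPLs, target 1e-5 per year.
    print(lopa(0.1, [0.1, 0.01], 1e-5))
```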
A risk assessment that isn't documented didn't happen — at least not in the eyes of a regulator. Here is what international law requires you to record and retain.
| Jurisdiction | Legal Requirement | What Must Be Recorded | Retention |
|---|---|---|---|
| USA (OSHA) | OSHA 29 CFR 1904 (recordkeeping); General Duty Clause implies documentation of hazard assessments | Form 300 (injury log), Form 301 (incident report), Form 300A (annual summary). JHA records retained. PSM PHA documentation required for covered processes. | Form 300: 5 years. PSM records: life of process + 1 year. |
| UK (HSE) | Management of Health and Safety at Work Regulations 1999, Regulation 3 | Written risk assessment required for employers with 5+ employees. Significant findings, vulnerable groups, and control measures must be recorded. | Until superseded. RIDDOR reports: 3 years. |
| EU Member States | EU Framework Directive 89/391/EEC, Article 9; national implementations | Risk assessment results; list of hazardous substances; health surveillance records; preventive and protective measures taken. | Varies by member state; typically 10–40 years for health records. |
| International (ISO) | ISO 45001:2018, Clause 6.1.2.3 (documented information) | Hazard identification results, risk assessment results, risk controls, OH&S objectives, and evidence of ongoing review must be maintained as documented information. | Organisation-defined; sufficient for audit trail. Retained per Clause 7.5. |
| Global (ILO) | ILO-OSH 2001, Section 3.7–3.9 | Initial review, hazard identification, risk assessment records, and preventive/protective measure documentation. | Organisation-defined; must be available to workers. |
Best practice tip: ISO 45001:2018 Clause 7.5 (documented information) requires that risk assessment records be controlled — versioned, dated, approved, protected, and accessible to relevant workers. Workers have the right to access information about risks to their health and safety under ILO C155 Article 19 and OSHA's Hazard Communication Standard 29 CFR 1910.1200. Never restrict worker access to risk assessments that affect them.
1. ISO 45001:2018 defines "risk" as which of the following?
2. According to the Hierarchy of Controls (ISO 45001 Clause 8.1.2 and OSHA 29 CFR 1910.1000), which control measure is considered MOST effective?
3. OSHA's Construction "Fatal Four" — the four causes of 60% of construction fatalities — include which of the following groups?
4. Which international standard was published in 2021 specifically to address psychosocial risks in the workplace?
5. The UK's legal requirement to conduct a WRITTEN risk assessment applies to employers with how many employees?
6. HAZOP (Hazard and Operability Study) is mandated by which OSHA standard for covered process industries?