← Insights

Health & safety

The workplace risk assessment, done properly

July 2026 · 6 min read

Walk onto most sites and you can find a stack of risk assessments. Ask which ones are still accurate and the stack gets a lot thinner, fast. A risk assessment that is filed and forgotten is not a risk assessment - it is a compliance artefact shaped like one.

The paperwork that actually protects people has a specific shape. It follows five steps, it scores the job twice, and it knows when it has gone stale. Miss any one of those and it stops doing its job long before anyone notices.

The five steps, in order

A workplace risk assessment is not a form filled in once and filed. It is a five-step process, and the order matters because each step depends on the last:

Most of the paperwork that fails does so at step three, and it fails in a specific, structural way: it scores the hazard once and stops.

Score it twice, or you have proven nothing

Here is a fair test for any risk assessment on your site: does it show two numbers for the same activity, or one? A single rating tells you the job is dangerous. It does not tell you whether your controls make any difference. A hazard can carry a rating of 15 with no controls and a rating of 15 with three controls listed underneath it, and the paperwork looks identical either way - nobody reading it can tell whether the controls are earning their keep.

The fix is to score the activity twice: the initial risk (sometimes called inherent risk) with no controls in place at all, and the residual risk once your actual controls are applied. The gap between the two numbers is the only honest evidence that your controls do anything - no gap, no proof, and that is worth knowing before an incident tells you the same thing the hard way.

A hazard recorded but scored only once tells you it exists. It does not tell you whether you have it under control.

The 5x5 matrix, in plain terms

The scoring itself does not need to be complicated. A 5x5 matrix rates two things on a scale of 1 to 5 each: how likely the harm is, from rare to almost certain, and how severe it would be if it happened, from minor to catastrophic. Multiply the two and you get a score from 1 to 25, which sorts into rating bands - typically something like low, medium, high and critical.

Score every activity the same way, initial and residual, and the bands do two things at once: they rank your open exposures so you know where to spend the next hour of effort, and they give the residual score somewhere obvious to sit once a control genuinely lowers it - so a critical exposure cannot quietly settle at "medium" because nobody wanted to write down the honest number.

Closing the gap: the hierarchy of control

Scoring the gap only matters if you then close it with controls that actually work, and not every control pulls its weight equally. The hierarchy of control ranks them from most to least effective:

This is where so many residual scores never move. A register that lists "wear gloves and safety glasses" as the only control against a machine-guarding hazard has reached for the bottom of the hierarchy and stopped there. PPE is real protection, but it only works if worn correctly, every time, by every person, and it does nothing for the person standing next to the one wearing it. If a residual score barely differs from its initial score, look at where the listed controls sit on this ladder before you look anywhere else.

Who might be harmed, honestly

The second step in the five - deciding who might be harmed - is the one most likely to get answered lazily. "Operators" is rarely a complete answer. Take a welding bay: the welder wears the right PPE, but the labourer wheeling stock past the curtain and the contractor doing a five-minute extraction check are exposed too, and both are routinely left off the paperwork. A proper pass should also cover:

Naming these groups on the assessment itself, next to the hazard rather than in a separate policy document, is what turns "who might be harmed" from a box-ticking line into something that actually changes which controls you choose.

Review is where it quietly dies

A risk assessment does not fail with a bang. It fails by going out of date while nobody is looking. The layout changes, a new machine goes in, a supplier substitutes a material, and the assessment on file still describes the workplace as it was eighteen months ago.

The fix is not more diligence - diligence does not scale across a busy site. It is a review date on every assessment that flags itself, so one sliding toward stale shows up as due soon and then overdue without anyone needing to remember to check. Review on a set schedule as a baseline, and always after two triggers regardless of the schedule: a change to the work, the equipment or the environment, and any incident or near miss connected to the activity. Both are moments when the old rating is provably wrong.

Not the same as a project risk register

It is worth being clear about what this document is not. A project or business risk register tracks exposures to a programme of work - schedule slip, budget overrun, supplier failure - scored by their impact on the project's objectives. A workplace risk assessment tracks hazards to people doing a physical activity, scored by the likelihood and severity of harm to them. The two use similar-looking grids and get confused for that reason, but a business risk register is no substitute for a hazard-by-hazard look at the work itself.

The risk assessment that scores every job twice

A 5x5 register that scores each activity before and after controls, flags who could be harmed and watches every review date - with a printable form and a live dashboard.

Get the Risk Assessment on Etsy

Never miss a guide

New articles and templates, straight to your inbox. Plus a free tool to start.

By subscribing you consent to receive emails from Axiom. Your address is stored with Kit, our email provider, and never shared. Unsubscribe any time via the link in every email. Privacy policy.