Risk Assessment

1 Feb 2010 Denise Copeland    Last updated: 2 Nov 2022

This article provides clear, concise information and a straightforward guide to risk assessment. It will help your committee/board to adhere to Principle 4 of the Code of Good Governance: Exercising appropriate control.

Risk assessment - five steps of the process

A risk assessment is a careful examination of what could potentially cause harm to people. It involves identifying the hazards present and then evaluating the extent of the risk they pose.

By carrying out a risk assessment, it should be easier to assess whether or not enough precautions have been taken to reduce the potential risk and assess whether or not more controls are needed to prevent harm.

Step One: identify hazards 

A HAZARD is anything that can cause harm; a RISK is the chance, high or low, that somebody will be harmed by the hazard.

Draw up a preliminary checklist of all significant hazards (ignore the trivial):

  • Walk around the workplace, venue, grounds, etc. and look at what could reasonably be expected to cause harm
  • Ask employees, volunteers or users for their help in identifying hazards, bearing in mind that some hazards may seem familiar and some individuals may not be aware that they can cause harm
  • Look in the accident book as a guide to risks that individuals have already been exposed to.

An example of a preliminary checklist for an office:

Hazards and issues to consider

  • Display screen equipment - Level of use, comfort of staff, training.
  • Electrical equipment - Visual checks, routine maintenance.
  • Fire - Means of escape, fire alarm and firefighting, housekeeping, storage, smoking.
  • Slips, trips, falls - Maintenance, housekeeping, training.
  • Others - Toilets, temperature, welfare.

Once you have identified the hazards, then you need to look at associated issues that need further consideration and think about the people who might be harmed.

Step Two: identify people who might be harmed and how

It is not necessary to identify individuals by name; think about groups of people. Bear in mind that the following groups are especially at risk:

  • Young
  • New employees/volunteers
  • Pregnant
  • Inexperienced volunteers/employees
  • Disabled
  • Lone workers
  • Contractors
  • Maintenance workers
  • Visitors
  • The public.

Step Three: analyse risk

Now that you have identified all the significant hazards, consider how likely it is that each hazard could cause harm and determine the likelihood and severity of the risk.

Likelihood:

  • High – ‘certain or near certain’
  • Low – ‘seldom’

Severity:

  • Major – ‘death, major injury, etc.’
  • Minor – ‘all other injuries, illness’

Likelihood: rating system

Some people tend to put too much emphasis on the likelihood of a risk; they should also consider the severity of the risk.

  • Rating 1 = Low
  • Rating 2 = Moderate
  • Rating 3 = High

Severity: rating system

The biggest risk is NOT the hazard that may happen most frequently.

  • Rating 1 = Minor
  • Rating 2 = Serious
  • Rating 3 = Major

Calculating risk

Multiply likelihood and severity. For example, the likelihood of office staff getting a paper cut is moderate but the severity would be minor; therefore, to find the risk rating, multiply 2 by 1, which gives you 2.

If it is a high risk, then it is a high priority.

Risk rating and priority

In the example of the paper cut, the risk rating is 2, which is a low priority action, as can be seen from the figures below.

  • 1 = No action, low priority
  • 2 = Low priority action
  • 3 and 4 = Medium priority action
  • 6 = High priority
  • 9 = Urgent action

The only value of attributing a number is to help to assess the greatest risk.

Evaluate risk

When evaluating the risk, consider existing precautions in place:

  • Do they meet the standards set by legal requirements?
  • Do they comply with industry/organisation standards?
  • Do they reduce risk so far as is reasonably possible?
  • Do controls work in practice, and are the procedures being followed?
  • Do they represent good practice?
  • Do you provide sufficient information and/or training?

If the risk is not adequately controlled, then draw up an action list of further controls or precautions needed.

Risk control hierarchy

You should use the following hierarchy to eliminate/minimise risk, e.g. if it is not possible to eliminate the hazard at once, you should reduce the hazard, and so on down the hierarchy.

  • Eliminate hazard at source
  • Reduce hazard at source
  • Remove person from hazard
  • Contain hazard by enclosure
  • Reduce employee exposure
  • Change systems of work
  • Personal protective equipment (PPE) - if you can’t reduce the risk, protect against it.

Inform other individuals and/or organisations about any risks your work could cause them and precautions being taken.

Step Four: records

You are required by law to keep a written record of the risk assessment if you have five employees or more and tell employees about the findings. However, it is recommended that all risk assessments should be written down, not only for good practice but also as the insurance company will ask for it in the event of a claim against your group.

The written risk assessment should be suitable and sufficient if it shows that:

  • A proper check was made
  • You asked who might be affected
  • You dealt with all the obvious significant hazards, taking into account the number of people who could be involved
  • The precautions are reasonable and the remaining risk is low.

An example of a basic risk assessment, as taken from the Health and Safety Executive’s guide to risk assessment, is attached as a guide for your organisation. Also attached is a more detailed assessment which may help you with this process.

Step Five: review

When reviewing the process, you need to consider:

  • Does it work?
  • Has it been effective?
  • Is it up to date?
  • Circumstances could change...

There could be a situation where one risk may conflict with another risk, e.g. a health and safety precaution may override an equality consideration.

You need to decide/consider:

  • Who will take action and when
  • How to inform employees, volunteers, etc.
  • Effectiveness of control measures
  • Review for new hazards.


For further information contact:

NICVA Governance and Charity Advice Service
Tel: 028 9087 7777
Email: [email protected]

NICVA’s governance and charity advice staff can deliver specialised training on Assessing and Managing Risk.

For risk assessment template and example risk assessments visit 

Online governance resources mapped to the principles of the Code of Good Governance.

Every effort is made to ensure that the contents of this document are accurate, but the advice given should not be relied on as a definitive legal statement.
by Denise Copeland

Governance and Charity Advice Manager
