Hazard Identification and Risk Assessment in the Workplace
Hazard identification and risk assessment form the analytical foundation of any occupational safety program, establishing the systematic process by which employers recognize workplace dangers and evaluate the likelihood and severity of resulting harm. These processes are mandated under the Occupational Safety and Health Act of 1970 (29 U.S.C. § 651 et seq.) and are operationalized through OSHA standards across general industry, construction, maritime, and agriculture sectors. This page covers the regulatory framing, structural mechanics, classification boundaries, and process steps that define how hazard analysis functions in practice.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
- References
Definition and scope
OSHA's General Duty Clause (Section 5(a)(1) of the OSH Act) requires employers to furnish a workplace free from recognized hazards that are causing or likely to cause death or serious physical harm. That obligation cannot be satisfied without first identifying which hazards exist — making hazard identification a legal prerequisite, not merely a management best practice. For a fuller treatment of how that statutory obligation is structured, see the page on the regulatory context for workplace safety.
Hazard identification is the process of recognizing conditions, agents, or work practices with the potential to cause injury, illness, or property damage. Risk assessment is the subsequent analytical step that evaluates the probability of a hazard producing harm and the severity of that harm. Together, they produce a risk profile — a ranked inventory of workplace threats that informs control selection, resource allocation, and training priorities.
ANSI/AIHA Z10-2012, the American National Standard for Occupational Health and Safety Management Systems, defines risk assessment as a structured evaluation covering both likelihood and consequence. The International Organization for Standardization's ISO 45001:2018 standard (ISO 45001) similarly frames hazard identification as a continuous organizational process rather than a one-time audit event. NIOSH's Hierarchy of Controls framework sits downstream of risk assessment, using the output of the assessment to sequence control measures from elimination through personal protective equipment. More detail on that hierarchy is available at hierarchy of hazard controls.
The scope of hazard identification extends across 4 primary exposure pathways: physical, chemical, biological, and ergonomic. OSHA's sector-specific standards each encode hazard recognition requirements within those pathways — for example, 29 CFR 1910.119 (Process Safety Management) mandates formal Process Hazard Analysis for facilities handling highly hazardous chemicals above threshold quantities.
Core mechanics or structure
A functional hazard identification and risk assessment (HIRA) system operates in 3 sequential phases: hazard identification, risk estimation, and risk evaluation.
Phase 1 — Hazard Identification involves systematically surveying all work environments, tasks, tools, materials, and worker interactions to surface potential harm sources. Primary data collection methods include workplace walkthroughs, job hazard analysis (JHA), incident and near-miss record review, safety data sheet (SDS) review under OSHA's Hazard Communication Standard (29 CFR 1910.1200), and worker interviews. OSHA's Field Operations Manual instructs compliance officers to conduct an opening conference and a records review as the first two steps of any inspection — mirroring the same information-gathering logic that underpins internal hazard identification.
Phase 2 — Risk Estimation quantifies or qualifies each identified hazard by scoring two variables: the likelihood that a harmful event will occur, and the severity of consequences if it does. These two variables are typically combined in a risk matrix format (see the reference table in the final section). NIOSH's Health Hazard Evaluation program applies this two-variable approach during field investigations of reported health concerns.
Phase 3 — Risk Evaluation compares estimated risk levels against acceptable thresholds. ISO 45001 defines risk acceptance criteria as something each organization must establish explicitly — there is no universal numerical threshold embedded in federal OSHA standards. Outcomes from evaluation drive decisions about whether a hazard requires immediate control, scheduled abatement, engineering review, or documented acceptance with monitoring.
Causal relationships or drivers
The accuracy and completeness of a HIRA output depend on 4 upstream factors.
Worker participation is the most operationally significant driver. Workers who perform tasks daily are the primary detection mechanism for non-obvious hazards — pinch points, awkward postures, ventilation gaps, and behavioral workarounds that do not appear in engineering drawings. OSHA's Recommended Practices for Safety and Health Programs explicitly identifies worker participation as one of its 7 core program elements.
Data quality from incident records directly constrains hazard visibility. OSHA 29 CFR 1904 recordkeeping requirements mandate logging of work-related injuries and illnesses on the OSHA 300 Log, but near-miss events — which often predict more serious injuries — carry no mandatory recording requirement. Organizations that capture near-miss data internally produce hazard identification outputs that are systematically more complete than those relying only on OSHA 300 Log data.
Change management is a structural gap in hazard identification programs. Unreviewed changes — new equipment, modified work processes, substitute chemicals, or workforce reassignments — introduce hazards that pre-existing assessments do not cover. OSHA's PSM standard (29 CFR 1910.119(l)) addresses this through the Management of Change requirement, which mandates formal hazard review before process changes take effect.
Assessment frequency affects detection of evolving hazards. A HIRA conducted once and filed without review will fail to capture hazards introduced by equipment wear, staff turnover, seasonal work conditions, or regulatory changes. ISO 45001 §6.1.1 requires that the hazard identification process account for "changes in the organization, its processes, activities and the OH&S management system."
Classification boundaries
Hazards in the workplace are classified along 6 recognized categories, each with distinct detection methods and applicable regulatory standards.
Physical hazards include noise above 85 dB(A) (subject to OSHA's permissible exposure limit framework at 29 CFR 1910.95), ionizing radiation, temperature extremes, and mechanical energy sources. Full coverage is at physical hazards in the workplace.
Chemical hazards are governed by OSHA's Hazard Communication Standard and require SDS availability for all hazardous substances. The standard classifies chemicals into 16 physical hazard categories and 10 health hazard categories aligned with the Globally Harmonized System (GHS). See chemical hazards and HazCom for the full classification structure.
Biological hazards include bloodborne pathogens regulated under 29 CFR 1910.1030, airborne infectious agents, and environmental biological agents. Healthcare and agriculture sectors carry elevated biological hazard profiles.
Ergonomic hazards encompass repetitive motion, forceful exertion, awkward postures, contact stress, and vibration. OSHA has no comprehensive ergonomics standard in general industry following the Congressional nullification of the 2000 ergonomics rule, but the General Duty Clause has been applied to ergonomic hazards in specific enforcement contexts (OSHA Ergonomics page).
Psychosocial hazards — including workplace violence, job stress, and fatigue — represent a classification gaining regulatory attention. OSHA's Workplace Violence prevention guidelines target healthcare and social service sectors specifically (OSHA Workplace Violence).
Safety hazards (fall hazards, struck-by, caught-in/between, electrical) constitute the majority of OSHA's top-cited violations annually. Falls remain the leading cause of fatality in the construction sector (OSHA Fatal Four).
Tradeoffs and tensions
Four structural tensions complicate HIRA implementation.
Comprehensiveness vs. operational burden. A fully comprehensive HIRA covering every task, chemical, and environmental variable in a large facility can consume substantial analyst time without proportionate safety gain. The practical resolution is risk-tiered prioritization — allocating deeper analysis to higher-consequence tasks — but this requires a threshold judgment that, if set incorrectly, systematically underanalyzes the highest-risk work.
Quantitative vs. qualitative methods. Quantitative risk assessment (assigning numerical probabilities and harm magnitudes) produces defensible, auditable outputs but requires exposure data that small and mid-sized employers rarely possess. Qualitative methods (high/medium/low risk matrices) are accessible but introduce subjectivity and inter-rater variability. Neither approach is mandated by OSHA for general industry; the choice is left to employer discretion except where sector-specific standards (e.g., PSM) specify a methodology.
Point-in-time assessment vs. continuous monitoring. Formal HIRA processes tend to generate static documents that reflect conditions at a single point in time. Workplaces are dynamic — equipment ages, workers rotate, materials change — so a point-in-time assessment degrades in accuracy over time. ISO 45001's continuous improvement model addresses this tension structurally, but implementation requires organizational commitment beyond document production.
Employer-driven assessment vs. worker-reported hazards. Top-down assessment by safety professionals captures engineered systems and documented processes but often misses informal work practices. Bottom-up hazard reporting by workers captures daily operational reality but is subject to underreporting due to fear of retaliation — a concern addressed by OSHA's whistleblower protection provisions (Section 11(c) of the OSH Act).
Common misconceptions
Misconception 1: Hazard identification and risk assessment are the same process.
These are two distinct phases. Hazard identification asks "what could go wrong?" — it produces an inventory of potential harm sources. Risk assessment asks "how likely and how severe?" — it evaluates the items on that inventory. Conflating them produces incomplete outputs: identifying hazards without assessing risk provides no basis for prioritization, while assessing risk without systematic hazard identification misses exposures entirely.
Misconception 2: OSHA requires a single standardized HIRA format.
No such universal format exists in federal OSHA standards for general industry. OSHA's Recommended Practices for Safety and Health Programs describe the function of hazard identification without mandating a specific form, frequency, or documentation template. Sector-specific standards impose more prescriptive requirements — PSM requires a Process Hazard Analysis by one of 6 specified methodologies — but these are exceptions rather than the rule.
Misconception 3: A low injury rate means hazards have been adequately identified.
Injury rates are lagging indicators — they reflect harm that has already occurred. An employer can have a zero-injury year while harboring severe uncontrolled hazards that have not yet produced a recorded event. NIOSH and the National Safety Council consistently identify the gap between leading and lagging indicator reliance as a root cause of safety program failure. Hazard identification is a leading indicator process precisely because it operates before harm occurs.
Misconception 4: Risk assessment is only required for chemical or industrial hazards.
OSHA's General Duty Clause applies to all recognized hazards regardless of category. Ergonomic hazards, workplace violence, and psychosocial stressors have all been cited under the General Duty Clause in enforcement actions, establishing that the obligation to identify and assess hazards is not limited to the categories with dedicated OSHA standards.
Checklist or steps (non-advisory)
The following sequence reflects the HIRA process structure documented in OSHA's Recommended Practices for Safety and Health Programs and ISO 45001 §6.1.
Step 1 — Define scope and work areas
- Enumerate all work locations, shifts, job titles, and tasks within scope
- Include contractor and temporary worker activities
- Document scope boundaries in writing
Step 2 — Collect baseline information
- Gather OSHA 300 Logs from the prior 3 years
- Collect all safety data sheets for chemicals in use
- Review equipment manuals, engineering drawings, and maintenance records
- Compile prior inspection reports and any OSHA citation history
Step 3 — Conduct physical walkthroughs
- Observe tasks as performed, not as written in job descriptions
- Document deviations from written procedures
- Note housekeeping conditions, lighting levels, noise exposure, and access/egress
Step 4 — Perform job hazard analysis (JHA) on priority tasks
- Break each high-risk task into discrete steps (minimum 5-step breakdown for complex tasks)
- Identify hazard type and exposure pathway for each step
- Record existing controls already in place
Step 5 — Estimate risk for each identified hazard
- Rate likelihood using a defined scale (e.g., 1–5 or low/medium/high)
- Rate severity using a defined scale referencing OSHA injury classifications
- Calculate risk score or level using the organization's risk matrix
Step 6 — Evaluate and prioritize
- Compare risk scores against the organization's defined acceptance criteria
- Flag all imminent-danger-level hazards for immediate action
- Rank remaining hazards for scheduled abatement
Step 7 — Document findings
- Record all identified hazards, risk scores, existing controls, and recommended actions
- Assign responsible parties and target completion dates for each control action
- Retain records as part of the OSHA recordkeeping requirements documentation set
Step 8 — Review and update
- Schedule reassessment at defined intervals (ISO 45001 requires reassessment upon change)
- Integrate HIRA findings into the broader safety management systems cycle
- Communicate findings to affected workers
Reference table or matrix
Standard 5×5 Risk Assessment Matrix
| Severity ↓ / Likelihood → | Rare (1) | Unlikely (2) | Possible (3) | Likely (4) | Almost Certain (5) |
|---|---|---|---|---|---|
| Catastrophic (5) | Medium (5) | High (10) | High (15) | Extreme (20) | Extreme (25) |
| Major (4) | Low (4) | Medium (8) | High (12) | High (16) | Extreme (20) |
| Moderate (3) | Low (3) | Medium (6) | Medium (9) | High (12) | High (15) |
| Minor (2) | Low (2) | Low (4) | Medium (6) | Medium (8) | High (10) |
| Negligible (1) | Low (1) | Low (2) | Low (3) | Low (4) | Medium (5) |
Risk level thresholds (illustrative; organizations set their own acceptance criteria per ISO 45001 §6.1):
| Risk Level | Score Range | Typical Action Frame |
|---|---|---|
| Extreme | 20–25 | Immediate cessation or engineering control |
| High | 10–19 | Priority abatement with timeline |
| Medium | 5–9 | Scheduled control implementation |
| Low | 1–4 | Monitor; document acceptance |
HIRA Method Comparison
| Method | Best Fit | Regulatory Reference | Quantitative? |
|---|---|---|---|
| Job Hazard Analysis (JHA) | Task-level, general industry | OSHA JHA Publication 3071 | No |
| Process Hazard Analysis (PHA) | Chemical/process facilities | [29 CFR 1910.119](https://www.osha.gov/laws-regs/regulations/standardnumber/1910/1 |