Conducting risk assessments

These guidelines describe how to conduct a risk assessment. The line manager is responsible for carrying out risk assessments at the unit.

Norsk versjon - Gjennomføre risikovurdering

Topic page about HSE | Pages labelled with HSE | Pages labelled with risk assessments

For more information about risk assessments, aspects that might belong in a risk assessment, applicable responsibilities and sources of information, see Risk assessments.

26.04.2019 - IMPORTANT INFORMATION:// Unfortunately, serious errors have been reported in RiskManager risk assessment. The errors are that data can be lost even if you have clicked "save" or navigated between tabs (where auto saving should take place). The errors are of such a nature that, until further notice, we discourage the use of RiskManager's risk assessment for new risk assessments.

A new, digital solution for risk assessment is being worked on, but this will hardly be in place until autumn.

Until we have found a solution, we ask you to use Excel, paper form, or the like for risk assessment.

Login – digital risk assessment system

 Risk assessment login


The purpose of the pre-meeting/mapping is to:

  • get an overview over the aspects that are being risk assessed
  • establish goals for the risk assessment
  • determine how to conduct the risk assessment and who participates in the risk assessment

Individuals with a good knowledge of the subject of the risk assessment should participate in the pre-meeting/mapping.

What should be clarified?

Which tasks and activities are performed? Can some of the tasks and activities cause injury or damage to humans, equipment and/or the environment? The following can be an appropriate procedure for mapping:

  • Conduct an inspection of the activity, process and localities.
  • Go through any applicable HSE guidelines and other requirements.
  • Examine how regulations, guidelines etc. are followed up.
  • Speak to individuals who are performing the tasks, using the equipment and/or have knowledge of the subject of the risk assessment.

When you have an overview of what can cause injury and damage to humans, equipment and/or the environment, you have to determine what should be risk assessed and how comprehensive the risk assessment should be:

  • Should the risk assessment be conducted for a single task or process (from material procurement, through processing to the final product) or for all the activities in a room?
  • Should the risk assessment include health, material values, reputation and/or the environment?
  • If you are assessing the risk of health damage: Does this apply to an individual or to a group of people? Different people can endure different levels of strain.
  • Should you assess acute effects or long-term effects?

Risk assessment frameworks

Establish frameworks for the risk assessment. Follow the steps in the risk assessment system.

Goals and descriptions


  • What do you want to know?


  • Why do you want to conduct a risk assessment? Legislation, nonconformities, standard procedure, etc.

Description and boundaries

  • Who are affected by the subject of the risk assessment? NTNU, the unit, external entities or others?
  • Are there any previous risk assessments or other documentation that can be used as references?
  • Limit the risk assessment to make it as specific as possible. The limitations can be physical/geographical or limitations in time, resources or the activities/processes included, as well as limitations in the consequences that are being risk assessed.

Conditions, assumptions and simplifications

  • Describe any preliminary special assessments.


Risk assessments must always be done by more than one person. Clarify who should participate in the risk assessment and who should have read access to the risk assessment. Participants and readers must be selected specifically for each risk assessment:

Mapping documentation

Tips: Mapping can be documented directly into the risk assessment system.

  • Add the "activity/process" to the mapping form as a "source of danger" ("Risk analysis" tab).
  • Any necessary text is added in the description field.
  • If the mapping reveals that it is not necessary to risk assess an activity/process (source of danger), the field "unwanted incident" should remain blank.

Mapping form (doc) / Mapping form (pdf) can also be used for help. If so, please upload the form as an attachment in RiskManager ("Intro" tab)

Risk assessment

Follow the steps in the risk assessment system. See Risk assessments for a user manual and information about roles and access to RiskManager

Risk matrix

The risk assessment system uses the following risk matrix:

  • X-axis (horizontal): Consequence
  • Y-axis (vertical): Probability

The colours indicate degrees of risk:

  • Red: Unacceptable risk. Measures must be taken.
  • Yellow: Consideration. Consider whether measures might be necessary.
  • Green: Acceptable risk. Consider whether measures might be necessary.

After deciding on a measure to be taken, a new risk assessment must be conducted to investigate whether the risk is now at an acceptable level ("Post-measure evaluation" tab).


RiskManager uses the following grades of probability:

  1. 1 time per 50 years or less. Ergonomics: No instances.
  2. 1 time per 10 years or less. Ergonomics: One instance.
  3. 1 time per year or less. Ergonomics: Single instances.
  4. 1 time per month or less. Ergonomics: Periodically.
  5. Daily – every week. Ergonomics: Continuously.


RiskManager assesses consequence for the following aspects:

  • Health
  • Material values
  • Reputation
  • Environment

The consequence is graded from 1 to 5 (least serious to most serious). Descriptions are available in the consequence grading table.

Follow-up and end result

Go through the activity/process again.

  • Conduct a new inspection of the activity/process (if necessary) to either:
  1. confirm that the specified probability and consequence is acceptable, or
  2. adjust the risk values.
  • Go through, assess and prioritise measures to prevent unwanted incidents. Measures that reduce probability should receive the highest priorities, followed by measures that reduce consequences.
  • Conduct an overall assessment to determine whether the risk is now acceptable. This is documented in writing under "Final assessment".
  • A completed risk assessment forms a basis for drawing up work procedures, training and choices of safety equipment.
  • The completed risk assessment and any new work procedures must be made known/available to everyone involved.
  • Prepare a plan of action and (if necessary) a cost estimate for planned measures. Scheduled measures can be found under the "Measures" tab. The measures will also be included in the report printed from the risk assessment system. The system will soon include improved functionality for plans of action.

Copy a previously conducted risk assessment

You can reuse a previously conducted risk assessment if you want to risk assess a similar work task / process or revise the existing risk assessment. As of today, the option is to copy the exiting risk assessment and make the necessary adjustments.

  1. Log in to risk assessment.
  2. Click on the tab "Overview".
  3. Find the risk assessment you want to copy and click "Copy".

When copying a risk assessment, you can choose whether you want to include the actual risk analysis (probability and consequence assessment):

We recommend that you give the new risk assessment a new name, or it will automatically get the same name as the risk assessment you are copying.

Existing measures listed under the "Existing measures" tab in the risk assessment you copy will be included in the new risk assessment. However, what is listed under the "Planned actions" and "Evaluation after actions" tab will not be included in the new risk assessment, even if the actions are registered as completed.

Safe work analysis

A safe work analysis is conducted:

  • when tasks/processes are changed frequently, and a risk assessment has already been made.
  • to increase awareness of the risks before starting work. This is especially useful for individuals who have not taken part in the risk assessment.

The form for safe work analysis (SJA) is available in three versions:


Is it possible to systematize risk assessments in any way? Can they can be organized in folders, "tags", etc.?

As of today, the only way to systematize risk assessments is to use project number, building number, or other identifiers in the title field of the risk assessment (free text). We have addressed the need to systematize the risk assessments with the supplier several times, but the supplier has unfortunately not prioritized this.

Often, a risk assessment is repeated on a regular basis and it may be expedient to create a new "version". Is the copy feature the only way to reuse an existing risk assessment?

Yes. We do however see that it may be useful to have different versions of the same risk assessment to clearly show what is the latest and guiding version. When copying risk assessments, old and new risk assessments are presented as two separate risk assessments, without any link between them. The only way to separate them is to use the title field and write the version number (free text). We have addressed this need with the supplier several times, but unfortunately, the supplier has not prioritized this.


NTNU regulations




Approved by the Director of HSE – 3 October 2013 – HMSR26 – ePhorte 2013/11326