What is Residual Risk in Health and Safety: How to Access and Manage

In any workplace or system, risk is inevitable. Even after applying safety measures, some level of risk always remains—this is what we call residual risk.

According to the International Organization for Standardization (ISO 45001:2018), residual risk is “the risk remaining after risk treatment.” This concept is vital in any health and safety management system (HSMS), as it forms the basis for continuous improvement and informed decision-making.

What Is Residual Risk?

Residual risk refers to the remaining risk after implementing control measures. These are the hazards that cannot be completely eliminated but must still be monitored and minimized.

Residual Risk = Inherent Risk – Risk Controls

  • Inherent risk: The level of risk before any controls are applied.

  • Risk controls: Actions taken to reduce the likelihood or impact of a hazard.

  • Residual risk: The remaining risk after controls are in place.

Example: A construction worker wears a harness when working at height. The harness reduces the chance of serious injury if a fall occurs, but does not eliminate the risk of falling altogether. That remaining risk is residual risk.

Why Is Residual Risk Important?

Residual risk is critical in decision-making, budgeting, and continuous improvement in workplace safety. Here’s why:

  • Compliance: Standards like ISO 45001, OSHA, and HSE UK require organizations to evaluate and control residual risks.

  • Risk Acceptance: Helps stakeholders determine whether a risk level is acceptable or needs more action.

  • Emergency Planning: Ensures that plans are in place for risks that cannot be eliminated.

  • Transparency: Demonstrates that an organization has evaluated and addressed risks thoroughly.

Examples of Residual Risks in Health and Safety

Here are some common examples across industries:

Industry Hazard Control Measure Residual Risk
Construction Falling from heights Safety harness, guardrails Harness failure, improper usage
Healthcare Needle stick injury Sharps disposal container Accidental pricks due to negligence
Manufacturing Noise exposure Earplugs, soundproofing Hearing loss from prolonged exposure
Office Repetitive strain injury (RSI) Ergonomic workstation setup Discomfort due to poor posture habits
Chemical industry Toxic exposure PPE, ventilation systems Residual vapors or improper equipment use

How to Assess Residual Risk

Effectively assessing residual risk is a structured process that enables organizations to identify gaps in their risk control systems. It ensures that what remains after all preventive and corrective actions has been measured, documented, and managed. Here’s a breakdown of each step:

Step 1: Identify Hazards

The first step in assessing residual risk is identifying all potential hazards within the workplace. A hazard is anything with the potential to cause harm, whether physical, chemical, biological, ergonomic, or psychosocial. Identifying hazards is crucial because any risk that isn’t identified cannot be evaluated or controlled.

To begin, carry out a comprehensive hazard identification process, which may include:

  • Workplace walkthroughs: Physically inspect areas, tools, equipment, and operations.

  • Task analysis: Break down job roles and procedures to pinpoint inherent dangers.

  • Consultation with workers: Engage with employees who are familiar with daily operations—they are often the first to spot hidden risks.

  • Review of incident and accident records: Historical data provides valuable insight into recurring issues or near misses.

  • Using checklists and templates: Established hazard identification tools help standardize the process.

At this stage, consider both routine and non-routine activities (like maintenance or cleaning), and evaluate external risks such as weather conditions or third-party contractors.

Once hazards are identified, they should be recorded in a risk register with enough detail to guide the subsequent stages of assessment. Hazards must not be generalized; specificity is critical—for example, “manual handling of 20kg cement bags” is clearer than “lifting.”

Remember, hazard identification should be ongoing, not a one-time event. Changes in processes, equipment, staffing, or environment can introduce new hazards or modify existing ones, making periodic reviews necessary for a proactive safety culture.

Step 2: Assess Inherent Risk

Once hazards are identified, the next step is to assess the inherent risk—the level of risk posed before any control measures are implemented. This step is foundational, as it serves as the benchmark for evaluating the effectiveness of the risk controls you’ll later apply.

Inherent risk is typically determined by evaluating two key dimensions:

  • Likelihood (Probability): How likely is the hazardous event to occur?

  • Severity (Consequence): How severe would the outcome be if the hazard materialized?

Use a risk matrix to score each hazard. For instance:

Severity \ Likelihood Rare (1) Unlikely (2) Possible (3) Likely (4) Certain (5)
Insignificant (1) 1 2 3 4 5
Minor (2) 2 4 6 8 10
Moderate (3) 3 6 9 12 15
Major (4) 4 8 12 16 20
Catastrophic (5) 5 10 15 20 25

Multiply the severity by the likelihood to obtain a numerical risk rating. The higher the score, the greater the inherent risk.

Inherent risk scoring enables you to prioritize your response. Hazards with high inherent risks must be addressed more urgently than those scoring low. For example, the risk of electrocution in wet environments is both high in severity and likelihood, thus requiring immediate mitigation.

When assessing inherent risk:

  • Don’t factor in any existing controls.

  • Base scores on worst-case realistic scenarios.

  • Ensure consistency by using agreed-upon scoring criteria across your organization.

By establishing this baseline, you can later compare it against the residual risk level to determine how effective your control measures truly are.

Step 3: Implement Control Measures

With inherent risks understood, the next phase involves implementing control measures to reduce the likelihood or severity of a hazard. These measures should follow the Hierarchy of Controls, a five-level framework prioritized from most effective to least:

  1. Elimination – Remove the hazard entirely (e.g., automate a dangerous manual task).

  2. Substitution – Replace the hazard with something less harmful (e.g., using non-toxic chemicals).

  3. Engineering Controls – Physically isolate people from the hazard (e.g., machine guards, ventilation).

  4. Administrative Controls – Change the way people work (e.g., safety training, work rotation).

  5. Personal Protective Equipment (PPE) – Equip workers with gear (e.g., gloves, goggles, helmets).

When implementing controls:

  • Combine multiple control levels if necessary. Relying solely on PPE is not ideal.

  • Consider the cost-benefit balance without compromising safety.

  • Ensure controls are practical and sustainable. For example, a fume hood may be technically effective, but ineffective if not properly maintained.

  • Document all actions taken, including their rationale and the responsible persons.

  • Communicate new procedures clearly to all affected employees.

Controls should also be monitored for effectiveness. Sometimes a control may initially seem sufficient but fail under real working conditions (e.g., inadequate training for new machinery).

Consider involving safety committees or external auditors to validate your control strategy. In high-risk industries like construction or mining, regulatory authorities may even require specific controls.

Remember, the goal isn’t just to reduce risk—it’s to reduce it as low as reasonably practicable (ALARP). Controls must be proportionate to the hazard’s severity and likelihood.

Step 4: Reassess and Calculate Residual Risk

After applying controls, it’s time to reassess each risk to determine the residual risk level. This step helps evaluate the effectiveness of your risk mitigation strategy and identifies whether the remaining risk is tolerable, acceptable, or still requires further intervention.

Using the same risk matrix applied in Step 2, reassess both the likelihood and severity of the hazard, but this time, factor in the control measures now in place.

For example:

  • If workers wear proper PPE and follow protocols, the likelihood of injury may drop from “likely” to “unlikely.”

  • If a guard has been installed on a moving machine part, the severity of injury might reduce from “catastrophic” to “moderate.”

Calculate a new score and compare it to your organization’s risk acceptance criteria. This comparison will guide your next steps:

  • If residual risk falls within acceptable levels, document and monitor.

  • If residual risk is marginally acceptable, consider adding secondary controls or scheduling periodic reviews.

  • If residual risk is still too high, revisit Steps 1 to 3 to identify stronger interventions.

When calculating residual risk, keep in mind:

  • Worker behavior can influence real-world outcomes. Even with controls, complacency or poor training can undermine safety.

  • Environmental factors such as lighting, noise, or weather can affect how effective a control measure is.

  • Maintenance and wear-and-tear of engineering controls can lead to increasing residual risks over time.

All residual risks should be recorded in a residual risk register, with accompanying justification for any decision to accept them. Where applicable, develop contingency or emergency response plans for risks that cannot be further mitigated.

Incorporating residual risk reassessment into your organization’s continuous improvement cycle (e.g., ISO 45001’s PDCA model) ensures long-term safety and compliance.

Managing Residual Risk: Best Practices

Effectively managing residual risk requires a proactive, structured approach to ensure that remaining hazards are kept under control and do not lead to incidents. Below are five key best practices that every workplace should implement, each offering practical guidance.

Continuous Monitoring: Track and Review Controls for Effectiveness Regularly

Residual risks must be continuously monitored to ensure they do not escalate over time. The mere presence of control measures doesn’t guarantee long-term safety. Wear and tear, human behavior, changing work conditions, and external influences can weaken or nullify previously effective controls. That’s why continuous monitoring is critical.

Develop a structured system for tracking risk control performance. This could include automated monitoring tools, physical inspections, or checklists tailored to specific tasks or departments. For instance, if machine guarding is a primary control, regular checks must be made to verify guards are in place, secure, and used correctly. Include near-miss reporting and incident data in your monitoring routine, as these often provide early warning signs of failing controls.

Create a monitoring schedule based on risk level—high-risk areas may need daily observation, while lower-risk environments can be reviewed weekly or monthly. Assign responsible personnel and ensure they are trained to identify red flags. Document all monitoring activities, and feed this data into a broader review process to trigger improvements or redesigns.

Ultimately, continuous monitoring transforms risk management from a one-off task into an ongoing safety habit that prevents complacency and enhances workplace resilience.

Risk Registers: Maintain a Dynamic Record of All Identified and Residual Risks

A risk register is more than a compliance document—it’s a living, breathing tool that forms the backbone of effective residual risk management. By maintaining a comprehensive and regularly updated risk register, organizations ensure full visibility of all identified hazards, the controls in place, and what residual risks remain after mitigation.

Each entry in the risk register should include: the nature of the hazard, initial risk rating, controls implemented, residual risk rating, and further actions (if required). It should also identify who is responsible for managing each risk. Importantly, the register should allow for categorization (e.g., physical, chemical, psychosocial), helping prioritize resources for higher-risk areas.

Risk registers are most effective when updated dynamically. Every time there’s a process change, introduction of new equipment, staff turnover, or an incident, the register must be reviewed and revised accordingly. Consider integrating your risk register into digital safety platforms or enterprise risk management software to allow for real-time collaboration, audit trails, and alert systems.

Regularly reviewing the risk register with key stakeholders, such as department heads, safety reps, or external auditors, ensures that no residual risk goes unnoticed or unmanaged. A well-maintained register also provides legal protection and evidence of due diligence.

Training: Equip Employees to Identify, Report, and Work Safely Around Residual Hazards

Training is a frontline defense in managing residual risk effectively. After implementing technical or administrative controls, the human factor becomes critical. Employees must be aware of the hazards that persist despite these controls and be equipped with the knowledge and tools to act safely around them.

Effective training programs should go beyond general safety induction. They must be role-specific, task-focused, and continuously updated to reflect changing risk profiles. For example, a worker in a confined space should not only know about ventilation systems but also how to respond if those systems fail. Training must address not just what to do, but why it’s important—connecting actions with outcomes improves retention and compliance.

Use a mix of learning methods, such as classroom sessions, e-learning, hands-on demonstrations, toolbox talks, and safety simulations. Encourage workers to participate actively and raise questions. Make it clear that they are part of the safety solution, not just recipients of instructions.

Furthermore, embed a reporting culture in your training efforts. Teach staff to recognize early signs of control failure, unsafe behaviors, or new risks. Provide easy-to-use channels for reporting, such as mobile apps, paper forms, or verbal escalation. Training empowers workers to manage residual risk in real time, making them partners in prevention.

Audits & Reviews: Conduct Periodic Audits to Catch Overlooked or Emerging Risks

No risk management system is foolproof, which is why regular audits and reviews are essential to detecting gaps in controls and identifying emerging residual risks. These formal evaluations provide a structured opportunity to verify that safety measures remain fit for purpose and aligned with actual work practices.

There are several types of audits to consider: internal audits (conducted by your safety team), external audits (carried out by third-party professionals), and compliance audits (focused on meeting legal or industry standards). Each audit should assess the effectiveness of existing controls, evaluate compliance with procedures, and examine whether any new hazards have developed.

Audits must be systematic, covering all departments and risk categories over a defined period. Use structured checklists, scoring systems, and photographic evidence to ensure consistency and traceability. Following each audit, develop a corrective action plan with clear timelines, assigned responsibilities, and follow-up reviews to ensure closure.

Crucially, audits should not be punitive. Instead, foster a collaborative approach where the goal is continuous improvement rather than finger-pointing. Share audit findings across the organization to raise awareness and reinforce accountability.

Regular reviews not only help catch missed risks—they also keep safety culture alive and demonstrate your organization’s commitment to due diligence and continuous improvement.

Communication: Communicate Known Residual Risks to Workers and Management

Clear, timely communication is a cornerstone of residual risk management. Even after engineering and administrative controls are applied, hazards may persist. These residual risks must be transparently communicated to all relevant stakeholders, including workers, supervisors, and senior management.

Start by identifying who needs to know what. Frontline workers must understand the specific risks in their work environment and the precautions to take. Supervisors need to monitor compliance and address concerns promptly. Management must grasp the broader risk profile to allocate resources and guide policy.

Use various communication channels to reach all audiences: safety signage, safety data sheets, toolbox talks, safety alerts, posters, digital bulletins, and one-on-one briefings. Ensure your messaging is clear, jargon-free, and contextualized. For instance, instead of saying “chemical hazard remains,” clarify that “residual risk includes low-level vapour exposure when handling solvent XYZ—use gloves and local exhaust ventilation.”

Communication should also be two-way. Encourage feedback from staff and incorporate their observations into your residual risk reviews. Empower workers to speak up without fear of reprisal if they notice changes in workplace safety.

By fostering open communication about residual risks, you create an informed workforce, strengthen your safety culture, and uphold your legal duty to provide information under health and safety laws.

When Is Residual Risk Acceptable?

A residual risk is considered acceptable when:

  • The cost or feasibility of further mitigation outweighs the benefit.

  • It aligns with legal and industry compliance standards.

  • It is transparently documented and communicated.

  • There is an emergency response or contingency plan in place.

Pro tip: Even if a risk is accepted, it must still be monitored. Risk levels can change with equipment wear, human behavior, or operational changes.

ISO 45001 and Residual Risk

The ISO 45001:2018 standard provides a framework for organizations to manage health and safety risks, including:

  • Contextualizing residual risk in the Plan-Do-Check-Act (PDCA) cycle.

  • Emphasizing risk-based thinking.

  • Requiring top management involvement in identifying and managing residual risks.

For full compliance, residual risks must be identified, evaluated, and documented as part of the overall Occupational Health and Safety Management System (OHSMS).

Residual Risk vs Inherent Risk vs Controlled Risk

Term Definition
Inherent Risk The risk is before any controls are applied.
Controlled Risk The adjusted risk level after basic controls are in place.
Residual Risk The remaining risk that still exists after all reasonable measures.

Conclusion

Residual risk is an unavoidable reality in every workplace, but with the right approach, it can be identified, assessed, managed, and monitored effectively.

Failing to account for residual risks can lead to accidents, legal penalties, or reputational damage. By embracing risk management best practices, your organization can foster a culture of safety and compliance.

References

Related Posts

The Salient Relationship Between Hazard, Risk, and Accidents

What is Ergonomic Injury: Risk Factors and Prevention

What is Risk Control: Importance and Hierarchy of Control

5 Key Elements of the Risk Management Process

Flash Fire: Risk and Prevention Tips

Discover more from HSEWatch - Health and Safety (HSE) Blog

Subscribe now to keep reading and get access to the full archive.

Continue reading