Conducting a risk assessment

Written by Harrison Kennedy

A risk assessment in ReFresh follows the Code of Practice four-step process: identify, assess, control, review. Assessments move through a defined lifecycle and combine inherent and residual risk ratings using a 5x5 likelihood-and-consequence matrix.

  • Open the assessment form from a risk on the Risk Register

  • Set Status (Draft, Identified, Assessing, Treating, Monitoring, Accepted, Closed, Archived)

  • Set Treatment (Not set initially)

  • Rate Inherent Risk and Residual Risk against likelihood and consequence

  • Save Changes to advance the assessment


Opening an assessment

From the Risk Register (admin sidebar → Risk Assessment → Risk Register):

  • Click an existing risk to open its assessment

  • Or click + Custom Risk Assessment to create a new one

The assessment form opens with the risk's title at the top and a Short description field beneath.


Status and Treatment

Two top-level fields control the assessment's lifecycle:

  • Status: where the assessment sits in its lifecycle. Default is Draft.

  • Treatment: the chosen response (initially "Not set"; populated as the assessment progresses)

The full Status lifecycle: Draft → Identified → Assessing → Treating → Monitoring → Accepted or Closed → Archived.


Rating Inherent Risk

Inherent Risk is the risk before any controls are applied. Pick one option from each of two dimensions:

Likelihood:

  • Constant (Daily)

  • Frequent (Weekly)

  • Regular (Monthly)

  • Occasional (Quarterly)

  • Rare (Yearly)

Consequence:

  • Insignificant (No injury)

  • Minor (First aid)

  • Moderate (Medical treatment)

  • Major (Lost-time injury)

  • Catastrophic (Fatality / permanent)

The form combines the two into a Result band (for example, "Regular × Moderate = MEDIUM") and shows a 5x5 heatmap preview with your selection highlighted.


Rating Residual Risk

Residual Risk is the risk that remains after controls are applied. Use the same likelihood-and-consequence matrix to rate it.

The two ratings together (inherent and residual) appear on the Risk Register as the Inherent and Residual columns.


Saving and progressing

Click Save Changes to commit the assessment. The risk's lifecycle status updates accordingly.

Risks can be assessed at any level of your organisation:

  • Tenant-wide (the recommended starting point for first assessments)

  • Group-specific (a particular team, site, or division)

  • User-specific (in rare, focused cases)


Linking to controls and consultation

A risk assessment is the structured starting point. As the lifecycle progresses, link the risk to:

  • Controls that mitigate it (Compliance → Controls)

  • Consultations that informed the assessment (Risk Assessment → Consultations)

  • Incidents that materialised from this risk

  • Evidence that supports the rating

These links are made from each related entity's own page; risk-side links surface in the risk's detail view.


Related articles

  • Using the risk register (3.8)

  • Adopting risks from the scenario library (3.9)

  • The control library (4.2)

  • Recording worker consultation (4.9)
