Risk profiling and risk assessment defined

Tuesday, 24 October 2023

Not completely clear about how risk assessment and risk profiling fit together? This useful quick-read is the perfect resource for anyone seeking clear definitions and clarity on how risk assessment and risk profiling differ.

Hannah Li, Senior Lead (Innovation) at NEBOSH, brings together content from the NEBOSH pocket guide series* to define risk assessment and risk profiling, looking at how they relate and explaining the processes needed to successfully apply them in your workplace and wider organisations.

Risk profiling and risk assessment – definitions and processes

Both risk profiling and risk assessment involve assessing risk. However, in health & safety, the term 'risk assessment' usually refers to a certain process, often focused on the risk arising from a specific workplace activity or process. The hazards, risks, and controls it considers tend to be more direct.

Risk profiling is a more high-level activity carried out at the business unit, division or branch level. Its output is intended to identify areas of high risk or undesirable exposure to risk that require senior leadership attention. These threats are considered in terms of the potential harm to people, disruption to the organisation and financial impacts, in order to determine where resources should be prioritised effectively.

So, a risk profile is a form of high-level risk assessment, but with the distinguishing feature that risk profiling considers and consolidates a range of threats and a range of risks, not just those related to health and safety.

To understand this in greater detail let’s revisit the NEBOSH definitions and then look at the risk assessment and risk profiling processes displayed below.

What is risk assessment?

The objective of risk assessment is to prevent workplace accidents and incidents that might give rise to injuries and/or occupational ill-health.

The risk assessment process allows organisations to identify specific hazards and ensure that they are adequately controlled.

Preventative controls and precautions can be deployed to help to reduce the risk to an acceptable level or eliminate it.

A risk assessment should generally remain valid for a reasonable period of time and be reviewed periodically, unless something happens to suggest it should be reviewed sooner, e.g. a change in legislation or an incident.

What is risk profiling?

The purpose of risk profiling is to make risks visible within an organisation. At its simplest, a risk profile is a description of a set of risks. The profile can relate to the whole organisation or at a departmental level.

An organisation's risk profile should inform all aspects of the approach to leading and managing health and safety risks. Health and safety leaders need to ensure that their respective organisations have built a risk profile that covers:

  • the nature and level of the threats faced by an organisation;
  • the likelihood of adverse effects occurring;
  • the level of disruption and costs associated with each type of risk; and
  • the effectiveness of controls in place to manage those risks.

The outcome of risk profiling will be that the right risks have been identified and prioritised for action and controls communicated, with minor risks given lower priority. A risk profile also informs decisions about what risk control measures are needed and the availability and allocation of resources.

Every organisation will have its own risk profile, and effective leaders must know the risks their organisations face, rank them in order of significance and take action to control them. This is the starting point for determining the greatest potential issues for an organisation.

The risk assessment process

Most organisations will have a template to use when carrying out and recording the findings of a risk assessment. Unlike a risk profiling exercise, a risk assessment can be done very informally (depending on the scale and nature of the activity), and often starts with simply observing the workplace as it is operating. The most important part of risk assessment is making sure that suitable controls are put in place.

Risk assessment usually involves the following key stages:

  • Identify the hazards
  • Identify people at risk
  • Evaluate risk and decide if you need to do more
  • Record significant findings
  • Review and update

The risk profiling process

How risk profiling is carried out can vary across sectors. Making it a collective exercise involving relevant people from across the organisation, unit or discipline for which the risk profile is being produced is always good practice.

Risk profiling usually involves the following key stages:

  • Agree definitions and descriptors for types of risk, types of consequence, likelihood, treatment and controls, and criteria for risk prioritisation.
  • Select the risk profiling team and gather information about operations and processes.
  • Understand the context and risk appetite of the organisation.
  • Identify potential risks, considering both external and internal causes.
  • Understand the potential consequences if those risks are realised.
  • Consider existing and additional controls.
  • Agree prioritisation of risks.
  • Produce a risk register to record findings and inform further actions.
  • Ensure continuous review and improvement.


Risk assessment and risk profiling in your workplace and wider organisation

Understanding the hazards present in the workplace and the potential threats to an organisation are both incredibly important processes. A well-managed organisation will carry out both, and use the findings to ensure it is protecting its people and its business from any potential threat or harm. Both risk profiling and risk assessment contribute to an effective health and safety management system and support the preparedness and continual improvement of an organisation.


*The information in this article provides a useful taster of the NEBOSH pocket guides Quick Reference Guide to Risk Assessment and Quick Reference Guide to Risk Profiling. These build on the basic principles and definitions covered above to help OSH professionals conduct structured and effective risk assessments and risk profiling processes. Both guides also feature the tips, tools and models you need to effectively consider, identify and prioritise risks and treatment options, plus real-life examples to apply in your own workplace and wider organisation.