Risk assessment program

1.0 Purpose

This program establishes the minimum global requirements for conducting Risk Assessments (RAs) at all Microsoft locations. Any variation to this global program, whether modifying the existing requirements or making other changes, must be evaluated through the Occupational Health and Safety (OHS) Governance Framework before implementation.

2.0 Scope

This document provides requirements for Microsoft employees, interns, and external staff (where applicable) who are responsible for conducting RAs. Microsoft Suppliers must maintain their own health and safety programs consistent with the Microsoft Supplier Code of Conduct, including setting health and safety standards, processes, and procedures for Microsoft external staff and subcontractors who provide services to Microsoft, to the extent permitted by law. Only persons knowledgeable with both the relevant operations, hazards, and appropriate mitigation controls may conduct RAs.

3.0 Program requirements

The Risk Assessment program establishes a structured process for identifying hazards, assessing risks, and implementing appropriate hazard controls to ensure compliance with regulatory requirements and maintain a safe work environment. This process systematically evaluates workplace hazards, assesses existing controls, and prescribes additional measures to reduce residual risk. It also guides the allocation of necessary resources to support effective hazard management. Upon completion, this program serves as a framework to guide the development of local RA documents, which reflect site-specific conditions and operational needs. Although these RA documents are key outputs of the program, they are intended for local use and do not require formal approval through the Microsoft OHS Governance process.

The Risk Assessment program applies a standardized method for determining risk levels by evaluating two key factors:

Probability of an incident occurring.
Severity of potential injuries or illnesses.

RAs must be reviewed and updated at least annually or when new hazards are introduced, incidents occur, or process changes modify the existing risk profile.

4.0 Risk assessment

The RA systematically evaluates equipment, materials, tools, work practices, and workspaces/facilities associated with a specific process. Hazard identification is a crucial element of the RA process. If hazards are not identified, the associated risks cannot be evaluated, eliminated, and/or reduced through the implementation of controls. Each identified hazard associated with an activity is subsequently evaluated using the following criteria:

The likelihood of an incident occurring.
The severity of any injuries or illnesses that result from the incident.

The following sections detail how the above is to be implemented and documented.

4.1 Risk assessment methodologies

Microsoft's Risk Assessment Framework is structured into two primary assessment methods. The choice of methodology is determined by the People Manager, Supervisor, or Lab Manager, in collaboration with Local OHS Manager familiar with the operations, based on the nature of the assessment:

Site-Level Risk Assessment (Risk Register): If required, a register of site hazards and risks specific to the Microsoft location. It covers the general risks that all employees, contractors, vendors, and visitors may be exposed to by accessing the locations. This could include, but is not limited to:
- Parking areas, walkways, lobbies, offices, restrooms, breakrooms, etc.
- Site-specific hazards related to weather conditions, site, and building design.

The decision on the appropriate level of site RA (e.g., country, campus, building, labs, or specific operational areas) should be based on the risk level of the activities or spaces involved, as well as applicable local regulatory requirements. For example, a site-level RA can be focused on a specific operational area such as a Failure Analysis/Reliability lab, mechanical shop, hardware testing lab, or video production facility.

Activity Level RA (Job Hazard Analysis): A comprehensive assessment that evaluates risks by breaking down tasks into steps, identifying hazards, and implementing controls. Used for work processes, machine operations, and task-specific risks. A Risk Assessment template is included in section 9.1 of this document.

Each RA follows a structured approach involving hazard identification, risk evaluation using a 5x5 Risk Matrix, and implementation of necessary control measures. The Risk Assessment template for each method includes:

Description of work activities, tasks, chemicals, or areas.
Identified hazards and potential effects.
Existing control measures and risk rating.
Additional control measures if the risk is high and risk rating after additional risk control.
Assessment details (date, assessor's name, reviewer's name, and assessment scope).

4.2 Risk assessment team

The People Manager/Supervisor or Lab Manager in collaboration with Local OHS Manager determines the required composition of the Risk Assessment team based on the scope of the task or site. Additional team members may be included based on task complexity, expertise required, or specific regulatory considerations. Having a team with a variety of experience and expertise ensures a comprehensive evaluation of existing and predictable hazards and effective mitigation controls.

Recommended team members typically include workers who perform the task (providing firsthand knowledge of the work), their People Manager, Supervisor, or Lab Manager (to ensure operational alignment and accountability), Local OHS manager, and individuals with relevant technical or engineering expertise (to support hazard identification and control strategies).

The Risk Assessment team is responsible for overseeing, documenting, communicating, and implementing RAs.

4.3 Risk assssment process

Define Scope of Work: Identify the task or activity to be assessed.
Choose the RA Methodology: Most applicable to the scope (Risk Register or Job Hazard Analysis).
Assess Initial Risk: Use a 5x5 Risk Matrix to determine risk levels.
Implement Control Measures: Apply appropriate controls based on the hierarchy of controls (elimination, substitution, engineering, administrative, PPE).
Assess Residual Risk: Reevaluate the risk after control measures are applied.
Approve and Document: Record the findings, ensure management approval, and store the assessment in the designated system.
Communication Findings: Share risk information with all affected personnel.
Monitor and Review: Review at least annually, or sooner if there are significant changes in work conditions, processes, or hazards.

4.4 Risk evaluation

The evaluation of the relative risk for each identified hazard will be performed using the Risk Matrix listed below. The risk level associated with each hazard will be ranked as Low, Medium, or High using the following criteria:

Risk Matrix
		Severity
		Injuries or illnesses that do not require medical treatment	Minor injury/illness that requires first aid	Injury/illness requiring medical treatment beyond first aid	Serious injury/illness requiring medical treatment and admittance to hospital	Fatality or multiple life-threatening injury/illness case requiring hospitalization
Likelihood		Insignificant	Minor	Moderate	Major	Catastrophic
Likelihood		1	2	3	4	5
Frequent May be expected to occur frequently	5	M	M	H	H	H
Probable Likely to occur several times	4	M	M	M	H	H
Occasional Likely to occur sometime but multiple occurrences are unlikely	3	L	M	M	M	H
Remote Unlikely, but possible to occur	2	L	M	M	M	M
Improbable So unlikely, it can be assumed occurrence may not be experienced	1	L	L	L	M	M

The hazard ranking will determine the selection of appropriate controls. The RA will be conducted on the work or task as it is currently performed with the existing controls in place. If the RA identifies that risks could be mitigated by implementing new or additional controls, those recommendations will be documented on the Risk Assessment template.

Actions required based on the assigned risk level are summarized below.

Risk Level	Risk Acceptability	Required Actions
Low	Acceptable	No additional risk control measures are needed. Frequent review and monitoring of hazards are required to ensure the assigned risk level is accurate and does not increase over time.
Medium	Tolerable	A careful evaluation of the hazards must be carried out to ensure the risk level is reduced to as low as reasonably possible within a defined period. Interim risk control measures, such as administrative controls or PPE, may be implemented while longer term measures are being established.
High	Unacceptable	High risk work cannot proceed and must be mitigated to at least Medium, unless unusual circumstances justify an exception approved in writing by the applicable CVP. There shouldn't be any interim risk control measures. Risk control measures should not be overly dependent on PPE or administrative controls.

4.5 Risk control selection

Hazard control selection will be based on the hierarchy of controls. The following list contains typical control types ranked by effectiveness:

Elimination: Elimination of the hazard is the most effective means of hazard control. It involves the physical removal of the hazard.
Substitution: Replacing something that produces a hazard (similar to elimination) with something that does not produce a hazard or reduces the overall risk.
Engineering: Engineering controls do not eliminate hazards; they reduce the level of risk by preventing contact with the hazard. Engineering controls usually have capital costs and require periodic validation and preventative maintenance to ensure effectiveness.
Administrative: Administrative controls involve changes to the way people work. Examples include written procedures, employee training, and installation of signs or warning labels. Administrative controls do not remove hazards; they limit the risk of those hazards by correcting unsafe behaviors.
Personal protective equipment (PPE): PPE is the least effective means of controlling hazards because of its potential to become ineffective. Some PPE, such as respirators, increase the physiological effort to complete a task and, therefore, require medical examinations to ensure the worker can use the PPE without any detrimental risk to their health.

4.6 Risk communication

Effective risk communication ensures that all employees, vendors/contractors and their subcontractors, and approved visitors are aware of and understand potential hazards and necessary precautions. Once the RA is completed or revised, the People Manager, Supervisor, or Lab Manager of the work scope or area is responsible for making sure that all affected employees, vendors/contractors, and approved visitors have been informed of the associated hazards and required work controls related to the RA. Please refer to Appendix A for Risk Communication Email template. People Manager, Supervisor, or Lab Manager must make sure RA documents are maintained and accessible to employees to meet regulatory requirements for training and education.

Risk communication may occur in the following situations:

During new employee onboarding training.
Before the execution of tasks involving identified risks.
Regular safety meetings.
When updates to RAs occur.
During work planning sessions/meetings.

Communication methods include meetings, digital platforms, signage, and training sessions. The Responsible People Manager, Supervisor, or Lab Manager must ensure timely and effective dissemination of risk-related information.

The RA will include any required training based on the hazard levels defined for the task. Once defined as part of the RA, training is required for all employees and external staff to perform the work.

Site RAs must be reviewed at least annually or following an incident related to the RA or whenever significant changes occur, such as:

Modifications to work methods or procedures.
Changes in equipment, chemicals, or surrounding conditions.
Before implementation, RAs should be reviewed by the local OHS representative and approved by the direct manager of the task or area before implementation. Updates must be communicated to all relevant personnel.

5.0 Training requirements

The RA will consider any required training based on the hazard levels defined for the task. Once defined as part of the RA, training is required for all employees and external staff (as applicable) performing the work. Please refer to the Global Training program (add link) for instructions on how to designate training as required and how to assign it.

All employees conducting RAs must review and understand the contents of this program before performing RAs. The People Manager, Supervisor, or Lab Manager is responsible for ensuring competent people conduct these activities.

6.0 Roles and responsibilities

OHS Council	Offer specialized advice and recommendations. Support Global OHS Team during OHS Governance Review Meeting, when required.
Global OHS Team	Define minimum OHS program and training requirements. Provide consultation with local OHS support personnel as needed. Provide training tools to local OHS support personnel. Facilitate periodic review of OHS program documents.
Business Group and/or Local Executives	Provide sincere, visible, and proactive leadership. Ensure adequate funding, support, and staffing for implementing this program. Understand and implement applicable regulatory requirements. Ensure managers are held accountable to implement this program.
People Manager, Supervisor, or Lab Manager	Implement and enforce all provisions of this program for work areas under their control. Ensure RAs are completed in collaboration with OHS professionals, and that appropriate controls, training, and follow-up actions are implemented. Report all workplace injuries, unsafe conditions, and near misses using SafetyHub Report (aka.ms/SafetyHubReport). Comply with the necessary documentation requirements as described in this document. Approve the RA.
OHS Manager Assigned to the Location or Business Group	Facilitate consistent implementation of this program. Oversee implementation of applicable legal requirements, as approved by Global OHS Governance. Serve as technical experts for RAs within their respective sites. Verify control measures documented in RAs are implemented and maintained. Facilitate periodic reviews of existing RAs and update when new hazards arise, incidents occur, or regulatory changes impact workplace risks. Provide required Safety and Health training resources for supervisors and employees. Complete and document the Program Self-Assessment as required in the Governance Framework. Approve the RA.
Microsoft Employees	Understand and follow the requirements of this program. Take reasonable care not to put themselves or others at risk during their work. Participation in RA if required. Inform their supervisor or the local OHS Manager of any circumstance that might affect their ability to work safely. Escalate to Global OHS, if appropriate. Verify hazard controls are in place, maintained, and followed. Report all workplace injuries, illnesses, unsafe conditions, and near misses as soon as possible using SafetyHub Report. Complete all safety training requirements and comply with documentation procedures.
External Staff	External staff who do not receive day-to-day supervision from Microsoft employees and who perform work activities covered by this program are required to include necessary procedures in their safety plans. These procedures must conform to the requirements of this document. External staff who receive day-to-day supervision from Microsoft employees must follow the requirements of employees (see above). Participation in RA if required.

7.0 Records

Record Type and Code	Description	Examples	Exclusions
OHS Program Documents (CMPL 9200)	Documents pertaining to implementing the OHS program globally or in a specific location.	Implementation plans Injury/illness logs Training records RAs Hazard evaluations Records of reporting to local government agencies Internal inspections and program assessments	Worker Safety Compliance OHS Incident Investigations Environmental Incident Investigations Documents generated in response to assessments by Internal Audit team
OHS Incident Records (CMPL 9600)	Records related to reporting and investigation of work-related injury and illness events.	Witness statements Initial report of incident Investigation documents Evidence Action plans Content in Enablon related to OHS incidents	Environmental Incident Records Employee Exposure Records Medical Surveillance Records OHS Program Documents Injury/illness logs
Nonwork-related OHS Incident Records (CMPL 9700)	Injury and illness reports reviewed by OHS Team from nonwork-related employees, as determined by OHS staff.	Injury or illness reports from personal activities.	Workers' Compensation OHS Incident Reports

8.0 Key terms and definitions

The following terms are used in this document. The definitions below are used in the scope of this document, but local regulatory definitions supersede if there is a conflict.

Administrative Controls: The use of management involvement, employee training, job or task rotation, safe work practices, exposure monitoring, or medical surveillance to protect workers from exposure to workplace hazards.

Engineering Controls: The elimination or reduction of a hazard by means of engineered machinery or equipment. Examples include process change, isolation, ventilation, and source of modification.

Harm: Physical injury or damage to the health of people, or damage to property or the environment.

Hazard: A potential source of harm.

Personal Protective Equipment (PPE): Specialized clothing or equipment worn by an employee for protection against workplace hazards. Examples include safety glasses or goggles, respirators, hard hats, hearing protection, gloves, impermeable or fire-retardant clothing, and protective boots.

Protective Measures: Means used to reduce risk, and includes risk reduction by inherently safe design, protective devices, and PPE, information for use and installation, and training.

Risk: The combination of the probability or likelihood that a hazard may cause harm and the severity of that harm.

Risk Analysis: Systematic use of available information to identify hazards and estimate risk associated with such hazard.

Risk Assessment (RA): Process of quantifying the probability and severity of a harmful effect to individuals or populations from certain human activities.

Risk Evaluation: Procedure based on Risk Analysis to determine if Tolerable Risk has been achieved.

Tolerable Risk: Risk, which is accepted in each context, is based on the current values of Microsoft.

9.0 Related documents and references

9.1 Microsoft internal

Microsoft internal safety programs can be accessed here: SafetyHub Programs and Guidance

9.2 Microsoft external

Australia, Model Work Health and Safety Act | Safe Work Australia
Australia, Safe Work Australia, Model-WHS-Regulations (Section 66)
Australia, Safe Work Australia, Model Code of Practice: How to manage work health and safety risks
China, Law of the People's Republic of China on Prevention and Control of Occupational Diseases | english.www.gov.cn
France, Article R4121-1 - Code du travail - Légifrance Section 1: Document unique d'évaluation des risques
Hong Kong, Cap. 509 Occupational Safety and Health Ordinance (article 6)
India, IS 15656 (2006): Hazard identification and risk analysis - Code of practice
Ireland, Safety, Health, and Welfare at Work Act 2005, section 19, Hazard Identification and Risk Assessment
Italy, Legislative Decree 81/2008 (Testo Unico sulla Salute e Sicurezza sul Lavoro) | safetyone.it
Japan, Industrial Safety and Health Act | japaneselawtranslation.go.jp
Malaysia, OSHCIM - Official Portal of the Department of Occupational Safety and Health
New Zealand, Work Safe, Health and Safety at Work (General Risk and Workplace Management) Regulations 2016 (LI 2016/13) (as at 10 August 2024)
Poland, Regulation of the Minister of Labor and Social Policy of September 26, 1997, on general provisions of occupational safety and health
Singapore Ministry of Manpower, Workplace Safety and Health (Risk Management) Regulations
Singapore, Workplace Safety and Health Council, Code of Practice on WSH Risk Management
South Korea, Occupational Safety and Health Act
Spain, Law 31/1995, of November 8, on the Prevention of Occupational Risks, Royal Decree 39/1997, of January 17, approving the Regulation of Prevention Services
Sweden, Systematic work environment, Systematic Work Environment Management, AFS 2001:1
Taiwan, Law Source Retrieving System Labor Laws And Regulations-Article Content (articles 23-1 and 31-1)
UK, The Management of Health and Safety at Work Regulations 1999 Regulation 3 – Risk Assessment Health and Safety at Work etc. Act 1974
United States (Federal), OSHA, 29 CFR § 1910.132, Personal Protective Equipment
United States (Federal), OSHA, 29 CFR § 1910 Subpart I App B, Nonmandatory Compliance Guidelines for Hazard Assessment and Personal Protective Equipment Selection
United States (California), Cal/OSHA, 8 CCR § 3380 Personal Protective Devices and Safeguards

Appendix A: Risk Communication Email Template

To: [All affected employees, contractors, vendors, and visitors]
Cc: [Site Lead, EHS, JHSC, CBRE/FM, HR (as applicable)]
From: [Responsible People Manager, Supervisor, or Lab Manager]

Dear Team,

Please find attached the Risk Assessment (RA) for [Scope of the RA], completed on [insert date/timeframe] at [insert location or area].

The RA includes:

Identified hazards related to this activity
Required controls and safety measures

All individuals involved in or affected by this scope of work must review the RA and ensure they understand the hazards and the controls in place. If you have any questions or need clarification, please don't hesitate to reach out.

The RA will also be available at [location – e.g., SharePoint site, safety board, or onsite binder] for future reference.

Thank you for your attention and cooperation in maintaining a safe workplace.

Best regards,
[Your Name]
[Your Title]
[Contact Information]

Attachments: Risk Assessment

Program name	Risk Assessment Program
Owners	Microsoft Global Occupational Health and Safety
Revision date	Revision C, September 11, 2025
Effective date	July 30, 2025

Report an injury, illness, or safety observation