This is perfectly safe*. You don't need to keep it outside of your web root as another commenter noted because it the server will evaluate it as php and never echo it to the browser.
However, it is a very cumbersome way of managing your SQL. You are relying on your include to always be error free, in that it always assigns the (presumably) global variable of $query with the right SQL statement. You are also adding a very confusing layer around the SQL itself that will make it hard for others to try to read your code (or even yourself in the future).
An improvement would be to save the statements as text files. If what you are trying to get at is separation of concerns, then save just the statements as text files, such that
SELECT `Riskrating` FROM `currentdetails` WHERE 1;
is located in files/myquery.sql. Then load it with
$query = file_get_contents('files/myquery.sql');
This way, you are eliminating one potential source of errors and you can automatically loop over all of your queries and check them for correctness (eg, in a unit test). Note that if you do this, you will have to keep your queries outside of the document root because they can be shown in the browser.
However, a much better approach is to use an ORM such as RedBean or Doctrine. This way, you don't have to mess around with your database layer at all.
* Assuming that the file contents are actually:
<?php $query = "sql statement";