Comprehensive Risk Assessment Guide

Risk assessment is the foundation of good health and safety management. It's a legal requirement, but more importantly, it's the systematic process that helps you protect people from harm. Understanding how to identify hazards and evaluate risks enables you to implement the right controls.

What is risk assessment?

Risk assessment is the process of identifying hazards in your workplace and evaluating the risks they present, so you can implement appropriate controls to prevent harm.

It's not about creating mountains of paperwork. It's about careful examination of what could cause harm, so you can decide whether you're doing enough or need to do more.

Hazard vs risk

These terms are often confused but have distinct meanings:

Hazard: Something with the potential to cause harm (injury, ill health, or damage)

• Examples: electricity, chemicals, working at height, heavy loads, sharp objects

Risk: The likelihood that the hazard will cause harm, and the severity of that harm

• Risk = Likelihood × Severity

Example in practice

Hazard: A wet floor in a busy corridor Risk: High likelihood someone will slip (busy area, constant traffic) × moderate severity (could cause bruising, sprains, or broken bones) = Medium to high risk

Control measures: Warning signs, barriers, immediate cleaning, anti-slip floor coating, regular inspection

The legal requirement

Risk assessment is required by Regulation 3 of the Management of Health and Safety at Work Regulations 1999 (MHSWR):

"Every employer shall make a suitable and sufficient assessment of: (a) the risks to the health and safety of his employees to which they are exposed whilst they are at work; and (b) the risks to the health and safety of persons not in his employment arising out of or in connection with the conduct by him of his undertaking."

In plain English:

• You must assess risks to both employees and others (visitors, contractors, public)
• The assessment must be suitable and sufficient (proportionate and adequate)
• You must record the significant findings if you employ 5 or more people
• You must review and update assessments when necessary

Underlying duty under HSWA 1974

The risk assessment requirement flows from the general duty in Section 2(1) of the Health and Safety at Work Act 1974:

"It shall be the duty of every employer to ensure, so far as is reasonably practicable, the health, safety and welfare at work of all his employees."

You can't ensure health and safety without first understanding what the risks are. Risk assessment is the tool that enables compliance with this fundamental duty.

The 5-step approach to risk assessment

The HSE recommends a simple 5-step process for conducting risk assessments. This works for businesses of all sizes and sectors.

Step 1: Identify the hazards

Walk around your workplace and look for things that could cause harm. Consider:

Physical hazards:

• Slips, trips, and falls (wet floors, uneven surfaces, trailing cables)
• Working at height (ladders, scaffolds, fragile roofs)
• Moving machinery and vehicles
• Electricity (exposed wiring, damaged equipment)
• Fire and explosion
• Noise and vibration
• Temperature extremes (hot processes, cold stores)
• Confined spaces

Health hazards:

• Hazardous substances (chemicals, dust, fumes, biological agents)
• Manual handling (lifting, carrying, repetitive movements)
• Display screen equipment (prolonged computer use)
• Radiation (ionizing, non-ionizing, UV)
• Asbestos and other legacy materials

Workplace hazards:

• Poor lighting or ventilation
• Inadequate welfare facilities
• Workplace layout and congestion
• Poor housekeeping

Work organization hazards:

• Lone working
• Violence and aggression
• Fatigue and work patterns (shift work, long hours)
• Stress and mental health
• Inadequate training or supervision

How to identify hazards:

• Walk around your premises, looking at each work area and activity
• Talk to employees — they often know the risks better than management
• Check accident and ill-health records — patterns reveal hazards
• Review manufacturers' instructions for equipment and substances
• Consult industry guidance — HSE, trade associations, professional bodies
• Look at near-misses — what almost caused harm?

Step 2: Decide who might be harmed and how

For each hazard identified, consider who could be affected:

Your employees:

• Are some employees at greater risk than others? (e.g., young or inexperienced workers, new starters, expectant mothers, people with disabilities)
• Do certain roles face specific hazards? (e.g., maintenance staff, cleaners, managers)

Non-employees:

• Contractors and agency workers
• Visitors (clients, deliveries, members of the public)
• Cleaners and maintenance contractors
• Neighbors or members of the public near your premises

Vulnerable groups:

• Young workers (under 18) who may lack experience or judgment
• New or expectant mothers who face specific risks
• People with disabilities who may need additional controls
• Lone workers who can't rely on others for help
• Night shift workers who may face fatigue risks

Document how harm could occur:

Don't just list "employees" — describe the mechanism of harm:

• "Warehouse operatives could suffer musculoskeletal injuries from repetitive manual handling of heavy boxes"
• "Office workers could develop eye strain and back problems from prolonged display screen work without breaks"
• "Visitors could slip on wet floor during cleaning if area not cordoned off"

This specificity helps you identify appropriate controls.

Step 3: Evaluate the risks and decide on precautions

For each hazard, evaluate:

1. What are you already doing? (existing controls)
2. Is it enough? (does it reduce risk to acceptable level?)
3. What more could you do? (additional controls needed)

Evaluating risk level:

Consider two factors:

Likelihood: How probable is it that harm will occur?

• Rare: might happen once in many years
• Unlikely: could happen occasionally
• Possible: might happen from time to time
• Likely: will probably happen repeatedly
• Almost certain: expected to occur frequently

Severity: How bad could the harm be?

• Trivial: minor injury, no time off work
• Minor: small injury, up to 3 days off
• Moderate: injury requiring medical treatment, 3-7 days off
• Major: serious injury, broken bones, over 7 days off, RIDDOR reportable
• Catastrophic: death or life-changing injury

Combine these to judge the risk level:

Applying the hierarchy of control:

When deciding on precautions, follow this order of preference:

1. Elimination — remove the hazard entirely (best option if possible)
2. Substitution — replace with something less hazardous
3. Engineering controls — physical measures to reduce risk (guards, barriers, ventilation)
4. Administrative controls — safe systems of work, training, supervision, rotation
5. PPE (Personal Protective Equipment) — last resort, protects the individual

Example application:

Hazard: Risk of hand injury from operating a guillotine cutter

1. Elimination: Can you avoid using the guillotine? (Use pre-cut materials?) — Not practical
2. Substitution: Use a safer cutting method? (e.g., rotary cutter) — Could consider
3. Engineering: Fit guard that prevents access to blade during operation — Yes, implement
4. Administrative: Provide training, restrict to trained operators only, regular maintenance — Yes, in addition
5. PPE: Cut-resistant gloves — Not effective as primary control, hands need dexterity

Result: Fit guard (engineering), provide training and restrict access (administrative), maintain equipment. Don't rely on gloves alone.

Step 4: Record your significant findings

If you employ 5 or more people, you must record the significant findings of your risk assessment.

What to record:

• The hazards identified (what could cause harm)
• Who might be harmed and how (employees, visitors, specific groups)
• What you're doing to control the risks (existing and planned controls)
• Any further action needed (with timescales and responsibilities)

Format:

There's no prescribed format. You can use:

• Simple table or spreadsheet
• Pre-made templates (HSE provides free templates)
• Specialized software
• Custom documents

What matters is that it's clear, accessible, and actually used.

What doesn't need detailed recording:

You don't need to document every trivial risk. If:

• The risk is very low and
• The precautions are well-known and
• You're confident controls are adequate

Then a brief note is sufficient. For example, "Slip risk from wet floor during cleaning — managed by warning signs and immediate cleaning" is enough for a routine, well-controlled hazard.

Focus your detailed documentation on significant risks, complex activities, or situations where controls need careful management.

Step 5: Review and update

Risk assessments are not "write once and forget." Review them:

When to review:

• At least annually — even if nothing has changed, scheduled reviews ensure continued suitability
• When work activities change — new equipment, processes, substances, or locations
• After an accident or near miss — the assessment may have missed something
• When you identify new hazards — changing work patterns or external factors
• If employee feedback suggests problems — they're closest to the risks
• When regulations or guidance change — new legal requirements or industry standards

What to check during review:

• Are the hazards still the same, or have new ones emerged?
• Have work activities changed in ways that affect risk?
• Are the existing controls still effective and being used?
• Have there been any incidents, near misses, or health issues?
• Is there new equipment, technology, or ways of working?
• Has workforce changed (more inexperienced workers, different shifts)?
• Is there updated guidance or better control options available?

Document the review:

Record when you reviewed the assessment, what (if anything) changed, and when the next review is due. Simple log example:

Who should conduct risk assessments?

The employer is legally responsible, but they can (and should) appoint competent people to carry out the assessments.

Competent person requirements:

Someone is competent if they have:

• Training in risk assessment techniques and your specific hazards
• Knowledge of health and safety law and industry practices
• Experience in your type of work and workplace
• Authority to make recommendations and implement controls

For simple, low-risk environments (small offices, retail), someone with basic health and safety training (e.g., IOSH Managing Safely) may be competent.

For complex or high-risk environments (manufacturing, construction, chemicals), you likely need professionally qualified people (NEBOSH Diploma or equivalent) with relevant sector experience.

Who can help:

• Employers themselves for very small, low-risk businesses (with appropriate training)
• Managers or supervisors who understand the work and have health and safety knowledge
• Health and safety coordinators with suitable qualifications
• External consultants for specialist or complex risks
• Employees should be consulted — they know the day-to-day reality

Common types of risk assessment

General workplace risk assessment

Covers the overall work environment and common activities:

• Slips, trips, and falls
• Fire safety
• Manual handling
• Display screen equipment
• Workplace facilities and conditions
• General machinery and equipment

Activity-specific risk assessments

For particular tasks or processes:

• Working at height
• Confined space entry
• Electrical work
• Hot work (welding, grinding)
• Lone working
• Driving and workplace transport

Substance-specific risk assessments (COSHH)

Required under Control of Substances Hazardous to Health Regulations 2002:

• Identify hazardous substances (check safety data sheets)
• Assess health risks from exposure
• Implement controls (substitution, ventilation, PPE)
• Monitor exposure and health surveillance if needed

Fire risk assessment

Required under Regulatory Reform (Fire Safety) Order 2005:

• Identify fire hazards (ignition sources, fuel, oxygen)
• Identify people at risk (especially vulnerable persons)
• Evaluate, remove, or reduce risks
• Record findings and implement fire precautions
• Prepare emergency plan and provide training

Specific risk assessments for vulnerable groups

• Young persons (under 18) — lack of experience and maturity
• New and expectant mothers — specific risks to mother and baby
• Persons with disabilities — ensure workplace accessibility and evacuation

How to write effective risk assessments

Be specific, not generic

Generic (poor):

• Hazard: "Slips and trips"
• Risk: "People could fall"
• Control: "Keep floors clean"

Specific (good):

• Hazard: "Water spillage from drinks machine in kitchen area creates slip hazard on tiled floor"
• Risk: "Staff and visitors using kitchen could slip, potentially causing bruising, sprains, or fractures. Moderate severity, possible likelihood = medium risk"
• Control: "Drip tray installed under machine. Daily checks by office manager. Warning sign posted. Spills cleaned immediately. Anti-slip mat placed in front of machine. Spillage procedure in staff handbook."

Focus on significant risks

Don't waste time documenting trivial risks that are obvious and well-controlled. Focus on:

• Risks that could cause serious harm
• Risks that are not immediately obvious
• Risks where controls need active management
• Risks affecting vulnerable groups

Make it usable

The risk assessment should be:

• Accessible — available to those doing the work
• Understandable — written in plain language, not jargon
• Practical — describes controls that are actually implemented
• Concise — long enough to be adequate, short enough to be read

Avoid lengthy generic documents that sit in files unread. A two-page specific, practical assessment is better than a 50-page generic template.

Involve employees

The people doing the work often have the best understanding of:

• What the real hazards are
• What could go wrong
• What controls are practical and effective
• What isn't working with current measures

Consult employees when conducting assessments and when reviewing them. This improves quality and buy-in.

Small business considerations

If you run a small, low-risk business, risk assessment doesn't need to be complicated.

Exemption for very low-risk businesses

If your business has very few hazards and they're well-controlled, you can sometimes use pre-prepared risk assessments:

• HSE provides example risk assessments for many common scenarios
• Trade associations often have sector-specific templates
• These can be adapted quickly rather than starting from scratch

However, you must check that they actually fit your situation and make adjustments as needed.

Simple risk assessment for small businesses

For a small office, shop, or low-risk service business:

Step 1: Identify hazards (walk around, list obvious hazards)

• Slip/trip hazards (cables, wet floor, stairs)
• Manual handling (moving stock, deliveries)
• Display screen work (computers)
• Fire
• Basic electrical safety

Step 2: Who might be harmed (employees, visitors, delivery drivers)

Step 3: Evaluate and control (for each hazard, what are you doing?)

• Cables managed, spills cleaned, handrails on stairs
• Training on lifting, trolleys available
• DSE assessments, breaks encouraged
• Fire alarm, extinguishers, evacuation plan
• PAT testing, visual checks

Step 4: Record (simple table, one or two pages)

Step 5: Review (set reminder for annual review)

Time required: 1-3 hours for a comprehensive initial assessment in a typical small business with low-risk activities.

Common mistakes in risk assessment

1. Generic cut-and-paste assessments

The mistake: Downloading a template and filling it in without adapting to your specific workplace, activities, or risks.

Why it's a problem: Generic assessments miss your actual hazards and propose controls that don't fit your situation. They're obvious to inspectors and useless for your workforce.

The fix: Use templates as a starting point, but customize thoroughly. Walk your workplace, talk to employees, describe your actual hazards and controls.

2. Focusing only on compliance, not reality

The mistake: Writing what you think should be in place to satisfy an inspector, rather than describing what you actually do.

Why it's a problem: Creates a gap between documented and real practice. You'll be judged against the standards you claim to meet. If an incident occurs, the gap is evidence of failure.

The fix: Be honest. Document your actual arrangements. If they're inadequate, the risk assessment should identify this and propose improvements, not pretend everything is perfect.

3. Too much detail on trivial risks, not enough on serious ones

The mistake: Pages of documentation on minor hazards like paper cuts or trips over very low thresholds, while significant risks like working at height or hazardous substances get brief mentions.

Why it's a problem: Wastes time, obscures important information, and suggests you don't understand risk priorities.

The fix: Apply the concept of "suitable and sufficient" — enough detail for significant risks, brief notes for trivial ones. Focus effort where harm is most likely or most severe.

4. Not reviewing or updating

The mistake: Conducting assessments once to tick a box, then filing them and never looking again.

Why it's a problem: Work activities change, new hazards emerge, controls degrade. An outdated assessment doesn't reflect current risks and provides false assurance.

The fix: Schedule annual reviews in your calendar. Review immediately when you change processes, equipment, or organization. Document each review.

5. Not involving employees

The mistake: Risk assessment done in an office by someone who doesn't do the work, without input from those exposed to the hazards.

Why it's a problem: Misses practical knowledge, proposes unworkable controls, and creates no buy-in from workforce.

The fix: Consult employees when conducting and reviewing assessments. Walk the job with them, ask what could go wrong, listen to their concerns.

6. Relying on PPE as primary control

The mistake: Identifying a hazard and jumping straight to PPE (gloves, goggles, high-viz) without considering elimination, substitution, or engineering controls.

Why it's a problem: PPE is the weakest control. It only protects if worn correctly, maintained, and fit for purpose. It doesn't reduce the hazard.

The fix: Apply the hierarchy of control. Eliminate or reduce the hazard first. Use PPE only when other controls are insufficient, and as an additional layer, not primary control.

7. Forgetting non-employees

The mistake: Only assessing risks to employees, ignoring visitors, contractors, delivery drivers, or members of the public.

Why it's a problem: Section 3 of HSWA 1974 requires you to protect non-employees. If they're harmed, you can be prosecuted even if employees were safe.

The fix: For each hazard, explicitly consider who else might be affected. Include controls for visitors (e.g., signing in, escorts, induction, restricted access).

Frequently asked questions

Next steps

To develop effective risk assessment in your organization:

1. Understand your legal duty — risk assessment is mandatory, not optional
2. Identify a competent person — ensure someone has the knowledge and authority to conduct assessments
3. Start with a walkthrough — physically inspect your workplace and activities
4. Consult employees — involve those who do the work
5. Use the 5-step approach — identify hazards, decide who might be harmed, evaluate risks, record findings, review regularly
6. Prioritize significant risks — focus on what could cause serious harm
7. Implement controls — following the hierarchy (eliminate, reduce, control)
8. Document your findings — if you employ 5 or more people
9. Communicate — ensure those affected know about risks and controls
10. Review and update — set reminders for annual review, and review when changes occur

Related articles:

• What is a Competent Person?
• Health and Safety Responsibilities
• Small Business Health and Safety Guide

Useful tools:

• Risk Assessment Tool
• Hazard Identification Checker