"Suitable and sufficient" is the legal standard for risk assessments under the Management of Health and Safety at Work Regulations 1999. It's the test HSE inspectors apply when reviewing your assessments and the standard courts use when determining whether you've met your duty.
The legal standard
The Management of Health and Safety at Work Regulations 1999, Regulation 3, requires every employer to make "a suitable and sufficient assessment" of risks.
What the law requires
Regulation 3(1):
"Every employer shall make a suitable and sufficient assessment of— (a) the risks to the health and safety of his employees to which they are exposed whilst they are at work; and (b) the risks to the health and safety of persons not in his employment arising out of or in connection with the conduct by him of his undertaking."
This creates two duties:
- Assess risks to your employees
- Assess risks to everyone else your work affects
Both assessments must be "suitable and sufficient."
What "suitable and sufficient" means
The Approved Code of Practice (ACOP) to the Management Regulations explains what suitable and sufficient means:
A suitable and sufficient risk assessment should:
- Identify the significant risks arising from or in connection with work
- Enable the employer to identify and prioritise the measures needed to comply with health and safety law
- Be appropriate to the nature of the work and remain valid for a reasonable period of time
- Identify and assess risks to employees and anyone else who might be affected
- Take account of the work and how it's organized
- Consider vulnerable groups of workers (young persons, new and expectant mothers, disabled workers)
"Suitable and sufficient" doesn't mean perfect or exhaustive. It means the assessment identifies significant risks, shows you've considered who might be harmed, demonstrates that precautions are reasonable, and covers all relevant work activities. The assessment should be proportionate to the risk.
What suitable and sufficient does NOT mean
It does not require:
- Covering every conceivable risk, no matter how trivial
- Complex numerical risk scoring or matrices
- Lengthy documents for simple workplaces
- Professional or consultant-quality reports
- Perfect prose or formatting
- Identification of risks that are not reasonably foreseeable
- Assessment of risks outside your control
HSE recognizes that small businesses have limited resources. They're looking for evidence of a systematic approach to identifying and controlling significant risks, not perfection. A simple, honest assessment that reflects your workplace is better than an elaborate generic document.
The five tests for suitability and sufficiency
To determine whether an assessment is suitable and sufficient, apply these five tests:
Test 1: Does it identify the significant risks?
What this means: The assessment must identify all significant hazards present in the workplace and the significant risks they create.
Significant risks are those that:
- Could realistically result in harm
- Require active management or control measures
- Would not be immediately obvious to everyone
Not significant (can be excluded):
- Trivial, everyday risks (e.g., risk of paper cut in office)
- Risks fully eliminated by design
- Risks already adequately controlled by well-established, universal measures
How to test this:
- Walk your workplace and list all hazards
- Compare this list against what's in your assessment
- If real hazards are missing, the assessment is insufficient
Example failure: Assessment for a care home lists slips, trips, and fire hazards, but makes no mention of manual handling of residents, violence and aggression from residents with dementia, or infection control. These are significant risks in care settings—their absence makes the assessment insufficient.
Test 2: Does it identify who might be harmed?
What this means: The assessment must identify all groups of people at risk, including vulnerable groups requiring special consideration.
Must identify:
- Employees (by role or vulnerability, not just "all staff")
- Non-employees affected (contractors, visitors, public)
- Groups especially at risk (young workers, pregnant workers, disabled workers, lone workers, inexperienced workers)
How to test this:
- Check whether assessment identifies specific groups
- Verify vulnerable groups are specifically mentioned
- Ensure non-employees are considered
Example failure: Assessment states "employees" might be harmed but doesn't identify that young apprentices face higher risks due to inexperience, or that a pregnant worker faces specific risks from certain chemicals. The Management Regulations specifically require consideration of young persons and new and expectant mothers.
Test 3: Are the precautions reasonable?
What this means: The assessment must show you've thought about whether existing controls are adequate and whether further measures are reasonably practicable.
Must demonstrate:
- Consideration of the hierarchy of controls (elimination, substitution, engineering, administrative, PPE)
- Why you've not used higher-level controls if relying on lower-level ones
- That precautions are proportionate to the risk
- That controls comply with specific legal requirements
How to test this:
- For each hazard, check whether assessment explains what controls are in place
- Verify whether assessment justifies why higher-level controls aren't used
- Check that high risks have robust controls, not just PPE and training
Example failure: Assessment identifies risk of back injury from manual handling. Only control listed is "training provided." No consideration of whether handling can be eliminated, loads reduced, or mechanical aids provided. Courts and HSE expect evidence you've worked through the hierarchy, not defaulted to the least effective control.
Adequate vs Inadequate Control Analysis
Inadequate Assessment
- States 'adequate controls in place' without listing them
- Relies mainly on PPE and training
- No explanation of why higher controls not used
- Generic controls not specific to workplace
- No evidence of hierarchy consideration
- Same level of control for all risks regardless of severity
Suitable Assessment
- Lists specific controls actually present
- Works through hierarchy systematically
- Justifies why higher controls aren't reasonably practicable if not used
- Controls are workplace-specific
- Shows evidence of considering alternatives
- Higher-risk hazards have more robust controls
Bottom line: A suitable and sufficient assessment shows you've thought critically about whether controls are adequate and whether you can reasonably do more. It's not just a list of hazards—it's evidence of decision-making about risk reduction.
Test 4: Is it appropriate to the nature of the work?
What this means: The assessment must reflect the actual work carried out and remain valid for a reasonable period.
Must reflect:
- The actual work activities and processes
- How work is actually done, not just formal procedures
- The specific equipment, substances, and environment
- Current working practices
How to test this:
- Does the assessment match what you observe in the workplace?
- Would someone reading it understand the actual work?
- Is it so generic it could apply to any similar business?
Example failure: Assessment for a small manufacturing workshop is clearly a downloaded template with company name changed. Lists hazards like "work at height" and "confined spaces" that don't exist in this workplace. Misses the specific machinery and processes actually present. Such assessments are not "appropriate to the nature of the work."
Test 5: Does it remain valid?
What this means: The assessment should be reviewed and updated so it remains current and accurate.
Must show:
- Regular review (annually minimum)
- Updates when circumstances change
- Review after incidents
- Evidence of ongoing validity
How to test this:
- Is there a review date?
- Does it reflect recent changes to equipment, processes, or workforce?
- Has it been updated following any incidents?
- Is there evidence of actual review, not just changing the date?
Example failure: Assessment dated 5 years ago. Company has since introduced new machinery, changed layout, and employed vulnerable workers. Assessment doesn't mention these. Old assessment no longer reflects reality, therefore no longer valid.
Construction company fined £200,000 for risk assessment that wasn't suitable and sufficient
Worker fell from height during roof work, suffering life-changing injuries. Company had a risk assessment for working at height, but investigation found it was not suitable and sufficient.
- ✗ Risk assessment was generic template, not specific to this project or roof type
- ✗ Didn't identify the specific fall hazards present on this particular roof
- ✗ Listed edge protection as control measure, but none was actually installed
- ✗ No assessment of rescue arrangements if fall occurred
- ✗ Assessment not reviewed despite changes to work sequence
- ✗ No consideration of weather conditions affecting slip risk on pitched roof
- ✗ Method statement referenced in assessment didn't exist
HSE prosecution resulted in £200,000 fine plus £45,000 costs. Judge stated: 'The risk assessment was not suitable and sufficient. It was generic, not site-specific, and bore little relation to the actual work being carried out. It provided no protection to workers and no defense to the company.' Worker's civil claim settled for seven-figure sum.
Generic or template-based assessments that don't reflect the actual work are not suitable and sufficient. Assessments must be specific to the activity, the location, and the actual hazards present. Controls listed must actually exist in practice, not just on paper.
Common failures of suitability and sufficiency
Understanding what makes assessments inadequate helps you avoid these failures.
Failure 1: Generic, template-based assessments
The problem: Downloaded templates with only the company name changed. Hazards and controls don't match the actual workplace.
Why it fails: Not "appropriate to the nature of the work" (Test 4). Doesn't identify workplace-specific risks (Test 1).
Example: Office using construction risk assessment template. Lists hazards like excavations, scaffolding, and heavy plant that don't exist. Misses the actual office hazards: DSE, slips and trips, fire, stress.
How to avoid: Walk your workplace, identify your actual hazards, and document your real controls. Use templates as structure only, not as content.
Failure 2: Overly simplistic "tick-box" assessments
The problem: Checklist of hazards ticked "yes" with no detail, no analysis, no consideration of controls.
Why it fails: Doesn't demonstrate precautions are reasonable (Test 3). Doesn't enable employer to identify necessary measures.
Example: Assessment listing:
- ✓ Slips and trips
- ✓ Manual handling
- ✓ Fire
- ✓ DSE
No explanation of what the hazards are, where they're located, who's at risk, what controls exist, or what actions are needed.
How to avoid: For each hazard, document who's at risk, existing controls, whether they're adequate, and any further actions needed.
Failure 3: No identification of vulnerable groups
The problem: Assessment mentions "employees" or "all staff" without identifying groups especially at risk.
Why it fails: Doesn't identify who might be harmed (Test 2). Fails legal requirement to identify groups especially at risk (Regulation 3(6)(b)).
Example: Warehouse assessment that doesn't mention young apprentices (higher risk due to inexperience), pregnant workers (shouldn't do certain manual handling), or night shift workers (lone working and fatigue risks).
How to avoid: Specifically identify vulnerable groups: young workers, pregnant workers, disabled workers, lone workers, inexperienced workers, workers with relevant health conditions.
Failure 4: Inadequate control analysis
The problem: Controls listed without thought about whether they're adequate or whether higher-level controls are possible.
Why it fails: Doesn't show precautions are reasonable (Test 3). No evidence of working through hierarchy of controls.
Example: High-risk hazard (chemical exposure) with only control listed as "Training provided and PPE available." No consideration of elimination, substitution, or engineering controls.
How to avoid: For each hazard, work through hierarchy: Can you eliminate it? Substitute something safer? Use engineering controls? Only then rely on administrative controls and PPE. Document this thinking.
Failure 5: No action plan or vague actions
The problem: Assessment identifies inadequate controls but no specific actions to improve them, or actions are too vague to be useful.
Why it fails: Doesn't enable employer to identify measures needed (purpose of risk assessment). Provides no route to compliance.
Example: Assessment identifies high risk from unguarded machinery. "Further actions" section says "Improve" or "Management to review." No specific action, no responsibility, no deadline.
How to avoid: Every inadequately controlled risk needs specific action: what will be done, by whom, by when. "Install interlocked guard on saw 3 — Maintenance Manager — by 28 Feb 2025."
Failure 6: Never reviewed or updated
The problem: Old assessment that doesn't reflect current workplace, equipment, or workforce.
Why it fails: No longer valid (Test 5). Doesn't reflect the actual work being done now.
Example: Assessment dated 2018. Workplace has since introduced new equipment, changed layout, and increased staff. Assessment makes no mention of these. It's now 2024 and nothing has been updated.
How to avoid: Review annually as minimum. Review after any significant change. Update the document when circumstances change. Keep old versions to show progression.
An old, outdated risk assessment can be worse than having none at all. It's evidence you know you should assess risks but haven't kept it current. In legal proceedings, an outdated assessment demonstrates neglect rather than providing defense.
What HSE inspectors look for
When HSE inspectors review risk assessments, they apply the suitable and sufficient test by asking:
Key inspector questions
1. Does it reflect this workplace?
- Could this assessment apply to any similar business, or is it specific to this one?
- Do the hazards listed match what the inspector observes?
- Are the controls described actually present and working?
2. Have you thought about the real risks?
- Are significant hazards identified?
- Have you missed anything obvious?
- Do the controls make sense for the risks identified?
3. Have you involved workers?
- Is there evidence of consultation with employees?
- Do workers know about the assessment and its findings?
- Have you acted on worker concerns?
4. Is it being used?
- Is the action plan being worked through?
- Are controls listed in the assessment actually implemented?
- Is the assessment accessible to those who need it?
5. Is it kept up to date?
- When was it last reviewed?
- Does it reflect recent changes?
- Is there a system for triggering reviews?
HSE inspectors are pragmatic. They're not looking for perfect documents from small businesses. They want evidence of a genuine effort to identify real risks and implement reasonable controls. A simple, honest assessment beats a professional-looking generic one every time.
Red flags that trigger enforcement
Certain failures are likely to result in enforcement action:
Immediate red flags:
- No risk assessment at all
- Generic template clearly copied without customization
- Assessment lists controls that don't exist
- Serious hazards not identified or assessed
- No evidence of review for many years
- Action plan with no completed actions
Serious concerns:
- Assessment doesn't match what inspector observes
- Vulnerable groups not considered
- High risks with inadequate controls
- No consideration of hierarchy of controls
- Evidence assessment is never referred to or used
What might result in improvement notice:
- Assessment present but not suitable and sufficient
- Significant gaps in hazard identification
- Inadequate control analysis
- No regular review process
- Action plan not being implemented
What might result in prohibition or prosecution:
- No assessment for high-risk activities
- Assessment so inadequate it provides no protection
- Serious incident occurs due to unassessed risk
- Repeated failure to improve after previous enforcement
Proportionality principle
"Suitable and sufficient" is relative to the risks you face. The assessment should be proportionate.
Simple workplace, simple assessment
Low-risk office environment:
- Few significant hazards: DSE, slips and trips, fire, manual handling of files
- Well-understood risks with standard controls
- Stable workforce and environment
Suitable assessment:
- Simple table format, 2-4 pages
- Lists hazards, controls, and any improvements needed
- Clear but concise
- Can be completed by competent manager using HSE guidance
Would be disproportionate:
- 50-page report with complex risk scoring matrices
- Consultant-conducted detailed analysis
- Elaborate quantitative risk calculations
- Extensive technical specifications
Complex workplace, detailed assessment
High-risk manufacturing or construction:
- Many significant hazards: machinery, chemicals, work at height, confined spaces
- Specialist hazards requiring technical knowledge
- Complex processes with multiple steps
- Contractors and visitors present
Suitable assessment:
- Multiple assessments for different activities or areas
- Detailed analysis of high-risk activities
- Specific assessments by competent persons (COSHH, noise, etc.)
- May run to many pages with detailed action plans
Would be insufficient:
- Single-page tick-box checklist
- Generic template without detailed analysis
- No specialist assessment of complex hazards
- Controls listed as "adequate" without specification
Proportionate Assessment Examples
Simple Office (5 staff)
- 3-page Word document
- Covers DSE, slips/trips, fire, manual handling, stress
- Simple table format
- Completed by office manager using HSE template
- Reviewed annually
- Entirely proportionate and adequate
Chemical Plant (100 staff)
- Multiple detailed assessments for different processes
- COSHH assessments for each substance
- Specialist assessments (noise, vibration, confined space)
- May involve external consultants for complex hazards
- Frequent review due to process changes
- Extensive documentation necessary and proportionate
Bottom line: The level of detail and sophistication should match the complexity and severity of the risks. Don't overcomplicate simple risks, and don't oversimplify complex ones. Both extremes result in assessments that aren't suitable and sufficient.
Demonstrating suitability and sufficiency
How to show your assessment meets the standard:
Evidence of workplace-specific content
Show it's your workplace:
- Name specific equipment, locations, and processes
- Describe actual work activities
- Reference your workforce composition
- Include photos, diagrams, or layout plans if helpful
Example:
- Generic: "Manual handling of loads"
- Workplace-specific: "Manual handling of beer kegs (50kg each) from delivery vehicle to cellar via external stairs at Railway Tavern, High Street. Deliveries typically Tuesday and Friday mornings, handled by bar staff Sarah and Mike."
Evidence of thought process
Show you've analyzed risks, not just listed them:
- For each hazard, explain who's at risk and how
- Describe existing controls and evaluate whether they're adequate
- If controls are inadequate, explain what more is reasonably practicable
- If you've not used higher-level controls, document why
Example:
- Insufficient: "Slips and trips — Low risk — Adequate controls"
- Suitable: "Wet floor from cleaning in customer area. Could cause slips resulting in bruising or fractures, particularly for elderly customers. Controls: 'Wet floor' signs used during cleaning, anti-slip floor covering installed 2022, cleaning done before opening where possible. Controls adequate but could improve timing—action: change cleaning schedule to complete before 9am opening (Manager, by end Jan 2025)."
Evidence of consultation
Show you've involved workers:
- Reference discussions with employees
- Note concerns raised by workers
- Document how you've acted on employee input
- Include signatures of worker representatives if applicable
Example: "Hazards identified through workplace walkthrough on 5 Dec 2024 with warehouse team. Staff raised concerns about trolley wheel failures and lack of lighting in loading bay. Both issues addressed in action plan below."
Evidence of regular review
Show it's a living document:
- Record review dates and who conducted review
- Note what triggered review (scheduled, incident, change)
- Document what changed and why
- Keep superseded versions showing progression
Example: "Original assessment: Jan 2023 by J Smith. Review 1: Jan 2024 — no changes, controls adequate. Review 2: June 2024 — reviewed following near-miss with forklift. Updated to include additional mirrors and revised traffic management. Next review: Jan 2025 or sooner if further incidents."
Frequently asked questions
Apply the five tests: Does it identify significant risks? Does it identify who might be harmed? Are precautions reasonable? Is it appropriate to the nature of work? Does it remain valid? If you can answer yes to all five, it's likely suitable and sufficient. Also ask: would this assessment help someone unfamiliar with your workplace understand the risks and controls?
Yes. If an HSE inspector reviews your assessment and determines it doesn't meet the suitable and sufficient standard, they can issue an improvement notice requiring you to conduct an adequate assessment by a specified deadline. Failure to comply can result in prosecution. More seriously, if an incident occurs and your assessment is found inadequate, this can be evidence in prosecution.
Yes, for a very simple workplace with few hazards. A small office with standard hazards (DSE, slips/trips, fire) could be adequately assessed on one page if it covers who's at risk, what controls exist, and any actions needed. However, most workplaces have enough significant risks to require more detail. Don't artificially constrain yourself to fit on one page.
Not necessarily. You can group related hazards in a single assessment if it makes sense. What matters is that all significant hazards are assessed. Some organizations prefer one comprehensive workplace assessment; others prefer separate assessments for different activities or areas. Choose what works for your workplace and makes the assessment usable.
Yes, if you thoroughly customize it to your workplace. Templates provide structure, but you must: identify your actual hazards, document your real controls, create your specific action plan, and remove irrelevant template content. A customized template can absolutely be suitable and sufficient. An unchanged generic template cannot.
Detailed enough to demonstrate you've thought about whether controls are adequate. You don't need complex numerical scoring, but you do need to evaluate: Are current controls working? Are they suitable for the risk level? Do we need to do more? For simple risks, a simple evaluation is fine. For complex or high risks, more detailed analysis is expected.
The assessment itself can be suitable and sufficient if it correctly identifies risks and appropriate actions. However, your overall compliance is not adequate if you haven't implemented the controls. The assessment is just documentation—what matters is whether risks are actually controlled. Uncompleted actions mean you're still in breach of duty to control risks.
Same principles apply: it must identify fire hazards (ignition sources, fuel, oxygen), identify who's at risk (particularly those with mobility issues), evaluate existing fire safety measures (detection, warning, means of escape, firefighting equipment), and identify any improvements needed. It should be specific to your premises, not a generic template. See HSE and Fire Service guidance for fire-specific requirements.
No. Risk assessments must remain valid. If circumstances change (new equipment, different processes, changed workforce, new information about hazards), your old assessment may no longer be suitable and sufficient. You must review and update it. An assessment that was adequate 5 years ago but hasn't been reviewed is no longer suitable and sufficient.
The real test is often retrospective (after an incident), but you can get assurance beforehand by: having it reviewed by a competent person, comparing it against HSE guidance, using the self-assessment checklist above, consulting workers to verify it matches reality, or commissioning an audit by a health and safety consultant. However, ultimate judgment if challenged is by HSE inspector or court.
Concerned your risk assessments might not meet the suitable and sufficient standard? A qualified health and safety consultant can review your assessments, identify any gaps, and help you develop compliant documentation that truly protects your workers and your organization.
Summary: The suitable and sufficient standard
A risk assessment is suitable and sufficient when it:
✓ Identifies all significant workplace hazards — Real risks in your actual workplace, not generic lists
✓ Identifies everyone who might be harmed — Specific groups, including vulnerable workers who need special consideration
✓ Evaluates whether existing controls are adequate — Shows you've thought about whether precautions are reasonable and whether you can do more
✓ Is specific to your workplace — Reflects your actual equipment, processes, environment, and workforce
✓ Enables you to identify necessary measures — Clear action plan with specific responsibilities and deadlines
✓ Is proportionate to your risks — Simple for straightforward risks, detailed for complex or high-risk activities
✓ Remains current and valid — Regularly reviewed and updated when circumstances change
✓ Is actually used — A working document that informs decisions, not something filed and forgotten
The suitable and sufficient test is ultimately about substance, not form. A simple, honest assessment that genuinely reflects your workplace and leads to adequate risk control will always beat an elaborate, professional-looking document that's generic and unused. Focus on identifying real risks and implementing real controls, not on creating impressive paperwork.