workplace safety

What is a Risk Assessment?

A risk assessment identifies workplace hazards and evaluates risks to health and safety. Learn the 5 steps, legal requirements, and how to conduct effective risk assessments in the UK.

This guide includes a free downloadable checklist.

Get the checklist

A risk assessment is a systematic examination of your workplace to identify hazards, evaluate who might be harmed, and determine what precautions are needed. It's a legal requirement for all employers in the UK and forms the foundation of workplace health and safety management.

Do you have current risk assessments for your workplace?

Let's point you to the right information.

What is a risk assessment?

A risk assessment is a careful examination of your workplace to identify what could cause harm to people, so you can decide whether you're taking reasonable precautions or need to do more to prevent harm.

It involves identifying:

  • Hazards — anything with the potential to cause harm
  • Who might be harmed — employees, visitors, contractors, members of the public
  • Existing controls — what measures you already have in place
  • Further actions needed — what additional steps are required

The purpose is not bureaucracy. It's to ensure people can work safely without injury or ill health.

Key Point

A risk assessment is not a certificate or qualification. It's a documented process of identifying workplace hazards and deciding on adequate precautions. The assessment itself is the written record of this systematic review.

Legal requirement

Under the Management of Health and Safety at Work Regulations 1999, every employer must:

  • Carry out a suitable and sufficient risk assessment
  • Identify measures needed to comply with health and safety law
  • Review the assessment when necessary

This applies to all work activities, all workplaces, and all employers — regardless of size or sector.

If you employ 5 or more people, you must record:

  • The significant findings of your assessment
  • Any group of employees identified as being especially at risk
  • The arrangements for protecting health and safety
Warning:

Failure to conduct risk assessments is a breach of the Management Regulations and can result in enforcement action, including improvement notices, prohibition notices, and prosecution with unlimited fines.

Hazard vs Risk — what's the difference?

Many people confuse hazards with risks. Understanding the difference is essential for effective risk assessment.

Hazard: Something with the potential to cause harm

  • A wet floor
  • A chemical
  • A trailing cable
  • Working at height
  • A heavy load

Risk: The likelihood that the hazard will cause harm, combined with the severity of that harm

  • A wet floor in a busy corridor = high risk
  • A wet floor in a locked room = low risk
  • Benzene exposure = high risk (serious harm likely)
  • Washing up liquid = low risk (minor harm possible)

Hazard vs Risk

Hazard

  • The thing that could cause harm
  • A wet floor
  • A sharp knife
  • A chemical substance
  • Electricity
  • Working at height

Risk

  • The chance of harm occurring
  • Likelihood someone will slip
  • Likelihood of a cut injury
  • Likelihood of chemical exposure
  • Likelihood of electric shock
  • Likelihood of a fall

Bottom line: A hazard is what can cause harm. A risk is the chance it will cause harm. Risk assessment involves identifying hazards and evaluating the risks they present.

The 5 steps to risk assessment

The Health and Safety Executive recommends a five-step approach applicable to all workplaces:

Step 1: Identify the hazards

Walk through your workplace and look for anything that could reasonably be expected to cause harm.

Consider:

Physical hazards:

  • Slips, trips, and falls
  • Working at height
  • Moving machinery
  • Vehicles and transport
  • Manual handling and lifting
  • Noise and vibration
  • Temperature extremes

Chemical and biological hazards:

  • Cleaning products and solvents
  • Dust and fumes
  • Asbestos
  • Legionella in water systems
  • Biological agents (healthcare, waste, sewage)

Work environment hazards:

  • Poor lighting
  • Inadequate ventilation
  • Confined spaces
  • Electrical installations
  • Fire risks
  • Structural issues

Work activity hazards:

  • Lone working
  • Violence and aggression
  • Stress and mental health
  • Display screen equipment use
  • Repetitive tasks
  • Working hours and fatigue

Don't just rely on your own observations:

  • Check accident and ill-health records
  • Consult employees — they know the risks
  • Review manufacturer instructions for equipment
  • Check industry guidance for your sector

Step 2: Decide who might be harmed and how

Consider all the people who could be affected:

Employees:

  • Full-time, part-time, temporary staff
  • Young workers (under 18)
  • New and expectant mothers
  • Disabled employees
  • Older workers
  • Those working alone or in isolated areas

Non-employees:

  • Contractors and maintenance personnel
  • Visitors and customers
  • Delivery drivers
  • Cleaners and security staff (often outside normal hours)
  • Members of the public
  • Vulnerable people (children, elderly, those with health conditions)

For each hazard, think about how people might be harmed. The same hazard can affect different groups in different ways.

Step 3: Evaluate the risks and decide on precautions

For each hazard, ask:

  1. Can I eliminate the hazard entirely? (Best option — no hazard means no risk)
  2. Can I substitute it for something safer? (Replace with less hazardous alternative)
  3. Can I prevent access to the hazard? (Guards, barriers, enclosures)
  4. Can I reduce exposure? (Time limits, ventilation, less frequent use)
  5. What protective measures are needed? (PPE, training, supervision)

This hierarchy of controls should guide your decisions:

Note:

Hierarchy of Controls

  1. Elimination — Remove the hazard completely
  2. Substitution — Replace with something less dangerous
  3. Engineering controls — Guard, enclose, or isolate the hazard
  4. Administrative controls — Procedures, training, supervision
  5. Personal protective equipment (PPE) — Last resort when other controls aren't enough

Consider whether your existing precautions are adequate:

  • Are they working properly?
  • Are they being used correctly?
  • Are they suitable for the level of risk?
  • Do they comply with relevant standards?

If the answer is no, what more do you need to do?

Step 4: Record your findings and implement them

If you employ 5 or more people, you must record the significant findings of your assessment.

Your written risk assessment should include:

The hazards identified:

  • What they are
  • Where they are
  • Who is exposed

Who might be harmed:

  • Specific groups at risk
  • How they might be harmed
  • How severe the harm could be

Existing control measures:

  • What you already have in place
  • Whether they're adequate

Further actions needed:

  • What additional steps are required
  • Who is responsible for each action
  • Target completion dates
  • Priority (high, medium, low)

Review date:

  • When the assessment will be reviewed

Even if you have fewer than 5 employees, keeping a written record is strongly recommended. It demonstrates you've taken your duties seriously and provides a baseline for future reviews.

Key Point

Recording findings is not the end — it's just documentation. The critical part is implementing the actions identified. A risk assessment that sits in a drawer while hazards remain uncontrolled is worse than useless.

Step 5: Review and update the assessment

Risk assessments are not one-off tasks. Review them:

As a minimum:

  • Annually (good practice for most workplaces)
  • When there's reason to suspect it's no longer valid

Triggers for review:

  • After an accident or near miss
  • After significant changes to work activities
  • When introducing new equipment, substances, or processes
  • When the work environment changes
  • When new information about hazards becomes available
  • If workforce composition changes (new starters, vulnerable workers)

Risk Assessment Review Schedule

Daily
Workplace inspections

Regular checks by supervisors for obvious hazards and control measures

Monthly
Incident review

Review any accidents, near misses, or ill-health reports

Quarterly
Consultation meetings

Discuss health and safety concerns with employees

Annually
Formal risk assessment review

Systematic review of all risk assessments

As needed
Change-triggered reviews

Review when significant changes occur

Who can conduct risk assessments?

The law requires risk assessments to be carried out by a "competent person" — someone with sufficient training, experience, and knowledge.

For many workplace hazards, this could be:

  • You (the employer)
  • A manager or supervisor
  • An employee with appropriate training

You don't need specific qualifications for straightforward risks in simple workplaces.

When to do it yourself vs use a professional

DIY Assessment

  • Simple, low-risk office environment
  • Standard workplace hazards
  • You understand the work activities
  • You have time to do it properly
  • Free HSE guidance available
  • Suitable training can be obtained

Professional Help

Recommended
  • Complex or high-risk activities
  • Specialist hazards (asbestos, radiation)
  • Construction sites
  • Chemical processes
  • You lack necessary knowledge
  • Typically £300-1,500+ depending on scope

Bottom line: For routine office risks, employers can often assess with appropriate guidance. For complex hazards or specialized industries, professional health and safety consultants ensure compliance and protect your workforce.

However, for specialist hazards, you need appropriate expertise:

  • Asbestos — requires asbestos awareness or surveyor qualifications
  • Manual handling — requires understanding of ergonomics and injury mechanisms
  • COSHH — requires knowledge of chemical hazards and control measures
  • Noise — may require measurement equipment and acoustic knowledge
  • Display screen equipment (DSE) — requires understanding of ergonomic principles

Common workplace risks to assess

While every workplace is different, most need to assess these common hazards:

Physical environment:

  • Slips, trips, and falls (most common workplace accident)
  • Working at height (ladders, scaffolds, roofs)
  • Manual handling and lifting
  • Display screen equipment and workstation setup
  • Workplace transport (forklifts, vehicles)
  • Electrical safety
  • Fire safety

Substances and materials:

  • Chemicals (COSHH assessment required)
  • Dust and fumes
  • Asbestos (if building pre-2000)
  • Legionella in water systems

Work organization:

  • Lone working
  • Working time and fatigue
  • Stress and mental health
  • Violence and aggression
  • Young workers and work experience
  • New and expectant mothers

Specific activities:

  • Construction and maintenance work
  • Hot work (welding, cutting)
  • Confined space entry
  • Work near water or excavations
Tip:

Don't try to write a single risk assessment covering everything. Break it down by activity, area, or hazard type. This makes assessments more manageable and easier to review when changes occur.

Recording requirements

If you have 5 or more employees, you must record in writing:

  1. The significant findings — hazards identified and conclusions about risk levels
  2. Employees especially at risk — any groups requiring special consideration
  3. Control measures — what you're doing to manage the risks

If you have fewer than 5 employees, there's no legal requirement to write it down, but you should because:

  • It demonstrates you've thought about risks systematically
  • It provides evidence of compliance if challenged
  • It creates a baseline for future reviews
  • It helps communicate risks to employees
  • It's useful if you need to claim insurance or defend legal action
Key Point

"I've done a mental risk assessment" is not adequate. Even for micro-businesses, a simple written record shows you've taken your duties seriously and helps you remember what you decided.

Risk assessment templates

Templates can be helpful, but use them carefully:

Good templates:

  • Prompt you to think about different hazard types
  • Provide structure for recording findings
  • Include action planning sections
  • Can be adapted to your workplace

Template pitfalls:

  • Generic assessments that don't reflect your actual workplace
  • Copying someone else's assessment without understanding it
  • Filling in boxes without thinking about real hazards
  • Creating lengthy documents that nobody reads or acts on
Warning:

Never download a risk assessment and put your company name on it without thoroughly checking it matches your actual workplace. Fire services and HSE inspectors can spot generic assessments, and they provide no legal protection if they don't reflect reality.

Common risk assessment mistakes

Warning(anonymised)

Manufacturing company fined £120,000 after preventable injury

The Situation

A worker suffered serious crush injuries when operating a press machine. The company had a risk assessment on file, but it was generic and didn't reflect the actual working practices.

What Went Wrong
  • Generic risk assessment copied from a template
  • No assessment of actual working methods
  • Guards had been removed to speed up production
  • No consultation with operators about risks
  • Assessment not reviewed in 5 years despite process changes
  • Action plan items never implemented
Outcome

HSE prosecution resulted in a £120,000 fine plus £45,000 costs. The company also faced a civil claim. The incident was entirely preventable with proper risk assessment and control measures.

Key Lesson

A risk assessment is only useful if it reflects reality, identifies real risks, and leads to actual improvements. Generic paperwork provides no protection to workers or employers.

Mistakes to avoid:

  1. Treating it as a paperwork exercise — The point is preventing harm, not creating documents.

  2. Generic, template-based assessments — Every workplace is different. Your assessment must reflect your specific situation.

  3. Not involving employees — Those doing the work often know the real risks better than anyone.

  4. Covering too much in one assessment — Break it down by activity or area for clarity.

  5. Focusing only on obvious physical risks — Don't forget stress, lone working, violence, and health hazards.

  6. Ignoring the action plan — Identifying risks without acting on them is pointless and still leaves you liable.

  7. Filing and forgetting — Risk assessments need regular review and update.

  8. Overcomplicating it — For simple risks, a simple assessment is fine. Don't create bureaucracy for its own sake.

What happens if you don't do risk assessments?

Failure to conduct suitable and sufficient risk assessments is a breach of the Management of Health and Safety at Work Regulations 1999.

Enforcement action:

  • Improvement notice — HSE requires you to conduct assessments by a set deadline
  • Prohibition notice — HSE stops work activities until risks are assessed and controlled
  • Prosecution — For serious breaches, resulting in unlimited fines

Other consequences:

  • Increased risk of workplace accidents and ill health
  • Civil claims from injured employees
  • Higher insurance premiums or difficulty obtaining cover
  • Reputational damage
  • Loss of client contracts (many require evidence of risk assessments)
  • Personal liability for directors and business owners
Note:

HSE can prosecute directors personally for serious health and safety breaches. Risk assessment failures, especially if they contribute to serious injury or death, can result in custodial sentences under the Health and Safety at Work etc. Act 1974 or Corporate Manslaughter and Corporate Homicide Act 2007.

Not sure where to start or dealing with complex hazards? A health and safety consultant can help you identify risks, create compliant assessments, and implement practical control measures tailored to your workplace.

Speak to a professional

Frequently asked questions

Yes. Every employer in the UK must conduct risk assessments under the Management of Health and Safety at Work Regulations 1999. This applies regardless of business size, sector, or number of employees. Even sole traders with no employees should assess risks to ensure their own safety and that of anyone affected by their work.

Legally, no — the requirement to record findings in writing only applies if you employ 5 or more people. However, writing it down is strongly recommended even for smaller businesses. It demonstrates you've thought systematically about risks, provides evidence of compliance, and creates a useful reference for the future.

As long as necessary to cover the risks, but no longer. For a simple office with standard hazards, a few pages may be enough. For complex industrial processes, it might run to many pages. Focus on clarity and usefulness, not length. A concise assessment that's actually used is better than a lengthy document that sits unread.

A suitable and sufficient risk assessment identifies the significant risks in your workplace, shows you've considered who might be harmed, demonstrates that precautions are reasonable, and covers all relevant work activities. It should be proportionate to the risk — simple for low risks, more detailed for complex or serious hazards.

Generic templates can provide helpful structure, but you must adapt them to reflect your actual workplace. Simply downloading a template and putting your company name on it is not adequate. The assessment must identify the real hazards present in your workplace and the actual controls you have in place.

There's no fixed expiry date, but risk assessments must be reviewed regularly and whenever there's reason to suspect they're no longer valid. Annual review is considered good practice. An old assessment that doesn't reflect current working practices or hazards is not suitable and sufficient.

The person who conducted the assessment should sign it, along with the date. If you employ 5 or more people, the assessment must be approved by someone with authority to ensure the actions are implemented — typically a director, owner, or senior manager with budget and decision-making power.

A risk assessment identifies hazards and evaluates risks. A method statement describes how work will be carried out safely. Risk assessments inform method statements. In practice, they're often combined in a single RAMS (Risk Assessment and Method Statement) document, especially in construction.

COVID-19 is now treated like other respiratory infections. You should include infectious disease risks in your general workplace risk assessment rather than maintaining separate COVID-19 assessments. Focus on ventilation, hygiene facilities, and supporting staff who are unwell.

If you lack the competence to assess a hazard, you must either get training or bring in someone with appropriate expertise. For specialist hazards like asbestos, confined spaces, or chemical processes, using a professional is essential. HSE and industry bodies provide free guidance for many common hazards.

Related articles:

Useful tools: