What is a Risk Assessment?
A risk assessment is a systematic process of identifying hazards in the workplace, evaluating the risks they pose, and determining appropriate control measures to protect workers and others. It is not about creating huge amounts of paperwork โ it is about identifying sensible measures to control real risks.
The legal duty to carry out risk assessments comes from two key pieces of legislation: the Health and Safety at Work etc. Act 1974 (HSWA), Section 2, which places a general duty on employers to ensure, so far as is reasonably practicable, the health, safety, and welfare of employees; and Regulation 3 of the Management of Health and Safety at Work Regulations (MHSWR) 1999, which specifically requires a suitable and sufficient assessment of risks.
Who Must Carry Out a Risk Assessment?
Every employer and self-employed person must carry out a risk assessment. If you employ five or more people, you must record the significant findings in writing. However, it is best practice to document all assessments regardless of workforce size.
The HSE 5-Step Risk Assessment Process
The Health and Safety Executive (HSE) recommends a straightforward 5-step approach to risk assessment. This framework, set out in guidance document INDG163, is widely recognised as the standard method for UK workplaces.
The 5 Steps to Risk Assessment
| Step | Action | Key Activities |
|---|---|---|
| 1 | Identify the hazards | Walk the workplace, consult employees, review accident records, check manufacturers' instructions and safety data sheets |
| 2 | Decide who might be harmed and how | Consider employees, contractors, visitors, members of the public, vulnerable groups (young workers, new/expectant mothers, lone workers, people with disabilities) |
| 3 | Evaluate the risks and decide on precautions | Compare existing controls against good practice, apply the hierarchy of controls (eliminate, substitute, engineer, administrate, PPE), decide if more needs to be done |
| 4 | Record your significant findings | Document hazards identified, who is at risk, existing controls, further actions needed, responsible persons, and target dates. Must be recorded if you have 5+ employees |
| 5 | Review and update the assessment | Review after any significant change, after an accident or near miss, when new equipment or substances are introduced, or at regular intervals (at least annually) |
Source: HSE INDG163 โ Five Steps to Risk Assessment
The assessment should be "suitable and sufficient" โ proportionate to the level of risk. A small office with few hazards needs a simpler assessment than a chemical plant. The key is to be practical and focused on the real risks that could cause harm.
Competent Person
Risk assessments must be carried out by, or under the guidance of, a competent person โ someone with sufficient training, knowledge, experience, and other qualities to undertake the task properly. This does not always require a formal qualification, but appropriate health and safety training is strongly recommended.
Types of Risk Assessment
While the general risk assessment under MHSWR 1999 covers all workplace hazards, several specific regulations require dedicated assessments for particular types of risk. Each has its own legal trigger and requirements.
Risk Assessment Types and Their Legal Basis
| Type | Focus | Triggering Regulation |
|---|---|---|
| General Risk Assessment | All workplace hazards and risks to employees and others | MHSWR 1999, Reg. 3 |
| Fire Risk Assessment | Fire hazards, ignition sources, people at risk, fire detection and escape | Regulatory Reform (Fire Safety) Order 2005 |
| COSHH Assessment | Exposure to hazardous substances (chemicals, dusts, fumes, biological agents) | COSHH Regulations 2002, Reg. 6 |
| Manual Handling Assessment | Risks from lifting, carrying, pushing, pulling loads | Manual Handling Operations Regulations 1992, Reg. 4 |
| DSE Assessment | Risks to users of display screen equipment (computers, laptops) | Health and Safety (Display Screen Equipment) Regulations 1992, Reg. 2 |
| Noise Assessment | Exposure to noise levels that could cause hearing damage | Control of Noise at Work Regulations 2005, Reg. 5 |
| Vibration Assessment | Exposure to hand-arm vibration (HAV) and whole-body vibration (WBV) | Control of Vibration at Work Regulations 2005, Reg. 5 |
| Working at Height Assessment | Risks from falls, falling objects, fragile surfaces | Work at Height Regulations 2005, Reg. 6 |
Source: HSE Guidance and UK Statutory Instruments
One Assessment or Many?
There is no legal requirement to keep separate documents for each type of assessment. Many employers combine them into a single workplace risk assessment. What matters is that all significant risks are identified and adequately controlled, regardless of how the paperwork is organised.
Common Workplace Hazards
Hazards fall into five broad categories. Understanding these helps you carry out a thorough assessment and avoid overlooking risks that are less obvious.
Workplace Hazards by Category
| Category | Examples | Typical Controls |
|---|---|---|
| Physical | Slips, trips and falls; moving machinery; electricity; noise; vibration; working at height; vehicles | Housekeeping, guarding, isolation, LEV, PPE, traffic management plans |
| Chemical | Cleaning products, solvents, paints, adhesives, dusts, fumes, gases | Substitution, ventilation, enclosed processes, safe storage, PPE, COSHH assessments |
| Biological | Bacteria, viruses, fungi, needle-stick injuries, animal waste, legionella | Vaccination, hygiene procedures, sharps disposal, water treatment, PPE |
| Ergonomic | Manual handling, repetitive tasks, poor workstation setup, prolonged standing or sitting | Job rotation, mechanical aids, DSE assessments, workstation adjustments, rest breaks |
| Psychosocial | Work-related stress, bullying, harassment, long hours, lone working, violence | Workload management, anti-bullying policies, employee support, lone worker procedures, stress risk assessments |
Source: HSE Guidance โ Managing Risks and Risk Assessment at Work
When walking the workplace during Step 1, use these categories as a checklist. It is easy to focus on obvious physical hazards and overlook psychosocial or ergonomic risks, which are among the leading causes of work-related ill health in the UK.
Risk Assessment Matrix
A risk matrix is a practical tool for prioritising risks by combining the likelihood of harm occurring with the severity of its consequences. While not legally required, using a matrix helps you make consistent, objective decisions about which risks need urgent attention.
3x3 Risk Rating Matrix
| Likelihood / Severity | Low Severity | Medium Severity | High Severity |
|---|---|---|---|
| High Likelihood | Medium | High | High |
| Medium Likelihood | Low | Medium | High |
| Low Likelihood | Low | Low | Medium |
Risk Rating Actions
| Risk Rating | Action Required | Timeframe |
|---|---|---|
| High | Stop the activity or implement immediate controls. Senior management involvement required. Detailed action plan with named responsible persons. | Immediate |
| Medium | Reduce the risk as soon as reasonably practicable. Implement additional control measures. Monitor effectiveness. | Within days to weeks |
| Low | Manage by routine procedures. Monitor to ensure controls remain effective. Review at next scheduled assessment. | Ongoing monitoring |
Adapted from HSE risk assessment guidance (HSG65)
Don't Over-Complicate the Matrix
A 3x3 matrix is sufficient for most workplaces. More complex 5x5 matrices are available but can create a false sense of precision. The goal is to distinguish between high, medium, and low risks so you can allocate resources where they are needed most.
Employer Legal Obligations
UK employers have clear legal duties regarding risk assessment. These come primarily from the Health and Safety at Work etc. Act 1974 and the Management of Health and Safety at Work Regulations 1999.
Key Legal Duties
| Duty | Legal Source | Requirement |
|---|---|---|
| General duty of care | HSWA 1974, s.2 | Ensure, so far as is reasonably practicable, the health, safety, and welfare of all employees at work |
| Risk assessment | MHSWR 1999, Reg. 3 | Carry out a suitable and sufficient assessment of risks to employees and anyone else affected by the undertaking |
| Principles of prevention | MHSWR 1999, Reg. 4, Sch. 1 | Implement preventive and protective measures guided by the general principles of prevention (avoid risks, evaluate unavoidable risks, combat risks at source) |
| Health and safety arrangements | MHSWR 1999, Reg. 5 | Make and give effect to appropriate arrangements for effective planning, organisation, control, monitoring, and review of preventive measures |
| Competent assistance | MHSWR 1999, Reg. 7 | Appoint one or more competent persons to assist in undertaking measures to comply with health and safety law |
| Information for employees | MHSWR 1999, Reg. 10 | Provide employees with comprehensible and relevant information on risks, preventive measures, and emergency procedures |
| Training | MHSWR 1999, Reg. 13 | Provide adequate health and safety training on recruitment and when exposed to new or changed risks |
| Recording requirements | MHSWR 1999, Reg. 3(6) | Record the significant findings of the risk assessment and any group of employees identified as being especially at risk (employers with 5+ employees) |
Source: HSWA 1974 and MHSWR 1999 (SI 1999/3242)
Penalties for Non-Compliance
Since February 2016, health and safety offences in England and Wales carry unlimited fines in both the Crown Court and Magistrates' Court. Individuals (directors, managers) can face up to 2 years' imprisonment for serious breaches. Corporate manslaughter carries an unlimited fine with a minimum based on the organisation's turnover. The HSE issued over 8,000 enforcement notices in 2023/24.
Industry-Specific Risk Assessment Scenarios
Risk assessments must be tailored to the specific hazards of each workplace. Different industries face different risk profiles and are subject to sector-specific regulations alongside the general duties.
Sector Hazards and Key Regulations
| Sector | Top Hazards | Key Regulations |
|---|---|---|
| Construction | Falls from height, struck by moving vehicles/objects, collapse of structures, silica dust, asbestos | CDM Regulations 2015, Work at Height Regs 2005, Control of Asbestos Regs 2012 |
| Office | DSE-related musculoskeletal disorders, slips/trips, stress, poor ergonomics, fire | DSE Regulations 1992, MHSWR 1999, Fire Safety Order 2005 |
| Manufacturing | Machinery entanglement, noise, vibration, chemical exposure, manual handling, fire/explosion | PUWER 1998, LOLER 1998, Noise Regs 2005, COSHH 2002, ATEX/DSEAR 2002 |
| Healthcare | Needle-stick injuries, biological agents, manual handling of patients, violence, stress, latex allergy | COSHH 2002, Sharps Regulations 2013, MHOR 1992, MHSWR 1999 |
| Retail | Manual handling, slips/trips, violence and aggression, lone working, workplace transport | MHOR 1992, MHSWR 1999, Workplace (Health, Safety and Welfare) Regs 1992 |
| Hospitality | Burns and scalds, slips on wet/greasy floors, knife injuries, manual handling, stress, long hours | Workplace Regs 1992, MHOR 1992, MHSWR 1999, Gas Safety Regs 1998 |
Source: HSE sector-specific guidance pages
When conducting a risk assessment, always check whether your sector has HSE-published guidance specific to your industry. These documents often contain practical examples and templates tailored to common hazards in your line of work.
Common Risk Assessment Mistakes to Avoid
Even well-intentioned employers make mistakes with risk assessments. Here are the most common pitfalls and how to avoid them.
Mistake 1: Treating It as a One-Off Exercise
A risk assessment is a living document, not a file-and-forget exercise. It must be reviewed whenever there are significant changes โ new equipment, new processes, new staff, after an incident, or at regular intervals. Outdated assessments give a false sense of security and will not protect you legally.
Mistake 2: Being Too Generic
Copying a template from the internet without adapting it to your specific workplace is one of the most common failures. Your assessment must reflect your actual hazards, your people, and your controls. A generic assessment will not satisfy the "suitable and sufficient" requirement.
Mistake 3: Not Consulting Employees
Workers doing the job every day know the real risks better than anyone. Regulation 4(1) of the Safety Representatives and Safety Committees Regulations 1977 and the Health and Safety (Consultation with Employees) Regulations 1996 require employers to consult employees on health and safety matters, including risk assessment.
Mistake 4: Ignoring Psychosocial Risks
Work-related stress, anxiety, and depression account for over 50% of all work-related ill health in the UK. Many risk assessments focus exclusively on physical hazards and miss stress, bullying, excessive workload, and lone working entirely.
Mistake 5: Over-Relying on PPE
PPE is the last resort in the hierarchy of controls, not the first. If you can eliminate or reduce a hazard through engineering or administrative controls, you must do so before issuing PPE. An assessment that lists "wear gloves" for every hazard is not applying the hierarchy properly.
Mistake 6: Failing to Record Actions and Responsible Persons
Identifying risks is only half the job. Your assessment must include specific actions, who is responsible, and target completion dates. Without this, nothing gets done and the assessment becomes a paper exercise with no real impact on safety.
Resources & Further Reading
The following resources from the Health and Safety Executive (HSE) and other authoritative bodies provide detailed guidance on workplace risk assessment.
Essential Risk Assessment Resources
| Resource | Description | Publisher |
|---|---|---|
| INDG163 โ Five Steps to Risk Assessment | Free HSE leaflet outlining the 5-step risk assessment process for all employers | HSE |
| HSG65 โ Managing for Health and Safety | Comprehensive guidance on the Plan-Do-Check-Act approach to health and safety management | HSE |
| Risk Assessment: A Brief Guide (INDG163 Rev5) | Updated version of the 5-step guide with worked examples for different industries | HSE |
| HSE Risk Assessment Templates | Free downloadable risk assessment templates for various workplace types | HSE |
| L21 โ Management of Health and Safety at Work ACoP | Approved Code of Practice for the Management of Health and Safety at Work Regulations 1999 | HSE |
| HSWA 1974 โ Full Text | The primary legislation governing workplace health and safety in Great Britain | legislation.gov.uk |
| MHSWR 1999 โ Full Text | The Management of Health and Safety at Work Regulations 1999 (SI 1999/3242) | legislation.gov.uk |
| HSE Example Risk Assessments | Completed example risk assessments for common workplace scenarios (classroom, office, warehouse, etc.) | HSE |
All HSE publications available at hse.gov.uk
Staying Up to Date
Health and safety law and guidance evolve over time. Check the HSE website regularly for updates to guidance documents, new Approved Codes of Practice, and changes to regulations. Subscribe to HSE e-bulletins for alerts on regulatory changes relevant to your sector.
Get Qualified in Health & Safety
Risk assessment is a core competency for anyone responsible for workplace safety. Our accredited Health & Safety course covers the HSE 5-step process, legal duties under MHSWR 1999 and HSWA 1974, hazard identification, control measures, and practical risk assessment techniques โ giving you the skills to protect your workforce and meet your legal obligations.
Explore Our Health & Safety Course