
Written by Joanne Hughes, Policy & Compliance Specialist at Policy Pros
Last reviewed:
What Is a Risk Assessment? A Complete Guide for UK Employers
A risk assessment is a systematic process of identifying hazards in the workplace, evaluating the risks they pose and determining appropriate measures to control those risks. Under UK law, risk assessments are not optional — they are a fundamental legal duty placed on every employer. This guide explains the legal framework, the HSE's five-step process, the different types of risk assessment, what makes an assessment legally sufficient and the common mistakes that lead to enforcement action.
The Legal Definition and Who Must Carry Out a Risk Assessment
The duty to carry out risk assessments arises from two primary pieces of legislation. Section 2 of the Health and Safety at Work Act 1974 (HSWA) places a general duty on every employer to ensure, so far as is reasonably practicable, the health, safety and welfare at work of all employees. This includes the duty to provide and maintain safe systems of work, a safe working environment and adequate information, instruction, training and supervision.
Regulation 3 of the Management of Health and Safety at Work Regulations 1999 makes the duty explicit: every employer must make a suitable and sufficient assessment of the risks to the health and safety of employees and any other persons who may be affected by the employer's undertaking. This includes visitors, contractors, members of the public and anyone else who could be harmed by the organisation's activities.
There is a critical threshold to be aware of: employers with five or more employees must record the significant findings of their risk assessments. However, even employers with fewer than five employees are still legally required to carry out assessments — they are simply not required to write them down (although doing so is strongly recommended as evidence of compliance).
Self-employed individuals must also assess the risks their work activities pose to others, even if they have no employees. The duty applies to all sectors and all sizes of organisation without exception.
The HSE Five-Step Risk Assessment Process
The Health and Safety Executive (HSE) has established a widely recognised five-step approach to conducting risk assessments. This framework is considered the standard methodology for UK workplaces.
Step 1: Identify the Hazards
A hazard is anything that has the potential to cause harm. This includes physical hazards (such as trailing cables, moving machinery or working at height), chemical hazards (such as cleaning products, solvents or dust), biological hazards (such as bacteria, viruses or mould), ergonomic hazards (such as repetitive movements, poor workstation setup or manual handling) and psychosocial hazards (such as stress, bullying or excessive workload). Hazard identification should involve walking around the workplace, consulting employees, reviewing accident and near-miss records, checking manufacturers' instructions and safety data sheets, and considering non-routine activities such as maintenance and cleaning.
Step 2: Decide Who Might Be Harmed and How
For each hazard, consider who could be affected. This may include employees, contractors, visitors, members of the public, young workers, new or expectant mothers, lone workers and people with disabilities. Consider how they might be harmed — for example, through inhalation, skin contact, slips and trips, falls from height, musculoskeletal injury or psychological harm.
Step 3: Evaluate the Risks and Decide on Control Measures
Having identified the hazards and who might be harmed, evaluate the level of risk. Risk is typically assessed as a combination of the likelihood of the harm occurring and the severity of the consequences. The hierarchy of controls should be applied: eliminate the hazard where possible, substitute with something less hazardous, use engineering controls (such as guards or ventilation), implement administrative controls (such as training, signage or safe systems of work) and, as a last resort, provide personal protective equipment (PPE).
Step 4: Record the Significant Findings
For employers with five or more employees, the significant findings must be recorded. The record should identify the hazards, who is at risk, the existing control measures, any further actions required, who is responsible for those actions and the date by which they should be completed. The record does not need to be perfect or overly detailed, but it must demonstrate that a proper check was made, that all reasonable precautions have been taken and that the remaining risk is acceptably low.
Step 5: Review and Update Regularly
Risk assessments are not one-off exercises. They must be reviewed and updated whenever there is a significant change in the workplace, such as new equipment, new processes, a change of premises, an accident or near miss, or new information about a hazard. The HSE recommends reviewing risk assessments at least annually, but more frequent reviews may be necessary in higher-risk environments.
Types of Risk Assessment
There are several types of risk assessment that UK employers may need to carry out, depending on their activities and the hazards present in their workplace.
Generic Risk Assessments
A generic risk assessment covers common hazards and activities that apply to a broad range of workplaces, such as office work, use of display screen equipment or general housekeeping. Generic assessments provide a starting point but should always be adapted to reflect the specific circumstances of the workplace.
COSHH Assessments
Where employees are exposed to hazardous substances, a specific assessment is required under the Control of Substances Hazardous to Health Regulations 2002 (COSHH). This assessment must identify the substances used, the risks they pose, the control measures in place (such as ventilation, PPE or substitution) and the health surveillance required. COSHH assessments must be reviewed regularly and whenever there is a change in the substances used or the processes involved.
Manual Handling Assessments
The Manual Handling Operations Regulations 1992 require employers to avoid hazardous manual handling operations so far as is reasonably practicable. Where manual handling cannot be avoided, a specific assessment must be carried out considering the task, the individual, the load and the environment. The assessment should identify measures to reduce the risk of musculoskeletal injury.
Display Screen Equipment (DSE) Assessments
Under the Health and Safety (Display Screen Equipment) Regulations 1992, employers must assess the workstations of habitual DSE users. The assessment covers the screen, keyboard, desk, chair, lighting, noise and software. Employers must also provide information and training, offer eye tests and, where necessary, provide corrective appliances for DSE work.
Lone Worker Risk Assessments
Where employees work alone, whether in isolated locations, during out-of-hours periods or in client-facing roles, a specific assessment must consider the risks arising from lone working. These risks may include violence, medical emergencies, lack of supervision and inability to summon help.
Fire Risk Assessments
Under the Regulatory Reform (Fire Safety) Order 2005, the responsible person (usually the employer or building manager) must carry out a fire risk assessment. This is a separate legal requirement from the general risk assessment and must address fire hazards, the people at risk, existing fire safety measures, emergency routes and procedures, and the adequacy of fire detection and warning systems.
Dynamic Risk Assessments
Dynamic risk assessments are carried out in real time by individuals when they encounter a situation that was not anticipated in a formal assessment. They are commonly used in emergency services, healthcare, social work and lone working situations. Whilst not a substitute for formal assessments, they are an important skill that should be developed through training.
What Makes a Risk Assessment Legally Sufficient
A risk assessment does not need to be perfect, but it must be “suitable and sufficient” as required by Regulation 3 of the Management of Health and Safety at Work Regulations 1999. The HSE and the courts have established that a suitable and sufficient assessment must:
- Identify the significant hazards arising from the work activity
- Consider who might be harmed, including employees, visitors and vulnerable groups
- Evaluate the risks and determine whether existing control measures are adequate
- Be proportionate to the level of risk (a low-risk office needs less detail than a construction site)
- Be carried out by a competent person (someone with sufficient knowledge, training and experience)
- Be recorded where there are five or more employees
- Be reviewed and kept up to date
An assessment that is vague, generic without adaptation to the specific workplace, out of date or that fails to consider obvious hazards will not meet the legal standard.
Common Mistakes Leading to HSE Enforcement
The HSE regularly identifies common failings in workplace risk assessments during inspections and investigations. These include:
- Not carrying out a risk assessment at all: Some employers believe that risk assessments are only required in high-risk industries. In fact, they are required in every workplace.
- Using a generic template without adaptation: Downloading a template from the internet and not tailoring it to the specific workplace is a frequent failing.
- Failing to involve employees: Employees often have the best knowledge of hazards in their work area. Failing to consult them can result in hazards being overlooked.
- Not recording findings: Employers with five or more employees who fail to record their assessment findings are in breach of the Regulations.
- Not reviewing after incidents or changes: A risk assessment that is not updated after an accident, a near miss or a change in working practices is no longer suitable and sufficient.
- Ignoring psychosocial hazards: Stress, bullying and excessive workload are recognised hazards under the Management Regulations and must be assessed.
- Failing to implement control measures: Identifying a hazard but taking no action to control it defeats the purpose of the assessment and exposes the employer to enforcement action.
HSE enforcement can range from informal advice and improvement notices to prohibition notices and criminal prosecution. In serious cases, individual directors and managers can be held personally liable.
Risk Assessment Template Structure
A practical risk assessment document should include the following elements:
- Title and reference number
- Name and role of the assessor
- Date of assessment and scheduled review date
- Description of the activity, area or process being assessed
- A table or list of identified hazards
- For each hazard: who might be harmed and how, existing control measures, risk rating (before and after controls), any further actions required, the person responsible and the target date
- Sign-off by the assessor and a senior manager
- Record of reviews and updates
This structure ensures that the assessment is systematic, proportionate and auditable. For organisations that need help developing risk assessment templates or integrating them into their health and safety policies, Policy Pros can assist.
How Policy Pros Can Help
At Policy Pros, we support UK organisations with all aspects of health and safety documentation, including risk assessment policies, templates and procedures. Whether you need a comprehensive health and safety policy suite or a standalone risk assessment procedure, our policy and procedure writing services are tailored to your sector and the specific risks your business faces. All our documents are written in clear, accessible language and are fully referenced against current UK legislation. Contact us to discuss your requirements.