ChatGPT is a general-purpose language model trained on internet text. It can produce coherent, professional-sounding paragraphs on almost any topic — including risk assessments. But producing text that sounds plausible is not the same as producing a document that meets UK legal requirements under the Management of Health and Safety at Work Regulations 1999. A risk assessment that fails to be suitable and sufficient is not just poor practice — it exposes you to enforcement action, unlimited fines, and civil claims if someone is injured.
ChatGPT Has No Knowledge of Current UK Health and Safety Law
ChatGPT's training data has a knowledge cutoff. The free version (GPT-3.5) has a cutoff of September 2021. Even the paid version (GPT-4) is trained on data only up to April 2023 for the base model, with limited ability to access current web content. UK health and safety law changes frequently. New regulations, updated HSE guidance, revised occupational exposure limits, court judgments, and enforcement policy changes occur every year.
For example, the Construction (Design and Management) Regulations 2015 replaced CDM 2007. The General Data Protection Regulation (GDPR) came into force in 2018 and affects risk assessments where personal data is processed. The Personal Protective Equipment (Enforcement) Regulations 2018 made significant changes to the legal framework for PPE. HSE's enforcement policy statement was updated in 2022. ChatGPT trained on 2021 data will confidently cite outdated or superseded regulations and may miss entirely new legal duties introduced after its cutoff.
More fundamentally, ChatGPT does not understand the hierarchy of legislation in UK health and safety. It cannot reliably distinguish between primary legislation (Acts of Parliament), secondary legislation (Statutory Instruments), Approved Codes of Practice (which have quasi-legal status under Section 17 of the Health and Safety at Work Act 1974), and HSE guidance (which is persuasive but not mandatory). A risk assessment that misapplies or misunderstands these distinctions will not meet the suitable and sufficient standard under MHSWR 1999 Regulation 3(1).
ChatGPT Cannot Capture Site-Specific Hazards Without Detailed Context
A legally compliant risk assessment must be specific to the actual work being done in the actual workplace where it will be used. Under MHSWR 1999, the assessment must identify the risks to which employees are exposed whilst at work. A generic risk assessment — one that could apply to any similar workplace without modification — is unlikely to be suitable and sufficient.
ChatGPT can only work with the information you give it. If you type "write me a risk assessment for working at height," it will produce a generic document covering common hazards: falls from ladders, falls through fragile roofs, dropped objects, adverse weather. It will not know whether your specific task involves a mobile elevating work platform or a fixed scaffold, whether the work is indoors or outdoors, whether there are overhead power lines nearby, what the ground conditions are, or whether the workers are trained and competent. All of these factors change the risk profile and the control measures required under the Work at Height Regulations 2005.
Anyrisks addresses this by asking seven targeted questions before generating a risk assessment: What is the activity? Where will it take place? Who will carry it out? What equipment or substances are involved? What is the duration? Who else might be affected? Are there any specific hazards you are already aware of? This structured intake ensures that the generated assessment reflects the actual conditions of the task, not a one-size-fits-all template.
ChatGPT Produces Unstructured Text, Not HSE-Compliant Documents
Risk assessments in the UK follow a recognisable structure. HSE guidance and common practice expect to see: a clear description of the task or activity, identification of who is at risk, a list of hazards with their associated risks, an evaluation of likelihood and severity, existing control measures, a risk rating (before and after controls), any additional actions required, the person responsible for each action, and a review date. Most assessments are presented in a tabular format with columns for each of these elements.
ChatGPT produces prose. If you ask it for a risk assessment, you will receive paragraphs of text describing hazards and controls. You will then need to manually convert that text into a structured table, assign risk ratings, identify responsible persons, and add review dates. This is time-consuming and introduces the risk of transcription errors or omissions.
Professional risk assessment tools — including Anyrisks — output documents in the format that HSE inspectors, insurance assessors, and principal contractors expect to see. The risk assessment is delivered as a formatted PDF and an editable Word document, with a professional header, a structured table of hazards and controls, risk ratings calculated using a standard matrix (likelihood × severity), and space for signatures, dates, and review records. This is not cosmetic — it is part of demonstrating that the assessment is suitable and sufficient.
ChatGPT Hallucinates Legal References and Control Measures
ChatGPT is a probabilistic text generator. It predicts the next most likely word based on patterns in its training data. It does not have a database of true facts that it retrieves. When asked for specific information — such as a regulation number, a legal standard, or a technical specification — it will produce text that looks plausible but may be entirely fabricated. This phenomenon is known as hallucination.
For example, if you prompt ChatGPT to "cite the regulation that requires risk assessments for electrical work," it might confidently state "Regulation 4(2) of the Electricity at Work Regulations 1989 requires all electrical work to be risk assessed before commencement." In fact, the Electricity at Work Regulations 1989 do not contain a standalone risk assessment requirement in Regulation 4(2) — the duty to risk assess electrical work arises from the general duty under MHSWR 1999 Regulation 3(1). The Electricity at Work Regulations impose duties to ensure systems are constructed, maintained and worked safely, but they do not use the phrase "risk assessment" in the way ChatGPT has implied. An HSE inspector reading this would immediately identify it as incorrect.
Similarly, ChatGPT may suggest control measures that sound reasonable but are not appropriate to the specific hazard or do not follow the hierarchy of controls under MHSWR 1999 Schedule 1. For instance, it might recommend PPE as the primary control for a chemical exposure hazard without first considering elimination, substitution, or local exhaust ventilation. This violates the legal hierarchy and would be challenged in an enforcement context.
Anyrisks is purpose-built for UK health and safety. It has been trained on actual UK regulations, HSE guidance documents, Approved Codes of Practice, and real risk assessments used by UK businesses. When it cites a regulation, the citation is accurate. When it suggests a control measure, it applies the hierarchy of controls in the legally mandated order. Every generated assessment undergoes automated quality checks to flag missing elements, ambiguous language, and control measures that do not match the identified hazard.
ChatGPT Has No Quality Assurance Layer
When you use ChatGPT, the output you receive is the raw model output. There is no secondary review, no validation against known standards, no check that the document is internally consistent or that it meets the regulatory framework it claims to address. If ChatGPT produces a risk assessment that omits a significant hazard, contradicts itself, or suggests an unsafe control measure, you will only discover this if you read the document critically and have the competence to identify the flaw.
Under MHSWR 1999 Regulation 7, every employer must appoint one or more competent persons to assist in complying with health and safety duties. A competent person is someone with sufficient training, experience, knowledge and other qualities to enable them to properly assist. The legal duty to ensure a risk assessment is suitable and sufficient cannot be delegated to an AI tool — the employer remains accountable. But the quality of the tool matters. A tool that routinely produces incorrect, incomplete or misleading assessments increases the burden on the competent person and increases the risk of non-compliance.
Anyrisks incorporates automated quality assurance checks before an assessment is delivered. The system checks that each identified hazard has at least one corresponding control measure, that the risk rating is consistent with the described likelihood and severity, that vulnerable groups mentioned in the "who is at risk" section are addressed in the controls, and that the hierarchy of controls is applied. If the system detects a potential issue — such as reliance on PPE without justification — it flags this for user review. This does not replace the legal duty of a competent person to review the assessment, but it provides a safeguard that generic AI tools do not offer.
ChatGPT Cannot Produce Signed, Dated, Editable Documents
Under MHSWR 1999 Regulation 3(6), the significant findings of a risk assessment must be recorded. While there is no prescribed format, best practice and HSE guidance indicate that the record should include: the name of the person who carried out the assessment, the date it was completed, the date it is due for review, and (where relevant) the signature of a responsible manager confirming the assessment has been reviewed and approved for use.
ChatGPT outputs text in a chat window. You can copy and paste it into Word, but you must then add a header, a footer, a signature block, a review schedule, and page numbers. If the assessment runs to multiple pages, you must ensure continuity. If you need to share it with a contractor, upload it to a client portal, or present it to an HSE inspector, you need to convert it into a professional document format.
Anyrisks delivers every risk assessment as a print-ready PDF and a fully editable Word document. The PDF includes a professional header with your company name (entered at the start of the process), the date of generation, a unique reference number, and space for a reviewer signature and date. The Word document is formatted with styles and tables that can be edited to reflect any last-minute changes before the assessment is issued. Both formats are suitable for immediate use, saving 30–45 minutes of manual formatting work per assessment.
What a Legally Compliant Risk Assessment Actually Requires
To meet the suitable and sufficient standard under MHSWR 1999 Regulation 3(1), a risk assessment must demonstrate that the employer has systematically considered the hazards arising from the work, identified who could be harmed, evaluated the level of risk, and determined what measures are necessary to eliminate or adequately control that risk. The assessment must be specific to the work activity and workplace in question, not a generic document copied from the internet or generated by a tool that has no knowledge of the actual conditions.
The assessment must cite the correct legal framework. If the work involves substances hazardous to health, the assessment must reference COSHH and include the specific requirements of Regulation 6 (assessment of health risks), Regulation 7 (prevention or control of exposure), and Regulation 12 (information, instruction and training). If the work involves noise exposure, it must reference the Control of Noise at Work Regulations 2005 and the exposure action values and limit values set out in Regulation 4. Simply stating "the employer must comply with health and safety law" is not sufficient.
The assessment must apply the hierarchy of controls in the order required by MHSWR 1999 Schedule 1. Before relying on PPE, the employer must demonstrate that elimination, substitution, engineering controls and administrative controls have been considered and are either in place or not reasonably practicable. An assessment that lists "provide gloves" as the sole control measure for a chemical hazard, without any mention of whether a less hazardous substance could be used or whether local exhaust ventilation is practicable, will not withstand scrutiny.
The assessment must be recorded in a format that can be shared, reviewed, and updated. A risk assessment scribbled in a notebook or stored only in someone's memory does not meet the recording requirement under Regulation 3(6). A risk assessment generated by ChatGPT and left in a chat history without being saved, printed or shared is equally non-compliant.
How Anyrisks Addresses Every Limitation of ChatGPT
Anyrisks is a purpose-built UK risk assessment generator. It has been trained exclusively on UK health and safety regulations, HSE guidance, Approved Codes of Practice, and sector-specific legal requirements. Every regulation cited in an Anyrisks assessment is accurate and current. Every control measure is drawn from the hierarchy of controls and matched to the specific hazard described. The system does not hallucinate legal references or invent safety standards.
Anyrisks captures site-specific context through a seven-question intake process. Before generating an assessment, the system asks: What is the activity or task? Where will it take place (e.g. construction site, office, public highway)? Who will carry out the work (employees, contractors, volunteers)? What equipment, tools or substances are involved? How long will the activity last? Who else might be affected (visitors, members of the public, vulnerable groups)? Are there any known hazards or previous incidents? This structured intake ensures the generated assessment reflects the actual work being assessed, not a generic template.
Anyrisks outputs professional documents in HSE-recognised format. Every assessment is delivered as a formatted PDF and an editable Word document. The documents include a risk matrix table with columns for hazard, who is at risk, existing controls, risk rating (before and after), additional actions required, responsible person, and review date. The risk rating uses a standard 5×5 matrix (likelihood × severity) and follows the colour-coding convention used across UK industry (green = low, amber = medium, red = high). Signature blocks, review schedules and page numbering are included automatically.
Anyrisks incorporates quality assurance checks before delivery. The system verifies that each hazard has at least one control measure, that vulnerable groups mentioned in the "who is at risk" section are addressed in the controls, that the hierarchy of controls is followed, and that the risk rating is consistent with the described scenario. If a potential issue is detected, the system flags it for user review before the document is generated. This provides a safeguard that generic AI tools cannot offer.
The entire process takes under two minutes and costs £29. You receive both a PDF and a Word document by email immediately. The Word document can be edited to add company-specific branding, site-specific details, or signatures before it is issued. The assessment is yours to keep, use and update as required. If you are not satisfied, Anyrisks offers a full refund within 24 hours — no questions asked.
When ChatGPT Might Still Be Useful (With Caveats)
ChatGPT is not inherently useless for health and safety work. It can be a helpful tool for drafting method statements, summarising HSE guidance, brainstorming potential hazards in an unfamiliar task, or generating training material. But it must be used as a starting point, not a finished product, and every output must be critically reviewed by a competent person who has detailed knowledge of UK health and safety law and the specific workplace in question.
If you choose to use ChatGPT to draft a risk assessment, you must fact-check every regulation cited, verify that the control measures are appropriate and follow the hierarchy of controls, check that the assessment is specific to your workplace and not generic boilerplate, and format the output into a structured document with risk ratings, responsible persons and review dates. In practice, this process takes longer than using a purpose-built tool and introduces more risk of error. The time saved in drafting is lost in validation and formatting.
The Legal Duty Remains With the Employer
Under HSWA 1974 Section 2 and MHSWR 1999 Regulation 3, the legal duty to assess and manage risks rests with the employer. This duty cannot be delegated to a consultant, a software tool, or an AI system. The employer (or a competent person appointed under Regulation 7) must review the risk assessment, confirm it is suitable and sufficient for the work in question, and authorise its use. If an incident occurs and the risk assessment is found to be inadequate, the employer is liable — regardless of whether the assessment was generated by ChatGPT, Anyrisks, or written manually.
The role of a risk assessment tool is to reduce the time and effort required to produce a compliant document and to reduce the risk of errors, omissions and regulatory mistakes. A good tool provides structure, accuracy, and professional formatting. It does not replace competence — but it supports the competent person in discharging their legal duties efficiently and correctly. ChatGPT, as a general-purpose language model, cannot fulfil this role without significant additional work by the user. Anyrisks is designed specifically to do so.
