What is a Risk Assessment?
A risk assessment is a systematic process of identifying hazards in a workplace or activity, evaluating the likelihood and severity of harm they could cause, and putting in place measures to eliminate or reduce that risk. In the UK, risk assessments are not optional: they are a legal requirement for virtually every employer and self-employed person.
A hazard is anything with the potential to cause harm — a wet floor, a heavy load, a chemical substance, a faulty piece of machinery, or even excessive workplace noise. A risk is the likelihood that the hazard will actually cause harm, combined with the severity of that harm. Risk assessment is the process of understanding and managing that relationship.
Why Risk Assessment is a Legal Requirement in the UK
The Health and Safety at Work Act 1974
The Health and Safety at Work Act 1974 (HSWA) is the primary piece of UK health and safety legislation. Section 2 places a general duty on employers to ensure, so far as is reasonably practicable, the health, safety and welfare of their employees. Section 3 extends that duty to non-employees (contractors, visitors, members of the public) who may be affected by the business’s activities. The HSWA does not specifically mention risk assessments — but the duty to assess risks is implicit in the duty to ensure safety.
The Management of Health and Safety at Work Regulations 1999
The explicit legal duty to carry out risk assessments comes from Regulation 3(1) of the Management of Health and Safety at Work Regulations 1999 (MHSWR 1999). It states: “Every employer shall make a suitable and sufficient assessment of the risks to the health and safety of his employees to which they are exposed whilst at work; and the risks to the health and safety of persons not in his employment arising out of or in connection with the conduct by him of his undertaking.”
Self-employed persons have a parallel duty under Regulation 3(2). Where five or more employees are employed, the significant findings of the risk assessment must be recorded in writing under Regulation 3(6). Good practice is to record all risk assessments regardless of headcount.
Sector-specific regulations
Alongside MHSWR 1999, sector-specific regulations impose additional risk assessment duties. The Control of Substances Hazardous to Health Regulations 2002 (COSHH) require a COSHH assessment before using hazardous substances. The Manual Handling Operations Regulations 1992 require an assessment of any manual handling task that presents a risk. The Work at Height Regulations 2005 require all work at height to be properly assessed before it begins. The Regulatory Reform (Fire Safety) Order 2005 requires a fire risk assessment for all non-domestic premises.
What Does ‘Suitable and Sufficient’ Mean?
The legal standard is that a risk assessment must be ‘suitable and sufficient’ — the phrase used in MHSWR 1999 Regulation 3(1). There is no legal definition of this phrase, but HSE guidance and case law indicate that a suitable and sufficient risk assessment must:
- Identify the significant risks arising from the work — not every trivial hazard
- Enable the employer to identify and prioritise the measures needed to comply with relevant statutory provisions
- Be appropriate to the nature of the work and remain in force for a reasonable period
- Be specific to the actual work being done — not a generic document that could apply to any business
A risk assessment that uses generic, untailored language — such as “slips and trips may occur” without reference to the specific surfaces, footwear, and housekeeping practices in the actual workplace — is unlikely to meet the suitable and sufficient standard.
The 5-Step Risk Assessment Process
Step 1: Identify the Hazards
Walk around the workplace or think through the work activity systematically. Look for physical hazards (uneven surfaces, moving machinery, working at height), chemical hazards (cleaning products, paints, solvents, dust), biological hazards (Legionella, moulds, animal pathogens), ergonomic hazards (repetitive tasks, manual handling, display screen equipment), and psychosocial hazards (lone working, violence, stress). Consult your workers — they often know about hazards that managers miss.
Step 2: Decide Who Might Be Harmed and How
Consider all groups who could be harmed: employees (including part-time, temporary, and young workers), contractors and visitors, members of the public, and vulnerable groups (pregnant workers, those with disabilities, new starters unfamiliar with the workplace). Think about how each group might encounter each hazard and what harm could result.
Step 3: Evaluate the Risks and Decide on Precautions
For each hazard, assess the likelihood of harm occurring and the potential severity. Then apply the hierarchy of controls — the legal framework under MHSWR 1999 Schedule 1 — to determine what action to take (see hierarchy of controls section below).
Step 4: Record the Findings and Implement Them
Under MHSWR 1999 Regulation 3(6), employers with five or more employees must record the significant findings of the risk assessment. Best practice is to record: the hazard identified, who is at risk and how, the risk rating (before and after controls), the control measures in place and planned, the person responsible, and the target date. The record must be kept and made available to enforcement officers on request.
Step 5: Review the Assessment and Update if Necessary
Under MHSWR 1999 Regulation 3(3), employers must review their risk assessment if they have reason to suspect it is no longer valid, or there has been a significant change in the matters to which it relates. Specific triggering events for a review include: a workplace accident or near-miss, a significant change in work processes or equipment, a change in the workforce (new vulnerable groups), new information about a hazard (e.g. a revised COSHH data sheet), or following an HSE enforcement notice. As a minimum, risk assessments should be reviewed annually.
The Hierarchy of Controls
The hierarchy of controls is the legally mandated framework for risk reduction under MHSWR 1999 Schedule 1. Controls must be applied in order of preference — you must demonstrate why higher-order controls are not practicable before relying on lower-order ones.
1. Elimination — remove the hazard entirely. Example: redesign a process so that a hazardous chemical is no longer needed. This is the most effective control because the risk no longer exists.
2. Substitution — replace the hazard with something less dangerous. Example: replace a solvent-based paint with a water-based equivalent. Example in manual handling: replace a heavy component with a lighter material.
3. Engineering controls — physical changes to the workplace or equipment that reduce exposure. Example: install machine guarding, local exhaust ventilation for dust, edge protection on a roof. Engineering controls work regardless of human behaviour.
4. Administrative controls — changes to how work is organised or carried out. Example: job rotation to reduce repetitive strain exposure, permit-to-work systems, training, safe systems of work. Relies on people following procedures consistently.
5. Personal Protective Equipment (PPE) — the last resort. PPE (gloves, hard hats, hearing protection, respirators) only protects the individual wearing it, only when worn correctly, and only when it fits properly. Under the Personal Protective Equipment at Work Regulations 1992, PPE must be provided free of charge and must be appropriate for the risk.
A common mistake is to rely on PPE as the primary control when engineering or administrative controls are practicable. HSE inspectors will challenge this approach.
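As an added illustration of Steps 3 to 5 and the hierarchy above (example code written for this page, not from Anyrisks, HSE or any real register tool), a small Python risk-register record with checks for the three points the text stresses: higher-order controls must be applied or justified as not practicable before lower ones are relied on, PPE must not be the only control, and the assessment must be reviewed on a trigger event or at least annually. The 1 to 5 likelihood and severity scale, the 5x5 rating bands, and the kitchen record's scores and dates are assumptions, not values from the page.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Hierarchy of controls in order of preference, as listed above.
HIERARCHY = ("elimination", "substitution", "engineering", "administrative", "ppe")

@dataclass
class RiskRecord:
    """One risk-register line with the fields Step 4 says to record."""
    hazard: str
    who_at_risk: str
    likelihood: int                  # assumed scale: 1 (remote) .. 5 (almost certain)
    severity: int                    # assumed scale: 1 (minor) .. 5 (fatal)
    controls: dict                   # hierarchy level -> measures in place or planned
    residual: tuple                  # (likelihood, severity) after controls
    responsible: str
    target_date: date
    assessed_on: date
    not_practicable: dict = field(default_factory=dict)  # level -> why it was ruled out
    triggers: list = field(default_factory=list)         # e.g. "near-miss", "new equipment"

def rating(likelihood, severity):
    """Assumed 5x5 matrix: product banded as low (<6), medium (6-12) or high (>=15)."""
    score = likelihood * severity
    return score, "high" if score >= 15 else "medium" if score >= 6 else "low"

def hierarchy_findings(rec):
    """Ways the hierarchy was misapplied; an empty list means acceptable."""
    used = [lvl for lvl in HIERARCHY if rec.controls.get(lvl)]
    if not used:
        return ["no control measures recorded"]
    findings = ["PPE is the only control"] if used == ["ppe"] else []
    # Every level above the lowest one relied on must be applied or ruled out with a reason.
    for lvl in HIERARCHY[:HIERARCHY.index(used[-1])]:
        if not rec.controls.get(lvl) and lvl not in rec.not_practicable:
            findings.append(f"{lvl}: not applied and not justified as impracticable")
    return findings

def review_due(rec, today):
    """Regulation 3(3) trigger events first, then the annual minimum recommended above."""
    if rec.triggers:
        return "triggered: " + ", ".join(rec.triggers)
    return "annual review overdue" if today - rec.assessed_on > timedelta(days=365) else None

# Constructed record for the restaurant kitchen example; scores and dates are assumptions.
FRYER = RiskRecord("hot oil and fat splatter from deep fryers", "kitchen staff", 3, 4,
                   {"engineering": ["fryer guards", "splash shields", "thermostatic controls"],
                    "administrative": ["training on safe filling and draining"],
                    "ppe": ["heat-resistant gloves", "closed footwear"]},
                   (2, 3), "head chef", date(2024, 6, 30), date(2024, 3, 1))
```

Run against the kitchen record as written, `hierarchy_findings` reports that elimination and substitution were neither applied nor ruled out with a reason, which is exactly the gap an inspector would raise; adding entries to `not_practicable` clears it.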
Risk Assessment Worked Examples by Industry
Construction (Groundworks)
Hazard: excavation near underground services.
Who at risk: groundworkers, visiting engineers.
Hierarchy applied: (3) Engineering — CAT and Genny survey before digging, safe digging zone marked; (4) Administrative — permit-to-dig issued, emergency isolation contacts on site, HSG47 procedures followed; (5) PPE — high-vis, safety footwear, hard hat.
Regulation: CDM 2015, Construction (Health, Safety and Welfare) Regulations 1996 Regulation 12.
Hospitality (Restaurant Kitchen)
Hazard: hot oil and fat splatter from deep fryers.
Who at risk: kitchen staff.
Hierarchy applied: (3) Engineering — fryer guards, splash shields, thermostatic controls to prevent overheating; (4) Administrative — training on safe filling and draining, no unsupervised operation by new starters; (5) PPE — heat-resistant gloves, closed footwear, chef’s whites.
Regulation: MHSWR 1999, COSHH (cleaning chemicals used to clean fryers).
Education (Nursery Outdoor Play)
Hazard: trip hazard on uneven outdoor surface.
Who at risk: children aged 2–4, especially those with developmental delays.
Hierarchy applied: (1) Elimination — repair obvious trip hazards; (3) Engineering — impact-absorbing surface under climbing equipment; (4) Administrative — daily outdoor inspection record, supervision ratio 1:4 for under-3s, incident reporting; (5) PPE — appropriate outdoor footwear.
Regulation: EYFS Statutory Framework 2024 welfare requirement 3.64, HSWA 1974.
Legal Penalties for Non-Compliance
Failing to carry out a suitable and sufficient risk assessment — or failing to implement its findings — is a criminal offence in the UK. The Health and Safety (Offences) Act 2008 and subsequent sentencing guidelines significantly increased the penalties for health and safety failings.
For individuals, a conviction under HSWA Section 33 can result in an unlimited fine and up to two years’ imprisonment. For organisations, fines are calculated against annual turnover: very large organisations (turnover £50m+) can receive fines of £10 million or more for a single serious offence. According to HSE statistics for 2023/24, 14,502 cases of enforcement were recorded and 628 convictions were secured. The average fine per conviction was £148,000.
Beyond criminal penalties, an employer who fails to carry out or implement a risk assessment may face: civil claims from injured workers (employers’ liability insurance will typically not cover deliberate or reckless failures), improvement notices requiring remedial action within a fixed period, and prohibition notices stopping work immediately on the most dangerous activities.
When Must a Risk Assessment Be Reviewed?
Under MHSWR 1999 Regulation 3(3), a risk assessment must be reviewed whenever the employer has reason to suspect it is no longer valid, or there has been a significant change in the matters to which it relates. Specific events that trigger a mandatory review include a workplace accident or dangerous occurrence, a significant change in work processes, equipment or substances, a change in the workforce that affects the risk profile (new young workers, pregnant workers), an HSE improvement or prohibition notice relating to the activity, or new scientific evidence about a hazard (for example, a revised occupational exposure limit for a substance).
Common Risk Assessment Mistakes
- Generic language — “slips, trips and falls may occur” without specifying what surfaces are involved, what footwear is required, and what housekeeping regime is in place. Inspectors dismiss these immediately.
- Relying on PPE as the primary control — before demonstrating why elimination, substitution or engineering controls are not reasonably practicable.
- Not involving workers — risk assessments conducted in isolation, without consulting the people who actually do the work, routinely miss hazards.
- Set and forget — a risk assessment dated five years ago for a workplace that has changed substantially is likely to be inadequate. Risk assessments are living documents.
- Identical assessments across different sites — copying and pasting a risk assessment from one location to another without reviewing it for site-specific hazards.
How AI is Changing Risk Assessment in the UK
AI-powered tools like Anyrisks are significantly changing how UK businesses approach risk assessment. Rather than starting from a blank form or a generic template, businesses describe their specific activity — the location, the task, the people involved, and any particular hazards they’re aware of — and receive a fully written, regulation-referenced risk assessment in under 2 minutes.
The key advantage is specificity. A well-configured AI system can generate an assessment that names the specific regulations applicable to the industry, identifies the hazards unique to the described activity, and applies the hierarchy of controls in the correct order. This is materially different from a generic template that a business fills in with minimal thought.
AI-generated assessments still require review by a competent person before use. The person responsible for health and safety must read the assessment, confirm it reflects the actual workplace conditions, and implement the control measures it identifies. The legal duty cannot be outsourced — but the time required to produce a compliant, well-written risk assessment document can be dramatically reduced.
Further Reading
For specific industries and activity types, see: Construction risk assessments, Fire risk assessments, School and nursery risk assessments, Event risk assessments. For the legal requirements in more detail, see our risk assessment legal requirements guide. For types of risk assessment, see types of risk assessment.
