A health and safety risk assessment is a legal requirement for virtually every UK employer and self-employed person under the Management of Health and Safety at Work Regulations 1999. It is the systematic process of identifying workplace hazards, deciding who might be harmed and how, evaluating the level of risk, and putting in place measures to eliminate or control that risk. Failing to carry out a suitable and sufficient risk assessment is a criminal offence and can result in unlimited fines, imprisonment, and civil liability if someone is injured.
What is a Health and Safety Risk Assessment?
A health and safety risk assessment is a structured examination of what could cause harm to people in your workplace or as a result of your work activities. The assessment identifies hazards — anything with the potential to cause harm, such as machinery, chemicals, manual handling tasks, working at height, electricity, or workplace stress — and evaluates the risk associated with each hazard.
Risk is a combination of the likelihood that harm will occur and the severity of that harm. A hazard might have the potential to cause serious injury, but if the likelihood is extremely low and effective controls are in place, the risk may be acceptable. Conversely, a hazard that might cause relatively minor harm but occurs frequently may require immediate action.
The purpose of a health and safety risk assessment is not to eliminate all risk — that is neither possible nor required by law. The legal standard is to reduce risk so far as is reasonably practicable. This means balancing the level of risk against the time, trouble, cost and physical difficulty of taking measures to avoid or reduce the risk. Where the risk is high, more is expected; where the risk is trivial, little or nothing may be required.
Legal Requirements: Who Must Carry Out a Risk Assessment?
Under Regulation 3(1) of the Management of Health and Safety at Work Regulations 1999 (MHSWR 1999), every employer must make a suitable and sufficient assessment of the risks to the health and safety of employees and anyone else who may be affected by their work activities. This includes contractors, visitors, members of the public, customers, and in some cases neighbours or passers-by.
Self-employed persons have a parallel duty under Regulation 3(2) to assess risks to their own health and safety and to others affected by their work. This is particularly relevant for sole traders working in client premises, freelance contractors, and tradespeople operating under their own name.
There is no minimum size threshold — a sole trader with no employees still has a legal obligation to carry out a risk assessment. However, under Regulation 3(6), only employers with five or more employees are required to record the significant findings of the assessment in writing. Despite this, it is considered best practice to record all risk assessments regardless of the number of employees, as a written record provides evidence of compliance and helps communicate the findings to workers.
The legal duty applies across all sectors: offices, shops, factories, construction sites, care homes, schools, gyms, hospitality venues, and any other workplace. It applies whether you own the premises, rent them, or work temporarily in someone else's building. It applies to permanent staff, temporary workers, and agency workers. If you have control over the work activity, you have a duty to assess the risks.
The 5-Step Risk Assessment Process
The Health and Safety Executive (HSE) promotes a standardised 5-step approach to risk assessment. This framework is widely accepted across UK industry and forms the basis of most risk assessment templates and training courses.
Step 1: Identify the Hazards
Walk around your workplace and look for anything that could reasonably be expected to cause harm. Consider physical hazards such as trailing cables, unguarded machinery, working at height, slippery floors, and sharp objects. Consider chemical hazards including cleaning products, solvents, paints, adhesives, and dusts. Biological hazards may include bacteria, viruses, moulds, and animal waste. Ergonomic hazards cover repetitive tasks, poor posture, manual handling, and poorly designed workstations. Psychosocial hazards include lone working, violence and aggression, excessive workload, and workplace bullying.
Do not limit yourself to obvious hazards. Consult your workers — they are often aware of hazards that management may overlook. Review your accident and near-miss records: patterns in these records often point to underlying hazards that need to be controlled. Check the manufacturer's instructions for equipment and machinery, and review safety data sheets for any substances you use.
Step 2: Decide Who Might Be Harmed and How
For each hazard identified, consider all the groups of people who could be exposed. This includes your own employees, but also contractors, agency workers, visitors, clients, customers, cleaners, security staff, delivery drivers, and members of the public. Pay particular attention to vulnerable groups: young workers under 18, new or expectant mothers, workers with disabilities, lone workers, and staff who may not speak English as a first language.
Think about how each group might be harmed. A wet floor is a slip hazard for everyone, but the consequences may be more serious for an elderly visitor than a young, fit employee. A noisy workshop may pose a hearing risk to full-time production staff, but less so to office staff who visit occasionally. Tailoring your assessment to the specific groups at risk is a key element of making it suitable and sufficient.
Step 3: Evaluate the Risks and Decide on Precautions
For each hazard, assess the current level of risk by considering both the likelihood of harm occurring and the potential severity. Many organisations use a simple risk matrix: likelihood (rare, unlikely, possible, likely, almost certain) crossed with severity (negligible, minor, moderate, major, catastrophic). This gives a risk rating such as low, medium, high, or very high.
Once you have evaluated the risk, decide what precautions are needed. UK law requires you to apply the hierarchy of controls, a legally mandated framework set out in Schedule 1 of MHSWR 1999. The hierarchy, in order of preference, is: elimination (remove the hazard entirely), substitution (replace with something less dangerous), engineering controls (physical safeguards such as guards, barriers, ventilation), administrative controls (safe systems of work, training, supervision, job rotation), and finally personal protective equipment (PPE) as a last resort.
You must work through this hierarchy and demonstrate why higher-order controls are not reasonably practicable before relying on lower-order ones. For example, you cannot simply issue PPE to workers exposed to a hazardous substance if it is reasonably practicable to replace the substance with a safer alternative or install local exhaust ventilation.
Step 4: Record the Findings and Implement Them
If you employ five or more people, you must record the significant findings of your risk assessment under Regulation 3(6) of MHSWR 1999. The record should include: the hazards identified, who is at risk and how, the risk rating, the control measures already in place, any further action needed to control the risk, the person responsible for implementing further action, and the target completion date.
Recording your findings is not just a bureaucratic exercise — it is evidence that you have thought systematically about the risks in your workplace and have a plan to manage them. In the event of an accident or an HSE inspection, the written risk assessment is the first document an inspector will ask to see.
Implementation is critical. A risk assessment that identifies a serious hazard but is then filed away without action is worse than useless — it is evidence that you knew about the risk and chose to do nothing. Ensure that the control measures identified in the assessment are put in place, that workers are informed and trained, and that responsibilities are clearly assigned.
Step 5: Review the Assessment and Update if Necessary
Under Regulation 3(3) of MHSWR 1999, you must review your risk assessment whenever you have reason to suspect it is no longer valid, or there has been a significant change in the matters to which it relates. Specific triggers for review include: a workplace accident or near-miss, a change in work processes or equipment, the introduction of new substances or materials, a change in the number or type of workers (such as taking on young workers or pregnant employees), new information about a hazard (such as updated guidance from the HSE), and following an HSE enforcement notice.
Even if none of these triggers occur, it is good practice to review your risk assessments at least annually. Workplaces change over time — new equipment is introduced, layouts are altered, staff turnover occurs — and a risk assessment that was suitable and sufficient two years ago may no longer reflect current conditions.
What Does 'Suitable and Sufficient' Mean?
The legal standard for a health and safety risk assessment is that it must be suitable and sufficient. This phrase appears in Regulation 3(1) of MHSWR 1999 and is central to enforcement action taken by the HSE. There is no statutory definition of suitable and sufficient, but HSE guidance and case law provide clarity.
A suitable and sufficient risk assessment must identify the significant risks arising from the work, be appropriate to the nature of the work, and remain valid for a reasonable period of time. It must enable the employer to identify and prioritise the measures needed to comply with relevant health and safety law. It does not need to be perfect, but it must demonstrate that the employer has given genuine thought to the hazards present and the controls required.
A common failing is the use of generic, template-driven risk assessments that could apply to any business. An assessment that states "slips, trips and falls may occur" without specifying what surfaces are present, what footwear is required, what spillage procedures are in place, or what lighting levels are maintained is unlikely to be considered suitable and sufficient. The assessment must be specific to your workplace and your activities.
Another indicator of an inadequate assessment is a failure to reflect actual working practices. If the risk assessment describes a safe system of work that is not actually followed on the ground — for example, it states that a permit-to-work system is in operation when in fact no such system exists — then the assessment is not suitable and sufficient.
Common Types of Health and Safety Risk Assessment
While the term health and safety risk assessment is generic, in practice assessments are often categorised by the type of hazard or activity being assessed. Some of the most common types in UK workplaces include:
General workplace risk assessment — covers routine hazards in an office, shop, or factory environment such as slips and trips, manual handling, display screen equipment (DSE), electrical safety, and fire. This is the baseline assessment required under MHSWR 1999.
Fire risk assessment — required under the Regulatory Reform (Fire Safety) Order 2005 for all non-domestic premises in England and Wales. It identifies fire hazards and the people at risk, evaluates the adequacy of existing fire precautions, and records any further action needed. See our dedicated fire risk assessment guide for more detail.
COSHH assessment — required under the Control of Substances Hazardous to Health Regulations 2002 (COSHH) before using any substance that could harm health. This includes cleaning chemicals, paints, solvents, adhesives, welding fumes, wood dust, and flour dust. A COSHH assessment must be carried out by a competent person and must be specific to the substance, the task, and the workplace conditions.
Manual handling risk assessment — required under the Manual Handling Operations Regulations 1992 where manual handling tasks present a risk of injury. The assessment must consider the task, the load, the working environment, and the individual capability of the worker. Employers must avoid hazardous manual handling so far as is reasonably practicable, and where it cannot be avoided, they must reduce the risk of injury.
Working at height risk assessment — required under the Work at Height Regulations 2005 before any work is carried out at height. The assessment must consider whether the work can be done safely from ground level, whether collective fall protection (edge protection, guardrails) can be used, and only as a last resort whether fall arrest equipment (harnesses) is needed. Work at height is one of the biggest causes of workplace fatalities in the UK.
DSE assessment — required under the Health and Safety (Display Screen Equipment) Regulations 1992 for employees who use display screen equipment (computers, laptops, tablets) as a significant part of their work. The assessment evaluates the workstation setup, seating, lighting, breaks, and eyesight testing arrangements. Employers must reduce risks identified in the assessment, such as providing adjustable chairs, footrests, or document holders.
Lone working risk assessment — required where employees work alone, such as delivery drivers, security guards, home care workers, or remote site engineers. The assessment must consider how the lone worker will summon help in an emergency, how they will be supervised, and what additional risks they face compared to workers who are not alone. There is no specific lone working legislation, but the duty arises from MHSWR 1999 and HSWA 1974 Section 2.
New and expectant mother risk assessment — required under Regulation 16 of MHSWR 1999 when a worker notifies her employer in writing that she is pregnant, has given birth within the previous six months, or is breastfeeding. The assessment must consider risks such as manual handling, standing or sitting for long periods, exposure to certain chemicals or biological agents, working conditions, and working hours. Where risks are identified that cannot be controlled, the employer must alter working conditions or hours, offer suitable alternative work, or suspend the worker on full pay.
Young person risk assessment — required under Regulation 19 of MHSWR 1999 before a young person (under 18) starts work. The assessment must take into account the young person's immaturity, lack of experience, and lack of awareness of risks. Certain work activities are prohibited for young people, and others require close supervision.
Who Can Carry Out a Health and Safety Risk Assessment?
Under Regulation 7 of MHSWR 1999, every employer must appoint one or more competent persons to assist in undertaking the measures needed to comply with health and safety law, including carrying out risk assessments. A competent person is defined as someone with sufficient training, experience, knowledge and other qualities to enable them to properly assist in the undertaking.
For many small businesses, the employer or a manager may be the competent person, provided they have the necessary knowledge of the work activities and the hazards involved, and have received appropriate training in risk assessment. Numerous training providers offer risk assessment training courses, ranging from half-day awareness sessions to multi-day courses leading to qualifications such as NEBOSH or IOSH certificates.
In larger or higher-risk organisations, competent persons may include dedicated health and safety officers, occupational health professionals, or safety advisers. In some cases, external consultants may be appointed, particularly for specialist assessments such as noise assessments, vibration assessments, or occupational hygiene surveys.
The key point is that competence is judged on a case-by-case basis. A person competent to assess office-based risks may not be competent to assess risks on a construction site or in a chemical plant. If you do not have in-house competence, you must either develop it through training or appoint external assistance.
Industry-Specific Health and Safety Risk Assessment Examples
Construction
Health and safety risk assessment in the construction industry must comply with the Construction (Design and Management) Regulations 2015 (CDM 2015) as well as MHSWR 1999. Common construction hazards include working at height (scaffolding, ladders, roof work), excavations and groundworks, plant and machinery (excavators, telehandlers), manual handling (bricks, blocks, steel), electrical hazards, noise and vibration, dust and hazardous substances (silica, asbestos), and site transport. Every construction project must have a construction phase plan that includes risk assessments for all significant activities. See our construction risk assessments guide for detailed examples.
Healthcare and Social Care
Health and safety risk assessments in healthcare settings must address biological hazards (infection control, sharps injuries, blood-borne viruses), manual handling (patient handling, moving and positioning), violence and aggression (from patients or visitors), lone working (community nurses, home care workers), stress and mental health (shift work, emotional demands), and slip and trip hazards (wet floors, trailing equipment leads). The sector also requires specific assessments under the Health and Safety (Sharp Instruments in Healthcare) Regulations 2013.
Education
Schools, nurseries and universities must carry out risk assessments covering premises safety (fire, asbestos, Legionella, glazing), curriculum activities (science experiments, design and technology, PE and sports, off-site visits), safeguarding and security, transport (minibuses, walking buses), catering and food safety, and staff wellbeing (violence from pupils or parents, workload, lone working). The Early Years Foundation Stage (EYFS) Statutory Framework 2024 requires registered early years providers to carry out risk assessments for all areas and activities. See our school and nursery risk assessments guide.
Hospitality
Hospitality businesses such as restaurants, pubs, hotels and cafes must assess risks including kitchen hazards (hot oil, slips on wet floors, knives and slicers, manual handling of stock), customer-facing risks (violence and aggression, lone working by bar staff), fire safety (cooking appliances, means of escape in sleeping accommodation), food hygiene (covered by separate food safety regulations but overlapping with health and safety), cleaning chemicals (COSHH assessment required), and waste management (glass breakage, heavy bins). Licensing conditions often require a written risk assessment to be available for inspection.
Retail
Retail premises must assess risks such as manual handling (deliveries, stock replenishment, heavy goods), customer and public interaction (violence and aggression, shoplifting, cash handling), working at height (accessing high shelves, changing displays), slips and trips (wet entrances, trailing cables, uneven surfaces), lone working (opening and closing procedures, late-night trading), and fire safety (storage arrangements, means of escape, fire detection). Seasonal peaks such as Christmas or sales periods may introduce additional risks that require assessment.
Legal Penalties and Enforcement
Failing to carry out a suitable and sufficient risk assessment, or failing to implement the findings, is a criminal offence under Section 33 of the Health and Safety at Work Act 1974. The offence can be prosecuted in either the magistrates' court or the Crown Court, with significantly higher penalties available in the Crown Court.
For individuals convicted of a health and safety offence, the maximum penalty in the magistrates' court is an unlimited fine. In the Crown Court, individuals can face an unlimited fine and up to two years' imprisonment for the most serious offences. For organisations, there is no upper limit on fines. Under the 2016 sentencing guidelines for health and safety offences, fines are calculated based on the seriousness of the offence (categorised as negligent, reckless, or deliberate), the level of harm caused or risked, and the organisation's annual turnover.
Very large organisations (turnover £50 million or more) convicted of a serious health and safety failing can expect fines in the millions of pounds. In 2023/24, the Health and Safety Executive secured 628 convictions with an average fine per conviction of £148,000. There were 14,502 enforcement notices issued (improvement notices and prohibition notices combined).
Beyond criminal prosecution, an employer who fails to carry out or implement a risk assessment may face civil liability if an employee or member of the public is injured. Employers' liability insurance is compulsory under the Employers' Liability (Compulsory Insurance) Act 1969, but insurers may refuse to cover claims where there has been a deliberate or reckless breach of health and safety duties.
How to Write a Health and Safety Risk Assessment
A written health and safety risk assessment should include the following elements: the name of the assessor and the date, the area or activity being assessed, the hazards identified, the groups of people at risk, the existing control measures in place, the risk rating (both before and after controls), any further action required to control the risk, the person responsible for implementing further action, the target completion date, and the date for review.
Use plain English throughout. Avoid jargon and overly technical language unless it is necessary and will be understood by the people reading the assessment. Be specific: name the actual pieces of equipment, substances, work areas and job roles involved. Avoid generic statements such as "appropriate PPE will be worn" — specify what PPE is required (for example, "cut-resistant gloves to EN 388 Level 5, safety boots to EN ISO 20345, and clear safety glasses to EN 166").
Reference the specific regulations that apply. For a COSHH assessment, cite the Control of Substances Hazardous to Health Regulations 2002. For work at height, cite the Work at Height Regulations 2005. This demonstrates that you have considered your legal obligations and helps anyone reviewing the assessment (including HSE inspectors) to understand the legal context.
Involve your workers. People who do the job day-to-day are often the best source of information about what hazards exist and what control measures work in practice. Consultation is not just good practice — it is a legal requirement under Regulation 4 of the Safety Representatives and Safety Committees Regulations 1977 (for unionised workplaces) and Regulation 3 of the Health and Safety (Consultation with Employees) Regulations 1996 (for non-unionised workplaces).
Keep the assessment proportionate. A low-risk office environment does not require the same level of detail as a high-risk construction site. HSE guidance makes clear that a suitable and sufficient risk assessment does not need to be perfect — it needs to be appropriate to the nature of the work and the level of risk.
Common Mistakes in Health and Safety Risk Assessments
One of the most common mistakes is the use of generic, boilerplate language that could apply to any workplace. Statements such as "ensure all walkways are kept clear" or "slips and trips may occur" are not sufficient. The assessment must describe the specific walkways in your workplace, what is stored near them, what the floor surface is made of, what cleaning regime is in place, and what the lighting level is.
Another frequent error is over-reliance on personal protective equipment (PPE) as the primary control measure. PPE is the last resort in the hierarchy of controls. Before requiring workers to wear PPE, you must demonstrate that you have considered elimination, substitution, engineering controls, and administrative controls, and that none of these are reasonably practicable. An HSE inspector will challenge any assessment that defaults to PPE without justification.
Failing to review and update assessments is another common mistake. A risk assessment dated five years ago for a workplace that has changed significantly in the interim is not suitable and sufficient. Changes such as new equipment, new staff, a change in work processes, or an accident should all trigger a review.
Not involving workers in the assessment process is both a legal failing (consultation is required) and a practical one. Workers who are not involved in the risk assessment are less likely to understand or follow the control measures it identifies.
Finally, treating risk assessment as a paper exercise rather than a practical tool is a fundamental error. The purpose of a risk assessment is to prevent accidents and ill health, not to produce a document. If the assessment sits in a file and is never referred to, never communicated to workers, and never implemented, it has failed in its purpose.
Using Technology and AI for Health and Safety Risk Assessments
Traditional risk assessment methods involve starting with a blank form or a generic template, filling in sections manually, and producing a document that may or may not reflect the specific hazards of the workplace. This process is time-consuming, requires significant health and safety knowledge, and often results in assessments that are too generic to be useful.
AI-powered tools such as Anyrisks are changing this approach. Users describe their specific work activity — the location, the task, the people involved, any hazards they are aware of — and the system generates a full risk assessment document in under two minutes. The output includes identification of relevant hazards, application of the hierarchy of controls, references to applicable UK regulations, and a structured action plan.
The advantage of AI-generated assessments is specificity. Rather than starting with a generic template that says "manual handling may occur", the system can generate an assessment that states: "Delivery drivers will manually handle parcels weighing up to 15 kg from the vehicle tailgate to customer doorsteps. Risks include back strain, slips on wet paths, and striking limbs on door frames." This level of detail makes the assessment far more useful as a practical tool.
AI-generated risk assessments still require review by a competent person before use. The legal duty to assess risks cannot be outsourced to a machine. However, the time required to produce a well-written, regulation-compliant document can be reduced from hours to minutes, allowing businesses to focus their competence on reviewing and implementing the controls rather than writing the assessment from scratch.
Further Guidance and Resources
The Health and Safety Executive publishes extensive free guidance on risk assessment, including the flagship guidance document INDG163 "Five Steps to Risk Assessment". This is the single most important document for anyone new to risk assessment and is available as a free download from the HSE website.
For specific types of risk assessment, see our guides: Fire risk assessments, Construction risk assessments, School and nursery risk assessments, Event risk assessments. For a detailed breakdown of UK health and safety law, see our risk assessment legal requirements guide. For an overview of different risk assessment methodologies, see our types of risk assessment guide.
