Anyrisks risk assessment creator

Home › Legal Requirements

Risk Assessment Legal Requirements in the UK

The complete legal framework: which laws apply, what they require, what ‘suitable and sufficient’ means in practice, and what the HSE can do if you do not comply.

Generate a compliant risk assessment

The primary legislation: Health and Safety at Work Act 1974

The Health and Safety at Work Act 1974 (HSWA) is the foundation of UK health and safety law. Section 2(1) places a general duty on employers to ensure, so far as is reasonably practicable, the health, safety and welfare of their employees. Section 3 extends that duty to persons not in their employment — contractors, visitors, members of the public — who may be affected by the business’s activities.

The HSWA does not specifically require a written risk assessment, but the duty to ensure safety is impossible to meet without systematically identifying what risks exist. The explicit risk assessment duty comes from the regulations made under it.

The specific duty: Management of Health and Safety at Work Regulations 1999

Regulation 3(1) of the Management of Health and Safety at Work Regulations 1999 (MHSWR 1999) is the provision that directly imposes the risk assessment obligation. It requires every employer to make a ‘suitable and sufficient’ assessment of:

  • the risks to the health and safety of employees to which they are exposed whilst at work; and
  • the risks to the health and safety of persons not in employment arising out of or in connection with the conduct of the undertaking.

Regulation 3(2) imposes the same obligation on self-employed persons. Regulation 3(6) requires employers with five or more employees to record the significant findings in writing. Regulation 3(3) requires the assessment to be reviewed whenever there is reason to think it is no longer valid, or when there has been a significant change in the work.

What ‘suitable and sufficient’ means in practice

The phrase ‘suitable and sufficient’ is not defined in the Regulations, but HSE guidance and case law have given it substantial content. A suitable and sufficient risk assessment must:

  • Identify the significant risks arising from the work — not every trivial hazard, but not only the obvious ones either.
  • Be specific to the actual work being done, in the actual workplace, with the actual workforce. A generic template using identical text for every business in a sector does not meet this standard.
  • Enable the employer to identify and prioritise the measures needed to comply with the relevant statutory provisions.
  • Be proportionate to the nature and complexity of the risks involved.

HSE inspectors regularly reject risk assessments that use boilerplate language (‘slips, trips and falls may occur’) without specifying the surfaces, footwear requirements, or housekeeping regime at the specific premises, or that list PPE as the primary control without demonstrating that higher-order controls were considered first.

Sector-specific regulations

MHSWR 1999 sets the baseline. On top of it, sector-specific regulations impose additional risk assessment duties:

  • COSHH Regulations 2002 — require a specific assessment before work with substances hazardous to health. A general risk assessment is not sufficient; COSHH requires its own assessment covering the substance, the route of exposure, the likely effects, and the control measures.
  • Manual Handling Operations Regulations 1992 — require an assessment of any manual handling task that presents a risk of injury. Employers must avoid such tasks where reasonably practicable, and where unavoidable, must reduce the risk to the lowest level reasonably practicable.
  • Work at Height Regulations 2005 — require all work at height to be properly planned, appropriately supervised, and carried out safely. Specific risk assessments are required before any work at height begins.
  • Regulatory Reform (Fire Safety) Order 2005 — requires a fire risk assessment for all non-domestic premises. The responsible person must identify fire hazards, identify people at risk, evaluate and act on the risks, and review the assessment regularly.
  • Construction (Design and Management) Regulations 2015 — require construction projects to have a pre-construction information pack and, for notifiable projects, a principal designer and principal contractor managing health and safety throughout the project lifecycle.
  • Display Screen Equipment Regulations 1992 — require employers to assess workstations used by employees who habitually use display screen equipment as a significant part of their work.

The competent person requirement

Regulation 7 of MHSWR 1999 requires every employer to appoint one or more competent persons to assist them in undertaking the measures necessary to comply with health and safety obligations. A person is competent if they have sufficient training, experience, and knowledge to assist properly. For most small businesses, this is typically the owner or a senior employee with appropriate health and safety training.

The competent person does not need to be a qualified health and safety professional — but they do need to understand the work well enough to identify real hazards and assess genuine risks. This is also the person who should review any AI-generated risk assessment before it is put into use.

HSE enforcement powers

The HSE and local authorities enforce the HSWA and the Regulations made under it. Inspectors can enter premises without notice, inspect documents, take samples, interview employees, and require immediate remedial action. The range of enforcement responses includes: informal advice; improvement notices (requiring a breach to be remedied within a fixed period, minimum 21 days); prohibition notices (stopping an activity immediately); and prosecution under Section 33 of the HSWA.

For prosecuted cases, fines are calculated based on the organisation’s annual turnover, culpability level, and seriousness of harm risked. In 2023/24, the HSE secured 628 convictions. The average fine was £148,000. The largest single fine that year exceeded £2 million. Individual defendants can receive unlimited fines and up to two years’ imprisonment. Directors and senior managers can be held personally liable.

Common compliance failures

HSE inspection data consistently identifies the same recurring failures: risk assessments that are generic and could apply to any business, not the specific one; that identify hazards but do not assess the actual level of risk; that list control measures not genuinely in place; that have not been reviewed after a significant change; or that were produced by someone without sufficient knowledge of the actual activity. A document that names the right regulations but does not reflect reality on the ground is not compliant.

Further reading

For a complete explanation of the 5-step risk assessment process and the hierarchy of controls, see the ultimate guide to risk assessment. For a practical guide to producing a compliant assessment quickly, see how to use AI for instant risk assessment.

Frequently Asked Questions

Give Anyrisks a go today.

You'll be delighted with your Risk Assessment, or your money back

Let's go

Need lots of Risk Assessments regularly?

Check out our Annual Plan

Save your staff countless hours by turbo-charging the risk assessment process. Let them focus on what matters - creating a safer, more productive workplace.

Contact

Got questions? Need help?
Email us any time, just pop your details in the form on the right hand side.

We'd love to hear from you.

People