Risk Assessment How-To

How to Write a Risk Assessment: A Step-by-Step UK Guide

Everything you need to know to write a legally compliant UK risk assessment — from identifying hazards to recording your findings and implementing controls.

Let's go
Writing a UK risk assessment illustration

Writing a risk assessment means systematically identifying the hazards present in a workplace or activity, deciding who could be harmed and how, evaluating the level of risk, and putting in place measures to eliminate or reduce that risk. Under UK law, specifically Regulation 3(1) of the Management of Health and Safety at Work Regulations 1999, every employer must carry out a suitable and sufficient risk assessment — and if you employ five or more people, you must record the significant findings in writing.

Before You Start: Who Can Write a Risk Assessment?

There is no legal requirement for a risk assessment to be written by a certified health and safety professional. The law requires that the assessment is carried out by someone who is competent — meaning they have the necessary knowledge, skills, and experience to identify the risks and evaluate appropriate controls. Regulation 7 of MHSWR 1999 defines a competent person as someone with sufficient training and experience or knowledge and other qualities.

In practice, this means that a business owner, manager, or supervisor who knows the work being done and has received basic health and safety training can complete a risk assessment. For higher-risk activities — work at height, confined spaces, work with hazardous substances, construction projects — it is good practice to involve a competent health and safety adviser or to ensure the person completing the assessment has specific training in that area.

Crucially, workers should always be consulted. Regulation 4 of the Safety Representatives and Safety Committees Regulations 1977 and the Health and Safety (Consultation with Employees) Regulations 1996 require employers to consult employees or their representatives on health and safety matters, including risk assessment. Workers doing the job every day often spot hazards that someone writing a risk assessment from an office will miss.

Step 1: Identify the Hazards

A hazard is anything with the potential to cause harm. The first step in writing a risk assessment is to identify all the hazards associated with the work activity or workplace. Walk around the site. Watch the work being done. Ask employees what they think could go wrong. Review accident and near-miss records — these often point directly to uncontrolled hazards.

Hazards can be grouped into categories to help ensure you cover everything:

Be specific. Do not write slips, trips and falls as a single line item. Instead, identify the specific hazards that could cause a slip, trip or fall: worn carpet in reception area, trailing cables in open-plan office, wet floor after mopping in kitchen, uneven paving in car park, poor lighting in stairwell.

Step 2: Decide Who Might Be Harmed and How

For each hazard you have identified, think about who could be harmed and in what way. Different groups of people may be affected differently by the same hazard. Consider:

Describe how each group could be harmed. For example: kitchen staff could suffer burns from hot oil splatter when using the deep fryer; visiting delivery drivers could be struck by a reversing forklift truck in the loading bay; nursery children aged 2–4 could suffer head injury from fall on outdoor play equipment.

Step 3: Evaluate the Risks and Decide on Precautions

Once you have identified the hazards and who might be harmed, you need to evaluate the level of risk and decide what to do about it. Risk is a function of two things: the likelihood that harm will occur, and the severity of the harm if it does occur. A high-severity, low-likelihood event (such as a crane collapse) still represents a significant risk requiring substantial control measures.

Many businesses use a risk matrix to score risks numerically — typically a 3×3 or 5×5 matrix with likelihood on one axis and severity on the other. While these can be helpful, they are not a legal requirement. What matters is that you think through each hazard systematically and apply the hierarchy of controls to reduce the risk.

The Hierarchy of Controls

The hierarchy of controls is set out in Schedule 1 of MHSWR 1999 and represents the legal order in which control measures must be considered. You must demonstrate why higher-order controls are not reasonably practicable before relying on lower-order measures.

For each hazard, work through this hierarchy and record what controls are already in place and what additional controls are needed. For example, if the hazard is a slip risk from a wet floor during mopping, the controls might be: (3) engineering — use a mop and bucket system that minimises water spillage; (4) administrative — display wet floor sign during mopping, mop during quiet periods, cordon off area, train cleaners in safe mopping technique; (5) PPE — slip-resistant footwear for cleaning staff.

Step 4: Record Your Findings

Under Regulation 3(6) of MHSWR 1999, if you employ five or more people, you must record the significant findings of your risk assessment. The significant findings are the hazards identified, the groups at risk, and the control measures in place and planned. There is no legally prescribed format for this record — it can be a paper form, a spreadsheet, a Word document, or an entry in dedicated health and safety software.

Good practice is to record all risk assessments in writing, regardless of the number of employees. A written record provides evidence of compliance in the event of an HSE inspection or a civil claim following an accident. It also ensures the assessment can be reviewed and updated as circumstances change.

Your written risk assessment should include:

Avoid vague, generic language. A risk assessment that states slips, trips and falls may occur; staff must take care is not suitable and sufficient. Instead, write: wet floor in kitchen during and after mopping presents slip risk to kitchen staff and front-of-house staff passing through. Controls: wet floor sign displayed, mopping carried out during quiet periods (3–4pm), kitchen staff wear slip-resistant footwear (provided). Additional action: replace worn non-slip matting at sink area by 15 March 2025 (responsible: kitchen manager).

Step 5: Implement the Control Measures

Writing the risk assessment is not the end of the process. The legal duty is to ensure the health and safety of workers and others, not simply to complete paperwork. Every control measure identified in the risk assessment must be implemented. If the assessment identifies that guardrails are required around an open edge, those guardrails must be installed. If it identifies that training is needed, that training must be delivered.

Assign responsibility for each action to a named person and set a realistic but firm deadline. Track progress and follow up. Some control measures may require capital expenditure and may take time to implement — if so, put interim measures in place to reduce the risk while the permanent solution is being arranged. For example, if the risk assessment identifies that a pedestrian walkway needs to be created in a warehouse but this will take three months to install, interim measures might include reducing forklift speeds, using banksmen when vehicles reverse, and restricting pedestrian access to certain times of day.

Step 6: Review and Update the Assessment

A risk assessment is not a one-time exercise. Regulation 3(3) of MHSWR 1999 requires employers to review their risk assessment if they have reason to suspect it is no longer valid, or if there has been a significant change in the matters to which it relates. Specific triggers for a review include:

Even if none of these triggers occur, it is good practice to review all risk assessments at least annually. Set a review date and add it to a diary or health and safety calendar.

Common Mistakes When Writing a Risk Assessment

HSE inspectors see the same mistakes repeatedly. Avoiding these will significantly improve the quality and legal defensibility of your risk assessments.

Using a generic template without customisation

Downloading a free template from the internet and filling in the blanks with minimal thought produces an assessment that is not specific to your workplace. A suitable and sufficient risk assessment under MHSWR 1999 must relate to the actual work being done, in the actual location, with the actual people involved. If your risk assessment could apply equally to any business in your sector, it is not suitable and sufficient.

Listing hazards without identifying controls

A common mistake is to list every conceivable hazard and then write PPE required or staff must be careful in the controls column. This does not demonstrate that you have thought through the hierarchy of controls or that you have implemented specific, practical measures.

Failing to consult workers

Risk assessments written by someone who does not do the job, without consulting those who do, routinely miss hazards. The law requires consultation with employees under the Safety Representatives and Safety Committees Regulations 1977 and the Health and Safety (Consultation with Employees) Regulations 1996. Workers know where the problems are.

Not recording actions and responsibilities

A risk assessment that identifies additional controls needed but does not record who is responsible for implementing them, and by when, is incomplete. Without accountability, the controls are unlikely to be put in place.

Filing the assessment and forgetting about it

A risk assessment is a living document. If you complete it, file it, and never look at it again, it will quickly become out of date. When an accident happens and the HSE investigates, one of the first questions they ask is: when was your risk assessment last reviewed? An answer of five years ago will not be well received.

What Format Should a Risk Assessment Be In?

There is no legally required format. HSE does not mandate a particular template or software. What matters is that the record is clear, accessible, and contains the information required under Regulation 3(6) of MHSWR 1999: the hazards, the people at risk, and the control measures.

Common formats include:

Whatever format you choose, the assessment must be easy to read, easy to update, and easy to share with employees and enforcement officers.

Do I Need a Different Risk Assessment for Every Activity?

Not necessarily. If several tasks or areas of the workplace share the same hazards and controls, they can be covered by a single assessment. For example, a retail business might have one risk assessment covering manual handling of stock across all store locations, provided the tasks, loads, and controls are similar.

However, if the risk profile differs — for example, one store has a mezzanine requiring work at height and another does not — separate assessments are needed. The key legal test is whether the assessment is suitable and sufficient for the specific work being carried out.

Generic assessments that attempt to cover everything in a single document (whole business risk assessment) are rarely suitable and sufficient. They tend to be too vague to be useful and too broad to reflect the real risks in any one area.

What Happens If You Do Not Have a Risk Assessment?

Failing to carry out a suitable and sufficient risk assessment is a breach of Regulation 3(1) of MHSWR 1999. If the HSE inspects your workplace and finds no risk assessment, or finds an assessment that is clearly inadequate, they can take enforcement action. This may include:

Even if no enforcement action is taken, the absence of a risk assessment can have serious consequences if an accident occurs. If an employee is injured and sues for damages, the employer's failure to carry out and implement a risk assessment is strong evidence of negligence. Employers' liability insurers will scrutinise whether proper risk assessments were in place — and in some cases may refuse to cover claims where the employer has been reckless.

How Long Does It Take to Write a Risk Assessment?

The time required depends on the complexity of the activity and the level of detail needed. A straightforward risk assessment for a low-risk office environment might take 30–60 minutes to complete if you are familiar with the process. A complex assessment for a construction site or a chemical process might take several hours or even days, particularly if it involves consultations with specialists, review of technical data sheets, or site surveys.

For many businesses, the time-consuming part is not the thinking — it is the writing. Describing hazards clearly, writing out control measures in detail, and formatting the document takes significantly longer than the assessment itself. This is where AI-assisted tools can be valuable: by generating a well-written first draft in under two minutes, they allow the competent person to focus on reviewing and adapting the content rather than starting from a blank page.

Can I Use AI to Write My Risk Assessment?

Yes — provided the AI-generated assessment is reviewed and approved by a competent person before it is implemented. The legal duty under Regulation 3 of MHSWR 1999 cannot be delegated to software: a human being who understands the work being done must confirm that the assessment reflects reality and that the identified controls are appropriate and practicable.

AI tools like Anyrisks work by taking a detailed description of the activity — the task, the location, the people involved, known hazards, and any specific concerns — and generating a complete risk assessment document in UK-compliant format. The output includes specific hazards, named groups at risk, control measures organised by the hierarchy of controls, and references to relevant UK legislation.

The advantage is specificity and speed. Rather than working from a generic template that lists every possible hazard whether relevant or not, the AI produces an assessment tailored to the described activity. The competent person then reviews the draft, makes any necessary changes (adding site-specific detail, removing controls that are not practicable, adjusting timescales), and approves it for use.

This approach is legally compliant provided the review is genuine. Simply downloading an AI-generated document and filing it without reading it does not satisfy the legal requirement.

Risk Assessment and Insurance

Most businesses in the UK are required by law to hold employers' liability insurance under the Employers' Liability (Compulsory Insurance) Act 1969. This insurance covers claims from employees who are injured or become ill as a result of their work. Insurers increasingly ask to see evidence of risk assessments when underwriting policies or investigating claims.

If an employee is injured and the business cannot produce a suitable and sufficient risk assessment for the activity that caused the injury, the insurer may argue that the business was in breach of its legal duties and challenge the claim. Some policies explicitly exclude cover for injuries arising from activities where no risk assessment was in place.

Beyond employers' liability insurance, public liability insurers (covering injury to non-employees) and professional indemnity insurers also expect businesses to demonstrate good risk management practices. A well-maintained library of up-to-date risk assessments is evidence of that.

Also see: The Ultimate Guide to Risk Assessment · Do I Need a Risk Assessment? · Risk Assessment Legal Requirements · Risk Assessment Generator

Frequently Asked Questions

Get your risk assessment written in under 2 minutes

Tell us what you do. Get a fully written, legally compliant UK risk assessment — delivered as PDF + editable Word doc. £29, instant download, money-back guarantee.

Let's go