Risk assessment is a legal requirement under the Management of Health and Safety at Work Regulations 1999. Every employer must assess the risks to employees and anyone else who could be affected by their work activities.
In practice, risk assessments range from thorough and useful to superficial and meaningless. The difference comes down to how they're conducted, not the template they're written on.
Step 1: Identify the hazards
A hazard is anything with the potential to cause harm. Walk through the workplace (or the activity, if you're assessing a task) and identify what could go wrong.
The most common mistake at this stage is being too generic. "Slips, trips and falls" is a hazard category, not a hazard. A useful hazard identification looks more like: "Wet floor in the loading bay during wash-down operations between 6am and 7am." Specificity matters because it drives specific controls.
Sources of information: workplace inspections, incident and near-miss reports, manufacturer's safety data sheets, HSE guidance for your industry, and — critically — conversations with the people who actually do the work.
Step 2: Determine who might be harmed and how
For each hazard, identify who is at risk. This includes employees, contractors, visitors, members of the public, and anyone else who could be affected. Consider whether certain groups are at particular risk — new starters, lone workers, young workers, pregnant workers, or people with disabilities.
Be specific about the harm. "Injury" is too vague. "Fracture from fall at height" or "respiratory sensitisation from chemical exposure" tells you what you're actually trying to prevent.
Step 3: Evaluate the risks and decide on controls
For each hazard, assess the likelihood of harm occurring and the severity if it does. Taken together, likelihood and severity give you a risk rating that helps you prioritise.
Then apply controls using the hierarchy of control:
- Elimination — can you remove the hazard entirely?
- Substitution — can you replace the hazard with something less dangerous?
- Engineering controls — can you physically separate people from the hazard?
- Administrative controls — can you change the way work is organised?
- Personal protective equipment — as a last resort, can you protect the individual?
Too many risk assessments jump straight to PPE. The hierarchy exists because the controls at the top are more reliable than those at the bottom. A guard rail doesn't depend on someone remembering to wear a harness.
Step 4: Record your findings
If you employ five or more people, you must record the significant findings of your risk assessment. Even if you employ fewer, recording your assessment is good practice and demonstrates due diligence.
The record should be clear, specific, and proportionate. It's a working document, not a legal treatise. The best risk assessments are ones that the people doing the work can read, understand, and act on.
Step 5: Review and update
A risk assessment is not a one-off exercise. It needs reviewing whenever circumstances change: new equipment, new processes, new substances, after an incident, or when the assessment is simply getting stale.
Set a review schedule and stick to it. Annual reviews are a reasonable minimum for most assessments, with more frequent reviews for higher-risk activities.
Common pitfalls
- Copy-pasting generic assessments from the internet — they don't reflect your actual workplace
- Assessing the risk after controls are in place without recording what those controls are
- Writing assessments that nobody reads — if the workforce doesn't know the risks and controls, the assessment isn't doing its job
- Treating risk assessment as a filing exercise rather than a management tool
If you need help establishing a robust risk assessment process — or reviewing the ones you already have — EHS Protect offers practical risk management support tailored to your industry.
Richard Levack
Managing Director, EHS Protect. IRCA EMS Lead Auditor · NEBOSH · COSHH Assessor