The HSE 5 steps to risk assessment are: (1) identify the hazards; (2) decide who might be harmed and how; (3) evaluate the risks and decide on precautions; (4) record your findings and implement them; (5) review your assessment and update if necessary. This is the UK reference framework, set out in HSE guidance INDG163 and used to interpret the duty to carry out a “suitable and sufficient” risk assessment under Regulation 3 of the Management of Health and Safety at Work Regulations 1999. The method applies to every UK workplace, from offices to construction sites.
This guide is a practical walk-through of the HSE 5-step method, with UK worked examples and the specific things inspectors expect to see at each step. For the wider context (what a risk assessment is, the legal framework, when to review, and common mistakes), see our complete risk assessments UK guide.
Where the 5 steps come from
The HSE 5-step method was published in 1998 in HSE leaflet INDG163 (“Risk assessment: A brief guide to controlling risks in the workplace”) and has been the UK reference framework for nearly three decades. It exists to make a broad legal duty (the requirement to carry out a “suitable and sufficient” risk assessment under Regulation 3 of the Management of Health and Safety at Work Regulations 1999) practical and consistent.
The five steps are not themselves law. They are HSE’s recommended structure for fulfilling the legal duty. Employers using a different but equally rigorous structure (ISO 31000, a sector-specific framework) can still comply, provided the result is suitable and sufficient. In practice, HSE inspectors and post-incident investigators expect to see the 5-step structure used because it is the recognised UK reference.
Step 1: Identify the hazards
A hazard is anything with the potential to cause harm: equipment, substances, work methods, the environment, or a combination of these. Step 1 is the systematic process of looking at the work and listing what could go wrong.
How to identify hazards
- Walk the workplace. Slowly, deliberately, with someone who knows the operation. Observe what people actually do, not what the procedure says they do; the two are often different.
- Talk to the people who do the work. Frontline staff know the workarounds, the near-misses, and the bits the procedure does not cover. The people doing the job often spot hazards their managers do not see.
- Check accident and near-miss records. What has gone wrong before is the strongest predictor of what could go wrong again. Sickness absence patterns and equipment maintenance records also reveal hazards.
- Read manufacturers’ instructions. Safety data sheets for substances, operating manuals for equipment, and supplier risk information tell you what hazards the product creates.
- Cover non-routine activity. Maintenance, cleaning, breakdowns, shift handover, deliveries, contractor visits and emergencies. Non-routine work is over-represented in serious incidents.
- Think about long-term hazards too. Not just things that cause immediate injury, but exposures that cause harm over time: chemicals, noise, vibration, repetitive strain, mental-health impact.
- Cover the less obvious. Stress and workload, ergonomic strain, hazards to lone workers, hazards specific to new and expectant mothers, hazards to young workers, and hazards to workers with disabilities.
Common hazard categories
It helps to think systematically. Common hazard categories in UK workplaces:
| Category | Examples |
|---|---|
| Physical | Slips and trips, working at height, manual handling, machinery, vehicles, electricity, fire |
| Chemical | Cleaning products, fuels, solvents, dust, fumes, gases (covered by COSHH) |
| Biological | Bacteria, viruses, fungi. Especially relevant in healthcare, waste, and food production |
| Ergonomic | Repetitive movements, poor posture, manual handling, display screen use |
| Psychosocial | Workload, stress, harassment, isolation, fatigue from shift patterns |
| Environmental | Temperature, lighting, ventilation, noise, vibration |
Worked example: a UK office
A small office identifies hazards including DSE-related musculoskeletal strain, slips from cables and wet floors after cleaning, manual handling of file boxes, electrical hazards from portable appliances, fire and egress, work-related stress, and lone working during Saturday cover. The list is shorter than a factory’s, but the discipline of compiling it systematically still applies.
Step 2: Decide who might be harmed and how
For each hazard identified in Step 1, work out which groups of people could be affected, and how. The “who” goes beyond your direct employees. UK law, specifically Section 3 of the Health and Safety at Work Act 1974, extends employer duties to anyone affected by the work, not just your own staff.
Groups to consider
- Direct employees doing the work
- Other employees nearby, even if not doing the task themselves
- Contractors, sub-contractors and agency staff
- Visitors and members of the public who could be affected (delivery drivers, customers, neighbours)
- Lone workers and those working outside normal hours
- New and young workers (under 18)
- Expectant mothers and new mothers
- Workers with disabilities
- Workers whose first language is not English
- Cleaners and maintenance workers who often work outside normal hours
- Emergency responders who might be called to an incident
The “how” matters as much as the “who”
Be specific. “Workers might be harmed” is too vague. A clear route to harm, such as “the operative could be struck by the reversing forklift while crossing the loading bay, causing crush injuries”, points to specific control measures. A vague description like “vehicle hazards” does not.
Step 3: Evaluate the risks and decide on precautions
This is where the assessment turns from observation into action. For each hazard, you need to assess the level of risk, decide whether existing controls are adequate, and if not, decide what additional controls are needed.
Evaluating risk: likelihood and severity
Most UK workplaces use a simple matrix to evaluate risk: likelihood (how probable is harm?) multiplied by severity (how bad would the harm be?). A typical 5×5 matrix:
| Severity / Likelihood | Rare | Unlikely | Possible | Likely | Almost certain |
|---|---|---|---|---|---|
| Catastrophic (death) | Medium | High | High | Very high | Very high |
| Major (serious injury) | Low | Medium | High | High | Very high |
| Moderate (lost-time injury) | Low | Low | Medium | High | High |
| Minor (first aid) | Very low | Low | Low | Medium | Medium |
| Negligible | Very low | Very low | Low | Low | Low |
The matrix is a tool for prioritisation, not a magic answer. Two reasonable assessors looking at the same hazard may rate the likelihood differently, and that is fine, as long as the reasoning is documented. For lower-complexity workplaces a 3×3 matrix gives enough resolution to prioritise.
The hierarchy of control
When you decide what precautions to put in place, UK law requires you to follow the hierarchy of control. The principle is to prefer the most effective controls over the least effective:
- Eliminate: remove the hazard entirely (do not use the hazardous substance at all; redesign the process to remove the lifting task).
- Substitute: replace with something less hazardous (use a less harmful chemical; replace step-ladder use with a mobile elevated work platform).
- Engineering controls: change the workplace to reduce exposure (extraction, machinery guarding, vehicle segregation).
- Administrative controls: change how people work (procedures, training, signage, permits-to-work, restricted access).
- Personal protective equipment (PPE): protect the individual (gloves, masks, hard hats).
PPE is at the bottom because it relies on people wearing it correctly, does not reduce the hazard itself, and fails when people forget or take shortcuts. UK case law and HSE enforcement practice consistently expect employers to consider higher-hierarchy controls first. Going straight to “we’ll give them PPE” without considering elimination or engineering controls is a frequent reason for enforcement action.
For a deeper walk-through, see our complete hierarchy of control guide.
“So far as is reasonably practicable”
UK law uses the phrase “so far as is reasonably practicable”, meaning the cost and effort of a control should be balanced against the risk it reduces. You are not required to eliminate every conceivable risk. You are required to take measures that are reasonable in proportion to the risk. The greater the risk, the more cost and effort can reasonably be expected.
Step 4: Record your findings and implement them
If you employ five or more people, the significant findings of your risk assessment must be recorded. This is set out in Regulation 3(6) of the Management of Health and Safety at Work Regulations 1999. Smaller employers are not legally required to record assessments, but it is good practice and provides evidence of due diligence if anything goes wrong.
What to record
A written risk assessment should typically include, for each hazard:
- What the assessment covers (workplace, activity, date)
- Who carried it out and who they consulted
- The hazard identified
- Who could be harmed and how
- The existing control measures in place
- An evaluation of the residual risk after controls (acceptable, or further action needed)
- Any additional control measures required
- Who is responsible for implementing each control
- Target dates for completion
- Date of next review
The HSE provides a free generic template. We provide a free UK risk assessment template in Word, Excel and PDF that covers all the fields HSE expects to see, ready to adapt to your operations.
Writing a risk assessment that is actually useful (clear, specific and action-oriented) is a discipline in itself. The pattern most untrained writers fall into is recording what is nominally in place rather than what is actually controlling the risk, and producing documents nobody reads after the day they are filed. For staff responsible for writing assessments across an organisation, our Risk Assessment Writers Workshop covers the practical writing skills: phrasing controls so they are verifiable, structuring assessments so they survive review, and avoiding the generic-template trap that makes documents legally weak.
Implementation: the part that actually protects people
The risk assessment is only valuable if the controls actually get implemented. This is where many assessments fail; controls are listed in the document but never put into practice. Real implementation usually requires:
- Someone specific made responsible for each action
- A timeline with realistic dates
- Budget allocated where needed
- A check that the action was completed
- Communication to the workers affected
In HSE enforcement practice, an assessment that lists three corrective actions and leaves them open eighteen months later is almost as bad as having no risk assessment at all.
Step 5: Review your assessment and update if necessary
Risk assessments are not one-off documents. The HSE expects them to be reviewed regularly and updated whenever circumstances change.
When to review
- After an incident, including near-misses where harm was averted. Any incident or near-miss should trigger a review of the relevant assessment to understand whether the controls failed and why.
- When work changes. New equipment, new substances, new processes, new layouts, new shift patterns, new staff cohorts.
- When the workforce changes. New starters, especially in safety-sensitive roles.
- When laws or guidance change. HSE updates, new ACOPs, regulatory changes, court rulings.
- On a regular schedule. Higher-risk activities reviewed at least annually; moderate-risk every 12 to 18 months; lower-risk every 2 to 3 years.
What to look for in review
The review is not a paperwork exercise. It is a real check on whether the controls are working. Are workers using the PPE? Has the engineering control been maintained? Have new hazards emerged? Are there incidents or near-misses suggesting the assessment underestimated something? HSE inspectors and post-incident investigators often ask “when was this risk assessment last reviewed?” Years-old reviews with no triggering event in between are difficult to defend.
Dynamic risk assessment: for changing conditions
The five-step framework works well for stable, predictable workplaces. For work where conditions change in real time (emergency response, security, healthcare, lone working in unfamiliar environments), a static assessment written in advance cannot keep up. Dynamic risk assessment is the discipline of continuously re-assessing while work is in progress: noticing what has changed, reassessing the risk on the spot, and adjusting the response. It complements rather than replaces the standard five-step process. Our Dynamic Risk Assessment Workshop covers this skill specifically and is the right level for staff in roles where conditions can shift faster than paperwork can follow.
Worked example: warehouse forklift operations
A 40-person distribution warehouse reviews its risk assessment for forklift operations.
| Step | Detail |
|---|---|
| 1. Hazards identified | Forklift collision with pedestrians; forklift collision with racking; falling loads; LPG refuelling (cylinder changes); battery charging (electric trucks); poor visibility round blind corners; fatigued operation toward end of shift; untrained or refresher-overdue operators driving. |
| 2. Who might be harmed and how | Forklift operators (poor visibility, collisions, falling loads, LPG handling); warehouse pedestrians (collision); office staff using the warehouse for stock checks (collision, falling loads); delivery drivers in the bay (collision, loading errors); maintenance contractors (battery work, LPG storage). |
| 3. Evaluation and precautions | Pedestrian-forklift collision rated likely/major. Existing controls: marked pedestrian walkways, mirrors at blind corners, designated crossing points, hi-vis vests for everyone in the warehouse. Residual risk assessed as moderate. Additional control: review crossing-point lighting (one is dimmer than the others), consider audible warning device on forklifts. LPG refuelling rated possible/major; existing controls (outdoor cylinder change point, two-person process, signage). Residual risk low. Battery charging rated possible/major; existing controls (designated charging area with eyewash and Class C extinguisher, segregated from operations). Residual risk low. |
| 4. Record and implement | Findings recorded on the company’s risk assessment form. Actions raised: (a) install brighter LED lighting at the dim crossing point, owner: Operations Manager, deadline: 30 days; (b) commission acoustic warning device assessment, owner: H&S Coordinator, deadline: 60 days; (c) audit forklift operator competence and ensure all in-date, owner: Training Manager, deadline: 14 days. |
| 5. Review | Next scheduled review in 12 months given moderate-to-high risk profile; immediate review on completion of acoustic warning device assessment; immediate review on any forklift-related incident or near-miss. |
What HSE inspectors look for in a 5-step risk assessment
If an HSE inspector reviews your risk assessment, during a routine visit or after an incident, they will typically look for the following:
- Specificity. Does it relate to the work actually being done at this site, by these people, with this equipment? Generic downloaded templates are an immediate concern.
- Coverage. Are the significant risks all addressed? Common gaps: stress, ergonomic strain, lone working, contractor and visitor risk.
- Hierarchy of control. Has the employer considered eliminating or engineering out hazards before defaulting to PPE?
- Implementation. Have the actions identified been followed through, or are they stale?
- Review history. Are recent reviews recorded? Has the assessment been refreshed after changes or incidents?
- Competence of the assessor. Was the assessment carried out by someone with appropriate training and knowledge of the work?
- Worker involvement. Were the people doing the work involved in identifying hazards? Their fingerprints should be visible.
Common mistakes that fail risk assessments
1. Treating it as paperwork
The most common failure. The assessment is written, filed, and never looked at again until something goes wrong. A risk assessment that does not change behaviour is not a risk assessment; it is a record of past thinking.
2. Generic assessments
Copying a template without genuinely thinking about the specific workplace. Generic assessments miss the hazards unique to the actual operation. The strongest assessments are workplace-specific.
3. Not consulting the workforce
Managers writing the assessment without talking to workers. The people doing the job have insights no one else has. Skipping that conversation is the single quickest way to write a weak assessment.
4. Focusing only on PPE
Defaulting to “we’ll issue gloves” without considering whether the hazard could be eliminated, substituted or engineered out. PPE is the last line of defence, not the first.
5. Never reviewing
Risk assessments dated five years ago, with a workforce that has changed twice and equipment that has been replaced. A risk assessment is a living document or it is nothing.
When you need professional help
For most everyday workplace risks, a competent line manager or safety officer trained in risk assessment can produce a good assessment. For complex or specialist hazards, professional input is appropriate:
- Fire risk assessment. Legally required to be carried out by a “competent person” under the Regulatory Reform (Fire Safety) Order 2005. For low and medium-risk environments, our Fire Risk Assessment for Low to Medium Risk Environments course covers the assessor competence the order expects.
- COSHH assessments. Chemical risk assessments may need specialist occupational hygiene input for complex exposures. Our COSHH Assessors Training covers in-house competence for routine and moderately complex chemical assessments, with COSHH Awareness as the wider workforce baseline.
- Major hazard sites (COMAH). Process safety assessments require qualified specialists.
- Asbestos surveys. Must be carried out by a competent surveyor. Asbestos Awareness is the worker-level baseline; for duty-holders, our Managing Asbestos course covers the broader management framework.
KeyOstas’s Risk Assessment and Management consultancy supports UK businesses with both routine and specialist risk assessment, drawing on 41 years of practical safety experience.
Where to learn more
The Management of Health and Safety at Work Regulations 1999 require risk assessments to be carried out by a competent person, someone with the knowledge, experience and training appropriate to the risk. If you need to carry out risk assessments as part of your role, formal training pays back quickly. KeyOstas offers options at every level, mapped to who in the organisation needs the training:
- IOSH Working Safely: entry-level qualification for any employee, covering risk awareness and personal responsibility.
- Risk Assessment Training: practical 1-day course for managers and supervisors who carry out assessments themselves.
- Risk Assessment Writers Workshop: for staff responsible for writing assessments across an organisation.
- Dynamic Risk Assessment Workshop: for staff in roles where conditions change in real time.
- IOSH Managing Safely: 3-day course covering the 5 steps in practical depth, with a guided risk assessment exercise. The UK standard for line managers and supervisors.
- NEBOSH National General Certificate: Level 3 qualification with risk assessment as a core component. Suitable for safety practitioners and senior managers.
Sector-specific qualifications cover specialised assessments: the NEBOSH Construction Certificate for construction site risk, the NEBOSH Certificate in Fire Safety for fire risk assessment, and similar. For consultancy support on specific risk assessments, see our Risk Assessment and Management consultancy service. Or call us on +44 (0) 3300 569534 for tailored advice.
Frequently asked questions about the 5 steps to risk assessment
What are the 5 steps to risk assessment?
Step 1: identify the hazards. Step 2: decide who might be harmed and how. Step 3: evaluate the risks and decide on precautions. Step 4: record your findings and implement them. Step 5: review your assessment and update if necessary.
How many steps are there in a risk assessment?
The HSE’s recommended method uses 5 steps. The framework was published by HSE in 1998 in leaflet INDG163 and has been the UK reference for nearly three decades.
Is the HSE 5-step method legally required?
No. The legal requirement is to carry out a “suitable and sufficient” risk assessment under Regulation 3 of the Management of Health and Safety at Work Regulations 1999. The HSE 5-step method is the recommended way of meeting that duty. Employers using a different but equally rigorous structure (ISO 31000, a sector-specific framework) can still comply, provided the result is suitable and sufficient.
Where does the HSE 5-step method come from?
The HSE published the 5-step method in 1998 in leaflet INDG163 (“Risk assessment: A brief guide to controlling risks in the workplace”). It has been the UK reference framework for nearly three decades and is the structure HSE inspectors and post-incident investigators expect to see used.
Who is competent to carry out a 5-step risk assessment?
The Management Regulations require a “competent person”, someone with the knowledge, experience and training appropriate to the risk. For general workplace risks, IOSH Managing Safely or NEBOSH National General Certificate is the typical UK benchmark. Specialist risks (construction, fire, hazardous substances, asbestos) require additional sector-specific qualifications.
How often should a risk assessment be reviewed?
Risk assessments must be reviewed when work changes, after any incident or near-miss, when new information about risks comes to light, and at planned intervals. In practice: higher-risk activities annually as a minimum; moderate-risk every 12 to 18 months; lower-risk every 2 to 3 years.
What is the second step of a risk assessment?
Step 2 is “decide who might be harmed and how”. For each hazard identified in Step 1, the employer identifies who could be harmed (employees, contractors, visitors, members of the public, vulnerable groups) and describes the route to harm in enough detail to point toward appropriate control measures.
What is the fifth step of a risk assessment?
Step 5 is “review your assessment and update if necessary”. Risk assessments must be reviewed when work changes, after any incident or near-miss, when new information about risks comes to light, and at planned intervals.
What is the difference between a risk assessment and a method statement?
A risk assessment identifies hazards and recommends controls. A method statement is the practical step-by-step plan that puts those controls into action for a specific task. For high-risk work, particularly in construction, both are typically required and are often presented together as a “RAMS” document.
What is the hierarchy of control in risk assessment?
The hierarchy of control is the principle of preferring more effective control measures over less effective ones. The order is: (1) eliminate the hazard, (2) substitute with something safer, (3) engineering controls, (4) administrative controls, (5) personal protective equipment. UK law expects employers to consider higher-hierarchy controls first.
Do I need risk assessment training?
Anyone responsible for carrying out risk assessments at work should have training appropriate to the level of risk they are assessing. For everyday workplace risks, IOSH Managing Safely or our 1-day Risk Assessment Training is the UK benchmark. Higher-risk environments typically need NEBOSH National General Certificate or sector-specific qualifications.