The 5 steps to risk assessment is the framework set out by the UK Health and Safety Executive (HSE) for identifying and controlling workplace risk. The five steps are: (1) identify the hazards, (2) decide who might be harmed and how, (3) evaluate the risks and decide on precautions, (4) record your findings and implement them, and (5) review your assessment and update if necessary. The framework applies to every UK workplace under the Management of Health and Safety at Work Regulations 1999, and is the basis of the NG2/GNC2 practical assessment in the NEBOSH General Certificate.
Risk assessment is the foundation of UK workplace health and safety. Almost every safety failure that causes serious harm — and there are around 135 work-related fatalities and 600,000 non-fatal injuries reported in the UK each year — could be prevented or reduced by a properly conducted risk assessment.
The HSE's 5-step framework is the standard approach. It's used by safety officers, line managers, and anyone responsible for workplace safety in the UK. This guide walks through each step in detail, with worked examples, common mistakes to avoid, and how the framework fits into UK law.
A risk assessment is a careful, structured examination of what could harm people in a workplace, and what reasonable steps you can take to prevent that harm. Two important distinctions:
Risk assessment is the process of identifying hazards, evaluating the risks they pose, and deciding what to do about them. It's not a paperwork exercise — though it does need to be documented — it's a tool for making workplaces genuinely safer.
The HSE published the 5-step framework in their guidance document INDG163 (originally in 1996, updated several times since). It's deliberately simple. The framework was designed to be usable by small employers without specialist safety knowledge — but it's the same framework professional safety officers use, just applied with more depth.
The 5 steps work because they map onto the underlying logic of risk management: find the problem, work out who's affected, decide what to do, do it, then check it's working. Anything more complicated tends to confuse rather than help.
The first step is finding everything in the workplace that could cause harm. There's no shortcut to this — it requires actually looking at the workplace, observing how the work is done, and asking the people who do it.
It helps to think systematically. Common hazard categories in UK workplaces:
| Category | Examples |
|---|---|
| Physical | Slips and trips, working at height, manual handling, machinery, vehicles, electricity, fire |
| Chemical | Cleaning products, fuels, solvents, dust, fumes, gases (covered by COSHH) |
| Biological | Bacteria, viruses, fungi — particularly relevant in healthcare, waste, food production |
| Ergonomic | Repetitive movements, poor posture, manual handling, display screen use |
| Psychosocial | Workload, stress, harassment, isolation, fatigue from shift patterns |
| Environmental | Temperature, lighting, ventilation, noise, vibration |
For each hazard you've identified, work out which groups of people could be affected, and how. This isn't always obvious.
Be specific. "Workers might be harmed" is too vague. "A forklift driver could collide with a pedestrian in the warehouse aisle, causing crush injuries" is the level of detail that drives effective control measures.
This is where the assessment turns from observation into action. For each hazard, you need to:
Most UK workplaces use a simple matrix to evaluate risk: likelihood (how probable is harm?) multiplied by severity (how bad would the harm be?). A typical 5x5 matrix:
| Severity / Likelihood | Rare | Unlikely | Possible | Likely | Almost certain |
|---|---|---|---|---|---|
| Catastrophic (death) | Medium | High | High | Very high | Very high |
| Major (serious injury) | Low | Medium | High | High | Very high |
| Moderate (lost-time injury) | Low | Low | Medium | High | High |
| Minor (first aid) | Very low | Low | Low | Medium | Medium |
| Negligible | Very low | Very low | Low | Low | Low |
The matrix is a tool for prioritisation, not a magic answer. Two reasonable assessors looking at the same hazard may rate the likelihood differently — and that's fine, as long as the reasoning is documented.
When you decide what precautions to put in place, UK law requires you to follow the hierarchy of control — also called the hierarchy of risk control measures. The principle is to prefer the most effective controls over the least effective, in this order: (1) eliminate the hazard, (2) substitute it with something less hazardous, (3) engineering controls, (4) administrative controls, (5) personal protective equipment (PPE).
PPE is at the bottom because it relies on people wearing it correctly, doesn't reduce the hazard itself, and fails when people forget or take shortcuts. It's a backstop, not a primary control.
UK law uses the phrase "so far as is reasonably practicable" — meaning the cost and effort of a control should be balanced against the risk it reduces. You're not required to eliminate every conceivable risk; you're required to take measures that are reasonable in proportion to the risk. The greater the risk, the more cost and effort can reasonably be expected.
UK law (specifically the Management of Health and Safety at Work Regulations 1999) requires employers with five or more employees to record their significant findings in writing. Smaller employers don't have to — but it's still good practice and provides evidence of due diligence if anything goes wrong.
A written risk assessment should typically include:
Writing a risk assessment that's actually useful — clear, specific, action-oriented — is a discipline in itself. The pattern most untrained writers fall into is recording what's nominally in place rather than what's actually controlling the risk, and producing documents nobody reads after the day they're filed. For people responsible for writing assessments across an organisation, our Risk Assessment Writers Workshop covers the practical writing skills — phrasing controls so they're verifiable, structuring assessments so they survive review, and avoiding the generic-template trap that makes documents legally weak.
The risk assessment is only valuable if the controls actually get implemented. This is where many assessments fail — controls are listed in the document but never put into practice. Real implementation usually requires:
Risk assessments aren't done once. The HSE expects them to be reviewed regularly and updated whenever circumstances change.
The review isn't a paperwork exercise — it's a real check on whether the controls are working. Are workers using the PPE? Has the engineering control been maintained? Have new hazards emerged? Are there incidents or near-misses suggesting the assessment underestimated something?
The five-step framework works well for stable, predictable workplaces. For work where conditions change in real time — emergency response, security, healthcare, lone working in unfamiliar environments — a static assessment written in advance can't keep up. Dynamic risk assessment is the discipline of continuously re-assessing while work is in progress: noticing what's changed, reassessing the risk on the spot, and adjusting the response. It complements rather than replaces the standard five-step process. Our Dynamic Risk Assessment Workshop covers this skill specifically and is the right level for staff in roles where conditions can shift faster than paperwork can follow.
To make the framework concrete, here's a worked example for a small bakery's risk assessment of "operating the bread oven":
| Step | Detail |
|---|---|
| 1. Hazards identified | Burns from hot oven surface; manual handling of hot trays; slipping on flour-dusted floor near oven; gas supply hazards; electrical hazards from oven controls |
| 2. Who's at risk | Two bakers operating the oven; cleaners working around it after shifts; new starters unfamiliar with the equipment |
| 3. Risk evaluation and precautions | Burns rated medium-high — control: heat-resistant gloves issued, oven door warning signage, two-handed lift trolley introduced for hot trays. Slipping rated medium — control: floor cleaning procedure, anti-slip mats. Gas hazard rated low after annual servicing introduced. |
| 4. Recorded | Risk assessment document signed by manager; controls scheduled into maintenance calendar; PPE issued and recorded |
| 5. Review | Annual review scheduled; reviewed early after a minor burn incident — added requirement for new starters to complete safety induction before operating oven solo |
The most common failure. The assessment is written, filed, and never looked at again until something goes wrong. A risk assessment that doesn't change behaviour isn't a risk assessment — it's a record of past thinking.
Copying a template without genuinely thinking about the specific workplace. Generic assessments miss the hazards unique to the actual operation. The strongest assessments are workplace-specific.
Managers writing the assessment without talking to workers. The people doing the job have insights no one else has. Skipping that conversation is the single quickest way to write a weak assessment.
Defaulting to "we'll issue gloves" without considering whether the hazard could be eliminated, substituted or engineered out. PPE is the last line of defence, not the first.
Risk assessments dated five years ago, with a workforce that's changed twice and equipment that's been replaced. A risk assessment is a living document or it's nothing.
For most everyday workplace risks, a competent line manager or safety officer trained in risk assessment can produce a good assessment. For complex or specialist hazards, professional input is appropriate:
KeyOstas's Risk Assessment & Management consultancy supports UK businesses with both routine and specialist risk assessment, drawing on 41 years of practical safety experience.
The five steps are: (1) identify the hazards, (2) decide who might be harmed and how, (3) evaluate the risks and decide on precautions, (4) record your findings and implement them, and (5) review your assessment and update if necessary.
Yes. Under the Management of Health and Safety at Work Regulations 1999, employers have a legal duty to carry out a risk assessment of workplace activities. Employers with five or more employees must record significant findings in writing.
Risk assessments should be reviewed regularly — annually as a minimum for most workplaces — and additionally whenever circumstances change.
Any "competent person" — meaning someone with sufficient knowledge, training and experience to identify hazards, evaluate risks and recommend appropriate controls.
A risk assessment identifies hazards and recommends controls. A method statement is the practical step-by-step plan that puts those controls into action for a specific task. For high-risk work, both are typically required.
The hierarchy of control is the principle of preferring more effective control measures over less effective ones. The order is: (1) eliminate, (2) substitute, (3) engineering controls, (4) administrative controls, (5) personal protective equipment.
Anyone responsible for carrying out risk assessments at work should have training appropriate to the level of risk they're assessing. Higher-risk environments typically need NEBOSH-level training.
If you need to carry out risk assessments as part of your role, formal training pays back quickly. KeyOstas offers options at every level, broadly mapped to who in the organisation needs the training:
For consultancy support on specific risk assessments, see our Risk Assessment & Management consultancy service. Or call us on +44 (0) 3300 569534 for tailored advice.