A risk assessment is the structured process UK employers use to identify hazards in their work, decide who could be harmed and how, evaluate the risks, and put proportionate control measures in place. The duty to carry out a “suitable and sufficient” risk assessment is set in Regulation 3 of the Management of Health and Safety at Work Regulations 1999, made under the Health and Safety at Work Act 1974. The HSE’s recommended method is the 5-step approach: (1) identify the hazards, (2) decide who might be harmed and how, (3) evaluate the risks and decide on precautions, (4) record findings and implement them, and (5) review and update as needed. Risk assessments must be reviewed whenever circumstances change, after any incident, and at least annually for higher-risk activities.
This guide explains what a UK risk assessment actually is, the legal framework that requires it, the HSE 5-step method with worked examples, what “suitable and sufficient” means in practice, how often to review, and the common mistakes that result in HSE enforcement action. It is written for UK H&S managers, business owners, supervisors and anyone with responsibility for keeping people safe at work.
What is a risk assessment?
A risk assessment is a careful examination of what, in your work, could cause harm to people, so that you can weigh up whether you have taken enough precautions or should do more. The wording is the HSE’s own. The intent is practical: stop accidents and ill health before they happen, by thinking about the work systematically rather than reacting after the fact.
Two concepts sit at the heart of risk assessment and are often confused:
- Hazard: anything that has the potential to cause harm. A chemical, a moving vehicle, a slippery floor, a stressful workload, a step-ladder.
- Risk: the likelihood that the hazard will actually cause harm, combined with how severe that harm would be. A chemical locked in a cupboard is a hazard but a low risk. The same chemical being decanted by an untrained worker is a high risk.
A risk assessment is the systematic process of identifying hazards, assessing the risks they create, and putting in place control measures that reduce those risks to an acceptable level (what UK law calls “so far as is reasonably practicable”).
Is risk assessment a legal requirement in the UK?
Yes. Under the Management of Health and Safety at Work Regulations 1999 (made under the Health and Safety at Work Act 1974), every UK employer has a legal duty to carry out a “suitable and sufficient” risk assessment of the risks to the health and safety of their employees and anyone else affected by their work.
Specifically:
- Regulation 3: the general duty to assess risks.
- Regulation 3(6): where an employer has five or more employees, the significant findings must be recorded.
- Regulation 3(3): assessments must be reviewed when circumstances change or when there is reason to believe they are no longer valid.
Additional specific risk assessment requirements come from other regulations: COSHH 2002 (substances hazardous to health), LOLER 1998 (lifting operations), PUWER 1998 (work equipment), the Manual Handling Operations Regulations 1992, the Regulatory Reform (Fire Safety) Order 2005, and the DSE Regulations 1992 (display screen equipment). Each of these requires a sector- or topic-specific risk assessment.
What does “suitable and sufficient” mean?
The phrase “suitable and sufficient” is used in UK law but not defined in detail. It is meant to be proportionate to the risk. HSE guidance and case law set out what it amounts to in practice:
- Suitable: appropriate to the work actually being done, by the people actually doing it, with the equipment they are actually using. A generic risk assessment for “construction work” pulled off the internet is unlikely to be suitable for your specific site.
- Sufficient: covers the significant risks (not every conceivable hazard), considers all who could be harmed (including non-employees), reflects current legislation and good practice, and is reviewed when it should be.
In HSE enforcement practice, a risk assessment is often found to be neither suitable nor sufficient if it was downloaded from a template and not adapted, completed by someone with no first-hand knowledge of the work, or last reviewed many years before an incident.
The HSE 5 steps to risk assessment
The HSE’s published 5-step method has been the UK reference framework since 1998 and is the structure most UK risk assessments follow. Each step is summarised below; the dedicated article 5 Steps to Risk Assessment (HSE Method) goes deeper with full worked examples.
Step 1: Identify the hazards
Walk the work. Talk to the people who do it. Look at incident and near-miss records. Check manufacturer instructions for equipment and substances. Consider all aspects of the work: physical, chemical, biological, ergonomic, psychosocial. Don’t forget non-routine activities: maintenance, breakdown, shift handover, contractor visits.
Step 2: Decide who might be harmed and how
For each hazard, identify who could be harmed and how. This includes employees, contractors, agency staff, members of the public, lone workers, new and young workers, expectant mothers, disabled workers and workers whose first language is not English. The “how” matters as much as the “who”. Describing the route to harm helps you design effective controls.
Step 3: Evaluate the risks and decide on precautions
For each hazard, evaluate the risk by considering likelihood (how often) and severity (how badly). Decide what precautions are already in place and whether they are enough. Where they are not, apply the hierarchy of control: eliminate the hazard first; if you can’t, substitute a safer alternative; if you can’t, use engineering controls (guards, ventilation, isolation); then administrative controls (procedures, training, supervision); and only as the last line, personal protective equipment.
Read more in our hierarchy of control UK guide.
Step 4: Record your findings and implement them
If you employ five or more people, you must record the significant findings of your risk assessment. The record should include: the hazards identified, who could be harmed and how, the existing controls, the conclusion (is the risk acceptably controlled?), any actions required, who is responsible for them, and the deadline.
Most importantly: the actions must be implemented. A risk assessment that identifies actions and leaves them open in a spreadsheet does not protect anyone. We provide a free risk assessment template with the fields HSE expects to see.
Step 5: Review your assessment and update if necessary
Risk assessments are not one-off documents. They must be reviewed when:
- The work changes (new equipment, new processes, new substances, new layout)
- An incident or near-miss occurs
- New information about risks comes to light (a manufacturer alert, a regulatory change, a court ruling)
- A planned review interval falls due, typically annually for higher-risk activities and every 2-3 years for lower-risk ones
Worked example 1: Construction site risk assessment
A small construction company is fitting out a high-street retail unit. The site supervisor carries out a risk assessment before work starts.
- Hazards identified: working at height (fitting ceiling-mounted fixtures, ~3.5m), manual handling (carrying shop-fit panels), dust (sanding wall trim), slips and trips (cables across the floor), interface with public (the unit has a shared service corridor).
- Who could be harmed: the four operatives, the shop-fit subcontractor’s two workers, delivery drivers, members of the public using the shared corridor, the unit’s manager visiting site.
- Existing controls: two podium steps (in good condition, inspected), four mechanical lifting trolleys, dust extraction on sanders, traffic-management plan for the corridor.
- Risk evaluation: working at height rated moderate likelihood and high severity, controlled by podium steps and supervision. Manual handling rated moderate likelihood and moderate severity, controlled by trolleys. Dust rated moderate likelihood with low-to-moderate severity, controlled by extraction and FFP3 masks for sustained use. Slips rated moderate likelihood and moderate severity, controlled by cable trunking and good housekeeping. Public interface rated moderate likelihood and moderate severity, controlled by the traffic-management plan and barriers.
- Actions: issue FFP3 masks to all operatives day 1; toolbox-talk on cable management; daily housekeeping check by supervisor; weekly review of traffic-management effectiveness.
- Review: reassess if scope of work changes (e.g., higher ceiling fixtures requiring tower scaffold); review after any incident; final reassessment before site handover.
This worked example illustrates a “suitable and sufficient” assessment for a small-scale, well-understood job. A complex or high-risk project (working at height above 6 metres, confined-space entry, hot work in flammable atmospheres) would require significantly more detailed assessment and specific competent supervision.
Worked example 2: Office risk assessment
A 25-person professional services office reviews its general office risk assessment.
- Hazards identified: display screen equipment (prolonged use), slips/trips (cables, wet floors after cleaning), manual handling (file storage, occasional equipment moves), electrical (portable appliances), fire (egress and detection), stress (workload, long hours), lone working (Saturday cover).
- Who could be harmed: the 25 employees, the 6 contractors on site at any time (IT, cleaners, building maintenance), visitors.
- Existing controls: DSE assessments completed for all desk-based workers; PAT testing (annual); fire risk assessment current; clearly marked egress; weekly cleaner brief on wet floor signage; lone-working sign-out procedure for Saturday cover; flexible working policy.
- Risk evaluation: DSE rated moderate likelihood of musculoskeletal symptoms, controlled by individual assessments. Slips rated low-to-moderate likelihood, controlled by the cleaning protocol. Fire rated low likelihood but high severity if it occurred, controlled by detection, alarms and drills. Stress rated moderate-to-high likelihood given the workload; partially controlled by flexible working but flagged as needing further work.
- Actions: commission an external stress risk assessment given recurring grievances; refresh fire drill schedule (last drill 14 months ago); update PAT testing schedule and confirm next due date.
- Review: annual review for routine operations; immediate review on office move (planned Q3); immediate review after any incident.
How often should you review a risk assessment?
UK law does not specify a fixed review interval. The Management Regulations require review when “no longer valid” or when “there has been a significant change”. In practice, HSE-aligned good practice is:
- High-risk activities (construction, confined spaces, working at height above 2m, hazardous substances): review at least annually, and immediately after any incident or significant change.
- Moderate-risk activities (manual handling, vehicles on site, hot work): review every 12-18 months and immediately on change.
- Low-risk activities (general office, low-volume retail): review every 2-3 years and immediately on change.
Whatever interval you set, build the review schedule into a calendar so reviews actually happen. HSE inspectors and post-incident investigators often ask “when was this risk assessment last reviewed?”, and “five years ago” is rarely a survivable answer.
Common mistakes in UK risk assessment
The most common reasons UK risk assessments fail an HSE inspection or are criticised in post-incident investigation:
- Generic, template-only assessments: downloaded online, never adapted to actual work, never owned by the team doing the work.
- Written by the wrong person: by the safety officer alone, without input from the people who actually do the job.
- Identifying actions, not implementing them: the assessment lists three actions; eighteen months later all three are still open.
- Missing the significant hazards: ergonomic, psychosocial and lone-working hazards are often missed, stress at work in particular.
- Not considering non-employees: Section 3 of the H&S at Work Act covers contractors, visitors and the public. Many assessments don’t.
- “Set and forget” attitude: assessment dated 2019 still on file in 2026 with no review record.
- Treating risk assessment as a paperwork exercise rather than a way of actually identifying and eliminating hazards. HSE will see the difference instantly.
Risk assessment templates and tools
A consistent template helps make sure each risk assessment captures the same fields and is easy to compare across teams or sites. The HSE publishes a free generic template. We provide a downloadable risk assessment template tailored for UK employers, covering the fields HSE expects to see in a “suitable and sufficient” record.
For organisations carrying out many assessments, dedicated risk assessment software (some specifically designed for the UK market) offers version control, electronic sign-off, action tracking and reporting. The exact choice depends on the scale and complexity of operations.
Who should carry out a risk assessment?
The Management Regulations require that risk assessments are carried out by a “competent person”. Competence is not a single qualification. It is a combination of knowledge, experience and training appropriate to the risk being assessed. For most general workplace risks, a supervisor or line manager who has completed IOSH Managing Safely or the NEBOSH National General Certificate would be considered competent.
For specialised or high-risk areas, additional sector-specific qualifications are typically required: NEBOSH Construction Certificate for construction site assessments, NEBOSH Fire Certificate or equivalent for fire risk assessment, IATA Dangerous Goods for hazardous transport, and so on. Employers carrying out specialist assessments without appropriate competence are commonly criticised in HSE enforcement.
How risk assessment training fits in
The most effective UK organisations invest in risk assessment competence at multiple levels:
- Frontline workers: short awareness modules cover what risk assessment is, why it matters, and how to spot and report hazards.
- Line managers and supervisors: IOSH Managing Safely includes a practical risk assessment exercise and is the UK standard for supervisor-level competence.
- Safety practitioners: the NEBOSH National General Certificate is the practitioner-level UK benchmark and covers risk assessment to significant depth.
- Senior leaders: IOSH Leading Safely equips boards and directors to understand the cultural and strategic role they play in supporting effective risk assessment.
Risk Assessments: Frequently Asked Questions
What is a risk assessment in health and safety?
A risk assessment is the structured process of identifying workplace hazards, deciding who might be harmed and how, evaluating the risks, putting control measures in place to reduce them so far as reasonably practicable, recording the findings, and reviewing the assessment when circumstances change. It is a legal requirement for UK employers under the Management of Health and Safety at Work Regulations 1999.
How many steps are in a risk assessment?
The HSE recommends a 5-step approach: (1) identify the hazards, (2) decide who might be harmed and how, (3) evaluate the risks and decide on precautions, (4) record findings and implement them, and (5) review the assessment and update if necessary.
When is a risk assessment necessary?
UK employers must carry out a risk assessment of all work activities under Regulation 3 of the Management of Health and Safety at Work Regulations 1999. Specific additional assessments are required under COSHH (substances), LOLER (lifting), PUWER (equipment), DSE (display screen), Manual Handling Operations Regulations 1992, and the Fire Safety Order 2005. Risk assessments must be reviewed whenever the work changes, after any incident, and at planned intervals.
How often should risk assessments be reviewed?
UK law requires review when circumstances change or when the assessment is no longer valid. In practice, high-risk activities should be reviewed at least annually; moderate-risk activities every 12-18 months; low-risk activities every 2-3 years. Any incident, near-miss, regulatory change or change in work activity triggers an immediate review regardless of schedule.
What does “suitable and sufficient” mean for a risk assessment?
“Suitable” means appropriate to the actual work being done, by the actual people doing it, with the actual equipment they use, not a generic downloaded template. “Sufficient” means it covers the significant risks, considers all who could be harmed including non-employees, reflects current law and good practice, and is reviewed when it should be. The phrase is not defined precisely in law because it is intended to be proportionate to risk.
Who can carry out a risk assessment?
The Management of Health and Safety at Work Regulations 1999 require risk assessments to be carried out by a “competent person”, someone with the knowledge, experience and training appropriate to the risk. For general workplace risks, a supervisor or manager who has completed IOSH Managing Safely or NEBOSH National General Certificate is typically considered competent. Specialist risks (construction, fire, hazardous substances) require additional sector-specific qualifications.
Do I need to record my risk assessment?
If you employ five or more people, you must record the significant findings of your risk assessment; this duty is set in Regulation 3(6) of the Management Regulations. Smaller employers are not legally required to record their assessments in writing but are strongly encouraged to do so. In any HSE investigation or insurance claim, a written record is the only practical way to demonstrate that an assessment was actually carried out.
What is the difference between a hazard and a risk?
A hazard is anything with the potential to cause harm: a chemical, a moving vehicle, a slippery floor. A risk is the likelihood that the hazard will actually cause harm, combined with how severe that harm would be. The same hazard can present very different risks depending on the control measures in place.
What is the hierarchy of control in risk assessment?
The hierarchy of control is the order of preference UK law expects for risk control measures: (1) eliminate the hazard, (2) substitute with something safer, (3) engineering controls (guards, ventilation, isolation), (4) administrative controls (procedures, training, supervision), and (5) personal protective equipment as a last line. Employers should always look to control higher in the hierarchy before relying on lower-order measures. Read our full hierarchy of control guide.
What is a dynamic risk assessment?
A dynamic risk assessment is one made by workers on the spot, in real time, when conditions change unexpectedly. It is used in emergency services, lone-working roles, and field-based work where written pre-task assessments cannot anticipate every situation. Dynamic assessment complements, but does not replace, the formal written risk assessment of the routine work.