What is a risk assessment?

A risk assessment is a careful examination of what, at work, could cause harm to people. It weighs up whether reasonable precautions have been taken or whether more can be done to prevent harm, and if the resulting level of risk is acceptable.

Why do you need to assess risks?

There is a requirement placed on the employer, duty holder or responsible person in UK health and safety legislation, in particular Regulation 3 of the Management of Health and Safety at Work Regulations 1999, to make a suitable and sufficient assessment of the risks people are exposed to at work and to take “reasonable practicable” steps to control those risks.

This extends from employees to the health and safety of visitors and members of the public who may be affected by the organisation’s work activities.

What do you need to do as an employer?

Risk assessment should be a part of day-to-day business management rather than simply a form-filling exercise.

For general advice and information, see the topic Risk Assessment: Principles and Techniques. There are also more than 100 useful forms throughout the product for you to download and edit.

Plan the risk assessment

  1. Decide who is going to be responsible for risk assessment. This may be an in-house health and safety advisor, contracted consultant, or nominated members of staff.

  2. Responsibilities should be detailed in the general Health and Safety Policy or in a specific Risk Assessment Policy.

  3. Make sure those responsible for undertaking risk assessments are competent (see the Competent Persons topic). They will need to understand the organisation’s work activities as well as the risk assessment process. Try your general Risk Assessment Training Presentation or the detailed in-house Risk Assessment training module, complete with trainers’ notes, activities and handouts. See also the Q&A Competency in risk assessment.

  4. Decide the scope of the risk assessment before it begins, ie which premises, activities or people will be included. A simple task analysis that breaks down work activities into stages may be helpful. The process will need to take account of the views of employees and any safety representatives as well as management.

  5. Choose the most appropriate risk assessment methodology to capture the relevant information. There are various risk assessment templates available throughout relevant topics, eg the General Risk Assessment form.

  6. Ensure your risk assessment will be suitable and sufficient. (Unfortunately, what makes a risk assessment suitable and sufficient is not defined in legislation or official guidance.) See Q&A “Suitable and sufficient” risk assessment.

Undertake the risk assessment

  1. Identify the potential hazards in the workplace, both immediate and long term, such as exposure to hazardous substances. Consider both routine and non-routine operations and activities.

    Ways to identify relevant hazards include:

    • checking official and trade association guidance relevant to your work activities

    • reviewing your organisation’s accident and near-miss reports

    • talking to employees and managers about their experiences

    • referring to information from suppliers and manufacturers, eg material safety data sheets or operation and maintenance manuals.

    (See the Resources page in your Risk Assessment: Principles and Techniques topic for a variety of Hazards associated with… templates.)

  2. Identify the individuals who may be exposed to harm, including employees, contractors, visitors and members of the public. Some may be at increased risk due to their age or because of health problems or disability. Language skills, pregnancy and homeworking may also be factors.

  3. Evaluate the risks, ie how likely is it that harm will occur? Are the precautions currently in place sufficient? Then rank the risks: which need to be dealt with first? This could be as simple as giving the risks a low, medium or high score. For information on this, see Risk evaluation.

  4. Decide what — if any — further actions need to be taken to eliminate or reduce unacceptable risks to as low as reasonably practicable. Follow the general principles of prevention in the Management of Health and Safety at Work Regulations 1999, as described in Preventive and Protective Measures.


    While employers need to do everything “reasonably practicable” to protect people from harm, they do not need to implement control measures if they would be grossly disproportionate (in terms of money, time or trouble) to the level of risk. See Q&A Practicable risk control measures.

  5. You must record the findings of the risk assessment if you have five employees or more — but it is worth doing so in any case. This record should include the hazards, the people at harm and the measures you are taking to control the risks.

Implement the risk assessment

  1. Once you’ve identified the risk controls required, decide how to implement them. Set out the relevant procedures and actions, appoint people to carry them out and establish a method for tracking progress. See Control Measures.

  2. Communicate the findings of the risk assessment to those who need to know: Provide Comprehensible and Relevant Information. See also Q&A Communicating the findings of a risk assessment.

Monitor and review your risk control measures

  1. Risk control measures must be monitored to ensure they are managing the risks effectively. Decide by whom, how and when this monitoring will take place and how and to whom it will be reported. See Process of Review.

  2. Your risk assessment must be reviewed when there is reason to believe it is no longer valid, an incident has occurred or there have been significant changes in work activities, equipment, processes, etc.

  3. If you produce a number of risk assessments, there should be a process in place to ensure these are appropriately recorded, stored, made available to relevant persons and subject to review on a regular basis.

Useful Qs&As

Competency in risk assessment: How do we ensure that the members of staff undertaking our risk assessments are competent?

“Suitable and sufficient” risk assessment: How do we ensure that our risk assessment meets the “suitable and sufficient” criteria?

Practicable risk control measures: How do we decide what is reasonably practicable when determining the necessary risk control measures to implement?

Communicating the findings of a risk assessment: How do we communicate the findings of our risk assessment to our staff?

Risk profiling: It has been suggested that we should be “risk profiling” the threats to our organisation.

Risk assessment for travel: It has been recommended that as part of the risk assessment process and subsequent control measures, we should be taking account of cultural issues when sending employees overseas.

Risk assessing immaturity: My company employs a number of people under the age of 18. I am aware of the need to carry out a risk assessment for young persons, taking into account their immaturity.

Useful features

These are just some of the many feature articles on Croner-i.

Risk assessment and competency: What does competency mean in the context of undertaking risk assessments?

Confined spaces and risk assessment: Each year in the UK, people die or are injured in confined spaces. Confined spaces must not be entered until a thorough and systematic risk assessment has been carried out.

RAMS: a symbiotic relationship: The intrinsic connection between risk assessments and method statements (RAMS) examined.

Risk assessment and leadership: Leadership is at the heart of good and successful management and this also applies to the process of risk assessment.

Risk assessment when planning roof work: One of the main causes of deaths and injuries at work each year is falling from height, particularly through or from roofs.

Risk assessment for effective asset maintenance: Tighter budgets are making it tricky to prioritise maintenance and meet legislative requirements, especially when it comes to the workplace. Try risk-based methodology to prioritise planned maintenance programmes.

Risk assessment and the provision of training: The provision of training is no different to any other work activity and must be risk assessed.

Risk assessment and lung disease: Work-related lung disease is a major issue in the UK and warrants special attention and emphasis during the risk assessment process.

Last reviewed 9 October 2018