%201.svg)
The short legal answer is that there is no fixed review period for a UK risk assessment. The Management of Health and Safety at Work Regulations 1999 require the assessment to be reviewed when there's reason to suspect it's no longer valid, or where significant change has taken place in the work to which it relates. Both triggers are event-driven, not calendar-driven.
Online guidance on this topic is full of confident assertions that risk assessments should be reviewed annually, every two years, or at some other fixed interval. These are conventions adopted by individual employers or industry bodies — not legal requirements. The actual legal position is more flexible than that, and understanding it properly is the difference between a routine compliance exercise and a useful safety management practice.
Why there's no annual requirement
Regulation 3 of the Management of Health and Safety at Work Regulations 1999 sets out the review duty. Subsection (3) requires the employer to review the assessment if there is reason to suspect that it's no longer valid, or there's been a significant change in the matters to which it relates. The regulation doesn't specify a time interval, and the absence isn't an oversight — workplaces vary so much in their rate of change that a single statutory interval wouldn't make sense.
A small office that hasn't changed its layout, staff, equipment or work pattern in two years probably doesn't need a fundamentally new assessment. A construction site changes substantially every few weeks and needs continuous review. A hospital ward sits in between. Tying the duty to a calendar would be either over-prescriptive for the static workplace or under-prescriptive for the dynamic one.
The HSE has been consistent on this. Its published guidance — including the managing risks pages on its website — refers to "regular" review without specifying a fixed interval, and lists the substantive triggers that should drive review.
The five review triggers
In practice, five triggers should prompt review of any risk assessment.
Significant change in the work, the workplace or the workforce
New equipment, new processes, new materials, new layouts, new shift patterns, the introduction of a substantial new product line, a major refurbishment, a change in management arrangements. Any change that materially affects what people do, how they do it, or where they do it triggers review of the relevant assessment.
Reason to suspect the assessment is no longer valid
This is broader than significant change. It covers situations where the assessment hasn't been formally invalidated but evidence suggests it may not be working — controls that look good on paper but aren't being followed in practice, hazards identified but not visibly addressed, worker concerns that aren't reflected in the document.
Incident or near-miss
Any reportable injury, near-miss, occupational ill-health case or dangerous occurrence on premises covered by the assessment should prompt review of the relevant section. The incident itself is evidence that the assessment didn't anticipate something — and the question is what needs to change to prevent recurrence.
Monitoring results indicating the controls aren't working
Some assessments include ongoing monitoring — air quality measurements for COSHH, temperature monitoring for legionella, absence patterns for stress, inspection records for working at height equipment. Where monitoring shows that controls aren't achieving the expected outcomes, the underlying assessment needs revisiting.
Time elapsed since the last review, considered as good practice
This isn't a legal requirement but it's a sensible default. Most organisations land on an annual cycle for full review, with more frequent review for higher-risk activities. The cycle catches drift — small gradual changes that don't individually trigger a formal review but cumulatively make the assessment less suitable than it was.
Vertical-specific timelines
Different verticals attract different practical review cadences. None of these are legal requirements; they're the typical patterns we see in well-run organisations.
Fire risk assessment is typically reviewed annually in lower-risk premises and more frequently — sometimes six-monthly — in higher-risk residential buildings. The post-Grenfell regulatory environment has tightened expectations, and the responsible person's duty to keep the assessment "up to date" under the Fire Safety Order is interpreted in practice as requiring active review, not just dated documentation.
Legionella risk assessment is reviewed when the water system or its usage changes. Many landlords and managing agents adopt a two-year cycle as good practice; some sources cite this as a legal requirement, but it isn't — ACOP L8 is clear that review is event-driven. Operational tasks within the written scheme of control (temperature monitoring, showerhead cleaning) run on shorter cycles, but those are operational frequencies, not review intervals for the assessment.
COSHH assessments are reviewed when substances change, processes change, monitoring suggests controls aren't working, or workplace exposure limits in EH40 are updated. Annual review is good practice for most chemical-handling workplaces.
DSE assessments are reviewed when the workstation changes, the user changes, the work changes substantially, or the user reports discomfort. For stable office workstations a two-year refresh is the typical practice; for home workstations more frequent review is appropriate.
Manual handling is reviewed when tasks change, new equipment is introduced, or there's evidence of musculoskeletal disorder among the workforce.
Stress risk assessment organisational reviews are typically annual, often tied to a structured Indicator Tool survey. Individual stress assessments are revisited on a much tighter cycle — weeks or months — because the situation is specific to the worker.
Working at height assessments for routine maintenance are reviewed annually; project-specific assessments within construction work change as the project progresses.
Documenting a review
A review doesn't have to be a full rewrite. The most common form is a quick check that confirms nothing material has changed, updated by the reviewer, with the next review date set.
A useful pattern for documenting a "no significant change" review is something like:
"Reviewed [date] by [name and role]. No significant changes to work, workplace, workforce or controls since last review. No reported incidents. Assessment remains valid. Next review by [date]."
That's it. Three sentences. A signed and dated review of an unchanged assessment is a valid review under regulation 3.
A review that identifies needed changes generates an updated version of the assessment. The change log — what changed, why, when, by whom — is part of the documentation. The previous version isn't deleted; it's archived with the date of supersession.
Where the assessment is in a digital system, the system typically captures these elements automatically. Where it's a paper or document-based assessment, the review record needs to be deliberate.
Why "annual review" became the default
The annual cycle has become near-universal in UK workplaces despite not being a legal requirement. Three reasons account for the pattern.
Insurance and compliance audits typically expect to see assessments dated within the last twelve months. An assessment older than that draws scrutiny. The annual cycle is partly a defensive posture to satisfy those checks.
Many specific health and safety duties run on annual or shorter cycles — annual fire alarm testing, annual workplace inspections, periodic equipment examinations. Aligning the risk assessment review with these other annual activities is administratively efficient.
Drift accumulates. Even in stable workplaces, small changes occur — staff turn over, equipment is added or replaced, layouts shift, new materials are introduced. An annual review forces a fresh look that catches the cumulative effect of these changes.
For most UK employers, the right pattern is: an annual full review of every assessment, plus event-driven review whenever a trigger occurs. The annual cycle catches drift; the trigger-driven review catches significant change. Together they satisfy regulation 3 properly.
Where this connects in the cluster
The review duty connects every vertical. Different categories of risk attract different practical cadences, but the underlying legal framework is the same regulation 3 duty — covered in our introduction to risk assessment and applied across the cluster.
The competence to recognise when an assessment needs review is itself part of the competent person's role. The same competence framework covered on our who can carry out a risk assessment page applies — the assessor doesn't just write the assessment, they maintain it.
For organisations building in-house competence in maintaining assessments routinely — rather than commissioning fresh external work each year — formal Risk Assessment Training covers both the initial assessment method and the ongoing maintenance discipline.
Frequently asked questions
Is there a legal requirement to review a risk assessment every 12 months?
No. The Management of Health and Safety at Work Regulations 1999 require review when there's reason to suspect the assessment is no longer valid, or when significant change has taken place. Annual review is widely adopted as good practice, but it's not a legal requirement.
What counts as a significant change requiring review?
New equipment, new processes, new materials, new layouts, new shift patterns, new staff in different roles, a change of premises, regulatory change affecting the activity, an incident or near-miss, or any other change that materially affects what people do or how they do it. The test is whether the change is likely to alter the hazards, the people at risk, or the adequacy of the controls.
Do I need to redo the whole assessment or can I just review it?
A review can be a quick check that confirms nothing has changed and updates the review date. A formal rewrite is only needed when something has changed enough to require it. For most stable workplaces, periodic light-touch reviews are sufficient, with full rewrites triggered by significant change.
What's the maximum gap between reviews under UK law?
There is no statutory maximum. The legal duty is event-driven, not interval-driven. Long gaps without review are defensible in stable workplaces with no significant change; they're harder to defend in workplaces where change has occurred or where an incident reveals the assessment hadn't kept pace.
How often should a fire risk assessment be reviewed?
There's no fixed legal period under the Regulatory Reform (Fire Safety) Order 2005. The responsible person must keep the assessment up to date. Annual review is common practice; higher-risk premises — particularly multi-occupied residential buildings — often warrant more frequent review. See our fire risk assessment page for the post-Grenfell legislative changes that affect this.
Is there a two-year review requirement for legionella?
No. Some commercial sources and online guides cite "every two years" as a legal requirement for legionella risk assessment review. This is convention, not law. ACOP L8 requires review when there's reason to suspect the assessment is no longer valid or when the system has changed.
