The five steps to risk assessment is the method the Health and Safety Executive recommends for working out what could cause harm at your workplace and what to do about it. It's the framework that sits behind almost every written assessment in the UK, regardless of industry, and it underpins the more specific procedures used for fire, legionella, COSHH, manual handling and other risks.
A note on the name. The HSE published its original Five Steps to Risk Assessment leaflet (INDG163) in 1994 and updated it through three revisions. In August 2014 the leaflet was renamed Risk assessment: A brief guide to controlling risks in the workplace. The method itself didn't change, but the HSE deliberately moved away from presenting the five steps as a branded process. Plenty of competitor sites still cite the old title; we mention it here so you know what's the same and what isn't.
This page walks through each step, explains where most assessments fall short, and uses an office worked example to tie it together. For the broader picture of what a risk assessment is and why the law requires one, see our introduction to risk assessment.

Step 1: Identify the hazards
The first step is to work out what in your workplace could cause harm. A hazard is anything with the potential to harm someone — physical, chemical, biological, ergonomic or psychosocial.
The mistake most assessments make at this step is to start with a generic list and tick off the items that apply. That produces a document, but not a useful one. The better approach is to look at the work as it's actually done and think about how someone could be hurt.
Three methods work well in combination.
A walkthrough — physically walking the workplace and noting what you see. Cables across walkways, missing guards on equipment, blocked fire exits, unsafe storage. Take photographs.
Worker consultation — the people doing the work usually know where the near-misses happen. Ask them. They have information the walkthrough won't reveal.
Records review — accident books, near-miss reports, sickness absence patterns, RIDDOR submissions if you've made any, occupational health referrals. Past incidents indicate hazards that have already caused harm.
Don't forget the less obvious. Non-routine activities like maintenance, cleaning, or annual deep-cleans typically produce more accidents per hour than routine work because the controls developed for the routine aren't in place. Long-term health hazards — noise, vibration, dust, repetitive movement, work-related stress — cause more harm in total than the dramatic single events that dominate accident reports.
Step 2: Decide who might be harmed and how
For each hazard, think about who could actually be hurt by it. The "who" matters because different groups need different protection — and missing a group is one of the most common failures.
The obvious group is your own employees. Within that, certain workers need particular attention: new and inexperienced staff who don't yet know the workplace, pregnant workers, young workers whose physical and risk-perception development isn't complete, lone workers who don't have the safety net of colleagues nearby, and workers with disabilities or health conditions that affect their exposure.
Beyond your employees, consider contractors, agency workers, visitors, customers, members of the public near the premises, delivery drivers, and anyone else who might be present. The duty in the Health and Safety at Work etc. Act 1974 extends to "people who are not your employees but who may be affected by your work" — which is broader than most people realise.
The "how" is equally important. Specify the actual harm mechanism, not just "could get hurt". "Slipping on a wet floor and falling onto the concrete steps" is useful. "Slips, trips and falls" is generic and doesn't help anyone decide on controls.
Step 3: Evaluate the risks and decide on precautions
Once you've identified the hazards and who's at risk, you have to decide whether what you're already doing is enough. The legal test is "reasonably practicable" — you have to do everything sensible to reduce the risk, but you're not expected to eliminate every conceivable danger regardless of cost.
This is where most workplaces use a risk assessment matrix — a 5x5 grid that combines likelihood with severity to give a risk score and a corresponding action priority. The matrix isn't legally required, but it brings consistency to decisions that would otherwise be made by feel.
The bigger decision at this step is which controls to apply. The hierarchy of control sets the order. It's not a suggestion; it's an expectation built into the regulations.
Eliminate the hazard if you can. Don't use the chemical. Don't work at height. Don't have the trailing lead. Elimination is the most effective control because it removes the risk entirely.
Substitute with something less hazardous. A water-based paint instead of a solvent-based one. A platform stepladder instead of an extension ladder. A trolley instead of carrying.
Engineering controls physically separate people from the hazard. Machine guards, local exhaust ventilation, edge protection, soundproofing, automation.
Administrative controls change how people work — training, procedures, permit-to-work systems, signage, supervision, job rotation to reduce exposure time.
PPE comes last. Personal protective equipment depends on the user wearing it correctly, on it being maintained, and on it actually being suitable for the hazard. It only protects the wearer. And it's the least reliable control because all the previous options have addressed the hazard itself; PPE only manages the consequences.
PPE isn't bad — sometimes it's necessary. But assessments that jump straight to "wear safety glasses" without considering whether the eye hazard could be engineered out are working at the wrong end of the hierarchy.
Step 4: Record your findings and implement them
If you employ five or more people the Management of Health and Safety at Work Regulations 1999 require you to record the significant findings of the assessment in writing. Significant findings means the hazards identified, who's at risk, the controls in place, and the further action needed — not a verbatim record of everything that crossed your mind.
The HSE publishes a free assessment template covering the common columns: hazard, who might be harmed and how, what you're already doing, what further action you need to take, who's going to do it, and by when. You don't have to use that exact form — any structure that captures the same information works — but it's a sensible starting point. We cover what completed assessments look like in our page on risk assessment examples.
Implementation is where assessments most often die. The document gets filed, the actions get assigned, and nothing happens. The discipline that distinguishes good safety management from box-ticking is the routine follow-through on the action column — checking that the new guard was fitted, that the training was delivered, that the SOP was updated, by the date promised.
Step 5: Review your assessment and update if necessary
The assessment isn't a one-off document. Regulation 3 of the 1999 regulations requires it to be reviewed when there's reason to believe it's no longer valid, or when significant change has taken place. We cover this in detail on our page on how often a risk assessment should be reviewed, but the triggers are: new equipment, new processes, new staff, layout changes, accidents or near-misses, regulatory changes, and the passage of time.
There's no statutory annual review requirement. An annual cycle is widely adopted as good practice and it's a sensible default, but the legal duty is event-driven. A risk assessment that hasn't been touched in three years isn't necessarily out of compliance — what matters is whether anything significant has changed.
A review is not always a full rewrite. Often it's a quick check that confirms nothing material has changed and updates the review date. That's a valid review and worth recording.
The hierarchy of control, expanded

The hierarchy of control deserves more than a single paragraph because it's the most frequently misapplied principle in workplace safety.
The reason engineering controls beat administrative controls is that they don't depend on people remembering to do something. A machine guard works whether the operator is tired, distracted or new. A safe operating procedure only works if the operator follows it, which depends on training, supervision and culture.
The reason PPE is last is sharper still. PPE depends on three things being right simultaneously: the equipment being correct for the hazard, the user wearing it properly, and the user wearing it every time. Any of those failing means the worker is exposed.
Take respiratory protection as an example. A worker exposed to silica dust on a construction site can be protected by water suppression at the cutting tool (engineering), by a job rotation that limits exposure time (administrative), or by an FFP3 mask (PPE). The water suppression works the moment the saw is running. The job rotation works if it's actually enforced. The mask works if it fits the worker's face, if they wore it for the whole cut, and if it was properly fit-tested at the start of the shift. The water suppression is more reliable than the mask not because masks are bad but because masks have more failure modes.
Good assessments work down the hierarchy in order and document why each higher tier was rejected before reaching PPE. Assessments that jump straight to PPE typically can't defend that choice in an inspection or a civil claim.
Worked example: a small open-plan office

Consider a small accountancy practice with eight staff in an open-plan office. The general risk assessment runs through the five steps.
Hazards identified: trailing cables under desks; an emergency exit partially blocked by stored archive boxes; a kettle without a fixed base on a worktop near the printer; one workstation positioned directly under a ceiling air-con vent; manual handling of archive boxes onto a high shelf during year-end; work-related stress around the January/February tax-return season; a glass-fronted reception door that doesn't have manifestation.
Who might be harmed and how: staff (slips/trips, electric shock, scalds, neck/back from cold draught, musculoskeletal injury from lifting, stress-related ill health), visitors (slips/trips, walking into the door), the cleaner (lifting, cables), a contractor occasionally on site (all of the above).
Evaluation and precautions: the cables are an engineering fix — cable tidies and surge-protected sockets. The blocked exit is administrative — the boxes are moved to a dedicated archive cupboard and the route is checked weekly. The kettle is replaced with one that has a fixed base (substitution). The air-con vent is redirected with a deflector. The archive lift is engineered out by moving the boxes onto a lower shelf and committing to box weights below 12 kg. The stress risk is addressed through the HSE Management Standards — workload conversations in November, contractor cover for the January peak. The door is fitted with manifestation strips.
Recording: the seven hazards are entered on the HSE template with current controls and further actions, with owners and deadlines. The completed document is two pages.
Review: scheduled annually, with an explicit trigger to reassess before the January tax-return season each year, after any office move, and after any accident or near-miss.
The whole exercise takes about half a working day for an experienced assessor. It produces a defensible document and — more importantly — identifies actions that genuinely reduce the risk.
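To show how the Step 3 matrix and the hierarchy-of-control check in "The hierarchy of control, expanded" can be applied to a register like the one above, here is an added Python illustration. It is not the HSE's or this page's own code; the priority-band thresholds, the likelihood and severity scores, and the silica entry are assumptions constructed for the example.

```python
"""Added illustration, not the HSE's or the page's code: a small risk register
that scores hazards on the 5x5 likelihood x severity matrix and flags entries
resting on PPE alone with no record of why higher tiers were rejected."""
from dataclasses import dataclass, field

# Hierarchy of control, most to least effective (as on the page).
TIERS = ["eliminate", "substitute", "engineering", "administrative", "ppe"]
# Assumed priority bands; the page gives no thresholds for its 5x5 grid.
BANDS = [(15, "high"), (8, "medium"), (1, "low")]


def score(likelihood: int, severity: int) -> tuple:
    """Return (likelihood x severity, priority band) for a 5x5 matrix."""
    if not (1 <= likelihood <= 5 and 1 <= severity <= 5):
        raise ValueError("likelihood and severity must be 1..5")
    value = likelihood * severity
    return value, next(name for floor, name in BANDS if value >= floor)


@dataclass
class Hazard:
    name: str
    who_and_how: str
    likelihood: int
    severity: int
    controls: dict = field(default_factory=dict)  # tier -> control in place
    rejected: dict = field(default_factory=dict)  # higher tier -> why not


def findings(h: Hazard) -> list:
    """Defects that would make the entry hard to defend at inspection."""
    tiers = [t for t in h.controls if t in TIERS]
    if not tiers:
        return [f"{h.name}: no recognised control recorded"]
    best = TIERS[min(TIERS.index(t) for t in tiers)]
    if best != "ppe":
        return []
    # PPE only: each higher tier needs a documented reason for rejection.
    return [f"{h.name}: '{t}' not considered before PPE"
            for t in TIERS[:-1] if t not in h.rejected]


# Constructed register: two office-example entries and one PPE-only case;
# the likelihood/severity scores are assumptions.
REGISTER = [
    Hazard("trailing cables", "staff, cleaner: trip, shock", 3, 3,
           {"engineering": "cable tidies, surge-protected sockets"}),
    Hazard("archive box lift", "staff: back injury", 3, 4,
           {"eliminate": "boxes moved to a low shelf, under 12 kg"}),
    Hazard("silica dust", "operative: lung disease", 4, 5, {"ppe": "FFP3 mask"}),
]
```

Running `findings` over `REGISTER` passes the two office entries and reports four missing tier justifications for the PPE-only silica entry, which is exactly the gap an inspector would probe.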
A note on training and competence
The person carrying out the assessment has to be competent for the task. Competence is the combination of skills, knowledge, experience and training appropriate to the complexity of the work being assessed. For a small office, an experienced manager with the HSE guidance to hand is usually competent. For a construction site, a manufacturing facility or any premises with high-risk activities, the bar is much higher and external expertise or formal qualifications are often required.
Our Risk Assessment Training courses cover the full five-step methodology, the hierarchy of control, and the documentation practice. The qualification provides a defensible baseline of competence for staff who carry out general workplace assessments.
Frequently asked questions
Is the five-step risk assessment still the current HSE method?
Yes. The HSE retitled its INDG163 publication in 2014 to Risk assessment: A brief guide to controlling risks in the workplace, but the underlying five-step approach is still what's used and still what's taught. The rename was a presentational change, not a methodological one.
What if I have fewer than five employees?
You still have to carry out a risk assessment. The five-employee threshold in the Management of Health and Safety at Work Regulations 1999 applies only to the requirement to record significant findings in writing. With fewer than five employees the assessment is still legally required — writing it down is just a strong recommendation rather than a strict obligation.
What does "suitable and sufficient" mean?
It's the legal standard for the assessment, set out in regulation 3 of the 1999 regulations. The assessment must identify the significant risks arising from the work, be appropriate to the nature of the work, and account for any specific groups of workers who are particularly at risk. The HSE has explicitly said that a suitable and sufficient assessment doesn't have to be perfect, but it does have to be proportionate to the level of risk.
How long does a typical risk assessment take?
For a small low-risk workplace, half a day to a day for an experienced assessor. For a construction site, a manufacturing facility or a complex premises with multiple activities, considerably longer — and often the work is broken into separate assessments for each major activity. The time isn't the metric that matters; the quality of the controls and the documentation is.