
What is a risk assessment? A guide to UK workplace law

by Mark McShane, May 13, 2026 (10 min read)


A risk assessment is a careful look at what in your work could cause harm to people, and a documented decision about whether you've done enough to prevent it. UK law requires every employer to carry one out, and the standard each assessment must meet — "suitable and sufficient" — is set in the Management of Health and Safety at Work Regulations 1999.

That phrase does most of the work. It tells you what's expected without prescribing exactly how to get there: identify the hazards a reasonable person could anticipate, decide who could be harmed, evaluate whether your controls are adequate, write down what you find, and check the assessment when something changes. The detail of how you do that varies by industry and complexity, but the underlying duty is the same whether you run an office in Leeds or a roofing business in Cornwall.

This page is the starting point. It covers what an assessment is, why the law exists, who must carry one out, and how the work breaks down. The methodology pages and the vertical guides — fire, legionella, COSHH, manual handling and the rest — each sit downstream of the core concepts here.

Why the law requires risk assessments

The current framework comes from the early 1970s. Before the Health and Safety at Work etc. Act 1974, occupational safety in the UK was a patchwork of older Acts and Factories Inspectorate rules. The Robens Report in 1972 recommended bringing the whole system under a single framework with one regulator and one general duty: employers must protect the health, safety and welfare of their workers "so far as is reasonably practicable". That phrase is still the legal test today.

The 1974 Act is the parent legislation; it sets the duty but doesn't say how to meet it. The Management of Health and Safety at Work Regulations 1999 fill in the method. Regulation 3 is the one that matters for our purposes: every employer must make a suitable and sufficient assessment of the risks to workers and to anyone else affected by the work. Where the employer has five or more employees, the significant findings must be recorded.

The 1999 regulations implement an EU framework directive that set the floor for occupational safety law across the bloc. After Brexit they remain part of UK law, and the Health and Safety Executive — the regulator — continues to enforce them. The HSE's published statistics for 2024/25, which carry official statistics accreditation, record 1.9 million workers suffering from work-related ill health and 124 worker fatalities — figures that explain why the law exists and why "reasonably practicable" still carries weight in the courts.

Hazard, risk, and control measures

[Diagram: comparison of hazard, risk and control measure, using a trailing cable example]

Three terms appear on every risk assessment and trip up most beginners.

A hazard is anything with the potential to cause harm. A trailing extension lead, a hot pan, a kerb. The hazard exists regardless of whether anyone is exposed to it.

A risk is the chance that someone will actually be harmed by the hazard, combined with how serious the harm could be. A trailing lead in a locked cupboard is a hazard with negligible risk. The same lead across a busy corridor is a hazard with substantial risk.

A control measure is anything you put in place to reduce the risk. Tucking the lead behind the desk, fitting cable management, training staff to spot trip hazards, or — better still — eliminating the lead by adding a permanent socket.

The distinction matters because the law doesn't require you to eliminate hazards. It requires you to reduce the risk so far as is reasonably practicable — to balance the level of risk against the cost, time and effort of controlling it. A hazard you can't eliminate at sensible cost is fine if the residual risk is properly controlled and the controls actually work.

The five steps, at a glance

The HSE's recommended method has five stages. We cover the detail of each on our guide to the five steps of a risk assessment, but the outline is short enough to set out here.

Step one is to identify the hazards. Walk the workplace, talk to the people doing the work, look at accident records, think about non-routine tasks like cleaning and maintenance, and consider long-term health risks alongside acute injury risks.

Step two is to decide who might be harmed and how. Different people face different risks in the same workplace. Pregnant workers, young workers, lone workers, contractors, visitors and members of the public all need separate consideration.

Step three is to evaluate the risks and decide on precautions. Compare what you're already doing with what good practice looks like for the activity, and decide whether the gap requires action. This is where a risk assessment matrix often comes in — as a structured way of comparing severity and likelihood, not as a substitute for judgement.

Step four is to record the significant findings and put the controls into practice. If you have five or more employees the record is a legal requirement; even if you have fewer, writing it down protects you when something goes wrong.

Step five is to review and update. Assessments aren't one-off documents. They have to be revisited when something significant changes or when there's reason to believe they're no longer valid.

Who must carry out a risk assessment

The employer is responsible. That doesn't always mean the employer personally writes the assessment, but they carry the legal duty and they answer for any breach. Self-employed people have the same duty to themselves and to anyone affected by their work.

The person who actually carries out the assessment has to be "competent", which the regulations define as someone with the skills, knowledge, experience and training appropriate to the task. Competence is not the same as a particular qualification. An experienced site supervisor may be competent to assess routine construction hazards without holding a NEBOSH certificate; a NEBOSH-qualified consultant new to a specific industry may not be competent to assess its niche risks. We go into this in more detail on our page covering who can carry out a risk assessment.

For higher-risk activities, the courts and the HSE take a stricter line on competence. Fire risk assessment in multi-occupied residential buildings is one example; legionella risk assessment for complex healthcare water systems is another. In those contexts, the employer is expected to engage a specialist or to invest in proper Risk Assessment Training for in-house staff before relying on them.

Types of risk assessment

The general risk assessment under the 1999 regulations is the umbrella requirement. Several specific risks have their own regulations on top — each requiring its own assessment, each building on the same underlying method.

Fire risk assessment is required for almost all non-domestic premises under the Regulatory Reform (Fire Safety) Order 2005, as updated by the Fire Safety Act 2021 and the Building Safety Act 2022.

Legionella risk assessment sits under the Control of Substances Hazardous to Health Regulations 2002, supported by HSE Approved Code of Practice L8.

COSHH risk assessment covers hazardous substances generally — chemicals, dusts, fumes, biological agents — excluding asbestos, lead and ionising radiation which each have their own regulations.

Manual handling risk assessment is required under the Manual Handling Operations Regulations 1992, with the well-known TILE framework (Task, Individual, Load, Environment).

DSE risk assessment covers workstation set-up for anyone who uses a screen for an hour or more a day as a significant part of their work.

Stress risk assessment is built around the HSE Management Standards — six areas of work design where mismanagement reliably produces ill health.

Others include lone working, working at height, working from home, pregnancy, and young persons. Each is its own page; each plugs into the same five-step method.

A separate category — dynamic risk assessment — covers the on-the-spot judgement needed when conditions change faster than a written assessment can keep up with. It supplements the general assessment rather than replacing it, and it originated in the UK fire service.

How risks are scored

Most workplace risk assessments use some form of matrix to put a number on each hazard. A 5x5 grid with likelihood on one axis and severity on the other is the most common pattern in the UK. Multiply the two scores and you get a risk rating between 1 and 25, which most organisations colour-code as green, amber or red.

The matrix is a structured way of comparing risks against each other. It is not a precise calculation of harm. Two assessors looking at the same hazard will often score it differently, and a score of 12 isn't twice as serious as a score of 6 in any meaningful sense. The value of the matrix is consistency within an organisation — everyone using the same scoring conventions — not mathematical accuracy.

Some industries use 3x3 matrices for simpler operations; some major-hazard sectors use much more elaborate scoring tied to quantitative risk assessment methods. For most workplaces the 5x5 is a sensible default, and we cover its construction and limitations in detail on the risk assessment matrix page.
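As an added illustration of the scoring described above (example code, not part of the original post), the Python below models a 5x5 likelihood x severity matrix: it validates both scores against the 1..5 scale, multiplies them into a 1..25 rating, maps the rating to a colour band, and ranks a small risk register by initial and residual rating. The green/amber/red cut-offs, the Hazard fields and the sample register are this example's assumptions; the page gives no thresholds. The cells_with_rating helper shows why the number is a ranking aid rather than a measure of harm: a rare-but-serious (1, 4) and a frequent-but-trivial (4, 1) both score 4.

```python
from dataclasses import dataclass
from typing import Optional

MIN_SCORE, MAX_SCORE = 1, 5  # a 5x5 matrix: both axes are scored 1..5

# Assumed colour-banding thresholds. The page says most organisations
# colour-code ratings green/amber/red but gives no cut-offs, so these are this
# example's convention; replace them with your own and apply them consistently.
BANDS = (
    (1, 4, "green"),
    (5, 12, "amber"),
    (13, 25, "red"),
)


def _check_score(name: str, value: int) -> None:
    """Reject anything outside the 1..5 scale so a typo cannot silently skew the register."""
    if isinstance(value, bool) or not isinstance(value, int) or not MIN_SCORE <= value <= MAX_SCORE:
        raise ValueError(f"{name} must be an integer from {MIN_SCORE} to {MAX_SCORE}, got {value!r}")


def risk_rating(likelihood: int, severity: int) -> int:
    """Likelihood x severity, giving a rating from 1 to 25."""
    _check_score("likelihood", likelihood)
    _check_score("severity", severity)
    return likelihood * severity


def risk_band(rating: int) -> str:
    """Map a rating onto the organisation's colour band."""
    for low, high, colour in BANDS:
        if low <= rating <= high:
            return colour
    raise ValueError(f"rating {rating} is outside the 1..25 range of a 5x5 matrix")


def cells_with_rating(rating: int) -> list:
    """All (likelihood, severity) cells that produce the same rating.

    Several different situations collapse onto one number, which is why the
    rating is only an ordering device and not a quantity of harm.
    """
    return [
        (lik, sev)
        for lik in range(MIN_SCORE, MAX_SCORE + 1)
        for sev in range(MIN_SCORE, MAX_SCORE + 1)
        if lik * sev == rating
    ]


@dataclass
class Hazard:
    """One line of a risk register: initial score, and residual score once controls apply."""
    hazard: str
    who: str
    likelihood: int
    severity: int
    control: str = ""
    residual_likelihood: Optional[int] = None
    residual_severity: Optional[int] = None

    def initial_rating(self) -> int:
        return risk_rating(self.likelihood, self.severity)

    def residual_rating(self) -> int:
        # With no control recorded, the residual risk is simply the initial risk.
        if self.residual_likelihood is None or self.residual_severity is None:
            return self.initial_rating()
        return risk_rating(self.residual_likelihood, self.residual_severity)


# Constructed sample register, using the everyday hazards mentioned on the page.
SAMPLE_REGISTER = [
    Hazard("Trailing extension lead across corridor", "staff and visitors", 4, 3,
           "Permanent socket fitted; lead removed", 1, 3),
    Hazard("Hot pan on kitchenette hob", "staff using kitchenette", 2, 3,
           "Induction hob with auto cut-off; handles turned inward", 1, 3),
    Hazard("Uneven kerb at delivery entrance", "delivery drivers, contractors", 3, 2),
]


def rank_register(register: list) -> list:
    """Order hazards by initial rating, highest first, with initial and residual bands."""
    rows = [
        (h.hazard, h.initial_rating(), risk_band(h.initial_rating()),
         h.residual_rating(), risk_band(h.residual_rating()))
        for h in register
    ]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def needs_further_action(register: list) -> list:
    """Hazards whose residual rating still sits above the green band."""
    return [h.hazard for h in register if risk_band(h.residual_rating()) != "green"]


if __name__ == "__main__":
    for row in rank_register(SAMPLE_REGISTER):
        print(row)
    print("further action:", needs_further_action(SAMPLE_REGISTER))
    print("cells scoring 4:", cells_with_rating(4))
```

Run it as a script to print the ranked register; the kerb, which has no control recorded, is the only line left above green. Because sorted() is stable, hazards with equal ratings keep their register order, so ties are not silently reordered by the tool.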

Recording, reviewing and revising

The 1999 regulations require a written record of significant findings when the employer has five or more workers. "Significant findings" means the hazards identified, who is at risk, the controls in place, and any further action needed — not a verbatim transcription of everything considered.

There is no fixed legal review period. The duty under regulation 3 is to review the assessment when there is reason to suspect it is no longer valid, or when significant change has taken place. Significant change includes new equipment, a new process, a new workplace layout, a new member of staff in a different role, an accident or near-miss, a change to the regulations, or simply the passage of enough time that conditions have drifted.

Many organisations land on an annual cycle as good practice. That isn't a legal requirement, but it's a sensible default. Higher-risk activities — especially anything involving fire, legionella, hazardous substances or working at height — warrant more frequent review. We cover the triggers and the typical cadence on our page covering how often a risk assessment should be reviewed.

Common mistakes

The five errors below account for most of the assessments that get challenged in inspections and civil claims.

Treating the assessment as paperwork

The legal duty is to control the risk in practice. A perfectly drafted document with controls that nobody actually applies is worse than useless — it documents the employer's knowledge of the hazard.

Generic templates without site-specific detail

A downloaded "office risk assessment" template is a starting point, not a complete assessment. The 1999 regulations require the assessment to be suitable and sufficient for your workplace, not for offices in general.

Confusing hazard and risk

Listing every possible hazard without thinking about who is actually exposed produces bloated, unreadable documents. The assessment should focus on the hazards that pose a real risk to real people doing real work.

Not consulting the workforce

The people doing the work usually know where the risks sit. An assessment carried out without them tends to miss the practical issues that drive accidents.

Failing to review

An assessment from three years ago describing the old layout, the old equipment and people who no longer work there isn't a current assessment. Reviewing routinely is cheaper than defending a stale one after an incident.

Where this leads

A risk assessment isn't a one-off exercise; it's a way of working. The methodology is the same across every industry and every type of risk — what changes is the technical detail of the hazards and the controls. The vertical pages on this site cover that detail. The methodology pages cover the underlying technique. The two FAQ pages cover the most-asked questions about competence and review frequency.

If you or your team need to build the competence to carry out assessments yourselves, our Risk Assessment Training courses cover the full HSE method and lead to a recognised certificate.

Frequently asked questions

What is the legal definition of a risk assessment in the UK?

There isn't a single statutory definition. The Management of Health and Safety at Work Regulations 1999 require employers to make a "suitable and sufficient" assessment of the risks to workers and others affected by the work. The HSE's plain-English version is that an assessment is a careful examination of what could cause harm so the employer can decide whether enough has been done to prevent it.

Who is legally required to carry out a risk assessment?

Every employer, and every self-employed person whose work could affect themselves or others. The employer remains legally responsible even if the assessment is carried out by an external consultant.

Do I have to write the assessment down?

If you have five or more employees, yes — the significant findings must be recorded. If you have fewer, the assessment is still required but doesn't have to be written. Writing it down is sensible regardless, because it's the only practical way to demonstrate compliance if anything goes wrong.

What is the difference between a hazard and a risk?

A hazard is anything with the potential to cause harm. A risk is the chance that someone will actually be harmed by the hazard, combined with how serious that harm could be. Removing the hazard removes the risk; reducing exposure or adding controls reduces the risk without removing the hazard.

What does "reasonably practicable" mean?

It's the legal standard for how far an employer must go to control a risk. The level of risk has to be balanced against the cost, time and trouble of controlling it. A high risk justifies significant investment in controls; a trivial risk may not. The phrase has been interpreted by the courts repeatedly since the 1949 case Edwards v National Coal Board and remains the standard test.
