When are risk assessments legally required?

Almost every employer and many building operators in Great Britain must assess health and safety risk. The starting point is the Health and Safety at Work etc. Act 1974: section 2 requires employers to ensure, so far as is reasonably practicable, the health, safety and welfare of their employees, and section 3 extends a similar duty to others who may be affected by the work. Regulation 3 of the Management of Health and Safety at Work Regulations 1999 ("the Management Regulations") turns those duties into a clear process: assess the risks, put controls in place, and keep the assessment under review.

There is no "under five staff so you are exempt" rule for assessing risk. What changes with size is mainly the writing-it-down rule: if the organisation employs five or more people, the significant findings of the general risk assessment must be recorded (regulation 3(6)). An organisation with fewer than five employees must still assess and control risk; the findings simply do not have to be written down unless another regulation requires it.

On top of the general assessment, specific regulations require their own assessments where those hazards exist. The most common examples for non-domestic premises are set out below. Missing a specialist assessment when the hazard is present is one of the fastest ways to fail an audit, even when a good general risk assessment exists.

  • General workplace risks (slips, trips, machinery, lone working, violence, stress): Management Regulations 1999.
  • Fire: Regulatory Reform (Fire Safety) Order 2005 in England and Wales (Scotland has its own fire safety legislation). The duty sits with the "responsible person", who is not always the employer. See the fire risk assessment guide.
  • Asbestos in non-domestic premises: Control of Asbestos Regulations 2012, regulation 4 (the duty to manage).
  • Water systems / legionella: the duty to assess and control the risk arises under the 1974 Act and COSHH wherever artificial water systems exist; HSE's Approved Code of Practice L8 sets out what is expected.
  • Hazardous substances: Control of Substances Hazardous to Health Regulations 2002 (COSHH assessment).
  • Manual handling, noise, vibration, DSE: separate regulations where those exposures exist.
  • Work at height, confined spaces, lifting: additional regimes when those activities are carried out.

What needs to be risk assessed?

The Management Regulations require assessment of risks to employees and risks to non-employees affected by the conduct of the undertaking (for example visitors, contractors, neighbours, and in some settings tenants or pupils). The assessment should cover normal work, foreseeable maintenance, cleaning, deliveries, and reasonable maloperation (someone using equipment in a way that could reasonably be predicted).

Scope the assessment by activity and place, not by job title alone. A useful approach:

  1. List the areas you control (floors, yards, plant rooms, vehicles, homeworking where relevant).
  2. For each area, list the main tasks (production, storage, office work, maintenance, out-of-hours security).
  3. For each task, identify what could cause harm (hazard), who could be harmed, and how serious it could be before controls.
  4. Separate "everyday" hazards from those that need a specialist assessment (fire strategy, asbestos register, legionella scheme, COSHH data sheets).

You do not need to assess trivial risks, where the outcome is negligible and the controls are obvious; HSE's guidance says such risks can usually be ignored. You do need to assess anything where harm is reasonably foreseeable and the control is not already clearly adequate. When in doubt, include it and document why the residual risk is low.

The five steps (HSE method)

HSE's five steps to risk assessment map directly onto regulation 3. They are the structure most auditors recognise.

  1. Identify the hazards. Something with the potential to cause harm: moving vehicles, chemicals, work at height, repetitive tasks, poor lighting, aggressive behaviour from the public, and so on. Walk the site, talk to staff, read accident records and near-miss reports, check manufacturers' instructions.
  2. Decide who might be harmed and how. Employees, agency staff, cleaners, contractors, visitors, young or pregnant workers, lone workers, members of the public. Be specific about groups at higher risk, not just "all staff".
  3. Evaluate the risks and decide on precautions. Consider likelihood and severity before controls, then what is already in place. Apply the hierarchy: eliminate the hazard where possible, then substitute, engineer controls, administrative controls, and finally personal protective equipment (PPE) as the last resort.
  4. Record your significant findings. If five or more people are employed, the significant findings of the general assessment must be written down. Record the hazards that need action, the controls already in place, and the further measures required.
  5. Review the assessment and update if necessary. See the review section below. An assessment that never changes will be questioned at audit.

Many in-house assessors add a risk matrix (likelihood x severity) to prioritise actions. That is good practice, not a legal requirement. What matters is that priorities are understandable and actions are owned.

How to do it in practice

A workable sequence for a first assessment or a full refresh:

1. Define scope and gather information

Confirm which buildings, floors and activities are included. Collect layout plans, equipment lists, substance inventories, maintenance contracts, training records, RIDDOR history, and any existing specialist reports (fire, asbestos, legionella).

2. Walk the site with the people who do the work

Desk-based assessments miss most of what enforcers challenge. A walk-round with a supervisor or safety representative surfaces informal practices, blocked routes, and equipment that is not on the asset register.

3. Work hazard by hazard, not as page filler

Avoid generic libraries copied from the internet ("manual handling: medium risk" on every line). Each entry should say what was seen, who is affected, what control exists, and what still needs doing.

4. Assign actions with owners and dates

An assessment without a clear action list pushes liability back onto the reader. "Install guarding on conveyor 2 by 30 June, owner: engineering manager" is auditable. "Consider improving guarding" is not.

5. Sign off and communicate

Employees must be given comprehensible information on the risks and the measures in place (regulation 10 of the Management Regulations). Briefings, induction packs, and posters at the point of risk all count, provided they match what the assessment actually says.

What to write down

A defensible general risk assessment record typically includes:

  • Scope (site, date, assessor name, who was consulted).
  • A hazard-by-hazard or activity-by-activity breakdown with existing controls noted.
  • Significant findings: what could cause serious harm if nothing more were done.
  • An action table: description, owner, target date, status.
  • Confirmation that employees were informed (or how they will be).
  • Next review date or trigger for earlier review.

Keep specialist assessments as separate documents (fire, asbestos, legionella) but cross-reference them in the general assessment so an auditor can see the full picture in one place. Once paper files become unmanageable, many responsible persons move to a compliance management system that holds documents, review dates and open actions in one place.

When to review

Regulation 3(3) of the Management Regulations requires review when:

  • There is reason to suspect the assessment is no longer valid, or
  • There has been a significant change in the matters to which it relates (premises, plant, substances, processes, staffing, or after a serious incident or enforcement notice).

There is no statutory "every twelve months" rule for the general assessment, unlike some examination regimes (the periodic thorough examination of lifting equipment under LOLER, for example, has fixed intervals). In practice, annual review is a sensible default for most workplaces. Review sooner when:

  • New equipment, chemicals, or layout changes are introduced.
  • A notifiable accident or dangerous occurrence occurs (see RIDDOR).
  • Enforcement or insurer inspection identifies gaps.
  • Staffing changes materially (large recruitment, lone working introduced, night shift added).
  • A specialist report (fire, asbestos, legionella) is updated.

Record the review itself: date, reviewer, summary of changes (or "no change required"), and the next review date. A one-page review note signed and filed is enough for many sites.

Consultant assessment or in-house?

Many organisations use both. A health and safety consultant may produce the formal general risk assessment and topic-specific reports (fire, asbestos). The in-house team then runs the management system: inspections, training, maintenance, and closing actions.

Use a consultant when hazards are complex, the building is multi-occupied residential, asbestos may be present, or the organisation lacks internal competence. Assess in-house for straightforward activities (offices, retail, light warehousing) where staff know the work and controls are stable.

The legal duty does not transfer to the consultant. The employer or responsible person must still implement findings, monitor contractors, and keep records current. Contracts should state that the consultant is advising, not assuming statutory duties.

Common mistakes

  1. One generic document for every site. Each premises needs its own assessment scoped to layout and activity.
  2. No action list. Narrative without owners and dates is hard to enforce and hard to insure.
  3. Forgetting non-employees. Contractors, visitors and neighbours are in scope.
  4. Treating the fire risk assessment as optional. It is a separate legal duty for most non-domestic premises.
  5. Never reviewing. An assessment dated years ago with no review trail is treated as out of date.
  6. Raising actions that are tracked nowhere. Findings sit in a PDF that nobody looks at until the next audit.

Frequently asked

When is a risk assessment legally required in the UK?

Every employer in Great Britain must assess health and safety risks under the Management of Health and Safety at Work Regulations 1999. Separate regulations also require specific assessments for fire, asbestos, hazardous substances (COSHH), display screen equipment, manual handling, noise, vibration and other topics where those hazards exist. If five or more people are employed, the significant findings of the general risk assessment must be written down.

How often should a risk assessment be reviewed?

Review when there is reason to suspect the assessment is no longer valid, or after a significant change to premises, plant, substances, processes or staffing. Annual review is a common default. Record the review even when nothing changed.

Can I do a risk assessment myself?

Yes, if there is enough competence for the hazards involved. Simple premises are often assessed in-house. Complex fire, asbestos or construction risks normally need a specialist. The legal duty stays with the employer or responsible person.

What is the difference between a general and a specific risk assessment?

The general assessment covers everyday workplace risks under the Management Regulations. Specific assessments are required by other laws for particular hazards (fire, legionella, COSHH, DSE, and others). Both are needed where the hazard applies.

Do risk assessments need a 5x5 matrix?

Not legally. A matrix helps prioritise actions. HSE's five steps are what regulation 3 requires: identify hazards, decide who is harmed, evaluate risk and controls, record findings, and review.