UK law treats workplace health and safety with great seriousness, and risk assessments sit at the heart of that framework. That is why they are a legal obligation for every employer in the country, not merely a recommended practice.
A risk assessment can be defined as a formal analysis of any potential hazards that a given workplace presents. By identifying and assessing such possible hazards as heavy machinery, tripping hazards, loud noises, or narrow fire escapes, risk assessments can help organisations across a broad range of industries to ensure both safety and compliance.
Risk assessments are not limited to “best practice” for UK employers, or even something that businesses merely “should” incorporate into their health and safety policies; they have a critically important legal status.
Although, as noted above, every UK employer is obliged to conduct risk assessments, certain sectors are particularly associated with them as a requirement, such as education, property management, and healthcare.
This article looks at why risk assessments matter, the legislation that underpins them, and the other essentials you need to know.
What is a risk assessment, and what is its legal basis in the UK?
Put another way, a risk assessment is a structured process for identifying, evaluating, and controlling the risks present at a particular workplace.
There are various pieces of legislation that effectively enshrine the need for risk assessments in the UK, even if not all of them explicitly mandate risk assessments:
- The Health and Safety at Work Act 1974 (HSWA)
This is the UK’s main, overarching piece of legislation covering workplace health and safety. It places a legal responsibility on employers and self-employed individuals to ensure workplaces are safe.
The HSWA does not itself name risk assessments as a legal requirement. However, in order to meet the duties it imposes, employers will in practice need to have risk assessments carried out.
- The Management of Health and Safety at Work Regulations 1999 (MHSWR)
This legislation puts in place a requirement for employers to conduct a “suitable and sufficient assessment” of the risks to the health and safety of not only employees, but also other people who may be impacted by their work activities.
These regulations set out in detail what the assessment must cover, the situations in which one is needed, when its findings must be recorded, and when it must be reviewed.
Taken together, these UK laws present a legal obligation for employers to consider risks to their employees, as well as to contractors, visitors to the workplace, and members of the public.
Who is legally responsible for conducting risk assessments?
The short answer to this question is that in situations where risk assessments are legally required, it is the employer that is legally responsible for ensuring they are conducted.
This is not the same thing, however, as saying the employer needs to undertake the risk assessment themselves.
The employer has the option of nominating a “competent person” to complete the actual risk assessment. However, the ultimate legal responsibility for workplace health and safety remains with the employer rather than the “competent person”.
Under UK law, primarily the HSWA, employers have a broad duty to ensure, so far as is reasonably practicable, the health, safety, and welfare of their employees. The legislation operates on the principle that those who create a risk are responsible for managing it.
What makes a risk assessment ‘suitable and sufficient’?
As mentioned, it is the MHSWR that requires risk assessments to be “suitable and sufficient”. The regulations do not, however, define exactly what that phrase means, so the test is applied to the circumstances of each workplace.
At minimum, the Management of Health and Safety at Work Regulations require employers to:
- Identify significant hazards that could cause injury or illness in your workplace
- Assess the likelihood of someone being harmed by the given hazards, and how seriously they would be harmed – in other words, the risk the hazards pose
- Implement measures to control or eliminate the hazards you have identified
In practice, the level of detail in the risk assessment – and the measures that you take to minimise the chances of someone coming to harm at your premises – should be proportionate to the level of risk.
Examples of areas of a given business’s operations where they will need to conduct “suitable and sufficient” risk assessments include when they are managing fire, asbestos, legionella, safeguarding, and/or mental health risks.
However, a risk assessment on its own is not sufficient. Businesses must also implement the findings of those assessments, track remedial actions, and ensure that relevant information is shared across teams. This is particularly critical in areas like legionella management, where the risks to health and compliance obligations are ongoing.
It is widely accepted good practice to involve employees and health and safety representatives in the process of identifying and assessing hazards in the workplace.
After all, the workers themselves are familiar with the risks involved, and they are likelier to follow procedures put in place to control risks if they have participated in the development of those health and safety practices. Safety reps can further help to make sure the employer’s assessments are thorough, relevant, and address actual working conditions.
Do you need to document your risk assessment?
Employers in the UK that employ five or more people are legally required to record the significant findings of their risk assessments.
The law requires the record to capture the significant findings and any group of employees identified as especially at risk. In practice, the documentation for each risk assessment should include:
- The date of the assessment
- The identified hazards and those who would be at risk
- The control measures implemented
- The name(s) of the assessor(s)
However, even if you are a decision-maker for a smaller organisation with fewer than five employees, there can be various benefits of recording your risk assessments.
Such documentation can provide evidence of due diligence, for example, and can be used to show your organisation has complied with regulations. It can also help with training and the communication of safety information to your workers.
How often should risk assessments be reviewed?
The MHSWR require an assessment to be reviewed if there is reason to suspect it is no longer valid or there has been a significant change in the matters it relates to, and the UK Health and Safety Executive (HSE) advises employers to check that the controls they have implemented are actually working. However, the law does not stipulate a fixed timeframe for how often risk assessments must be reviewed.
In practice, then, you should be looking to review and update your organisation’s risk assessments:
- After significant workplace changes – for example, to equipment, procedures, or staff
- Following incidents or near-misses
- At set intervals depending on risk level
While it will largely be at your organisation’s discretion to decide when a review is necessary, a commitment to continuous monitoring and improvement is key to complying with health and safety law, including the requirements around risk assessments.
What happens if you don’t comply with the legal requirements?
Even putting aside the direct impacts on workplace health and safety, risk assessments cannot be treated as just “optional extras” or “nice to haves”. A failure to carry them out in line with the relevant regulations can bring serious financial and reputational consequences for businesses.
In this situation, your organisation could be subject to enforcement action by the HSE (or the local authority, depending on the type of premises), such as:
- Improvement or prohibition notices
- Criminal prosecution, with substantial fines on conviction
- In the most serious cases, imprisonment of the individuals responsible
As well as the reputational damage, an organisation that doesn’t adhere to the legal requirements for risk assessments could experience higher employee turnover and escalating insurance premiums, due to the workplace health and safety risks that go unaddressed.
What types of risk assessments are legally required in specific situations?
Below are examples of specific types of risk assessments that must be carried out in certain circumstances and settings, in accordance with UK law:
- Fire risk assessments, as required in England and Wales by the Regulatory Reform (Fire Safety) Order 2005 (Scotland and Northern Ireland have equivalent fire safety legislation). These assessments systematically review a particular premises to identify fire hazards, assess the risks they present, and decide on appropriate safety measures
- Control of Substances Hazardous to Health (COSHH) risk assessments, as required under the COSHH Regulations 2002 in workplaces where employees store, use, or manufacture hazardous substances
- Manual handling risk assessments, required under the Manual Handling Operations Regulations 1992 in any workplace where there could be a risk of injury or ill health from employees lifting, carrying, or moving loads
- Working at height risk assessments, required under the Work at Height Regulations 2005, which aim to identify and control the hazards that arise when tasks are performed at elevated locations
- Asbestos risk assessments, which identify, assess, and manage the risks that asbestos-containing materials (ACMs) can pose at particular premises, and which underpin the duty to manage asbestos in non-domestic premises under the Control of Asbestos Regulations 2012
- Legionella risk assessments, which systematically evaluate water systems to pinpoint the risks associated with legionella bacteria. Such an assessment must form part of a broader legionella risk management strategy that includes implementing remedial actions, tracking their completion, and sharing findings and responsibilities across the relevant teams so that compliance is maintained over time
- Mental health and psychosocial risk assessments, which enable organisations to identify and manage work-related stress and similar harms, including in healthcare settings where both staff and patients may be affected
How can technology help ensure legal compliance in risk assessments?
If you are seeking out a complete practical solution that will help your organisation to keep on top of its necessary risk assessments, Vision Pro Software is likely to prove an extremely wise investment.
After all, our cloud-based risk assessment platform:
- Provides a single, centralised, and widely accessible space for risk and audit management
- Incorporates templates that are aligned with PAS 79 and industry standards
- Includes automated reminders, real-time dashboards, and mobile data capture
- Allows for worker participation and live issue tracking
- Cuts reporting time by as much as 74%, and enhances the quality of assessments by up to 68%.
While conducting risk assessments is legally required, compliance doesn’t stop there. The findings of those assessments – particularly in high-risk areas like legionella – must be implemented, monitored over time, and communicated effectively. Vision Pro Software enables this end-to-end compliance cycle, providing tools to assign tasks, track remedial actions, maintain audit trails, and support real-time reporting across your organisation.
Conclusion: legal compliance is just the start
To reiterate what we have covered in this article: risk assessments are far from an “optional extra” or mere “good practice”. They are a legal requirement for every UK employer, and they play a fundamental part in sound health and safety policies for organisations up and down the country.
It should not be a surprise, then, for you to learn that the consequences of non-compliance can be serious for a UK employer. These may encompass fines, improvement or prohibition notices, and/or criminal prosecution in the worst cases.
Ultimately, when it comes to ensuring safety, efficiency, and reputation, risk assessments are a business-critical tool.
True compliance means taking action on assessment findings, verifying that controls are implemented, and maintaining a consistent record for audits and stakeholder visibility – something traditional systems often fail to support. This is where software like Vision Pro proves indispensable.
Why not, then, adopt a proactive and tech-enabled approach to your own organisation’s risk assessments, with the help of Vision Pro Software? Contact our team today to learn more about our proven and sophisticated solution, and to request a demo.