Health and Safety Risk Assessment: A Complete Guide

Arinite Health & Safety Consultants
June 20, 2026

A health and safety risk assessment is the systematic process of identifying the hazards in a workplace, evaluating the risk they present, and deciding what must be done to control them. It is the foundation of all health and safety management, and for every UK employer it is a legal requirement. Under Regulation 3 of the Management of Health and Safety at Work Regulations 1999, every employer must carry out a suitable and sufficient assessment of the risks to employees and others, and where five or more people are employed, record the significant findings. Despite being so fundamental, risk assessment is one of the most frequently misunderstood and poorly executed duties in workplace health and safety, with generic templates and superficial assessments leaving businesses exposed while believing they are compliant. This guide explains what a health and safety risk assessment is, the law behind it, the five-step process, who can carry one out, and how to get it right, for organisations in the UK and internationally.


Why Health and Safety Risk Assessment Is the Foundation of Everything

Risk assessment sits at the heart of health and safety management because everything else flows from it. The controls a business puts in place, the training it provides, the procedures it writes, the equipment it buys, and the policies it adopts should all derive from a proper assessment of the actual risks the business faces. Without that assessment, health and safety management is guesswork.

This is why the law makes risk assessment the central duty. The Health and Safety at Work Act 1974 requires employers to protect people so far as is reasonably practicable, and the Management of Health and Safety at Work Regulations 1999 make risk assessment the mechanism through which that duty is met. An employer who has not assessed its risks cannot know what controls are reasonably practicable, and cannot demonstrate that it has met its duty.

The consequences of getting it wrong are serious. Inadequate risk assessment is among the most common findings in enforcement action, and in 2024/25 the HSE secured over £33 million in fines across 246 prosecutions, many involving failures that a proper risk assessment would have identified and prevented.

Health and Safety Consultants help businesses carry out genuinely suitable and sufficient risk assessments, the foundation on which all credible health and safety management is built.


1. What a Health and Safety Risk Assessment Is

A health and safety risk assessment is a careful, systematic examination of what, in a workplace, could cause harm to people, so that the business can decide whether it has taken enough precautions or should do more.

It is a forward-looking, preventive process. Rather than waiting for harm to occur, risk assessment identifies hazards in advance and ensures controls are in place before anyone is hurt.

The key concepts:

Hazard: Anything with the potential to cause harm: machinery, chemicals, working at height, electricity, manual handling, stress, a wet floor.

Risk: The likelihood that the hazard will cause harm, combined with the severity of that harm. Risk assessment evaluates both.

Control measures: The actions taken to eliminate or reduce the risk: removing the hazard, substituting something safer, engineering controls, procedures, or, as a last resort, personal protective equipment.

What a risk assessment produces: A risk assessment identifies the significant hazards, the people who could be harmed, an evaluation of the risk, the existing controls, and any further controls needed, set out as actions. For employers with five or more employees, the significant findings must be recorded.

A risk assessment is not a one-off document to be filed and forgotten, but a living tool that informs how work is done safely and is reviewed and updated as circumstances change.


Risk assessment is a clear and central legal duty, and understanding the requirement is essential for every employer.

Regulation 3 of the Management of Health and Safety at Work Regulations 1999: This is the core duty. Every employer must make a suitable and sufficient assessment of the risks to the health and safety of employees while at work, and to others affected by the business, such as visitors, contractors, and the public. The purpose is to identify the measures needed to comply with health and safety law.

Recording the findings: Where five or more people are employed, the significant findings of the assessment must be recorded. In practice, almost all businesses should keep written records as evidence of compliance.

Review: The assessment must be reviewed if there is reason to suspect it is no longer valid, or if there has been a significant change. Risk assessment is an ongoing duty, not a one-time task.

Specific regulations: Beyond the general duty, many specific regulations require particular risk assessments: manual handling, display screen equipment (DSE), COSHH for hazardous substances, fire (under separate fire safety legislation), noise, and others. Each carries its own requirements.

The "suitable and sufficient" standard: This is the legal benchmark, explored in detail below. A risk assessment must be suitable and sufficient: genuinely appropriate to the actual risks, not a generic or superficial exercise. The HSE provides guidance on risk assessment explaining the expected approach.


3. The Five Steps of a Risk Assessment

The HSE sets out a recognised five-step approach to risk assessment that provides a clear, systematic methodology.

Step 1: Identify the hazards. Examine the workplace and the work activities to identify everything with the potential to cause harm: physical hazards, chemical hazards, biological hazards, ergonomic hazards, and psychosocial hazards such as stress. This involves walking the workplace, consulting employees, reviewing incident records, and considering manufacturers' information.

Step 2: Decide who might be harmed and how. For each hazard, identify who could be harmed (employees, visitors, contractors, members of the public) and how. Pay particular attention to those at greater risk: new and young workers, expectant mothers, lone workers, disabled workers, and anyone with specific vulnerabilities.

Step 3: Evaluate the risks and decide on precautions. Evaluate the likelihood and severity of harm, consider what controls are already in place, and decide what further action is needed to reduce the risk so far as is reasonably practicable. This should follow the hierarchy of control: eliminate the hazard if possible, then substitute, then engineering controls, then administrative controls, with PPE as the last resort.

Step 4: Record the significant findings. Record the significant hazards, the people at risk, the controls in place and needed, and the actions arising, with responsibilities and timescales. For employers with five or more employees this is a legal requirement.

Step 5: Review and update. Review the assessment regularly and whenever there is a significant change, such as new equipment, new processes, new staff, or a change of premises, or following an incident, and update it as needed.

This methodology ensures the assessment is systematic and genuinely suitable and sufficient, rather than a superficial exercise.


4. What "Suitable and Sufficient" Actually Means

The legal standard for a risk assessment is that it must be "suitable and sufficient." Understanding this phrase is crucial, because it is where most inadequate assessments fail.

What suitable and sufficient requires: A suitable and sufficient assessment identifies the significant risks arising from the actual work, is proportionate to those risks, considers everyone who might be affected, identifies the precautions needed, and reflects the real workplace and activities. It does not need to be perfect or cover every trivial risk, but it must address the genuine, significant hazards properly.

Why generic templates often fail this standard: The most common failure is the generic template: a document downloaded or copied and lightly edited that describes hazards the business may not have and ignores those it does. A template risk assessment for an office that does not address the actual layout, the actual equipment, the actual activities, and the actual people is not specific to the workplace, and may not be suitable and sufficient. It looks like compliance but is not.

The specificity test: The clearest test of a suitable and sufficient assessment is specificity. Does it reflect this workplace, these activities, these people, and these hazards, or could it apply to any business? A genuine assessment is recognisably about the actual workplace; a generic one is not.

Why this matters: When an HSE inspector, a civil court, or a procurement process examines a risk assessment, the suitable and sufficient standard is what it applies. An assessment that fails it provides no defence and no protection, despite the business believing it was compliant. This is why professional, specific risk assessment matters so much, and why Health and Safety Consultants focus on producing assessments genuinely tailored to the workplace.


5. The Types of Risk Assessment a Business Needs

Most businesses need not one risk assessment but several, addressing the different hazards and the specific requirements of various regulations.

General workplace risk assessment: The overarching assessment of the workplace and its activities under Regulation 3, covering the general hazards present.

Display screen equipment (DSE) assessment: For habitual screen users, an assessment of each workstation, in the office and, increasingly, at home, under the DSE Regulations. For office, technology, and finance firms, this is among the most widely applicable assessments.

COSHH assessment: For any hazardous substances used or produced, an assessment under the Control of Substances Hazardous to Health Regulations.

Manual handling assessment: For tasks involving lifting, carrying, pushing, or pulling, under the Manual Handling Operations Regulations.

Fire risk assessment: A specific assessment under fire safety legislation, addressed by Arinite's fire risk assessment service.

Stress and psychosocial risk assessment: Assessment of work-related stress, the leading cause of work-related ill health, using the HSE Management Standards, a legal requirement under the Management Regulations.

Specialist assessments: Depending on the work, assessments for noise, vibration, work at height, confined spaces, and other specific hazards.

Assessments for specific groups: Assessments for new and expectant mothers, young workers, and others at particular risk.

A proper programme identifies which assessments the business needs and ensures each is suitable, sufficient, and current, a task a competent consultant manages systematically.


6. Who Can Carry Out a Risk Assessment?

A common and important question: who is qualified to carry out a risk assessment? The answer affects both compliance and the quality of protection.

The legal position: Risk assessments must be carried out by a competent person, someone with sufficient training, experience, and knowledge to do so properly. The employer is responsible for ensuring assessments are carried out competently.

Can a business do its own? For simple, low-risk workplaces, a suitably informed person within the business may be able to carry out assessments using HSE guidance. For anything beyond the simplest situations, however, genuine competence is needed: the knowledge to identify hazards that may not be obvious, to evaluate risk properly, and to specify adequate controls. Many businesses lack this internally.

Why competence matters: An assessment carried out without genuine competence may miss significant hazards, underestimate risk, or specify inadequate controls, leaving people exposed and the business non-compliant. The quality of the assessment depends on the competence of the assessor.

The competent person duty: Regulation 7 of the Management of Health and Safety at Work Regulations 1999 requires every employer to appoint a competent person to assist with health and safety, including risk assessment. For most businesses without internal competence, this means engaging external support.

The professional route: For most businesses, engaging competent Health and Safety Consultants to carry out or oversee risk assessments ensures they are genuinely suitable and sufficient, and provides the documented competence that compliance requires, far more reliable than attempting complex assessments without the necessary expertise.


7. How Often Should Risk Assessments Be Reviewed?

Risk assessment is an ongoing duty, and keeping assessments current is as important as carrying them out in the first place.

The legal requirement: The Management Regulations require assessments to be reviewed if there is reason to suspect they are no longer valid, or if there has been a significant change. There is no fixed statutory interval, but the duty to keep them current is clear.

Regular review: Good practice is to review risk assessments regularly, commonly annually, even if nothing major has changed, to confirm they remain valid and accurate.

Review on significant change: Assessments must be reviewed and updated whenever there is a significant change, including:

  • New equipment, machinery, or substances
  • New or changed work processes or activities
  • Changes to the workplace or premises
  • New staff or changes in who does the work
  • Following an accident, incident, or near miss that reveals a risk was not adequately controlled
  • Changes in legislation or guidance

The risk of the stale assessment: An assessment that no longer reflects the workplace, because equipment, activities, or premises have changed, is no longer suitable and sufficient, and leaves the business exposed. For growing and changing businesses, regular review is essential.

Managing the review cycle: Tracking which assessments are due for review across a business, particularly a multi-site one, is a significant task. Health and Safety Consultants and Software platforms manage this, scheduling reviews, flagging those due, and ensuring no assessment silently expires.


8. Common Risk Assessment Mistakes

Understanding the common mistakes helps businesses carry out risk assessments that genuinely protect and comply.

Generic templates: The most common mistake is using a generic template that does not reflect the actual workplace, activities, and hazards. The result looks like a risk assessment but is not suitable and sufficient.

Treating it as a paperwork exercise: Carrying out the assessment to produce a document, rather than to genuinely identify and control risk. A risk assessment that does not lead to real controls being implemented achieves nothing.

Not involving the workforce: The people who do the work understand its hazards best. An assessment carried out without consulting them often misses real risks and practical realities.

Missing less obvious hazards: Focusing on obvious physical hazards while missing less visible ones, particularly psychosocial risks such as stress, which is the leading cause of work-related ill health and a required part of assessment.

Not implementing the controls: Identifying the controls needed but never implementing them is the single most damaging failure, leaving the risk uncontrolled despite the assessment identifying it.

Never reviewing: Carrying out the assessment once and never reviewing it, so it becomes outdated as the workplace changes.

No records: Failing to record the significant findings, leaving no evidence of compliance.

The solution: A genuinely suitable and sufficient risk assessment, specific to the workplace, involving the workforce, addressing all significant risks including psychosocial ones, leading to implemented controls, recorded, and reviewed, avoids all of these. This is what professional risk assessment delivers.


9. Risk Assessment, Audits, and the Wider Management System

Risk assessment is the foundation, but it works as part of a broader health and safety management system, and understanding the connections leads to better management.

Risk assessment vs audit: A risk assessment identifies hazards and the controls needed; a Health and Safety Audit checks whether the whole management system, including whether risk assessments are suitable, current, and acted upon, is genuinely working. The two are different and complementary: assessment identifies risk; audit verifies the system that manages it.

Risk assessment and policy: The health and safety policy sets out the organisation's arrangements; risk assessment is the process that identifies what those arrangements must address.

Risk assessment and training: The training a workforce needs is determined by the risks identified in assessment. A training needs analysis flows from the risk assessments, connecting assessment to training.

Risk assessment and the competent person: The competent person ensures risk assessments are carried out competently and kept current, as part of assisting the employer with compliance.

The system view: Within a health and safety management system, risk assessment is the foundational component from which controls, training, procedures, and monitoring flow, all verified by audit and overseen by the competent person. Managed this way, as part of a coherent system rather than as isolated documents, risk assessment genuinely protects the workforce and demonstrates compliance.


10. Risk Assessment for International Operations

For organisations operating across borders, risk assessment carries an international dimension, because the requirements and forms of assessment vary by jurisdiction.

Different countries, different requirements: Every country has its own risk assessment obligations, often with specific named documents and processes. UK risk assessment does not satisfy the requirements of other jurisdictions.

The key international frameworks:

  • Netherlands: The RI&E (Risico-Inventarisatie en -Evaluatie), mandatory, with certified review required above certain employee thresholds
  • France: The DUERP (Document Unique d'Évaluation des Risques Professionnels), mandatory from the first employee with long retention requirements, addressed by Arinite's PAPRIPACT and wider French support
  • Germany: The Gefährdungsbeurteilung, the risk assessment required under DGUV and German law, which must include psychosocial hazards
  • Other jurisdictions: Each with its own requirements and forms

Consistent methodology, local compliance: The effective international approach applies a consistent risk assessment methodology across all locations while meeting each jurisdiction's specific requirements and producing locally compliant documentation, delivering both group consistency and local compliance.

Coordinated international support: International Health and Safety Consultants help multinational organisations carry out risk assessment across all their locations, meeting each country's requirements while maintaining consistent standards, often within an ISO 45001 framework, with Health and Safety Consultants and Software providing consolidated visibility of assessment status across all countries.


11. Technology and Risk Assessment

Modern risk assessment is greatly enhanced by Health and Safety Consultants and Software, which improves both the efficiency and the management of assessments.

What risk assessment software provides:

Guided creation: Structured templates with hazard prompts guiding the assessor through a thorough, consistent process, helping ensure assessments are suitable and sufficient.

Configurable frameworks: Assessment types for the full range of hazards (general, DSE, COSHH, manual handling, stress), configurable to actual conditions, including for international jurisdictions.

Version control: Every assessment stored with full history, so the current version is always clear.

Automatic review scheduling: Each assessment carries a review date with alerts before it falls due, preventing assessments from silently expiring.

Action generation and tracking: Where an assessment identifies a control to implement, the system creates a tracked action with an owner and deadline, escalating if overdue, closing the most damaging gap, where controls are identified but never implemented.

Oversight and dashboards: Management visibility of all assessments across the organisation: which are current, which are due, and which actions are outstanding. This is invaluable for multi-site and international operations.

The competence point: Software supports risk assessment but does not replace the competence to carry it out well. A platform helps a competent assessor work efficiently and manage assessments systematically, but the quality of the assessment still depends on the expertise behind it. The combination of competent consultants and capable software delivers the best result.


12. How Arinite Delivers Risk Assessment

Arinite provides professional risk assessment as part of comprehensive health and safety support to over 1,500 businesses across the UK and 50+ countries, with a 95%+ client retention rate.

Arinite's risk assessment service:

Suitable and sufficient assessments: Risk assessments carried out by CMIOSH-qualified, OSHCR-registered professionals, genuinely specific to the workplace, activities, and hazards, meeting the suitable and sufficient standard rather than generic templates.

The full range: General workplace, DSE (office and home), COSHH, manual handling, stress and psychosocial, fire, and specialist assessments, identifying which the business needs and delivering each properly.

The competent person: A named competent person ensuring assessments are carried out competently, kept current, and connected to the wider management of health and safety.

Review and currency: Assessments kept current through scheduled review and update on change, so they remain suitable and sufficient as the business evolves.

Health and Safety Consultants and Software: A platform managing assessments, scheduling reviews, tracking actions, and providing oversight across the organisation.

Integrated with wider support: Risk assessment delivered as the foundation of a coherent management system, connected to policy, training, and independent Health and Safety Audits.

International Health and Safety Consultants: Risk assessment across 50+ countries, meeting local requirements (the RI&E, DUERP, and Gefährdungsbeurteilung among them) while maintaining consistent group standards.

Named clients including Bell Rock Capital, Figma, Akamai, SUSE, Nikon, Shutterstock, Hearst, IPG, and B&Q rely on Arinite for risk assessment and the wider management of their health and safety obligations.


Frequently Asked Questions

What is a health and safety risk assessment?

A health and safety risk assessment is a systematic examination of a workplace to identify hazards, evaluate the risk they present, and decide what controls are needed to prevent harm. It is a forward-looking, preventive process and the foundation of all health and safety management, identifying the significant hazards, who could be harmed, and the precautions required.

Yes. Regulation 3 of the Management of Health and Safety at Work Regulations 1999 requires every employer to make a suitable and sufficient assessment of the risks to employees and others. Where five or more people are employed, the significant findings must be recorded in writing. Many specific regulations require particular assessments too.

What does "suitable and sufficient" mean?

A suitable and sufficient risk assessment identifies the significant risks from the actual work, is proportionate to those risks, considers everyone who might be affected, and identifies the precautions needed, genuinely reflecting the real workplace. The clearest test is specificity: a suitable assessment is recognisably about the actual workplace, not a generic template that could apply to any business.

What are the five steps of a risk assessment?

The HSE's five steps are: identify the hazards; decide who might be harmed and how; evaluate the risks and decide on precautions (following the hierarchy of control); record the significant findings; and review and update the assessment regularly and when circumstances change.

Who can carry out a risk assessment?

Risk assessments must be carried out by a competent person with sufficient training, experience, and knowledge. For simple, low-risk workplaces a suitably informed person within the business may suffice, but for anything more complex genuine competence is needed. Most businesses without internal expertise engage Health and Safety Consultants to ensure assessments are genuinely suitable and sufficient.

How often should a risk assessment be reviewed?

It must be reviewed if there is reason to suspect it is no longer valid, or when there is a significant change, such as new equipment, processes, premises, or staff, or following an incident. Good practice is to review regularly, commonly annually, even absent major change. A stale assessment that no longer reflects the workplace is no longer suitable and sufficient.


Taking the Next Step

A health and safety risk assessment is a legal requirement and the foundation of everything else in health and safety, the process from which all controls, training, and protection flow. Getting it right, with genuinely suitable and sufficient assessments, specific to the workplace, leading to implemented controls, and kept current, protects your people and demonstrates compliance. Getting it wrong, with generic templates and superficial exercises, leaves the business exposed while believing it is safe.

Assess your position: Take our Health and Safety Quiz to evaluate your risk assessment and wider compliance.

Discuss your needs: Book a free Gap Analysis Call with an Arinite consultant to understand what risk assessments your business needs.

Get professional risk assessment: Contact Arinite to learn how our Health and Safety Consultants deliver suitable and sufficient risk assessments for businesses across the UK and 50+ countries.


Arinite provides risk assessment, Health and Safety Consultants, and Health and Safety Audits services to over 1,500 global businesses across the UK and 50+ countries. Key external resources: HSE guidance on risk assessment | Management of Health and Safety at Work Regulations 1999 | Health and Safety at Work Act 1974 | HSE enforcement statistics | OSHCR consultant register
