Risk Assessment Documentation and Prevention Planning: A Complete International Guide

Proper risk assessment documentation and annual prevention planning are fundamental requirements across international health and safety frameworks. This comprehensive guide explains documentation requirements in different jurisdictions, how to structure effective prevention programmes, archiving obligations, and how Health and Safety Consultants help organisations build compliant and practical systems. 

Introduction: The Foundation of Safety Management 

Risk assessment documentation and prevention planning form the foundation of effective safety management in every jurisdiction. While the EU Framework Directive 89/391/EEC established risk assessment as a key principle across Europe, similar requirements exist in the UK, North America, Australia, and beyond. The challenge for organisations, particularly those operating internationally, is understanding how these requirements vary and building systems that satisfy diverse regulatory frameworks. 

Documentation requirements have become increasingly specific in recent years. France, for example, requires the Document Unique d'Évaluation des Risques Professionnels (DUERP) as a mandatory single document containing all risk assessments, with 40-year archiving requirements introduced in 2022. Germany's Gefährdungsbeurteilung (hazard assessment) system requires detailed documentation with regular review. Spain's 2025 reforms strengthened documentation and digitalisation requirements. Even jurisdictions with less prescriptive approaches, such as the UK, expect thorough documentation as evidence of compliance. 

This guide explains documentation requirements across major jurisdictions, provides practical guidance for structuring risk assessment documents and prevention programmes, addresses common questions about implementation, and shows how Health and Safety Consultants help organisations build effective systems. 

Health and Safety Consultants for Documentation Excellence 

Arinite provides comprehensive support for risk assessment documentation and prevention planning. Our CMIOSH-qualified consultants help you build systems that satisfy regulatory requirements while remaining practical and useful for day-to-day safety management. 

Book your free 30-minute Gap Analysis Call: +44 (0)20 7947 9581 

International Documentation Requirements 

Documentation requirements for risk assessment vary significantly across jurisdictions. Understanding these differences is essential for organisations operating internationally and for those seeking to implement best practice regardless of minimum legal requirements. 

France: DUERP and PAPRIPACT 

France has one of the most prescriptive documentation requirements globally. The Document Unique d'Évaluation des Risques Professionnels (DUERP) is a mandatory single document containing all workplace risk assessments. Since March 2022, implementing regulations require keeping each annual DUERP for 40 years. This long retention period reflects the potential for occupational diseases with extended latency periods. 

The French system requires two parallel documents. The daily DUERP is updated continuously as hazards are identified or circumstances change. The archived annual DUERP is a closed version created at each key date on the social agenda, typically when the works council (CSE) is consulted for the annual update. Both documents must be maintained and made available for inspection. 

Alongside the DUERP, organisations with 50 or more employees must maintain the Programme Annuel de Prévention des Risques Professionnels et d'Amélioration des Conditions de Travail (PAPRIPACT). This annual prevention programme derives from the DUERP, particularly critical risks requiring action plans. While PAPRIPACT prioritises actions for the coming year, actions can be planned over longer periods. 

The CSE (works council) must be involved in developing and updating the DUERP and must be consulted on the annual update, providing either a favourable or unfavourable opinion. For multi-site organisations, one DUERP is required per establishment, and the same principle applies to PAPRIPACT for establishments with more than 50 employees. 

Germany: Gefährdungsbeurteilung 

Germany has one of the most comprehensive sets of health and safety regulations globally. The Gefährdungsbeurteilung (hazard assessment) is the central document in German occupational safety. The Federal Institute for Occupational Safety and Health (BAuA) provides authoritative guidance on structure and content. 

German requirements emphasise systematic hazard identification, risk evaluation, and documentation of control measures. The DGUV regulations, developed by the German Social Accident Insurance, provide detailed requirements for equipment inspection and documentation that often serve as benchmarks internationally. Documentation must demonstrate not only that assessments have been conducted but that the process was thorough and systematic. 

Spain: Evaluación de Riesgos Laborales 

Spain's occupational health and safety framework is built on Law 31/1995 (Ley de Prevención de Riesgos Laborales), with significant reforms in 2025 strengthening documentation requirements, digitalisation, and enforcement. Spanish law requires comprehensive risk evaluation documentation covering all work activities and all workers. 

The 2025 updates place particular emphasis on psychosocial risk assessment, gender perspective in risk evaluation, and digitalisation of prevention management. Penalties for non-compliance range from €2,000 for minor infractions to €225,000 for very serious violations that endanger workers' lives or physical integrity. 

United Kingdom 

UK law requires employers with five or more employees to record the significant findings of risk assessments. The Management of Health and Safety at Work Regulations 1999 specify that records must include details of any group of employees identified as being especially at risk. While less prescriptive than some European systems, the UK approach emphasises that documentation should be proportionate to the level of risk. 

The HSE guidance emphasises that documentation should be practical and useful, not bureaucratic. However, in the event of an incident or inspection, adequate documentation is essential evidence of compliance. The UK also requires various specific documented assessments, including fire risk assessments, COSHH assessments, and manual handling assessments. 

United States 

OSHA does not generally require written risk assessments for most employers, but specific standards mandate documentation for particular hazards. Process Safety Management (PSM) requires extensive documentation for hazardous chemical processes. OSHA's Hazard Communication Standard requires written hazard communication programmes and safety data sheets. Various industry-specific standards have their own documentation requirements. 

Despite the absence of general risk assessment documentation requirements, OSHA recommends written safety and health programmes as best practice. Many states with their own OSHA-approved programmes have additional documentation requirements. In practice, effective safety management in the US typically involves comprehensive documentation regardless of minimum legal requirements. 

Australia 

Work health and safety legislation across Australian states and territories requires documented risk management. The model Code of Practice for How to Manage Work Health and Safety Risks recommends that risk assessments be recorded where there are significant or complex risks, where the assessment was required by legislation, or where risks could change over time. 

Australian requirements emphasise the process of consultation with workers in risk assessment and prevention planning. Documentation should demonstrate that workers were involved in identifying hazards and developing controls, reflecting the participative approach embedded in Australian WHS law. 

Health and Safety Audits for Documentation Compliance 

Arinite's Health and Safety Audits assess your documentation against legal requirements and best practice. We identify gaps and provide practical recommendations for improvement. 

Contact us at +44 (0)20 7947 9581 to discuss your requirements. 

Structuring Effective Risk Assessment Documentation 

Regardless of jurisdiction, effective risk assessment documentation shares common characteristics. Good documentation serves multiple purposes: demonstrating legal compliance, guiding practical safety management, enabling trend analysis over time, and providing evidence in the event of incidents or investigations. 

Essential Elements 

Every risk assessment document should identify the work activities, areas, or processes covered. It should identify the hazards present and who might be harmed. It should evaluate the risks, considering both likelihood and severity. It should specify control measures in place and any additional measures required. It should identify who is responsible for implementing controls and by when. 

Documentation should also record the date of assessment, who conducted it, and when review is due. For organisations operating under ISO 45001, documentation must satisfy the standard's requirements for documented information, including evidence of risk assessment processes and results. 

Risk Rating and Prioritisation 

Risk rating is necessary to identify critical risks and prioritise action. While specific rating criteria are typically at the employer's discretion, common approaches assess severity and likelihood to generate a risk score. A simple severity scale might classify outcomes as low (minor injury without absence), medium (injury with absence), serious (permanent disability), or very serious (fatal). 

The rating approach should be consistent across all assessments to enable meaningful comparison and prioritisation. Whatever system you use, document the criteria so that different assessors apply them consistently. 

Psychosocial Risks 

Modern risk assessment must include psychosocial risks alongside physical hazards. The Gollac Report, widely referenced in French and European practice, identifies six psychosocial risk factors now in consensus: intensity and complexity of work, work insecurity, emotional demands, value conflicts, social relationships at work, and autonomy and flexibility. 

It is fundamental to consider psychosocial risks like other risk categories rather than evaluating them separately. You can add questions relating to psychosocial factors to your usual risk assessment process. It may be appropriate to evaluate psychosocial risks with a specific scoring system, for example multiplying the intensity level of a factor by the employee's level of control to obtain a risk score. 

Integrating psychosocial risks into risk assessment is important because failing to address them can result in increased absenteeism, decreased productivity, higher accident and disease costs, higher turnover, and potential legal proceedings, particularly in the event of harassment. Proper assessment enables prevention and improves quality of life at work. 

Multi-Site Documentation 

For organisations with multiple sites, documentation requirements can become complex. The general principle is that each establishment needs its own risk assessment reflecting its specific hazards and circumstances. However, there may be value in developing common templates and approaches that can be adapted for each location. 

For multi-site organisations, it is useful to analyse risk assessments across locations to identify trends and common risk situations. If certain hazards are critical and recurrent across multiple sites, you can create transversal action programmes with concrete measures that apply across the organisation. 

Annual Prevention Planning 

Risk assessment identifies hazards and evaluates risks, but prevention planning translates those findings into action. Effective prevention programmes specify what will be done, by whom, and by when. They prioritise actions based on risk level and track progress to completion. 

Linking Assessment to Action 

Prevention plans should derive directly from risk assessment findings. The highest-priority actions should address the most significant risks identified. However, prevention planning should also consider practical factors including resource availability, technical feasibility, and potential disruption to operations. 

While prevention programmes typically prioritise actions for the coming year, actions can be planned over longer periods where circumstances require. Major capital investments or significant operational changes may need multi-year planning. The key is that actions are specified, scheduled, and tracked rather than left vague or indefinite. 

Action Plan Content 

Each action in a prevention plan should specify what will be done, including clear description of the measure to be implemented. It should identify who is responsible for implementation. It should establish when the action will be completed, with realistic deadlines. It should indicate the resources required, including budget, personnel, and equipment. It should explain how completion and effectiveness will be verified. 

Worker Consultation 

Across jurisdictions, worker consultation in risk assessment and prevention planning is either legally required or strongly recommended. Workers have the best knowledge of their tasks and associated risks. Participation also improves acceptance of measures and facilitates their application in practice. 

In France, the CSE must be consulted on the annual update of the DUERP and PAPRIPACT. In the UK, the Safety Representatives and Safety Committees Regulations require consultation with safety representatives. In Australia, consultation is a fundamental requirement of WHS legislation. Even where not strictly required, involving workers improves both the quality of assessments and the effectiveness of controls. 

Monitoring and Review 

Prevention plans should include arrangements for monitoring progress and reviewing effectiveness. Regular progress reviews ensure that actions are completed as scheduled. Effectiveness reviews assess whether implemented measures have achieved the intended risk reduction. Findings from monitoring and review should inform the next cycle of risk assessment and prevention planning. 

Global Health and Safety Consultants for International Compliance 

Arinite supports organisations across 50+ countries in developing documentation systems that meet local requirements while maintaining consistent global standards. Our International Health and Safety Consultants navigate diverse regulatory frameworks on your behalf. 

Visit www.arinite.com or call +44 (0)20 7947 9581 to learn more. 

Archiving, Version Control, and Traceability 

Proper archiving and version control are increasingly important as documentation requirements become more specific. The French 40-year retention requirement reflects the long latency of some occupational diseases, but even jurisdictions without such explicit requirements expect records to be maintained for reasonable periods. 

Retention Periods 

Retention periods vary by jurisdiction and document type. As a general principle, risk assessments and prevention plans should be retained for at least as long as any potential claim might arise. For occupational health matters, this can be many years after exposure. Jurisdictions with specific retention requirements, such as France's 40-year DUERP requirement, must be followed exactly. 

Version Control 

Tracing changes to each version of risk assessment documentation is essential for demonstrating ongoing compliance and for investigating incidents. The ease of version control depends on the tools used. In spreadsheet-based systems, tracking changes is complicated. Digital safety management tools typically provide better version control through filters, parameters, and audit trails. 

At minimum, each version should be dated, and the reason for changes should be recorded. When risk assessments are revised following incidents, inspections, or changes to work activities, the documentation should clearly show what changed and why. 

Digital Systems 

Health and Safety Consultants and Software solutions increasingly support documentation, archiving, and version control. Digital systems can automatically archive versions at specified intervals, maintain audit trails of changes, and ensure that current and historical versions are readily accessible. For organisations with complex documentation requirements, digital tools can significantly reduce administrative burden while improving compliance. 

How Arinite Supports Risk Assessment Documentation 

Arinite provides comprehensive support for risk assessment documentation and prevention planning. Our CMIOSH-qualified Health and Safety Consultants help organisations build systems that satisfy regulatory requirements while remaining practical and useful for day-to-day safety management. 

Our risk assessment services deliver suitable and sufficient assessments covering all activities and areas. We document findings in clear, consistent formats that satisfy regulatory requirements and provide practical guidance for implementation. Our assessments address both physical and psychosocial hazards, reflecting modern requirements for comprehensive risk management. 

For organisations seeking annual prevention planning support, we help develop structured programmes that translate risk assessment findings into prioritised action plans. We establish monitoring arrangements and support regular review to ensure that actions are completed and effective. 

Our Health and Safety Audits assess existing documentation against legal requirements and best practice. We identify gaps, evaluate whether documentation reflects actual workplace conditions, and provide recommendations for improvement. Audits cover both the content of documentation and the systems for maintaining, updating, and archiving it. 

For international organisations, our Global Health and Safety Consultants help develop approaches that meet diverse jurisdictional requirements while maintaining consistency across operations. We understand how documentation requirements vary across countries and help you build systems that satisfy local requirements everywhere you operate. With support for over 1,500 global businesses across more than 50 countries, we bring experience across diverse regulatory environments. 

Our Health and Safety Consultants and Software approach integrates expert guidance with efficient digital tools. Software can handle routine documentation tasks while consultants provide expertise for complex assessments and strategic advice. The combination creates comprehensive coverage that costs less than developing equivalent internal capability. 

Build Effective Documentation Systems 

Arinite's free 30-minute Gap Analysis Call helps you understand your current documentation arrangements and identify opportunities for improvement. Our Keeping It Simple philosophy means practical systems without unnecessary complexity. 

Book your free call: +44 (0)20 7947 9581 or visit www.arinite.com 

Frequently Asked Questions 

What documentation is legally required for risk assessment? 

Requirements vary by jurisdiction. The UK requires employers with five or more employees to record significant findings. France requires the DUERP as a single comprehensive document. Germany requires documented Gefährdungsbeurteilung. Even where requirements are less prescriptive, adequate documentation is essential evidence of compliance. 

How long should risk assessments be retained? 

Retention periods vary by jurisdiction. France requires 40 years for the DUERP. Where no specific period is mandated, assessments should be retained for at least as long as potential claims might arise. For occupational health matters, this can be many years after exposure. Seek advice for your specific jurisdictions. 

Should we have separate documents for each type of hazard? 

Not necessarily. While specific assessments may be required for particular hazards (such as COSHH in the UK), psychosocial risks should be integrated into general risk assessment rather than treated separately. The key is comprehensive coverage, however the documentation is structured. 

How do we assess psychosocial risks? 

Psychosocial risks should be assessed like other hazards, using recognised frameworks such as the Gollac factors. Add questions about psychosocial factors to your usual risk assessment process. Consider using specific scoring systems that multiply intensity by control levels to prioritise actions. 

What is the relationship between risk assessment and prevention planning? 

They are separate but linked. Risk assessment identifies hazards and evaluates risks. Prevention planning specifies actions to address those risks. Prevention plans should derive directly from risk assessment findings, with highest-priority actions addressing the most significant risks. 

How should we handle multi-site documentation? 

Each establishment generally needs its own risk assessment reflecting its specific circumstances. However, you can develop common templates and identify trends across sites. Transversal action programmes can address hazards that are critical and recurrent across multiple locations. 

Do workers need to be involved in risk assessment? 

Worker consultation is legally required in many jurisdictions and strongly recommended in all. Workers have the best knowledge of their tasks and associated risks. Participation improves both the quality of assessments and acceptance of control measures. 

How do we track changes to risk assessment documents? 

Version control is essential for demonstrating ongoing compliance. Digital systems typically provide better tracking than paper or spreadsheet approaches. At minimum, date each version and record the reason for changes. Maintain both current and archived historical versions. 

What sanctions apply for inadequate documentation? 

Sanctions vary by jurisdiction but can be significant. France imposes fines of €1,500 to €15,000 for DUERP failures. Spain's penalties reach €225,000 for serious violations. Beyond direct penalties, inadequate documentation weakens your position in the event of incidents or enforcement action. 

How can Health and Safety Consultants help with documentation? 

Health and Safety Consultants provide expertise for conducting thorough risk assessments, structuring effective documentation, developing prevention programmes, implementing appropriate systems, and ensuring compliance across jurisdictions. External expertise is particularly valuable for organisations without specialist internal resources or those operating internationally.