Assessing Health and Safety Risks FAQs

A Risk Assessment and Method Statement (RAMS) are two documents that form part of a safe system of work.

RAMS are typically used for activities that carry a high degree of risk (e.g. working on a roof, or hot work). A RAMS may require tasks to be undertaken in a specific order and need a high level of understanding and monitoring to reduce the risk.

The risk assessment details the hazards and measures required, whereas the method statement outlines the process, the equipment and supervision.

These documents need to be understood by those completing the activities and often form part of a safety briefing before works are undertaken.

The frequency of risk assessment reviews depends on the nature of the hazards, the activity, the industry, and regulatory requirements.

Risk assessments should be reviewed whenever there are significant changes in a workplace that could mean the current risk assessment is no longer valid. This could be a change in process, new or modified work equipment or new competence requirements. Risk assessments should be reviewed after an internal incident, or as part of an industry safety notice.

The HSE recommends reviewing risk assessments annually as a general guide.

The Management of Health and Safety at Work Regulations 1999 states that a risk assessment must be carried out by a ‘competent person’.

Under the Regulations a person is ‘competent’ when they have ‘sufficient training and experience or knowledge and other qualities to enable him to properly assist in undertaking the measures…’

Simple, low risk activities should not need the expertise of an in-house competent person or consultant. Higher risk activities may require the risk assessment to be undertaken by a team bringing in operational experience alongside pragmatic risk assessing skills.

The length of time a risk assessment takes depends on the complexity. For example, a display screen equipment (DSE) risk assessment might be completed in half an hour, whereas a fire risk assessment may be completed over several days.

Employers can carry out risk assessments themselves if they are competent to do so. Under the Management of Health and Safety at Work Regulations 1999 competency is defined as having sufficient training and experience or knowledge to undertake the task.

SMEs usually appoint a health and safety consultant to support their risk assessments to ensure they meet their legal responsibilities to protect employees and others affected by their activities.

By law, someone who carries out a manual handling risk assessment must be competent to do so. This means they must have the knowledge and experience to be able to identify and address risks effectively.

Someone who has practical experience of managing manual handling and has been trained on both manual handling and risk assessment  has the knowledge to carry out the  assessment.

If the manual handling activity is a high risk, then consulting an experienced safety professional is  advisable.

These are some hazards that might be included in a general office risk assessment, or specific risk assessments might be created depending on the work environment.

• Accessibility
• Asbestos
• Display screen equipment
• Electricity
• Work equipment
• Fire
• Gas
• Hazardous substances
• Manual handling
• Radiation
• Slips, trips and falls
• Stress
• Vehicles
• Work at height

Yes, all employers must undertake a risk assessment of the risks to the health and safety of employees whilst at work, as well as the risk to those who are not employees but may be affected.

Employers must review the assessment when there is reason to suspect it is no longer valid, or there has been a significant change.

When an employer employs five or more employees the significant findings of the risk assessment must be recorded.

A hazardous substances risk assessment should be reviewed:

• Annually as good practice.
• After incidents or near-misses.
• When processes or substances change.
• Following legal updates.
• If controls fail or worker health concerns arise.

This ensures safety and compliance with the Control of Substances Hazardous to Health Regulations 2002.

In line with the Control of Substances Hazardous to Health (COSHH) Regulations 2002, a hazardous substance risk assessment follows these steps:

1. Identify the hazardous substances. Determine which substances are present and could cause harm.
2. Assess the risks. Evaluate how exposure to the substances might occur and the potential effects on health.
3. Control the risks. Implement measures to prevent or reduce exposure, such as ventilation, PPE, or substitution.
4. Record the findings. Document the assessment, including hazards, risks, and control measures.
5. Review and update. Regularly review the assessment to ensure it remains relevant and effective, especially after changes or incidents.

A dynamic risk assessment is a continuous, real-time process of assessing risks in rapidly changing or unpredictable environments. Unlike a formal, pre-planned risk assessment, a dynamic one is conducted on the spot, helping employees to adapt to emerging hazards or evolving situations.

The benefits of a dynamic risk assessment include:

• Real-time hazard identification. It enables employees to assess risks as they arise, ensuring emerging hazards are addressed immediately.
• Enhanced situational awareness. Promotes awareness of the environment, improving decision-making in changing conditions.
• Flexibility. Enables quick adaptation to unforeseen risks or hazards not covered by pre-planned assessments.
• Improved safety. Reduces the likelihood of accidents or incidents by addressing risks proactively in dynamic situations.
• Empowered employees. Encourages individuals to take responsibility for their safety and that of others in unpredictable scenarios.
• Practicality in high-risk environments. Ideal for emergency services, construction, or lone working, where conditions can change rapidly.

Dynamic risk assessments complement formal assessments, providing an additional layer of safety in real-time operations.

A dynamic risk assessment may be prompted by:

• Unforeseen hazards. Encountering risks not identified in a formal risk assessment, such as spills or equipment failures.
• Changing conditions. Environmental changes like weather, lighting, or terrain that alter the level of risk.
• Emergencies. Situations requiring immediate action, such as fires, medical incidents, or security threats.
• New tasks or procedures. Undertaking unplanned work activities or methods not previously assessed.
• Interactions with others. Presence of external parties, such as contractors or the public, introducing new risks.
• Equipment malfunction. Tools or machinery failing during use, necessitating immediate evaluation and response.
• Time-critical decisions. Scenarios where action must be taken quickly to prevent harm, leaving no time for formal assessment.
• Deviation from plans. Workers encountering unexpected scenarios that differ from initial risk assessments.

A risk assessment should be reviewed after incidents, process changes, new hazards, regulatory updates, ineffective controls, worker concerns, or as part of routine periodic reviews.

Conducting risk assessments improves workplace safety, ensures legal compliance, reduces costs from incidents, boosts employee morale and productivity, informs better decisions, and enhances organisational reputation.

A good risk assessment is:

1. Comprehensive. Identifies all significant hazards and assesses their risks thoroughly.
2. Specific. Tailored to the workplace, tasks, and individuals involved, rather than being generic.
3. Practical. Includes realistic and effective control measures to manage risks.
4. Legally compliant. Meets the requirements of relevant regulations, such as the Management of Health and Safety at Work Regulations 1999.
5. Easily communicated. Clear and accessible to all employees, ensuring they understand the hazards and controls.
6. Dynamic. Regularly reviewed and updated to reflect changes in the workplace, processes, or regulations.
7. Documented. Properly recorded to provide evidence of compliance and a basis for review.

A good risk assessment effectively protects people and supports a proactive safety culture.

A risk assessment identifies and controls hazards across a workplace or process, while a job safety analysis (JSA) focuses on specific task steps, identifying and managing hazards at each stage. Both improve safety but differ in scope and detail.

The Health and Safety Executive (HSE) recommends following five steps for risk assessment:

1. Identify hazards. Spot potential dangers in the workplace.
2. Assess the risks. Determine who might be harmed and how.
3. Control the risks. Decide on and implement precautions.
4. Record your findings. Document hazards, controls, and actions.
5. Review and update. Regularly reassess to keep the assessment relevant.

A complete risk assessment includes:

• Hazard identification. A list of potential hazards in the workplace or activity.
• Risk evaluation. An analysis of the likelihood and severity of harm, identifying who might be affected and how.
• Control measures. Details of existing controls and additional measures needed to minimise risks.
• Action plan. Steps to implement new controls, with assigned responsibilities and timelines.
• Documentation. A clear record of the hazards, risks, controls, and actions for legal compliance and reference.
• Review process. A plan for regularly reviewing and updating the assessment as conditions change.

This ensures risks are effectively managed and compliance with the Management of Health and Safety at Work Regulations 1999.

To ensure safety and compliance, prioritise hazards with the greatest risk:

• High severity (e.g., falls from height, toxic substances).
• High likelihood (e.g., slips on wet floors, repetitive strain injuries).
• Legal hazards (e.g., asbestos exposure, manual handling risks).

Yes, if your organisation has five or more employees, you are legally required to record the significant findings of your risk assessment.

Under the Management of Health and Safety at Work Regulations 1999, employers must document:

• The main hazards identified
• Who might be harmed and how
• The control measures in place
• Any further action required

If you have fewer than five employees, you are not legally required to keep a written record. However, it is strongly recommended as good practice and provides evidence of compliance if inspected.

There is no specific legal time limit set for retaining general risk assessment records under the Management of Health and Safety at Work Regulations 1999. However, records should be kept for as long as they remain relevant and useful.

In practice, employers should:

• Keep current risk assessments for as long as the activity or hazard exists
• Retain previous versions for a reasonable period to demonstrate review and compliance
• Keep records longer where there is potential for future claims (for example, up to six years in line with general civil claims time limits)

Some assessments require longer retention. For example, records relating to hazardous substances under COSHH may need to be kept for 40 years where health surveillance is involved.

Maintaining clear, dated records helps demonstrate legal compliance and supports insurance and enforcement enquiries if required.

Employers must communicate the significant findings of a risk assessment to employees so they understand the risks and the control measures in place.

Under the Management of Health and Safety at Work Regulations 1999, this can be done through:

• Team briefings or toolbox talks
• Written summaries or safe systems of work
• Training sessions
• Noticeboards or intranet updates

Information should be clear, practical and relevant to the job role. Workers need to understand what the hazards are, how they may be affected, and what controls they must follow.

Consulting employees and encouraging questions also helps ensure the findings are properly understood and applied in practice.

Employers have responsibility for ensuring that control measures identified in a risk assessment are put in place and maintained.

Under the Health and Safety at Work etc. Act 1974 and the Management of Health and Safety at Work Regulations 1999, employers must implement appropriate safeguards, provide supervision and training, and monitor compliance.

Managers and supervisors are normally responsible for enforcing controls day to day, ensuring procedures are followed and equipment is used correctly.

Employees also have a legal duty to cooperate with their employer, follow safety instructions, and use control measures as required. Health and safety is therefore a shared responsibility, with accountability sitting primarily with the employer.

There is no specific qualification required, but you must be competent under the Management of Health and Safety at Work Regulations 1999.

To be considered competent, you should have:

• Knowledge of the work activity and associated hazards
• Training in basic risk assessment principles
• Experience relevant to the task or environment
• Understanding of appropriate control measures

For low-risk environments, general health and safety training may be sufficient. Higher-risk activities (e.g. construction, chemicals, complex machinery) may require more specialised training or external support.

Employers must ensure the person conducting the assessment has the right level of competence for the risks involved.

Under the Management of Health and Safety at Work Regulations 1999, a competent person is defined as someone who has sufficient training and experience or knowledge and other qualities to enable them to properly assist the employer in complying with health and safety law.

In practical terms, this means the person must:

• Understand the work and associated hazards
• Be able to assess risks appropriately
• Know what control measures are suitable
• Recognise the limits of their expertise and seek specialist advice where necessary

The level of competence required will depend on the nature and complexity of the work being assessed.

Yes. Health and safety law requires employers to consider specific risks to both new or expectant mothers and young workers.

Under the Management of Health and Safety at Work Regulations 1999:

• Regulation 16 requires employers to assess risks to new or expectant mothers and take action to remove or control those risks. This may involve adjusting working conditions or hours, offering suitable alternative work, or suspending the employee on paid leave if necessary.
• Regulation 19 requires employers to assess risks to young persons (under 18), taking into account their lack of experience, awareness of risks and physical or psychological immaturity.

This often means carrying out a specific or additional risk assessment tailored to the individual, even if a general workplace risk assessment is already in place.

Employers have the same duty of care for home workers as for office-based staff under the Health and Safety at Work etc. Act 1974 and the Management of Health and Safety at Work Regulations 1999.

To carry out a home working risk assessment:

• Identify hazards – often display screen equipment (DSE), workstation set-up, electrical safety, stress or isolation.
• Assess the risks – consider posture, working hours, workspace suitability and wellbeing.
• Implement controls – provide guidance on workstation set-up, suitable equipment, regular breaks and communication arrangements.
• Record and review – document significant findings (where required) and review if circumstances change.

In most cases, this can be done using a self-assessment questionnaire supported by guidance and follow-up where concerns are identified. The focus should be on practical, proportionate measures rather than intrusive inspection.

A generic risk assessment covers common hazards and control measures for a type of activity or task. It is normally used as a template across multiple sites where the work is broadly similar.

A site-specific risk assessment is tailored to a particular location. It considers the actual environment, layout, people involved, equipment used and any unique risks present at that site.

Key differences:

• Generic: Broad, reusable, often used as a starting point.
• Site-specific: Detailed, location-focused, reflects real conditions.
• Generic: May not account for local variations.
• Site-specific: Adjusted to ensure controls are suitable and effective in practice.

In most cases, a generic assessment can be adapted to create a compliant site-specific version, but it should never be used without review and amendment where site conditions differ.

A hazard is anything with the potential to cause harm. This could include substances, equipment, work processes, or environmental conditions.

A risk is the likelihood that the hazard will cause harm, combined with how severe that harm could be.

Residual risk is the level of risk that remains after control measures have been put in place.

Even when hazards are reduced through engineering controls, safe systems of work or supervision, it is not always possible to remove all risk completely. The remaining level of risk is known as residual risk.

For example:

• A machine may be fitted with guards (control measure), but there may still be a small remaining risk of injury.
• Slips may be reduced through good housekeeping, but cannot always be eliminated entirely.

Residual risk should be reduced to a level that is as low as reasonably practicable (ALARP) and must be acceptable before work continues.

A risk matrix helps you evaluate the level of risk by comparing likelihood (how probable an incident is) against severity (how serious the harm could be).

To use a risk matrix:

1. Identify the hazard.
2. Score the likelihood of harm occurring (e.g. rare to very likely).
3. Score the severity of potential harm (e.g. minor injury to fatality).
4. Multiply or cross-reference the scores using the matrix.
5. Determine the risk rating (e.g. low, medium, high).
6. Decide on appropriate control measures based on the level of risk.

After controls are implemented, you should reassess the hazard to determine the residual risk.

A risk matrix supports decision-making but should not replace professional judgement, especially in higher-risk environments.