Completing a Risk Assessment

21st November 2025

    Carrying out a workplace risk assessment is a legal and practical cornerstone of managing health and safety in the UK. For employers, HR professionals, and health and safety leads, it is not just a box‑ticking exercise but a legal requirement that safeguards employees, contractors, and anyone affected by work activities. A well‑executed assessment helps identify potential hazards, evaluate risks, and take steps to prevent accidents or ill‑health before they occur.

    Under the Health and Safety Executive (HSE) framework, employers must complete a “suitable and sufficient” risk assessment to comply with UK law. This requirement ensures that all foreseeable hazards are managed proportionately and effectively.

    At Kingfisher Professional Services, we support employers in completing and reviewing risk assessments that meet HSE standards. Our team provides expert guidance, templates, and training to help you stay compliant, reduce risk, and maintain a safe workplace.


    Understanding the Legal Duty and What “Suitable & Sufficient” Means

    What is the legal foundation?

    The legal requirement to carry out a risk assessment arises from the Management of Health and Safety at Work Regulations 1999, specifically Regulation 3(1). This regulation states that every employer must make a suitable and sufficient assessment of the risks to employees and others who may be affected by work activities. It applies to all workplaces, regardless of size or sector.

    The purpose is straightforward: to identify what could cause harm, determine the likelihood of that harm occurring, and implement measures to control or eliminate the risks. The Health and Safety Executive (HSE) enforces these duties, and failure to complete a proper assessment can result in enforcement action, fines, or even prosecution. In serious cases, employers have faced penalties following preventable incidents where risk assessments were inadequate or not carried out at all.

    What does “suitable and sufficient” actually mean?

    A risk assessment must be both suitable and sufficient to meet the legal standard. “Suitable” means that it is appropriate for the work being done and considers all relevant hazards. “Sufficient” means it contains enough detail to demonstrate how those hazards are controlled and what steps are being taken to protect people.

    The HSE expects a suitable and sufficient risk assessment to:

    • Properly identify significant hazards and who may be affected.
    • Consider all routine and non‑routine work activities.
    • Evaluate risks and determine adequate control measures.
    • Record findings and assign responsibilities for action.
    • Be reviewed and updated regularly.

    The level of detail should be proportionate to the level of risk. High‑risk activities demand thorough documentation and detailed control measures, whereas low‑risk work may require a simpler approach.


    The Five‑Step Risk Assessment Process

    The HSE recommends a clear five‑step approach to completing a workplace risk assessment. Following these steps ensures that your assessment is structured, practical, and compliant.

    Step 1: Identify the hazards

    A hazard is anything that could cause harm, such as equipment, substances, work processes, or environmental factors. In the workplace, hazards might include moving machinery, electrical systems, manual handling tasks, hazardous chemicals, or even work‑related stress.

    To identify hazards:

    • Conduct a walk‑through inspection of your workplace.
    • Review accident, incident, and near‑miss reports.
    • Consult employees about potential risks and unsafe conditions.
    • Check manufacturer safety data sheets and maintenance manuals.

    It is also important to consider non‑routine activities, such as cleaning, maintenance, and emergency procedures, and to account for vulnerable workers, including young employees, new starters, expectant mothers, and contractors.

    Step 2: Decide who might be harmed and how

    Once hazards have been identified, determine who might be affected and how they could be harmed. This might include:

    • Employees carrying out specific tasks.
    • Contractors or temporary workers.
    • Visitors or members of the public.

    Consider groups with specific vulnerabilities. For example, lone workers, inexperienced staff, or those with health conditions may face greater risk. Understanding how they could be harmed, whether through slips, exposure to substances, or physical strain, is essential for developing effective controls.

    Step 3: Evaluate the risks and decide on precautions

    After identifying hazards and those at risk, the next stage is to evaluate the level of risk – considering both the likelihood and severity of harm. This helps prioritise which risks need urgent attention.

    Examine what controls are already in place and whether they are adequate. Then decide what additional actions are needed, using the hierarchy of controls:

    • Elimination – Remove the hazard entirely.
    • Substitution – Replace the hazard with something safer.
    • Engineering controls – Isolate people from the hazard (e.g. guarding machinery).
    • Administrative controls – Change work procedures or provide training.
    • Personal Protective Equipment (PPE) – Use PPE as a last resort.

    For example, to control manual handling risks, employers might redesign tasks to reduce lifting, provide lifting aids, and train staff on correct handling techniques. Effective controls should always be reasonably practicable, balancing risk reduction with the cost and effort required.

    A risk assessment is not just paperwork; it must lead to real, effective action to protect people.

    Step 4: Record your findings and implement them

    All businesses must conduct risk assessments. However, if your organisation employs five or more people, there is a legal requirement to record the significant findings of every risk assessment you carry out. This ensures compliance with the Management of Health and Safety at Work Regulations and provides a clear record of how risks are controlled.

    This record should include:

    • Identified hazards and associated risks.
    • Who may be harmed and how.
    • Existing and proposed control measures.
    • Names of those responsible for implementing actions and deadlines.

    Documentation should be accessible and shared with relevant staff. Implementation is key – actions identified in the assessment must be followed through, monitored, and reviewed.

    Step 5: Review your assessment and update if necessary

    Risk assessments should never be static. Regular reviews ensure they remain accurate and effective. Reassessment is essential when:

    • Work activities or equipment change.
    • Incidents or near‑misses occur.
    • New substances or processes are introduced.
    • Staffing levels or responsibilities change.

    Conduct formal reviews at least annually or sooner if significant changes take place. Keeping an audit trail demonstrates due diligence and ongoing commitment to workplace safety.


    Practical Guidance for Employers & H&S Leads

    Ensuring competence and workforce involvement

    A competent person should always carry out or oversee the risk assessment. This means someone with appropriate knowledge, training, and experience in health and safety and an understanding of the work being assessed. Employers may designate internal H&S leads or use external consultants to meet this requirement.

    Involving the workforce is crucial. Employees often have first‑hand knowledge of the tasks and associated risks, so their input improves both the accuracy and practicality of assessments. Encourage open discussions, safety briefings, and feedback mechanisms.

    Practical steps include:

    • Assigning clear roles and responsibilities.
    • Providing training in risk assessment methods.
    • Embedding risk assessment into standard operating procedures.

    Documentation, communication and hierarchy of controls

    Completing a risk assessment is only effective if its outcomes are communicated and implemented. Ensure all staff understand the control measures, have access to documentation, and receive necessary training. Follow up to confirm actions have been completed and remain effective.

    Using risk assessment templates and checklists helps standardise the process and ensures consistency across sites and teams. Kingfisher offers downloadable templates designed to align with HSE expectations.

    Common pitfalls to avoid

    Many employers fall into traps that undermine the effectiveness of their assessments. Common mistakes include:

    • Using generic or outdated templates that ignore site‑specific hazards.
    • Failing to involve staff directly engaged in the work.
    • Recording assessments but not acting on findings.
    • Neglecting regular reviews when conditions change.

    Even where risk appears low, you still need a suitable and sufficient assessment to demonstrate compliance and due care.


    How Kingfisher Professional Services Can Help

    We support organisations in building robust, compliant health and safety frameworks that embed risk assessment into day‑to‑day operations. Our services include:

    • Comprehensive workplace risk assessments, reviews, and documentation checks to ensure they are suitable and sufficient.
    • Tailored training for managers, supervisors and staff, helping them carry out assessments confidently and apply control measures effectively.
    • Development of practical templates, checklists and systems for ongoing reviews, updates and monitoring.
    • Expert advice on control measures, hierarchy of controls, and compliance with HSE expectations.
    • Ongoing retainer and consultancy support, including audits, updates, and competent advice.

    Our consultants combine practical health and safety management expertise with in‑depth knowledge of UK health and safety law and HSE good practice. By partnering with Kingfisher, employers can reduce liability, improve employee welfare, and maintain full confidence that their organisation meets its legal duties.


    Conclusion

    Completing a workplace risk assessment is a fundamental step in protecting people and ensuring legal compliance under UK health and safety law. A “suitable and sufficient” assessment enables you to identify hazards, evaluate risk levels, and implement proportionate control measures that keep your team safe.

    Following the HSE’s five‑step process – identify hazards, determine who may be harmed, evaluate risks, record findings, and review regularly – creates a strong foundation for a safer work environment.

    While templates can help, the real value lies in embedding risk assessment into your daily operations. Kingfisher Professional Services can guide you through this process, helping you stay compliant, reduce risk, and safeguard both your workforce and your reputation.


    FAQs

    Do I need to write down a risk assessment if I have fewer than five employees?
    No, it is not a legal requirement to write down a risk assessment if you have fewer than five employees. However, it is good practice to do so to demonstrate compliance and support consistent action.
    Exception: Fire risk assessments for commercial premises must be recorded in full regardless of employee numbers under current fire safety legislation.

    How often should I review my risk assessment?
    You should review your risk assessment at least annually and whenever there are significant changes, such as new equipment, work processes, or incidents.

    Can I use generic risk assessments across my business?
    Only if they are adapted to reflect the specific hazards and conditions of each site or task. Generic assessments alone are unlikely to meet the “suitable and sufficient” standard.

    Who should carry out a risk assessment?
    A competent person with relevant knowledge, experience, and training in health and safety should complete or oversee the assessment.

    What happens if I do not carry out a suitable risk assessment?
    Failing to complete a proper risk assessment can lead to HSE enforcement action, fines, reputational damage, and an increased likelihood of workplace accidents or ill‑health.


    Stay Compliant with Expert Risk Assessment Support

    At Kingfisher, we help employers complete and review workplace risk assessments that meet HSE standards. Our consultants provide practical templates, training, and hands-on advice to ensure your assessments are suitable, sufficient, and fully compliant with UK law – protecting both your people and your business.