5 Steps to a Risk Assessment: A Practical UK Guide with Worked Example

Last updated 5 June 2026. Based on HSE guidance and legislation.gov.uk primary legislation.

Risk management is a step-by-step process for controlling health and safety risks caused by hazards in the workplace. The HSE defines the five steps as: Identify hazards → Assess the risks → Control the risks → Record your findings → Review the controls. (HSE)

This page walks through every step with concrete guidance, a complete worked example for a small construction firm, and a step-completion checklist that tells you not just what to do — but how to know when each step is genuinely finished.


What the 5-Step Process Is — and the Regulation That Makes It a Legal Duty

The duty to carry out a risk assessment is not guidance or best practice. It is a statutory obligation.

Management of Health and Safety at Work Regulations 1999, regulation 3(1) requires every employer to make a suitable and sufficient assessment of:

  • the risks to employees while they are at work, and
  • the risks to persons not in their employment arising from the conduct of the undertaking —

for the purpose of identifying the measures needed to comply with relevant statutory provisions. (reg 3)

Regulation 3(2) extends the same duty to relevant self-employed persons in relation to their own health and safety and that of others. The five-step process is the HSE's practical framework for discharging that duty.


Before You Start: Hazard vs Risk

Getting this distinction right shapes every subsequent decision.

| Term | Definition | Example |
|---|---|---|
| Hazard | Anything with the potential to cause harm | An exposed live conductor |
| Risk | The likelihood that the hazard will cause harm, combined with the severity of that harm | The chance that a worker contacts the live conductor and receives an electric shock |

Confusing the two leads directly to the most common risk assessment failure: rating the hazard rather than evaluating the likelihood and severity of actual harm to real people.


Step 1 — Identify the Hazards

Look around your workplace and consider everything that may cause harm. According to the HSE, you should think about: how people work and how plant and equipment are used; what chemicals and substances are used; what safe or unsafe work practices exist; and the general state of the premises. (HSE)

Practical sources to check:

  • Walk the task or site — look at the actual work, not a theoretical version of it
  • Review your accident and near-miss records (less-obvious hazards often appear here first)
  • Consider non-routine operations: maintenance, start-up, emergency procedures
  • Talk to your workers — they are closest to the task and usually have the most useful observations
  • Think about hazards to health as well as safety: manual handling, chemical exposure, noise, stress

Vulnerable groups require explicit consideration. The HSE guidance identifies young workers, migrant workers, new or expectant mothers, and people with disabilities as groups with particular requirements. Regulation 3(4) makes the assessment of risks to young persons a specific legal precondition to employing them. (reg 3(4))


Step 2 — Decide Who May Be Harmed and How

A hazard without an identified harm pathway is incomplete. For every hazard identified in Step 1, name every distinct group who could be harmed and describe how that harm could occur.

Groups to consider beyond your direct employees:

  • Sub-contractors and labour-only trades sharing the work area
  • Visitors, clients, and delivery drivers
  • Members of the public adjacent to the site
  • Lone workers whose isolation increases certain risks
  • Young persons (under 18), whose inexperience is explicitly called out in reg 3(5)

Step 2 is only complete when you have named every distinct group exposed to each hazard and written a credible harm pathway for each — not just "employees could be harmed" but "first-fix electricians working in the ceiling void could contact live tails left by the previous trade, resulting in electric shock or cardiac arrest."


Step 3 — Evaluate the Risks and Decide on Control Measures

Once you know who could be harmed and how, assess how likely harm is and how severe it would be, then decide whether existing controls are adequate or further action is needed.

Using a risk matrix: A 5×5 likelihood/severity matrix is a widely used practical tool. It is not mandated by the Regulations — it is an aid to consistent decision-making. Score likelihood (1 = very unlikely → 5 = almost certain) and severity (1 = minor injury → 5 = fatal/catastrophic), then multiply the two. A score at or above a threshold you define (commonly 15) signals that current controls are inadequate.

The hierarchy of control measures (from most to least effective):

  1. Eliminate the hazard entirely
  2. Substitute with something less hazardous
  3. Engineer controls (guarding, local exhaust ventilation, isolation)
  4. Administrative controls (safe systems of work, permit-to-work, training)
  5. Personal protective equipment (last resort, not a substitute for higher-level controls)

The HSE is explicit that you are not expected to eliminate all risks — but you must do everything reasonably practicable to protect people, balancing the level of risk against the cost, time, and effort of control measures. (HSE)

Critical error to avoid: Do not assign your residual risk rating until the controls you intend to implement are actually in place. Rating residual risk against controls that are only planned overstates how safe the task currently is.


Step 4 — Record Your Findings

When is recording a legal requirement? Regulation 3(6) states that where an employer employs five or more employees, the employer shall record:

  • the significant findings of the assessment, and
  • any group of employees identified as being especially at risk.

(reg 3(6))

If you employ fewer than five people, recording is not explicitly required by reg 3(6) — but in practice, a written record is always advisable. It demonstrates compliance, supports briefings, and provides evidence if an incident occurs.

What a legally adequate record must contain (drawn directly from reg 3(6) and HSE guidance): the hazards found, who might be harmed and how, and the controls in place to manage the risks. (HSE) (reg 3(6))

The HSE guidance is clear that paperwork alone is not the goal — the main priority is controlling risks in practice. The record should reflect what is actually happening on the ground.


Step 5 — Review and Update Your Controls

A risk assessment is not a one-off document. Regulation 3(3) requires the employer to review the assessment if:

  • there is reason to suspect it is no longer valid, or
  • there has been a significant change in the matters to which it relates.

Where a review concludes that changes are required, those changes must be made. (reg 3(3))

Trigger events for an unplanned review (drawn from HSE guidance):

  • Controls may no longer be effective
  • Changes to staff, a process, or the substances or equipment used
  • Workers have spotted problems
  • An accident or near miss has occurred

Scheduled reviews — the Regulations set no fixed interval; a periodic review (for example, annually, or at the start of each new project phase) is good practice to catch drift between trigger events.


Worked Example: A 4-Person Electrical Sub-Contractor (First-Fix Commercial Fit-Out)

Scenario: A 4-person electrical sub-contracting firm is preparing a RAMS document in ramsdocs for a first-fix installation inside a commercial office fit-out. The principal contractor requires a reviewed risk assessment before work commences. Here is how each of the five steps translates into real decisions and real content.

Step 1 — Hazards Identified

| Hazard | Source identified from |
|---|---|
| Live conductors from adjacent trades (energised at 230 V) | Site walk + conversation with site manager |
| Trailing cables creating trip hazards in corridors | Observation of existing work area |
| Confined ceiling void: restricted movement, possible dust accumulation | Pre-start site visit |
| Manual handling of cable drums and trunking lengths | Review of delivery manifest |
| Working at height from platform steps to access ceiling void | Method review |
| Dust exposure during drilling through blockwork | Process review |

Step 2 — Who May Be Harmed and How

| Hazard | Group | Harm pathway |
|---|---|---|
| Live conductors | Electricians, other trades in adjacent areas | Contact with energised conductors → electric shock, cardiac arrest, burns |
| Trailing cables | All site operatives, visitors | Trip → fall → fracture, head injury |
| Confined ceiling void | Electricians working above ceiling tiles | Restricted egress → delayed rescue in emergency; dust inhalation → respiratory harm |
| Manual handling (cable drums, trunking) | Electricians | Musculoskeletal injury from awkward postures or sustained repetitive lifting |
| Working at height | Electricians, persons below | Fall from platform steps → fracture, fatal injury; falling objects → head injury to persons below |
| Drilling dust | Electricians, adjacent trades | Respiratory sensitisation or harm from silica-containing dust |

Step 3 — Risk Evaluation and Controls (5×5 Matrix)

| Hazard | Likelihood (pre-control) | Severity (pre-control) | Initial score | Control measures | Likelihood (post-control) | Severity (post-control) | Residual score |
|---|---|---|---|---|---|---|---|
| Live conductors | 3 | 5 | 15 | Permit-to-work; confirm isolation and prove dead before work; GS38-compliant test equipment | 1 | 5 | 5 |
| Trailing cables | 4 | 2 | 8 | Cable management routes defined; daily housekeeping checks; signage | 2 | 2 | 4 |
| Confined ceiling void | 3 | 3 | 9 | Buddy system; lone working prohibited in void; void assessed for air quality before entry | 1 | 3 | 3 |
| Manual handling | 3 | 3 | 9 | Team lifts planned for heavy drums; correct posture briefing; mechanical aids where available | 2 | 2 | 4 |
| Working at height | 3 | 4 | 12 | Inspected platform steps only; exclusion zone below; operatives briefed | 2 | 4 | 8 |
| Drilling dust | 3 | 3 | 9 | P2 FFP2 masks; dampen before drilling; LEV where sustained drilling | 2 | 2 | 4 |

Scores ≥ 15 trigger escalation to the principal contractor before work commences.

Step 4 — Record

The completed risk assessment is recorded within the ramsdocs RAMS document, capturing all six hazards, harm pathways, and the controls listed above, together with the assessor's name, date, and the employer's review schedule.

Step 5 — Review Triggers Noted

The team notes three specific triggers for an unplanned review: any change to the permit-to-work system by the PC; any near miss involving trailing cables; introduction of a new operative, particularly a young person under 18, which would require a review under reg 3(4).


Step-Completion Checklist and Common Failure Modes

| Step | Step complete when… | Common failure mode | ramsdocs field |
|---|---|---|---|
| 1 — Identify hazards | Every hazard from the physical environment, equipment, substances, work practices, and non-routine operations is listed | Generic lists copied from templates without a site walk — hazards unique to this task are missed | Hazard register / activity breakdown |
| 2 — Who may be harmed | Every distinct group (employees, sub-contractors, visitors, lone workers, young persons) is named with a credible harm pathway for each hazard | Writing "employees" as the only group; omitting sub-contractors, visitors, and lone workers | People exposed / harm pathway field |
| 3 — Evaluate and control | Initial risk score assigned; control measures specified at the appropriate hierarchy level; residual score assigned only after controls are confirmed in place | Assigning residual risk before controls are actually implemented, not just planned | Risk matrix / control measures field |
| 4 — Record findings | Significant findings recorded in writing, including hazards, persons at risk, and controls; especially-at-risk groups named | Recording controls as intentions ("we will provide PPE") rather than confirmed arrangements | RAMS record / significant findings section |
| 5 — Review | Review date or trigger events documented; assessment updated after any significant change or reason to suspect invalidity | Treating the assessment as permanent; no review after an accident, near miss, or change in personnel | Review date / review trigger log |

How ramsdocs Structures All 5 Steps Inside a Single RAMS Document

A RAMS (Risk Assessment and Method Statement) is a combined document common in construction, where the risk assessment and method statement are presented together for principal contractor review. Note: a method statement is not itself a requirement of the five-step process — it is a separate construction-industry convention.

ramsdocs structures the document so that each of the five steps has a dedicated section, in sequence. This means:

  • The hazard register (Step 1) must be completed before the harm pathway fields unlock (Step 2)
  • The risk matrix (Step 3) prevents a residual score being entered without a control measure in the preceding field
  • The record is auto-populated from the entries made, satisfying the reg 3(6) recording duty for employers with five or more employees
  • The review date field and trigger-event log (Step 5) are built into the document footer

The result is a PC review-ready RAMS that follows the statutory structure — but every document produced must still be reviewed and adapted to the specific site and task by a competent person before use.


Frequently Asked Questions

What are the exact 5 steps to a risk assessment? Identify hazards → Assess the risks → Control the risks → Record your findings → Review the controls. (HSE)

What is the legal basis that makes a risk assessment compulsory in the UK? Management of Health and Safety at Work Regulations 1999, regulation 3. It requires every employer to make a suitable and sufficient assessment of risks to employees and to others affected by their undertaking. (reg 3)

Who is qualified to carry out a risk assessment? The HSE states the process can be carried out by the employer themselves or by a competent person appointed to help. (HSE) There is no statutory requirement for a specific qualification — the key test is whether the person has sufficient knowledge, experience, and understanding of the task and workplace to produce a suitable and sufficient assessment.

What must be recorded, and when does a record become a legal requirement? Regulation 3(6) requires employers with five or more employees to record the significant findings of the assessment and any group of employees identified as being especially at risk. (reg 3(6))

How often should a risk assessment be reviewed, and what triggers an unplanned review? Regulation 3(3) requires a review whenever there is reason to suspect the assessment is no longer valid, or there has been a significant change in the matters to which it relates. The HSE also identifies accidents, near misses, worker-reported problems, and changes to staff, processes, substances, or equipment as review triggers. No fixed minimum interval is set by the Regulations.

What is the difference between a hazard and a risk? A hazard is anything with the potential to cause harm. A risk is the likelihood of that harm occurring combined with its severity. A live conductor is a hazard; the chance that a worker contacts it and suffers electric shock is the risk.

How do you decide whether control measures are adequate? The test is whether you have done everything reasonably practicable — balancing the level of risk against the cost, time, and effort of the control measures. Use the hierarchy of controls (eliminate → substitute → engineer → administrate → PPE) and work down it as far as practicable before relying on PPE alone.


Disclaimer: This page is intended as practical guidance only. Every risk assessment must be reviewed and adapted to the specific site, task, and workforce by a competent person before use. Nothing on this page constitutes legal advice or guarantees compliance with any statutory duty. ramsdocs documents are designed to support — not replace — site-specific professional judgement.

Sources Used

This guide is checked against official source material. Verify current legal duties against the live legislation and HSE guidance before relying on the content for a live project.
