Most guidance either hands you a blank form or describes the process in the abstract. This page does neither. Below you will find a single, fully completed risk assessment for a realistic UK workplace scenario — a small office with six employees, including a lone worker and regular display screen equipment (DSE) users — with every cell filled in, every column annotated to show which part of the legal duty it satisfies, and a worked matrix showing exactly how a control measure changes a risk rating.
The Legal Duty Behind Every Column
Before reading the example, understand what compels you to produce this document at all.
Management of Health and Safety at Work Regulations 1999 (SI 1999/3242), regulation 3(1) requires every employer to make a suitable and sufficient assessment of the risks to the health and safety of their employees while at work, and of persons not in their employment who may be affected by the conduct of the undertaking — for the purpose of identifying the measures needed to comply with statutory health and safety requirements.
Regulation 3(2) extends the same duty to relevant self-employed persons in relation to their own health and safety and to others who may be affected.
Regulation 3(6) then adds a recording obligation: where an employer has five or more employees, they must record the significant findings of the assessment and identify any group of employees found to be especially at risk.
Those three paragraphs explain why every column in the table below exists. The HSE's five-step framework — (1) identify hazards, (2) assess the risks, (3) control the risks, (4) record your findings, (5) review the controls — is the HSE's recommended approach to meeting that reg 3 duty, not a separate statutory obligation in its own right. Think of it as the clearest available map to a legal destination.
What a Completed Risk Assessment Looks Like — The Full Worked Example
Scenario: Brightwell Admin Services Ltd, ground-floor office, 6 employees (5 permanent, 1 lone worker who opens the premises before other staff arrive). Activities include DSE work, use of a printer/photocopier, document filing with ladder access to high shelving, and receipt of deliveries.
How to read this table: The annotations in italics beneath each column heading explain which HSE step the column satisfies and what an inspector expects to find there.
Worked Risk Assessment — Brightwell Admin Services Ltd
Date of assessment: 14 July 2025 | Assessed by: Sarah Okonkwo, Office Manager | Review date: See trigger checklist below
| # | Hazard | Who might be harmed & how | Existing controls | Likelihood (L) 1–5 | Severity (S) 1–5 | Risk rating (L × S) | Additional controls needed | Responsible person | Target date |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Trailing power and data cables across walkways — tripping hazard | All staff; visitors receiving deliveries; lone worker (Sarah M.) with no colleague present to assist if injured | Cables partially routed under desks; general awareness briefing given at induction | 3 | 3 | 9 | Install cable management trunking to all workstations; add weekly cable-check to Monday opening rota; brief lone worker on calling in before opening | Sarah Okonkwo | 28 July 2025 |
| 2 | DSE use — prolonged static posture, eye strain, upper limb discomfort | All 5 permanent staff (daily users); particularly James R. (reports existing back discomfort) | Adjustable chairs provided; monitor arms fitted to 3 of 5 workstations | 4 | 2 | 8 | Complete DSE workstation assessments for all 5 users; procure monitor arm for remaining 2 workstations; offer eye-test entitlement reminder | Sarah Okonkwo | 11 August 2025 |
| 3 | Lone working (early opening, 07:30–09:00, one person on site) | Sarah M. (lone worker) — delayed response to medical emergency, slip/fall, or intruder | Mobile phone carried; manager holds emergency contact | 2 | 4 | 8 | Implement buddy check-in: Sarah M. texts manager on arrival and at 08:30; define escalation if no contact within 15 min; post emergency numbers at reception | Sarah Okonkwo | 28 July 2025 |
| 4 | Use of stepladder to access top-shelf filing (approx. 2.4 m) | Any staff member retrieving archived files — fall from height, dropped files striking others | A-frame stepladder available; no formal instruction given | 3 | 3 | 9 | Restrict ladder use to trained staff only; introduce two-person rule (one footing); log ladder inspections quarterly; consider whether top-shelf files can be relocated | Sarah Okonkwo | 11 August 2025 |
| 5 | Manual handling — moving boxes of paper (500-sheet reams, typically 5–10 reams per box) | Staff receiving deliveries and restocking printer — back strain, crush injury to hands | No formal instruction; trolley available but not always used | 3 | 2 | 6 | Mandate trolley use for all deliveries; deliver toolbox-talk on correct lifting technique; add handling guidance to induction checklist | Sarah Okonkwo | 28 July 2025 |
Groups especially at risk (reg 3(6)): Sarah M. (lone worker); James R. (pre-existing back condition — monitor DSE controls closely).
Column-by-Column Annotations
| Column | HSE Step it satisfies | What an inspector expects |
|---|---|---|
| Hazard | Step 1 — Identify hazards | Specific, not vague ("trailing cables across walkways", not "cables"). References how the hazard arises from actual work activity. |
| Who might be harmed & how | Step 2 — Assess the risks | Named groups, not just "employees". Vulnerable workers (lone worker, person with health condition) called out explicitly to satisfy reg 3(6). |
| Existing controls | Step 3 — Control the risks | Honest account of what is actually in place — not a wish list. Gaps left visible so additional controls can be targeted. |
| Likelihood / Severity / Rating | Step 2 — Assess the risks | Scores reflect the situation with existing controls in place. The 1–5 × 1–5 matrix is industry best practice, not a statutory requirement. |
| Additional controls needed | Step 3 — Control the risks | Concrete, actionable — names a specific measure ("cable management trunking"), not a vague instruction ("improve housekeeping"). |
| Responsible person | Step 4 — Record findings | A named individual, not a job title alone. Inspector will check this person knew they were responsible. |
| Target date | Step 4 — Record findings | Realistic and tracked. Overdue actions with no follow-up record are a common enforcement prompt. |
Step 1 — Identifying Hazards: What to Look For and How to Record It
The HSE directs employers to think about: how people work and how plant and equipment is used; what chemicals and substances are used; what safe or unsafe work practices exist; and the general state of the premises. Past accident and ill-health records are also a recommended source, as are non-routine operations such as maintenance or changes to production cycles.
In the Brightwell example, the lone-working hazard was identified partly because a previous near-miss (Sarah M. locked herself out at 07:45 with no escalation procedure) was on record. That record directly informed the assessment — exactly the purpose the HSE framework intends.
Practical rule: If you cannot describe the hazard in one specific sentence that names the source, the activity, and the potential harm, it is not yet defined well enough to control.
Step 2 — Who Might Be Harmed and How: Employees, Contractors, Visitors, Lone Workers
Regulation 3(1)(b) of SI 1999/3242 explicitly covers persons not in your employment. In a small office that means delivery drivers, visiting clients, and maintenance contractors. The HSE guidance specifically highlights vulnerable workers — young workers, new or expectant mothers, people with disabilities — as groups requiring particular consideration.
In the worked example, James R.'s pre-existing back condition elevates the DSE hazard for him relative to his colleagues. Reg 3(6) requires that any group of employees identified as especially at risk is recorded. That is why the worked table includes a named note beneath it.
Step 3 — Evaluating Risk: The Likelihood/Severity Matrix Explained
The 1–5 × 1–5 scoring matrix is industry convention, not statute. It exists because "high / medium / low" labels are subjective and inconsistent between assessors. Numerical scoring forces a decision and creates an auditable record of reasoning.
How the Same Hazard Moves From Rating 9 to Rating 2
Hazard: Trailing cables across office walkways
| Stage | Existing controls | Likelihood (1–5) | Severity (1–5) | Rating (L × S) | Status |
|---|---|---|---|---|---|
| Before additional controls | Cables partially under desks; verbal briefing only | 3 | 3 | 9 | Unacceptable — action required |
| After additional controls | Cable trunking installed to all workstations; weekly cable check on Monday opening rota; lone worker briefed | 1 | 2 | 2 | Acceptable — monitor |
Scale reference (best practice):
| Score | Likelihood | Severity |
|---|---|---|
| 1 | Very unlikely | Negligible (minor discomfort) |
| 2 | Unlikely | Minor injury, no lost time |
| 3 | Possible | Lost-time injury |
| 4 | Likely | Serious injury / hospitalisation |
| 5 | Almost certain | Fatal or multiple serious injuries |
Rating interpretation (indicative):
- 1–4: Acceptable — document and monitor
- 5–9: Moderate — schedule improvements; increase supervision
- 10–15: High — implement controls urgently; consider stopping the activity
- 16–25: Unacceptable — stop the activity until controls are in place
Step 4 — Recording Your Findings: What 'Suitable and Sufficient' Means in Practice
Regulation 3(6) of SI 1999/3242 states that where an employer employs five or more employees, they must record the significant findings of the assessment and any group of employees identified as especially at risk.
'Suitable and sufficient' is not defined by word count or column count. In practice it means the document must:
- Identify the real hazards present (not a generic list copied from the internet)
- Reflect the actual workforce and premises, including any vulnerable workers
- Show what controls are already in place and what further action is planned
- Name a responsible person and a target date for outstanding actions
- Be retrievable — a document that cannot be found during an inspection has no evidential value
⚠️ Note: A risk assessment is a distinct document from a RAMS (Risk Assessment and Method Statement). A RAMS combines a risk assessment with a method statement and is typically a contractual or procurement requirement on construction projects. Regulation 3 of SI 1999/3242 requires a risk assessment; it does not prescribe the RAMS format.
Step 5 — Reviewing and Updating: When Must You Reassess?
Regulation 3(3) of SI 1999/3242 sets out the legal test: an assessment must be reviewed if (a) there is reason to suspect it is no longer valid, or (b) there has been a significant change in the matters to which it relates. Where a review identifies that changes are required, those changes must be made.
The regulation does not prescribe a universal annual review cycle. Annual review is common practice in many organisations and can be a sensible default, but the legal trigger is the validity test in reg 3(3), not the calendar.
Review Trigger Checklist
Use this checklist alongside your live risk assessment record. A review is required when any of the following applies:
| # | Trigger | Why it matters under reg 3(3) |
|---|---|---|
| 1 | New or changed work equipment or substances introduced | The matters to which the assessment relates have changed — reg 3(3)(b) |
| 2 | New or significantly changed work process or layout | Changes in how work is done alter both hazard profile and existing controls |
| 3 | Significant change in the workforce — including a new young worker, a worker who declares a health condition, or a change in staffing levels affecting lone-working arrangements | May create new vulnerable groups requiring separate consideration under reg 3(4)–(6) |
| 4 | Accident or near-miss on site | Provides reason to suspect the assessment is no longer valid — reg 3(3)(a) |
| 5 | Worker raises a concern about a hazard not covered in the current assessment | Provides reason to suspect the assessment is no longer valid — reg 3(3)(a) |
| 6 | Significant time has elapsed and no review has taken place | Good practice default: if nothing else has triggered a review, periodic revalidation confirms the assessment still reflects actual conditions |
Note: Triggers 1–5 derive directly from the reg 3(3) validity test. Trigger 6 is a practical safeguard — the interval should be proportionate to the level of risk and rate of change in the workplace.
Common Mistakes That Make a Risk Assessment Invalid
❌ Common Mistakes Callout
1. Vague hazard descriptions "Slips and trips" is not a hazard. "Wet floor surface at the entrance lobby during rain, due to absence of matting" is. Vague descriptions produce vague controls.
2. No named responsible person Writing "management" or "all staff" against an action means nobody owns it. An inspector will ask who was responsible and whether they knew.
3. Missing or overdue target dates An action with no date — or a date that has passed with no evidence of completion — signals the document is not being actively managed.
4. Copying a generic template without site-specific detail A photocopied assessment that does not reflect your actual premises, equipment, or workforce does not satisfy the "suitable and sufficient" test in reg 3(1). It is the most common reason assessments fail scrutiny.
5. Scoring risk before existing controls, not after Likelihood and severity should reflect the current situation with controls in place. Scoring the uncontrolled risk and then adding controls creates a misleading picture and makes it impossible to judge residual risk.
6. No record of especially at-risk groups Regulation 3(6) requires this explicitly where five or more employees are employed. Omitting it is a direct gap against the statutory text.
Who Must Carry Out a Risk Assessment?
Under regulation 3(1) of SI 1999/3242, the duty falls on every employer. Under regulation 3(2), relevant self-employed persons carry an equivalent duty in relation to their own work and its effect on others.
The HSE is explicit that risk management can be carried out by the employer themselves or by a competent person appointed to help. There is no requirement to engage an external consultant. A small business owner who understands the work, the premises, and the people can complete their own assessment — provided it genuinely reflects those specifics and is not a generic document.
Competence here means having sufficient knowledge of the work activity, the hazards involved, and the appropriate controls — not a specific qualification. Where the hazards are complex or technical, appointing someone with relevant expertise is sensible practice.
How Ramsdocs Makes Building and Reviewing Compliant Risk Assessments Faster
Ramsdocs provides structured risk assessment documents that are pre-formatted to cover every field required by the reg 3(6) recording obligation — hazards, who might be harmed, controls in place, significant findings, and especially-at-risk groups. Every document is designed to be PC review-ready and to reduce rework on resubmission.
Because reg 3(3) requires you to review and update whenever the validity test is triggered, Ramsdocs documents are built to be edited, not filed. The column structure mirrors the worked example above, so adding a new hazard row or updating a control measure takes minutes rather than requiring a full redraft.
Frequently Asked Questions
What does a completed risk assessment actually look like, with all columns filled in? See the Brightwell Admin Services worked table above — every column is populated with scenario-specific content, including likelihood and severity scores, named responsible persons, and target dates.
What five steps must a risk assessment cover to be legally compliant? The HSE's recommended five steps are: (1) identify hazards, (2) assess the risks, (3) control the risks, (4) record your findings, and (5) review the controls. These are the HSE's guidance framework for meeting the duty in regulation 3 of SI 1999/3242.
Who is legally required to carry out a risk assessment in the UK? Every employer, under regulation 3(1) of SI 1999/3242. Relevant self-employed persons have a parallel duty under regulation 3(2). The assessment can be carried out by the employer or a competent person they appoint.
How do you score or rate a risk — what scale should you use? A 1–5 likelihood × 1–5 severity matrix is widely used industry best practice. It is not a statutory requirement. The resulting score (L × S, maximum 25) gives a consistent, auditable basis for prioritising controls.
What must be recorded in a written risk assessment, and when is writing it down legally required? Regulation 3(6) of SI 1999/3242 requires that where an employer employs five or more employees, they record the significant findings of the assessment and any groups of employees identified as especially at risk. Check current HSE guidance for confirmation of the applicable threshold in your circumstances.
How often should a risk assessment be reviewed and what triggers an immediate review? Regulation 3(3) of SI 1999/3242 requires a review if there is reason to suspect the assessment is no longer valid, or if there has been a significant change in the matters to which it relates. The six triggers in the checklist above operationalise that test. There is no universal statutory annual review requirement.
Can a small business owner complete a risk assessment themselves, or must they hire someone? Yes — the HSE states that risk management can be carried out by the employer themselves or by a competent person appointed to help. External consultants are not required; what matters is that the person doing the assessment has sufficient knowledge of the work, the hazards, and appropriate controls.
Disclaimer: This page and the worked example within it are provided for general guidance only. They do not constitute legal advice. All risk assessments must be reviewed and adapted to the specific site, task, workforce, and circumstances by a competent person before use. Ramsdocs documents are designed to be PC review-ready and to reduce rework — they do not remove the need for site-specific assessment and cannot guarantee acceptance by any enforcing authority, principal contractor, or client. What is RAMS and when is it expected on a UK construction site? RAMS — Risk Assessment and Method Statement — is the standard combined document used on construction sites to both identify hazards and define the safe sequence of work for a given task. Producing a method statement alongside a risk assessment is not itself a distinct statutory duty, but principal contractors routinely require RAMS as a condition of engagement for high-hazard activities such as work at height, hot works, lifting operations, and confined space entry. A RAMS should name the responsible person, identify the plant, equipment, and PPE required, and be agreed and signed off before work starts, so that supervision on site has a clear, pre-approved safe system to follow.
Sources Used
This guide is checked against official source material. Verify current legal duties against the live legislation and HSE guidance before relying on the content for a live project.
- Management of Health and Safety at Work Regulations 1999, regulation 3 (legislation.gov.uk)
- Construction (Design and Management) Regulations 2015 (legislation.gov.uk)
- Managing risks and risk assessment at work (HSE)
- Planning for construction work (HSE)
Put This Guide To Work
Use the related templates, trade hubs and free tools below to turn the guidance into a site-specific RAMS workflow.