A risk assessment is the structured process by which an employer identifies workplace hazards, evaluates the likelihood and severity of harm, puts controls in place, and records the findings. It is not a bureaucratic formality — it is the foundation on which every other health and safety obligation rests, and it carries a direct statutory duty under UK law.
What Is a Risk Assessment and Why Is It Legally Required?
Under Regulation 3(1) of the Management of Health and Safety at Work Regulations 1999, every employer must make a suitable and sufficient assessment of:
- the risks to the health and safety of their employees whilst at work; and
- the risks to the health and safety of persons not in their employment who may be affected by their work activities —
for the purpose of identifying the measures the employer needs to take to comply with relevant statutory provisions.
Relevant self-employed persons carry the same duty under Regulation 3(2) in relation to their own health and safety and that of others affected by their work.
The phrase "suitable and sufficient" is the statutory standard. It does not mean exhaustive or perfect — but it must be proportionate to the nature of the work and genuinely address the real risks present. An assessment that is generic, untailored, or produced only to satisfy an audit is unlikely to meet that standard.
Jurisdiction note: The Management of Health and Safety at Work Regulations 1999 apply in Great Britain (England, Wales, and Scotland). Employers operating in Northern Ireland should refer to equivalent duties enforced by HSENI under Northern Irish health and safety law.
Who Must Carry One Out — and Who Counts as a 'Competent Person'?
The legal duty to ensure a suitable and sufficient assessment is made sits with the employer. HSE confirms that employers can conduct the risk assessment themselves or appoint a competent person to help them (HSE, Steps needed to manage risk).
Critically, appointing someone to assist does not transfer the Regulation 3 obligation away from the employer. The employer retains the duty; the competent person assists in discharging it.
What makes someone competent? HSE's guidance points to the ability to make a reliable judgement about risk and control for the work activity in question. In practice, this means the person should have sufficient knowledge of the work process, familiarity with the hazards involved, and enough practical experience to evaluate whether controls are adequate. There is no single prescribed qualification — competence is assessed against the specific task, not a general threshold.
HSE also stresses involving workers directly: employees often have the most detailed understanding of how work is actually carried out and where unsafe practices arise.
The 5 Steps to a Risk Assessment: A Legal Walkthrough
HSE defines risk management as a five-step process: identify hazards → assess the risks → control the risks → record your findings → review the controls (HSE, Steps needed to manage risk). Each step carries specific obligations under the "suitable and sufficient" standard of Regulation 3.
Key distinction: A hazard is anything with the potential to cause harm. A risk is the likelihood that harm will actually occur and how serious it could be. Conflating the two is one of the most common reasons an assessment fails the suitable-and-sufficient test.
Step 1 — Identify Hazards
Walk the workplace and consider: how people work and how plant and equipment are used; what chemicals and substances are used; what safe or unsafe work practices exist; and the general state of the premises (HSE). Review accident and ill-health records. Include non-routine operations such as maintenance or changes in production cycles. Consider vulnerable groups: young workers, new or expectant mothers, migrant workers, and people with disabilities.
Step 2 — Assess the Risks
For each hazard, decide who might be harmed and how, how likely harm is, and how serious the consequence could be. Document what controls are already in place and identify gaps.
Step 3 — Control the Risks
HSE's hierarchy of control asks first: can the hazard be eliminated entirely? If not, can it be substituted, engineered out, or managed through safe systems of work? Personal protective equipment sits at the bottom of the hierarchy — not the first response. You are not expected to eliminate all risks, but you must do everything reasonably practicable to protect people from harm (HSE).
Step 4 — Record Your Findings
Where an employer employs five or more employees, Regulation 3(6) requires recording: (a) the significant findings of the assessment; and (b) any group of employees identified as being especially at risk (MHSWR 1999, reg 3(6)).
Step 5 — Review the Controls
The assessment must be reviewed if there is reason to suspect it is no longer valid, or if there has been a significant change in the matters to which it relates (MHSWR 1999, reg 3(3)). There is no fixed statutory interval — review is triggered by circumstances, not a calendar.
Worked Example: Manual Handling on a Construction Site
Scenario: A groundworks subcontractor with seven direct employees is working on a live commercial construction site. The task involves manually carrying precast concrete kerb units (approximately 35 kg each) from a flatbed delivery vehicle to a laying position roughly 40 metres away across uneven ground.
Step 1 — Identify Hazards
The site supervisor walks the route and notes: uneven, muddy ground between vehicle and laying position; no mechanical lifting aid currently on the work area; kerb units are awkward to grip; task will last approximately four hours continuously; two of the seven workers are under 18.
Hazards recorded: manual handling (heavy, awkward load); slips and trips (ground condition); sustained physical loading (duration of task); specific vulnerability (young workers).
Step 2 — Assess the Risks
| Hazard | Who might be harmed | Likelihood | Severity | Risk level |
|---|---|---|---|---|
| Manual handling of 35 kg kerb units | All 7 workers, especially the 2 young workers | Medium | High (musculoskeletal injury, crush) | High |
| Slips/trips on uneven ground | All workers carrying load | Medium | Medium (fall while loaded) | Medium |
| Sustained physical loading | All workers | High | Medium (cumulative MSK harm) | High |
Step 3 — Control the Risks
Immediate controls agreed and implemented:
- Site manager to arrange a telehandler for bulk delivery to a drop-off point within 5 metres of the laying position — eliminates the 40-metre carry.
- Where residual manual handling remains, kerb units to be handled by two persons only — eliminates single-person lift.
- Ground route to be boarded with temporary trackway before work begins.
- Task duration broken into maximum 30-minute carrying phases with enforced rest breaks.
- Young workers not to carry kerb units solo under any circumstances; supervisor to confirm this verbally at daily briefing.
Step 4 — Record Your Findings
Because the employer has seven employees (≥5), Regulation 3(6) requires the significant findings and any especially-at-risk group to be recorded in writing. The ramsdocs risk assessment record captures: hazard descriptions, risk ratings (pre- and post-control), named control measures, responsible persons, and the identification of young workers as an especially-at-risk group — satisfying the reg 3(6) requirement.
Step 5 — Review the Controls
Review triggers noted on the assessment record: if the telehandler becomes unavailable mid-task; if additional young workers join the crew; if ground conditions deteriorate further; or following any near-miss or incident. No fixed date — reviewed when circumstances change.
What Must You Record — and When?
Regulation 3(6) is explicit: employers with five or more employees must record the significant findings and any especially-at-risk employee groups. "Significant findings" means the hazards that present a real risk — not every conceivable observation.
Review trigger table — when must the assessment be revisited?
| Trigger event | Regulation 3 basis |
|---|---|
| Reason to suspect the assessment is no longer valid | reg 3(3)(a) |
| Significant change in the work process or task | reg 3(3)(b) |
| New equipment introduced that changes the hazard profile | reg 3(3)(b) |
| Significant change in the workforce (e.g. new young workers or new and expectant mothers) | reg 3(3)(b); also reg 3(4) for young persons |
| Post-incident or near-miss review | reg 3(3)(a) — basis to suspect validity |
| A worker raises a concern that existing controls are not working | reg 3(3)(a) |
There is no prescribed fixed review interval in Regulation 3. A risk assessment that is dated "reviewed annually" without any of the above triggers being checked is not evidence of a valid review process.
Regulation 3 Compliance Checklist
Use this checklist to verify your risk assessment document meets the statutory requirements of Regulation 3 before submission to a principal contractor or client.
| Regulation 3 requirement | What it requires in practice | ramsdocs field / feature |
|---|---|---|
| reg 3(1)(a) — assess risks to employees | Every employee-facing hazard identified and rated | Hazard register with employee exposure fields |
| reg 3(1)(b) — assess risks to non-employees | Contractors, visitors, members of the public considered | "Persons at risk" field includes non-employees |
| reg 3(1) — suitable and sufficient standard | Assessment is task-specific, not generic | Site and task fields force location/task specificity |
| reg 3(3) — review obligation | Review triggers listed; record updated when triggered | Review trigger log with date and reason fields |
| reg 3(4)/(5) — young persons | Assessment made or reviewed before young person starts; inexperience, immaturity and risk exposure documented | Young persons flag + mandatory additional control fields |
| reg 3(6)(a) — record significant findings (5+ employees) | Hazards, affected persons, and controls recorded in writing | Significant findings summary, auto-generated on completion |
| reg 3(6)(b) — record especially-at-risk groups | Named vulnerable groups (e.g. young workers) documented | At-risk group identification field |
Common Mistakes That Make a Risk Assessment 'Not Suitable and Sufficient'
| Failing | Why it fails the reg 3 standard |
|---|---|
| Generic/template wording not adapted to the actual site or task | Assessment does not address the real risks present |
| Hazard and risk conflated (e.g. "risk: manual handling") | Cannot demonstrate that likelihood and severity were evaluated |
| Controls listed are aspirational, not confirmed as in place | Does not demonstrate measures have been identified and implemented |
| No especially-at-risk groups recorded where young workers are employed | Fails reg 3(5) and reg 3(6)(b) |
| "Reviewed annually" with no trigger-based review process | Does not meet the reg 3(3) review obligation |
| PPE listed as the primary or only control measure | Fails the reasonably practicable hierarchy |
| Non-employees (visitors, members of public) not considered | Fails reg 3(1)(b) |
How ramsdocs Automates Risk Assessment Documentation Without Removing Employer Accountability
ramsdocs structures the documentation process so that each section of your risk assessment record corresponds to a specific Regulation 3 obligation. The platform prompts you to record hazards, rate risks, confirm controls are in place, identify at-risk groups, and log review triggers — producing a PC review-ready document designed to reduce RAMS rework.
What ramsdocs does not do: it does not discharge your legal duty. Regulation 3 places the obligation on the employer (or relevant self-employed person). The software generates a structured record; the employer or appointed competent person is responsible for ensuring that the content is accurate, site-specific, and reflects actual conditions on the ground. Every assessment produced through ramsdocs must be reviewed and adapted by a competent person before use.
Frequently Asked Questions
What is a risk assessment? A risk assessment is a systematic examination of a work activity to identify hazards (things that can cause harm), evaluate the level of risk (likelihood and severity of harm), and determine what controls are needed. It is a statutory requirement under Regulation 3 of the Management of Health and Safety at Work Regulations 1999.
What are the 5 types of risk assessment? There is no statutory list of risk assessment "types" — the law requires one suitable and sufficient assessment of the risks. The five types commonly described in training material are: generic (baseline for a standard task), site-specific (adapted to the actual location and conditions), dynamic (on-the-spot reassessment as conditions change), qualitative (judgement-based scoring), and quantitative (numerical probability data). In construction practice the distinction that matters most is generic versus site-specific — principal contractors routinely reject generic assessments that haven't been made site-specific.
What are the 5 C's of risk assessment? The "5 C's" is a memory aid used in some training, not a regulatory framework — versions vary, but a common one is: Competence (who assesses), Communication (telling those affected), Controls (what reduces the risk), Compliance (meeting the legal duty), and Checking (review). The legally grounded structure remains HSE's five steps: identify hazards, assess the risks, control the risks, record the findings, review the controls.
Why is a risk assessment legally required in the UK? Regulation 3(1) of the MHSWR 1999 places a direct duty on every employer to make a suitable and sufficient assessment of risks to employees and others affected by their work. Failure to do so is a breach of the Regulations and can form the basis of enforcement action by HSE.
What are the five steps of a risk assessment? HSE defines the five steps as: (1) identify hazards, (2) assess the risks, (3) control the risks, (4) record your findings, and (5) review the controls (HSE, Steps needed to manage risk).
Who is responsible for carrying out a risk assessment? The employer holds the Regulation 3 duty. They may carry out the assessment themselves or appoint a competent person to assist — but the employer's obligation is not transferred by that appointment.
What must be recorded in a risk assessment document? Where an employer has five or more employees, Regulation 3(6) requires recording: (a) the significant findings of the assessment; and (b) any group of employees identified as being especially at risk.
How often should a risk assessment be reviewed? There is no fixed statutory interval. Regulation 3(3) requires review when there is reason to suspect the assessment is no longer valid, or when there has been a significant change in the matters to which it relates. See the review trigger table above for the specific events that should prompt reassessment.
What makes someone a 'competent person' to conduct a risk assessment? HSE's guidance points to having sufficient knowledge of the work activity and the hazards it presents to make a reliable judgement about risk and control. Competence is assessed against the specific task — it is a practical question, not a qualification threshold.
Disclaimer: This page is provided for general information only. The content must be reviewed and adapted to your specific site, task, workforce, and circumstances by a competent person before any risk assessment is used or relied upon. ramsdocs documentation is designed to support — not replace — that professional judgement. Nothing on this page constitutes legal advice.
Does CDM 2015 add risk assessment duties on top of MHSWR 1999 for construction projects? Yes — for construction work, the Construction (Design and Management) Regulations 2015 operate alongside MHSWR 1999 rather than replacing it. CDM 2015 applies to the whole construction process from concept to completion and assigns specific duties to duty holders including clients, principal designers, principal contractors, and contractors; the principal contractor or sole contractor must also prepare and maintain a construction phase plan designed to help plan, manage, and monitor the work so it is carried out in a way that secures health and safety (Construction method statements (managing the work)). Your MHSWR Regulation 3 risk assessment and your CDM construction phase plan are separate obligations — having one does not discharge the other.
Are there specific risk assessments required beyond the general MHSWR assessment on a construction site? Certain regulations require risk assessments for specific hazards and state in more detail what is required; these include work at height, hazardous substances (COSHH), manual handling, noise, vibration, and lead (Construction method statements (managing the work)). A COSHH assessment is therefore a parallel, task-specific duty triggered whenever workers may be exposed to hazardous substances such as silica dust, solvents, or cement, and it must be carried out in addition to — not instead of — the general site risk assessment. In practice, the findings of each specific assessment should feed back into the overall construction phase plan so that controls are co-ordinated across the site.
Sources Used
This guide is checked against official source material. Verify current legal duties against the live legislation and HSE guidance before relying on the content for a live project.
- Management of Health and Safety at Work Regulations 1999, regulation 3 (legislation.gov.uk)
- Construction (Design and Management) Regulations 2015 (legislation.gov.uk)
- Managing risks and risk assessment at work (HSE)
- Planning for construction work (HSE)