Risk assessments are much more than mere administrative exercises across the UK’s workplaces and buildings. They are legal, practical, and strategic requirements that greatly help protect people, property, and organisations from harm.
Under key UK legislation, risk assessments are mandatory. The Management of Health and Safety at Work Regulations 1999 set out that employers with five or more staff must make a “suitable and sufficient” assessment to identify workplace hazards, evaluate risks, and implement control measures to prevent harm to employees and visitors.
The importance of consistent and methodical risk assessment
A consistent and methodical approach to risk assessments matters, because risks do inevitably vary across different contexts. After all, it is not only general workplace safety that risk assessments are designed to address; there are also specific threats that must be accounted for, such as fire, asbestos, and/or legionella.
Poor or superficial risk assessments can lead to serious consequences for responsible persons. Such individuals may be subject to enforcement action from the UK Health and Safety Executive (HSE), fines, prosecution, civil claims, and/or even severe reputational damage.
To help avoid these adverse effects, it is crucial for responsible persons to understand that truly effective risk assessment is an ongoing management process, rather than a one-off document. In line with this, a risk assessment must be reviewed and updated to stay relevant.
Understanding the risk assessment’s purpose and scope
Let’s clearly define what a risk assessment is in legal and practical terms. A risk assessment is a careful examination of what could conceivably cause harm at a given workplace or premises. It enables the responsible person to weigh whether enough precautions are in place or more should be done.
From a legal standpoint, a risk assessment must be “suitable and sufficient” to identify hazards, evaluate risks, and determine controls to reduce risks so far as is reasonably practicable. The latter concept, also referred to as “SFAIRP” (So Far As Is Reasonably Practicable), is a balancing test in which the sacrifice (time, cost, and trouble) is weighed against the risk reduction achieved.
In a risk assessment, it is crucial for a distinction to be made between:
- Hazard identification, which involves spotting potential sources of harm such as flammable materials or asbestos-containing materials; and
- Risk evaluation, which is concerned with the likelihood and severity of harm occurring.
Accountability ultimately rests on the outcomes of risk assessments, rather than just paperwork. In other words, these processes need to be genuinely effective at preventing harm.
The responsible person – often the employer, building owner, landlord, or duty holder – remains ultimately accountable, even if specialists help.
Responsibility for the risk assessment cannot be fully delegated. While competent experts can conduct assessments, it is still the responsible person who must ensure they are appropriate. Furthermore, the responsible person is required to understand the findings and implement controls.
A one-size-fits-all approach to risk assessments fails, because it does not account for the specific nuances of different premises and risk types. This underscores the essential role that specialist knowledge can play in the management of such complex risks as asbestos and legionella.
Preparation and planning
Before you begin a risk assessment in earnest at your site, you will need to gather key information in relation to:
- Building use, occupancy levels, layout, and vulnerable groups
- Existing assessments, surveys, and records (for example, the site’s asbestos register)
- Maintenance regimes, management arrangements, and past incidents
Any missing or outdated information at this stage could undermine the accuracy of your risk assessment. For example, if you are working off an old plan for a given building, this may cause you to miss recent layout changes.
Understanding how the building is actually used is crucial. The designed purpose of a particular structure may differ markedly from the real-world activities that take place within it. Changes over time with regard to occupancy, layout, and activities should all be considered, as should the impact of contractors, visitors, and vulnerable individuals.
Identifying hazards
A central part of the risk assessment process is the systematic identification of hazards through structured inspections, walkthroughs, and input from staff. While referring to checklists can help ensure coverage, professional judgement is vital for context-specific issues.
Various common hazards and issues can often be overlooked in commercial buildings, such as:
- Management failures, like poor housekeeping and/or inadequate training
- Interface risks between systems, contractors, and tenants
- Temporary risks – for example, refurbishments or changes to operations
It is important for risk assessments to cover relatively obvious hazards such as trailing cables, as well as less immediately visible hazards, like poorly maintained water systems that could present a significant legionella risk.
Evaluating risk
The proper evaluation of a given site goes beyond simply listing hazards. It is also crucial to assess likelihood (the probability of harm coming to pass) against severity (how serious the harm could be, if it were to occur).
In this regard, qualitative judgement can often prove more reliable than rigid scoring systems or generic risk matrices. It is advisable for responsible persons to focus their assessments on realistic scenarios, rather than theoretical “worst cases”.
The risk evaluation process should include consideration of who might be harmed, as well as how. Individuals who could conceivably come to harm at a given site may encompass employees, occupants, contractors, members of the public, and particularly high-risk groups such as disabled people, lone workers, and young persons.
The responsible person will need to evaluate realistic harm pathways. For instance, they might ask themselves how a fire could spread, or how asbestos fibres could become airborne.
Controlling and mitigating risk
In their efforts to reduce risk at a given site, the responsible person should apply the following hierarchy of control:
- Elimination, whereby the hazard is removed entirely
- Substitution, which involves replacing the hazard with a safer alternative
- Engineering controls to isolate or contain the hazard (for example, using ventilation to help guard against legionella risks)
- Administrative controls encompassing relevant procedures, training, and signage
- Personal protective equipment (PPE) as a last resort – for example, respiratory protection for asbestos work.
It is often insufficient to rely on procedures alone. Higher-level controls are preferable, and should therefore be implemented wherever possible.
Decisions will need to be made on what is “reasonably practicable”, by balancing risk against time, cost, and effort. The HSE’s expectations will be that controls are put in place at a particular site, unless the given measures would be grossly disproportionate.
Recording and action planning
For most employers, particularly those with at least five employees, it is essential for findings to be recorded in writing. This should encompass information on significant hazards, who might be harmed, the controls that are already in place and/or may be needed, and responsibilities.
Responsible persons should always avoid generic templates or copy-and-paste content in their writing and documentation of risk assessments. Instead, they should tailor their approach to the specific premises for credibility.
It is important to prioritise actions based on risk level, rather than convenience. Responsible persons will need to assign ownership with realistic timescales, in addition to tracking progress. They should also take steps to integrate specific actions into their wider compliance and maintenance systems.
Review and ongoing management
A risk assessment should be reviewed and/or updated when certain legal triggers happen – for example, changes being made to the premises or how the buildings are used. The responsible person should also arrange to look at the risk assessment again after an incident or near-miss.
Even in the absence of the above circumstances or events, reviews of a risk assessment should take place at regular intervals.
The review cycle that the responsible person chooses should be based on the specific risk the given site presents. At high-risk premises, for instance, a review may happen once a year, while at a lower-risk site, a review may not take place so frequently.
Working with competent specialists
Competent specialists can play a critical role in a responsible person’s compliance drive, when it comes to aspects where in-house knowledge may be limited. Examples of such specialised areas include asbestos, fire, and legionella assessments.
Legally, “competence” in risk assessment means the given person possessing relevant qualifications, experience, sector expertise, and the ability to apply judgement.
Conclusion: how does a robust risk assessment protect people, property, and responsible persons?
The risk assessment process is a cornerstone of safe and compliant building management. It is an undertaking that demands method, competence, and follow-through, including the proper identification of hazards, the realistic evaluation of risks, the application of effective controls, thorough documentation, and diligent reviewing.
Ultimately, effective risk management is about proactive and informed decisions, rather than simply ticking compliance boxes.
To learn more about how the Assets & Compliance Managed Services (ACMS) team can help you approach risk assessments as a strategic asset to drive safer and more resilient operations, please don’t hesitate to enquire to us today.
