What is a risk assessment?

Businesses of all sizes are legally required to conduct risk assessments. Under the Management of Health and Safety at Work Regulations 1999 (external link), every employer must assess the risk to their employees’ health and safety at work. 

The minimum requirement is that employers: 

• Identify potential causes of injury or illness in their business (hazards) 
• Evaluate the likelihood and severity of harm that could occur (the risk) 
• Implement measures to remove the hazard, or if elimination is unfeasible, manage the risk.¹ (external link) 

This obligation applies equally to small businesses – even if you have just one employee. Those who are self-employed can check if health and safety laws apply to them (external link). 

These regulations are designed to ensure all workplaces maintain basic health and safety standards to protect workers from harm. 

Checking for risks is just one step in managing workplace safety. 

This is general guidance based on current UK regulations and may be subject to change. Consult the Health and Safety Executive (HSE) (external link) or a qualified advisor for the most up-to-date legal requirements.

Risk assessment is an ongoing process. 

Risk assessments should be reviewed regularly to ensure they remain current and effective. HSE recommends an annual review. There are several situations in which you should conduct a risk assessment.² (external link) 

• When you establish a business or start a new operation
• When you introduce new equipment, substances, or procedures that could cause hazards
• When you change existing work processes, layouts, or activities.

You should also conduct a new assessment following any workplace accidents or near-miss incidents, or when employees report new health and safety concerns.³ (external link)

The Management of Health and Safety at Work Regulations require all employers to ensure ‘effective planning, organisation, control, monitoring, and review’ of measures to protect people.⁴ (external link) 

The risk assessment process is a structured approach that can help small business owners identify hazards, evaluate risks, and implement proper control measures. Following a clear framework can help ensure you check thoroughly for potential risks and act appropriately to prevent accidents. 

However, if you cannot do it yourself, the Health and Safety Executive (HSE) – the national regulator for workplace health and safety – recommends that you hire a competent person (external link) to help.

Whether you’re a new business owner or an experienced entrepreneur, it is recommended that you consult HSE guidance relevant to your industry for common workplace risks (external link). You can also find various risk assessment templates and examples (external link), whether you own an office-based business or a motor vehicle repair shop. 

At every stage of the process, you should consult with your workers (external link). 

Identifying the hazards 

The first step is working out the hazards. 

To do this: 

• Walk around your workplace looking for anything that could cause harm (physical, mental, chemical, biological hazards) 
• Ask employees what they think, as they might notice hazards that aren’t immediately obvious 
• Review accident and illness records for less obvious hazards 
• Check manufacturers’ instructions or data sheets for chemicals and equipment 
• Consider long-term health hazards (such as high noise levels or exposure to harmful substances) 
• Document all identified hazards in a consistent format, noting their location and potential consequences.⁵ (external link) 

Outlining the risk rating 

Next, you can establish the level of risk. This involves considering both the likelihood of harm occurring and the potential severity of that harm. 

Many business owners use a simple risk matrix to help quantify and prioritise risks. 

To do this: 

• Determine the likelihood of harm occurring (e.g. low, medium, high) 
• Assess the potential severity of harm (e.g. slight, moderate, extreme) 
• Multiply these factors to produce a risk rating 
• Use this rating to prioritise your actions.⁶ (external link) 

For example, a hazard with a high likelihood and extreme severity would have the highest risk rating, requiring immediate attention.⁷ (external link) 

Considering who is at risk 

When considering who might be harmed by the hazards you’ve identified, HSE recommends you think beyond your immediate employees and identify groups of people rather than individuals.⁸ (external link) 

For example, you could consider: 

• Different work groups within your business who may have specific vulnerabilities 
• Maintenance workers who might be exposed during specific tasks 
• Hired contractors who might be unfamiliar with your operations 
• Visitors who are unaware of workplace hazards 
• Members of the public who might access your site or be affected by your activities 
• Employees from other companies, if you use a shared workspace 
• Vulnerable persons (including new or expectant mothers, young workers, trainees, and those with disabilities or health conditions). 

The Management of Health and Safety Work Regulations specifically require employers to consider these vulnerable groups (external link) in their risk assessments.⁹ (external link) 

Implementing precautions 

The HSE (external link)recommends prioritising control measures. For instance, you could start by asking if you could eliminate the hazard altogether. If not, could you substitute existing materials or processes for less hazardous ones?

1. Elimination: Completely remove the hazard if possible (e.g., replace a hazardous chemical with a safe one)

2. Substitution: Replace the material or process with a less hazardous one.

   If elimination or substitution is not possible:

3. Engineering controls: Install or use additional machinery to control risks
4. Administrative controls: Identify and implement procedures to work safely, including providing training, instruction or information
5. Personal protective equipment (PPE): Only after all the previous control measures have been considered and found ineffective in controlling risks to a reasonably practicable level should PPE be used.¹⁰ (external link)

For each hazard, HSE recommends that you document what control measures are already in place and what additional controls are needed. Set clear deadlines for implementing new controls and assign responsibility to specific individuals if required. 

HSE emphasises that control measures should be practical, cost-effective, and reduce risk to an acceptable level.¹¹ (external link) Remember that your assessment should be proportionate – complex risk matrices might not be necessary for simple operations with obvious hazards. 

You can learn more about how to create a small business health and safety policy in our guide to health and safety for small businesses.