18 August 2025

Workplace risk assessments: understanding legal duties under the Management of Health and Safety at Work Regulations 1999

Ensuring the safety and health of employees is a cornerstone of responsible business practice in the UK. At the heart of this responsibility lies the legal requirement to carry out workplace risk assessments – a duty enshrined in the Management of Health and Safety at Work Regulations 1999 (MHSWR). This article sets out the legal framework surrounding risk assessments, outlines practical steps for compliance, and includes expert insights from Andrew Sanderson of Kingsley Napley and Craig Lydiate of Eighty20 Risk Systems.

The legal framework: what the law requires

The MHSWR 1999, made under the Health and Safety at Work etc. Act 1974, places a duty on employers to assess the risks to the health and safety of employees and others affected by their work activities.

Key legal duties include:

  • Regulation 3: Requires every employer to make a "suitable and sufficient" assessment of the risks to employees and others.
  • Regulation 5: Requires employers to make appropriate health and safety arrangements based on the outcomes of the risk assessment.
  • Regulation 7: Requires the appointment of competent persons to assist in undertaking protective and preventive measures.
  • Regulation 10: Mandates employers to provide comprehensible and relevant information on risks and preventive measures.

Employers with five or more employees must record the significant findings of their risk assessments and any groups of employees especially at risk (e.g. young workers, pregnant workers, disabled persons).

Hazard identification and control measures

Risk assessment is a five-step process that focuses on systematically managing workplace hazards:

  1. Identify hazards: What in your workplace could cause harm?
  2. Decide who might be harmed and how: Employees, contractors, visitors, the public.
  3. Evaluate risks and decide on precautions: What is the likelihood and severity of harm? What control measures are already in place, and what further steps are needed?
  4. Record findings and implement them: If employing five or more people, maintain written documentation.
  5. Review and update regularly: Risk assessments must be reviewed if there is reason to believe they are no longer valid, or if there has been a significant change.

According to Craig Lydiate, Director at Eighty20 Risk Systems, “Too often we see organisations treat risk assessments as a ‘tick-box’ exercise. But the most effective assessments are dynamic—they reflect operational changes, seasonal work patterns, and new technologies. Risk management must be a living process.”

The role of training

To be effective, risk assessments require competent persons – those with the necessary training, experience, and knowledge. Training should focus on:

  • Recognising workplace hazards.
  • Applying appropriate control measures.
  • Understanding legal obligations.
  • Documenting and reviewing assessments effectively.

Craig Lydiate adds: “Empowering staff through targeted training not only enhances safety but creates a culture where risk awareness is second nature. This is what drives real change on the ground.”

Practical tips for compliance

  1. Appoint a competent person: Whether internal or outsourced, ensure that someone with the right level of competence takes charge of the process. 
  2. Use sector-specific templates: While templates are not a substitute for critical thinking, industry-specific formats (such as from the HSE) can guide your approach. Eighty20’s E20 platform helps to design and deliver consistent standards.
  3. Embed risk assessment in planning: Don’t conduct assessments retrospectively. Integrate them into project planning, procurement, and policy development.
  4. Communicate outcomes: Make sure findings are shared with staff through training, briefings, signage, and digital platforms.
  5. Audit and monitor: Schedule regular audits of risk assessments and ensure implementation of control measures.

According to Andrew Sanderson, a health and safety specialist at Kingsley Napley LLP, “Legal compliance is not just about avoiding enforcement – it’s about ensuring that risk is proportionately and demonstrably managed. Failure to undertake adequate risk assessments can expose employers to criminal liability, civil claims, and reputational harm.”

Enforcement and penalties

The Health and Safety Executive (HSE) and local authorities are responsible for enforcing the MHSWR. They have broad powers to:

  • Enter and inspect premises.
  • Issue Improvement Notices or Prohibition Notices.
  • Prosecute individuals or organisations under the Health and Safety at Work etc. Act 1974.

Penalties for non-compliance include unlimited fines and, in serious cases, imprisonment for responsible persons.

Andrew Sanderson warns: “We are increasingly seeing the HSE taking a more assertive approach to enforcement, especially where there is a pattern of neglect or where vulnerable groups are affected. The courts have also shown little leniency for businesses that fail in their risk assessment duties.”

Final thoughts

A well-executed risk assessment is not just a legal requirement – it is a vital tool in protecting your workforce, ensuring productivity, and maintaining your organisation’s integrity.

Employers should view the MHSWR not as an administrative burden but as a structured framework to prevent harm before it occurs.

As Craig Lydiate aptly concludes, “Good risk assessment isn’t just about compliance – it’s about leadership. It’s about sending the message that people’s safety comes first.”

About the authors

Andrew Sanderson specialises in the transport sector, with particular expertise in road transport matters including Public Inquiries before the Traffic Commissioners and Transport Appeal Tribunal, defending road transport prosecutions in the Magistrates’ and Crown Court, health and safety, corporate manslaughter, and Coroners’ Inquests.

Craig Lydiate is the Managing Director at Eighty20 Risk Systems, a web-based H&S software supplier, providing our award-winning E20 platform to all sectors of the economy, from manufacturing and construction firms to housing groups and charitable bodies.

 
