How to get Risk Assessments right

Citation Ltd

Based on Citation Ltd's video on YouTube.

TL;DR

Risk assessments are required under the Management of Health and Safety at Work Regulations and must be suitable and sufficient for significant risks.

Briefing

Risk assessments are a legal requirement under the Management of Health and Safety at Work Regulations—and they function as an organization’s first line of defense against both criminal and civil consequences. The core message is straightforward: businesses must identify hazards, assess who could be harmed and how, evaluate the likelihood and severity of harm based on existing controls, then record, communicate, and regularly review the assessment. Doing it well matters because weak or missing assessments can lead to enforcement action, prosecutions, civil claims, reputational damage, and financial penalties.

The legal landscape splits into two streams. Criminal law is typically driven by Acts of Parliament and regulations, with guidance and approved codes issued by bodies such as the Health and Safety Executive, Environment Agency, Fire Authority, and local authorities. The most commonly cited foundation is the 1974 Health and Safety at Work Act. Civil claims are more common in practice: an individual can bring a case alleging negligence (a tort of negligence), usually heard in the County or High Court. Civil cases tend to be easier to pursue because the burden of proof is lower than in criminal matters. In both settings, a strong risk assessment helps demonstrate that the organization followed sensible, consistent steps—preventing incidents where possible, and showing how risks were mitigated when problems arose.

A risk assessment must be “suitable and sufficient.” It should be conducted whenever considering a task, not merely when legislation explicitly demands written documentation. The process begins by identifying hazards—anything with the potential to cause harm—then deciding who might be harmed (employees, contractors, visitors, and vulnerable groups such as young or inexperienced workers, including those under 18, and pregnant workers whose exposures may change). Next comes evaluating risk: how likely the hazard is to cause harm, and how severe the harm could be, taking into account existing control measures.

The assessment should incorporate standard safe working practices and training requirements. For example, someone should not be put on a forklift truck until they can demonstrate competence for that specific vehicle, not just complete a generic awareness course. Precautions should be realistic and actually implemented; “ideal” controls that won’t be done don’t count. If residual risk remains high after controls, the assessment needs revision to drive risk down—ideally toward low risk.

Recording and communication are treated as non-negotiable. Verbal-only documentation is hard to defend, so organizations should keep documentary evidence and make it available to those doing the work and to impacted third parties. Communication can take the form of toolbox talks, short training sessions, and recorded acknowledgements (including signatures where possible). Finally, risk assessments must be reviewed and updated—typically at least annually, but also after incidents, accidents, or changes in circumstances. Near misses are highlighted as early warning signals that something is not quite right.

To make the method concrete, the talk uses an intentionally absurd example: a shark in a swimming pool. The hazard is the shark (and the potential for severe injury), controls include barriers/exclusion to prevent access, affected parties include family and any subcontractors involved (like pool cleaners), and the assessment is recorded, circulated, and reviewed—especially if circumstances change or the risk becomes redundant. The takeaway is that a risk assessment left “on the shelf” is useless; it must be actively understood and applied on the ground.

Cornell Notes

Risk assessments are required under UK health and safety law and serve as protection against both criminal and civil action. A “suitable and sufficient” assessment identifies hazards, determines who could be harmed (including vulnerable groups like young workers and pregnant employees), evaluates likelihood and severity using existing controls, and sets out practical precautions. The process must be documented, communicated to everyone involved, and reviewed regularly—at least annually, and immediately after incidents or changes. Near misses are treated as key indicators that the workplace controls need adjustment. A good assessment isn’t paperwork; it’s a working system that reduces risk and provides evidence that sensible steps were taken.

What makes a risk assessment legally and practically “suitable and sufficient”?

It must be conducted whenever considering a task and must cover the significant risks to health and safety. “Suitable and sufficient” means identifying hazards, deciding who might be harmed and how, evaluating likelihood and severity based on existing controls, and then setting out precautions that are actually in place. It also requires proper documentation (not just verbal claims) and communication so the people doing the work understand and follow the controls. Finally, it must be reviewed and updated when circumstances change or when incidents occur.

How do criminal and civil health and safety cases differ, and why does that affect risk assessment quality?

Criminal action is based on legislation such as the 1974 Health and Safety at Work Act and regulations made under it, with enforcement typically involving bodies like the Health and Safety Executive, Environment Agency, Fire Authority, and local authorities. Civil claims are usually brought by individuals alleging negligence (tort of negligence) and are heard in the County or High Court. Civil cases are more common and have a lower burden of proof, so strong risk assessments help defend organizations by showing consistent, sensible steps were taken and risks were mitigated.

What’s the difference between a hazard and a risk, and how should that show up in the assessment?

A hazard is something with the potential to cause harm; a risk is the chance that the harm will actually occur, considering existing controls. The assessment should therefore start by listing what can cause harm, then quantify likelihood and severity. The talk emphasizes that people often confuse hazard with likelihood, but the method requires both: identify the potential source of harm and then evaluate how likely it is to cause injury or damage.

Who must be considered as “people at risk,” beyond employees?

The assessment should include anyone who could be harmed by the task or workplace conditions: staff operating the procedure, contractors and subcontractors working on the organization’s behalf, and members of the public or visitors who might enter the area. It also calls out vulnerable groups—young and inexperienced workers (including those under 18) and pregnant workers, whose exposures may change during pregnancy (for example, chemical exposures that may be acceptable for others may require additional controls).

What should precautions look like in a good risk assessment?

Precautions should reflect standard safe working practices and training requirements that are actually implemented. The talk uses forklift trucks as an example: competence must be demonstrated for the specific vehicle, not just completion of a generic awareness course. It also warns against recording “ideal” precautions that won’t be undertaken. If residual risk remains high after controls, the assessment should be revised to reduce risk—ideally toward low risk.

Why do communication and review matter as much as the assessment itself?

Documenting risk without communicating it leaves controls unused and hard to defend. The talk recommends keeping documentary evidence and sharing it with those doing the work and impacted third parties, using methods like toolbox talks and recorded acknowledgements. Review is equally critical: assessments should be updated at least annually, more frequently when needed, and immediately after incidents, accidents, or changes in process or personnel. Near misses should trigger attention because they often signal that controls are failing before a serious incident occurs.

Review Questions

  1. Which steps in the five-step process ensure that vulnerable groups (young workers and pregnant workers) are not overlooked?
  2. How should an organization respond in its risk assessment if residual risk remains high after existing controls are considered?
  3. What evidence and communication practices help defend a risk assessment in both criminal and civil contexts?

Key Points

  1. Risk assessments are required under the Management of Health and Safety at Work Regulations and must be suitable and sufficient for significant risks.
  2. Health and safety enforcement can be criminal or civil; civil negligence claims are more common and have a lower burden of proof.
  3. A strong assessment identifies hazards, determines who could be harmed (including contractors, visitors, and vulnerable groups), and evaluates likelihood and severity using existing controls.
  4. Precautions must be practical and implemented, not aspirational; training and competence requirements should be specific to the task or equipment.
  5. Risk assessments must be documented and communicated so staff and relevant third parties actually follow the controls.
  6. Assessments require regular review—typically annually, but also after incidents, accidents, near misses, or changes in circumstances.
  7. Leaving a risk assessment unused (“on the shelf”) undermines both safety outcomes and the organization’s ability to demonstrate due diligence.

Highlights

A risk assessment must be “suitable and sufficient” and cover significant risks, not just paperwork compliance.
Civil negligence claims are more likely than criminal prosecutions, so strong assessments matter even when no incident has yet occurred.
Competence must be task- and equipment-specific—generic awareness training isn’t enough for operating equipment like forklift trucks.
Precautions should be real and implemented; recording controls that won’t happen doesn’t reduce risk or strengthen defense.
Near misses are treated as early warning data that should trigger review and updates to the assessment.

Topics

  • Health and Safety Law
  • Risk Assessment Process
  • Hazards and Risk
  • Training and Competence
  • Review and Communication

Mentioned

  • Pete Doyle