In the UK, the duty to assess risk sits with the employer and applies across a wide range of workplaces, including offices, warehouses, and other non-construction environments. The requirement is not about producing lengthy documents or following a rigid format. It is about identifying risks created by work, putting sensible controls in place, and keeping those controls under review as work changes.
Understanding these expectations helps employers focus on what matters, avoid unnecessary complexity, and manage health and safety in a way that is proportionate to their workplace and activities.
Key Takeaways:
- UK employers are legally required to assess the risks created by their work activities, regardless of business size, sector, or perceived risk level.
- The duty to carry out a health and safety risk assessment applies to all workplaces, including offices, warehouses, and other non-construction environments.
- Employers must assess risks to employees and to anyone else who may be affected by the work, including contractors, visitors, and members of the public.
- A suitable and sufficient risk assessment identifies workplace hazards, considers who may be harmed, and sets out proportionate control measures to manage risk effectively.
- There is no legally required format or template for risk assessments; the focus is on whether risks are properly identified, controlled, and kept under review.
- Health and safety risk assessments are not a one-off exercise and must be reviewed when work activities, equipment, processes, staffing, or conditions change.
- Employers can delegate the task of carrying out risk assessments, but legal responsibility for managing workplace risk always remains with the employer.
- Effective risk assessment supports compliance with UK health and safety law and helps employers manage risk in a proportionate and practical way.
What Does The Law Require Employers To Do About Risk Assessment?
In the UK, employers are required to assess the risks created by their work activities. This duty applies to everyday work, not just higher-risk tasks or unusual situations.
The requirement covers risks to employees and to anyone else who may be affected by the work. This includes visitors, contractors, and members of the public who come into contact with the workplace or work activities.
What the law expects could be described as a proportionate approach. Employers are not required to eliminate all risk or produce excessive documentation. The level of assessment should reflect the nature of the work being carried out and the level of risk involved. Lower-risk workplaces will generally require simpler assessments, while more complex or higher-risk activities require greater attention.
At its core, the legal requirement is about understanding and sensibly managing workplace risks, and keeping that understanding under review as work changes.
When is a workplace risk assessment legally required?
A workplace risk assessment is a legal requirement for all employers in the UK. Every workplace creates some level of risk, even in lower-risk environments such as offices, which means employers are expected to assess and manage those risks. There does not need to be an incident, complaint, or inspection for this duty to apply.
The requirement is not based on business size or industry. Employers with small teams and lower-risk workplaces still have a duty to assess risks created by their work, even where those risks may appear limited. This includes office-based and other lower-risk environments.
The duty is also ongoing. If work changes or an incident highlights a risk that was not previously identified or properly controlled, employers are expected to review and update their risk assessment so it continues to reflect how work is actually carried out.
So, in practice, risk assessment is not a one-off exercise. It starts when work begins and continues as work activities, conditions, or risks change over time.
What must a workplace health And safety risk assessment include?
A workplace risk assessment is expected to cover a small number of core areas to show that an employer has properly considered risk and how it is being managed in the workplace.
Hazard Identification
Employers must identify the hazards created by their work activities. This means recognising anything with the potential to cause harm, whether that comes from tasks, equipment, the working environment, or how work is organised.
Identifying hazards is the starting point for understanding risk. Without this step, it is not possible to make informed decisions about control measures.
Who May Be Harmed
Risk assessments are expected to consider who could be affected by the hazards identified. This includes employees, but also others such as:
- Contractors
- Visitors
- Members of the public
- Anyone who may come into contact with the workplace
This helps ensure risks are not assessed in isolation and that vulnerable or less obvious groups are not overlooked.
Existing Controls
Employers are also expected to record what measures are already in place to manage risk. These controls might include:
- Documented procedures or policies
- Physical safeguards
- Training
- Supervision
- Safety equipment
Recording existing controls shows how risks are currently being managed and provides a baseline for deciding where further action might be needed.
Further Actions
Where existing controls are not sufficient, risk assessments are expected to identify what additional steps are required. This is about recognising gaps and setting out what needs to change to reduce risk to a reasonable level.
Including further actions demonstrates that the assessment is not just descriptive, but actively supports improvement.
Review
Risk assessments are expected to be kept under review. Workplaces change over time, and risks can increase, reduce, or shift as activities, equipment, or staffing change.
Including a review element shows that the assessment is intended to remain relevant and reflect how work is actually carried out, rather than being treated as a one-off record.
Who is responsible if you outsource risk assessments?
Employers can delegate health and safety tasks, but they cannot delegate responsibility. Under UK law, the duty to manage workplace risk always sits with the employer, even where others are involved in carrying out assessments or controls.
In practice, many employers rely on managers, supervisors, or external health and safety consultants to support risk assessments and other activities. These people may help identify risks, carry out assessments, or advise on controls, but the employer ultimately remains accountable for making sure suitable arrangements are in place and kept under review.
This distinction matters because risk assessment is not just about who completes a document. It is about ensuring risks created by work are properly understood and managed across the workplace. Delegation can support that process, but it does not remove the employer’s overall duty to ensure it is done effectively.
Keeping responsibility clear helps avoid gaps or assumptions about ownership, particularly in larger workplaces or where roles overlap.
How often are employers required to carry out or review a risk assessment?
There is no fixed schedule in law for how often a workplace risk assessment must be carried out. What employers are required to do is ensure their risk assessments remain suitable and reflect how work is actually being done.
In practice, this means risk assessments should be reviewed and updated when something changes that could affect risk. Common triggers include changes to work activities, new equipment or processes, alterations to the workplace, or changes in staffing or supervision.
Risk assessments are also expected to be reviewed following incidents or near misses. If something happens that highlights a risk was not properly identified or controlled, employers are expected to revisit the assessment and make any necessary updates.
Alongside change-driven reviews, employers are expected to keep risk assessments under periodic review. This helps ensure assessments remain accurate over time, even where work appears broadly the same. The frequency of these checks should be proportionate to the level of risk and the pace of change in the workplace.
The key expectation is not how often an assessment is reviewed, but whether it remains relevant. Risk assessments should change when the risk changes.
How Health And Safety Training Relates To Workplace Risk Assessment
Health and safety training is closely linked to risk assessment, but it does not sit separately from it. Employers are expected to provide information, instruction, training, and supervision where these are needed to manage workplace risks effectively.
Risk assessments help employers identify:
- Where training is required
- Who needs it
- What that training should focus on
When a risk assessment highlights hazards that cannot be fully controlled through physical measures or procedures alone, training becomes one of the ways those risks are managed.
Training supports the controls identified through risk assessment, but it does not replace the need to assess risk in the first place. Providing training without understanding the risks present in the workplace does not meet an employer’s duty to manage health and safety effectively.
Training also needs to remain relevant over time. That means you may need to introduce it or update it when changes happen across:
- Work activities
- Equipment
- Processes
Understanding this relationship helps employers take a proportionate approach, so training is meaningful and aligned with the real risks present in the workplace.
Do different workplaces have different requirements?
The legal duty to assess risk is the same for all employers, but how that duty is applied varies depending on the workplace and the activities taking place. For example:
- In office environments, risks are often linked to display screen work, manual handling of light loads, fire safety, and lone working.
- Warehouses typically involve higher levels of manual handling, vehicle movement, storage systems, and equipment use.
- Retail settings introduce public access, changing layouts, and fluctuating footfall, while healthcare environments involve additional considerations around patient care, infection control, and vulnerable people.
What changes between workplaces is not the requirement to carry out a risk assessment, but the focus of that assessment.
Where work has sector-specific risks, more tailored assessments are usually needed. For example, retail risk assessments often need to account for customer movement and live trading conditions.
Understanding Your Responsibilities As An Employer
If you’re unsure whether your current workplace risk assessments meet what’s required, it can help to step back and review them against how work is actually being carried out. THSP supports employers by clarifying legal duties, identifying gaps, and carrying out risk assessments that are proportionate and fit for purpose. Reach out for more information or to speak with one of our health and safety consultants.
Frequently Asked Questions About Employer Requirements for Workplace Risk Assessments
Do employers need a written risk assessment?
In most cases, yes. Employers are expected to record the significant findings of their risk assessments so risks and controls can be clearly communicated and reviewed. Written assessments are particularly important where work involves more than minimal risk or where multiple people are affected.
Is there a standard format employers must use for risk assessments?
No. The law does not require a specific format or template. What matters is that the assessment clearly identifies risks, who may be harmed, and how those risks are being managed in practice.
Do employers need separate risk assessments for different tasks?
Sometimes. Where different activities create different risks, a single general assessment may not be enough. Employers are expected to ensure risks are assessed at a level that reflects how work is actually carried out, particularly where tasks vary or involve higher risk.
Are risk assessments required for office-based workplaces?
Yes. Office-based work is often lower risk, but it still creates risks that need to be assessed. These may include display screen work, manual handling, fire safety, lone working, and visitors on site.
Who should carry out a risk assessment in the workplace?
Employers are responsible for ensuring risk assessments are carried out, but the task itself can be completed by someone else on their behalf. This might be a manager, supervisor, or a competent external adviser. What matters is that the person involved understands the work being done and the risks it creates. Responsibility for the outcome always remains with the employer.
Which regulations require a risk assessment in the workplace?
The requirement to assess workplace risks is set out primarily in the Management of Health and Safety at Work Regulations 1999. These sit alongside the Health and Safety at Work etc. Act 1974, which places a general duty on employers to protect the health and safety of employees and others affected by their work.
Are employers required to carry out fire risk assessments as well?
Yes. Fire risk assessments are a separate legal requirement under fire safety legislation and apply to most workplaces. While they sit alongside general workplace risk assessments, they focus specifically on fire hazards, evacuation, and fire controls.
Can risk assessments be shared across different workplaces or sites?
Risk assessments can be based on a common framework where workplaces and activities are similar, but they must still be reviewed and adapted to reflect local conditions. Differences in layout, staffing, equipment, or how work is carried out can all affect risk. Employers are expected to ensure each workplace assessment reflects the reality of that site, rather than relying on a shared document alone.