ComplianceBuyer

For Professionals · Last updated 23 June 2026

Health and Safety Risk Assessment — Practitioner Reference

MHSWR 1999 framework, the SFAIRP qualifier under HSWA, the hierarchy of control under Regulation 4, the specific-regulation interface (COSHH, DSE, MHOR, WAHR, Noise, Vibration), competent person duties under Regulation 7, and the records that support defensibility. Written for safety practitioners advising clients or assessing compliance.

This reference provides practitioner-level depth on UK workplace health and safety risk assessment — the MHSWR 1999 framework, the SFAIRP qualifier, the hierarchy of control, the specific-regulation interface, and the records that support defensibility. The layman version is at /health-safety-risk-assessment.

1. Legal framework

The principal regulations and duties:

  • The Health and Safety at Work etc. Act 1974 (HSWA) — the primary statute.
  • The Management of Health and Safety at Work Regulations 1999 (MHSWR) — SI 1999/3242. The operative regulations for general risk assessment.
  • Specific regulations for specific hazards (covered below).
  • The Construction (Design and Management) Regulations 2015 (CDM 2015) — for construction work risk assessment.
  • The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR) — for incident reporting that informs subsequent assessment review.

1.1 HSWA section-by-section

  • Section 2 — General duty to employees, qualified by SFAIRP. Covers safe systems of work, plant and equipment, substances, training, supervision, working environment.
  • Section 3 — Duty to non-employees, qualified by SFAIRP.
  • Section 4 — Duty of persons in control of premises (non-employees in non-domestic premises).
  • Section 7 — Duty of employees to take reasonable care for self and others, to cooperate with employer.
  • Section 33 — Offences (the enforcement provision).
  • Section 37 — Liability of directors and other officers where corporate breach was attributable to their consent, connivance, or neglect.

1.2 MHSWR core duties

  • Regulation 3 — Risk assessment. The duty to make a "suitable and sufficient" assessment.
  • Regulation 4 — Principles of prevention to be applied (the hierarchy of control).
  • Regulation 5 — Health and safety arrangements.
  • Regulation 6 — Health surveillance.
  • Regulation 7 — Health and safety assistance (the competent person duty).
  • Regulation 8 — Procedures for serious and imminent danger.
  • Regulation 9 — Contacts with external services.
  • Regulation 10 — Information for employees.
  • Regulation 11 — Cooperation and coordination between employers sharing a workplace.
  • Regulation 12 — Persons working in host employers' undertakings.
  • Regulation 13 — Capabilities and training.
  • Regulation 14 — Employees' duties.
  • Regulation 15 — Temporary workers.
  • Regulation 16 — Risk assessment for new and expectant mothers.
  • Regulation 19 — Protection of young persons.

2. The SFAIRP test

"So Far As Is Reasonably Practicable" is the qualifier that runs through HSWA sections 2 and 3 and many of the supporting regulations. It establishes that the duty is not absolute — duties are balanced against the cost of additional measures.

2.1 The Edwards test

The leading authority is Edwards v National Coal Board [1949] 1 KB 704:

"'Reasonably practicable' is a narrower term than 'physically possible' and seems to me to imply that a computation must be made by the owner in which the quantum of risk is placed on one scale and the sacrifice involved in the measures necessary for averting the risk (whether in money, time or trouble) is placed in the other, and that, if it be shown that there is a gross disproportion between them — the risk being insignificant in relation to the sacrifice — the defendants discharge the onus on them."

The Edwards test establishes:

  • The duty is to do everything reasonably practicable
  • "Reasonably practicable" is judged at the time the decision was made, against the information then available
  • The burden of proof on the defendant is the civil standard (balance of probabilities) — see also Section 40 HSWA
  • The "gross disproportion" between risk and cost is the trigger for excusing further measures

The Edwards test continues to be applied by the courts. Practitioners advising clients on residual risk should articulate the SFAIRP decision in those terms — what is the risk, what would further measures cost, is there gross disproportion.

2.2 The reverse burden of proof — Section 40 HSWA

Section 40 of HSWA places the burden of proving SFAIRP on the defendant:

"In any proceedings for an offence under any of the relevant statutory provisions consisting of a failure to comply with a duty or requirement to do something so far as is practicable or so far as is reasonably practicable, or to use the best practicable means to do something, it shall be for the accused to prove (as the case may be) that it was not practicable or not reasonably practicable to do more than was in fact done to satisfy the duty or requirement, or that there was no better practicable means than was in fact used to satisfy the duty or requirement."

This reverse burden was challenged in R v Chargot Limited (t/a Contract Services) and Others [2008] UKHL 73 and confirmed as compatible with Article 6 ECHR. The practitioner implication: documented reasoning behind control decisions is essential — without it, the defendant cannot discharge the Section 40 burden.

3. The hierarchy of control — MHSWR Regulation 4

MHSWR Regulation 4 sets out the principles of prevention. Schedule 1 elaborates these:

  1. Avoiding risks
  2. Evaluating the risks which cannot be avoided
  3. Combating the risks at source
  4. Adapting the work to the individual
  5. Adapting to technical progress
  6. Replacing the dangerous by the non-dangerous or the less dangerous
  7. Developing a coherent overall prevention policy
  8. Giving collective protective measures priority over individual protective measures
  9. Giving appropriate instructions to employees

The practical translation is the hierarchy of control:

  1. Eliminate — remove the hazard entirely. Most effective.
  2. Substitute — replace with something less hazardous.
  3. Engineering controls — physical changes that separate people from the hazard (guards, ventilation, isolation, automation).
  4. Administrative controls — procedures, training, signage, work systems, permits.
  5. Personal protective equipment — the last line of defence.

The hierarchy is not a menu — controls are selected in order. PPE is acceptable only where higher controls cannot reduce the risk to an acceptable level. A workplace where PPE is the primary control for a hazard that could have been engineered out has not followed the hierarchy.

3.1 Common hierarchy failures

Patterns in audited workplaces:

  • PPE-as-default where engineering controls were available
  • Training treated as a substitute for engineering controls
  • Administrative controls relied upon without verification of compliance
  • Substitution opportunities not explored
  • Elimination dismissed without serious analysis

The defensibility implication: if the hierarchy was not followed, the reasoning should be documented. "We considered eliminating X but the operational impact made it not reasonably practicable for these specific reasons" is defensible. "We didn't consider it" is not.

4. "Suitable and sufficient" — practitioner standards

After an incident, the question is rarely "did you have a risk assessment" but "was your risk assessment suitable and sufficient." The standards:

4.1 Premises-specific and activity-specific

Generic templates that have not been adapted to actual work do not pass. The assessment must show evidence of:

  • Walk-through of the actual workplace
  • Examination of the actual work activities
  • Engagement with the people doing the work
  • Identification of hazards specific to this work in this workplace

4.2 Covering all foreseeable hazards

Not just the obvious ones. The assessment should consider:

  • Routine activities and routine hazards
  • Non-routine activities (maintenance, cleaning, alteration)
  • Foreseeable emergencies
  • Hazards arising from interaction between activities
  • Hazards specific to vulnerable workers (new mothers, young persons, persons with disabilities)
  • Lone working
  • Out-of-hours work

4.3 All persons at risk

The duty extends beyond employees:

  • Contractors and subcontractors
  • Visitors
  • Members of the public affected by the work
  • Vulnerable users (children, elderly, disabled, language barriers)
  • Other workers in shared premises

4.4 Hierarchy of control applied

The assessment should evidence application of the hierarchy. Where PPE is the primary control, the assessment should record why higher controls were not selected.

4.5 Actionable findings

The assessment should produce specific actions with priorities, ownership, and target dates. Generic recommendations without specific delivery accountability fail this test.

4.6 Current

A risk assessment that no longer matches the work it covers is not suitable. Annual review and trigger-event review are the operational mechanism.

4.7 Integrated with specific assessments

The general RA should reference and integrate the specific assessments. References without integration are a deficiency.

5. Specific regulation interface

The general H&S RA under MHSWR Regulation 3 sits at the top of a stack. Specific regulations require dedicated assessments for specific hazards.

5.1 Fire — Regulatory Reform (Fire Safety) Order 2005

The fire risk assessment is required under the RRO 2005 Article 9. Covered in detail at /fire-risk-assessment/professional.

Interface: the general H&S RA identifies fire as a hazard category present and references the FRA. The FRA provides the detailed content.

5.2 Legionella — HSWA / COSHH / ACoP L8

The legionella risk assessment is required under HSWA and COSHH, with L8 as the ACoP. Covered at /legionella/professional.

Interface: the general RA identifies legionella as a biological agent hazard and references the L8 assessment.

5.3 COSHH — Control of Substances Hazardous to Health Regulations 2002

COSHH assessments are required for any substance hazardous to health. Scope includes:

  • Chemicals classified hazardous under CLP Regulation (EC) No 1272/2008 (as retained in UK law)
  • Substances assigned workplace exposure limits in EH40
  • Biological agents
  • Dusts (including wood, silica, flour)
  • Fumes and aerosols
  • Asbestos (covered separately under CAR 2012)
  • Lead (covered separately under CLAW 2002)

The COSHH assessment must:

  • Identify substances and exposure routes (inhalation, ingestion, skin contact, injection)
  • Assess risk
  • Apply the hierarchy of control
  • Provide information, instruction, and training (Regulation 12)
  • Monitor exposure where required (Regulation 10)
  • Provide health surveillance where required (Regulation 11)
  • Plan for accidents and emergencies (Regulation 13)

Safety data sheets under CLP regulation 31 are the principal information source for hazardous substances; the SDS specifies hazards, control measures, and emergency procedures.

5.4 DSE — Health and Safety (Display Screen Equipment) Regulations 1992

DSE assessments are required for users, meaning those for whom DSE use is a significant part of normal work. Scope:

  • The screen
  • The keyboard and input devices
  • The work surface
  • The chair
  • The environment
  • The software
  • The user

The post-2020 hybrid working shift has made home workstation assessment a current concern. Workstations used by employees as part of work are in scope regardless of location.

5.5 Manual handling — Manual Handling Operations Regulations 1992

MHOR requires:

  • Avoidance of manual handling where reasonably practicable
  • Risk assessment where avoidance is not reasonably practicable
  • Reduction of risk to the lowest level reasonably practicable

Assessment factors include: the task, the load, the working environment, individual capability.

5.6 Working at height — Working at Height Regulations 2005

WAHR applies wherever work involves any place from which a person could fall a distance liable to cause personal injury. The regulations apply a strict hierarchy:

  1. Avoid work at height where reasonably practicable
  2. Use existing safe places of work
  3. Use equipment to prevent falls (guard rails, scaffold, MEWPs with edge protection)
  4. Use equipment to minimise distance and consequence of falls (fall arrest, nets)

Risk assessment must drive selection up the hierarchy.

5.7 Noise — Control of Noise at Work Regulations 2005

CNWR requires assessment where workers may be exposed to noise. Action values:

  • Lower exposure action value: 80 dB(A) daily personal exposure / 135 dB(C) peak sound pressure
  • Upper exposure action value: 85 dB(A) daily personal exposure / 137 dB(C) peak sound pressure
  • Exposure limit values: 87 dB(A) daily personal exposure / 140 dB(C) peak sound pressure (with hearing protection effects considered)

Different control duties apply at each threshold.

5.8 Vibration — Control of Vibration at Work Regulations 2005

CVWR applies to hand-arm vibration (HAV) and whole-body vibration (WBV).

Hand-arm vibration:

  • Daily exposure action value (EAV): 2.5 m/s² A(8)
  • Daily exposure limit value (ELV): 5 m/s² A(8)

Whole-body vibration:

  • Daily EAV: 0.5 m/s² A(8)
  • Daily ELV: 1.15 m/s² A(8)

Health surveillance is required for any worker exposed at or above the EAV.

5.9 Other specific regulations

The specific regulation framework extends further:

  • Construction (Design and Management) Regulations 2015 (CDM 2015)
  • Confined Spaces Regulations 1997
  • Control of Lead at Work Regulations 2002
  • Control of Major Accident Hazards Regulations 2015 (COMAH)
  • Dangerous Substances and Explosive Atmospheres Regulations 2002 (DSEAR)
  • Personal Protective Equipment at Work Regulations 1992 (as amended 2022)
  • Provision and Use of Work Equipment Regulations 1998 (PUWER)
  • Lifting Operations and Lifting Equipment Regulations 1998 (LOLER)
  • Pressure Systems Safety Regulations 2000

Each requires specific assessment for its specific hazards. The general H&S RA identifies which apply and integrates them.

6. The Regulation 5 arrangements

MHSWR Regulation 5 requires every employer to have arrangements for:

  • Planning
  • Organisation
  • Control
  • Monitoring
  • Review

These arrangements should be documented for employers with five or more employees. The arrangements are the operational embedding of the assessment findings — how the controls are delivered in practice.

Common deficiencies:

  • Assessment exists but no arrangements for implementation
  • Arrangements documented but not followed
  • Monitoring absent or nominal
  • Review cycle not established
  • Arrangements held by safety advisor rather than line management

7. Regulation 6 — Health Surveillance

Health surveillance is required where:

  1. There is an identifiable disease or adverse health condition
  2. Valid techniques exist to detect indications
  3. The techniques pose low risk to the worker
  4. Surveillance is likely to further protection

Specific regulations trigger specific surveillance:

  • COSHH Schedule 6 — substances with workplace exposure limits
  • Control of Noise at Work Regulations 2005 — workers above the upper action value
  • Control of Vibration at Work Regulations 2005 — workers above the action value
  • Control of Asbestos Regulations 2012 — workers exposed at or above the action level
  • Control of Lead at Work Regulations 2002 — workers above the suspension levels

Surveillance is conducted by occupational health practitioners. Records are retained for substantial periods (40 years for asbestos, lead surveillance, and certain COSHH categories).

8. Regulation 7 — Competent Persons

MHSWR Regulation 7 requires the appointment of one or more competent persons to assist with health and safety measures. Competence is functional — sufficient training, experience, and knowledge to perform the function.

8.1 Competence by business profile

Small low-risk businesses (offices, basic retail):

  • Competent management with IOSH Managing Safely (3-4 day course) typical
  • Self-assessment supported by HSE published guidance
  • External advice on specific matters where in-house competence is exceeded

Medium businesses with mixed risks:

  • NEBOSH National General Certificate as the practical baseline qualification
  • IOSH Technical (TechIOSH) or Graduate (GradIOSH) membership for senior responsibility
  • Specific training for specialist hazards

Larger businesses or higher-hazard work:

  • NEBOSH National Diploma or equivalent
  • Chartered IOSH membership (CMIOSH) for senior safety practitioners
  • Specialist consultancy support for complex matters

Specific sectors:

  • Construction — NEBOSH Construction Certificate, CITB SMSTS for site management
  • Healthcare — sector-specific awareness, HSG65 and HSG274 (for legionella) competence
  • Manufacturing — NEBOSH Diploma or equivalent, process safety competence where applicable
  • Hazardous industries (chemicals, oil and gas) — process safety competence, CCPS membership

8.2 Appointment

The Regulation 7 appointment should be documented:

  • Identification of the competent person
  • Documentation of their qualifications and experience
  • Definition of their scope of responsibility
  • Reporting line within the organisation
  • Resources made available

"We have not appointed anyone" is not a defensible answer to a Regulation 7 query.

9. Method statements and RAMS

A risk assessment identifies risks; a method statement explains how the work will be done safely. Together they are commonly known as RAMS.

RAMS are required:

  • By principal contractors before subcontractors start work (CDM 2015)
  • By clients commissioning specialist work
  • By insurers as a condition of cover for higher-risk work
  • Under permit-to-work systems

A method statement is not a substitute for a risk assessment, nor vice versa. Both are required where risk and operational sequence both need to be controlled.

Good method statements:

  • Reference the underlying risk assessment
  • Sequence the work step by step
  • Specify the controls at each step
  • Identify the competent persons and their roles
  • Address foreseeable variations and emergencies
  • Are signed off by the appropriate authority

10. Records — the documentary regime

MHSWR Regulation 3(6) requires recording where there are five or more employees:

"(a) the significant findings of the assessment; and (b) any group of his employees identified by it as being especially at risk."

In practice the record is the documentary trail that supports defensibility. Elements:

  • The general H&S RA, current edition
  • All previous editions retained
  • The Regulation 5 arrangements
  • The specific assessments referenced (fire, COSHH, DSE, MHOR, WAHR, noise, vibration)
  • Action plan with progress
  • Annual and trigger-event review records
  • Method statements where applicable
  • Records of incidents and near misses
  • Training records linked to identified controls
  • Inspections, audits, and monitoring records
  • Health surveillance records (long-term retention)
  • Regulation 7 competent person appointments

Retention should be for the working life of the activity plus a substantial period — five years minimum, longer for higher-risk activities or where claims could reach back. Specific records (health surveillance, asbestos exposure, ionising radiation) have statutory retention periods that may extend to 40 years or longer.

11. Review

MHSWR Regulation 3(3) requires review where:

  • There is reason to suspect the assessment is no longer valid
  • There has been a significant change

Practitioner triggers:

  • New equipment, materials, processes
  • New staff (particularly young workers, new mothers, pregnant workers)
  • Workplace layout changes
  • Incidents or near misses
  • Regulatory change
  • Changes to the work activity itself

Industry consensus: annual review as the baseline, trigger-event review as required, full reassessment every 3-5 years even without changes.

12. Enforcement and case law

HSE enforcement under HSWA and MHSWR is active across all sectors. The Sentencing Council Guideline for Health and Safety Offences (in force since February 2016) has produced substantially higher penalties than previous practice.

12.1 Sentencing framework

The Guideline establishes a culpability and harm matrix:

Culpability — Low / Medium / High / Very High, assessed against factors including:

  • Disregard for life and safety
  • Failure to put in place recognised industry standards
  • Failure to heed warnings
  • Cost-cutting at the expense of safety

Harm — Low / Medium / High, assessed against:

  • Risk of harm (the seriousness of harm risked and the likelihood of that harm)
  • Actual harm caused
  • Number of workers at risk

The matrix produces a starting point fine, adjusted by aggravating and mitigating factors. For very large organisations (turnover £50m+), starting points reach into seven figures.

12.2 Section 37 — director liability

Under HSWA Section 37, directors, managers, and other officers can be personally liable where the corporate offence was attributable to their consent, connivance, or neglect.

Recent prosecutions have included:

  • Custodial sentences for directors of small businesses
  • Suspended sentences with significant community orders
  • Director disqualifications under the Company Directors Disqualification Act 1986

12.3 Enforcement themes

Inadequate risk assessment. Premises where the assessment did not address the actual hazards or had not been reviewed despite significant change.

Hierarchy failures. Workplaces where PPE was the primary control for hazards that could have been engineered out, particularly where injury resulted.

Competence failures. Work performed by persons who were not competent, particularly where the Regulation 7 appointment was nominal or absent.

Reverse burden under Section 40. Defendants unable to discharge the burden because the documented reasoning for control decisions was inadequate.

Director liability. Section 37 prosecutions of directors and senior managers, particularly in cases involving fatal or life-changing injury.

This pillar should be read alongside the layman version at /health-safety-risk-assessment and the related professional pillars on fire risk assessment, legionella, and workplace safety training.

Technical reference for compliance practitioners. Citations to original source documents are listed at the end of each section. This guide is general technical reference and does not replace formal compliance assessment.