ClearCut.tools
Health & Safety5 April 20264 min read

How to Write a Risk Assessment: A Plain-English Guide for UK Small Businesses

A step-by-step guide to writing a workplace risk assessment for UK small businesses. Covers the HSE 5-step process, who needs one, common mistakes, and how often to review.

A risk assessment is not a bureaucratic box-tick. It is a structured way of identifying what could go wrong in your workplace and deciding what you will do about it. Get it right and you protect your people, your business, and yourself from legal liability.

What Is a Risk Assessment?

Under the Management of Health and Safety at Work Regulations 1999, every employer in Great Britain must carry out a suitable and sufficient risk assessment of the risks to employees and others affected by their work. If you have five or more employees, you must record the significant findings in writing.

A risk assessment is not a guarantee that nothing will go wrong. It is a documented process that shows you have thought systematically about hazards, who might be harmed, and what controls you have put in place.

Who Needs to Do One?

Every business that employs people — or where people work — needs a risk assessment. This includes:

  • Offices and retail premises
  • Construction, trade, and maintenance businesses
  • Hospitality, catering, and food service
  • Warehouses and manufacturing sites
  • Home-based businesses where clients or contractors visit

Even sole traders need to consider risks to members of the public or contractors on their premises.

The HSE 5-Step Process

The Health and Safety Executive sets out a clear five-step process for risk assessment. Following it methodically will satisfy your legal duty.

Step 1: Identify the hazards. Walk around your workplace and look for things that could cause harm. Talk to your employees — they often know the risks better than anyone. Hazards include physical dangers (trailing cables, heavy loads), chemical risks (cleaning products, solvents), biological agents, and psychosocial risks like lone working or excessive workload.

Step 2: Decide who might be harmed and how. Think beyond your direct employees. Consider contractors, delivery drivers, visitors, members of the public, and any workers with specific vulnerabilities such as new or expectant mothers, young workers, or those with disabilities.

Step 3: Evaluate the risks and decide on precautions. For each hazard, consider the likelihood of harm occurring and the severity if it does. Have you already taken steps to reduce the risk? Are those steps sufficient? The HSE hierarchy of controls — eliminate, substitute, engineering controls, administrative controls, personal protective equipment — gives you a framework for deciding what more to do.

Step 4: Record your findings and implement them. Write down what hazards you found, who is affected, and what controls you have in place. If you have five or more employees this is a legal requirement. The record does not need to be lengthy, but it must be meaningful.

Step 5: Review the assessment and update if necessary. A risk assessment is a living document, not a one-off exercise.

Try the Risk Assessment Generator - free, instant results.

Open tool

How Often Should You Review?

Review your risk assessment whenever something significant changes — new equipment, a new process, new staff, or after any accident or near-miss. As a minimum, review it at least annually. The HSE does not specify a fixed review period, but "suitable and sufficient" implies keeping it current.

Common Mistakes Small Businesses Make

Being too generic. A risk assessment that says "trip hazard — keep floors clear" without identifying the specific location or who is responsible for keeping it clear is of limited value and may not satisfy an HSE inspector.

Focusing only on obvious physical risks. Stress, lone working, and workplace violence are all risks that must be assessed. Mental health risks are increasingly scrutinised.

Not involving employees. Workers have practical knowledge of day-to-day hazards. Failing to consult them is not just a missed opportunity — under the Health and Safety (Consultation with Employees) Regulations 1996, you have a duty to consult.

Completing it once and forgetting it. A risk assessment completed three years ago for a business that has since moved premises or changed its processes is not suitable and sufficient.

Overstating controls. Do not write down controls you intend to put in place as if they already exist. Record what is actually in place now.

Free vs Professional Assessments

A free template can be a starting point, but it will not know the specific layout of your premises, the chemicals you use, or the particular vulnerabilities of your workforce. For low-risk offices, a template may be sufficient. For higher-risk environments — construction, food production, care settings — a tailored assessment is worth the investment.

The HSE provides free guidance and example risk assessments at hse.gov.uk. These are industry-specific and a good first reference for most trades.

Try the Risk Assessment Generator - free, instant results.

Open tool

Related Tools

Risk Assessment Generator
Generate a complete risk assessment for any activity or workplace using AI.
Health & Safety Policy Generator
Generate a full health and safety policy document for your business using AI.
Back to all guides