skip to primary navigationskip to content

How to do Risk Assessment

Risk Assessment

For most tasks it is adequate to follow the simple method outlined in the text below. This is available in printable format from this link.

Where it is necessary to quantify the risk in some way, reference should be made to the various techniques outlined in the advanced guide



This code of practice describes a simple method of risk assessment that is suitable for the majority of projects. It is entirely qualitative.


  1. Risk Assessment - What Requires It And When
  • What Sort Of Activity Requires Risk Assessment?
  • What Is Risk Assessment For?
  • Who Is Responsible For Risk Assessment?
  • When Should It Be Done?
  • Case Law
  • How Risk Assessment Should Be Done
    • The Five Key Steps
    • Hazard Identification
    • Risk
    • The Standards To Which Risk Must Be Controlled
    • Control Measures: The Hierarchy
    • Records
  • Worked Example
  • Appendix: Legal Requirements And Key Terms

    Risk Assessment - What Requires It And When

    1.1 What Sort Of Activity Requires Risk Assessment ?

    All the following require formal (written) risk assessment:


    • All 'hands-on' work such as laboratory work, activities in workshops, classes, gardening, maintenance etc,
    • All public events, conferences, displays, field trips, etc.
    • Office activities, such as use of computers,
    • Moving loads - e.g. of paper, books, goods, etc,
    • Work experience placements

    You may decide to split up the task in a number of ways:

    • Risk assess the job or experiment, which is an approach that is suitable for research projects
    • Focus on the person - which is suitable for people such as cleaners, secretaries, electricians, etc
    • Focus on the equipment - an approach suitable for large items such as lathes, etc.

    Risk assessment lies at the heart of the UK approach to health and safety. The legal requirement to do risk assessment is absolute - see Appendix A.

    Risk Assessment is a very effective way of managing safety. It gets away from the prescriptive approach that defines what you can and what you cannot do, and allows a great deal of freedom in approach, provided safety is assured. There are relatively few absolute prohibitions, but you do have to control the risk to quite a low level. The real difficulty in a research environment is to give staff and students an insight into what would be judged by the enforcing authorities to be an acceptable level of risk.

    1.2 What Is Risk Assessment For?

    Risk assessment is the process for deciding

    • What you are going to do,
    • What dangers are associated with it (both those attached to the way it should work, and those attached to reasonably foreseeable failures)
    • How you are going to control the risk to an acceptable level, using engineering control, procedural control etc.

    Supervisory staff are expected to have an in-depth knowledge of scientific principle, and knowledge of how their specialised equipment works. They need to develop knowledge of the current legislative constraints on the construction and use of such equipment so that their equipment is safe and is not condemned by the HSE.

    The role of the Safety Officer is to have a comprehensive knowledge of legislation, and a reasonable grasp of all of the specialities. Thus relatively straightforward matters can be sorted out by the Safety Officer alone. In-depth advice on matters outside your own speciality should be sought from competent persons where needed, e.g. from the Head of Electronics on electrical matters, from the Chemical Safety Technician on chemical matters, the Occupational Health team at Fenners, etc. A list of the specialists in the department is maintained by the Safety Officer, and is published on the front cover of the Cavendish list, and on the website.

    1.3 Who Is Responsible For Risk Assessment?

    Risk Assessment is something to which we should all contribute. It is a skill, and is best done by more than one person, especially where there are serious risks to control. However, it is also an activity that people at all levels in the organisation should be involved with. The responsibility for risk assessment ultimately lies with management and those with a supervisory role. They must satisfy themselves that the risk assessment is suitable and sufficient, and that the control measures that are specified are adequate and are put into operation.

    A practical approach to risk assessment is to encourage the people who are going to do the job to draft the risk assessment. Staff at supervisory level should then check to see that the risk assessment is adequate, and monitor how it is put into practice.

    Independent research workers must also do risk assessments, and it is strongly recommended that research groups set up systems of peer review to assist them. They are a particularly vulnerable group of people, since they are competent in research, but few have had sufficient guidance within the UK legal system to undertake risk assessment adequately. Many will not have heard of the concept before arriving here. Degree programmes even in the UK do not universally include this element, and many of these workers originate from other countries, where the legal systems are different.

    1.4 When Should It Be Done ?

    Risk assessment must always be done before the work is carried out. It is good practice to do preliminary risk assessments at the planning stage, because it is at this stage that any major problem areas should be addressed, such as where to put gas supplies, ventilation levels required, etc.

    There should be a set of generic risk assessments to cover the more widespread or routine activities, such as use of display screen equipment, fire precautions, changing and connecting gas cylinders, etc. You do not need to do risk assessments for the kind of activities that you also do at home, such as washing up. However, if what is done at work differs significantly in scale from what is done at home, then risk assessment should be carried out.

    Risk assessments should be living documents. They need periodic review, to ensure that they are still valid. They also need to be revised if there is an accident, near miss or other evidence to suggest that they are not right, or if there is a material change in the work that would invalidate the assessment. As part of their induction, new personnel must (by law) be shown the risk assessments relevant to their work, and guided through the system of work specified.

    1.5 Case Law

    Prosecutions for failing to undertake risk assessment are very common. One of the first items that is demanded by the HSE and the injured party following a serious accident is the risk assessment. If it does not exist the odds are beginning to stack against you, since it is a criminal offence to fail to conduct risk assessments.

    Be especially wary of over-using generic risk assessments. They can save a lot of time and effort, but you must ensure that they are effective:

    A student was killed when he fell from a tree while practising his tree-felling skills. The training organisation had undertaken only a generic risk assessment, not one specific to the site in question. They were prosecuted successfully, citing regulation 3 of the Management Regulations - see Appendix A.

    How Risk Assessment Should Be Done

    2.1 The Five Key Steps

    There are some key steps that are universal:

    1. Spot the hazards - these are the things that have the potential to do harm
    2. Decide who might be harmed and how
    3. Evaluate the risks
    • What could go wrong?
    • Where is there likely to be a problem?
    • Why might it happen?
    • When could it happen?
    • Are the existing precautions adequate, or should more be done?
    • Have we done everything the law requires?
  • Record the findings in writing
  • Review the situation, to ensure that you are keeping up to date with technology, legislation, etc. and revise it if necessary.
  • As you can see, the term 'risk assessment' is something of a misnomer, since it only describes the first part of the process.

    2.2 Hazard Identification

    A hazard is something that has the potential to do harm. Therefore a brick on the deck of a scaffold three storeys up is a hazard. It has the potential to kill if it falls on someone's head. The risk of this happening is a combination of the intrinsic hazard (i.e. the amount of harm it can do), the probability of it being knocked off and the probability of someone being underneath at that time. This kind of accident would be so widespread that the control measures to prevent them are in fact prescribed by law - boards at the edge of scaffolding to stop things from falling over the edge, and the wearing of hard hats.

    The following is a list of hazards that you should at least consider (but it is not considered to be an exhaustive list). The risks arising from those marked with an asterisk must be controlled to comply with specific legal standards. The remainder must be controlled in accordance with the general requirements of the Health and Safety at Work Act.

    1. Biological hazards,*
    2. Confined spaces,*
    3. Dangerous (flammable)substances and explosive atmospheres, *
    4. Electricity,*
    5. Excavation,*
    6. Experimental rigs,
    7. Exposure to extreme temperatures,*
    8. Falls from a height,*
    9. Falling objects, collapsing structures,*
    10. Fire and explosion,*
    11. Ionising radiations,*
    12. Lifting operations using lifting equipment,*
    13. Manual handling,*
    1. Noise,*
    2. Non-ionising radiation,
    3. Lone working, personal safety,
    4. Pressure systems,*
    5. Slips, trips and falls,
    6. Substances hazardous to health,*
    7. Transport of dangerous substances,*
    8. Vibration,
    9. Work equipment,*
    10. Work-related stress,
    11. Working environment,*
    12. Workplace transport,*
    13. Work-related upper limb disorders.*

    The hazard may be present all the time, or it may arise due to a fault condition. You need to take both into account.

    2.3 Risk

    Simple situations can be analysed without resorting to any special techniques - for instance it is obvious that the coexistence of electricity and water is particularly risky, so that connections to water supplies would need to be of high integrity in this situation (or better, the system should be designed to avoid their proximity).

    People's perception of risk is extremely varied - what is an acceptable risk to one person is not to another. There are many factors that determine this mis-match, some of which are

    • The degree to which the person feels in control
    • The number of times the person has done the task
    • The number of accidents of which the person is aware - this can lead to consistent underestimation of the risk,
    • Their age and personality - some of us are 'risk takers' and some are not.

    The real factors that determine the likelihood of an accident are factors such as:

    • The number of times the situation occurs
    • The position of the hazard
    • Distractions
    • Lighting
    • Quantities of materials involved
    • Environmental conditions
    • Competence of the people involved
    • Condition of the equipment.

    The following are some guidelines for assessing the level of risk or likelihood that a hazard will lead to harm.

    Risk of the event is certain or imminent if: No control measures are applied, or
    The hazard is a cause of large numbers of injuries or ill health in national statistics, or
    People are exposed to the hazard continuously, or
    The hazard is difficult to see, or
    The hazard is encountered in adverse environmental conditions, or
    Safety is not considered to be high priority by those involved.
    For these reasons working at height is subject to strict precautions, exposed live electrical wires at dangerous voltages are generally illegal.
    Harm is very likely if: Control measures depend on an individual using them on every occasion, and
    If training and supervision are minimal.
    For these reasons we need to take care how we impose control measures in the University, for fear that they may be ineffective.
    Harm is likely if: Control measures depend on the individual using them each time, and
    Training is given and the work is normally supervised.
    If a person has to remember to use a control measure for protection, then sooner or later they will forget or find in inconvenient to take the trouble. This is unsound.
    Harm may happen if: Control measures are those that do not depend on the individual, but can break down or be removed, or
    There are a large number of people exposed, or
    The project is exploratory or new.
    Harm is unlikely if: There is a defined system of maintenance of control measures and 
    If training is given and repeated regularly, or
    The hazard is only the cause of few injuries or ill-health, or
    Few people are exposed.
    Harm is very unlikely if: Control measures are unlikely to break down or be removed or defeated easily.

    More complex situations may need semi-formal methods of analysis to predict the outcome of a particular event. There are several techniques that can be used, some of which are outlined in the Advanced Guide to Risk Assessment. They are extremely useful in situations where you need to predict and control risks for which you have no previous experience (e.g. when developing a new technique or process). The more formal methods are also useful for conducting an analysis of the possible failure modes of equipment. It is permissible to develop a hybrid technique to suit the particular circumstances: the ultimate test is whether it is adequate.

    The more formal techniques are strongly recommended if your project is to produce a product that will leave the university and be used at work elsewhere by employees of another organisation. In these situations you have Statutory obligations to produce a piece of equipment that meets all the necessary standards, bears a CE mark, has the correct type of written declaration and the correct documentation. Please consult the Safety Officer if this applies to you. She has experience in CE marking.

    2.4 The Standards To Which Risk Must Be Controlled

    The standards to be achieved in health and safety are found both in Statute and in Common Law. Every employer has common law duties of care to both his employees and others. He has a duty to take reasonable care by providing a safe place of work, with safe equipment, a safe system of work, and reasonably competent fellow employees.

    Things that should be taken into account in your assessment include:

    • Industry is expected to learn from experience (including that of others). (i.e. the first accident of its type may not be held to be the fault of the employer, but a second probably would if he had not taken steps to avoid it.)
    • Cost-benefit (and standards of care may differ in an emergency).
    • Custom and practice in "the Industry".

    The employer has particular responsibilities to:

    • Instruct and train
    • Provide equipment that is suitable
    • Care for visitors

    The standard to which safety must be ensured in any particular instance depends on the precise wording of the Regulations. The default standard is 'so far as is reasonably practicable', but there are instances where the standard required is higher, that is, there are some absolute duties. When undertaking a risk assessment the assessor needs to know this. Some examples are given in Appendix A.

    2.5 Control Measures: The Hierarchy

    When devising methods of controlling risk, there are some key principles that are universal in Health and Safety Law. There is a hierarchy among protection measures, and one should always choose measures by starting from the top.

    The hierarchy is:

    • Avoid the problem altogether - do it another (safer) way.
    • Isolate the problem at source - for example by enclosure or guarding, or removing a hazardous dust at source.
    • Isolate the person from the hazard - for example by placing a person in a refuge from noise.
    • Reduce the amount of time that the person spends in the hazardous environment.
    • Provide the person with personal protective equipment (note that this may be required to augment other measures, but should not be chosen instead.).
    • Provide welfare facilities (e.g. washing facilities for removing contamination).
    • Train the person so as to reduce the risk (again training is always a requirement, but is used to augment other risk reduction measures, not to replace them.)

    2.6 Records

    A risk assessment must be recorded in writing. A form that you can use is at Appendix C, with an annotated version at Appendix B. You are free to alter it to suit your purpose, or to record your risk assessment in a laboratory book.

    The files containing the blank forms are at 
    RAform.pdf (pdf), or
    riskassess.doc (Word)

    3 Worked Example

    Worked example of a purely qualitative approach to risk assessment:

    Task - mowing the grass with an electric rotary mower.
    Description of work activity: Mowing the grass with an electric rotary mower
    1. Catching foot in the blade
    2. Short circuit in the wet
    3. Flying stones/sticks
    4. Cutting the cable
    Who they affect
    1. The operator
    2. The operator
    3. The operator and others nearby
    4. The operator
    Reasonably foreseeable outcome
    1. Cuts, or amputation of toe(s)
    2. Electrocution
    3. Cuts, bruises, possible serious eye injury
    4. Electrocution
    Standards that should be achieved
    1. Minimise the risk by wearing safety shoes or boots.
    2. and 4. Fit earth leakage circuit breaker to minimise electrocution risk. Avoid mowing when the grass is very wet, to avoid hazard no. 2. and also minimise the risk of slipping and catching foot in blade. Adopt a mowing pattern that reduces the likelihood of mowing over the cable.
    3. Operator to inspect the grass for loose stones and sticks before mowing. Avoid mowing at times when there are people wanting to use the area. Operator to wear safety goggles. Operator to wear long trousers.
    Control measures already in place
    Record here the items that are already done.
    Actions to be taken to achieve required standard
    Record here the items that need to be improved on (with dates and responsibilities!)

    This approach is totally adequate - it prevents the reasonably foreseeable injuries.

    Appendix: Legal Requirements and Key Terms

    The requirement for risk assessment arises in the first instance from the Management of Health and Safety at Work Regulations, regulation 3:

    'Every employer shall make a suitable and sufficient assessment of 
    (a) the risks to the health and safety of his employees to which they are exposed whilst they are at work; and
    (b) the risks to the health and safety of persons not in his employment arising out of or in connection with the conduct by him of his undertaking ......
    ..for the purpose of identifying the measures he needs to take to comply with the requirements and prohibitions imposed on him by or under the relevant statutory provisions'

    Risk assessment is also cited in several other sets of Regulations as a specific legal requirement. Some of these are:

    Ionising radiation
    Display screen equipment
    Manual handling
    Personal protective equipment
    Substances hazardous to health and dangerous substances
    Young persons (i.e. those under 18 years of age)
    First aid

    In Statute, the Health and Safety at Work Act stands at the top of the hierarchy, laying down that the employer has a statutory duty to ensure, so far as is reasonably practicable, the health and safety at work of his employees, and the health and safety of others who may be affected by his undertaking.

    Subordinate to the Act, but still embedded within criminal law, are all the Regulations, dealing with such specialised items as electricity, chemicals, pressure systems, confined spaces, young people, noise, work equipment, etc.

    The words of the Regulations themselves are law. They are usually published with accompanying advice, and the status of this advice varies. If it is an 'Approved Code of Practice', signed by the Secretary of State, then the advice should be taken literally, and only varied when we can do something to a better standard. This is because failure to abide by the advice of such a code is prima facie evidence of failure to meet the requirements of the regulations, subject to the defence that we have achieved at least the same standard of safety some other way.

    Other advice comes under the heading of 'guidance notes'. These are extremely useful, as they help us to interpret 'so far as is reasonably practicable' (see below).

    Absolute Duties

    A regulation is absolute when it uses the words 'shall' or 'shall not'. The requirement must be complied with regardless of cost, effort or any other consideration.


    'Where necessary to prevent danger, suitable means (including, where appropriate, methods of identifying circuits) shall be available for -
    (a) cutting off the supply of electrical energy to any electrical equipment; and
    (b) the isolation of any electrical equipment'

    (Regulation 12, Electricity at Work Regulations 1989)

    'No person shall be engaged in any work activity where technical knowledge or experience is necessary to prevent danger or, where appropriate, injury, unless he possesses such knowledge or experience, or is under such degree of supervision as may be appropriate having regard to the nature of the work'

    (Regulation 16, Electricity at Work Regulations 1989).

    Duties Modified By 'So Far As Is Practicable'

    A regulation which bears the phrase 'so far as is practicable', or similar, demands a high standard of precautions. It is not practicable to take precautions against a danger that is not known to exist, although once the danger is known then it becomes practicable. A precaution is not practicable if it is not within the current realms of knowledge or invention. However, inconvenience and expense cannot be taken into consideration. In short: if it can be done, it must be done.


    '(1) Every employer shall ensure that measures are taken in accordance with paragraph (2) which are effective -
    (a) to prevent access to any dangerous part of machinery or to any rotating stock-bar; or
    (b) to stop the movement of any dangerous part of machinery or rotating stock-bar before any part of a person enters a danger zone.
    (2) The measures required by paragraph (1) shall consist of - 
    (a) the provision of fixed guards enclosing every dangerous part or rotating stock-bar where and to the extent that it is practicable to do so, but where or to the extent that it is not, then
    (b) the provision of other guards or protection devices where and to the extent that it is practicable to do so, but where or to the extent that it is not, then
    (c) the provision of jigs, holders, push sticks or similar protection appliances used in conjunction with the machinery where and to the extent that is practicable, but where or to the extent that it is not, then
    (d) the provision of information, instruction, training and supervision.'

    Regulation 11, Provision and Use of Work Equipment Regulations 1998. (Note that this regulation contains an absolute requirement in paragraph 1, and a 'to the extent that it is practicable' approach to the hierarchy of control measures in paragraph 2).

    Regulations specifying duties to be discharged to this level are relatively uncommon.

    Duties Modified By 'So Far As Is Reasonably Practicable'

    This is a lesser standard. The amount of risk can be balanced against the sacrifice in time, money or trouble to avoid the risk. If there is a gross disproportion between the sacrifice and the risk, i.e. the risk is insignificant in proportion to the cost, then the employer can demonstrate that it is not reasonably practicable to take the measures.

    All health and safety requirements that are not demanded to an absolute standard, or a practicable standard are required to this standard, by default, since the Health and Safety at Work Act states:

    'It shall be the duty of every employer to ensure so far as is reasonably practicable the health safety and welfare of all of his employees while they are at work' (and imposes a similar requirement for those not in his employment who may be affected).

    Unfortunately, balancing the cost of preventive measures against a risk of injury is not easy. This is where the wealth of Health and Safety Executive booklets (guidance notes) is useful. Following HSE advice, where it is available, is generally a good strategy, and can lead to considerable peace of mind. Other sources of good advice include British Standards and industry codes of practice such as those produced by the British Compressed Gases Association.