Risk Assessment - Suitable and Sufficient?



In December 2018, Network Rail were fined £200,000 with £86,000 costs after being found guilty of an offence under the Health and Safety at Work Act 1974 for an incident which resulted in an employee sustaining life-changing injuries. The immediate cause was a car striking a barrier as the employee tried to close it. The underlying cause, according to the Office of Rail and Road investigation, was that Network Rail's risk assessment was inadequate and, despite the foreseeable risk of a driver failing to see that the gates were being closed, little had been done to protect its employees.

Also in the same month, Nylacast Ltd were fined £293,000 after a fatal accident, again due to inadequate risk assessment.

Every organisation needs to manage health and safety, and control any hazards to employees and others. The adequacy of controls is identified during a risk assessment, and there is a duty to ensure the risk assessment is suitable and sufficient. Any adverse incident will draw attention to the risk assessment to check that it is. But what makes a risk assessment suitable and sufficient?

The phrase suitable and sufficient is not defined in any legislation but is defined by the Health and Safety Executive within INDG163 Risk assessment brief guide.

This guidance note is designed to clarify the issue of ensuring a risk assessment is suitable and sufficient, covering some of the underlying factors that should be taken into account when carrying out risk assessments.

Why a risk assessment may not be suitable and sufficient

  • The person doing the assessment is not competent

Whilst this alone would not mean that the risk assessment was not suitable and sufficient, someone who is not competent may fail to identify all relevant hazards or to evaluate the risk. The person conducting the risk assessment must be competent to do so, with the degree of competence dependent on what is being assessed. The more complex the subject, the more competent the assessor should be. It is incumbent upon an employer to ensure that if employees are being asked to carry out risk assessments, they are competent.

The Health and Safety Executive (HSE) defines competence as a “combination of training, skills, experience, and knowledge that a person has and their ability to apply them to perform a task safely”. Additionally, it suggests that factors such as attitude and physical ability can affect someone’s competence.

  • A proper check of the hazards was not done

There is a requirement to identify any hazards and reasonably foreseeable risk which may result from the hazard not being controlled. 

In its position paper Reducing Risks, Protecting People (R2P2) published in 2001, the HSE explains: “So as not to impose unnecessary burdens on dutyholders, HSE will not expect them to take account of hazards other than those which are a reasonably foreseeable cause of harm, taking account of reasonably foreseeable events and behaviour.” Part 6 of the Position Paper gives an example of a reasonably foreseeable event regarding the collapse of a building.

Therefore, you cannot do a safety risk assessment sitting at a desk. At some point you will need to record the findings, but to get the full picture you need to walk around the workplace and look for, and take note of what could cause harm – hazards. As you walk round, speak to employees and users and gather information from them on hazards which may not be obvious.

Take note of all issues found, as you can discount them later if necessary. Also, if you find a hazard, record as much as you can about it. As an example, oxygen therapy cylinders are hazardous – they pose a risk of musculoskeletal injuries caused by poor manual handling, and a risk of fire and explosion caused by poor maintenance and management of the cylinder resulting in leaks and an enriched oxygen atmosphere. You should record the size of cylinder(s), how many are present, specific location and note any impact on other legislation i.e. under the RRFO or F(S)A, a review of the fire risk assessment will be required and a risk assessment may be required to comply with DSEAR.

Also, consider other factors which may have a bearing on the hazard being realised such as weather conditions throughout the year (if outdoors), peak times for workloads, annual leave impacts on workloads.

Don’t forget about the ‘Health’ hazard in Health and Safety 

When we talk about health and safety it is easier to foresee a personal injury incident. More difficult, and sometimes overlooked, is the ‘Health’ part: someone suffering from a work-related illness caused by exposure to harmful materials. These are normally, but not always, latent illnesses i.e. prolonged exposure to a substance may cause dermatitis in the future. An example would be a mechanic carrying out vehicle maintenance and repairs being exposed over a number of years to used engine oils or exhaust fumes, which are known carcinogens.

Compared to accidents, work-related health problems cause far more absence. HSE statistics for 2017/18 showed that there were 26.8 million working days lost due to work-related ill health compared to 3.9 million due to non-fatal workplace injuries.

  • You failed to consult or identify those who might be affected

This is not ‘everyone’. It must be categorised into the different exposure types i.e. employees, visitors, members of the public, contractors, volunteers, residents etc., including approximate numbers of each category. Each category may require different control measures.

Consider if there is anyone especially at risk including children, elderly, lone workers, people with impairments etc. Again, there may be a need for specific control measures.

  • You failed to deal with all the obvious significant hazards

The HSE do not provide a general definition of ‘significant hazard’ or ‘significant risk’; however, these can be referenced elsewhere. The Quarries Regulations 1999 Approved Code of Practice, paragraph 295, indicates:

‘The hazard should be considered significant if such a failure would, directly or indirectly, be: 
(a) …; or
(b) likely to kill or seriously injure anyone.’

Within the Glossary to the Construction (Design and Management) Regulations 2015 Guidance on Regulations, reference is made to ‘significant risks’ as being:

‘not necessarily those that involve the greatest risks, but those (including health risks) that are not likely to be obvious, are unusual, or likely to be difficult to manage effectively.’

In dealing with the most significant hazards, you need to implement controls taking account of the number of people who could be involved, hence the need to record the approximate numbers for each category at risk of harm. Involve users, employees, and employee representatives, and investigate what controls are currently in use and whether these are effective and practicable.

Control measures (precautions) must be reasonably practicable and follow the principles of prevention (see the Management Regs). For some specific legislation such as COSHH, the hierarchy of control will need to be considered.

Reasonably practicable requires judgement. It is the balance between the cost, time, and effort to implement the control, weighed against the benefit that the control brings. The ethos is linked to the principles of prevention. As an example, the principles of prevention begin with elimination; is it reasonable for you to eliminate the hazard? If not, it may not be reasonably practicable. What is reasonable is also measured by what a similar person would do in the same circumstance given the same information.

  • You failed to ensure the remaining risk is low

When you evaluate the risk, given all the information gathered during observation and research, you need to ensure that you have reduced the risk to a level which is as low as reasonably practicable, sometimes referred to as ALARP. This again is linked to the concept of reasonably practicable and the hierarchy of control. Can we evidence that you have done everything reasonably practicable to reduce the risk? Have you met or exceeded any industrial standards, best practice guides etc.?

Other failures in risk assessment

They are treated as a paper exercise 

Many people see risk assessment and health and safety as ‘bolt-ons’ to their normal work tasks but it is inherent in everything you and your staff do. It is not just a compliance issue or paper exercise. The findings must be acted upon to produce a real improvement in health and safety at work. The controls listed in an assessment are things that your staff are working to every day - wearing PPE, following a safe work method or procedure, implementing knowledge gained on training course(s), providing supervision. Consider it as a positive aspect of ensuring you achieve your outcomes safely with a motivated workforce.

They are not monitored for effectiveness nor reviewed periodically

The employer has a legal duty to review a risk assessment periodically to ensure it is current. There is no defined period as to when this should happen; however, this must be related to the risk. Not all risk assessments have a scoring matrix, and if you look at the HSE examples these do not have a scoring matrix either.

With an initial risk assessment, you will want to be informed if the controls are effective and you need to monitor and review it at frequent intervals. If you suspect it is no longer valid then it must be reviewed. New equipment, processes, personnel, new locations, alterations to premises and workplace layouts, and enforcement letters are some matters that will require a review.

Reviewing does not necessarily mean repeating the whole process. If the existing controls in place are still considered adequate, just make a record of that.

Using an off-the-shelf (OTS) product

Given that the HSE have example risk assessments on their website, it would seem OK to use an OTS product, and why ‘reinvent the wheel’? But beware – the risk assessment is yours, not the HSE’s or anyone else’s that you have sourced it from. If you are tempted to use an OTS assessment you MUST check that it is valid. You still have a legal duty to ensure it identifies all significant hazards – the only way you can do that is to observe your workplace.

Not telling employees about the findings

Employers must provide employees and others with information on the risks in the workplace and how they are protected.

In many circumstances, the provision of information, instruction, and training will be part of your control measures.


There are numerous benefits to ensuring your risk assessments are suitable and sufficient.

  • A safer workplace
  • Improved staff morale
  • Positive safety culture
  • Reduction in incidents/reduced downtime/cost savings
  • Improved relationships with stakeholders/regulators
  • Reduced civil claims and costs
  • Compliance with legal obligations

Risk assessments don’t have to be complicated but need to be reflective of the practices that are employed to ensure employees and others are safe.

Controls need to be reasonable and proportionate to the environment in which they are carried out.

Health and safety will not stop you doing your work but it will help you to work safely.

How can we help you?

For more advice on how we can help lower the cost of your risk, please email UK.London.RMPartners.riskcontrol@rmpartners.co.uk

