Manage workplace risk assessments under MHSW 1999
Your legal duties for risk assessment under the Management of Health and Safety at Work Regulations 1999. Covers employer duties, the principles of prevention, competent person requirements, health surveillance, and when you must record findings in writing.
Your legal duty to assess risks
The Management of Health and Safety at Work Regulations 1999 (MHSW 1999) place a fundamental duty on all employers to assess workplace risks. This is not optional - it applies to every employer from day one, regardless of business size or sector.
Under Regulation 3, you must make a "suitable and sufficient" assessment of:
- The risks to health and safety of your employees while at work
- The risks to others (contractors, visitors, members of the public) arising from your work activities
The purpose is to identify what measures you need to take to comply with health and safety law. A risk assessment is not paperwork for its own sake - it is the foundation for all your health and safety decisions.
What "suitable and sufficient" means
Your risk assessment must be thorough enough to identify the significant risks in your workplace. You do not need to identify every trivial risk, but you must capture anything that could realistically cause harm.
Suitable means appropriate for your workplace - an office needs a different assessment from a construction site or a chemical plant.
Sufficient means comprehensive enough to identify all significant hazards and the people who might be harmed.
For most small, low-risk businesses, the HSE recommends a straightforward three-step approach:
- Identify hazards - what could cause injury or illness in your workplace?
- Assess the risk - how likely is it that someone could be harmed, and how seriously?
- Control the risk - take action to eliminate the hazard or, if that is not possible, control the risk
The nine principles of prevention
When you implement control measures, Regulation 4 requires you to apply the general principles of prevention set out in Schedule 1 of the regulations. These principles, derived from EU law, establish a hierarchy for managing risks:
1. Avoiding risks: Eliminate the hazard entirely if possible - the most effective control
2. Evaluating unavoidable risks: For risks that cannot be avoided, assess their nature and severity
3. Combating risks at source: Address hazards at their origin rather than managing exposure
4. Adapting work to the individual: Design workplaces, equipment and methods to suit workers, reducing monotonous or repetitive tasks
5. Adapting to technical progress: Take advantage of technological improvements that reduce risk
6. Replacing dangerous with less dangerous: Substitute hazardous substances or processes with safer alternatives
7. Developing coherent prevention policy: Create an overall approach covering technology, work organisation, conditions and training
8. Collective measures over individual: Prioritise controls that protect everyone (guards, ventilation) over individual protection (PPE)
9. Giving appropriate instructions: Ensure employees understand risks and how to work safely
In practice, this means you should always try to eliminate hazards first. If that is not reasonably practicable, substitute with something less dangerous. Engineering controls (physical barriers, ventilation) come before administrative controls (procedures, training). Personal protective equipment should be a last resort, not a first response.
When to review your risk assessment
A risk assessment is not a one-off exercise. Regulation 3 requires you to review it if:
- You have reason to suspect it is no longer valid
- There has been a significant change in the matters to which it relates
In practice, you should review when:
- You introduce new equipment, processes or substances
- There is a change in workplace layout or working patterns
- An accident, near miss or case of ill health occurs
- New information about risks becomes available
- New employees join who may have different vulnerabilities
- You move to new premises or take on new activities
Even if nothing obvious has changed, good practice is to review assessments at least annually to confirm they remain valid.
Health and safety arrangements (Regulation 5)
Beyond risk assessment, you must make and give effect to appropriate arrangements for:
- Planning - setting health and safety objectives and priorities
- Organisation - allocating responsibilities and ensuring competence
- Control - implementing and maintaining risk controls
- Monitoring - checking that controls are working
- Review - learning from experience and improving
These arrangements must be appropriate to the nature of your activities and the size of your undertaking. A small office has simpler needs than a manufacturing plant, but both need some system for managing health and safety actively.
Health surveillance (Regulation 6)
You must provide health surveillance where your risk assessment identifies specific health risks. Health surveillance means systematic, regular health checks to detect early signs of work-related ill health.
When health surveillance is typically required:
- Workers exposed to excessive noise - audiometry (hearing tests)
- Workers exposed to hand-arm vibration - regular questionnaires and checks
- Workers exposed to respiratory sensitisers (isocyanates, flour dust) - lung function tests
- Workers handling substances causing dermatitis - skin checks
Health surveillance is not a substitute for controlling exposure. It detects problems early so you can take action, but the primary goal must always be to prevent exposure in the first place.
Appointing a competent person (Regulation 7)
You must appoint one or more competent persons to assist you in meeting your health and safety duties. Competence means having sufficient training, experience, knowledge and other qualities to help you manage health and safety properly.
Key requirements:
- The law prefers you to appoint someone from your own workforce rather than an external consultant - they know your workplace better
- You must ensure the number of competent persons, the time available to them, and the resources at their disposal are adequate for your size and risks
- If you appoint multiple people, you must ensure they cooperate and coordinate
- If you appoint an external consultant, you must give them information about your workplace and the risks
For very small businesses: If you are a sole trader or partner and have the necessary knowledge and skills, you can be your own competent person. For larger or higher-risk businesses, consider sending a staff member on IOSH or NEBOSH training, or engaging a qualified external consultant.
Special assessments for vulnerable workers
The regulations require additional assessment considerations for:
Young workers (under 18)
Before employing anyone under 18, you must specifically assess risks arising from their:
- Inexperience and lack of awareness of risks
- Immaturity (physical and psychological)
- The nature of the work, equipment and substances involved
Certain work is prohibited for young people, including work beyond their physical or psychological capacity, exposure to toxic or carcinogenic agents, and work with serious accident risks they cannot recognise.
New and expectant mothers
If women of child-bearing age work in your business and could face risks from their work (physical, biological or chemical agents, or certain processes), you must assess those risks. If a worker notifies you she is pregnant, has given birth within the past 6 months, or is breastfeeding, you must:
- First, try to alter her working conditions or hours to avoid the risk
- If that is not reasonable, offer suitable alternative work on equivalent terms
- If neither is possible, suspend her on paid leave for as long as necessary
Getting your risk assessment right
Common mistakes to avoid:
- Treating it as a one-off task - risk assessment is an ongoing process, not a document you file away
- Copying generic templates without adapting them - your assessment must reflect your actual workplace
- Focusing only on physical hazards - consider stress, fatigue, violence, lone working
- Identifying hazards without implementing controls - the point is to take action, not produce paperwork
- Not involving workers - employees often know where the real risks are
Proportionality: Your risk assessment should be proportionate to the actual risks in your business. A simple office does not need the same level of detail as a chemical plant. HSE provides free, simple templates for small, lower-risk businesses.
- Identify all hazards in your workplace: Walk through your premises and activities. Consider equipment, substances, manual handling, working at height, electricity, vehicles, stress, and lone working. Ask employees what concerns them.
- Assess who might be harmed and how: Consider all workers including part-time, temporary, agency staff, and contractors. Identify anyone with particular vulnerabilities: young workers, pregnant workers, disabled workers, inexperienced staff.
- Evaluate risks and decide on controls: For each hazard, consider how likely harm is and how serious it could be. Apply the hierarchy of controls - eliminate first, PPE last. Record what controls you already have and what more is needed.
- Record your findings (required if 5+ employees): Document significant hazards, who is at risk, current controls, and further action needed. Use HSE templates if helpful. Keep it proportionate - focus on what matters.
- Appoint a competent person: Identify who will help you manage health and safety. This could be you (if you have the knowledge), a trained employee, or an external consultant. Ensure they have adequate time and resources.
- Implement your control measures: Put your identified controls in place. Inform and train workers. Make sure everyone knows what the risks are and how to work safely.
- Review regularly: Review after accidents, when work changes, or at least annually. Update your assessment when needed. Keep records of reviews.
Enforcement and penalties
The Health and Safety Executive (HSE) and local authorities enforce the MHSW Regulations. Inspectors can visit without notice and:
- Issue improvement notices requiring you to fix problems within a set time
- Issue prohibition notices immediately stopping dangerous activities
- Prosecute for serious breaches
Penalties:
- Magistrates' Court: fines up to £20,000 and/or up to 6 months imprisonment
- Crown Court: unlimited fines and/or up to 2 years imprisonment
- Both the company and individual directors or managers can be prosecuted
Beyond legal penalties, failing to manage risks properly can result in worker injury or death, civil compensation claims, increased insurance premiums, reputational damage, and loss of contracts.