Health and Safety Risk Assessment: Complete Guide for Small Businesses
Key Takeaways
- A risk assessment is a legal requirement for almost every employer in the UK and Ireland — not just large companies.
- In the UK, businesses with five or more employees must record their risk assessment in writing. In Ireland, every employer must have a written safety statement regardless of size.
- The HSE’s 5-step process (identify hazards, decide who might be harmed, evaluate risks, record findings, review regularly) is the recognised standard for carrying out a compliant risk assessment.
- The most common mistake small businesses make is treating the risk assessment as a one-off paperwork exercise rather than a living document.
- Getting it wrong can lead to fines of up to £20,000 in a UK magistrates’ court (unlimited in the Crown Court) or up to EUR 3,000,000 in Ireland.
What Is a Health and Safety Risk Assessment?
A health and safety risk assessment is simply a careful look at what could cause harm to people in your workplace, so you can decide whether you have done enough to prevent it — or whether you need to do more.
That is the plain English version. The slightly more formal definition is that a risk assessment is a systematic process of identifying hazards, evaluating the likelihood and severity of harm, and putting sensible measures in place to control those risks.
It is not about wrapping everyone in cotton wool. It is about making sure the people who work for you, visit your premises, or are affected by your business activities go home safe at the end of the day.
Why It Matters for Your Business
Beyond the obvious moral reason — nobody wants someone to be injured or become ill because of their work — there are hard practical reasons to take risk assessments seriously.
First, it is the law. We will cover the specific legislation in the next section, but the short version is that failing to carry out a suitable and sufficient risk assessment is a criminal offence that can result in prosecution, significant fines, and even imprisonment in the most serious cases.
Second, it protects your business. If an employee or a member of the public is injured and you cannot demonstrate that you assessed the risks and took reasonable precautions, you leave yourself wide open to civil claims, increased insurance premiums, and reputational damage that can be fatal for a small business.
Third, a good risk assessment actually saves you time and money in the long run. It helps you spot problems before they become incidents, reduces sickness absence, and gives you a clear framework for training and day-to-day decision-making.
Who Needs to Do One?
The short answer is: if you employ anyone, you almost certainly need a risk assessment. But the specific requirements differ between the UK and Ireland.
In the UK, the Management of Health and Safety at Work Regulations 1999 require every employer (and every self-employed person whose work could affect others) to carry out a suitable and sufficient risk assessment. If you have five or more employees, you must record the significant findings in writing. If you have fewer than five employees, you still need to carry out the assessment — you just do not technically have to write it down (though it is strongly recommended that you do, because you will have no evidence of compliance if you are ever inspected or face a claim).
In Ireland, the requirements are stricter. Under the Safety, Health and Welfare at Work Act 2005, every employer — regardless of the number of employees — must carry out a risk assessment and prepare a written safety statement based on that assessment. There is no exemption for small businesses. If you employ even one person, you need a written safety statement.
You will also need a health and safety policy alongside your risk assessment. The two documents work together: the policy sets out your commitment and general arrangements, while the risk assessment deals with the specific hazards and controls relevant to your business.
Legal Requirements
Understanding exactly what the law requires is important, because the obligations in the UK and Ireland come from different pieces of legislation and there are some notable differences.
United Kingdom
The overarching duty comes from the Health and Safety at Work etc. Act 1974, specifically Section 2, which places a general duty on every employer to ensure, so far as is reasonably practicable, the health, safety and welfare at work of all employees. This includes providing safe systems of work, a safe working environment, and adequate information, instruction, training and supervision.
The more specific requirement to carry out risk assessments comes from the Management of Health and Safety at Work Regulations 1999, Regulation 3. This regulation requires every employer to make a suitable and sufficient assessment of the risks to the health and safety of employees and anyone else who may be affected by the business (such as contractors, visitors, customers, or members of the public).
If you employ five or more people, Regulation 3 also requires you to record the significant findings of the assessment and any group of employees identified as being especially at risk.
The Health and Safety Executive (HSE) is the primary enforcement body in Great Britain. Local authorities also enforce health and safety law in certain workplaces such as offices, shops, and hospitality venues.
Penalties for non-compliance: Health and safety offences heard in a magistrates’ court can attract fines of up to £20,000 per offence. Cases referred to the Crown Court face unlimited fines, and individuals can be sentenced to up to two years’ imprisonment for the most serious offences. The Sentencing Council’s health and safety guidelines also mean that fines are scaled to turnover, so even small businesses can face proportionally significant penalties.
Ireland
In Ireland, the governing legislation is the Safety, Health and Welfare at Work Act 2005. Section 19 specifically requires every employer to identify hazards, assess risks, and prepare a written safety statement setting out how those risks will be managed.
The safety statement must be based on the risk assessment, must specify the hazards identified, must detail the protective and preventive measures taken, and must be brought to the attention of employees. It must also be reviewed whenever there is a significant change in the workplace or if there is reason to believe it is no longer valid.
The Health and Safety Authority (HSA) is the enforcement body in Ireland.
Penalties for non-compliance: The 2005 Act provides for fines of up to EUR 3,000,000 and/or up to two years’ imprisonment on conviction on indictment. Summary offences can attract fines of up to EUR 5,000. The HSA has the power to issue improvement notices, prohibition notices, and to prosecute employers who fail to meet their obligations.
The Bottom Line
Whether you are based in the UK or Ireland, the message is the same: carrying out and documenting a risk assessment is not optional. It is a fundamental legal requirement, and the penalties for getting it wrong are severe enough to put a small business under.
The 5-Step Risk Assessment Process
The HSE’s 5-step approach is the most widely recognised framework for carrying out a risk assessment. It is straightforward, practical, and designed to be used by non-specialists — which makes it ideal for small business owners and sole traders who are managing their own compliance.
Step 1: Identify the Hazards
A hazard is anything that has the potential to cause harm. Your job in this first step is to walk through your workplace (or think carefully about your work activities if you work on different sites) and identify everything that could reasonably be expected to cause injury or ill health.
There are several ways to do this effectively:
- Walk around your workplace and look at what could cause harm. Think about the physical environment, the equipment you use, the substances you handle, and the way work is organised.
- Talk to your employees (or subcontractors, if you use them). The people doing the work often know better than anyone where the real risks are.
- Check manufacturer instructions and data sheets for equipment and chemicals. These will highlight specific hazards you might not be aware of.
- Review your accident and near-miss records. If something has gone wrong before, there is a good chance the hazard still exists.
- Think about long-term health risks as well as immediate safety hazards. Noise exposure, repetitive strain, stress, and exposure to harmful substances can all cause serious harm over time.
Common hazards that apply to many small businesses include slips and trips, manual handling, working at height, electrical safety, fire, hazardous substances, display screen equipment, and lone working.
If your business uses chemicals, cleaning products, or any substances that could be harmful, you will also need to carry out a separate COSHH assessment for each hazardous substance. The risk assessment and COSHH assessment work together, but they are distinct documents with different legal requirements.
Step 2: Decide Who Might Be Harmed and How
For each hazard you have identified, think about who could be harmed and what kind of harm they might suffer. Do not just think about your full-time employees — consider everyone who might be affected:
- Employees and workers (including part-time, temporary, and agency workers)
- Contractors and subcontractors working on your site or alongside your team
- Visitors and clients — anyone who comes to your premises
- Members of the public who might be affected by your work, particularly if you work on client sites or in public areas
- Vulnerable groups — young workers, new or expectant mothers, people with disabilities, and lone workers may face additional or different risks
For each group, think about how they might be harmed. A slip hazard in a corridor, for example, could affect employees, visitors, and cleaning contractors. A chemical stored in a workshop could affect the person using it, but also anyone else in the vicinity if there is a spill or if ventilation is inadequate.
Being specific here is important. “Someone might get hurt” is not useful. “An employee could suffer a back injury from manually lifting stock weighing over 20kg from floor level to shelving at shoulder height” gives you something you can actually act on.
Step 3: Evaluate the Risks and Decide on Precautions
Once you know what the hazards are and who might be harmed, you need to evaluate the level of risk and decide what precautions to take. Risk is typically evaluated by considering two factors: the likelihood of harm occurring and the severity of that harm if it does.
A simple risk matrix can help you categorise risks as low, medium, or high. This is not about mathematical precision — it is about making a reasonable judgement so you can prioritise your actions. High-risk items need to be dealt with first, and may require immediate action. Low-risk items still need to be managed, but may be acceptable with basic controls in place.
When deciding on precautions, you should follow the hierarchy of controls, which is the recognised order of preference for managing risks:
- Elimination — Can you remove the hazard entirely? This is always the best option. For example, if a cleaning chemical is hazardous, can you switch to a non-hazardous alternative?
- Substitution — Can you replace the hazard with something less dangerous? For example, using a less toxic chemical or a lighter piece of equipment.
- Engineering controls — Can you isolate people from the hazard? This includes things like physical guards on machinery, ventilation systems, or barriers.
- Administrative controls — Can you change the way people work to reduce the risk? This includes training, safe working procedures, job rotation, and signage.
- Personal protective equipment (PPE) — As a last resort, provide PPE such as gloves, eye protection, or respiratory equipment. PPE should only be relied on when higher-level controls are not reasonably practicable.
The key phrase throughout UK and Irish health and safety law is “so far as is reasonably practicable.” You do not have to eliminate every conceivable risk. You have to do what a reasonable person in your position would do, balancing the level of risk against the cost, time, and effort of reducing it. But the greater the risk, the more you are expected to do.
Step 4: Record Your Findings and Implement Them
This is where the risk assessment becomes a document rather than just a thought process. You need to record:
- The hazards you have identified
- Who might be harmed and how
- What you are already doing to control the risk (existing controls)
- What further action is needed (additional controls)
- Who is responsible for implementing each action
- When the action will be completed
Your risk assessment does not need to be perfect, and it does not need to be written in formal or legal language. What it does need to be is specific, practical, and based on an honest assessment of your workplace. Inspectors are not looking for a polished document — they are looking for evidence that you have genuinely thought about the risks and taken sensible steps to manage them.
If you need a professionally formatted risk assessment template tailored to your specific trade, our compliance kits include pre-built templates you can customise in minutes. They are designed for small businesses and sole traders, so they include the most common hazards for your industry and follow the HSE’s 5-step structure.
Once recorded, the most important thing is to actually implement the controls you have identified. A beautifully written risk assessment that sits in a drawer and is never acted on is worse than useless — it is evidence that you knew about the risks and chose not to do anything about them.
Make sure you communicate the findings to your employees. In the UK, you must bring the significant findings to the attention of your employees. In Ireland, the safety statement must be made available to all employees and brought to their attention.
Step 5: Review and Update
A risk assessment is a living document, not a one-off exercise. You must review and update it regularly and whenever there is a significant change, such as:
- New equipment, substances, or processes are introduced
- A new job role is created or existing roles change significantly
- You move to new premises or make significant changes to the layout
- After an accident, near miss, or case of ill health related to work
- New legislation or industry guidance is published
- Following feedback from employees or observations during routine inspections
As a general rule, you should formally review your risk assessment at least once a year, even if nothing has obviously changed. Things evolve gradually — a new piece of equipment here, a new employee there — and an annual review helps you catch anything that may have slipped through.
Document each review, noting the date, who carried it out, and any changes made. This creates an audit trail that demonstrates ongoing compliance.
Industry-Specific Considerations
While the 5-step process applies to every business, the specific hazards you need to assess will vary depending on your industry. Here are some of the key considerations for common small business sectors.
Cleaning Businesses
Cleaning businesses face a distinctive mix of hazards. Hazardous substances are a major concern — cleaning chemicals including bleach, degreasers, and sanitisers can cause skin irritation, respiratory problems, and chemical burns. You will need COSHH assessments for each hazardous substance alongside your general risk assessment.
Slips, trips, and falls are among the most common causes of injury in the cleaning industry, particularly when floors are wet during and after cleaning. Lone working is also a significant risk, as many cleaners work alone in client premises, often outside normal business hours. Your risk assessment should include specific controls for lone workers, such as check-in procedures and emergency contact arrangements.
Manual handling — moving heavy equipment, carrying buckets of water, pushing and pulling floor machines — is another key area to address.
Construction and Trades
If you work in construction or the trades, your risk assessments will typically be more complex and may need to be site-specific. The most significant hazards include:
- Working at height remains the single biggest cause of fatal injuries in the construction industry. Even relatively low-level work — using stepladders, working on roofs, accessing loft spaces — must be assessed and controlled.
- Electrical safety is critical, whether you are working with existing electrical installations or using power tools on site. Manual handling is another major concern, given the physical nature of most trade work.
- Noise and vibration from power tools can cause long-term hearing damage and conditions such as hand-arm vibration syndrome (HAVS). Dust and hazardous substances, including construction dust, asbestos (in older buildings), paints, adhesives and solvents, all require careful assessment.
Beauty and Grooming
Beauty and grooming businesses — hairdressers, barbers, beauty therapists, nail technicians — deal with a specific set of hazards that are sometimes overlooked.
Chemical exposure is the primary risk, from hair dyes and bleaches to nail products, adhesives, and cleaning agents. Dermatitis is one of the most common occupational health problems in the beauty industry. Sharps — scissors, razors, needles (for treatments such as acupuncture or semi-permanent makeup) — create a risk of cuts and potential infection.
Infection control is essential, particularly for any treatments that break the skin. Musculoskeletal problems from prolonged standing, repetitive movements, and awkward postures are also common in this sector.
Office-Based Businesses
Do not assume that because you work in an office, there is nothing to assess. Office environments have their own set of hazards.
Display screen equipment (DSE) is the most obvious — prolonged computer use can cause musculoskeletal problems, eye strain, and headaches. Under the Health and Safety (Display Screen Equipment) Regulations 1992, employers must carry out DSE assessments for habitual users.
Fire safety must be assessed in any workplace. Slips, trips, and falls — from trailing cables, wet floors, cluttered walkways — are relevant in every office. And work-related stress is increasingly recognised as a significant occupational health risk that must be managed. We will touch on this more in the next section.
Common Mistakes to Avoid
Having seen thousands of risk assessments from small businesses, we find that certain mistakes come up again and again. Avoiding these will put you ahead of the majority of businesses and significantly reduce your compliance risk.
1. Being Too Generic or Copy-Pasting
This is the single most common problem. Downloading a generic risk assessment template from the internet and putting your company name on it does not meet your legal obligations. Your risk assessment must be specific to your workplace, your activities, and your people.
An inspector can spot a generic, copy-pasted risk assessment immediately, and it actually works against you — it suggests you have not genuinely engaged with the process. A shorter, more focused risk assessment that clearly relates to your actual business is far more valuable than a lengthy generic document.
2. Not Involving Your Employees
Your employees are your best source of information about workplace hazards. They do the work every day and they know where the real problems are. Failing to consult them is not only a missed opportunity; you are also legally required in both the UK and Ireland to consult with employees (or their representatives) on health and safety matters.
Even if you are a sole trader with one or two employees, have a conversation with them about the hazards they see and the improvements they would suggest. Document that you have done this.
3. Forgetting to Review and Update
As mentioned in Step 5, a risk assessment is not a one-off exercise. Yet many small businesses complete a risk assessment when they first set up, file it away, and never look at it again. If your risk assessment is three years old and your business has changed in that time — new premises, new equipment, new employees, new work activities — it is almost certainly no longer fit for purpose.
Set a reminder to review it at least once a year, and make sure you also review it after any significant change or incident.
4. Ignoring Mental Health and Work-Related Stress
Health and safety is not just about physical hazards. Work-related stress, anxiety, and depression are now the leading causes of work-related ill health in the UK, accounting for a significant proportion of all working days lost to ill health each year.
Your risk assessment should consider psychosocial hazards — excessive workload, lack of control, poor support, workplace bullying, lone working, and uncertainty about roles and responsibilities. These are just as real as a trip hazard or a faulty piece of equipment, and the law requires you to manage them.
5. Poor Documentation
Even if you have carried out a thorough risk assessment in your head, if it is not written down properly, you have no evidence. This matters when an inspector visits, when an insurance company asks for your records, or when you need to defend a claim.
Your documentation should be clear, dated, and signed. It should show who carried out the assessment, what hazards were identified, what controls are in place, what further action is needed, and when it was last reviewed.
6. Failing to Act on the Findings
A risk assessment that identifies a serious hazard but shows no evidence of any action being taken is potentially more damaging than having no risk assessment at all. It demonstrates that you were aware of the risk and chose not to address it. If someone is then injured as a result of that hazard, your position is extremely difficult to defend.
Make sure each action in your risk assessment has a named person responsible and a target date for completion. Then follow through.
Our free sample includes a sample risk assessment so you can see exactly what a compliant document looks like before you commit. It is a useful benchmark to compare against your own documents.
Documentation and Record-Keeping
Good documentation is the backbone of demonstrable compliance. Even the most thorough risk assessment process is undermined if you cannot produce the paperwork when it matters.
What Must Be Documented
At a minimum, your risk assessment records should include:
- The date the assessment was carried out and who carried it out
- The hazards identified
- Who might be harmed and how
- The existing controls in place
- Any additional controls needed, with named responsible persons and target dates
- The date of each review and any changes made
- Evidence of employee consultation — even a brief note recording that you discussed the assessment with your team
In Ireland, your safety statement must contain all of the above plus specific reference to the protective and preventive measures taken, the plans and procedures for dealing with emergencies, and the names and job titles of the people responsible for health and safety in your organisation.
How Long to Keep Records
There is no single statutory retention period for risk assessments in the UK, but the generally accepted best practice is to keep records for a minimum of three years after the date they were last in force, and longer if the risks involve health hazards with long latency periods (such as exposure to hazardous substances or noise, where illness may not develop for years or even decades).
For most small businesses, a practical approach is to keep the current risk assessment and at least the two previous versions, so you can demonstrate an ongoing process of review and improvement.
In Ireland, the safety statement must be kept for as long as it is relevant, and you should retain previous versions to demonstrate your compliance history.
Who Must Be Able to See Them
Your risk assessment records must be accessible to:
- Your employees — they have a right to see the risk assessment findings that are relevant to their work
- Safety representatives — if your employees have appointed or elected safety representatives, they must have access
- Enforcement officers — HSE inspectors in the UK and HSA inspectors in Ireland can require you to produce your risk assessment at any time
- Insurance companies — your employer’s liability insurer may request sight of your risk assessment as a condition of cover
Keep your records somewhere accessible and well-organised. Whether you use paper files or digital storage, make sure you can find and produce the relevant documents quickly if asked. A risk assessment that exists but cannot be located when an inspector calls is not much use.
Compliance Alignment
This guide references the following legislation:
- UK: Health and Safety at Work etc. Act 1974, Section 2; Management of Health and Safety at Work Regulations 1999, Regulation 3
- Ireland: Safety, Health and Welfare at Work Act 2005, Section 19
Both jurisdictions require employers to carry out risk assessments and implement appropriate control measures. The principles are broadly similar, but the specific documentation requirements differ — particularly Ireland’s requirement for a written safety statement regardless of employer size. Always refer to the most current version of the legislation and any relevant approved codes of practice or guidance published by the HSE (UK) or HSA (Ireland).
Key Takeaways and Next Steps
Here is what you should take away from this guide and what to do next:
- Start with a walkthrough. Walk through your workplace (or think through your work activities if you are mobile) and list every hazard you can identify. Talk to your employees and get their input.
- Follow the 5-step process. The HSE’s framework (identify hazards, decide who might be harmed, evaluate risks, record findings, review regularly) is simple, widely recognised, and will keep you on the right side of the law in both the UK and Ireland.
- Write it down. Even if you are a UK employer with fewer than five employees and not technically required to record your findings, do it anyway. It is your evidence of compliance and your protection if anything goes wrong.
- Make it specific to your business. Resist the temptation to use a generic template without tailoring it. Your risk assessment must reflect your actual workplace, your actual activities, and the actual people affected.
- Review it regularly. At least once a year and after any significant change. Date each review and note any updates.
- Act on it. The whole point of a risk assessment is to identify what needs to change and then make those changes. A risk assessment that gathers dust in a drawer is a liability, not a protection.
If you are starting from scratch or want to make sure your existing documents are up to standard, our compliance kits are designed specifically for small businesses and sole traders in the UK and Ireland. They include risk assessment templates, health and safety policies, COSHH assessments, and all the core documents you need — pre-formatted and ready to customise for your trade.