Risk Assessments: What “Suitable and Sufficient” Actually Means
Every employer in Great Britain has a legal duty to assess the risks created by their work activities. That much most people know. What far fewer understand is what “suitable and sufficient” — the standard set by the Management of Health and Safety at Work Regulations 1999 — actually looks like in practice.
When HSE inspectors, insurers or courts consider whether a risk assessment meets the required standard, they are not impressed by length. They are looking at whether it reflects the real work being carried out.
What the law requires
Regulation 3 of the Management of Health and Safety at Work Regulations 1999 requires employers to make a suitable and sufficient assessment of the risks to employees and others affected by their work activities.
For employers with five or more employees, the significant findings must be recorded in writing. If you have fewer than five employees, you still need to carry out the assessment — you just are not legally required to write it down, although doing so is strongly advisable.
“Suitable and sufficient” is not about producing the longest document. A risk assessment meets the required standard when it identifies the real risks from actual work activities, considers who might be harmed and how, evaluates whether existing controls are adequate, and records what further action is needed.
A generic template downloaded from the internet and left unedited is not a suitable and sufficient risk assessment for your workplace.
The most common failures
In workplace inspections and post-incident reviews, the same types of failure appear repeatedly:
- Risk assessments that are generic or template-based, with no evidence they reflect the specific workplace, task or workforce.
- Assessments that identify hazards but fail to properly evaluate the risk. Listing “slips and trips” without considering floor condition, lighting, footwear, housekeeping or cleaning arrangements is not useful.
- No proper consideration of vulnerable workers, including young workers, new or expectant mothers, lone workers, inexperienced staff or workers with health conditions that may affect risk.
- Risk assessments that have never been reviewed, despite changes to equipment, processes, premises or staffing.
- Controls listed as “in place” that either no longer exist, are not being followed, or were never properly implemented.
A risk assessment should be evidence that you have thought carefully about the risks in your workplace. If you cannot explain what the controls are and why they are adequate, the assessment is unlikely to stand up to scrutiny.
When does a risk assessment need to be reviewed?
Regulation 3(3) of MHSWR requires a review where there is reason to believe the assessment is no longer valid or where there has been a significant change.
In practice, this means reviewing the assessment:
- after an accident, incident or near miss;
- when work processes change;
- when new equipment, substances or tasks are introduced;
- when the workplace or work area changes;
- when the workforce changes in a way that may affect risk;
- when control measures are found to be ineffective;
- periodically as part of good health and safety management.
There is no fixed legal review interval. As good practice, many businesses review risk assessments annually, as well as whenever there is reason to believe the assessment is no longer valid or there has been a significant change.
What matters is that the review is genuine. Simply changing the date on a document is not a meaningful review.
Practical steps for getting it right
Walk the job, do not just fill in a form. The person carrying out the risk assessment should understand how the work is actually done, not just how it is supposed to be done.
Involve your workers. They often know where the real risks are, where shortcuts are being taken and where controls are not working as intended. Regulation 13 of MHSWR also requires employers to consider employees’ capabilities when assigning tasks.
Record your reasoning. If your assessment says a risk is adequately controlled, explain why. What is the control? How does it work? How do you know it is effective?
Make actions clear. If further action is needed, record who is responsible, what needs to be done and when it should be completed.
Review properly. Build risk assessment review into your health and safety management system rather than leaving it to happen by accident.
Need support?
North East Health and Safety provides competent person support, risk assessment reviews, policy writing and practical health and safety consultancy for UK businesses.
Last reviewed: June 2026