Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’re running a small business, it’s easy to think of health and safety as something “big companies” worry about.
But in reality, doing a workplace risk assessment is one of the most practical (and legally important) ways to protect your staff, your customers, and your business itself.
Done properly, risk assessments don’t just help you avoid incidents and enforcement action - they help you build a safer, more reliable operation from day one. And the good news is: you don’t need a massive compliance team to get it right. You just need a clear process and the right documentation.
What Is A Workplace Risk Assessment (And Why Does It Matter)?
A workplace risk assessment is a structured way to identify:
- Hazards (things that could cause harm),
- Risks (the likelihood and severity of harm), and
- Control measures (what you’ll do to reduce risk to an acceptable level).
In other words, if you’ve ever walked around your premises thinking, “What could go wrong here, and how do we stop it?”, you’re already thinking in risk assessment terms.
Risk Assessment vs Safety Policy: What’s The Difference?
Small businesses often mix these concepts up.
- A risk assessment is task- or site-specific (for example: “using a ladder to stock shelves” or “hot surfaces in a kitchen”).
- A health and safety policy sets out your overall approach to managing health and safety (who’s responsible, how you report issues, training, etc.).
Many businesses manage both through practical documentation and clear internal procedures, so your team knows what to do in real situations - not just what the law says in theory.
The Legal Basics (In Plain English)
In the UK, the key legal framework includes:
- Health and Safety at Work etc. Act 1974 (your duty to protect employees and others affected by your work), and
- Management of Health and Safety at Work Regulations 1999 (the duty to assess risks and put control measures in place).
You might also need to consider other rules depending on your workplace and activities, such as:
- Fire safety duties (for example, duties under the Regulatory Reform (Fire Safety) Order 2005, which often requires a fire risk assessment in non-domestic premises and shared parts of some buildings),
- COSHH (hazardous substances),
- Manual handling,
- DSE (Display Screen Equipment) for desk-based workers, and
- RIDDOR reporting for certain workplace incidents.
If you’re putting your compliance foundations in place, it’s worth treating health and safety as part of your “core setup”, alongside your contracts and internal rules.
Who Needs A Workplace Risk Assessment In The UK?
In most cases, if you’re an employer, you should assume you need to carry out a workplace risk assessment.
In practice, duties can also apply even if you don’t have employees - for example, where your work could affect contractors, visitors, customers, or members of the public. The law generally expects you to take reasonable steps to keep people safe - and the definition of “reasonable” depends on your business, your premises, and the level of risk.
Do You Need To Write It Down?
As a general rule:
- If you have 5 or more employees, you are typically expected to record the significant findings of your risk assessment in writing.
- If you have fewer than 5 employees, you may not be legally required to write everything down - but it’s still strongly recommended.
Why? Because if there’s an incident, a complaint, an insurance claim, or an inspection, being able to show what you assessed (and what you did about it) is often just as important as having done it.
What If You Don’t Have A Traditional “Workplace”?
A lot of modern small businesses don’t fit neatly into “office” or “shop” categories. You may still need risk assessments if you have:
- Home-based employees (yes, even for desk-based work),
- Remote teams who travel or work on client sites,
- Pop-ups and markets,
- Mobile services (beauty, repairs, catering vans), or
- Shared premises (co-working or “rent a chair” arrangements).
The key question is always: who could be harmed, and how?
What Should A Workplace Risk Assessment Cover?
There’s no one-size-fits-all list, but a strong workplace risk assessment usually covers three broad areas:
1) People Risks (Employees, Contractors, Customers)
- New starters and young workers (who may need closer supervision).
- Pregnant workers or workers with health conditions (where reasonable adjustments may be required).
- Lone workers (opening/closing, delivery drivers, home visits).
- Contractors and temps (who needs to brief them, supervise them, and provide PPE?).
- Members of the public (slips, trips, crowding, aggressive behaviour, accidents in customer areas).
2) Premises And Equipment Risks
- Slips and trips (wet floors, cables, uneven surfaces).
- Working at height (ladders, mezzanines, stockrooms).
- Electrical safety (portable appliance checks, damaged plugs).
- Machinery and tools (guards, maintenance, training).
- Fire safety (exits, alarms, extinguishers, evacuation plans).
3) Work Activities And Processes
- Manual handling (lifting stock, deliveries, warehouse work).
- Use of chemicals (cleaning products, salon chemicals, workshop fluids).
- Food safety processes (temperature control, cleaning, allergen management).
- Work-related stress and fatigue (especially where hours are long or staffing is tight).
- Violence and harassment risks (retail, hospitality, late-night trading).
It’s also worth remembering that “risk” isn’t limited to physical safety. Some workplaces introduce privacy and monitoring issues too - for example, where you’re thinking about CCTV or audio recording.
If you’re considering cameras, make sure you understand the compliance risks before installation - especially if audio is involved - because the rules are stricter than many business owners expect. (This comes up a lot in practice when businesses install security systems.) See CCTV in the workplace and CCTV with audio as a starting point.
How To Do A Workplace Risk Assessment Properly (Step-By-Step)
If you want a process that works (and that you can repeat as your business grows), use this structure. It aligns with what regulators generally expect and keeps things practical for a busy small business owner.
Step 1: Identify Hazards (Do A Walkthrough)
Start with a simple walkthrough of your workplace and your typical work activities.
Look for hazards across:
- entrances/exits,
- workstations and customer areas,
- storage spaces, back rooms and kitchens,
- equipment, machinery, and electrical items,
- cleaning cupboards and chemical storage, and
- any tasks done “occasionally” (stock takes, seasonal setups, events).
Tip: don’t just assess what happens on a good day. Think about busy times, understaffed shifts, poor weather, and inexperienced staff covering roles.
Step 2: Decide Who Might Be Harmed (And How)
This part is often missing from DIY risk assessments, but it’s crucial.
List who could be harmed and how, including:
- employees,
- apprentices or work experience placements,
- contractors and cleaners,
- visitors, and
- customers (including children and vulnerable people, depending on your business).
This is also where you consider people who may need extra support or adjustments.
Step 3: Evaluate The Risk And Put Control Measures In Place
Now decide:
- How likely is harm to occur?
- How serious could it be?
- What controls do you already have?
- What extra controls are needed?
Control measures usually fall into common categories:
- Eliminate the hazard (remove it entirely, where possible).
- Substitute (use a safer product or process).
- Engineering controls (guards, barriers, ventilation).
- Administrative controls (training, signage, procedures, supervision).
- PPE (gloves, goggles, footwear) - usually a last layer, not the only measure.
This is where your day-to-day documentation matters. For many SMEs, risk controls are implemented through internal rules and clear procedures for staff to follow.
Step 4: Record Your Findings (Make It Usable)
Your workplace risk assessment doesn’t need to be fancy, but it does need to be:
- clear (someone else can understand it),
- specific (it relates to your actual workplace), and
- action-focused (it says who will do what and by when).
A good format is:
- Hazard
- Who might be harmed
- Existing controls
- Further action needed
- Responsible person
- Deadline
- Date completed
Be careful with generic templates. They can be a helpful starting point, but if they don’t reflect your real work activities, they won’t protect you when it counts.
Step 5: Implement The Actions (This Is The Part That Counts)
A risk assessment isn’t “done” when you save a document - it’s done when the controls are actually in place.
That might mean:
- training staff,
- changing a layout,
- booking maintenance,
- adding signage,
- updating procedures, or
- introducing a new checklist for opening/closing.
It’s also where your broader Health and Safety approach matters. Risk assessments work best when they’re part of an ongoing system - not a one-off paperwork exercise.
Step 6: Review And Update Regularly
You should review your workplace risk assessment:
- regularly (many businesses do this annually as a baseline),
- after an incident or near miss,
- when you change equipment, layout, or processes,
- when you hire new staff or change roles, and
- if guidance or legal requirements change.
As your business grows, you may also need multiple risk assessments (for example: one for the premises, plus separate assessments for higher-risk tasks).
Common Workplace Risk Assessment Mistakes Small Businesses Make (And How To Avoid Them)
Most risk assessment issues we see aren’t about bad intentions - they’re about busy teams and unclear ownership.
Here are some common pitfalls to watch for.
Using A Generic Template That Doesn’t Match Your Workplace
If your risk assessment says “hard hats required” but you run an office, it’s going to raise questions.
Templates should be customised to reflect:
- your specific work activities,
- your premises,
- your staffing and supervision levels, and
- your customer-facing risks.
Failing To Assign Responsibility
“We should fix that” isn’t a control measure.
A practical risk assessment assigns:
- a named person responsible for each action, and
- a deadline that’s realistic (but not vague).
Not Training Staff On The Controls
If the control measure is “staff must do X”, you need to make sure staff actually know:
- what X is,
- when it applies, and
- what to do if something goes wrong.
This is one reason small businesses often build safety processes into onboarding and written procedures, so it’s consistent as you hire and grow.
Ignoring Data And Privacy Impacts When Introducing Monitoring
Sometimes businesses introduce controls that involve collecting information - for example, access logs, incident reports, or CCTV.
If your safety controls involve personal data, you’ll also need to think about UK GDPR and the Data Protection Act 2018, including transparency and retention practices. Depending on what you’re doing, it may be worth tightening up your privacy compliance through a GDPR package, especially if you’re scaling your operations or using more systems to monitor safety and security.
Not Updating The Paperwork After Changes
Business changes that often trigger the need to update risk assessments include:
- new equipment,
- a refurb or move,
- new chemicals or suppliers,
- expanded opening hours,
- new role responsibilities, or
- new types of customers (for example, events or children’s parties).
If you’re making changes quickly, you might also want a clear internal system for documenting incidents and responses, so you can learn from near misses and tighten controls over time. (This can also overlap with how you respond to data issues, depending on what’s involved.)
Key Takeaways
- A workplace risk assessment is a practical process to identify hazards, assess risk, and put controls in place to protect staff and others.
- Most employers should carry out risk assessments, and duties can apply even without employees where your work could affect others. If you have 5+ employees you’re generally expected to record significant findings in writing.
- A good risk assessment focuses on real work activities and real risks - not generic template wording.
- The best approach is step-by-step: identify hazards, decide who might be harmed, implement controls, record actions, and review regularly.
- Risk assessments work best when they’re supported by clear documentation and day-to-day procedures (so your team knows what’s expected).
- If you’re introducing monitoring measures (like CCTV), make sure your safety plan doesn’t accidentally create privacy and compliance issues.


