How to perform an HSE risk assessment: step-by-step guide
Updated on: 15th April 2026
Every employer has a legal duty to assess the risks their workers face. A well-executed HSE risk assessment identifies workplace hazards, evaluates the likelihood and severity of harm, and puts controls in place to keep people safe.
This guide explains what a risk assessment is, why it matters for enterprise organisations, and how to carry one out using the five-step framework recommended by the Health and Safety Executive (HSE).
What is a risk assessment?
A risk assessment is a structured process used to identify workplace hazards, evaluate the likelihood and severity of harm, and implement controls to reduce risk and protect workers.
The significant findings of this process are often recorded in a written document that captures:
1. The hazards present in a workplace
2. The risks those hazards create
3. The measures put in place to control them
A hazard is anything with the potential to cause harm. This could be a piece of machinery, a chemical substance, working at height, or a poorly lit stairwell.
Risk is the likelihood that a hazard will actually cause harm, combined with how serious that harm could be and how many people might be affected.
Why risk assessments matter for enterprise safety programmes
For large organisations operating across multiple sites, risk assessments are not just a legal obligation. They are a practical tool for maintaining consistent safety standards at scale.
Enterprise safety programmes face specific challenges: varied work environments, large and diverse workforces, complex contractor relationships, and the need to demonstrate compliance across jurisdictions. A standardised risk assessment process is a core component of any safety management system.
The benefits extend beyond compliance. A thorough risk assessment improves visibility of hazards before incidents occur, supports better decision-making about where to invest in safety improvements, and creates a documented record that protects both workers and the organisation. When assessments are reviewed regularly and findings are communicated across teams, they become a living part of safety culture in the workplace rather than a box-ticking exercise.
Employers who conduct consistent, well-documented risk assessments are better placed to respond to regulatory inspections, insurance requirements, and incidents if they do occur.
For a broader view of how risk management is evolving across the industry, EcoOnline’s Mega Trends Report explores the key shifts shaping workplace safety in 2026 and beyond.
How many steps are in an HSE risk assessment?
Most workplace risk assessments follow five key steps recommended by the Health and Safety Executive:
1. Identify hazards
2. Decide who may be harmed and how
3. Evaluate the risks and implement controls
4. Record the findings
5. Review and update the assessment
This five-step framework applies across industries and organisation sizes. It is the recognised standard in the UK and is consistent with international safety management guidance.
The five steps to a risk assessment (HSE framework)
Step 1: Identify workplace hazards
The first step is a systematic search for anything in the workplace that has the potential to cause harm. Hazards fall into several broad categories:
- Physical hazards include manual handling, slips, trips and falls, working at height, fire, driving for work, and using poorly maintained equipment.
- Occupational health hazards include noise, vibration, dusts, and work-related stress.
- Chemical hazards include cleaning agents, industrial solvents, and pesticides.
- Biological hazards include viruses, bacteria, and allergens.
- Psychosocial hazards include violence, bullying, and harassment.
To identify these hazards effectively, walk the workplace and observe what is actually happening. Review manufacturers’ manuals and safety data sheets. Analyse previous incident and near-miss reports. Speak to the people doing the work, as they have firsthand knowledge of where problems occur and where existing controls fall short. Safety audits and inspections are also valuable methods for identifying hazards across your workplace.
No hazard identification process should rely on a single method. A combination of observation, documentation review, and worker consultation gives the most complete picture.
Step 2: Decide who might be harmed and how
Once hazards are identified, the next step is to think carefully about who is at risk. This goes beyond direct employees. Any risk assessment should consider:
- Contractors, agency workers, and maintenance personnel who may not be on-site every day but are exposed to hazards when they are.
- Visitors and members of the public who access the premises.
- Cleaners, delivery drivers, and others whose contact with the workplace may be brief but real.
Certain groups require particular attention because they face elevated risk. For example, young workers may lack experience or awareness of specific hazards. Pregnant and post-natal employees may be more vulnerable to certain physical or chemical safety risks. Protecting your workers around chemicals is especially important when assessing roles where exposure is likely. Night and shift workers may face hazards that are not present during standard hours.
People with disabilities or those for whom English is not a first language may need additional controls or communication adjustments.
For organisations with multiple sites and shifting contractor populations, this step requires a robust system for tracking who is on-site and under what conditions.
Step 3: Evaluate the risk level and implement controls
Risk evaluation involves estimating both the likelihood of harm occurring and the severity of that harm if it does. Combining these two factors gives a risk rating. Most organisations use a risk matrix to make this assessment consistent and auditable.
A simple rating system works as follows:
- Low risk: The likelihood of harm is low and the severity is minor. For example, occasional computer use at a well-arranged workstation.
- Medium risk: The likelihood, severity, or number of people exposed is greater. For example, manual handling of heavy loads without mechanical aids. Controls are required to bring the risk down.
- High risk: There is a real likelihood of serious injuries or fatalities. For example, vehicles reversing in an area where pedestrians are present without adequate controls. These risks must be prioritised and treated immediately.
Once the risk rating is established, the decision is whether to accept the risk or treat it. When determining which controls to put in place, the hierarchy of control provides the correct order of priority:
- Eliminate the risk entirely if possible. Remove the hazard or the activity that creates it.
- Substitute the hazard with something less dangerous. Replace a hazardous chemical with a safer alternative.
- Apply engineering controls to isolate people from the hazard. Install guarding on machinery. Separate pedestrian and vehicle routes.
- Apply administrative controls such as safe systems of work, training, job rotation, and procedures that reduce exposure.
- Provide personal protective equipment (PPE) as the last line of defence. PPE should always be used alongside other controls, not instead of them.
In practice, most risk controls involve a combination of these measures. The goal is to reduce residual risk to the lowest reasonably practicable level.
Step 4: Record your findings
Risk assessments must often be documented. This is a legal requirement for employers with five or more employees in Great Britain, and documentation is required for all employers in Ireland as part of a written risk assessment and Safety Statement.
A risk assessment record should capture the hazards identified, the people at risk, the current controls in place, the residual risk rating, any additional controls required, the person responsible for implementing those controls, and the target completion date.
The format can vary. Many organisations use a risk assessment template, and EHS software platforms allow assessments to be completed, stored, and retrieved digitally. For enterprise organisations managing assessments across multiple sites, a centralised digital system is the most effective way to maintain consistency, ensure version control, and make findings accessible to the people who need them.
Completed risk assessments must be communicated to the workers they affect.
Step 5: Review and update the assessment
Risk assessments are not a one-time activity. They must be reviewed regularly and revised whenever circumstances change.
A review should be triggered by any of the following:
- A change in work processes, equipment, or materials
- An incident or near miss
- The introduction of new legislation or guidance
- Significant changes to the workforce
- A scheduled periodic review
HSE guidance recommends that risk assessments be kept current and revisited at regular intervals even in the absence of obvious triggers.
For enterprise safety teams, building a review schedule into an EHS management system ensures that assessments do not become outdated. Automated reminders, version history, and audit trails all support a robust review process.
Who is responsible for risk assessments?
Employers carry the ultimate legal responsibility. Top management must ensure that risk assessment stages are conducted, documented, reviewed, and acted upon. In UK and Irish law, employers must do all that is reasonably practicable to eliminate or control workplace risk.
EHS managers, safety leaders, and operations managers typically lead the process in practice. In larger organisations, this is often a multidisciplinary effort involving teams with direct knowledge of the work being assessed.
Employees play an important role. Workers have firsthand knowledge of how tasks are actually performed and where existing controls fall short. Consulting employees during the risk assessment stages is not just good practice; it is a legal obligation.
Frequently asked questions
A hazard is anything with the potential to cause harm, such as a chemical, a machine, or a slippery floor. Risk is the likelihood that the hazard will cause harm and how serious the consequences could be.
Employers are legally responsible for ensuring risk assessments are carried out. In practice, EHS managers, safety leaders, or operations managers lead the process while consulting employees who understand workplace hazards.
A workplace risk assessment should include hazard identification, identification of who may be harmed, evaluation of risk severity and likelihood, control measures, documentation of findings, and a schedule for review.
Yes. Risk assessments should be documented to demonstrate regulatory compliance and ensure safety controls are implemented and tracked across sites.
Risk assessments should be reviewed whenever workplace conditions change, incidents occur, new equipment is introduced, or as part of periodic safety programme reviews. Efficient incident reporting drives workplace productivity and safety. Using incident management software to log and track incidents ensures that nothing is missed and review triggers are acted on promptly.
Most risk assessments follow five steps or stages recommended by the UK Health and Safety Executive: identify hazards, determine who may be harmed, evaluate risks, record findings, and review the assessment.
Risk assessments help large organisations identify hazards across multiple locations, prevent incidents, maintain regulatory compliance, and prioritise safety improvements. It’s also important to calculate the safety ROI of your programme.
The hierarchy of controls sets out the order in which risk reduction measures should be applied. Elimination comes first, followed by substitution, engineering controls, administrative controls, and finally PPE as a last resort.
Employers who fail to carry out risk assessments may be in breach of health and safety law and liable to enforcement action, fines, or prosecution. More importantly, without a risk assessment, hazards may go uncontrolled and workers may be harmed.
The HSE advises that fire risk assessments should be reviewed at least annually to make sure the measures in place are still as effective as possible.
How EcoOnline supports risk assessment at scale
Managing risk assessments across a large organisation requires consistency, visibility, and a clear audit trail. EcoOnline’s risk management software allows safety teams to carry out risk assessments online, standardise processes across sites using shared templates, and get better visibility of risk areas across the organisation. All safety documentation is stored centrally, so nothing falls through the cracks.
See how Hitachi Rail standardised risk assessment and safety reporting across 50 countries and five continents with EcoOnline.
About the author
Stephanie Fuller
Content Writer