One of the issues I come across a lot as a consultant is the number of companies that do not fully understand what makes a risk assessment ‘suitable and sufficient’.

For some, risk assessments are just yet more paperwork. For others, good intentions may be hampered by guidance being misinterpreted due to lack of information or training.

The failure to carry out a ‘suitable and sufficient’ risk assessment can result in:

  • Accidents (injury/ill health/death)
  • Fines
  • Prosecutions
  • Injury claims
  • Poor product quality
  • Higher insurance fees
  • Lost time (due to injuries)
  • Reduced productivity (due to poor maintenance schedules)
  • Bad reputation (finding your company on the news or across social media for all the wrong reasons and the knock-on consequences this may have on lost business)

In September 2023, a waste management firm was fined a total of £3 million following the deaths of two workers in separate incidents. Whilst investigating, the HSE found the organisation had “failed to carry out a suitable and sufficient risk assessment into skip operations meaning that safe systems of work and appropriate training were not implemented, and skips were not maintained in an efficient state”. 

So, we’re clear that completing a ‘suitable and sufficient’ risk assessment is important, but how do we determine what a ‘suitable and sufficient’ risk assessment is, and who is ‘competent’ when it comes to risk assessments?

Where does the term ‘suitable and sufficient’ come from?

As an employer, you're required by law to protect your employees, and others, from harm.

Under the Management of Health and Safety at Work Regulations 1999, the minimum you must do is:

  • identify what could cause injury or illness in your business (hazards)
  • decide how likely it is that someone could be harmed and how seriously (the risk)
  • take action to eliminate the hazard, or if this isn't possible, control the risk

The regulation states:

3.—(1) Every employer shall make a suitable and sufficient assessment of—

(a) the risks to the health and safety of his employees to which they are exposed whilst they are at work; and

(b) the risks to the health and safety of persons not in his employment arising out of or in connection with the conduct by him of his undertaking

‘Suitable and sufficient’ is not actually defined in the Regulations. In practice it means the risk assessment should identify the risks arising from or in connection with work and the level of detail in a risk assessment should be proportionate to the risk. The level of risk arising from the work activity should determine the degree of sophistication of the risk assessment. More detailed specifics are provided in the Regulation. Organisations should review the Regulation and determine the requirements based on the exact task or activity being carried out.

Who can write a risk assessment?

A risk assessment should be carried out by someone who has the skills, knowledge, and experience to conduct risk assessments as well as a good understanding of the task being assessed. Having the right attitude is a must and a key to getting this right. You might have heard this referred to as a ‘Competent Person’.

A competent person could be the employer, a manager, supervisor, engineer, sub-contractor, or a cleaner. Roles and responsibilities depend on the size of the company. Regardless, the important bit to remember is that whoever you choose must have an understanding of the work being carried out as well as the risk assessment process. Additionally, they should know how to carry out a risk assessment for your company. As alluded to above, one organisation is different to another and a risk assessment should take this into account.

If the person carrying out the risk assessment has working experience of the task but does NOT have experience in the risk assessment process itself (i.e. knowing the 5 key steps of risk assessment) or in how to identify hazards and put in place the relevant controls to mitigate the risk (for example, by using the 5 steps of the hierarchy of controls), then they cannot be deemed ‘competent’. This is because at least one person (depending on the work and size of organisation) must be trained in conducting risk assessments and have experience of doing so.

In this example, the risk assessment should be carried out by a trained risk assessor, who is capable of carrying out the risk assessment, with the support of the worker, who is familiar with the task. This combination of knowledge, skill, and experience ensures that a ‘careful examination’ of the working area takes place.

Involving workers in producing risk assessments helps ensure that all working risks are highlighted, and therefore reduced. Additionally, this involvement encourages workers to follow the risk assessment and raise any future issues. In turn, this boosts safety culture within the organisation.

(For more information on the competent person, see Who is ‘competent’ when it comes to Risk Assessments? | Make UK).

Additional considerations

So far, so good. You have a risk assessment produced by a trained risk assessor with the involvement of people who complete the task being assessed.

But, this is only halfway to having a ‘Suitable and Sufficient’ risk assessment.

Once you have evaluated the risks and decided on actions to mitigate them, you should communicate the information to anyone who needs to know. If you have 5 or more employees, then this will also need to be documented in a written risk assessment.

This will enable people performing the task to follow the risk assessment and any other linked processes. A high-quality risk assessment will highlight any gaps in training and make sure that people have been given the information and instructions to carry out their work safely.

Finally, risk assessments should be regularly reviewed to ensure that they remain relevant and accurate.

How suitable and sufficient are your risk assessments?

Answering the following questions will help determine how suitable and sufficient your risk assessments are:

  • Has the risk assessment been carried out by a person trained to conduct risk assessments?
  • Has the risk assessment had the involvement of the people carrying out the task being assessed?
  • Did the production of the risk assessment involve the health and safety person/team?
  • Is the risk assessment relevant to the nature and scale of the work or activity being carried out?
  • Does the risk assessment consider who could be harmed, including vulnerable people, by the task?
  • Has the risk assessment considered the environmental impact?
  • Has the risk assessment considered all factors, such as heavy loads, stress, noise, vibrations, etc., that can affect the task?
  • Has the potential for emergencies or accidents been considered?
  • Does the work have enough health and safety systems or safe systems of work to avoid people getting hurt or injured?
  • Has PPE been identified?
  • Has the risk assessment considered the relevant regulations, ACOPs, and guidance?
  • Have all the relevant controls been implemented correctly to reduce the risk as low as reasonably practicable?
  • Has the risk assessment been communicated to everyone who needs to know about it?
  • If 5 or more employees, has the risk assessment been documented?
  • Is the risk assessment reviewed regularly (for example, after significant changes or in the event of an incident)?

How did you get on?

If you are doing all the above and more, then it is likely that your risk assessments are ‘suitable and sufficient’, and you are protecting your workforce.

As a proactive measure and confidence check of your health and safety management systems, we would always recommend engaging a third party to conduct an audit of your risk assessments. This will provide an unbiased check to make sure you’re doing it right.

If you answered ‘no’ to any of the above, or are not sure, then your risk assessments could be “unsuitable and insufficient”!

As highlighted above, completing a ‘suitable and sufficient’ risk assessment is extremely important; we would therefore recommend an immediate review of your risk assessments.

More than just paperwork

A risk assessment should never be completed just for the piece of paper. It is a lot deeper than that. Often, risk assessments show the culture of a business - how the employer and employees work together to ensure that the workplace remains a safe and happy place to work.

For further guidance or advice on this topic please get in touch - we’d love to support you in meeting your legal and moral duties.