Chapter 13: Document significant findings - the theory
13.1 Legislation on documenting the findings
The legal requirements for documenting risk assessments is stated in Regulation 3(6) of the Management of Health and Safety at Work Regulations:
(6) Where the employer employs five or more employees, he (sic) shall record—
(a) the significant findings of the assessment; and
(b) any group of his employees identified by it as being especially at risk.
Although regulation 3(6) of the Management regs only talk about risks to employees, it is clear from the Health and Safety at Work Act that the responsibility applies to anyone affected by the undertaking who might be ‘especially at risk’. But note, there is nothing here about tables and matrices, numbers and multiplication sums. Just the significant findings, and people especially at risk.
13.2 The five employees problem
Legally, you don’t need to document your risk assessment if you have fewer than five employees. But if the work you oversee hurts someone, you will have to prove you thought about the risks, and applied reasonably practicable measures, whether you have one employee or 10,000 employees. The law still requires employers with fewer employees to carry out the risk assessment – the exception related only to the documenting of the assessment.
Ask yourself:
Does having fewer than five employees always equate with ‘low risk’? In which of the following situations could there be significant risks, even with fewer than five employees?
- Voluntary groups with no paid staff (or perhaps one or two) but with multiple volunteers, and many more people receiving a service. Would you expect the scout leader to have carried out a risk assessment for taking scouts hiking and camping up a mountain for the weekend? Or a social club taking a coach load of over 70s to the seaside for the day?
- The gig economy means that technically an organisation might have only a few staff, and multiple contractors. What responsibility does the organisation have to the safety of contractors, particularly when their working hours, routes of travel and activities are all defined by the organisation?
- A roofing contractor employs her son and a friend of his. They have a few ladders, and hire other equipment as it is needed. Their work ranges from clearing and fixing gutters to replacement of tiles on roofs.
Since writing the first version of this chapter, the exception for those with fewer than five employees was removed for fire risk assessments. The original 2005 version of the Regulatory Reform (Fire Safety) Order 2005 (FSO) cloned the exception from the Management regs for documenting fire risk assessments (section 9(6) of the FSO). In 2023 9(6) was simplified to state that the responsible person must make a record of the (fire risk) assessment or review, with any exceptions removed.
A licenced asbestos removal company would need documented controls to meet the regulations, regardless of size. If you have one employee, or even if you’re a sole trader doing anything other than writing documents, it’s worth documenting your risk assessment. But how can you do this in a proportionate way?
13.3 Historical HSE guidance
Appendix 3 provides links to two historical documents from the HSE which provided advice on risk assessment. INDG 163 was the short guide also known as ‘the five steps’, and L21 was the detailed code of practice and guidance on the regulations, including Regulation 3 on risk assessment.
Within an L series document, paragraphs marked as ‘ACOP’ indicate a higher level of expectation from the regulator of the advice being followed than paragraphs marked as ‘guidance.’ Paragraphs 23 to 25 in L21 cover Recording risk assessments and are marked as ‘ACOP’. You can read the full archived document in Appendix 3, but in summary:
Paragraph 23 reminded employers of the legal responsibility to document significant findings where they have five or more employees. By way of expansion, 23 and 24 provided the following requirements:
- This record should represent an effective statement of hazards and risks which then leads management to take the relevant actions to protect health and safety.
- The record can be in writing or ‘other means (eg electronically) as long as it is retrievable for use by management in reviews and for safety representatives or other employee representatives and visiting inspectors.
- Where appropriate, it should be linked to other health and safety documents, including policy, arrangements, procedures and records.
Paragraph 24 reassured employers:
The record [of significant findings] will often refer to other documents and records describing procedures and safeguards.
Paragraph 25 explained that the ‘significant findings’ include:
a) A record of the preventive and protective measures in place to control the risks;
b) What further action, if any, needs to be taken to reduce risk sufficiently;
c) Proof that a suitable and sufficient assessment has been made.
The last statement was accompanied by what I deem unhelpful waffle, stating the same thing in multiple ways without adding any value as to what this should include.
Although L21 is still referred to on the HSE website, it was withdrawn in 2013. At the time, the HSE promised to provide a “structured, well sign-posted guidance including .. revised Five Steps to Risk Assessment.”
There was a revised five steps document in 2014 and a draft revision in 2016. I liked the direction the 2016 version was proposing. It had some hugely encouraging statements, and some helpful advice, including:
A risk assessment is not about creating huge amounts of paperwork, but rather about identifying sensible measures to control the risks in your workplace.
Any record produced should be simple and focused on controls.
You may already have documents, such as guidance to employees (including HSE guidance), method statements, data sheets etc that can serve as your record. You do not need to duplicate these.
Insurers and contractors may ask for more detailed paperwork than the law requires. Ask if you are not sure … if you are being asked to go beyond what the law requires … contact HSE’s Myth Buster Challenge Panel (hse.gov.uk/myth).
This version was never approved, and INDG 163 was withdrawn in 2019. So what of the ‘well sign-posted guidance’ we were promised as an alternative?
13.4 Current HSE guidance
That there are now multiple and conflicting versions of the five steps on the HSE website suggests the signposts might not be that clear. The key guidance from the HSE on step 4, record your risk assessment is less advice than a restatement of the legal requirement in Regulation 3, although it does expand on what findings are ‘significant’..
Step 4 from the HSE:
If you employ 5 or more people, you must record your significant findings, including.
- the hazards (things that may cause harm)
- who might be harmed and how
- what you are doing to control the risks
To help you, we have a risk assessment template and examples. Do not rely purely on paperwork as your main priority should be to control the risks in practice.
‘What you are doing to control the risks’ is simpler language than that in L21, but it misses the emphasis that you should be recording both preventative and protective measures. It also misses the idea that you need to consider what further action might need to be taken.
The HSE provide a risk assessment template as illustrated in Table 13.1. (I urge you to look at the original on the HSE website, as in my effort to make it machine readable, it doesn’t look great in TablePress).
Table 13.1: Based on HSE Risk assessment template
| Company name: | Assessment carried out by: | |||||
| Date of next review: | Date assessment was carried out: | |||||
| What are the hazards? | Who might be harmed and how? | What are you already doing to control risk? | What further action do you need to take to control risk? | Who needs to carry out the action? | When is the action needed by? | Done |
| . | . | . | . | . | . | . |
At the time of writing the HSE risk assessment template and examples (as shown in Table 13.1) all show a simple table with seven columns:
- What are the hazards?
- Who might be harmed and how?
- What are you already doing to control the risks?
- What further action do you need to take to control the risks?
- Who needs to carry out the action?
- When is the action needed by?
- Done (date on which the action is ‘closed’ – something we will talk about later).
The template has moved us from the simple HSE requirement to describe “what you are doing to control the risks” and using other documents as appropriate, to cramming into one table, what you are doing and what you could do, when you might do it, who might do it, and whether or not it’s been done.
Perhaps this was a misunderstanding of the requirement in L21 to state “what further action, if any, needs to be taken to reduce risk sufficiently” This became a permanent column in the risk assessment, as shown in the template.
As a result, I have seen lots of risk assessments full of things that need to be done. This is an admission that the current situation is inadequate. “Here are some things I know I need to do to control risk, and by documenting them I’m suggesting they are reasonable practicable, but I haven’t done them.” I’ve seen these risk assessments filed for another year, and the same “to be done” actions listed the following year.
You might argue that the purpose of the next three columns is to track that the further actions have been done. What then is the check on the controls you already (think) you have in place? Most controls need some form of monitoring, so are rarely ‘complete’. In one fire risk assessment the FRA expert had indicated “make sure fire doors are never left open.” When I asked him if he had access to a time machine, he looked bemused. “How” I asked “can I ensure that the doors are never left open, unless I watch all the doors, for ever, until the end of time?”
The very act of including a ‘done’ column suggests to users of the template that a risk assessment can be ‘finished’ and filed, rather than used as a working tool.
Ask yourself:
Here are some examples of controls in place from risk assessments on the HSE website. Which of these are really ‘in place’ in a way that doesn’t need action?
- Flooring kept dry and quality maintained.
- All staff trained to maintain good housekeeping standards and ensure stock does not project into gangways.
- Cleaner empties bins and removes loose debris daily.
- Pallets stored safely in designated area.
- Protective non-slip footwear supplied and worn.
- The internal roof is load bearing, has full rails and boards around its edge
Who will make sure the floors are kept dry? How often is training needed? If the bins need to be emptied every day, how can you be sure that the control is in place tomorrow? The roof might remain load bearing, but some instructions might be needed to check the rails are still effective.
13.5 Adding (too much) complexity
Although the HSE template does not include risk ratings, many organisations, including those providing training in risk assessment, insist that numbers are added. This can result in two more columns, as shown in Table 13.2, or six more columns where the risk rating requires numbers for severity, likelihood and risk.
The columns become even narrower, with column widths set to match titles rather than content. The assessor is discouraged from adding useful information in the hazard and control columns, and the results will be even harder to interpret as a working document.
When we try to fill the grid in, it gets more complicated. In Table 13.2 we’ve the high level hazard ‘ fire and smoke’. There are two current controls – there’s a sign on doors to remind people to shut them, and there is a smoke detector. Two further suggestions are made in relation to closing the door, and at this point a risk assessment meeting spends the next hour debating how to score each of those improvements.
With just two proposed controls (the closing mechanism and the reminder to staff) there are theoretically 4 outcomes:
- Neither control is implemented – the current risk rating applies.
- The first is implemented alone.
- The second is implemented alone.
- Both are implemented.
Do I use the ‘proposed risk rating’ column to document separately the benefits of implementing either of the proposals? Or do I only include a risk rating for my conclusion if both are implemented?
Further down the line – when the ‘done’ column is completed for one proposed control but not for the other – the facilities team could easily think their action is no longer necessary, since the documented risk assessment implies that reminding staff would be sufficient to reduce the risk to ‘low’.
Table 13.2: Risk assessment template with simple rating columns
| Hazard | Who harmed and how | Current controls | Current risk rating | Proposed controls | Proposed risk rating (residual risk) | Who needs to carry out the action? | By when? | Done |
|---|---|---|---|---|---|---|---|---|
| Fire & smoke | Everyone in the office | Sign on door to keep shut | A number indicating not good enough | Automatic closing mechanism on door | Rating if only this control is applied? | Facilities team to fit | ||
| Remind the staff to close the door | Rating if both controls are applied? | Managers | 15/2/24 | 10/2/24 | ||||
| Smoke detector | Same as above? Or one number for both current controls? | Detectors to be checked | Rating if all 3 controls are applied? | Managers | Weekly | |||
| Facilities team | Six monthly |
There is a second existing control – the smoke detector. The risk has been assessed as medium, but is this based on the overall risk of fire, or the risk that the detector would fail when required? Without regular checks of the detector the likelihood of failure is high. Two types of check have been recommended – a weekly sound check by the managers, and a six-monthly technical check by someone from the facilities team. We have a similar dilemma as above – do we get the risk reduction only if both checks are in place, or will one of these give us the risk reduction we need?
13.6 Getting back in control
Overly complex forms mean that we allow the paperwork run the process. Remember what we have learned in other chapters:
Chapter 6:
- You must apply controls that are required by law before assessing the risk
- If good practice advice exists you should apply it, unless you can provide evidence that you are doing something at least as effective to manage risk.
“If relevant good practice exists and is adopted for all workplace hazards, explicit evaluations of risk rarely need to be made in relation to day-to-day hazards; in these situations the risk assessment duty can be said to be discharged by the appropriate adoption of relevant good practice.” RR151, 2003
Chapters 11 and 12:
In occupational health and safety (as opposed to process safety in high hazard workplaces) ALARP is not about some juggling of numbers on a scale. It is about doing our best to consider a range of controls available and selecting those which it is ‘reasonable’ to apply, prioritising those which will be most effective in our timescales. If you don’t apply a control that you considered you have to provide a rationale as to why you didn’t. Courts are especially hard when cutting costs is used as a reason to cut safety.
“Something is reasonably practicable unless its costs are grossly disproportionate to the benefits.” HSE Cost Benefit Analysis (CBA) checklist
Applied to our example above, if having identified a proposed control in the risk assessment to fit automatic closing mechanisms, dropping the control while leaving it in the paperwork could provide a prosecutor with evidence against you if there is an incident. The case against Morrisons supermarket in 2023 / 2024 illustrates this point.
This chapter:
Step 4 requires only that you record your significant findings, including the hazards, who might be harmed and how and what you are doing to control risk.
13.7 Conclusion
The current (unchanged since 2019) advice on risk assessment from the HSE has lost the clarity in previous guidance that risk assessments do not have to duplicate other health and safety documentation, but should instead refer to other records, procedures and so on. Combined with the seven column templates and an obsession with scoring likelihood and severity, this has led to overly complex recording of risk assessments, producing pages (or screens) of unhelpful but ‘compliant’ documentation.
While the measures outlined in earlier chapters will help us to avoid these failures, documenting the risk assessment provides a further opportunity to catch any earlier errors in the process. In the next two chapters we’ll consider how you can use other documents (Chapter 14), as well as a simplified risk assessment form (chapter 15), to document those significant findings in a way that takes less time, provides more effective control of hazards, and turns risk assessment from a form completion exercise into a management and planning tool. Risk assessment findings must be communicated to the people who have to apply those findings, and getting the documentation right will improve the communication.
You can use the Contact form to send me feedback. If you’d like to receive an email when I add or update a chapter, please subscribe to my ‘book club’
Alternatively, you can go back to the book contents page.