The Safer Choice

What is: suitability and sufficiency?

First published in Health and Safety at Work Magazine, June 2013. Some case studies and references have been updated where the originals are no longer accessible.

When have you done enough? Bridget Leathley explores what makes a risk assessment suitable, and when enough is sufficient.

Scope and meaning

Though the phrase crops up in the Workplace (Health, Safety and Welfare) Regulations (1992) as a requirement for providing handrails, loos, washing and changing facilities and lighting, to most safety practitioners “suitable and sufficient” is more likely to bring to mind risk assessments.

Regulation 3(1) of the Management of Health and Safety at Work Regulations (MHSW) requires every employer to make a suitable and sufficient assessment of the health and safety risks “arising out of or in connection with the conduct by him of his undertaking”.

Doubling up

Elsewhere, when Regulation 12 of MHSW says information for employees must be “sufficient”, it clearly does not mean the information does not need to be suitable. And when the guidance to MHSW (L21 – now withdrawn) advises that precautions should be “suitable”, this does not mean they need not be sufficient. So why does Regulation 3(1) need to state that a risk assessment should be both suitable and sufficient?

As we discovered when looking at competence (What is: Competence? HSW June 2013), legislation is not meant to be interpreted using Boolean logic. Suitable and sufficient is perhaps the equivalent of saying “you really, really must take this seriously”. The use of “sufficient” emphasises a second check of suitability. To be acceptable, a risk assessment must be suitable (that is, appropriate to the situation) and sufficient (that is, enough to manage the risk). Sufficiency should not be confused with size; more pages do not make an assessment more sufficient, and might make it unsuitable.

Why does it matter?

The lack of a risk assessment is identified in many prosecutions, and while they often refer to suitability or sufficiency, few include examples of exact inadequacies. When the HSE prosecuted a tool manufacturer following the amputation of an operator’s finger when his glove became entangled, the press release explains that the company had failed to carry out a suitable and sufficient risk assessment of the drill. However, it does not clarify whether the assessment was unsuitable, insufficient or simply non-existent; it notes only that the risk assessment should have mentioned the need not to wear gloves when using this type of machinery.

In 2012, Walsall Hospital NHS Trust had to pay out more than £100,000 in fines and costs for failing to produce a suitable and sufficient risk assessment. Despite an alert from the Department of Health in 2007 of the danger of patients falling out of windows, Walsall Manor hospital had not installed restrictors on sash windows to prevent them being opened too far. The HSE inspector concerned commented that the trust had failed to carry out an “effective risk assessment”.

Regulations 3(4) and 3(5) of MHSW require a specific assessment of risks to which young workers may be exposed, taking account of their “inexperience, lack of awareness of risks and immaturity”. Calibra Tree Surgeons had a defective wood chipper, which in the hands of an experienced worker had been used without incident. For an untrained 16-year-old who thought using his foot to speed up the flow was a good idea, it resulted in permanent disability. For the organisation, which had failed to produce a suitable risk assessment, it resulted in fines and costs of nearly £13,000.

The insufficiency of five steps

Anyone who has carried out a risk assessment will know it takes more than five steps. If a risk assessment launches straight into the HSE’s recommended first step: “identify the hazards” without defining the task, location, equipment or role for which the risk assessment is being produced, it is unlikely to be suitable. Even if the assessor has a clear idea of the scope, if they do not write it down, the risk assessment which was suitable for its initial purpose could be misapplied to another situation.

Look at the risk assessment forms you are using; do they encourage a full description of the scope of the task? If not, now is the time to update them. If they do include scope, look at how people use them. “Work at height risk assessment” or “Risk assessment for the shop” will not provide enough information for a future user to work out its suitability. Did it consider contractors, visitors and clients, or only staff? Was it looking at the situation on a particular day under normal circumstances, or did it consider maintenance, cleaning or emergency scenarios?

Once the assessment has dealt with its scope, it must identify the “reasonably foreseeable” hazards, as discussed in a previous article. Where this often goes wrong is in failing to consider the hazards to — and those caused by — people other than employees.

The scaffolding company prosecuted when a heavy pole fell and hit a member of the public had failed to assess the risks to non-employees when working on a pavement.

In 2010, a Veolia employee was killed when the Veolia vehicle he was walking in front of to collect litter was hit from behind by a lorry. Though the waste giant was prosecuted under the Health and Safety at Work Act, the case involved a discussion on the sufficiency of the risk assessment. Veolia argued that the assessment was sufficient without considering the behaviour of other road users. The courts disagreed; losing the argument cost Veolia more than £300,000 in fines and HSE costs.

Evaluate hazards

Paragraph 13 of the MHSW code of practice (since withdrawn) explains that “The level of detail in a risk assessment should be proportionate to the risk … insignificant risks can usually be ignored”. But the HSE’s own example risk assessments, published on its website, do not score consequence or likelihood, making it difficult to assess proportionality or significance in a calculated manner.

Prosecutions tend to mention failing to identify a hazard, or failing to adopt a suitable control, not whether someone scored it as a 3 or a 4 for likelihood. And yet health and safety professionals spend much time discussing risk matrices, risk tolerance and risk appetites. You might choose to have a commonly understood way to assess risk across your organisation to help to prioritise it, and to eliminate the trivial, but most risk matrices are unrelated to suitability or sufficiency.

In its explanation of the five steps of risk assessment, the HSE explains: “We do not expect a risk assessment to be perfect, but it must be suitable and sufficient. As illustrated by our example risk assessments, you need to be able to show that:

  • a proper check was made
  • you asked who might be affected
  • you dealt with all the obvious significant hazards, taking into account the number of people who could be involved
  • the precautions are reasonable, and the remaining risk is low, and
  • you involved your staff or their representatives in the process.”

The box below lists further pitfalls that can affect the suitability and sufficiency of your risk assessment.

How not to do it

HSE Research Report RR151 Good Practice and Pitfalls in Risk Assessment offers advice on making a suitable and sufficient risk assessment. The report uses case studies of common pitfalls, including:

  • carrying out a risk assessment to attempt to justify a decision that has already been made
  • using a generic assessment when a site-specific assessment is needed
  • not including employees with practical knowledge of the activity being assessed
  • ineffective use of consultants
  • failure to identify all relevant modes of operation
  • failure to consider common-cause failures
  • failure to identify all hazards associated with a particular activity, for example because a task has not been fully described
  • using a cost benefit analysis to attempt to argue that it is acceptable to reduce existing safety standards
  • not doing anything with the results of the assessment
  • not linking hazards with risk controls.

If the scope definition helps to ensure suitability, and identifying foreseeable hazards contributes to sufficiency, choosing controls relates to both. Are the controls enough (sufficient) to reduce the risk to an acceptable level? Are the controls appropriate (suitable) for the situation? This includes consideration of whether they are reasonably practicable — that is, the cost, time and effort of implementing them are proportional to the risk they control. Controls need to be legally compliant, to follow a hierarchy (elimination at the top, PPE at the bottom) and apply best practice. Controls should also take account of human fallibility, particularly with young or inexperienced workers, or where the public is involved.

Carol Robinson, health and safety adviser at home shopping retailer JD Williams, says: “Suitable and sufficient to me means that I have read and understood the task, how the task will be conducted, I know the specific hazards and risks and how they have been adequately controlled.”

Controls must be described clearly, making it obvious who must do what, and by when. A process must be in place for checking that appropriate equipment has been made available, that it is inspected and maintained, that people understand what they are supposed to do, are given the training and time to do it, and that supervisors provide the right type of reinforcement.

In a suitable and sufficient risk assessment the hierarchy of control is applied

Out of the drawer

The suitability and sufficiency of a risk assessment depends on more than writing down the controls. Too many risk assessments sit in drawers, unread or misunderstood by the people who need them. In an incident reported in last month’s HSW, a lorry driver was killed by his own vehicle while trying to couple it to a trailer. Neither the tractor unit’s handbrake nor the trailer brakes had been applied. Judith McNulty-Green, the HSE inspector involved, explained that though the driver’s employer had a risk assessment identifying the risk of lorries rolling away, it had not communicated and enforced controls.

Perhaps a suitable and sufficient risk assessment is expected to do too much. It is both the way an organisation documents its assessment of risks under MHSW Regulation 3 and the way it communicates with employees in compliance with Regulation 10.

Insufficient statements

Be suspicious if you see these phrases in a risk assessment or method statement:

  • conditional terms such as: “depending on”, “circumstances”, “either … or…” and “suitable” (as in PPE, chemicals, methods, means of access)
  • non-specific terms such as “the cleaning agent”, “tools”, “access equipment” or “PPE”.

All these words suggest decisions to be made on the day. Consider whether these should have been defined in advance for a particular job. For example, if your contractor does not know what access equipment they are going to use on the day it suggests they have not surveyed the site properly. If the correct PPE cannot be specified, the risk assessor may not have understood the hazards. Look for instructions which could have been more specific, or which require reference to another document. For example:

  • “use colour coded buckets and cloths for cleaning” as a control for the hazard of cross contamination when cleaning a toilet area and a kitchen, without stating what colour should be used where.
  • “mix cleaning substances in the correct ratios” as a COSHH control for a cleaner, with no explanation of which cleaning substances in what amounts, or considering whether such mixing could be eliminated.

Instructions to use the appropriate equipment are insufficient if not backed with details of what is 'appropriate'

Risk assessments are often full of stuff that the end users don’t need. The risk assessor uses it to document consideration of risks which turn out to be trivial or insignificant, or can be eliminated.

These decisions may need to be documented in case of future action, but the end user does not need to see them. Similarly, controls related to management, facilities, procurement, HR and training must be documented, but may be of little use to the end users.

The answer is to stop using risk assessments as the means of fulfilling the requirements of both regulations. The risk assessment that is suitable and sufficient to manage the risks in the background is not the same one that is suitable and sufficient to control the hazards on the day.

Northern Rail tackles this problem using generic and “local” risk assessments. “Generic risk assessments describe common tasks, hazards and control measures or precautions associated with general locations, events or activities, and they fulfil a company’s legal responsibility to provide employees with relevant written risk assessments,” explains Paul Thompson, head of risk and safety performance for Northern Rail. “When carrying out a local risk assessment, managers should draw on generic risk assessments to describe hazards and controls more specific to the local conditions and the specific activities.”

Another way around this problem is to have detailed generic risk assessments to demonstrate assessment of the risks, and method statements to communicate with staff and third parties.

But too often the risk assessment and method statement that is sent out for a job remains overly generic. The boxes above and below outline some clues to look for that the assessment and method statement have not been tailored for a job.

Generic risk assessments may provide a useful checklist, but will not be suitable or sufficient unless they are made specific to the task. Used inappropriately, generic risk assessments can provide a false sense of security, and discourage assessors from looking at the local hazards on the day.

Checking specialist assessments

It can be difficult for non-specialists to check the suitability and sufficiency of specialist risk assessments. After all, the reason you bring in a specialist is because you have identified a gap in competence. Here are a few checks worth making. Some will be obvious, but all of these have been failed at some point by some specialist risk assessors.

  • Fire risk assessment: can you identify separate findings for sources of ignition, fuel and oxygen, and for fire warning, evacuation, escape and rescue?
  • Asbestos: has the asbestos consultant asked someone in your organisation to go through the priority assessments with them, or have they just made some guesses?
  • COSHH: work through COSHH Essentials for a sample of substances and check whether the results you have been supplied with are consistent.
  • DSE: do most of the controls involve buying some new equipment, such as chairs, ergonomic mice and keyboards, desks, and does the assessor also supply such equipment?
  • Stress: have all the management standards been covered, and does the process match the HSE checklist? Is there a process for tackling problems identified?
  • Noise: look at the controls; has the assessor thought through possible elimination, reduction and isolation measures, or gone straight to recommending signs and ear muffs? This is particularly a problem if the assessor is also a supplier of hearing protection.
  • Wildcard: are locations, roles, equipment, and substances all relevant to your organisation? Beware a risk assessment for a single storey building that refers to basements, lifts, lofts or stairs.
You use specialists because they have more expertise, but you should still make reasonable efforts to check their work