Construction Risk Assessments: How to Write Them Properly and Stay Compliant

An HSE inspector asks to see your risk assessments. You hand over a 40-page document that was written three years ago for a completely different project. The inspector flips to the front page, sees a different site address, and you already know where this conversation is heading.

Risk assessments aren't a one-and-done piece of paperwork you file away and forget about. They're a legal duty under the Management of Health and Safety at Work Regulations 1999 (Regulation 3), and in construction, they need to be specific, current, and actually used by the people doing the work.

This guide explains how to get them right.

Why Risk Assessments Are a Legal Requirement

Every employer in the UK — and every self-employed person who works in conditions that could affect others — is legally required to carry out a suitable and sufficient risk assessment. This isn't guidance or best practice. It's the law.

For construction specifically, the duties are reinforced by:

• The Health and Safety at Work etc. Act 1974: The overarching duty to ensure the health and safety of employees and others
• The Management of Health and Safety at Work Regulations 1999: The specific requirement to assess risks
• CDM 2015: The requirement for risk management throughout design and construction (see our guide to CDM duty holders)
• The Work at Height Regulations 2005, COSHH Regulations 2002, Noise at Work Regulations 2005: Activity-specific regulations that all require risk assessment

If you employ 5 or more people, you must record the significant findings of your risk assessment in writing. Even if you employ fewer than 5, you still need to carry out the assessment — you're just not legally required to write it down (though you absolutely should, because an unrecorded assessment is impossible to prove).

The 5-Step Risk Assessment Process

HSE's established framework for risk assessment has five steps. It's simple, practical, and works for everything from a one-day repair job to a multi-year construction programme.

Step 1: Identify the Hazards

Walk the site (or review the project plans if work hasn't started). Look at what could cause harm. Talk to workers — they know the risks on the ground better than anyone sitting in an office.

Construction-specific hazards to consider:

• Working at height: Falls remain the single biggest killer in UK construction
• Manual handling: Moving materials, lifting heavy loads, repetitive tasks
• Noise and vibration: Power tools, plant machinery, piling
• Dust and airborne contaminants: Silica dust, wood dust, asbestos (especially in refurbishment)
• Hazardous substances: Solvents, adhesives, cement (COSHH assessments needed)
• Electrical hazards: Overhead power lines, buried cables, temporary site supplies
• Confined spaces: Manholes, tanks, excavations
• Moving plant and vehicles: Excavators, dumpers, delivery vehicles on site
• Collapse: Excavations, temporary structures, scaffolding
• Fire: Hot works, flammable materials storage, temporary accommodation

Don't limit yourself to the obvious. Think about what could go wrong during deliveries, during bad weather, at shift changeovers, and during commissioning or handover.

Step 2: Decide Who Might Be Harmed and How

This isn't just your own workers. Consider:

• Employees of other contractors on site
• Visitors and client representatives
• Members of the public (especially on sites adjacent to roads, footpaths, or occupied buildings)
• Young workers and apprentices (who may be less experienced in recognising risks)
• Workers with specific vulnerabilities (e.g. new or expectant mothers, those with health conditions)

Be specific. "Workers might be harmed" is not sufficient. "Groundworks operatives could suffer crush injuries from excavation collapse" is useful because it tells you exactly what to control.

Step 3: Evaluate the Risks and Decide on Precautions

For each hazard, decide what you're already doing to control the risk, and whether you need to do more. Apply the hierarchy of controls:

1. Eliminate: Can you remove the hazard entirely? (e.g. prefabricate at ground level instead of working at height) 2. Substitute: Can you replace something dangerous with something less dangerous? (e.g. use water suppression to reduce silica dust) 3. Engineering controls: Physical measures to reduce exposure (e.g. edge protection, LEV systems, barriers) 4. Administrative controls: Procedures, permits, training, signage, supervision 5. PPE: Personal protective equipment as a last resort, not a first response

Record the controls you've decided on. These form the basis of your method statement — and together, the risk assessment and method statement make up your RAMS (Risk Assessment and Method Statement), the standard document package expected on UK construction sites.

Step 4: Record Your Findings

Write it down. Your recorded risk assessment should include:

• The hazards you've identified
• Who might be harmed
• What you're already doing to control risks
• What further action you need to take
• Who is responsible for implementing each action
• When the actions need to be completed by

Keep the language plain. The people reading this document will be site operatives, supervisors, and subcontractors — not health and safety consultants. If they can't understand it, it won't protect anyone.

Step 5: Review and Update

A risk assessment is a living document. You must review it:

• Regularly: At least annually for ongoing activities, or at key project milestones for construction work
• When something changes: New equipment, new process, change in scope, new subcontractor
• After an incident: Any accident, near-miss, or dangerous occurrence should trigger a review of the relevant assessment
• When new information becomes available: Updated manufacturer guidance, new HSE alerts, changes in legislation

Record when reviews take place and what changes were made. An assessor or inspector wants to see evidence of ongoing review, not a pristine document that was clearly written once and never touched again.

Generic vs Site-Specific Risk Assessments

There's an important distinction between the two, and you'll likely need both.

Generic risk assessments cover activities your business carries out regularly across multiple sites — bricklaying, electrical first fix, scaffolding erection. These capture the common hazards and standard controls for that activity.

Site-specific risk assessments cover the particular conditions on a specific project — nearby overhead power lines, contaminated ground, occupied adjacent buildings, restricted access, specific client requirements.

Your RAMS for a project should combine both: the generic assessment for the activity, supplemented by a site-specific assessment that addresses the unique conditions of that site. Just submitting your generic assessment without tailoring it to the site is one of the most common failures flagged in audits.

Who Should Write Them

The law requires that risk assessments are carried out by a competent person — someone with sufficient training, experience, knowledge, and other qualities to do the job properly.

This doesn't mean you need an external health and safety consultant (though you might choose to use one). It means the person writing the assessment must:

• Understand the work being assessed
• Know the hazards associated with that work
• Be familiar with the relevant legal requirements and industry standards
• Be able to evaluate risk and determine appropriate controls

In practice, this is often a site manager, supervisor, or experienced operative — ideally someone who actually does or oversees the work. Risk assessments written by people who've never set foot on a construction site tend to be generic, impractical, and ignored.

Common Mistakes

• Copy-pasting from another project: If your risk assessment has someone else's site address on it, it's immediately obvious. More importantly, it won't address the actual risks on your site.
• Writing them after the work has started: The whole point is to identify risks *before* work begins, so controls can be put in place. A retrospective risk assessment is useless.
• Not involving workers: The people doing the work understand the hazards better than anyone. Regulation 3 of the Management Regulations requires consultation with employees. Use toolbox talks and briefings to get input.
• Treating them as static documents: Writing an assessment once and filing it for three years doesn't meet the legal standard. Reviews must happen, and they must be recorded.
• Relying on PPE as the primary control: PPE should be the last line of defence, not the first. An assessment that lists "wear hard hat and hi-vis" for every hazard without considering elimination, substitution, or engineering controls is inadequate.
• Making them too long and complicated: A 30-page risk assessment that nobody reads is less effective than a clear, concise 3-page document that every worker on site has actually reviewed.

Keeping Your RAMS Organised

If you're running multiple projects with different subcontractors, each producing their own RAMS, the volume of paperwork builds up fast. Tracking which assessments have been submitted, which need reviewing, and which are out of date is a compliance task in itself. ComplianceVault's readiness checker helps you manage this by centralising your documentation and flagging when reviews are due, so nothing slips through the cracks.

Summary

• Risk assessments are a legal requirement under the Management of Health and Safety at Work Regulations 1999 — not optional guidance.
• Follow the 5-step process: identify hazards, decide who's at risk, evaluate and control, record findings, review and update.
• Always produce site-specific assessments that address the actual conditions on your project — generic templates alone are not sufficient.
• Risk assessments must be written by a competent person and reviewed regularly, after incidents, and whenever conditions change.
• Combined with method statements, your risk assessments form your RAMS — the standard compliance document expected on every UK construction site.