Safety Services


Risk Assessment

By assessing risks, we can prevent harm to our employees. Here is information to guide you in conducting a good risk assessment.

By completing risk assessments, we are ensuring that the likelihood of causing harm is minimised. Harm is usually considered to be injury or ill-health but harm can also be damage to property, equipment or the environment. We are also complying with the law.

riskNET provides a simple mechanism for recording risk assessments and its use is mandatory at UCL. Risk assessments should be recorded in riskNET and the information recorded must then be implemented in your work area.

The Law

The Management of Health and Safety at Work Regulations 1999 place duties on employers to undertake a risk assessment and to consider appropriate control measures to control the risks identified. These risk assessments must be recorded if the company employs 5 or more individuals and should be reviewed at regular intervals or in the event of change.

What is a risk assessment?

A risk assessment is a careful examination of anything in the workplace that could cause harm and a decision about whether there are enough precautions in place.

The factors that must be considered when carrying out an assessment are:

  • the process or work activity
  • the workplace or environment where the work is carried out including unrelated activities going on in the area
  • the people who are directly or indirectly affected

Nearly all new projects or work activities will have elements in common with those already in existence. Break down the activities and tasks into their component parts, note what precautions are already in place and who is involved, and you are on the way to creating a risk assessment.

What should the risk assessment cover?

The law states that a risk assessment must be 'suitable and sufficient', that is, it should show that:

  • a proper check was made
  • you asked who might be affected
  • you dealt with all the obvious significant risks, taking into account the number of people who could be involved
  • the precautions are reasonable, and the remaining risk is low
  • you involved your workers or their representatives in the process

The level of detail in a risk assessment should be proportionate to the risk and appropriate to the nature of the work. Insignificant risks can usually be ignored, as can risks arising from routine activities associated with life in general, unless the work activity compounds or significantly alters those risks.

Your risk assessment should only include what you could reasonably be expected to know - you are not expected to anticipate unforeseeable risks.

What should I consider when completing a risk assessment?

The use of the riskNET risk assessment module is mandatory at UCL to record risk assessments, with the exception of dynamic risk assessment.

Use of riskNET allows for recording of different types of activity assessment under one overarching title, for example covering a whole research project. 

The level of detail needed in any assessment should be in proportion to the risk associated with the work activity.

More hazardous activities may require more detail and/or more sophisticated approaches to assessment. 

Local arrangements for assessment must be documented and approved by the Head of Department and must address the matters outlined below.

Who can carry out assessments?

Those carrying out assessments should be competent, i.e. have sufficient knowledge, skills and experience to undertake the assessment. If they are not directly involved in the activity being assessed, they must involve or consult those carrying out the work. The ability to carry out a risk assessment may require specific training and/or specialist input; see the section below on training.

Peer review

Preparation of assessments must always involve those carrying out the work, but certain assessments, for example those for high-risk, complex and/or novel work, may also need additional scrutiny by a competent independent individual.

There are specific requirements for scrutiny of assessments for work with genetically modified organisms.

Departmental Safety Officers may be involved in the risk assessment review process as a means of checking the impact of the work on other activities in the department, or if new hazards are being introduced into the department.


Risk assessments must not be written and approved by the same person. 

Assessments should be approved by the person in management control of the work, for example, the Principal Investigator. Certain activities may require a higher level of approval because of the risk posed by the work, even with identified controls in place. If the person who wrote the risk assessment is in management control of the work and therefore still needs to be listed as an approver, they should seek joint approval from peers of equal status to provide an independent assurance check or seek approval from the overall risk owner.

A Departmental Safety Officer should not be solely responsible for approving assessments but may be a joint approver for assurance purposes.


Risk assessments must be recorded online, using the riskNET database. riskNET provides a central, searchable database of departmental assessments and helps ensure they are suitable and sufficient.


The findings of risk assessments, in particular the control measures identified, must be communicated to all those carrying out, or affected by the work. This can be achieved by the use of the distribution list in riskNET which automatically informs an individual when a risk assessment is approved. Other means of communication should be considered, including the use of ‘tool-box talks’ (presentations) which may be more appropriate for groups without regular computer access such as cleaners and security staff.  

Departmental Codes of Practice or Standard Operating Procedures may also be used to communicate findings of assessments and, in particular, the control measures identified.

How do I complete a risk assessment?

In order to complete a suitable and sufficient risk assessment you should follow 5 steps as detailed below:

Step 1: Identify hazards, i.e. anything that may cause harm

A HAZARD is anything that has the potential to cause harm. 

When starting your risk assessment you should identify all of the hazards first. In other words, what is it about the activities, processes or substances used that could injure someone, harm their health or cause damage?

Step 2: Decide who may be harmed, and how

The obvious answer to this question is anyone carrying out the work but you must also consider that the harm may affect others who are not directly involved:
  • maintenance and cleaning staff
  • visitors
  • neighbours and passers-by
  • the emergency services e.g. the fire brigade
  • anyone who shares your workplace

Step 3: Assess the risks and control

RISK is the likelihood that a hazard will cause harm, together with the severity of that harm if it does.

Once you have identified the risk, there is a standard approach to the order in which precautions must be considered, known as a hierarchy of risk control. This approach will help to ensure that the risks have been reduced to a level which is as low as is reasonably practicable. Considering precautions in this order means that the most effective measures are considered first and the least effective last.

View the hierarchy of risk control →

Step 4: Record and communicate findings

riskNET provides a simple mechanism for recording risk assessments and its use is mandatory at UCL. Risk assessments should be recorded in riskNET but the information recorded must then be implemented in your work area.  

Dynamic risk assessments do not need to be recorded in riskNET but must be linked to the original risk assessment on riskNET.  

Managers must communicate the significant findings of risk assessments to anyone who might be affected. This will include making people who may be affected aware of the risks and the appropriate control measures they must follow to control them. This is also likely to include training or instructing staff on the new process as well as supervising them undertaking the activity.

Once you have communicated with staff they have an obligation to co-operate and follow the instructions they have been given for safe working.

Step 5: Review the risk assessment

To ensure the effectiveness of the control measures, it is essential that a review is carried out at intervals determined by the assessment. The review will need to be sooner if there is any reason to think the assessment is no longer valid or if there has been a significant change to the work.

The assessment may no longer be valid because:

  • new information has come to light
  • the results from monitoring activities, i.e. inspections, indicate that controls are not working or not being used properly
  • an accident or incident has occurred that indicates a failure in the measures to control risk

Video Tutorial on how to create a new risk assessment

> riskNET (UCL Login required)

https://mediacentral.ucl.ac.uk/Player/GB1He3JJ


Last updated: Tuesday, September 6, 2022