28/10/2025

Risk Assessment: The common pitfalls and how to avoid them

Bridget Leathley offers valuable advice on avoiding the most frequent mistakes made while conducting risk assessments.

A good risk assessment process is not about tables and matrices; it’s a process. The UK Health and Safety Executive (HSE) emphasised this by producing “Five steps to Risk Assessment” in 1998. While the original versions of this have been withdrawn, the five steps are still outlined on the HSE website. We’ll look at some common mistakes made at each step, with suggestions on how to overcome the pitfalls.

  1. Identify hazards

Before you try to identify hazards, you need a task analysis.

If you haven’t defined the task clearly, you can easily miss hazards. Does the “changing a fuse” risk assessment apply to a fuse in a plug or in a distribution board? Does the “work at height” assessment cover using a step ladder to change a lightbulb or using a mobile elevating work platform (MEWP) to clean process equipment?

A chemical company was fined £100,000 in August 2025 for an inadequate risk assessment. A 23‑year‑old worker suffered serious scalding, leading to permanent scars, when the steam hose he was using to clean a process tank spun around and directed steam at him. Because he was in a MEWP, he had first to lower the basket before he could escape the steam, delaying access to the deluge shower.

A task analysis for this cleaning task would have identified the use of the pressure hose and the steam hose, on the ground and at height. It would have identified the hazards of pressure and steam, as well as the less likely risk of falling from the MEWP.

At its simplest, a task analysis is a list of the steps needed to complete a task. You might already have a documented procedure or method statement. If you do, check with the people carrying out the task that this represents the process they actually follow. If there isn’t a written procedure, get those same people in a room around a whiteboard to map out how they currently do the task. What workarounds have they found? What equipment do they use?

As well as helping you to define the task you are going to risk assess, you will also collect information to help in the other steps. You will find out what hazards they already know about, and how they manage these. If people feel psychologically safe, they might tell you where it’s gone wrong before, even if those incidents were never formally reported.

  2. Assess the risk

The assessment step goes wrong because we misjudge risk and misuse tools. We tend to see things from our own perspective. Perhaps you can drive 200 miles or work 12 hours a day without a meal break to meet tight targets. But someone with an existing physical or mental health condition might respond differently. The risk might be higher for some people than others.

Then we try to apply an ill-defined risk matrix to our biased judgement of risk. Different assessors choose different scores, undermining any value a matrix might have. In most cases, prioritising a risk with a matrix is unnecessary. Measure things that need to be measured – like noise, vibration, radon or hazardous substance concentration in the air. If you are doing a task in a way that breaks the law, fix it. If there is a safer way of doing something, adopt the safer way, unless you can show that the cost of doing so is grossly disproportionate.

Even consistent scores discard the detail we need in the next step. On a 5x5 matrix, a score of 10 could mean high severity but low likelihood, or low severity but high likelihood. You need to focus on the high severity hazard first, to make sure the likelihood is as low as you think it is. Putting the same effort into reducing the likelihood of a low severity outcome might not be a good use of resources.

Instead of numbers, write harm statements that describe what you think could happen. “Driving” might have several harm statements, from “a motorway crash resulting in multiple fatalities, including the death of an employee” through to “drivers spending long hours driving without a break suffer musculoskeletal pain and time off work.”

  3. Control risk

If all you have is “driving scores 10 on the matrix”, your controls will be inadequate. But equipped with a task description, a comprehensive list of relevant hazards and harm statements, you can focus on reducing the likelihood of hazardous events.

Looking at our driving harm statements, “planning journeys to ensure there is time for proper breaks” will be a useful control for all scenarios. But controls for the risk from a motorway crash might involve vehicle maintenance checks, driver training and policies discouraging drivers from using a mobile phone (even hands-free) while driving. The musculoskeletal hazard might be controlled by teaching drivers how to adjust their seats, and rules on when breaks should be taken.

Involve the people doing the task. Workers can tell you whether a suggested schedule for breaks is practical, or show you how the hard hat doesn’t work with the hearing protection. Together, work through the hierarchy of control for each hazard. If you’re relying on hearing protection, can you instead reduce the noise at source? If the only control to keep people away from dangerous machinery is a line on the floor, can you install a physical barrier or light curtain?

  4. Record your findings

The longer the document, the less likely people are to read and understand the controls they need to apply - even if they are made to sign it.

Risk assessments often include a mix of tasks done by different people. Procurement purchase safe equipment, facilities maintain it, supervisors check it, contractors make additional measurements and, hidden somewhere, are the steps that the worker needs to follow.

Think about different ways of recording the significant findings. You might have a large management document that includes everything, but each group of people can have their tasks incorporated into their own workflows. The procurement system could include a prompt for the buyer to check whether there is a safety reason for not going with the cheapest supplier; the supervisor and maintenance staff can have their regular checks built into their job system as planned preventative maintenance (PPMs). The person doing the job might be given a tailored method statement, with on-the-day controls clearly identified.

The task analysis you did in step 1 will be a valuable resource for updating or creating method statements. Generic statements like “use appropriate equipment” or “check that readings are within parameters” should be replaced with specific instructions such as “use a calibrated thermometer available from Facilities” and “check that cold tap temperatures are 20 degrees or below within two minutes of running the tap.”

Tailor the presentation of the findings to the needs of the workers who must implement the controls, or involve them in creating memorable novel formats like videos or posters.

  5. Review the controls

Too often, review is seen as an annual (or less often) paperwork exercise. Update the company logo, change the date and leave it for another year (or so). Standard risk assessment tables support this idea by providing a column to sign off when a control has been done – as if it’s a one-off process.

Each new control needs to be reviewed. Suppose a new control has been added for security staff to check that all fire doors are closed at 6pm. A week after implementation, walk around at 6.30pm and see if it’s working. Perhaps security can’t check 200 doors at the same time, or someone working late reopens a door. The control might need to be improved now – not in a year’s time.

Once the initial reviews have made sure new controls are effective, periodic checks should take place, depending on the reliance the system has on the control and the reliability of that control. An essential control that relies on a lone worker to remember to do something will need more frequent oversight than a physical barrier everyone can see.

Additional reviews are needed when an incident suggests that the controls might not be working as you thought they would – or that there are additional hazards you hadn’t identified.

Periodic reviews should consider advances in technology. 25 years ago, it wouldn’t have been practical to suggest that all lone workers carry a mobile phone – now it’s taken for granted. Reviews could consider the practicability of the Internet of Things (IoT) for monitoring equipment, and wearable devices to provide real-time health statistics and location monitoring.

Conclusion

If you’re constructing a building, you need firm foundations. If you’re assessing risk, your firm foundations are a description of the task and clear statements about the harm that could be caused. Without these, your risk assessment will fall into one of the pitfalls described here or by the HSE in RR151: Good practice and pitfalls in risk assessment (2003).

Want to learn more about assessing risk and other key elements of protecting the safety of others? Browse our training courses to find a learning opportunity that suits you: www.rospa.com/health-and-safety-courses

 

With a first degree in computer science and psychology, Bridget Leathley started her working life in human factors, initially in IT and later in high-hazard industries. After completing an MSc in Occupational Health and Safety Management, she moved full-time into occupational health and safety consultancy, training and writing.