Do UK Businesses Legally Need a Risk Assessment?

By Assessment First · Published 18 March 2026

Yes — most UK businesses do legally need a risk assessment. Whether you run a busy construction site, a small office, or a sole-trader operation, UK health and safety law requires you to assess the risks created by your work activities.

This guide explains what the law requires, who it applies to, and when your findings need to be written down.

Quick Answer
Most UK businesses legally need a risk assessment. Employers must assess workplace risks to employees and others affected by their work. If the business has 5 or more employees, the significant findings must be recorded in writing. Even with fewer than 5 employees, the risk assessment still needs to be carried out.

What does UK law say about risk assessments?

Businesses with employees have a legal duty to assess the risks created by their work. This duty is established by the Health and Safety at Work etc. Act 1974 and formalised through the Management of Health and Safety at Work Regulations 1999, which require employers to carry out a "suitable and sufficient" risk assessment.

A suitable and sufficient risk assessment does not need to be complicated or exhaustive — but it does need to be proportionate to the actual risks in your workplace. A busy construction site requires a more detailed assessment than a quiet office, but both still need one.

The duty extends beyond just employees. Businesses must also consider risks to contractors, visitors, customers, and members of the public who could be affected by their work activities.

Do small businesses legally need a risk assessment?

Yes. Small businesses — including sole traders and micro-teams — still need to carry out a risk assessment. The size of the business affects whether the assessment must be formally written down, not whether the assessment itself is required.

Fewer than 5 employees: You must still carry out the risk assessment, but you are not legally required to record the significant findings in writing — though doing so is strongly recommended.
5 or more employees: You must carry out the assessment and record the significant findings in writing.

For sole traders working on client premises or in public spaces, the duty to assess risk is particularly relevant — even without any employed staff.

Key distinction: Carrying out a risk assessment is the legal duty. Writing it down becomes mandatory once you employ 5 or more people.

When does a risk assessment need to be written down?

The legal threshold is 5 or more employees. Once a business reaches this size, the significant findings of the risk assessment must be recorded in writing.

Commercial clients, landlords, and site managers often ask to see written risk assessments before work starts.
Insurance providers may require documented evidence of risk management.
Written records create consistency when staff change or new people start work.
They support tendering for contracts in construction, facilities, and public sector work.
They demonstrate that hazards were identified and managed if an incident occurs.

What should a business risk assessment include?

The HSE five-step approach gives a clear structure:

Hazards — Identify what could cause harm.
Who might be harmed — Employees, contractors, visitors, and the public.
Existing controls — What is already in place to reduce the risk.
Further action needed — Any additional steps required.
Responsible person and review date — Who is responsible and when to review.

When should a risk assessment be reviewed?

After an accident or near miss
When work processes or activities change
When new equipment, substances, or sites are introduced
When staffing levels or working conditions change significantly
As part of a regular periodic review — at least annually for most businesses

Do clients and contractors ask for risk assessments before work starts?

Often yes. Commercial clients, principal contractors, schools, landlords, and site managers routinely ask suppliers to provide risk assessments before work begins. In many cases this extends to a full RAMS pack — combining the risk assessment with a method statement.

The easiest way to stay compliant

Assessment First is built for UK businesses that need clear, professional risk assessments without spending hours on admin. Create documents quickly, update them when work changes, generate RAMS packs where needed, and share directly with clients or sites.

Frequently Asked Questions

Is a risk assessment a legal requirement for UK businesses?

Yes. In the UK, employers must assess the health and safety risks created by their work activities. This duty applies to most businesses, whether they operate from an office, site, shop, warehouse or client premises.

Do I need a written risk assessment if I have fewer than 5 employees?

Not usually, but you still need to carry out the risk assessment. HSE guidance says businesses with fewer than 5 employees do not generally have to write the assessment down, although keeping a written record is still a smart and practical step.

What happens if my business has no risk assessment?

A business without a risk assessment may face enforcement issues, weaker evidence after an accident, and problems meeting client or contractor requirements.

Does a self-employed person need a risk assessment in the UK?

Often yes, especially where their work could affect other people. The key question is whether their activities create risks to others such as clients, contractors, visitors or the public.

What is the difference between a risk assessment and a RAMS pack?

A risk assessment identifies hazards, evaluates risk, and sets out control measures. A RAMS pack goes further by combining the risk assessment with a method statement showing how the work will be carried out safely in practice.