SC06 - Risk management
06 Dec 2010










  • Version 1 (January 2007): Initial launch
  • Version 1.1 (August 2007): Added Quantitative risk assessments
  • Version 2.0 (November 2012): Following audit of RA code, code updated to include “On the job risk assessment”, modify responsibilities and remove group leader role and checklist. Addition of new responsibility to consider the need for the use of structured risk assessment tools (HAZOP etc). Remove Group leader responsibilities
  • Version 2.1 (May 2013): Amendments to audit checklist
  • Version 2.2 (February 2014): Minor change to Line Manager training requirements
  • November 2014: Added Document Retention Policy; minor changes to Appendix 3
  • October 2018: Minor changes related to launch of SHE Assure
  • April 2021: Amendments and updates to most sections following audit of RA code and audit of SHE Management systems
  • April 2022: Update to reflect Assure name change

NB - The changes to version 3.0 were considerable and readers should assume that significant portions of the body and Appendices have changed.​

​1. Purpose

Under the provisions of the Management of Health and Safety at Work Regulations (1999) a ‘suitable and sufficient’ risk assessment must be carried out for any work, activity or procedure, and the risk assessment of significant risks documented.

Risk Assessment is the fundamental basis of effective safety management. As well as being a statutory requirement under the Management Regulations, risk assessment is a valuable tool in planning work, developing procedures, informing and training staff, and reducing the number of accidents in the workplace. Some legislation requires topic specific risk assessments, for example:

  • The Control of Substances Hazardous to Health Regulations 2002 (COSHH);
  • The Genetically Modified Organisms (Contained Use) Regulations 2000;
  • Display Screen Equipment regulations 1992 (DSE);
  • The Provision of Personal Protective Equipment at Work Regulations 1992; and
  • The Manual Handling Operations Regulations 1992 (as amended).

Use of this code should identify those areas where such specialist assessments are required and address those where no such specific legislation applies.

The aim of this code is to ensure that risk assessment is carried out consistently across the STFC and to a standard that is ‘suitable and sufficient’. The term ‘suitable and sufficient’ is defined in Section 3.1 and an aide-memoire is included in Appendix 6 to ensure any completed risk assessment meets these criteria.

Risk assessment is a simple tool to prompt the proactive consideration of the health, safety and environmental implications of any activity and should be used to inform decisions about how an activity is carried out. It is a structured, systematic way of targeting control measures at significant risks. The HSE defines 'significant risks' as those which are not trivial and are capable of presenting a real risk to health and safety which a reasonable person would appreciate and take steps to prevent.

Pragmatic application of this code relies on the judgment of managers and employees to ensure that:

  • those activities where significant injury, ill health or environmental harm could arise are the subject of a documented risk assessment; and
  • the risks associated with changes to the scope or extent of work during the execution of a specific work activity are also managed.

The outcome of a risk assessment for an activity can range from endorsement of the current health and safety controls; identification of additional actions to further minimise risk; to avoidance of an activity or in extreme cases, cessation of an activity where the health and safety of those involved, or the environmental impact cannot be managed.

2. Scope

The requirements of this code apply to all activities undertaken by STFC staff whether working at STFC sites or other locations on Council business.

Carrying out a general risk assessment may indicate the need to conduct a more specialist risk assessment under specific legislation, for example working with hazardous substances, in confined spaces, or for working with heavy equipment, etc. These specialist assessments must be referenced in the general assessment; the topic-specific assessment need not be rewritten in the general risk assessment, but should be linked or cross-referenced to it.

Risk assessments for facility user experiments are the responsibility of those responsible for the experiment and should be based on hazard information provided by the relevant users.

This code does not apply to contractors working on behalf of the STFC. The responsibility for undertaking a risk assessment for such activities lies with the contractor’s management. The STFC has a clear responsibility to ensure that all relevant information is provided to enable a suitable and sufficient assessment to be undertaken by contractors.

Tenants are responsible for undertaking their own risk assessments according to their own systems and standards. However, where there is direct impact beyond the tenant’s boundary that could affect STFC staff, contractors, visitors, etc., STFC must have access to these documented risk assessments.

3. Definitions

3.1 Hazard, significant hazards, risk, ALARP and suitable and sufficient

‘Hazard’ and ‘risk’ are the two most important concepts in risk assessment. Although the terms are often used interchangeably, they have specific definitions in health and safety and it is important to understand the distinction.​

A HAZARD is anything that has the potential to cause harm. It is helpful to sub-divide ‘Hazard’ into several different types. These can be:

  • physical safety hazards such as working with electricity or working from ladders;
  • health hazards such as working with hazardous chemicals, biological agents or allergenic materials. There are also psychosocial hazards that could lead to work-related mental ill-health issues such as stress, anxiety or depression; or activities where staff may be subject to violence or aggression (e.g. front line, customer or public facing staff);
  • environmental hazards such as activities leading to harmful emissions to atmosphere or contamination of our waste water systems.

RISK is the likelihood that a person may be harmed or suffer adverse health effects if exposed to a hazard and the severity of the harm. Risk is therefore a combined assessment of the ‘harm’ and ‘likelihood’ for any given hazard and can be assigned a value (e.g. numerical or descriptive words such as high, medium or low) to identify and rank the most serious outcomes. This allows those involved to target and prioritise action on the most significant risks associated with the task/activity. The highest risks should appear first in the risk assessment.

Deciding whether or not a documented risk assessment is required is a subjective decision, but a sound knowledge of the situation, task, activity or process and objective, informed judgement is essential. Training (Appendix 5) aims to establish consistency across STFC. The key determinant will be whether the activity could foreseeably cause harm to the work environment or any person involved directly or indirectly with it. If yes, then the risk assessment should be performed and documented. Harm can be anywhere on a scale from minor to serious:

  • Slight - Person is likely to recover fully e.g. a bruise from hitting head on equipment or a cut from a sharp object.
  • Major - Fatality, e.g. a fall from significant height or hit by fast moving vehicle.

The risk assessment should address all significant hazards. Significant hazards are those that could potentially cause harm. Activities which only present risks which are trivial or associated with life in general do not require a risk assessment, e.g. paper cuts from working in an office or pulling a muscle when climbing a flight of stairs or donning a lab coat, unless the work activity compounds or significantly alters those risks.

All reasonably foreseeable risks should be considered. ‘Reasonably foreseeable’ risks are those that an average person would identify and take action to avoid. For example, when working with flammable material and a source of ignition, fire would be a reasonably foreseeable risk.

Critical to the effectiveness of any general risk assessment process is its pragmatic application. STFC is required to reduce risks “so far as is reasonably practicable (SFAIRP)”, sometimes shortened to “as low as reasonably practicable (ALARP)”. This means taking into account the ‘cost’, i.e. money, time and effort needed to reduce the risk against its likelihood of occurrence and potential severity. This process is subjective and will depend on the nature of the hazard, the extent of the risk and the control measures to be adopted. The option(s) with the lowest residual risk should be chosen, provided the costs incurred are not grossly disproportionate. There is no requirement to eliminate all risk, but residual risks must be actively managed.

“Suitable and Sufficient” Risk assessment

​​The law states that a risk assessment must be 'suitable and sufficient'. What this means is that the assessment must deal with all obvious significant risks, take into account those who may be affected, ensure precautions taken are reasonable, that the residual risk is as low as possible and that workers involved in the activity being assessed are consulted. The level of detail in the risk assessment should be proportionate to the risk. The more complex the task/activity/process and the higher the risks involved, then the greater the:

  • detail to be recorded in the risk assessment;
  • effort required for identifying control measures;
  • monitoring(1) of implementation of these control measures; and
  • level of training required for people undertaking the task. 

Appendix 6 provides more detail to assist in the assessment of a risk assessment to ensure it is ‘suitable and sufficient’.

(1) Note that the monitoring referred to in this context means the ongoing checks undertaken to confirm that the control measures are consistently and properly applied, and that they remain effective in the control of the relevant hazard.

3.2 Documented risk assessments

The documented risk assessment should be written using the STFC proforma (Appendix 2B). This sets out a series of steps and prompts to ensure: a thorough assessment of the hazards; the groups of people at risk are identified; and the required control measures have been carried out prior to the activity taking place. Recording in this way also helps to ensure a consistent approach to documenting the risk assessment. The outcome of the assessment must be shared with the people carrying out the work. Ready access to the assessment is important as it is a reference document and training tool for people who may be new to the activity. The documented risk assessment should be logged on Evotix Assure, providing both an audit trail for assurance and a means to demonstrate legal compliance with the Management Regulations.

There are some circumstances when a documented risk assessment will not be possible, for example when on-the-spot decisions are made and/or time does not allow for a documented risk assessment to take place. If this is a work-related activity then consideration should be mentally given to whether there are existing control measures in place to control the risks present; essentially, a ‘dynamic’ risk assessment is performed. This may involve unforeseen events such as emergency situations. If this activity is likely to take place again in the future (now known and no longer unforeseen), then it should be recorded in a new risk assessment or included in an existing one. Risk assessments are not needed for everyday tasks such as climbing a flight of stairs or crossing a road but are required for work-related activities.

The risk assessment should be completed by a team of people including those with expertise in the activity being assessed and active participation should be encouraged. The line manager has overall responsibility for this process and must ensure, once complete, that the risks and requirements to control them are effectively communicated to all relevant people, and that a copy of the risk assessment is uploaded to Evotix Assure.​

3.3 'On the Job' (OtJ) risk assessments

The “On the job” (OtJ) Risk Assessment can be used to supplement an existing documented risk assessment when there are last minute changes which must be documented but where there is insufficient time to re-write the original RA. For example, staff sickness absence on the day of an activity results in a lone working situation. The control measures to manage this situation are detailed on the OTJ risk assessment and this document is stored until the activity is complete. The OTJ RA should not be used in isolation as this alone does not produce a ‘suitable and sufficient’ risk assessment.

3.4 Method statements

Method statements (sometimes called ‘safe systems of work’) are an effective way to plan, manage and monitor major/complex projects and work involving contractors to ensure risk is managed and there is effective communication between all parties. See Appendix 7 for more information regarding method statements and a link to the STFC proforma for method statements.​

4. Responsibilities and Duties

4.1. ​Directors shall:
  • 4.1.1 Ensure all significant safety, health and environmental hazards within their area of responsibility have been risk assessed and a record of the risk assessment recorded in the STFC risk assessment database (Evotix Assure), and that these risk assessments are actively reviewed every 2 years or when there is a significant change.
  • 4.1.2 Ensure that sufficient resource is made available to implement risk control measures which have been identified by risk assessment and where those measures are considered reasonably practicable.
  • 4.1.3 When their responsibility includes User Facilities, ensure that a system to risk assess Facility User Experiments is put in place and managed by their staff.
4.2. Line managers/Supervisors shall:
  • 4.2.1 Undertake risk assessments for all activities, existing and planned, within their control. Where the risks are significant the assessment must be documented. Risk assessments should be carried out in conjunction with those who are planning and doing the work. See Appendix 1 and Appendix 2​.
  • 4.2.2 Ensure that as appropriate, actions arising from risk assessments to implement additional controls are prioritised (when a range of actions compete for resource and priority), and implemented prior to undertaking the activity.
  • 4.2.3 Ensure that risk assessments are effectively communicated to all those who are undertaking an activity and who may be affected by an activity, and that they are understood.
  • 4.2.4 As a minimum, all documented risk assessments should be reviewed every two years, or when:
    • there is a significant change to the workplace, activity or equipment;
    • there is a significant change in the personnel undertaking the task (e.g. their level of competence, or sudden temporary impairment);
    • a health, safety or environmental incident has occurred;
    • there have been changes to relevant guidance or legislation; or
    • new information emerges on technological advances, including:
      • new techniques;
      • new control measures;
      • improved designs and products; or
      • safer equipment or materials.
  • 4.2.5 The aim is to ensure that the risk assessment continues to reflect the way the process is actually undertaken and that the risks continue to be managed effectively. The Line Manager’s check list in Appendix 3 can be used as a tool to help review risk assessments.
  • 4.2.6 When the ‘main assessor’ named in a risk assessment leaves employment with STFC, their name should be removed and an alternative ‘main assessor’ identified to take ownership. This new named main assessor should ensure they are familiar with any current risk assessment(s) for which they are responsible.
  • 4.2.7 Ensure that the control measures identified in all risk assessments continue to be monitored (i.e. checked and reviewed) for effective and consistent implementation, and maintained in the case of safety-related equipment, where activities are ongoing. In areas where significant hazards are present the control measures will require more frequent monitoring. The results of such monitoring should be used to inform the review of any relevant risk assessment.
  • 4.2.8 Ensure that where staff, or those working for them, may be required to undertake activities for which the use of the OTJ risk assessment process is necessary, those staff, and others, are given training and instruction in the use of the OTJ assessment process. See Appendix 2.
  • 4.2.9 For major projects with multiple task risk assessments, including projects using the STFC Project Management system, managers should consider if the overall project requires the use of project risk assessment tools such as HAZOP, HAZID or HAZAN (see Appendix 4). Where such tools are utilised a member of the STFC SHE Group must be consulted.
4.3. Staff, users, tenants and visitors shall:
  • 4.3.1 Actively contribute to the risk assessment process for the activities they are involved in. See Appendix 1 and Appendix 2.
  • 4.3.2 Discuss with their line manager or supervisor if any significant risks cannot be managed using the resources immediately available.
  • 4.3.3 Ensure they understand the health, safety and environmental risks associated with activities they undertake, as appropriate asking their supervisor or line manager. Where the risks are significant, read a copy of the risk assessment to ensure they understand the control measures that should be in place prior to undertaking that activity.
  • 4.3.4 Employ the “On the job” (OTJ) risk assessment process to manage additional risks that arise during the course of work that has not been subject to a documented risk assessment but warrants more than a simple mental risk assessment. See Appendix 2.
  • 4.3.5 Implement the control measures established by any risk assessment process (whether this is an OTJ risk assessment or a fully documented risk assessment) for activities they undertake and actively monitor these control measures to ensure they remain in place.
4.4. Safety, Health and Environment (SHE) Group shall:
  • 4.4.1 Maintain electronic storage systems to provide:
    • a secure database of risk assessments, and management of actions arising from the risk assessment process; and
    • data to support and assess the implementation of this Code across the STFC for management teams and committees.

Contact: Smith, Andrew (STFC,DL,COO)