2. Decide who might be harmed and how
Think about who’s affected by each hazard. That includes your employees, contractors, visitors and anyone else who might be on your premises or impacted by your work.
Don’t forget people working from home, people working alone, or those with health conditions that might make them more vulnerable to certain risks. New or expectant mothers may also face higher risk from certain hazards.
3. Evaluate the risks and put controls in place
For each hazard, ask: what’s already in place to control it, and is that enough? If not, what else needs to happen? A simple way to do this is to think about the likelihood of harm and the severity of that harm. Some businesses use a risk rating to help prioritise what needs attention first.
Controls don’t need to be complicated. They just need to be proportionate. Simple signage, training, adjusted processes, or better equipment can all count.
4. Involve other people in the risk assessment process
This is the step most people skip in the risk assessment process, and it matters. One person completing a risk assessment can’t spot everything alone. Talk to your employees - the people doing the work. They’ll often know things you don’t, and they might also reassure you that something you were worried about isn’t a significant concern after all.
5. Keep your risk assessments somewhere people can actually find them
You can have the most thorough risk assessments in the world. But if they're sitting in a folder nobody opens, they're not protecting anyone. A filing cabinet or the hard drive of a single desktop computer isn’t usually the best choice. Ironically, a fire could easily destroy your risk assessment evidence.
Keeping a digital copy of your risk assessments in the cloud is a better option. Health and safety software takes it a step further, letting you control who can access what. And if your health and safety and HR documents live in the same system, even better. It means everything your team needs is in one place, with permission-based access and shared visibility across the people who need it.
Important note: If you have five or more employees, recording the significant findings of your risk assessment is a legal requirement.
6. Train your people and get acknowledgements
Use your completed risk assessment to shape the training you give your team. Make sure employees, contractors and agency workers complete training based on the workplace health and safety risks relevant to them, and get them to confirm they’ve done so in writing, either via a digital acknowledgement or an e-signature. That acknowledgement is one of the most important things you can do for both safety and legal protection.
Jon put it plainly: communication and acknowledgement are among the most important elements of the whole process.
Emma connected this directly to the importance of using a system like Breathe for e-learning where training is easy to access and you can track who’s completed what training, when.
Five tips from health and safety experts, Emma and Jon, for small business risk assessments
1. You don’t need to over-engineer
Over the years, Jon’s seen businesses go so deep into the risk assessment process that they end up assessing every tiny hazard they can think of - including, at one extreme, an office stapler.
This kind of over-engineering doesn’t protect anyone. It just wastes time and creates a false sense of security. The goal is an assessment that’s suitable and sufficient - not exhaustive.
2. Controlling the risk isn’t just one person’s responsibility
If you’re the person tasked with health and safety in your business, it’s easy to feel like the weight of it sits entirely on your shoulders. It doesn’t.
Jon was clear that risk assessments should be a collaborative process. Involve others. Have conversations. Someone else might spot a hazard you’ve missed.
Emma added that employees have obligations here too. They’ve got a duty to raise concerns, whether that’s flagging stress, a health condition, or something they’ve noticed in the environment.
The accountability, however, always sits with the directors of the business. While day-to-day responsibility can be delegated to a “competent person” or “persons”, if something goes wrong, the buck stops at the top.
3. Your duty of care extends to employees who work from home
In recent years, the definition of “the workplace” has expanded significantly. And with that expansion comes an expanded duty of care - covering both physical and psychological risks in your employees’ home environments.
The good news is you don’t need to visit everyone’s home to make this work. A practical, pragmatic approach is all that’s needed, according to Jon. For example, sharing a template and empowering employees to complete a self-assessment (with manager support available if needed) is more than adequate.
This is often called a home working or working from home risk assessment. You can find a free template here. These risk assessments should include things like:
- Stress, mental health and lone working considerations. Think about your employee’s mental health, isolation and the sense of disconnect that can come from working alone from home.
- DSE and workspace set-up. Just because someone’s at home, it doesn't mean their desk set-up stops mattering.
One note on sensitivity: if you’re asking employees to fill in a self-assessment, be thoughtful about the way you phrase questions and make sure you’re not setting unrealistic expectations. Not everyone has a dedicated home office room.
4. Try dynamic risk assessments for practical tasks
Getting the paperwork right is one thing. Getting people to actually stop and think before they act is another.
Jon gave the example of a worker who was doing everything properly - using the right equipment, following the right process - until they decided to clamber out of a scissor lift onto a roof to finish the job. The desire to get things done overrode the instinct to pause and assess.
This is one of the biggest challenges businesses face, and there's no overnight fix. But dynamic risk assessments (DRAs) can help. These are short, individual assessments for specific tasks - essentially a structured prompt to stop, think and check before proceeding. For teams that carry out practical work, especially on client sites, they can be genuinely life-saving.
5. You can’t know everything, but you can be prepared
Sometimes, employees will choose not to share health conditions or personal circumstances. That doesn’t mean you’re unprotected.
Providing a pre-employment health questionnaire after you make a job offer is one way to open the door. It puts you on notice that adjustments may be needed for that employee to work safely, and it sits within the framework of the Equality Act.
But disclosure doesn’t just happen at the start. Annual DSE assessments and working from home risk assessments give employees a regular low-pressure opportunity to flag any concerns or new conditions. Regular one-to-ones with their managers can do the same.
Emma highlighted that this is where psychological safety really matters. If people feel comfortable being open and honest, without fear of backlash or consequences, they’re far more likely to tell you what you need to know.
If issues do come to light during employment, an occupational health referral gives you a clear, factual basis for deciding what support or changes are needed for an employee.
As Jon said, risk assessments aren’t foolproof, but they don’t need to be. What matters is reasonable foreseeability: doing what a reasonable employer would do with the information they have.
Risk assessment responsibilities for contractors and third parties
One of the final things we discussed in our roundtable was what risk assessment responsibilities small employers have for contractors and third parties.
If you’re bringing contractors onto your site, you do have a duty to assess their competence - even if you can’t fully evaluate the technical content of their business’s risk assessment and method statement (RAMs).
Jon provided a practical checklist to run through:
- Check if they have valid insurance
- Confirm they’re a member of a relevant trade body
- Ask for their RAMs and look for the big-ticket hazards (working at height, electrical safety, etc.)
- Where possible, ask for training certificates for the individuals doing the work
If a contractor responds to a RAMs request with silence or confusion, that’s a red flag before they’ve even set foot on site.
And when you’ve got employees working on a client’s site and you can’t get safety information from the client, again this is where Jon recommends using a dynamic risk assessment. He suggests training your people to assess conditions on arrival and make sure they feel confident raising concerns without fear of repercussion.
Ready to get started? Try our free risk assessment templates
We’ve put together a free risk assessment template starter pack, created with guidance from health and safety experts in the Breathe Partner Programme. It includes templates for a general workplace risk assessment, a working from home and DSE assessment, and an office-based DSE assessment, all designed to give small businesses a clear, practical starting point.
And if you’re looking for a way to manage risk assessments, log incidents, train employees and keep important records organised alongside your HR data, Breathe can help. It brings everything into one clear system, so nothing gets lost in a filing cabinet or buried in a shared drive.
Emma, Jon and the team at Effective HRM have been supporting small businesses across the UK with practical, honest guidance for over 15 years on everything from risk assessments and compliance to employment law and day-to-day people management. If you’d like tailored professional advice on your specific HR or health and safety situation, you can contact them here.
Risk assessments: frequently asked questions
Are risk assessments a legal requirement?
Yes. Under health and safety law, risk assessments are a legal requirement for every employer, workplace and self-employed person. If you have five or more employees, you're also legally required to record the significant findings of your risk assessment in writing. Even if you have fewer than five employees, it's still good practice to document what you've done.
Who can carry out a risk assessment?
The Health and Safety Executive (HSE) doesn't always require formal qualifications.* What matters is that the person doing it is a competent person with a good working knowledge of the workplace and the hazards involved. That could be a business owner, a manager, or someone appointed specifically for the role. If you're not confident, bring in a colleague or an external specialist.
*Take note that for fire risk assessments, a 2026 government consultation will decide on whether specific certification is required for those assessing fire risk.
What's the difference between a formal risk assessment and a dynamic risk assessment?
A formal risk assessment is a planned, written assessment of the significant hazards in your workplace, the people who might be harmed, and the control measures you've put in place. A dynamic risk assessment is shorter and carried out in the moment, usually before a specific task. It's a structured prompt to stop, think and check, particularly useful for practical or unpredictable work.
What should I include in a risk assessment?
The risk assessment process involves identifying potential hazards (including less obvious hazards like stress or repetitive strain), deciding who might be harmed and how, evaluating the risks, putting control measures in place to control the risks, and reviewing regularly. Don't forget to consider groups like new or expectant mothers, lone workers, and anyone with health conditions that may put them at higher risk.
How often should I review my risk assessment?
There's no fixed rule, but you should review it whenever something changes, whether that's a new employee, a change in working practices, a workplace accident, or new risks being introduced. For lower-risk environments, an annual review is usually sufficient.
What happens if I don't do a risk assessment?
Failing to carry out a risk assessment can lead to workplace accidents and ill health, financial loss through sick pay or compensation claims, and potential legal fines. Beyond the legal consequences, it means you may not have taken reasonable steps to protect your people, which is ultimately what risk assessments are there to do.
Do I need a risk assessment template?
You don't have to use one, but a risk assessment template can make the process much simpler, especially if you're doing this for the first time. It helps make sure you've covered all the key areas, from identifying hazards to recording your existing control measures. We've put together a free risk assessment template starter pack designed specifically for small businesses.