How I Use the Risk Assessment Template with Customers in Pilla

I'm Liam Jones, NEBOSH-qualified health and safety consultant and founder of Pilla. This is how I approach risk assessment policies in a health and safety management system, based on close to twenty years in frontline operations and advising hundreds of businesses on compliance. You can email me directly; I read every email.

Risk assessment is the document that most businesses have and fewest businesses do well. I've reviewed health and safety management systems across hundreds of operations, and the pattern is almost always the same: there's a folder of assessments, most of them downloaded from a template site, half of them describing activities that don't match what actually happens on site. The assessments exist. They just don't work.

The gap between a filed risk assessment and a useful one is usually the same thing: specificity. A good assessment describes your hazards, your people, your controls, not a generic version of them. That's what this article covers. I'll walk you through what the law requires, give you a template you can edit for your own operation, and explain the bits that actually matter when an HSE inspector pulls your assessments off the shelf.

Key Takeaways

  • What is risk assessment in health and safety? Risk assessment is the process of identifying hazards in your work activities, evaluating who could be harmed and how, and deciding what control measures to put in place. It's the foundation that every other part of your health and safety management system sits on
  • Why do you need a risk assessment policy? Regulation 3 of the Management of Health and Safety at Work Regulations 1999 requires employers to carry out a suitable and sufficient assessment of workplace risks and record the significant findings. An HSE inspector will check your assessments are specific to your activities, not copied from a generic template
  • How do you set it up in Pilla? Use the knowledge hub template below, edit it to match your operation, and share it with your team through the app so everyone has access and you can track who's read it
  • How do you automate the follow-up? Set up Poppi to chase staff who haven't acknowledged the policy and flag when it's due for review

Understanding What's Required of You

Risk assessment is the foundation of your health and safety management system. Everything else, your safe systems of work, your training programme, your PPE provision, traces back to an assessment that identified the need. Without it, you're guessing which controls to put in place and hoping you've guessed right.

The legal requirement sits in Regulation 3 of the Management of Health and Safety at Work Regulations 1999. Every employer must carry out a suitable and sufficient assessment of the risks to employees and anyone else who might be affected by their work activities. If you have five or more employees, you must record the significant findings. In practice, I'd record them regardless of headcount, because an unrecorded assessment is difficult to defend if something goes wrong.

"Suitable and sufficient" is the phrase that matters. It doesn't mean exhaustive. You don't need to document every conceivable scenario. It means your assessment must identify the significant hazards, evaluate who could be harmed and how, and set out the control measures you've put in place. An HSE inspector wants to see that you've thought about your specific activities and reached sensible conclusions, not that you've produced a 40-page document that nobody reads.

There's a hierarchy of controls that runs through every risk assessment: eliminate the hazard, substitute with something less hazardous, use engineering controls, use administrative controls, and then PPE as a last resort. I still see businesses jumping straight to PPE because it feels like the obvious answer. It's usually the weakest one. A guarding system on a machine is more reliable than relying on someone to wear goggles every single time.

One area that gets missed regularly is vulnerable groups. Your assessment needs to consider lone workers, new starters, pregnant workers, young workers, and anyone with a disability that might affect their exposure to risk. I reviewed an assessment last year for a warehousing operation that had lone workers on night shifts and no mention of them anywhere in the documentation. That's the sort of gap that turns a routine inspection into an enforcement notice.

The other piece that catches people out is communication. It's not enough to complete the assessment and file it. You need to train employees on the key findings and record that you've done so. An HSE inspector doesn't just want to see that the assessment exists. They want evidence that the people doing the work know what the risks are and how to control them.

Setting It Up as a Knowledge Hub Entry

I've built a risk assessment template in Pilla covering hazard identification, control measures, vulnerable groups, training requirements, and review schedules. It gives you the structure the regulations require, but you need to edit it to reflect your actual operation.

In the knowledge hub, create a new entry and tag it with "Health and Safety System". Use the same tag across all of your health and safety policies so they are grouped together and Poppi can track them as a set. Assign the entry to all teams so that everyone in the business can access it.

The template is designed to be edited, not just filed. Read through every section. Where it says something generic, replace it with what actually happens in your business. If you don't have sub-contractors on site, remove that reference. If you have specific high-risk activities like working at height or confined space entry, name them. The HSE inspector wants to see that your policy reflects your operation, not that you've copied a generic document.

Knowledge Hub Template: Risk Assessment

Risk Assessment

Management of Health and Safety at Work Regulations 1999

To comply with the legislation above, the company will undertake a suitable and sufficient assessment of the risks to employees and any others who may be affected by our business undertakings, and to record the significant findings of that assessment. This record should represent an effective statement of the hazards and risks, which then leads management to put in place the relevant control measures to ensure the health and safety of its workforce, sub-contractors, visitors and, when appropriate, the general public.

Process

The process the company will follow for risk assessment will be:

  • Responsible Persons to undertake risk assessments for the business
  • Identify the significant risks arising from our work activities
  • Prioritise the measures that need to be taken to comply with relevant statutory provisions
  • Ensure that all relevant risks and hazards are addressed by the implementation of suitable and sufficient control measures
  • Ensure that all groups of employees and others who might be affected are considered in the documented risk assessment and informed of the risks. Identify groups of workers who might be vulnerable or particularly at risk, such as lone workers
  • Take account of existing preventive or precautionary measures
  • Identify whether further control measures are required to reduce the risk to employees or others to a safe level
  • Address the further control measures required, so the risk assessment process can be used positively by the company to change working procedures and improve health and safety performance
  • Provide training regarding the key findings to all employees associated with the work task or who use the equipment assessed. The communication process must be recorded to evidence that staff are aware of the safe working practices
  • Review all risk assessments regularly and ensure that all activities, use of equipment or areas which have the potential to cause harm have been assessed

This is a preview of the template. In Pilla, you can edit this to match your business.

What I'd want to see when reviewing this:

The process section is the backbone of the whole policy. I'd want to see that your responsible persons are named, not just referenced as a job title. Who actually carries out your assessments? They need to be competent, which means they understand the work activities, the hazards involved, and the principles of risk evaluation. "The manager does it" isn't good enough if the manager has had no training in risk assessment.

The control measures need to follow the hierarchy. I'd want to see evidence that you've considered elimination and substitution before jumping to administrative controls or PPE. Where you can't eliminate a hazard, I'd want to see a clear explanation of why, and what you've done instead.

The training and communication section matters more than most people think. Your assessment is only useful if the people doing the work know what it says. I'd want to see a clear process for communicating findings, recording who's been trained, and confirming they understood the key points.

Common mistakes I see:

The biggest one is assessments that don't match reality. The policy describes a systematic process for identifying hazards, but the actual assessments were downloaded from a template site and haven't been edited. If your assessment says "the company will identify the significant risks arising from our work activities" but your documented assessments are generic, there's a disconnect that an HSE inspector will spot immediately.

Vulnerable groups get left out. The template specifically requires you to consider workers who might be particularly at risk, like lone workers. I regularly see assessments that only consider the "standard" employee and ignore anyone whose circumstances create additional risk. Pregnant workers, young workers, people with disabilities, lone workers: if they're affected by the activity, they need to be in the assessment.

The review section often says "we review all risk assessments regularly" but there's no schedule and no evidence of reviews actually happening. Regular means you've defined what regular is (annually, after an incident, when processes change) and you can show that reviews took place on that basis. A risk assessment dated three years ago with no review record is a red flag.

Training records are missing or incomplete. The template requires that communication is recorded to evidence staff awareness. I see businesses that claim they've briefed their teams on risk assessment findings but have no record of it. If you can't prove the training happened, it didn't happen as far as an HSE inspector is concerned.

Automate the Follow-Up with Poppi

Writing the policy is one thing. Making sure your team has actually read it is another. Poppi can handle the chasing so you don't have to.

If you mark the knowledge hub entry as mandatory, Poppi will track who's read it and who hasn't. You can set up automations to chase staff who are behind, notify managers when someone completes the policy, and get a regular report showing where the gaps are.

Here are three automations I'd set up for any knowledge hub policy:

Overdue training reminders

Automatically chase team members who have mandatory policies they haven't read yet. Poppi sends the reminder so you don't have to.

Poppi: Tom, you have 2 overdue policies to read and acknowledge

Video completion alerts

Get notified when a team member finishes reading or watching a policy, so you can track progress without chasing.

Poppi: Emma has completed a mandatory policy

Training gap analysis

Get a regular AI report showing which team members are behind on mandatory policies and where the gaps are across your team.

Poppi: Training Report: 87% team completion. Tom and Sarah behind on 2 mandatory policies, due 3 days ago.