Tristan Meears-White | Aug 8, 2023 | Blog

Health and Safety Law: Decoding “Suitable and Sufficient”


“Risk comes from not knowing what you’re doing” – Warren Buffett.

This observation neatly summarises much of what is worth saying about risk. In the world of health and safety, where understanding and managing risk is central, “knowing what you’re doing” is at the core of the exercise – in the production of a risk assessment.

I am confident that everyone reading this will be familiar with the legal requirement to carry out a risk assessment and the standard to which risk assessments are held. By way of a reminder, Regulation 3 of the Management of Health and Safety at Work Regulations 1999 says:

“Risk assessment”

3(1) Every employer shall make a suitable and sufficient assessment of—

(a) the risks to the health and safety of his employees to which they are exposed whilst they are at work; and

(b) the risks to the health and safety of persons not in his employment arising out of or in connection with the conduct by him of his undertaking…”

What is suitable and sufficient?

Unhelpfully, the term is not defined in the regulations and has, as a result, been left wide open to different interpretations.

Understanding what amounts to suitable and sufficient seems to me to be critical to compliance. Therefore, gaining insight into the HSE’s interpretation and the courts’ perspective can provide a robust framework for risk assessors to operate within, making it an invaluable resource.

HSE first – in its L21 Approved Code of Practice (ACOP) for the 1999 regulations (Management of Health and Safety at Work Regulations 1999: Approved Code of Practice and Guidance, L21), it says that a suitable and sufficient risk assessment “should identify the risks arising from or in connection with work. The level of detail in a risk assessment should be proportionate to the risk.” It goes on to say that “the level of risk arising from the work activity should determine the degree of sophistication of the risk assessment.”

The ACOP points to the need to take specialist advice where complex processes are being assessed, to take reasonable steps to help identify risks, and, in doing so, to look at guidance, legislation, industry good practice and supplier/manufacturer manuals.

Cue some case law:

In classic lawyer style, Uren v Corporate Leisure UK Ltd [2011] suggests that what amounts to a suitable and sufficient risk assessment can vary according to circumstances and will be a question of fact in individual cases, i.e., “it depends”. This fits with the broad/slightly woolly guidance in the ACOP.

In Griffiths v Vauxhall Motors Limited [2003], LJ Clarke said “The whole point of a proper risk assessment is that an investigation is carried out in order to identify whether the particular operation gives rise to any risk to safety and, if so, what is the extent of that risk, which of course includes the extent of any risk of injury, and what can and should be done to minimise or eradicate the risk.”

We know “competence” in health and safety is key – a risk assessment must be undertaken by someone with the necessary training, qualifications, and experience. Scott v AIB Group (UK) plc [2003] concluded that if a lack of expertise prevents an employer’s risk assessment from being suitable and sufficient, the employer must seek expert advice – and in Kennedy v Cordia (Services) LLP [2016], the court indicated that expert evidence may be admitted on the question of whether a risk assessment is suitable and sufficient.

In Kennedy v Cordia (Services) LLP, Lords Reed and Hodge further commented that the risks that require to be assessed are not limited to those specifically arising from the particular work activity but include risks arising from the natural environment in which the work is done.

In my judgement, these cases add nuance to our understanding of what is “suitable and sufficient”, but on a practical level the most helpful advice comes from the HSE, which says that if you can answer “yes” to the following questions, your risk assessment is likely to meet the requirements of the 1999 Regulations.

So, can you answer ‘yes’ to the following? Have you:

  1. ensured commitment from all parties (senior management, employees and their representatives)?
  2. made a proper check of hazards?
  3. identified all people at risk?
  4. considered human factors?
  5. dealt with significant risks, and demonstrated the use of the hierarchy of controls when determining additional control measures?
  6. followed all the steps in the risk assessment process?
  7. focused on prevention and organisational level solutions?
  8. involved the workforce? (e.g., by seeking their suggestions, advice, and comments on potential solutions to problems)
  9. considered both routine and non-routine work? (e.g., improvements to working conditions, changes in the way work is organised, etc.)
  10. included all parts of the organisation’s work? (e.g., design, construction, operation, and maintenance, etc.)
  11. sought to develop and adopt solutions that are ‘reasonably practicable’?
  12. communicated the outcomes of the risk assessment with all affected employees?

Ultimately (and unhelpfully), it will be for a court to decide suitability and sufficiency on an individual case by case basis. Lawyers, eh?
