Risk assessments are key to identifying hazards and putting controls in place to prevent workplace incidents. They’re fundamental to good health and safety management – but only if they’re done properly.
In this blog, we outline ten common risk assessment mistakes, and how to avoid them.
Ten common risk assessment mistakes to avoid
Planning and communication mistakes
1. Using vague or ambiguous language
A frequent issue is using language that’s unclear or open to interpretation.
Your risk assessment should be clear, specific, and easy to understand.
For example, if you’re assessing work at height, don’t just say ‘tall’ or ‘high.’ Specify the exact height: ‘All personnel working on the 15m platform must wear full-body harnesses with double lanyards attached to certified anchor points.’
If you use acronyms, spell them out the first time. Don’t assume every reader will know what they mean: ‘Emergency exit on Floor Level (FL) 3 requires larger, illuminated signage visible from all approach angles.’
2. Having no output or action plan
A risk assessment without clear follow-up actions achieves very little. Once completed, every assessment should produce an action plan.
List identified risks in order of priority so that the most serious can be addressed first. Management should have a clear plan to reduce or eliminate them, with responsibilities and deadlines assigned.
Identification and assessment errors
3. Not sharing or using the assessment
Even a well-written risk assessment is ineffective if it isn’t shared, read, and understood by the people it’s meant to protect.
Creating a risk assessment is not a box-ticking exercise. Failure to communicate risk assessments effectively can put your workforce at serious risk.
With Notify, you can digitally assign assessments to colleagues and track when they’ve read and acknowledged them. If an incident does occur, you can see whether that individual accessed the risk assessment prior to completing the work – providing a clear audit trail.
4. Not reviewing it regularly
Risk assessments can quickly become outdated if they aren’t reviewed and updated regularly.
Best practice recommends reviewing them annually – but also whenever there has been:
- An incident, accident, or near miss
- A change in legislation
- A change in process, equipment, environment, or personnel
If an incident occurs, and your last risk assessment was completed three years ago, you’ve likely failed in your duty of care. Make it standard practice to review all risk assessments at least once a year, or sooner if there has been a significant change.
5. Failing to identify all the hazards
It’s easy to spot obvious hazards, such as noise, chemicals, or machinery, but many assessments miss the less visible risks that can still cause harm. These could include:
- Rotating shift patterns disrupting sleep cycles
- Long shifts causing fatigue
- High production targets creating stress or burnout
These ‘invisible’ hazards can lead to poor decisions, accidents, and long-term health issues. Involving frontline workers when creating the risk assessment can help identify them.
Also consider long-term health effects that can develop gradually – such as hearing loss or tinnitus from prolonged noise exposure. These may not appear immediately but can have lasting impacts on wellbeing.
6. The risk level isn’t sufficiently reduced
When completing your assessment, risks must be reduced to as low as reasonably practicable (ALARP).
All too often, hazards are identified and left at a high-risk rating without further effort to reduce them.
For example, a construction project identifies multiple high risks around working at height. The site manager lists existing controls (e.g., scaffolding, harnesses) but takes no further action.
Instead, the team should explore ways to bring those risks down:
- Can prefabrication be used?
- Can permanent floor decking be installed earlier?
- Can mobile elevated work platforms (MEWPs) replace scaffolding in some cases?
Each high-risk task should have a clear action plan, e.g. ‘Reduce working at height risk from high to medium by implementing measures X, Y, and Z by [Date].’
If an incident occurs, you must be able to show that every reasonable option was considered to reduce risk.
Process and strategy failures
7. Conducting the risk assessment alone
One of the most common mistakes is trying to complete a risk assessment in isolation.
Risk assessments should be completed collaboratively to ensure that all hazards and risks are identified. Involving other team members – especially frontline workers – provides valuable insight and accountability.
A competent person must also be involved. This is someone appointed by your organisation to help meet your health and safety duties, with the knowledge and skills required to recognise hazards and implement controls.
Avoid completing risk assessments remotely, for example, from an office 100 miles away from site. They should always be carried out on-site, through direct observation and conversations with those doing the work.
8. Poor version control
Confusion often arises when there are multiple versions of the same risk assessment circulating.
Before creating a new risk assessment, check what already exists. Multiple versions can make it difficult to track which one is the most up to date. If workers are using an outdated assessment, they may miss newly identified hazards or updated control measures – putting people and processes at risk.
Using digital risk assessment tools such as Notify helps maintain version control by displaying only the most current document for users.
9. Only covering obvious control measures
Many organisations focus on the immediate control measures but overlook how to maintain control over time.
It’s not enough to simply identify control measures and move on. You also need to plan how they’ll be tested, monitored, and sustained.
For example, a risk assessment might state, ‘Emergency stop buttons are installed on all machinery.’
It’s an important first step, but to stay in control, you’ll need to ask:
- Have all buttons been tested to confirm they work?
- Is there a monthly testing schedule?
- Who’s responsible for it?
- What happens if a button fails – is there a process to lock out that machine immediately?
Taking your assessment a step further strengthens safety even if initial controls fail.
10. Not following the hierarchy of controls
Too often, organisations jump straight to PPE without considering more effective control options higher up the hierarchy.
It’s essential to follow the hierarchy of controls, which ranks control measures from most to least effective.
For example, when assessing the risk to workers exposed to solvent fumes during paint spraying, a basic assessment might state, ‘Respirators provided to all spray painters.’
That approach relies on the least effective control. Instead, consider:
- Elimination: Can the hazard be removed entirely? (E.g., switch to powder coating)
- Substitution: Can a less hazardous material be used? (E.g., water-based paints)
PPE should be the last resort, not the first. While it may sometimes be the only appropriate measure, you must still consider (and rule out) the other levels of the hierarchy first.
How Notify can help you avoid common risk assessment mistakes
1. Using vague or ambiguous language → clear, specific language
Notify’s risk assessment software allows you to build custom risk templates that encourage detailed control measures and precise descriptions (e.g. specific PPE types). So, you can steer clear of vague terms and assumptions.
2. Having no output or action plan → producing clear action plans
Corrective actions can be created, assigned, and tracked from one central location. Open tasks can be monitored through dashboards and email notifications until closure.
3. Not sharing or using the assessment → ensuring assessments are actually used
Notify enables digital assignment and sign-off of risk assessments, allowing you to track who has read, understood, and acknowledged each one — creating a full audit trail if an incident occurs.
4. Not reviewing it regularly → keeping assessments up to date
Automatic email reminders alert users when reviews are due, helping ensure assessments stay current and you remain compliant.
5. Failing to identify all the hazards → identifying hidden hazards
Risk assessments can be carried out directly on-site using tablets, or other mobile devices, encouraging input from those closest to the hazards. This helps surface risks, such as fatigue or shift stress, that might otherwise be overlooked.
6. The risk level isn’t sufficiently reduced → proving risk reduction
With custom matrices, you can clearly compare initial and residual risk scores to demonstrate risk reduction.
7. Conducting risk assessments alone → avoiding lone assessments
Notify supports collaboration by allowing multiple users – including frontline workers and competent persons – to access and contribute to risk assessments in real time, wherever they are.
8. Poor version control → eliminating version control issues
Only the latest approved version of a risk assessment is visible for viewing or sign-off, ensuring everyone works from the most current guidance and preventing outdated documents from circulating.
9. Only covering obvious control measures → going beyond the obvious controls
With built-in action tracking, you can assign and monitor follow-up actions tied to risk assessments, such as verifying that controls are regularly tested and remain effective.
10. Not following the hierarchy of controls → enforcing the hierarchy of controls
Custom templates guide users to consider each level of the hierarchy (elimination, substitution, engineering, administrative, and PPE) before finalising controls – aligning with HSE best practice.
Final thoughts
Risk assessments are one of the most important tools for protecting your workforce’s health and safety. By following the guidance in this article, you can avoid common pitfalls and ensure assessments are thorough, accurate, and effective in preventing incidents.