Risk assessments are often treated as paperwork. A form is filled in, a risk rating is added, and the document is filed away until an inspection, insurance renewal or accident investigation. That is not what the law is asking for, and it is not what keeps people safe. A useful risk assessment is a working decision-making tool. It identifies what can harm people, checks whether current controls are good enough, and sets out what needs to change.

In Ireland, risk assessment is a legal duty for employers. It is also the foundation of the safety statement. If the risk assessment is poor, the safety statement will be poor. If the assessment is generic, the controls will usually be generic too. The result is a document that looks compliant but does not reflect the real workplace.

This guide explains why risk assessments matter, what Irish law requires, what a good assessment should cover, how to avoid common mistakes, and when an employer should bring in competent support.

The Legal Duty

Section 19 of the Safety, Health and Welfare at Work Act 2005 requires every employer to identify hazards in the place of work under their control, assess the risks presented by those hazards, and hold a written risk assessment. The section also requires review where there has been a significant change or where there is another reason to believe the assessment is no longer valid.

Section 20 then requires the employer to prepare a written safety statement based on those hazards and risk assessments. The safety statement must explain how safety, health and welfare at work will be secured and managed. In practical terms, the risk assessment identifies the problem; the safety statement explains the system for managing it.

The HSA makes the same point in plain language. Employers must identify hazards, carry out risk assessments and prepare a written safety statement. The HSA also notes that employers should focus on risks generated by work activities. There is no need to assess every ordinary minor risk in life. The assessment should be proportionate to the work.

What a Risk Assessment Is

A hazard is something with the potential to cause harm. A wet floor, a vehicle route, a sharp blade, a resident transfer, a chemical, an overloaded shelf, a poor work posture or a stressed lone worker can all be hazards. Risk is the chance that harm will occur and the seriousness of that harm if it does.

A risk assessment looks at the work and asks sensible questions. What could go wrong? Who could be harmed? How likely is it? How serious could it be? What controls are already in place? Are they working? What else needs to be done? Who is responsible? When will it be completed?

The aim is not to create a perfect workplace with no risk at all. That is not realistic. The aim is to reduce risk so far as is reasonably practicable, using controls that are suitable for the work and the level of danger involved.

Why Risk Assessments Matter

The first reason is prevention. A proper assessment identifies hazards before someone is injured or becomes ill. It can reveal poor storage, unsafe lifting, weak supervision, missing guards, lack of training, confusing traffic routes, poor lighting, violence and aggression risks, chemical exposure, infection risks or fire safety gaps.

The second reason is prioritisation. Most employers have more actions than time or budget. A good risk assessment helps management decide what matters most. A high-risk machinery guarding issue should not sit behind a low-risk signage improvement. Risk assessment gives structure to those decisions.

The third reason is evidence. If the HSA, an insurer, a client, HIQA or a court asks what the employer did to manage risk, the assessment shows the thinking. It should show that hazards were considered, controls were selected, responsibilities were assigned and follow-up happened.

The Link With the Safety Statement

A safety statement that is not based on real risk assessments is weak. Section 20 specifically links the safety statement to the hazard identification and risk assessment carried out under Section 19. The HSA states that a generic safety statement is not compliant if it does not reflect the employer's own place of work.

This is one of the most common problems in small and medium-sized businesses. The employer has a safety statement, but it could apply to almost any company. It lists slips, trips, manual handling and fire, but it does not say where the real risks are, who is responsible, what controls are in place or what actions are outstanding.

The better approach is simple. Assess the actual work first. Write the safety statement around that assessment. Then make sure staff understand the parts relevant to them.

Who Should Be Considered

Risk assessments should cover employees and others who may be affected by the work. That can include contractors, visitors, customers, delivery drivers, residents, patients, pupils, clients, members of the public and self-employed people working on site. Some people need particular attention because the risk affects them differently.

Examples include young workers, new employees, pregnant employees, lone workers, workers with disabilities, older workers, agency staff, employees whose first language is not English, and people with limited experience of the workplace. In healthcare and care settings, residents and service users may also be directly affected by the way work is organised.

Consulting staff is important. Workers often know where the shortcuts, awkward lifts, poor lighting, difficult residents, unsafe storage and near misses happen. A risk assessment done only from an office desk will usually miss something important.

How to Carry Out a Practical Assessment

Start by walking the workplace. Look at normal work, busy periods, quiet periods, cleaning, maintenance, deliveries, emergencies and unusual tasks. Review accident records, near misses, maintenance reports, safety data sheets, manufacturer instructions, previous HSA or HIQA findings, insurance surveys and staff feedback.

Then describe the hazard and who could be harmed. Avoid vague wording. Machinery is not enough. State which machine, what part of the task creates the risk, and what injury could occur. Manual handling is not enough. State the load, distance, posture, frequency and who is doing it.

Next, evaluate existing controls. Are guards fitted and used? Are staff trained? Is the route clear? Is the equipment maintained? Is supervision realistic? Are procedures followed on night shifts as well as day shifts? A control written in a policy is only useful if it happens in practice.

The Hierarchy of Controls

Control measures should follow a hierarchy. First, can the hazard be eliminated? If not, can it be substituted for something safer? Can engineering controls be used, such as guards, barriers, ventilation, lift tables or traffic segregation? Can the work be organised differently through procedures, staffing, training, maintenance and supervision? PPE should be the last line of defence, not the first answer.

This matters because weak controls create false confidence. Telling staff to be careful is not a proper control for a serious hazard. Training is important, but training alone rarely fixes a badly designed task. If the work can be changed so the hazard is removed or reduced, that is usually stronger than relying on behaviour.

Specific Risk Assessments

Some risks need their own assessment because legislation or good practice requires more detail. Manual handling assessments should look at the task, load, environment and individual capability. Display screen equipment assessments should look at workstation layout, posture, screen, chair, keyboard, lighting and work organisation. Chemical assessments should consider exposure, storage, ventilation, safety data sheets, emergency arrangements and health surveillance where needed.

Fire risk assessments look at ignition sources, fuel, escape routes, detection, alarm, emergency lighting, extinguishers, compartmentation, staff training and evacuation procedures. In healthcare, additional assessments may cover biological agents, violence and aggression, resident handling, infection control, medication risks, sharps, oxygen, psychosocial hazards and lone working.

The general workplace assessment should not try to bury all of those details in one line. Where a risk is significant, give it enough space to be understood and managed.

When to Review

Section 19 requires review where there has been a significant change or where there is another reason to believe the assessment is no longer valid. In practice, review should happen after an accident, near miss, new equipment, new process, new substance, changed layout, changed staffing, new vulnerable worker, new guidance, inspection finding or evidence that controls are not working.

Annual review is good practice for most assessments, but the calendar is not the only trigger. A new machine installed the week after the annual review should be assessed before it is used, not eleven months later. The assessment must remain current.

Common Mistakes

The first mistake is using a generic document. The second is rating every risk as medium, which avoids making decisions. The third is listing controls that are not actually in place. The fourth is failing to assign actions to named people. The fifth is never checking whether the actions were completed.

Another common problem is over-reliance on PPE. Gloves, masks, hi-vis vests and safety shoes have their place, but they do not remove the hazard. If the hazard can be eliminated, substituted, guarded, segregated or redesigned, that should be considered first.

A final mistake is treating the assessment as a consultant's document. A consultant can help, but management owns the risk. The employer must provide resources, implement controls, consult staff and review the assessment when the work changes.

Risk Ratings and Action Plans

Risk ratings are useful when they help decisions. They are not useful when they become a mathematical distraction. Many employers use a simple likelihood and severity matrix. That can work well, provided the scoring is honest and the action plan is clear. A high score should lead to prompt action, not just a red box on a spreadsheet.

A practical action plan should state what needs to be done, who owns it, when it is due, and how completion will be verified. Replace vague recommendations with specific actions. Improve housekeeping is weak. Remove stored stock from the rear escape route each day before opening, with the duty manager checking and signing the route inspection, is much clearer.

Risk ratings should also be reviewed after controls are added. The purpose of control measures is to reduce risk. If a risk remains high after the control is supposedly in place, either the control is not strong enough or the rating has not been updated properly.

Healthcare and Care Settings

Healthcare risk assessments need particular care because the workplace risk can also be a resident risk. A manual handling decision affects the carer and the resident being moved. A fire door defect affects staff, residents and visitors. A violence and aggression risk may involve a vulnerable person whose behaviour is linked to illness, distress or cognitive impairment.

For nursing homes and designated centres, risk assessment should connect with governance, staffing, care planning and HIQA expectations. It should cover staff hazards such as moving and handling, biological agents, sharps, stress, lone working, violence and slips. It should also consider resident-facing hazards such as falls, unsafe evacuation arrangements, poor supervision, environmental hazards, oxygen use and infection risk.

The assessment should not sit apart from the care system. If resident dependency changes, staffing risk changes. If a resident begins smoking, the fire risk changes. If a bedroom allocation changes, evacuation planning may change. If agency staff are used regularly, induction and supervision need to be assessed honestly.

Records That Prove Control

A risk assessment should be supported by evidence. If the assessment says that staff are trained, there should be training records. If it says that lifting equipment is maintained, there should be service records. If it says that weekly checks are carried out, there should be completed checklists. If it says that contractors are controlled, there should be contractor documents and sign-in records.

The records do not need to be complicated, but they should be available. An HSA inspector will usually look beyond the document and ask whether the control is happening. A well-kept record gives the employer confidence that the system is working and gives staff a clear route for reporting problems.

Records also help after an incident. They show what was known, what was assessed, what was done and what was still outstanding. That can be important for investigation, insurance, enforcement and learning. A risk assessment with no follow-through is hard to defend.

Good records also make reviews faster because management can see what changed, what improved and what still needs attention, without rebuilding the history from memory during each review meeting.

Competence and External Support

There is no rule that every risk assessment must be written by an external consultant. For simple low-risk work, a competent employer or manager may be able to complete suitable assessments using HSA guidance. For complex or higher-risk work, competent support is sensible.

Competence means having enough training, knowledge and experience for the task. A person competent to assess office DSE may not be competent to assess machine guarding, construction work, chemical exposure, healthcare violence risk or fire evacuation in a nursing home. Match competence to the risk.

Phoenix STS provides health and safety risk assessments and wider health and safety consultancy for employers across Ireland. We also prepare safety statements based on workplace-specific risk assessments, not generic templates.

Frequently Asked Questions

Are risk assessments a legal requirement in Ireland?

Yes. Section 19 of the Safety, Health and Welfare at Work Act 2005 requires employers to identify workplace hazards, assess the risks and hold a written risk assessment.

Do small businesses need risk assessments?

Yes. The duty applies to employers regardless of size. The limited Code of Practice route for employers with three or fewer employees relates to safety statements where a relevant HSA code exists. It does not remove the need to assess risk.

Can I use a template?

A template can help with structure, but it must be completed for the actual workplace. A generic assessment that does not reflect the real hazards, controls and responsibilities is unlikely to be adequate.

How often should risk assessments be reviewed?

They should be reviewed when work changes, when there is reason to believe the assessment is no longer valid, after incidents or near misses, and at planned intervals. Annual review is sensible for most workplaces.

What happens if I do not have risk assessments?

The HSA may take enforcement action, including requiring improvement, stopping unsafe work or prosecuting. Current penalties for relevant offences can include a fine of up to EUR 5,000 or imprisonment for up to 12 months on summary conviction, and up to EUR 3,000,000 or imprisonment for up to two years on indictment.

Contact Phoenix STS

For workplace risk assessments, safety statements or competent health and safety support, contact Phoenix STS on 043 334 9611 or use the Phoenix STS contact page.

This article is for general information only and is not legal advice. Employers should refer to current legislation, HSA guidance and competent health and safety advice for their own workplace.