← All posts

Risk Assessment Template for Construction: The Complete UK Guide

Last reviewed: 24 February 2026

Most construction risk assessment templates floating around online share the same problem: they're generic Word documents with a logo swapped in. They list hazards that don't match the site, control measures nobody actually follows, and risk ratings that look like they were picked at random.

That might get you through the gate on a lenient site. It won't hold up when a principal contractor reads it properly, and it definitely won't help you if HSE turns up after an incident.

This guide covers exactly what UK law requires in a construction risk assessment template, how to write one that reflects your actual work, and where common templates fall short. We've researched the regulations, the enforcement data, and the reasons documents get rejected — so you don't have to piece it together from twenty different HSE pages.

What is a construction risk assessment?

A risk assessment is a structured record of the hazards present in your work, who could be harmed, and what you're doing to control those risks. Under UK law, it isn't optional — it's a specific legal duty.

The legal basis sits in Regulation 3 of the Management of Health and Safety at Work Regulations 1999 (SI 1999/3242). Regulation 3(1) states:

Every employer shall make a suitable and sufficient assessment of the risks to the health and safety of his employees to which they are exposed whilst they are at work.

Regulation 3(1)(b) extends this to risks to people who aren't your employees — members of the public, other contractors on site, clients walking through.

The phrase "suitable and sufficient" is doing heavy lifting here. HSE's own guidance (INDG163, Risk Assessment: A Brief Guide to Controlling Risks in the Workplace) clarifies that this means the assessment must:

  • Identify the real hazards present
  • Address who might actually be harmed and how
  • Evaluate whether existing precautions are enough or whether more needs doing
  • Be proportionate to the level of risk

A suitable and sufficient risk assessment for a domestic rewire looks completely different from one for a commercial demolition project. That difference is exactly where generic templates break down. If your work involves hazardous substances, you'll also need separate COSHH assessments alongside your risk assessment — see our COSHH guide for construction for which substances most tradespeople miss.

When do you legally need a risk assessment?

The short answer: always, if you employ anyone or are self-employed and your work could affect others.

Here's the breakdown:

Under the Management of Health and Safety at Work Regulations 1999

  • Employers with 5 or more employees must record the significant findings in writing (Regulation 3(6)).
  • Employers with fewer than 5 employees still need to carry out the assessment — they're just not required to write it down. In practice, every principal contractor and most clients will demand a written one regardless.
  • Self-employed persons must assess risks to others who may be affected by their work (Regulation 3(1)(b) and Section 3(2) of the Health and Safety at Work etc. Act 1974).

Under the Construction (Design and Management) Regulations 2015

CDM 2015 adds specific construction duties on top of the general risk assessment requirement:

CDM 2015 duty holder Key risk assessment obligations
Principal contractor Must plan, manage, and monitor the construction phase to ensure work is carried out without risks to health or safety (Regulation 13). Must ensure contractors provide suitable risk assessments.
Contractor Must plan, manage, and monitor their own work and that of their workers (Regulation 15). Must not begin work unless satisfied appropriate risk assessments are in place.
Workers Must report anything they see on site that is likely to endanger health or safety (Regulation 14(2)).

The practical effect: if you're a subcontractor on any construction site in the UK, the principal contractor will ask for your risk assessment before you're allowed to start. This isn't bureaucratic box-ticking — it's a legal requirement flowing from Regulations 13 and 15 of CDM 2015.

For more detail on whether subcontractors specifically need their own documents, see our guide on whether subcontractors need their own RAMS.

What must a construction risk assessment contain?

HSE outlines five steps to risk assessment. These aren't suggestions — they form the framework that HSE inspectors use to evaluate whether your assessment is "suitable and sufficient."

The five steps

  1. Identify the hazards — What could cause harm? Walk the site (or review the site information provided). Think about the activities you'll carry out, the materials you'll use, and the environment you'll work in.

  2. Decide who might be harmed and how — Not just your own workers. Consider other trades on site, visitors, members of the public nearby. Be specific about the type of harm: electric shock, fall from height, musculoskeletal injury from manual handling.

  3. Evaluate the risks and decide on precautions — For each hazard, assess how likely harm is and how severe it would be. Then record what control measures you'll use. Apply the hierarchy of control: eliminate, substitute, engineering controls, administrative controls, PPE (in that order of preference).

  4. Record your significant findings — Write it down. Who is at risk, what you've decided to do about it. The record should be specific enough that someone else could read it and understand the plan.

  5. Review and update — A risk assessment is a living document. Review it when the work changes, when something goes wrong, or at regular intervals. HSE suggests reviewing at least annually for ongoing work, and whenever there's a significant change in the work activity.

Source: HSE INDG163 (rev5), hse.gov.uk/simple-health-safety/risk

What the written record should include

A construction risk assessment that meets legal requirements and will actually be accepted by a principal contractor should include all of the following:

Section What to include
Project details Site address, client name, principal contractor (if applicable), project description, expected duration
Company details Your company name, competent person who carried out the assessment, date of assessment
Scope of work Specific tasks you'll perform on this project — not a list of everything your company can do
Hazard identification Each hazard relevant to the work and site, with specific descriptions (not just "working at height" but "working at height from a 3.6m scaffold platform to access external first-floor cabling")
Persons at risk Who is exposed to each hazard — your operatives, other trades, public
Risk evaluation Likelihood and severity rating for each hazard, producing a risk level (typically using a 5x5 matrix)
Control measures What you'll do to reduce each risk, referencing specific equipment, procedures, qualifications, and PPE
Residual risk The remaining risk level after controls are applied
Emergency procedures What to do if something goes wrong — first aid, fire, evacuation, spill response
Review schedule When the assessment will be reviewed and by whom
Signatures The assessor, and ideally the workers who have read and understood the document

Why generic construction risk assessment templates fail

We researched the reasons RAMS documents get rejected by principal contractors. The same problems come up repeatedly.

1. They're not site-specific

A template that says "working at height — use appropriate PPE" is meaningless. It doesn't describe the specific height, the specific access equipment, or the specific fall protection. A principal contractor reading this learns nothing about how you'll actually work safely on their site.

HSE's enforcement position is clear. Their guidance on risk assessment (INDG163) states the assessment must address the specific hazards of the specific work. An assessment that could apply to any site, for any project, is not "suitable and sufficient" under Regulation 3.

2. Hazards don't match the actual work

A generic electrical risk assessment template might list hazards for industrial three-phase installations when you're doing a domestic consumer unit replacement. Or it might miss hazards entirely — like asbestos exposure in a pre-2000 property, or confined space risks in a plant room.

An electrician working in a residential loft conversion faces different hazards from one doing a commercial fit-out: limited headroom, existing insulation (potential asbestos in older properties), temporary lighting requirements, shared access with other trades in a confined space. A template written for general electrical work won't capture any of this.

3. Risk ratings are arbitrary

Many templates come with pre-filled risk matrices where every hazard is rated "Medium" before controls and "Low" after. If every risk conveniently lands on the same rating, that's a clear sign nobody actually evaluated anything. Principal contractors spot this immediately, and HSE inspectors certainly will.

4. Control measures are vague

"Ensure adequate ventilation" — how? "Use appropriate PPE" — which PPE? "Follow safe working procedures" — whose procedures? Control measures need to be specific enough to be actionable. If a worker reads the risk assessment, they should know exactly what equipment to use, what procedure to follow, and what to do if conditions change.

5. Enforcement consequences are real

The consequences of inadequate risk assessments go beyond rejected paperwork. HSE issued 7,013 enforcement notices in 2023/24, and construction remains the most-inspected sector. Fines for health and safety failures in construction regularly reach six and seven figures. For specific enforcement examples and fine data, see our breakdown of HSE construction fines in 2024-2025.

How to write a site-specific risk assessment: step by step

Here's a practical process for writing a risk assessment that reflects real site conditions. We'll use the example of an electrician carrying out a full rewire on a 1970s semi-detached house.

Step 1: Gather site information

Before writing anything, collect the facts:

  • Site address and access arrangements — Where is the property? How do you get in? Is parking available for your van?
  • Building details — Age of property (1970s = potential for asbestos in textured coatings, floor tiles, fuse box backing boards), construction type, number of storeys, loft access.
  • Existing services — Current electrical installation condition (is there an existing EICR?), gas supply location, water services.
  • Other people on site — Will the homeowner be present? Are other trades working simultaneously? Children or pets?
  • Client requirements — Has the client or principal contractor specified any particular requirements for documentation format or content?

Use the RAMS requirements checker to see what specific documentation your project may need based on CDM 2015 and the client's requirements.

Step 2: List every task you'll perform

Break the job down into specific activities:

  1. Initial survey and isolation of existing circuits
  2. Lifting floorboards for cable runs
  3. Working in the loft space to run cables
  4. Chasing walls for new cable routes
  5. Installing new consumer unit
  6. First fix — running cables to all positions
  7. Second fix — installing sockets, switches, and light fittings
  8. Testing and commissioning
  9. Reinstatement and making good

Each of these tasks has different hazards, and your risk assessment should address each one.

Step 3: Identify hazards for each task

For our 1970s rewire example:

Lifting floorboards:

  • Manual handling injury (repetitive bending, heavy boards)
  • Nail puncture wounds
  • Damage to hidden services (gas pipes, water pipes under floors)
  • Dust inhalation (accumulated dust under floors in a 50-year-old house)

Working in the loft space:

  • Working at height (access via loft ladder)
  • Limited headroom — head injury risk
  • Heat stress (lofts in warm weather)
  • Stepping through ceiling between joists
  • Exposure to mineral wool insulation (skin and respiratory irritation)
  • Potential asbestos in older insulation materials or textured ceiling coatings below

Chasing walls:

  • Vibration exposure (HAVS risk from prolonged chaser use)
  • Silica dust from cutting masonry
  • Noise exposure exceeding 85dB(A) action level
  • Hitting hidden cables or pipes

Installing new consumer unit:

  • Electrical shock risk during changeover from old to new
  • Working in a confined cupboard space
  • Isolation verification requirements (GS38 guidance on test equipment)

Step 4: Assess and rate each risk

Use a consistent risk matrix. The standard 5x5 matrix multiplies likelihood (1-5) by severity (1-5):

Severity 1 (insignificant) Severity 2 (minor) Severity 3 (moderate) Severity 4 (major) Severity 5 (catastrophic)
Likelihood 5 (almost certain) 5 10 15 20 25
Likelihood 4 (likely) 4 8 12 16 20
Likelihood 3 (possible) 3 6 9 12 15
Likelihood 2 (unlikely) 2 4 6 8 10
Likelihood 1 (rare) 1 2 3 4 5

Risk level thresholds:

  • 1-4: Low risk — manage by routine procedures
  • 5-9: Medium risk — specific controls required
  • 10-15: High risk — immediate action needed, senior management attention
  • 16-25: Very high risk — stop work, reassess, consider whether the task can be done differently

For our example — electrical shock during consumer unit changeover:

  • Uncontrolled: Likelihood 3 (possible) x Severity 5 (catastrophic) = 15 (High)
  • With controls (isolation procedures, lock-off, GS38-compliant test equipment, competent person carrying out the work, safe isolation procedure verified): Likelihood 1 (rare) x Severity 5 (catastrophic) = 5 (Medium)

The severity stays at 5 because electrical shock can still be fatal if controls fail — but the likelihood drops because the controls make contact with live parts extremely unlikely. This is realistic risk rating. If your template shows electrical shock dropping to "Low" after controls, that should raise questions.

Step 5: Specify control measures precisely

Vague control measures are the single most common reason risk assessments get rejected. Compare:

Weak (typical template):

"Ensure safe isolation before working on electrical systems. Use appropriate PPE."

Specific (site-specific):

"Before commencing work on the existing installation, the competent electrician will follow the safe isolation procedure per BS 7671 and HSE GS38. The specific steps are: (1) Identify the circuit at the existing fuse board, (2) Switch off and isolate using the main switch and individual MCBs/fuse carriers, (3) Lock off using a personal lock-off kit with unique key, (4) Prove the voltage tester is working using a known source (proving unit), (5) Test for dead at the point of work, (6) Prove the tester again. Only GS38-compliant test probes with retractable tips will be used. The operative holds a current ECS card (JIB Approved Electrician grade) and has completed safe isolation training within the last 3 years."

The second version tells the principal contractor exactly what will happen. It references specific standards (BS 7671, GS38), describes the actual procedure, and confirms the competence of the person doing the work.

Step 6: Document emergency procedures

Your risk assessment should state:

  • First aid provision — Who is the appointed first aider? What first aid kit is on site? For lone working, what's the check-in procedure?
  • Emergency contact numbers — Site-specific: nearest A&E (name and address, not just "local hospital"), client contact, your company emergency contact.
  • Specific emergency procedures — For electrical work: what to do in case of electric shock (isolate supply, do not touch the casualty until supply confirmed off, call 999). For asbestos discovery: stop work immediately, do not disturb, seal the area, contact the client and a licensed asbestos removal contractor.

Step 7: Get it signed and communicate it

A risk assessment sitting in a filing cabinet is worthless. Every worker covered by the assessment must:

  • Read it (or have it read to them, if English isn't their first language)
  • Understand the controls
  • Sign to confirm they've understood
  • Know where to find it on site

Under CDM 2015 Regulation 14, workers have a duty to report unsafe conditions — but they can only do that if they know what the safe conditions are supposed to look like.

Common mistakes that get risk assessments rejected

Based on our research into why principal contractors reject RAMS submissions, here are the recurring issues:

  1. Company name changed, nothing else — The fastest way to get rejected. Principal contractors have seen the same template from multiple companies. Some keep a library of previously submitted templates specifically to catch this.

  2. Site address missing or wrong — Sounds obvious, but it happens frequently. If the risk assessment doesn't name the specific site, it's not site-specific.

  3. Dates don't align — A risk assessment dated six months ago for a project that was only tendered last week. Or a review date that's already passed. Both raise immediate red flags.

  4. Hazards that don't match the project scope — Listing "crane operations" when you're a domestic electrician. Or listing "excavation" hazards when you're working on an internal fit-out. It shows the assessment was copied, not written.

  5. No COSHH assessments referenced — If your work involves substances hazardous to health (adhesives, sealants, dust, solvents), the risk assessment should reference specific COSHH assessments for those products. Saying "use in a well-ventilated area" without referencing the material safety data sheet isn't sufficient.

  6. Missing method statement — A risk assessment identifies hazards and controls. A method statement describes the sequence of work. Many principal contractors require both — this is what "RAMS" means (Risk Assessment and Method Statement). Submitting one without the other often results in a rejection.

  7. No evidence of competence — The risk assessment should reference relevant qualifications, training, and experience. For electrical work: ECS card details, BS 7671 certification date, any specialist training (e.g., 18th Edition). For work at height: PASMA or IPAF certification where relevant.

  8. Review section left blank — If the review section says "to be reviewed as necessary" with no date, no reviewer named, and no trigger events listed, it signals the document was written once and never looked at again.

Frequently asked questions

Do I need a risk assessment for every job?

Legally, yes — you must assess the risks of every work activity. Under Regulation 3 of the Management of Health and Safety at Work Regulations 1999, this applies to all employers and to self-employed persons whose work could affect others. For routine, low-risk tasks you repeat frequently (like installing a standard socket outlet in a new-build), you can use a generic risk assessment — but it must still be reviewed against site-specific conditions each time. For any non-routine work, or work on sites with particular hazards, you need a site-specific assessment.

Can I use a free risk assessment template I found online?

You can use a template as a starting framework, but you cannot submit it as-is. The assessment must reflect the specific hazards, site conditions, and control measures for your actual project. HSE guidance (INDG163) is explicit that the assessment must address your specific work situation. A template with your name added is not "suitable and sufficient" under the Regulations. Principal contractors reject these regularly because they can tell when a document is generic.

Who is qualified to write a construction risk assessment?

The Regulations require the assessment to be carried out by a "competent person." Under Regulation 7 of the Management of Health and Safety at Work Regulations 1999, a competent person is someone with sufficient training, experience, knowledge, and other qualities to properly carry out the task. For most trades, a skilled tradesperson with health and safety awareness training (like the CITB Site Safety Plus courses) is considered competent to assess the risks of their own trade activities. Complex or high-risk projects may require input from a specialist health and safety consultant.

How often do risk assessments need to be reviewed?

There is no fixed legal frequency. Regulation 3(3) requires you to review and update when there is reason to suspect the assessment is no longer valid, or when there has been a significant change in the work. In practice, HSE recommends reviewing at least annually for ongoing activities. For construction projects, review whenever site conditions change — new trades arriving, weather conditions affecting the work, unexpected hazards discovered (such as asbestos or contaminated ground), or if there's a near-miss or accident.

What's the difference between a risk assessment and a method statement?

A risk assessment identifies hazards, evaluates risks, and specifies control measures. A method statement describes the step-by-step sequence of work, incorporating those control measures into a practical plan. Together they form a RAMS package. Most principal contractors and clients require both. The risk assessment answers "what could go wrong and how do we prevent it?" The method statement answers "how will we actually do the work, safely, in order?"

Can HSE fine me for not having a risk assessment?

Yes. Failure to carry out a suitable and sufficient risk assessment is a breach of Regulation 3 of the Management of Health and Safety at Work Regulations 1999, enforceable under the Health and Safety at Work etc. Act 1974. HSE can issue improvement notices, prohibition notices, or prosecute. For construction specifically, the HSE inspection regime targets risk assessment compliance as a standard check. Fines are set according to the Sentencing Council's Health and Safety Offences guidelines (2016), and even for small organisations, fines for inadequate risk assessments — particularly after an incident — can reach tens of thousands of pounds. For larger companies, fines regularly exceed six figures. See our analysis of recent HSE construction fines for specific cases.

Do subcontractors need separate risk assessments from the principal contractor?

Yes. Under CDM 2015, every contractor (including subcontractors) has duties under Regulation 15 to plan, manage, and monitor their own work. The principal contractor's risk assessment covers site-wide coordination, but each subcontractor must assess the risks specific to their own work activities. We cover this in detail in our guide on whether subcontractors need their own RAMS.

Writing risk assessments that actually work

The whole point of a risk assessment isn't to produce a document. It's to think through the hazards before you get on site and make sure you've got a plan to deal with them. The written record is evidence of that thinking.

If your current process involves downloading a template, changing the company name, and printing it out — you're meeting neither the legal standard nor the practical purpose. The document should reflect the work you're actually going to do, on the site you're actually going to do it, with the equipment you're actually going to use.

That said, writing site-specific risk assessments from scratch for every project is genuinely time-consuming. It's one of the main reasons tradespeople end up reusing generic documents — not because they don't understand the risks, but because formalising that knowledge into a compliant document takes hours.

That's the problem we're building TradeRAMS to solve. Rather than starting from a blank template, you answer guided questions about your trade, your project, and your site conditions — and get a site-specific risk assessment that reflects the actual work. It's not a template with blanks filled in; it's a document built around your answers.

We're currently in development and taking names for the waitlist. If you're a tradesperson who'd rather spend time on tools than on paperwork, join the TradeRAMS waitlist and we'll let you know when it's ready.