How Often Should Risk Assessments Be Reviewed? Your 2026
- 4 days ago
- 11 min read
Review risk assessments at least every 12 months, but don't stop there. In UK practice, the standard practice is annual review plus an immediate review whenever something significant changes in the workplace, such as new equipment, substances, procedures, staff arrangements, or evidence that controls are no longer working.
If you're responsible for operations, HR, facilities, or compliance, you've probably had the same thought at some point: the assessments are on file, the dates look recent enough, but are they current? That doubt usually appears when a team changes a process, moves a layout, brings in a contractor, or reports a near miss that the paperwork never really anticipated.
That's why the simple “once a year” answer is only partly useful. It helps you plan. It doesn't protect you on its own. A practical system needs two parts: a scheduled review cycle you can manage, and a trigger-based review process that catches change when it happens.
Table of Contents
Understanding Legal Duty vs Good Practice - What the law expects in practice - Why annual review is only a planning tool
Mandatory Review Triggers You Cannot Ignore - Changes that reset the review clock - Warning signs that controls are failing
Recommended Review Cadence by Industry - Lower-change environments - Higher-risk and faster-moving sectors
A Practical Checklist for Your Review Process - What to do during the review - What good review records look like
Your One-Page Annual Review Schedule Template - The fields to include - How to use it without creating admin for its own sake
The Real Answer to Your Review Question
The short answer to how often should risk assessments be reviewed is this: every 12 months as a baseline, and sooner whenever change makes the existing assessment unreliable.
That distinction matters because many businesses still treat review as a diary exercise. They book a yearly date, update the cover page, and assume they're done. That approach works only in very stable environments, and even then only if nothing drifts between reviews. Real workplaces don't stay still for long.
A risk assessment is only useful while its assumptions remain true. If the task has changed, the people have changed, the equipment has changed, or the controls no longer work as intended, the old assessment stops being a dependable basis for safe work.
Practical rule: If the work is different in any meaningful way, the review date has arrived, whether the calendar says so or not.
Managers usually run into trouble in one of two ways:
They review too late: The annual date is months away, so obvious changes sit unexamined.
They review too often without purpose: Teams rewrite everything on a fixed schedule and still miss hazards because nobody is watching for change events.
The better system is simple. Put every assessment on a planned cycle, then give supervisors, managers, and competent persons clear authority to trigger an earlier review when something shifts. That gives you a structure you can evidence and a process that reflects reality.
A good review system should answer three questions fast:
Question | What you need to know |
|---|---|
When is the next planned review? | The annual date or other scheduled interval |
What would trigger an earlier review? | Change to task, people, equipment, substances, layout, controls, or incident pattern |
Who decides and records it? | Named person with responsibility, not “someone in safety” |
If you can answer those consistently, your review process is already stronger than most dusty folders in a cabinet.
Understanding Legal Duty vs Good Practice
Many people hear that risk assessments must be reviewed “regularly” and translate that into “once a year”. That's understandable, but it's incomplete.
What the law expects in practice
UK guidance doesn't set one fixed statutory interval that applies to every risk assessment. The stronger practical baseline is at least annually, but HSE-linked guidance also makes clear that assessments must be reviewed sooner when there are new machines, substances or procedures that could create new hazards, as explained in this review guidance on updating risk assessments.
That's the point many duty holders miss. The annual benchmark is a planning minimum. It isn't a legal shield if the workplace changed months earlier.
A useful way to explain this to managers is to compare it with a vehicle. Your car has an MOT on a schedule, but if you hit a deep pothole and the steering changes that afternoon, you don't wait for the next test date to check it. Workplace risk assessment review works in much the same way. Scheduled checks matter. Event-driven checks matter just as much.
For organisations trying to anchor this into wider compliance routines, UK employer health and safety obligations make more sense when you treat risk assessment review as a live management activity rather than a yearly document task.
Why annual review is only a planning tool
Annual review is still useful. It gives you a clean cadence, helps with document control, and forces a fresh look even where change has been gradual rather than obvious.
What doesn't work is relying on the annual date as if it overrides events on site. If a business reorganises a storeroom, introduces a new cleaning chemical, changes staffing levels, or swaps a manual task for a machine-assisted one, the original assessment may no longer describe the work accurately.
A compliant review system isn't built around a single date. It's built around a date plus a trigger list.
That's the difference between legal duty and good practice in day-to-day terms:
Legal duty: Review when change or failure means the assessment may no longer be valid.
Good practice: Keep every assessment on a scheduled cycle so nothing gets forgotten.
Teams that understand that difference usually make better decisions. They stop asking, “Has it been a year?” and start asking, “Is this assessment still true?”
Mandatory Review Triggers You Cannot Ignore
The event-driven part of the system is where most businesses either stay compliant or drift out of date. If the workplace changes and nobody links that change back to the relevant assessment, the document quickly becomes historical rather than operational.
Early in the process, it helps to make the triggers visible.
Changes that reset the review clock
UK guidance says risk assessments should be reviewed when controls may no longer be effective or when the workplace changes, including changes to staff, processes, substances, or equipment. It also says the review timer should reset after process changes, incident trends, or failed controls, because those events can invalidate the original assumptions behind the assessment, as outlined in HSE-linked guidance on review frequency.
In practice, that usually means these trigger events:
New equipment arrives: A slicer in a kitchen, a pallet truck in retail, or a new production machine in manufacturing changes the hazard profile.
A process changes: The task may look similar, but the sequence, pace, exposure, or competence requirement has shifted.
A new substance is introduced: Cleaning products, adhesives, paints, fuels, and treatment chemicals all need a fresh look if they alter exposure or handling.
Staffing arrangements change: New starters, agency workers, lone working patterns, night work, or reduced supervision can affect control reliability.
The physical environment changes: A refit, layout change, room conversion, storage relocation, or access route adjustment can create new interactions and pinch points.
If you want a practical way to pick these changes up, a structured health and safety audit process often highlights where operational change has outrun the paperwork.
Warning signs that controls are failing
Not every trigger is obvious on the day it happens. Some appear through drift. A control looked fine when the assessment was signed off, but work on site tells a different story.
A later review is justified when you start seeing:
Near miss patterns: Repeated slips in one area, repeated manual handling strains, repeated contact with hot surfaces, or repeated congestion around a loading point.
Accident findings: An incident investigation exposes that the written control wasn't realistic, wasn't followed, or didn't address the actual task.
Worker feedback: Staff say a guard slows production so it gets bypassed, PPE is unsuitable, or the safe route is blocked during peak periods.
Supervisory concerns: Managers notice shortcuts becoming normal practice.
Control failure evidence: Extraction doesn't perform as expected, segregation barriers are moved, housekeeping standards drop, or maintenance delays affect safety.
Here's a useful discipline. Don't ask only whether an accident happened. Ask whether the current controls still work in the way the assessment assumes they do.
After the trigger list is understood, this short briefing can help reinforce it in teams:
If a supervisor says, “We've changed the job a bit,” that sentence should lead straight to “Which assessment needs reviewing?”
The strongest review systems treat triggers as part of operational change control, not as an afterthought for the safety folder.
Recommended Review Cadence by Industry
A blanket review interval sounds tidy, but it doesn't reflect how UK workplaces operate. A stable office and a live construction project don't carry the same pace of change, and they shouldn't be managed as if they do.
Lower-change environments
In lower-risk, lower-change settings, an annual cycle is often workable provided managers still respond quickly to trigger events.
Typical examples include:
Sector | Sensible baseline |
|---|---|
Corporate offices | Annual planned review, with extra reviews after office moves, refits, team restructures, or workstation changes |
Education admin spaces | Annual review where tasks are stable, plus earlier review if room use, occupancy, or equipment changes |
Back-office retail functions | Annual review if the work is routine and the layout remains stable |
These settings still change. They just tend to change less dramatically. The mistake isn't using annual review here. The mistake is assuming “office-based” means “static”.
Higher-risk and faster-moving sectors
UK guidance supports shorter review cycles for higher-risk activities. For example, manual-handling assessments may be reviewed annually as a guide, but higher-risk organisations may move to quarterly or even monthly reviews. Machinery risk assessments may sit on 1-, 2-, or 3-year cycles only where residual risk is low and there are no trigger events, according to this sector guidance for manufacturing leaders.
That principle plays out differently by sector:
Construction: Review points usually need to track project phases, changing contractors, temporary works, plant movements, and evolving site conditions. A fixed yearly date is rarely enough on its own.
Hospitality: Kitchens, bars, housekeeping, and front-of-house operations often change with menu revisions, seasonal staffing, events, and layout adjustments.
Retail: Refits, promotional displays, stockroom pressure, delivery patterns, and customer flow can all alter risk quickly.
Manufacturing: New machinery, guarding changes, throughput pressure, maintenance conditions, and manual handling arrangements all justify tighter review discipline.
Events and venues: Each event can create a fresh mix of occupancy, staging, contractors, traffic routes, and emergency arrangements.
Education and theatres: Term changes, productions, practical activities, and contractor works often create temporary hazards that standard annual cycles won't catch in time.
Review frequency should follow the pace of change, not the convenience of the admin calendar.
The most practical approach is to assign every assessment one of three categories: stable, variable, or high-change. Once that's done, you can set a planned cadence that matches reality and still rely on triggers to bring reviews forward.
A Practical Checklist for Your Review Process
Most review failures aren't caused by ignorance of the rule. They happen because the review itself is rushed, paper-based, or disconnected from the work.
The fix is to make review repeatable. Not bureaucratic. Just repeatable.
What to do during the review
UK sector guidance treats review as a risk-based cycle. Most businesses review annually, higher-risk activities may need more frequent checks, and controls should be monitored continuously, with the governing principle being annual planned review plus event-driven review, as described in CHAS guidance on review frequency.
That principle only works if the review method is sound. A practical checklist usually looks like this:
Pull the current assessment and related records Gather the latest version, action logs, accident reports, near misses, maintenance notes, training records, and any method statements linked to the task.
Talk to the people doing the work The written process and the actual process are often not identical. Ask what has changed, what slows them down, and what they routinely have to work around.
Observe the task in its working setting Walk the area while the work is in progress. Reviews done from a desk miss congestion, timing pressure, access issues, and informal shortcuts.
Check whether controls still exist and still work Don't assume. Is the barrier in place? Is the extraction used? Is supervision adequate? Is PPE suitable and available?
Look for change since the last version New equipment, different staffing, altered routeing, revised materials, contractor overlap, or changing occupancy all matter.
Record decisions clearly Update the assessment, add actions, set owners, and document the review date and reason for review.
What good review records look like
A strong review trail doesn't need to be long. It needs to be credible.
Use this as a minimum standard:
State what triggered the review: Scheduled annual review, process change, incident follow-up, new equipment, or failed control.
Record what was checked: People consulted, area observed, documents reviewed.
Describe what changed: New hazards, revised controls, removed controls, or no material change found.
Assign actions properly: Name the responsible person and the completion expectation.
Communicate the outcome: Supervisors and staff need to know what changed in practice, not just that a form was updated.
If you're testing whether your wider management system supports that standard, a health and safety gap analysis can show where review routines, ownership, and follow-through are too weak.
One practical option for organisations that need outside support is KODOBI's consultancy service, which includes reviewing quantitative, qualitative, and dynamic risk assessments as part of broader compliance support. That's useful where internal teams have ownership of operations but need a competent external eye on review quality.
The best review is the one that changes the work where needed, not just the date on the document.
Your One-Page Annual Review Schedule Template
A review system becomes easier to manage when everything sits in one live register rather than across separate folders, emails, and reminders. You don't need specialist software to start. A disciplined spreadsheet or central register can work well if ownership is clear.
The fields to include
Keep the master schedule short enough that managers will use it. These fields are usually enough:
Field | What to enter |
|---|---|
Risk assessment title | The name of the task, area, or activity |
Owner | The manager or competent person responsible |
Location | Site, department, or project |
Last review date | The most recent completed review |
Next planned review date | The scheduled date based on your chosen cycle |
Risk category | Stable, variable, or high-change |
Trigger indicators | The events that would force earlier review |
Latest trigger-based review | Date and short note of the last event-driven update |
Open actions | Any controls or improvements still being implemented |
Status | Current, under review, superseded, or archived |
Then add a simple trigger log beneath it:
Trigger date | Trigger event | Assessment affected | What changed | Updated by |
|---|
That second table is what turns the schedule into a living control rather than a calendar list.
How to use it without creating admin for its own sake
The template only works if it sits close to operational management.
A few habits make the difference:
Review it during management meetings: Not every line in detail, but enough to spot overdue actions and upcoming planned reviews.
Tie it to change approval: If a manager introduces a new process or piece of equipment, the register should be checked as part of that decision.
Use plain trigger wording: “New machine installed” is better than vague labels no one interprets consistently.
Archive properly: Keep old versions, but make sure teams can immediately identify the current live assessment.
Give supervisors a route to escalate changes: They often see the first signs that a review is needed.
What doesn't work is building a beautiful schedule that nobody updates after real-world changes. A one-page register is valuable because it forces a simple discipline: plan the annual review, then log the events that pull it forward.
If you adopt that approach, the question stops being “how often should risk assessments be reviewed?” in the abstract. It becomes a practical management answer: every assessment has a planned date, and every meaningful change has a route to immediate review.
If you need support building that kind of system, KODOBI helps UK employers put workable review routines in place across offices, construction, hospitality, retail, education, events, manufacturing, and other changing environments. That can include gap analysis, audits, dynamic risk assessment support, training, and ongoing advice so reviews don't stall at the document stage.
Comments