Who can carry out risk assessments on a premises?
It's one of the first questions a small business owner asks when they're told they "need a risk assessment". And the honest answer is more interesting than the rules suggest.
The law doesn't say you need a specific qualification. It doesn't name a job title. It doesn't require you to hire a consultant. What it does require is something both broader and harder to pin down: a competent person.
That word — "competent" — is doing a lot of work. Whether you actually meet it is the question that decides whether your business is genuinely protected or just paperwork-compliant.
The short answer: Anyone who is competent for the specific risks involved. Under Regulation 7 of the Management of Health and Safety at Work Regulations 1999 (MHSWR 1999), a "competent person" is anyone with sufficient training, experience, knowledge, or other qualities to do the job properly — no specific qualification is mandated by law. For most small, low-risk businesses, the owner is often the most competent person to carry out their own risk assessments, provided they understand their hazards and document their reasoning properly.
The law in plain English
The relevant duty sits in Regulation 7 of the Management of Health and Safety at Work Regulations 1999 (MHSWR 1999). It says every employer must "appoint one or more competent persons to assist [them]" in meeting their health and safety obligations.
Notice what it doesn't say. It doesn't say the person must be a consultant. It doesn't say they need an external certificate. It doesn't say it can't be the business owner. In fact, Regulation 7(8) explicitly states that where there's an equal choice between an external adviser and an internal employee, the employee should be preferred — because they understand the work, the people, and the risks better than any outsider could.
So who is "competent"? Regulation 7(5) defines it like this:
"A person shall be regarded as competent... where he has sufficient training and experience or knowledge and other qualities to enable him properly to assist in undertaking the measures..."
That word "or" matters. The law accepts that competence can come from training, OR from experience, OR from knowledge combined with other personal qualities. There is no single qualification required. There is no single path.
This is the grey area. And it's grey by design.
"Competent person" vs "responsible person"
Before going further, it's worth clearing up a confusion that catches a lot of small business owners.
The competent person under MHSWR 1999 is whoever provides the technical advice and assistance — the person who actually carries out risk assessments, identifies hazards, recommends controls.
The responsible person is a separate concept that comes from the Regulatory Reform (Fire Safety) Order 2005 (RRO 2005). Under Article 3 of that Order, the responsible person is the employer or whoever has control of the premises. They carry the legal accountability for fire safety arrangements.
You'll often find both roles sitting with the same person in a small business — typically the owner. That's fine, and the law accommodates it. What matters is that whoever signs off on a risk assessment must be competent for the risks being assessed, and that competence has to be defensible if challenged.
What the HSE actually expects from small businesses
The HSE's latest annual statistics make the scale of the problem clear. In 2024/25 there were 124 worker fatalities and an estimated 680,000 workers sustained non-fatal workplace injuries. Employers reported 59,219 specific incidents under RIDDOR. Work-related injuries and ill health together cost UK business an estimated £22.9 billion annually and result in roughly 40.1 million lost working days. Most of those incidents happened in workplaces where someone — competent or otherwise — was responsible for the risk assessment.
If you read the Health and Safety Executive's guidance for managing risk, one thing becomes obvious very quickly: the HSE is not trying to scare small business owners away from doing their own risk assessments.
The opposite, in fact. They state explicitly:
"For most small, low-risk businesses the steps you need to take are straightforward and are explained in these pages."
The HSE's view is that an owner of a small, low-risk business — an office, a small retail unit, a service business — is often the most competent person to assess the risks in their own premises. They understand the work, they know the people, they see the hazards every day. With the right framework and a willingness to take it seriously, they can produce a perfectly defensible risk assessment.
The supporting guidance to MHSWR 1999 makes the same point: competence does not necessarily depend on holding particular qualifications. Simple situations may require nothing more than understanding current best practice, awareness of your own limitations, and a willingness to learn.
A few quick legal anchors while we're here: if you have five or more employees, you must record the significant findings of your risk assessment in writing. If you have fewer, you don't have to — but it's still strongly advised so you have a defensible record.
Where the grey area becomes dangerous
This is where I'd urge caution.
The HSE's position on competence comes with an essential second half: "more complex or highly technical situations will call for specific applied knowledge and skills." In other words, the further your work moves from "small, low-risk office or service business", the higher the bar for competence becomes.
A few examples where a generalist — even a well-intentioned, well-read one — should hand over to a specialist:
- Asbestos surveys and management — covered by the Control of Asbestos Regulations 2012. Not something you should attempt without proper training.
- Construction projects under the Construction (Design and Management) Regulations 2015 — particularly anything notifiable to the HSE.
- Fire risk assessments for complex premises — multi-storey, multi-occupancy, high-risk usage. The duty is on the responsible person, but the assessment itself should usually come from a competent fire risk assessor.
- Hazardous substances under COSHH 2002 where you're dealing with serious chemicals, not just office cleaning products.
- Specialised equipment under regulations like LOLER (lifting equipment) or PSSR (pressure systems).
For any of these, the law's "or" still applies — qualifications aren't strictly mandatory if experience is sufficient — but practically speaking, the level of risk and the consequences of getting it wrong mean specialist competence really is required. Software, templates, and tools don't substitute for that.
An honest perspective
I'll share where I sit on this personally.
I hold the NEBOSH International General Certificate in Occupational Health and Safety and the NEBOSH Construction Certificate. Before that, I worked in construction. I'm currently a full-time operational firefighter. I've spent more hours than I can count standing in the rubble of preventable failures.
Even with all of that, I still consult specialists for assessments outside my own competence. Asbestos work? I'd call a UKATA-registered surveyor. Complex fire risk in a multi-occupancy building? I'd commission a properly qualified fire risk assessor. Anything outside my direct experience, I'd default to "I'm not the right person for this."
That's not weakness. That's the system working as intended.
What I would say with confidence is this: a small business owner who has taken the time to genuinely understand the hazards of their own workplace, who has read the relevant HSE guidance, who has perhaps done an IOSH Managing Safely course, and who documents their reasoning honestly — that person is, in most cases, competent to assess the everyday risks in their own premises. The law was written to recognise them, not to lock them out.
What a small business owner should actually do
If you're a small business owner reading this and wondering whether you can — or should — be carrying out your own risk assessments, here's the framework I'd suggest:
- Educate yourself. The HSE's free guidance is excellent. The IOSH Managing Safely course is a sensible entry point. For those who want a deeper foundation, the NEBOSH National General Certificate is the standard professional baseline.
- Be honest about your work environment. Are you a low-risk office, retail unit, or service business? You're likely competent. Are you a construction site, an engineering workshop, a multi-occupancy commercial building, or working with hazardous substances? Some of it you can probably handle; some of it you should not.
- Document your reasoning thoroughly. The legal duty isn't to produce a paper artefact — it's to demonstrate that you've genuinely thought about the hazards, identified them, and put proportionate controls in place. Your documentation is your defence if anything ever goes wrong.
- Know your limits, and call in specialists when you cross them. There is no shame in saying "this is beyond my competence" and bringing in someone qualified. That itself is a sign of competence.
- Use tools to accelerate the work, not replace the thinking. A good piece of compliance software can save you hours of formatting, scaffolding, and re-doing work. It cannot, and should not, replace your understanding of the hazards in your own workplace.
A word about ClearSafe
GetClearSafe.com is built precisely for the small and medium business owner described above: someone who is competent for their everyday risks, who wants to do the work properly, but who doesn't have hours to spend wrestling with templates and re-formatting assessments.
The platform structures your thinking, asks the right questions for your industry, and produces well-documented, defensible records. It doesn't claim to make you competent — competence still has to come from you. What it does is scaffold the work, make compliance practical, and give you a system that holds up to scrutiny from HSE inspectors, insurers, and customers who increasingly ask for proof.
If you can read your own workplace and recognise where the hazards are, the rest is solvable with the right framework. That's what we're trying to build.
Frequently asked questions
Do I need a NEBOSH qualification to carry out a risk assessment?
No. The law (MHSWR 1999 Regulation 7) does not mandate any specific qualification — it requires competence, which can come from training, experience, knowledge, or a combination of these. A NEBOSH qualification helps demonstrate competence, particularly for higher-risk environments, but it is not a legal requirement for most small business risk assessments.
Do I have to record my risk assessment in writing?
If you have five or more employees, yes — UK law requires you to record the significant findings of your risk assessment in writing. If you have fewer than five employees, you don't have to record it in writing, but it's strongly advised so you have a defensible record if anything ever goes wrong.
What's the difference between a competent person and a responsible person?
The competent person (MHSWR 1999) provides the technical advice and assistance — typically the person who actually carries out risk assessments. The responsible person (RRO 2005, Article 3) is the employer or person in control of the premises, who carries the legal accountability. In a small business, both roles often sit with the same person — usually the owner.
Can I outsource risk assessments to a consultant?
Yes, but Regulation 7(8) of MHSWR 1999 states that where there's an equal choice between an internal employee and an external consultant, the internal person should be preferred — because they understand the work better. Crucially, the legal duty to ensure safety remains with the employer regardless of who carries out the assessment. Outsourcing the work does not outsource the liability.
How often should I review my risk assessment?
There's no fixed timeframe in law, but the HSE expects assessments to be reviewed whenever there's reason to suspect they're no longer valid — after an accident, a near-miss, a change to the workplace, new equipment, or new working practices. As a practical baseline, an annual review is a sensible default for most small businesses, plus immediate reviews whenever anything significant changes.
Closing
So: who can carry out a risk assessment on a premises?
Anyone who is competent for the risks involved. That might be you. It might be an employee. It might be an external consultant. It might be all three for different parts of the work. The law deliberately leaves the door open because reality is varied.
Take it seriously. Educate yourself. Document your reasoning. Use the right tools. Know when to call for help.
Compliance isn't a paperwork exercise. It's a working understanding of how your business could hurt someone, and a documented record of what you've done about it. Most small business owners can absolutely take ownership of that — they just need to do it properly.
About the author
Enrico Beltrami
Founder, ClearSafe Ltd
Enrico is the founder of ClearSafe Ltd (GetClearSafe.com), a UK B2B SaaS platform helping small businesses meet their health and safety obligations under the Health and Safety at Work Act 1974, COSHH, RIDDOR and related regulations.
He brings a frontline perspective from his career as a full-time operational firefighter and earlier work in construction, backed by NEBOSH qualifications including the International General Certificate in Occupational Health and Safety and the Construction Certificate.
Combining real-world compliance expertise with a fascination for AI innovation, he founded ClearSafe in 2026 after repeatedly seeing businesses operate without adequate health and safety provisions — building practical, affordable compliance tools for the SMEs who can't justify hiring a dedicated H&S consultant.
- NEBOSH International General Certificate in Occupational Health & Safety
- NEBOSH National Certificate in Construction Health & Safety