Legal Requirements for Risk Management in HSE

Purpose

This Knowledge Providing Task is designed to ensure learners understand how UK law transforms risk assessment from a technical exercise into a legal and managerial duty.

At Level 7, learners must:

  • Interpret legislation beyond compliance checklists
  • Understand why legal duties exist
  • Recognize how failures in risk management lead to criminal, civil, and corporate liability
  • Apply legislation strategically within engineering operations

This KPT emphasizes legal causation of incidents, not academic summaries of law.

Legal Framework Governing Risk Assessment in the UK

UK health, safety, and environmental law operates on risk-based principles, meaning duty holders are expected to anticipate harm and take proactive measures.

Key features of UK law:

  • Goal-setting rather than prescriptive
  • Emphasis on management systems
  • Focus on prevention over reaction
  • Strong enforcement powers

Health and Safety at Work etc. Act 1974 (HSWA)

Legal Status and Scope

The HSWA is the primary enabling legislation for all health and safety law in the UK.

It places duties on:

  • Employers
  • Employees
  • Designers
  • Manufacturers
  • Contractors
  • Senior management

Risk Assessment Implications

While HSWA does not explicitly mention “risk assessment,” it establishes the legal duty to manage risk by requiring employers to ensure, so far as is reasonably practicable, the following for their employees:

  • Health
  • Safety
  • Welfare

Professional Interpretation:

  • Risk assessment is the mechanism through which HSWA duties are fulfilled.

Incident Causation and HSWA Breaches

Incidents often occur when:

  • Risks were foreseeable
  • Controls were known
  • Management failed to act

Courts assess:

  • Whether risks were identified
  • Whether controls were implemented
  • Whether decisions were justified under ALARP

Management of Health and Safety at Work Regulations 1999 (MHSWR)

Central Role in Risk Assessment

MHSWR explicitly requires employers to:

  • Conduct suitable and sufficient risk assessments
  • Implement preventive and protective measures
  • Appoint competent persons
  • Establish emergency procedures

“Suitable and Sufficient” – Professional Meaning

A risk assessment is not suitable and sufficient if it:

  • Is generic or copied
  • Ignores non-routine tasks
  • Fails to consider human factors
  • Is not reviewed after changes or incidents

Incident Link:

  • Many prosecutions arise from assessments that exist on paper but fail to reflect operational reality.

Control of Substances Hazardous to Health Regulations 2002 (COSHH)

Risk-Based Chemical Control

COSHH requires:

  • Identification of hazardous substances
  • Assessment of exposure risks
  • Implementation of control measures
  • Health surveillance where required

Risk Management Failures Under COSHH

Common failures include:

  • Underestimating chronic exposure
  • Inadequate ventilation
  • Overreliance on PPE
  • Poor training

Professional Insight:

  • COSHH breaches often indicate systemic failures in risk assessment methodology, not isolated errors.

Provision and Use of Work Equipment Regulations 1998 (PUWER)

Risk Control Through Engineering Design

PUWER requires equipment to be:

  • Suitable
  • Maintained
  • Inspected
  • Used by trained personnel

Incident Patterns Under PUWER

Incidents typically arise when:

  • Equipment is modified without reassessment
  • Guards are bypassed
  • Maintenance risks are ignored

Risk Assessment Implication:

  • PUWER compliance depends heavily on task-based and maintenance risk assessments.

Control of Major Accident Hazards Regulations (COMAH)

High-Consequence Risk Governance

COMAH applies to major hazard sites handling dangerous substances.

Key requirements:

  • Major Accident Prevention Policy (MAPP)
  • Safety Reports
  • Emergency planning
  • Risk-based land-use planning

Strategic Risk Management Failures

Major incidents often result from:

  • Normalization of deviation
  • Weak safety leadership
  • Poor change management
  • Misinterpretation of ALARP

Level 7 Expectation:

  • Learners must understand systemic risk governance, not just site-level controls.

Environmental Protection Act 1990

Environmental Risk as Legal Duty

The Act imposes duties to:

  • Prevent pollution
  • Manage waste responsibly
  • Protect land, air, and water

Environmental Risk Assessment Failures

Environmental incidents often occur when:

  • Environmental risk is separated from safety risk
  • Emergency planning is inadequate
  • Contractors are poorly controlled

Professional Insight:

  • Environmental harm is increasingly treated as a management failure, not an accident.

Corporate Manslaughter and Corporate Homicide Act 2007

Management Accountability

This Act applies where a death results from a gross breach of a relevant duty of care, with a substantial element of that breach attributable to senior management.

Risk assessment relevance:

  • Failure to identify foreseeable risks
  • Inadequate control measures
  • Poor senior management oversight

Strategic Consequences

Convictions lead to:

  • Unlimited fines
  • Publicity orders
  • Severe reputational damage

Enforcement, Investigation, and Risk Evidence

Regulators assess:

  • Risk assessments
  • Management decisions
  • Training records
  • Incident history
  • Change management documentation

Critical Point:

  • After an incident, risk assessments become legal evidence.

Why Incidents Happen Despite Legal Frameworks

Common systemic causes:

  • Compliance-driven documentation
  • Cost-driven risk acceptance
  • Inadequate leadership engagement
  • Poor communication of controls

Law fails only when risk management culture fails.

Targeted Analytical and Decision-Making Questions

  1. Why does UK law favor risk-based duties over prescriptive rules?
  2. How does “suitable and sufficient” influence professional liability?
  3. In what ways do COSHH failures reflect weak risk methodology?
  4. How does PUWER link design decisions to operational risk?
  5. Why are major accidents often rooted in management decisions?
  6. How does environmental law expand the scope of risk assessment?
  7. What role does senior leadership play in legal compliance?
  8. How do courts assess ALARP after serious incidents?

Learner Task

You are required to demonstrate legal-risk integration competence.

  1. Select one UK regulation discussed in this KPT.
  2. Explain its purpose in relation to risk assessment and management.
  3. Identify a realistic engineering scenario where this regulation applies.
  4. Analyze how failure to comply could lead to an incident.
  5. Propose legally compliant risk management actions aligned with ALARP.