Common Non-Compliances Hiding in Plain Sight in Risk Assessments

Jan 14, 2026

Risk assessments are meant to be living documents that actively prevent harm. In reality, many pass audits while quietly failing to meet legal or best-practice requirements. The most dangerous non-compliances are rarely dramatic - they’re subtle, familiar, and often repeated across organisations.


Here are the most common ones that hide in plain sight.



1. Generic Hazards With No Real Context


What it looks like

  • “Slips, trips and falls”

  • “Manual handling”

  • “Working at height”


Why it’s non-compliant. Regulators expect hazards to be specific to the task, environment, and people involved. Generic hazards fail to demonstrate that the risks have been properly identified or evaluated. UK guidance is clear that risk assessments must be “suitable and sufficient” - generic wording often isn’t.

Common miss. The same risk assessment reused across sites with different layouts, equipment, or conditions.



2. Missing or Inadequate Risk Evaluation


What it looks like

  • No severity or likelihood scoring

  • Risk rating filled in but never explained

  • All risks marked “low” by default


Why it’s non-compliant. A risk assessment without a defensible evaluation process cannot justify control measures. Many standards explicitly require a structured method for assessing risk levels. ISO 45001 requires organisations to establish criteria for risk assessment and apply them consistently.

Common miss. Scores are copied forward from old documents without reassessment.



3. Control Measures That Don’t Follow the Hierarchy of Control


What it looks like

  • PPE listed as the primary control

  • Training used instead of engineering controls

  • “Be careful” or “Follow procedure” as a control


Why it’s non-compliant. The hierarchy of control is not optional guidance - it’s embedded in UK and international safety expectations. Relying on PPE or administrative controls when elimination or engineering controls are feasible is a frequent audit finding.


Common miss. No explanation of why higher-level controls were not reasonably practicable.



4. No Clear Link Between Risk and Control


What it looks like

  • Long lists of controls with no mapping to hazards

  • Controls copied verbatim between unrelated risks


Why it’s non-compliant. Assessors expect to see a logical relationship: hazard → risk → control. When that link is unclear, it suggests the assessment was assembled, not analysed. This is a common failure highlighted during inspections following incidents.

Common miss. Controls that mitigate a different risk than the one listed.



5. Responsibilities Are Vague or Missing


What it looks like

  • “Management to ensure…”

  • “Employees must…”

  • No named role or owner


Why it’s non-compliant. Risk controls without ownership are rarely implemented or maintained. ISO 45001 explicitly requires assignment of roles, responsibilities, and authorities.


Common miss. Responsibility assigned at organisational level, not task level.



6. Review Dates That Never Trigger Action


What it looks like

  • Review date set years in the future

  • “Review annually” with no last review recorded

  • No review after changes or incidents


Why it’s non-compliant. Risk assessments must be reviewed when circumstances change - not just on a calendar cycle. UK law requires review following significant changes or after an incident.


Common miss. Out-of-date assessments still in use after process or equipment changes.



7. Vulnerable Groups Not Considered


What it looks like

  • No mention of young workers, new starters, pregnant workers, or contractors

  • “All staff” assumed to be equally exposed


Why it’s non-compliant. Specific groups often face different levels of risk, and UK regulations require these differences to be assessed explicitly.


Common miss. Contractors covered by generic statements but no task-specific assessment.



Why These Issues Persist


These non-compliances usually exist because:

  • Documents are copied and edited instead of reassessed

  • Time pressure prioritises completion over quality

  • Reviews focus on presence, not substance


They’re rarely intentional - but they’re still enforceable.



A Practical Takeaway


If you want to stress-test a risk assessment quickly, ask:

  1. Could someone unfamiliar with the task understand the real risks?

  2. Can each control be clearly justified?

  3. Is there evidence this document has been actively reviewed?


If the answer is “no” to any of these, there’s likely a hidden non-compliance.
