When should a risk assessment be carried out?


Compliance and risk assessments go together like coffee and cake, tea and scones, Ross and Rachel – you get the idea – you cannot have one without the other.

Whatever your compliance duties and responsibilities, be they under health and safety, environmental law, data protection and privacy, building safety regulations, competition law, rules set by your industry's regulator and/or terms in your commercial contracts, risk assessments are essential to understanding the threats to your organisation's ability to comply, so that you can put in place policies and procedures to reduce or mitigate those risks. Undertaking risk assessments provides numerous benefits, including:

Minimising your insurance claims and (hopefully) the premiums you pay.

Protecting your commercial reputation by demonstrating that you take the safeguarding of matters such as personal data and employee health and safety seriously.

Demonstrating to potential investors that you run a well-organised business and that the risk of resource-draining, disruptive regulatory investigations has been minimised.

Giving customers confidence that your business practices are sustainable and that its directors are conscious of mitigating any negative impacts on the environment and on people's health and welfare.

Reducing the risk of costly and stressful legal disputes.

So how often should risk assessments be undertaken to ensure your business gets to enjoy all the wonderful benefits mentioned above?

In this article, we provide the answers you need. But first, let’s quickly recap on what a risk assessment actually is.

What is a risk assessment?

A risk assessment forms part of your organisation's risk management process. It involves examining hazards within the workplace or in work practices and evaluating the associated risks. Once the risks have been identified, the second step is to implement reasonable measures to eliminate or mitigate them, and to record what was decided and why. For example, if your organisation processes personal data belonging to customers in the UK and the EU, you need adequate risk assessments in place to ensure that you comply with the UK GDPR, the EU GDPR (for EU data subjects) and the Data Protection Act 2018. Article 35 of the UK GDPR specifically requires a Data Protection Impact Assessment (DPIA) to be undertaken where: "a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons". The requirement for law firms to comply with anti-money laundering regulations is another example of where risk assessments must be carried out, so that the circumstances in which a breach of the regulations could occur are identified, and processes and procedures implemented to eliminate or reduce those risks.

When should a risk assessment be carried out?

Risk assessments should be carried out:

When starting a new venture, project, or activity – risk assessments should be part of the planning stage of any new project. The person or team responsible for managing the assessments must first establish which legislation and regulations apply to the particular project, including the laws of other jurisdictions in relation to cross-border ventures. Once the risks and control measures have been identified, they must be documented and shared with the relevant people in the organisation.

When changing the method in which an activity is carried out – using a different method to carry out a particular activity can change your compliance requirements. For example, the UK GDPR applies to personal data processed by automated means and to manual records that form part of a filing system (or are intended to); unstructured paper records that do not form part of a filing system fall outside it, although the Data Protection Act 2018 may still impose obligations, for instance on public authorities. If you scan those paper files into a digital format and begin to process them electronically, they come within the scope of the UK GDPR and you will need to undertake a data protection risk assessment (and a DPIA, where Article 35 applies).

When there are employee changes – variations in personnel can result in new risks. For example, a fresh health and safety risk assessment may need to be carried out if your business employs someone with a disability. When identifying and putting in place control measures in this type of situation, it is wise to seek professional advice to ensure that, in complying with health and safety legislation, you do not inadvertently breach the provisions of the Equality Act 2010.

Even if none of the above situations applies, a schedule for reviewing and updating each risk assessment should be in place. Laws and regulations often change, and parts of your business may close or be restructured, making particular risk assessments redundant. In addition, if an incident such as a data breach, a breach of contract, or an accident involving an employee occurs, the relevant risk assessment should be reviewed in order to gain an understanding of:

Whether the risk was identified,
How the control measures were implemented,
Why, despite the identification of risk and implementation of control methods, the incident occurred, and
What changes must be made to ensure the incident does not happen again.

The last point is particularly important if an enforcement body such as the HSE or SRA is investigating the incident. Providing full co-operation and demonstrating that you are taking the incident seriously and taking steps to prevent such an event from occurring in the future may help lessen the severity of any penalty imposed.

Wrapping up

Undertaking adequate risk assessments at the right time, and reviewing them on a schedule and after any incident, will help insulate your business from regulatory, enforcement or criminal investigations, provide confidence to consumers and investors, and minimise legal disputes, especially in relation to contracts.

To find out how we can assist you with undertaking risk assessments, please email us at info@43legal.com or phone 0121 249 2400.

The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article, please contact 43Legal.