---
title: "Acting on your risk assessment: setting priorities"
source_url: https://legionella.io/articles/acting-on-your-risk-assessment-setting-priorities/
canonical_url: https://legionella.io/articles/acting-on-your-risk-assessment-setting-priorities/
pillar: "Legionella Risk Assessment"
summary: "Your assessor's High/Medium/Low column isn't a work order. Re-rank risk assessment actions by exposure, permanence and drift, and record what you defer."
primary_keyword: "risk assessment actions"
date_published: 2025-08-24
date_reviewed: 2026-06-26
author: "Legionella.io editorial team (REMOTE TECH LTD)"
reviewed_against: "HSE L8 and HSG274 guidance"
region: "United Kingdom"
license: "(c) REMOTE TECH LTD. Quote freely with attribution and a link to source_url."
---

# Acting on your risk assessment: setting priorities

Your assessor hands back the report and it runs to twenty-three recommendations, each tagged High, Medium or Low. The natural move is to start at the top of the High column and work down until the budget runs out. That natural move is also how a genuinely dangerous outlet ends up untouched in month six, while three paperwork fixes get ticked off first.

The priority column is a useful start. It is not a work order. The person who wrote it saw your building once, scored each finding against a generic matrix, and went home. They did not know your occupancy, your budget cycle, or which of those controls you can realistically keep running after they leave. Turning their findings into your programme is a separate job, and it is yours.

## Why the rating isn't the running order

A risk rating answers one question: how bad is this finding if nobody touches it? That is worth knowing. But "worst if ignored" and "do first" are different orderings, and treating them as the same thing is the most common mistake duty holders make with a fresh assessment.

L8 puts the assessment of risk and the management and review of control measures on Approved Code of Practice footing, so acting on what the assessment finds is a duty, not a courtesy [1]. HSE's own summary of what a duty holder must do reads as a sequence — identify and assess the sources of risk, put a written scheme in place to prevent or control it, then implement, manage and review that scheme [2]. Nowhere in that sequence does it say "do the reds, defer the rest." The sequencing is left to you, because you are the one who knows the site.

## Re-rank before you spend a penny

Take the list of remedial actions and run every line past four questions. They reorder the list faster than any scoring matrix.

- **Exposure — who actually breathes it?** A finding only becomes a risk to a person when there is a route from the water to someone's lungs. A neglected spray tap or a low-use shower in a room full of susceptible people outranks a cosmetic defect on plant nobody stands near, whatever colour the assessor gave each.
- **Permanence — fix once, or mind forever?** Some actions delete a hazard; others add a recurring task. Capping and removing a redundant length of pipe is a one-off that lowers your burden every week after — removing dead legs and redundant pipework is exactly the kind of design-out measure HSG274 favours over endless management [3]. Adding that same dead leg to a flushing rota is a debt you pay for years. Prefer the fix that disappears.
- **Drift — failing now, or only in theory?** A hot return that arrives lukewarm, or an outlet with a run of missed flushes, is a control failing in real time. A theoretical weakness on a capped, isolated main is not. Live drift goes ahead of latent risk.
- **Proof — can you evidence it cheaply?** Some of the highest-value actions are not physical at all. Closing a gap where a control exists but nothing records that it works can cost an afternoon, and it transforms how defensible your position is.

Run the list through those four and it stops being twenty-three equal-looking jobs and becomes four piles: do now, design out, schedule, and decide-and-record. The first pile is small and urgent. The second is where capital spend earns its keep. The third is routine. The fourth is the one people forget exists.

Use the asset register and schematics to sanity-check the re-rank, because an action sitting on an outlet you cannot actually locate is its own finding. If the report didn't arrive with a usable register, that gap belongs near the top of the do-now pile — you cannot do meaningful risk ranking on a system you cannot see.

## The list you'll be judged on is the one you didn't action

Here is the part that rarely makes it into the guidance. When something goes wrong and the file gets pulled, the document that gets read hardest is not the risk assessment. It is the record of what you chose not to do, and why.

Completed actions look after themselves; a closed item with a date is self-evidently fine. The exposure sits in the deferrals. An item quietly bumped down the list with no reason and no review date is the single weakest thing in most compliance files — it reads as a hazard you knew about and ignored. The same item, recorded as "deferred to Q3 pending tank access during the planned shutdown; interim flushing in place; responsible person to review by 1 September," reads as a managed decision instead.

So the discipline isn't really about doing more. It is about writing down the decision behind every line you don't action yet: the reason, the interim measure, the owner, and the date you'll look again. A deferral with a date is control. A deferral without one is just a gap waiting to be found.

## Where the framework runs out

This is a way to sequence and resource a list, not a licence to overrule it. You cannot move a statutory finding down the order because it is expensive, and you should not downgrade a hazard your assessor flagged without a competent person comfortable with the call and a note explaining it. If a recommendation doesn't make sense to you, ask the assessor before you defer it, rather than guessing at their reasoning months later.

Sampling deserves the same caution. A clean result is evidence for the conditions sampled, not a reason to drop an action — and HSE is clear that testing frequency follows the system and the risk assessment, not a number you picked to feel covered [4]. The four questions help you order the work; they do not replace the competent judgement behind the assessment itself, which is what the British Standard for Legionella risk assessments exists to underpin [5].

## What to do with this week's report

Open the recommendation list and add three columns: exposure, permanence, drift. Score each line in a word or two, re-sort, then split the result into do-now, design-out, schedule and decide-and-record. Go back through everything that landed in "schedule" or "decide-and-record" and give each a reason, an owner and a review date before you close the file. That single pass turns a survey into a programme — and turns a list of jobs into a record that shows you managed them.
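The pass described above, together with the four-question re-rank from "Re-rank before you spend a penny", as an added worked example in Python. This is not the article's or HSE's tool: the field names, the rule order that maps the four answers onto the four piles, and the five sample findings are all this example's own assumptions, constructed for illustration.

```python
"""Re-rank an assessor's recommendation list into the four piles and check
that every deferred line carries a reason, an interim measure, an owner and
a review date. Added example; pile rules and sample data are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Finding:
    """One line of the recommendation list plus the four re-rank answers."""
    ref: str
    description: str
    assessor_rating: str           # High / Medium / Low, exactly as the report gave it
    exposure: str                  # "high", "low" or "none": route from water to someone's lungs?
    permanence: str                # "remove" (fix once) or "manage" (recurring task)
    drift: bool                    # True when the control is failing right now
    proof_gap: bool                # control exists but nothing records that it works
    # Deferral record: all four are required on anything you are not doing now.
    reason: Optional[str] = None
    interim: Optional[str] = None
    owner: Optional[str] = None
    review_date: Optional[date] = None


PILES = ("do now", "design out", "schedule", "decide and record")
EXPOSURE_RANK = {"high": 0, "low": 1, "none": 2}


def pile_for(f: Finding) -> str:
    """Map the four answers onto one pile. The rule order is this example's assumption."""
    if f.drift and f.exposure != "none":
        return "do now"               # live drift goes ahead of latent risk
    if f.proof_gap:
        return "do now"               # an afternoon's records work, large gain in defensibility
    if f.permanence == "remove":
        return "design out"           # one-off that deletes the hazard and its weekly task
    if f.exposure != "none":
        return "schedule"             # recurring management of a hazard someone can breathe
    return "decide and record"        # latent and unexposed: still a decision, still written down


def rerank(findings: list) -> dict:
    """Split the list into the four piles, most-exposed first within each pile."""
    piles = {name: [] for name in PILES}
    for f in findings:
        piles[pile_for(f)].append(f)
    for items in piles.values():
        items.sort(key=lambda f: (EXPOSURE_RANK[f.exposure], f.ref))
    return piles


def deferral_gaps(piles: dict) -> dict:
    """Anything in 'schedule' or 'decide and record' is a deferral. Return, per
    deferred line, which of reason / interim / owner / review_date is missing."""
    gaps = {}
    for name in ("schedule", "decide and record"):
        for f in piles[name]:
            missing = [attr for attr in ("reason", "interim", "owner", "review_date")
                       if getattr(f, attr) is None]
            if missing:
                gaps[f.ref] = missing
    return gaps


# Constructed sample list, not from any real report: the assessor's rating on the
# left, the four re-rank answers on the right.
SAMPLE = [
    Finding("R01", "Theoretical weakness on capped, isolated main", "High",
            exposure="none", permanence="manage", drift=False, proof_gap=False),
    Finding("R02", "Low-use shower on a ward of susceptible occupants, run of missed flushes",
            "Medium", exposure="high", permanence="manage", drift=True, proof_gap=False),
    Finding("R03", "Redundant pipework behind plant room (dead leg): cap and remove", "Low",
            exposure="low", permanence="remove", drift=False, proof_gap=False),
    Finding("R04", "TMVs serviced but no record kept", "Medium",
            exposure="low", permanence="manage", drift=False, proof_gap=True),
    Finding("R05", "Calorifier inspection needs tank access", "High",
            exposure="low", permanence="manage", drift=False, proof_gap=False,
            reason="Tank access only possible during the planned shutdown",
            interim="Weekly flushing and temperature check in place",
            owner="Responsible person", review_date=date(2025, 9, 1)),
]


if __name__ == "__main__":
    piles = rerank(SAMPLE)
    for name in PILES:
        print(f"{name}:")
        for f in piles[name]:
            print(f"  {f.ref} [{f.assessor_rating}] {f.description}")
    for ref, missing in deferral_gaps(piles).items():
        print(f"DEFERRAL INCOMPLETE {ref}: missing {', '.join(missing)}")
```

Run as a script it prints the four piles and then flags R01, the assessor's "High" on isolated plant, as a deferral with no reason, interim measure, owner or review date, while the "Medium" shower lands at the top of "do now". The point of the second function is that the check runs before the file is closed, so an undated deferral never reaches the file in the first place.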

For the wider rhythm that sits around this — when to revisit the whole assessment rather than just its actions — see [Reviewing and updating your Legionella risk assessment regularly](https://legionella.io/articles/reviewing-and-updating-your-legionella-risk-assessment-regularly/). And if the findings outran the quality of the report itself, [Writing a Legionella risk assessment report](https://legionella.io/articles/writing-a-legionella-risk-assessment-report/) covers what a usable assessment should contain in the first place.

## FAQ

### Should I always do the High-rated actions first?
Not automatically. A High rating tells you what is worst if left alone, not what to tackle first. Re-rank by who is actually exposed, whether you can remove the hazard for good rather than manage it forever, and whether a control is already drifting out of range. A "Medium" on a daily-use shower used by vulnerable people can fairly outrank a "High" on isolated plant.

### How should I record an action I can't do yet?
Capture four things against the item: why it is deferred, what interim control is holding the risk in the meantime, who owns it, and the date you will review it. A dated, reasoned deferral with an interim measure is a defensible decision; an undated one with no holding control reads as neglect if the file is ever examined.

### Can I change the priority my assessor assigned?
You can change the order you work in, and usually you should, because you know the building. What you should not do is quietly downgrade the hazard itself. If you think a rating is wrong, raise it with the assessor and record the agreed position rather than overwriting their judgement on your own.

## Related reading

- [Writing a Legionella risk assessment report](https://legionella.io/articles/writing-a-legionella-risk-assessment-report/)
- [Reviewing and updating your Legionella risk assessment regularly](https://legionella.io/articles/reviewing-and-updating-your-legionella-risk-assessment-regularly/)
- [Using data loggers for water temperature monitoring](https://legionella.io/articles/using-data-loggers-for-water-temperature-monitoring/)
- [The Legionella Control Association Code of Conduct explained](https://legionella.io/articles/the-legionella-control-association-code-of-conduct-explained/)

## Sources

[1] HSE, "Legionnaires' disease. The control of legionella bacteria in water systems - Approved Code of Practice and guidance (L8)". https://www.hse.gov.uk/pubns/books/l8.htm
[2] HSE, "Legionnaires' disease - what you must do". https://www.hse.gov.uk/legionnaires/what-you-must-do/index.htm
[3] HSE, "Legionnaires' disease: Technical guidance (HSG274)". https://www.hse.gov.uk/pubns/books/hsg274.htm
[4] HSE, "Testing and monitoring your water system for legionella". https://www.hse.gov.uk/legionnaires/testing-monitoring-water-system.htm
[5] BSI, "BS 8580-1:2019 - Risk assessments for Legionella control. Code of practice". https://knowledge.bsigroup.com/products/water-quality-risk-assessments-for-legionella-control-code-of-practice-1
