A hot and cold water survey hands you a list. Forty-odd observations, a sheet of temperatures, photos of a furred shower head and a couple of valves, and an asset register that mostly matches the building. The survey is not the hard part. Deciding which three things to fix on Monday, which five can wait for the next maintenance window, and which “observation” is actually nothing — that is the job, and it is where most sites lose the thread.
Assessing risk in a hot and cold water system is an act of ranking, not cataloguing. The bacteria do not read your report. They respond to whether warm water is sitting still somewhere it can later be breathed in. So the question to put to every finding is not “is this a defect?” but “how much does this move the risk, and can I prove I’ve dealt with it?”
Why grading findings high, medium and low isn’t enough
Most assessments arrive with each observation graded against the assessor’s risk matrix, and the responsible person works down the list from the reds. That is a reasonable start and a poor finish, for two reasons.
A matrix score is a judgement made on the day of the survey. It does not know that the second floor empties out over the summer, or that the room with the low-use shower is the one you keep for accessible bookings. The number is generic; your building isn’t.
The bigger trap is reading “temperatures all in range” as “risk under control” and closing the file. Temperature is the clearest lever you have. As a general benchmark, HSE guidance points to keeping cold water below 20°C, storing hot water at around 60°C, and distributing it so it reaches roughly 50°C at the outlet within about a minute, or 55°C in healthcare premises [1]. But a compliant reading describes one outlet at one minute. It tells you nothing about the shower in a room that has been shut since the last booking. A clean temperature log and a stagnation problem live happily side by side.
Three questions to ask of every finding
Before you assign a priority to anything the survey turned up, run it through three questions, in this order. Grow, reach, prove.
Can it grow? Is water sitting in the rough 20–45°C band, still, with scale or sediment to feed on? A calorifier returning below its storage temperature, a cold tank warming in a hot riser, a long run that loses heat before the far tap, a capped-but-still-connected dead leg — these are growth opportunities. This is where your temperature monitoring and your knowledge of the pipework earn their keep [2].
Can it reach someone? Does this point throw an aerosol, and who is downstream of it? Showers, spray taps and hoses make the mist that matters; a tap that fills a mop bucket does not. Then add the people: a low-use shower in an accessible room outranks a plant-room valve nobody stands near.
Can you prove it? Today, can you show this point is controlled — a flushing record, a temperature reading, a named owner — or is “it’s fine” an assumption? A proof gap is a risk in its own right, because it means you would not know if control had already slipped.
The priority is not the matrix colour. It is wherever all three line up: warm still water, an aerosol path to a real person, and no evidence you are on top of it. Those are your Monday jobs. Everything else queues behind them.
Putting the lens on real findings
The framework only matters if it changes a decision, so walk it through a few.
A calorifier feeding guest showers returns at 48°C. Grow: yes, the system is drifting into the band. Reach: yes, it feeds aerosol-producing outlets used by guests. Prove: check whether there is a recent reading or whether this is the first time anyone looked. All three light up — this is acted on now, not scheduled.
A cold-water run to an outbuilding reads 23°C on a warm afternoon. Grow: yes, it is above 20°C. Reach: it depends on what the outbuilding is and who uses it. Prove: probably thin. This is a real action, but it pairs with a use-pattern check rather than an emergency callout.
A capped dead leg behind a decommissioned kitchen. Grow: yes. Reach: low — there is no live outlet to aerosolise it. The immediate exposure is small, but the right answer is to remove the dead leg permanently, because flushing it forever costs more than cutting it out once. That is a written-scheme decision, and it sits naturally alongside stagnation-led design fixes.
In each case, write down the decision, not just the task. “This outlet is flushed weekly because use is intermittent; a missed flush escalates to the responsible person; three misses in a quarter triggers a use-pattern review.” That single sentence turns a tick-box into a managed control, and it is the kind of record that makes a logbook actually defensible.
The part of the assessment that actually fails
The technical control is rarely where things go wrong. Temperatures get hit, shower heads get descaled, samples come back clean. What breaks is the handover — from the assessor who wrote the finding, to the maintenance person who should action it, to the record that should prove it happened, to the management review that should notice when it didn’t. Every one of those handoffs is a place where a finding can quietly die without anyone deciding to drop it.
Two things follow that nobody puts in the report.
The assessor’s priority order is not your priority order. Their matrix ranks each finding in isolation. You rank it against your building, your occupancy and your void rooms. A “medium” on a low-use accessible shower can genuinely outrank a “high” on a valve in a plant room no one breathes near. Reranking the report against your own site is not second-guessing the assessor; it is the part of the job only you can do.
And an open action with no owner and no date is the same as no action. The most dangerous line in any assessment is the one marked “to be addressed” with a blank next to it. The fix is dull and it works: every finding gets a name and a date before the report is filed, and the ones that miss their date surface at the next review rather than at the next outbreak.
Where this framework stops
Grow-reach-prove is a way to rank what a survey found in a hot and cold water system. It does not decide for you whether a given reading is acceptable, and it is not a substitute for a competent, site-specific assessment carried out under a recognised code of practice such as BS 8580-1 [3]. The numbers — the exact temperature thresholds, how often you monitor, how fast a finding must be closed out — come from that assessment and the duty holder’s own judgement, not from a rule of thumb.
It is also scoped to hot and cold water. Cooling towers, spa pools and more unusual systems carry their own routes and their own guidance; if your site has a tower, treat it as a separate exercise rather than folding it into the tower-specific risk assessment. Sampling has a place too, but it verifies or investigates — it does not rank — and HSE is clear that testing frequency should follow the system and the risk assessment rather than a fixed calendar [4].
FAQ
Do I need a separate risk assessment for every outlet?
No, but every outlet has to be accounted for. The assessment works from a description of the whole system and its asset register, then monitors representative points — often the nearest and furthest outlets on each loop — rather than every tap individually [2]. The grow-reach-prove questions are how you decide which of those points deserve closer attention.
If all my temperatures are in range, is the assessment basically finished?
No. Temperature is one control among several. A system can hold temperature and still carry real hot and cold water risk through stagnation in low-use outlets, scale and sediment in tanks, or a complete absence of records proving any of it is managed. Temperatures in range tells you one control is working on the day; it does not tell you the system is under control.
How quickly do I have to act on a finding?
It depends on what the finding does to exposure, and your own written scheme of control sets the timescales [5]. Where all three questions light up — warm still water, an aerosol path and a vulnerable user, with no proof of control — treat it as immediate. Underlying management weaknesses, like a missing review trigger, go into the scheme with an owner and a date rather than a callout, but they still get closed.
Sources
[1] HSE, “Hot and cold water systems”. https://www.hse.gov.uk/legionnaires/hot-and-cold.htm [2] HSE, “Legionnaires’ disease: Technical guidance (HSG274)”. https://www.hse.gov.uk/pubns/books/hsg274.htm [3] BSI, “BS 8580-1:2019 - Risk assessments for Legionella control. Code of practice”. https://knowledge.bsigroup.com/products/water-quality-risk-assessments-for-legionella-control-code-of-practice-1 [4] HSE, “Testing and monitoring your water system for legionella”. https://www.hse.gov.uk/legionnaires/testing-monitoring-water-system.htm [5] HSE, “Legionnaires’ disease - what you must do”. https://www.hse.gov.uk/legionnaires/what-you-must-do/index.htm