A risk assessment is only worth what you can act on afterwards. So the real purchase is not a PDF — it is a survey thorough enough to find your dead legs, infrequently used outlets and that disused calorifier in the plant room, written up clearly enough that you can build a control scheme from it. Buy on that, not on the cheapest quote in your inbox.
Choosing the provider is a procurement decision with a compliance tail. Get it wrong and you inherit a document that ticks a box but misses the asset that actually hurts you. Here is how to vet a Legionella risk assessment company before you sign, and the exact questions to put to them.
What the purchase actually has to achieve
Under the Approved Code of Practice (ACoP L8), you as duty holder must appoint a competent person to help you meet your duties, and you keep the accountability even when a contractor does the work [1][2]. That single fact reframes the whole exercise. You are not outsourcing the problem; you are hiring competence to inform a duty that stays with you.
So the assessment has to do three things. Identify the risk across the whole water system, not just the easy bits. Tell you which problems to fix first. And give you a record that stands up to an enforcing officer and feeds your ongoing monitoring. A glossy report that omits the asset register fails on all three.
A selection framework: six things to weigh, and what to ask
Score each prospective provider against these. The questions in quotes are ones I would put verbatim before instructing anyone.
1. Competence of the assessor, not just the company. The badge on the letterhead is the firm; the person walking your site is who matters. Ask: “Who specifically will carry out the survey, what is their Legionella training and experience, and can I see an anonymised sample report they wrote?” Membership of a trade scheme tells you about process, not about the individual surveying your calorifier [1]. For more on what “competent” means here, see Who is qualified to perform a Legionella risk assessment?.
2. Scheme membership, read correctly. Legionella Control Association (LCA) membership is a useful signal that a provider has committed to defined service standards. It is voluntary, and registration is service-category specific, so a firm registered for monitoring is not automatically registered for risk assessment [3]. Ask: “Are you LCA-registered specifically for Legionella risk assessment, and can I see your registration?” Treat it as a starting filter, not proof your duty is discharged — the distinction is unpacked in The Legionella Control Association Code of Conduct explained.
3. Methodology. The assessment should follow a recognised methodology. BS 8580-1 is the code of practice for Legionella risk assessment, and HSG274 underpins the control measures it should reference [4][5]. Ask: “Do you assess to BS 8580-1, and does the report cross-reference HSG274 for the systems on my site?” If the answer is vague, the report will be too.
4. Scope, written down before they start. This is where most disputes begin. Get the boundary in writing: every building, every system — hot and cold water, calorifiers, TMVs, showers, cooling towers if present, plus little-used outlets. Ask: “What is in and out of scope, and will the survey produce a full asset register and schematic, or work from one I provide?” Cheap quotes often quietly exclude the asset register, which is the part you most need.
5. Deliverables you can use. A report that only says “high risk” is useless. You need findings tied to specific assets, a prioritised, risk-ranked action list, and recommendations precise enough to assign and date. Ask: “Will recommendations be prioritised by risk with a clear timescale, and delivered in a format I can load into my logbook?”
6. Independence and aftercare. A firm that assesses and also sells the remedial works has an incentive to find work. That is not automatically disqualifying, but ask the question: “If you find issues, do you quote the remedials yourselves, and how do you handle that conflict?” Also ask how reviews are handled — the assessment should be reviewed regularly and whenever your system or its use changes [2].
What a good report must contain
Use this as a checklist when the draft lands. A competent report should include a description and schematic of the water systems, a populated asset register, an evaluation of risk for each part, clearly prioritised recommendations, and the assessor’s name and date [4][5]. It should flag dead legs, stagnation points and infrequently used outlets by location, not in the abstract. If you cannot trace a recommendation to a specific tap, valve or vessel, it is not yet actionable.
Red flags
A few patterns should make you pause. A fixed price quoted before anyone has seen the site or asked about your asset count. A turnaround so fast a real survey cannot have happened. No asset register in the deliverables. Reluctance to name the surveyor. A template report where the building name has obviously been swapped in. And the quiet one: a recommendation list with no priorities, which leaves you to guess what matters.
When not to buy yet
The pragmatic call: if you genuinely have a single, simple, low-risk system and competent in-house capacity, a professional commission may not be the first spend you need — though most duty holders overestimate their own competence here. The trade-off between doing it in-house and commissioning out is worth weighing properly, which In-house vs professional Legionella risk assessments does in detail. Equally, do not buy a re-survey if nothing has changed and your existing assessment is still valid; a review may be all that is due.
This is general guidance to help you commission well. It is not legal advice, and it does not replace a competent, site-specific assessment of your own premises — the figures, frequencies and priorities for your building come from that assessment, applied to your systems by someone who has seen them.
The next step you can take today
Before you email a single provider, count your buildings and water assets and write a one-line scope. That alone will sharpen the quotes you get back and expose any firm that wants to price blind. Then, when the report arrives, do not let it die as a PDF in a shared drive. Load the asset register and prioritised actions into a digital logbook so each recommendation becomes a dated, assignable task with an audit trail — turning a one-off survey into the live record an inspector actually wants to see.
FAQ
How many quotes should I get for a Legionella risk assessment?
Two or three from providers you have already screened on competence and scope. More than that and you are comparing on price across different scopes, which is meaningless. Make sure every quote covers the same systems and includes the asset register before you compare a single figure.
Is the cheapest Legionella risk assessment a false economy?
Often, yes — but not always. The risk is that low quotes win by narrowing scope: no asset register, no schematic, a desktop skim instead of a site survey. Compare what is included, not just the headline number. A slightly dearer assessment that finds the dead leg you did not know about is the cheaper option in the end.
Does hiring an LCA-registered company mean I am compliant?
No. LCA registration signals a provider has committed to service standards, but it is voluntary and category-specific, and it does not transfer your legal duty [3]. You still appoint the competent person and remain accountable for the system and for acting on the findings [1][2].
Sources
[1] HSE, “Legionnaires’ disease - what you must do”. https://www.hse.gov.uk/legionnaires/what-you-must-do/index.htm [2] HSE, “Legionnaires’ disease. The control of legionella bacteria in water systems - ACoP and guidance (L8)”. https://www.hse.gov.uk/pubns/books/l8.htm [3] Legionella Control Association, “Code of Conduct for Service Providers”. https://www.legionellacontrol.org.uk/ [4] BSI, “BS 8580-1:2019 - Risk assessments for Legionella control. Code of practice”. https://knowledge.bsigroup.com/products/water-quality-risk-assessments-for-legionella-control-code-of-practice-1 [5] HSE, “Legionnaires’ disease: Technical guidance (HSG274)”. https://www.hse.gov.uk/pubns/books/hsg274.htm