---
title: "Legionella risk assessment basics: what it is and why you need it"
source_url: https://legionella.io/articles/legionella-risk-assessment-basics-what-it-is-and-why-you-need-it/
canonical_url: https://legionella.io/articles/legionella-risk-assessment-basics-what-it-is-and-why-you-need-it/
pillar: "Legionella Risk Assessment"
summary: "What a Legionella risk assessment actually has to prove, why a filed report is not control, and how to turn survey findings into ranked, owned actions."
primary_keyword: "Legionella risk assessment"
date_published: 2025-05-06
date_reviewed: 2026-06-26
author: "Legionella.io editorial team (REMOTE TECH LTD)"
reviewed_against: "HSE L8 and HSG274 guidance"
region: "United Kingdom"
license: "(c) REMOTE TECH LTD. Quote freely with attribution and a link to source_url."
---

# Legionella risk assessment basics: what it is and why you need it

A Legionella risk assessment answers three blunt questions about your building's water: where could the bacteria grow, how could contaminated droplets reach someone, and who would be harmed if they did. The asset list, the schematic drawings, the photographs of plant — all of it exists to support honest answers to those three. Get them right and you know exactly what to control. Leave them vague and you have a report, not a risk assessment.

If you have just commissioned one, or inherited a folder from a predecessor, it helps to know what you are actually meant to be holding. Not a certificate. Not a pass mark. A decision document that tells you what to do, in what order, and who owns each action.

## What the assessment is actually for

In UK practice the duty to assess and control Legionella risk sits with the duty holder — usually the employer, the building owner, or whoever is in control of the premises [1]. The Approved Code of Practice, L8, gives risk assessment a formal place in that duty: it is a required step, and the controls that come out of it have to be written into a scheme and kept under review, not left as suggestions on a shelf [2]. BS 8580-1 is the code of practice that sets out how a competent assessment should be carried out and what it ought to cover [3].

Strip away the standards language and the job is plain. A competent assessor walks the system, builds a picture of everywhere water is stored, heated, cooled or left to stand, and works out which of those places could let Legionella multiply and then escape as a breathable mist. HSG274 is the technical reference for what that picture should contain and how the risks are weighed [4]. The output that matters is a ranked set of findings: this dead leg is urgent, that one can wait; this unused shower is a priority; this part of the system is fine as it stands.

## How it plays out on a real building

Picture a mid-sized office: a cold water storage tank in the roof void, a calorifier in the plant room, kitchen and toilet outlets on every floor, and two shower rooms nobody has used since the on-site gym closed. A genuine risk assessment does not just confirm those things exist. It records temperatures at sentinel points, traces the pipework, finds the dead leg left behind when a wall was moved, flags the showers sitting stagnant, and notes who actually uses each area — including anyone more vulnerable to infection.

Then it ranks and assigns. A useful report separates the immediate defect (a capped pipe feeding nothing, a hot return arriving tepid) from the underlying management weakness (nobody has recorded a temperature in a year). It names who owns each action and sets a date against it. And it is written so the maintenance team can act on it — a technically immaculate document nobody on site can use changes nothing.

## What people get wrong about it

The fastest way to misjudge a risk assessment is to misunderstand what kind of thing it is. A handful of assumptions catch people out:

| What's assumed | What's actually the case |
| --- | --- |
| The risk assessment is the compliance job, done | It is the start of the work. Control lives in the written scheme and the routine that follows it |
| A survey and a risk assessment are the same thing | A survey lists what is there; an assessment judges what it means and ranks what to do about it |
| "No significant risk found" means nothing more to do | It usually means your current controls are working — true only while you keep them up and review on schedule |
| The assessor carries the risk | The assessor advises; the duty holder owns the risk, the decisions and the records [1] |
| Once it is done, it is done for years | It is a living document. A refit, a change of use, or a change in who occupies the building can date it overnight |

## The one mistake beginners make

They treat the assessment as the finish line. The pattern is familiar: commission a thick report, skim the summary, file it, and assume the building is now compliant. The report controls nothing. What controls risk is what happens next — a written scheme that states how each control is delivered, who delivers it, what result is acceptable, and what to do when a result falls outside that limit.

It helps to keep two documents straight in your head. The risk assessment finds and ranks the risks. The written scheme is the standing instruction for keeping them controlled day to day. Conflating the two is how a building ends up with an impressive assessment and no actual programme behind it.

## What to do this week

You do not need the perfect document to make progress. A few practical moves:

- Find your current Legionella risk assessment and check two things: its date, and whether it has produced actions with named owners — or whether it has simply been sitting in a drawer.
- Walk the obvious risk features yourself: stored water, low-use outlets, and anything that produces spray, such as showers and spray taps.
- Pick one open action that has no owner, and give it one today.

If you cannot find an assessment, or yours predates a refit, a change of use, or a change in occupants, that is your trigger to get a competent one carried out or reviewed — [When to conduct a Legionella risk assessment: frequency and triggers](https://legionella.io/articles/when-to-conduct-a-legionella-risk-assessment-frequency-and-triggers/) covers when reviews fall due. For the detail of what a thorough assessment should contain, [Key components of a Legionella risk assessment](https://legionella.io/articles/key-components-of-a-legionella-risk-assessment/) breaks down the components.

## A note on what this can and can't tell you

This is general guidance on what a Legionella risk assessment sets out to do — it is not a substitute for one, and it cannot judge your building. Which risks count as significant, which controls suit your system, how often to monitor, and when to sample are decisions for someone competent to make on site, working to L8 and BS 8580-1. Sampling can support an assessment or an investigation, but HSE is clear that how often you test should follow the system and the risk assessment rather than a fixed calendar [5]. Treat anything here as a way to ask sharper questions of your assessment, not as findings about your own water.

## FAQ

### Who is allowed to carry out a Legionella risk assessment?
Someone competent to do it — meaning the right training, knowledge and experience for your type of system, whether they are in-house or an external consultant. Bringing in a contractor does not move the duty: the duty holder still owns the risk, the decisions and the records [1].

### What's the difference between the risk assessment and the written scheme?
The risk assessment identifies and ranks where Legionella could grow and reach people. The written scheme is the practical plan that says how each of those risks is controlled, by whom, and to what standard. L8 expects both — the assessment first, then a scheme that acts on it [2].

### How long does a Legionella risk assessment stay valid?
There is no fixed shelf life. Review it on the schedule the assessment itself sets, and sooner if something material changes — new plant, altered pipework, a change of use, different occupants, or signs your controls are slipping [2].

## Sources

[1] HSE, "Legionnaires' disease - what you must do". https://www.hse.gov.uk/legionnaires/what-you-must-do/index.htm
[2] HSE, "Legionnaires' disease. The control of legionella bacteria in water systems - Approved Code of Practice and guidance (L8)". https://www.hse.gov.uk/pubns/books/l8.htm
[3] BSI, "BS 8580-1:2019 - Risk assessments for Legionella control. Code of practice". https://knowledge.bsigroup.com/products/water-quality-risk-assessments-for-legionella-control-code-of-practice-1
[4] HSE, "Legionnaires' disease: Technical guidance (HSG274)". https://www.hse.gov.uk/pubns/books/hsg274.htm
[5] HSE, "Testing and monitoring your water system for legionella". https://www.hse.gov.uk/legionnaires/testing-monitoring-water-system.htm
