Risk assessment in supported housing is the discipline most people do not enjoy and most inspectors read first. A good risk assessment is the difference between a service that keeps residents safe, staff supported, and the organisation out of regulatory trouble, and one that is permanently a few months behind the situation on the ground. This guide walks through the whole process, from identifying risks to reviewing them, with enough specifics to apply tomorrow.
What is a risk assessment in supported housing?
A risk assessment is the structured process of identifying risks to a resident, risks posed by a resident, and risks linked to the property or the service, then recording the controls in place to manage each one. The aim is not to eliminate risk, which is impossible in supported housing, but to make sure every known risk has a named control and a plan.
The output is a document. The value is the thinking that produced it. A provider who treats the assessment as a form to fill in will have a document that technically exists and practically fails. A provider who treats it as a structured conversation about safety will have a document that actually keeps people safer.
Why does supported housing need risk assessments?
Supported housing residents often live with complex and changing risks. Mental health crises, substance use, domestic abuse, safeguarding exposure, tenancy sustainment challenges, and physical health conditions all feature regularly. Staff work alone, visit private homes, and make decisions about vulnerable people with incomplete information. The Health and Safety at Work etc. Act 1974 places duties on employers to protect staff. The duty of care to residents sits alongside it.
Regulators expect to see risk assessment as a core discipline. Under CQC inspection, risk assessment content falls under the Safe key question. Under the Supported Housing (Regulatory Oversight) Act 2023, local licensing is likely to require current assessments as a condition.
Who writes the risk assessment?
The named key support worker is usually the author, with review from a service manager. Some services split responsibility:
- Workers lead on resident-specific risks they have direct knowledge of
- Managers lead on premises, safeguarding, and service-wide risks
- Health and safety leads cover fire, first aid, and environmental hazards
- Safeguarding leads cover risks involving vulnerable people
Accountability for the signed document rests with whoever authors it. Systems should make that visible, not hide it behind shared logins.
What categories should a supported housing risk assessment cover?
At minimum, a structured assessment covers risks across eight categories. Not every category applies to every resident, and some residents will have content in categories not listed here. The list is a starting point.
- Risks to self including self-harm, self-neglect, suicidal ideation, and accidents linked to health conditions
- Risks to others including violence, threatening behaviour, and exploitation of others
- Substance use covering both alcohol and drug risks where relevant, including risks of overdose
- Safeguarding covering risks involving children, adults at risk, and any people connected to the resident
- Environmental covering the property, shared spaces, and the local area
- Fire and health safety covering fire risk specifically plus electrical, gas, and water safety
- Health-specific risks tied to diagnosed conditions, medication, or mobility
- Relationship and social risks including domestic abuse, exploitation, and loss of social support
Some providers also include a staff-safety category explicitly, though this is often handled at the service level rather than per resident.
How are risks scored?
Most providers score risks on two axes: likelihood and impact. Each axis usually runs on a three or five point scale. The combined score gives an overall rating.
A common five-point scale:
| Likelihood | Impact |
|---|---|
| 1 Very unlikely | 1 Negligible |
| 2 Unlikely | 2 Minor |
| 3 Possible | 3 Moderate |
| 4 Likely | 4 Significant |
| 5 Almost certain | 5 Severe |
Scoring is useful for triage, not diagnosis. A risk rated four by likelihood and five by impact is almost always a priority. The real work is in the written commentary: what makes the risk serious, what has been done about it, and what would trigger a review.
A practical limitation
A numeric score is only as good as the thinking behind it. Two workers reading the same situation will score slightly differently. Build in manager review for any rating of four or five, and do not treat the number as the final answer.
What does a good risk entry look like?
Each individual risk should have:
- A clear title. "Self-harm through cutting", not "mental health concern".
- A date the risk was identified, and a date last reviewed.
- A likelihood and impact score, with a brief rationale for each.
- A written description of the risk, including any history and any triggers.
- Controls in place. What the service is doing to manage it. Specific and attributable.
- Controls planned. What could be added if the risk escalates.
- Resident involvement. What the resident has said about this risk and the plan to manage it.
- Review date. When this specific risk will be looked at again.
A risk entry without a control is an observation, not an assessment. A risk entry without a review date is a one-off, not a management plan. Inspectors notice both gaps quickly.
How often should a risk assessment be reviewed?
Most providers review risk assessments every three months, with annual deep reviews. A scheduled review is a minimum. Event-driven reviews matter more.
Events that should trigger an immediate review:
- A safeguarding concern raised
- An incident logged, whether or not it involved the resident directly
- A hospital admission or discharge
- A significant change in the resident's mental health, substance use, or behaviour
- A change in the resident's relationships, housing status, or legal situation
- A change in the risk profile of the property or the local area
- A specific request from the resident, a worker, or a partner agency
The review should be documented as a new version of the assessment, not as a separate note. The version history is where inspectors look for evidence of responsiveness.
How does a risk assessment interact with the support plan?
The two are parallel documents. Risks identified in the assessment should be reflected in the support plan if the controls involve support activity. Changes to either should prompt a review of the other.
| In the risk assessment | In the support plan |
|---|---|
| Self-harm risk, last incident March 2026 | Goal: develop two coping strategies by July. Support task: work through the strategies document weekly. |
| Substance use risk, current daily cannabis | Goal: reduce use to weekends only. Support task: weekly check-in on use and triggers. |
| Domestic abuse history, perpetrator not local | Consent: share location only with named agencies. Support task: monthly safety check-in. |
A platform that links the two documents enforces this cross-referencing. Paper systems rely on the worker remembering to update both.
What are the common mistakes?
Four patterns that account for most inspection and audit findings:
- Stale assessments. A risk assessment dated fourteen months ago on a resident who has had two incidents since is a visible problem. Regular review cadence fixes this.
- Score creep. Workers who rate nearly everything medium because it feels safe produce assessments that cannot distinguish priorities. Train on scoring and audit for consistency.
- Controls that are aspirations, not actions. "Regular support will be offered" is not a control. "Key worker visits every Wednesday at 10am" is.
- No resident voice. Risk assessments that describe the resident without any of their words, preferences, or objections are routinely flagged as paternalistic. The resident does not have to agree with every line of the assessment, but their views should be visible.
Risk assessment is not a prediction. It is a declaration of what the service has thought about and what it plans to do. The value is in the structure and the honesty, not in the accuracy of the forecast.
How does a documentation platform help with risk assessment?
A well-designed platform solves several problems that plague paper-based risk management:
- Review scheduling is automatic. The system knows when a review is due and flags it.
- Version history is preserved. Every previous version of the assessment is available, not overwritten.
- Links to support plan and incidents are enforced. Changes in one trigger review prompts in the other.
- Resident involvement is capturable. The platform allows the resident's own words to be recorded inline.
- Access control is role-based. Sensitive assessment content is limited to the right roles.
- Exports are clean. Evidence packs for inspection include risk assessment versions across the relevant date range.
The Care Quality Commission does not mandate any particular tool, but the quality of the audit trail is usually the difference between a service rated Good and one rated Requires Improvement on documentation indicators.
How does this apply to specific resident groups?
The categories above apply across supported housing, but the weighting shifts by client group.
- People with mental health conditions tend to have denser content under risks to self, substance use, and health-specific categories.
- Young people leaving care usually require richer safeguarding content and relationship risks.
- People with learning disabilities require detailed capacity assessments alongside the risk assessment.
- People fleeing domestic abuse need careful thought around information sharing, address confidentiality, and risk from named perpetrators.
- People in recovery from substance use often have assessments built around relapse triggers and crisis plans.
Services that sit under Ofsted inspection for supported accommodation for looked-after children have additional requirements set out by the Department for Education.
Data protection and the risk assessment
A risk assessment contains sensitive personal data, including special-category data under UK GDPR. Handling requirements:
- Store only on systems that satisfy ICO guidance on UK GDPR
- Restrict access to workers with a legitimate need
- Retain for the documented retention period, typically six to eight years after the tenancy ends
- Share with external agencies only under specific, recorded consent or a lawful basis
The Data Protection Act 2018 sets out the UK detail behind these requirements.
Sources and further reading
- Care Quality Commission, cqc.org.uk
- Health and Safety at Work etc. Act 1974, legislation.gov.uk
- Supported Housing (Regulatory Oversight) Act 2023, legislation.gov.uk
- UK GDPR guidance, Information Commissioner's Office
- Data Protection Act 2018, legislation.gov.uk