How to read your Legionella risk assessment report
- May 13

A Legionella risk assessment report lands on your desk and it is tempting to file it away once the audit is done. That is a costly mistake. Under the ACoP L8 framework, the report is not simply a record of a site survey; it is the foundation for your entire written scheme of control and the backbone of day-to-day water safety across your facility. Understanding what the document actually says, and what it demands of you, is the difference between genuine compliance and a paper trail that unravels the moment an inspector arrives.

Table of Contents
- What is a Legionella risk assessment report and why does it matter?
- Decoding the structure: What should you expect in your report?
- Turning findings into action: Interpreting controls and recommendations
- Reviewing, updating, and benchmarking: Ongoing compliance in practice
- The uncomfortable truth: Why most risk assessments fall short in real-world application

Key Takeaways

| Point | Details |
| --- | --- |
| Foundation for control | A risk assessment report should be read as the basis for your water hygiene controls, not just a legal record. |
| Actionable findings | Use the findings and recommendations to set up real-world monitoring, checks, and accountable ownership. |
| Keep it current | Review and update the report regularly or whenever changes impact water system risks. |
| Benchmark with evidence | Rely on your own recorded results and controls as proof of ongoing compliance, not just the initial assessment. |

What is a Legionella risk assessment report and why does it matter?
A Legionella risk assessment is a formal, structured evaluation of all water systems across your premises that could present a risk of Legionella bacteria proliferating and being inhaled by occupants, visitors, or contractors. In UK law, the obligation to carry out such an assessment stems from the Control of Substances Hazardous to Health Regulations 2002 (COSHH) and is supported in detail by ACoP L8 and its associated technical guidance.
The report is not a standalone document. It sits at the centre of a compliance chain:
- Risk assessment identifies hazards and evaluates the level of risk for each water system.
- Written scheme of control translates those findings into documented procedures, monitoring frequencies, and responsibilities.
- Logbook and records provide the ongoing evidence that the scheme is being followed.
- Responsible person owns and oversees each step.
“A Legionella risk assessment report should be read as the foundation for a written scheme of control, not just a site survey record.” ACoP L8, HSE.
The concept of a suitable and sufficient assessment is central to legal validity. According to LegionellaCheck, a suitable and sufficient approach must cover identifying sources of risk, preparing a written scheme of control, implementing and monitoring it, keeping records, and appointing a responsible person. An assessment that only lists water outlets without assigning control measures or accountability is neither suitable nor sufficient in the eyes of the HSE.
For facility managers, the practical implication is clear: when you receive a risk assessment, your role is not passive. You are responsible for reviewing a Legionella risk assessment critically, understanding what each finding demands operationally, and ensuring those demands are embedded into your team’s routines.
Decoding the structure: What should you expect in your report?
A well-constructed Legionella risk assessment follows a logical, evidence-based structure. Each section should build on the last, creating a clear chain from site observations through to actionable controls. If your report skips steps or reads like a generic template, that is a warning sign worth acting on.
Here is what a quality report should contain, in order:
1. Site and system description — A detailed inventory of all water systems: hot and cold storage, distribution pipework, showers, cooling towers, TMVs (thermostatic mixing valves), and any ancillary outlets. If the system description does not match your actual site, the rest of the report is built on incorrect information.
2. Identified hazards — Specific conditions that could support Legionella growth: deadlegs, infrequently used outlets, tepid water temperatures, scale and corrosion, and inadequate disinfection.
3. Risk evaluation — Each hazard should be assessed for likelihood and severity, producing a risk rating. This is not just a traffic-light exercise; a meaningful evaluation explains why a risk is rated as it is.
4. Recommended controls — Specific, actionable measures for each identified risk. Generic statements like “monitor temperatures” are insufficient. Good recommendations specify where, how often, at what threshold, and who is responsible.
5. Monitoring schedule — Frequencies for temperature checks, water sampling, TMV servicing, showerhead descaling, and visual inspections. These should be traceable back to HSG274 and ACoP L8 guidance.
6. Accountability — Named roles or job titles assigned to each control measure.
The HSE is explicit that risk assessments must follow structured hazard-to-control logic and be suitable and sufficient to protect people from foreseeable harm. A report that trails off after listing hazards without recommending specific controls does not meet that standard.

| Quality indicator | What to look for | Red flag |
| --- | --- | --- |
| System description | Matches current site layout | Generic or out-of-date schematics |
| Hazard identification | Site-specific findings | Identical wording across unrelated sites |
| Risk ratings | Justified with reasoning | Unexplained traffic-light scores |
| Recommended controls | Specific, measurable, assigned | Vague phrases like “as required” |
| Monitoring schedule | Frequencies aligned with HSG274 | No schedule provided |
| Review date | Clearly stated | No review date included |

ACoP L8 confirms that tracing evidence to control measures is the defining exercise in reading a Legionella report: evidence leads to hazard, hazard leads to control measure, control measure leads to monitoring record, monitoring record leads to an accountable owner.
Pro Tip: A concise, 20-page report tailored to your specific site will almost always be more actionable than a 60-page generic template padded with boilerplate text. Length is not quality. Specificity is.
If you manage healthcare premises, the expectations are even more demanding. Healthcare water risk assessments carry additional layers of obligation under HTM 04-01, and the standard for what constitutes a “suitable and sufficient” assessment is correspondingly higher.
Turning findings into action: Interpreting controls and recommendations
Understanding what your report says is step one. Translating it into measurable, daily practice is where most organisations struggle. The bridge between the two is HSG274, the HSE’s technical guidance for controlling Legionella in water systems.

HSG274 Part 2 is the most relevant section for the majority of managed premises: offices, hotels, schools, care homes, and retail environments. It sets out specific temperature targets, sample point requirements, and inspection frequencies for hot and cold water systems. Your risk assessment should align its recommendations directly with these parameters.
Here is a summary of the core control requirements for hot and cold water systems under HSG274 Part 2:

| Parameter | Hot water systems | Cold water systems |
| --- | --- | --- |
| Storage temperature | 60°C or above | Below 20°C |
| Distribution temperature | 50°C within 1 min at outlets | Below 20°C at outlets |
| Monitoring frequency | Monthly temperature checks | Monthly temperature checks |
| Sentinel outlet checks | Weekly (first draw, hot outlets) | Weekly (first draw, cold outlets) |
| System inspection | Annually as minimum | Annually as minimum |
| Water sampling | Risk-based, typically quarterly | Risk-based, typically quarterly |

According to Safety Clarity’s HSG274 guide, temperature and water-system condition are central to interpreting report findings, particularly for hot and cold water systems where controls must keep hot water above and cold water below their respective target temperatures at the correct monitoring points.
When you read your risk assessment’s control recommendations, cross-reference every temperature-related action against these thresholds. If the report recommends monitoring but does not specify the target temperature, sample point location, or acceptable tolerance, you need to go back to the assessor for clarification.
Your actual monitoring results matter enormously. Do not fall into the trap of treating the risk assessment’s original temperature survey as permanent assurance.
Pro Tip: Your own ongoing monitoring data is far more valuable as “empirical” assurance than a set of photographs taken on the day of the risk assessment. A single temperature reading in the report tells you about one day. Your monthly logbook tells you about the system’s real behaviour over time.
For practical guidance on what to do when results fall outside acceptable ranges, our resource on interpreting Legionella water samples sets out a clear decision framework. Pair that with a robust Legionella logbook system and you have the documentation backbone that regulators and insurers expect.
Reviewing, updating, and benchmarking: Ongoing compliance in practice
A Legionella risk assessment is not a one-time exercise. It is a living document that must evolve as your building, its systems, and its occupants change. The ACoP L8 explainer from LegionellaCheck is clear: risk assessments must be reviewed regularly and whenever there is reason to believe the assessment may no longer be valid.
Here is a structured approach to keeping your assessment current:
- Scheduled periodic review — In the absence of any changes, most assessors recommend a full review every two years for low-risk premises and annually for higher-risk sites. This is a professional judgement call, not a fixed legal interval.
- System change triggers — Any modification to your pipework, storage vessels, heating plant, or distribution network requires an immediate review. Even seemingly minor changes, such as adding a new shower or extending a pipe run, can introduce deadlegs or alter flow patterns.
- Change of use triggers — A building that moves from office use to residential, or a wing that is mothballed and then reopened, changes the risk profile significantly. Stagnation in little-used sections is one of the most common causes of Legionella proliferation.
- Monitoring anomalies — If your temperature records consistently show cold water above 20°C or hot water below 50°C at distribution points, your current control scheme is failing. That failure should prompt an immediate review of the relevant sections of your risk assessment.
- Post-incident review — Any positive Legionella detection in water sampling results, or any suspected or confirmed case of Legionnaires’ disease linked to your premises, must trigger a full reassessment.
Benchmarking is an underused discipline in water hygiene compliance. Rather than waiting for a review cycle, compare your current monitoring data against the baseline figures in your original risk assessment. If temperatures have drifted or usage patterns have shifted, that trend is meaningful intelligence. Your Legionella logbook is the tool that makes this comparison possible.
Pro Tip: Treat your risk assessment as a live guidance document, not static paperwork. Add a review date to your compliance calendar the moment a new assessment is issued, and flag trigger events as standing agenda items in your monthly facilities review.
The uncomfortable truth: Why most risk assessments fall short in real-world application
Here is something we see consistently across the facilities we support: the majority of compliance failures are not caused by a lack of risk assessments. They are caused by risk assessments that are filed, forgotten, and never properly operationalised.
There is a significant difference between demonstrable compliance and paper-based compliance. Paper-based compliance exists when a report sits in a folder (physical or digital), the recommended controls are known in theory, but no one on site can tell you what the monitoring schedule is or when the last sentinel outlet check was completed. Demonstrable compliance is when your monitoring logbook tells a continuous, coherent story that aligns directly with the risk assessment’s recommendations.
The disconnect usually happens at the handover stage. A risk assessment is delivered, reviewed briefly, and then responsibility fragments. Someone in the management chain assumes someone else is implementing the controls. The responsible person may have changed roles. The controls that seemed straightforward during the assessment visit are difficult to apply in practice because the report did not account for operational realities, like a shower that is hard to access or a water heater that consistently underperforms.
What separates organisations that manage this well is active ownership. They assign named individuals to each control measure, they brief those individuals on the why behind each task (not just the what), and they build monitoring into team routines rather than treating it as a separate compliance exercise. Looking at a real-world Legionella compliance case study makes this point vividly: the difference between a well-managed site and one that ends up in difficulty is rarely the quality of the risk assessment itself. It is the quality of the implementation that follows.
Our strong recommendation is to treat every section of your risk assessment as a standing instruction, not a historical observation. Walk through the report with your team. Map each recommended control to a named person and a scheduled date. Then monitor that monitoring.
Get expert help turning risk assessments into safer systems
Reading a risk assessment clearly is the first step; putting it into consistent practice across a busy facility is the real challenge.

At Bespoke Compliance Solutions, we work alongside facility managers and compliance officers to bridge exactly this gap. Whether you manage Legionella compliance for offices or a complex multi-site estate, our team translates risk assessment findings into practical control programmes, bespoke logbook systems, and scheduled monitoring regimes that hold up under scrutiny. Our Legionella awareness training equips your onsite team to understand and own the controls assigned to them. We also provide structured implementation support through our method of works framework, ensuring nothing slips between the assessment and day-to-day operation. If you want compliance that is real, not just recorded, we are here to help.
Frequently asked questions
How often should a Legionella risk assessment report be reviewed?
You should review your risk assessment regularly and whenever anything changes in your water systems or building use; reviews must be triggered by system modifications, changes in use, or monitoring anomalies, as there is no single fixed legal interval.
What does ‘suitable and sufficient’ mean in a Legionella risk assessment?
It means the assessment must be detailed enough to predict and control foreseeable risks, following a structured approach that covers hazard identification, control measures, monitoring, and accountability. The HSE’s standard is that it must protect people from harm that can reasonably be anticipated.
Who is responsible for implementing the recommendations in the report?
The dutyholder or appointed responsible person carries the legal obligation to implement and manage the recommended control scheme. ACoP L8 requires that this person is competent and clearly identified.
How do I check if the report’s recommendations match HSG274 requirements?
Cross-reference every temperature control, sample point, and inspection frequency in the report against HSG274 Part 2 schedules for hot and cold water systems to confirm the recommendations are aligned with current technical guidance.
Can I use a generic template for a complex water system?
No. A generic template will not capture the specific hazards, deadlegs, or control points of a complex system. A quality report must be proportionate to your system’s actual complexity, and a short, tailored assessment for a simple site is always preferable to a lengthy generic document that does not reflect operational reality.