October 2026: the duty to prevent sexual harassment is changing. Find out if you're ready Check your readiness
Chloe Wallace

How to carry out a sexual harassment risk assessment

A sexual harassment risk assessment is the foundation of meeting your legal duty. Here is how to carry one out, what to look for, and how often to review it.

Scenari article: How to carry out a sexual harassment risk assessment

A sexual harassment risk assessment is a structured look at where and how harassment could happen in your workplace, and what you will do to reduce the chances of it. Under the law in place since October 2024 it is the single most important step you can take, because the regulator, the Equality and Human Rights Commission, has said you are unlikely to meet your legal duty without one. Here is how to do it, in plain terms.

Why it matters

Since October 2024, employers have had a legal duty to take reasonable steps to prevent sexual harassment, and from October 2026 that becomes all reasonable steps. The Equality and Human Rights Commission (EHRC) is the statutory regulator for the Equality Act 2010, and therefore for this duty, and it could not be clearer: an employer is unlikely to be able to comply unless it has carried out a risk assessment.

The EHRC also has real teeth. It can investigate an employer, issue a formal unlawful act notice, enter into a legally binding agreement requiring an employer to put things right, and apply to court for an injunction to stop unlawful acts. Separately, if a sexual harassment claim succeeds at tribunal and the duty was not met, compensation can be increased by up to 25 percent.

A good risk assessment is about identifying where harm is most likely to occur, and why, so you can put the right measures in place before it does. It is the foundation the rest of your prevention work sits on.

The steps

You can keep this straightforward. A sound risk assessment runs roughly like this:

  1. Look at where the risk sits. Go through your workplace honestly and identify the situations and conditions where harassment is more likely (see the list below).
  2. Judge how likely and how serious each risk is. Not every risk carries the same weight, so focus your effort where the danger is greatest.
  3. Decide what you will do to reduce each one. For every risk, set out a practical control measure. This is the heart of it.
  4. Write it into an action plan. Record the risks, the steps you will take, who is responsible, and by when. The EHRC suggests appointing a named person to own this, and even publishing your plan.
  5. Review it regularly. A risk assessment is not a one-off. Revisit it when things change, and check that the steps you took are actually working.

What to look for

The EHRC sets out factors that can increase the risk of sexual harassment. It is worth working through each and asking whether it applies to you:

  • A male-dominated workforce, or significant power imbalances between people.
  • A culture that tolerates crude or sexist "banter" or other disrespectful behaviour.
  • Lone working, or staff working alone with customers, clients or the public.
  • Customer-facing roles, and any setting where alcohol is involved, such as work events.
  • Night working, or staff staying away from home overnight.
  • Any history of the organisation not responding well to previous reports.

The duty now covers harassment by third parties too, such as customers and contractors, so build that into your thinking.

One assessment is rarely enough

A single, organisation-wide risk assessment will not capture everything, because risks differ from place to place and role to role. If you run, say, a head office alongside retail and hospitality sites, each is likely to need its own assessment, since the risks on a shop floor or behind a bar look very different from those in an office.

It is also worth running separate assessments for specific situations, not only permanent ones. Work social events, parties, conferences and exhibitions carry their own raised risks, often involving alcohol, unfamiliar settings and people letting their guard down, and each deserves a quick, focused assessment of its own before it happens.

A few things that make it work

  • Ask your people. Staff doing the work often see risks management does not. Surveys, one-to-ones and honest conversations surface a great deal.
  • Keep a record. The assessment and your action plan are exactly the kind of evidence that shows you took the duty seriously.
  • Do not let it gather dust. Diarise a date to review it, and update it when roles, sites or circumstances change.
  • Act on what you find. A risk assessment that identifies risks and then changes nothing is worse than none at all.

Where training comes in

A risk assessment will almost always point to the same conclusion: your people, and your managers especially, need to be genuinely able to prevent, spot and handle these situations. That is a control measure in its own right, but only if the training works. As the courts have made clear, training that has gone stale, or that no one remembers, will not protect anyone or satisfy the duty.

That is what Scenari is built for: realistic practice that builds genuine capability, with a record of what your people have done. And if you would like expert support to develop or review your risk assessments, our sister organisation OneSource HR, a trauma-informed HR specialist in sexual misconduct at work, provides exactly that consultancy and support.

Common questions

Is a sexual harassment risk assessment a legal requirement?

The law does not name it as compulsory in those exact words, but the EHRC has said an employer is unlikely to comply with the duty without one, so in practice it is essential.

What should it cover?

The situations where harassment is more likely in your workplace, how serious each risk is, and the practical steps you will take to reduce them, set out in an action plan.

How often should we review it?

It should not be a one-off. Review it regularly and whenever circumstances change, and check the steps you took are working.

Does it have to cover customers and clients?

Yes. The duty covers harassment by third parties such as customers, clients and contractors, so your assessment should consider those risks.

Sources

  • Equality and Human Rights Commission, Sexual harassment and harassment at work: technical guidance, and Employer 8-step guide (risk factors at paragraphs 4.10 to 4.15; "unlikely to comply without a risk assessment" at paragraph 3.31).
  • Worker Protection (Amendment of Equality Act 2010) Act 2023, in force 26 October 2024.
  • Employment Rights Act 2025 (duty strengthens to "all reasonable steps" from October 2026).