How to Write CDM-Compliant Risk Assessments in 2025

The Construction (Design and Management) Regulations 2015 transformed how the UK construction industry approaches health and safety. For anyone creating risk assessments and method statements (RAMS) for construction projects, understanding CDM compliance isn't optional—it's the law.

With penalties for non-compliance ranging from £80,000 to £900,000, getting CDM risk assessments right matters. This guide explains exactly how to write CDM-compliant RAMS in 2025.

Understanding CDM 2015 Requirements

The CDM Regulations apply to all construction projects from conception to completion. They establish clear duties for everyone involved, and risk assessment sits at the heart of CDM compliance.

CDM 2015 defines three key documents:

Pre-Construction Information (PCI): Outlines project risks and safety requirements before work begins

Construction Phase Plan (CPP): Details how health and safety will be managed during the build

Health and Safety File: Maintained throughout the project for future reference

Your risk assessments must integrate with all three documents and demonstrate that you've properly considered CDM-specific hazards.

Why Generic Templates Fail CDM Compliance

Generic risk assessment templates create a false sense of security. CDM regulations specifically require assessments to be suitable for the nature of work. This means:

• Project-specific hazards must be identified: Ground conditions, overhead lines, adjacent structures, public access
• Work sequence must be considered: Risks change as the project progresses
• Interface risks must be addressed: Multiple contractors working simultaneously
• Site constraints must be accounted for: Limited access, confined areas, residential proximity

A blank template can't capture this level of detail. CDM compliance demands active thinking about the specific project, not box-ticking.

The Hierarchy of Controls in CDM Context

CDM regulations emphasize preventing risks at source rather than managing them with PPE. Your risk assessments must demonstrate systematic application of the control hierarchy:

1. Eliminate

Design out the hazard entirely. Can work be done at ground level instead of at height? Can prefabrication off-site eliminate on-site assembly risks? CDM encourages elimination through design.

2. Reduce

Substitute dangerous materials or methods. Use water-based products instead of solvents. Use mechanical lifting instead of manual handling. Reduce the risk level through smarter choices.

3. Isolate

Physically separate workers from hazards. Barriers, guards, edge protection, segregated work zones. Engineering controls that create physical barriers.

4. Control

Administrative measures like permits to work, signage, training, supervision. These controls rely on people following procedures.

5. PPE

The last resort. While hard hats and hi-vis are standard on construction sites, they should supplement higher-level controls, not replace them. CDM assessments that list only PPE as a control measure will fail inspection.

What Must Be In Every CDM RAMS

CDM-compliant risk assessments must include specific elements:

Task Description

Clear description of the work activity. Be specific: "Excavation of foundation trenches to 2.5m depth using 13-tonne excavator" not just "excavation work."

Relevant Legislation

Must cite CDM 2015 plus any other applicable regulations:

• Work at Height Regulations 2005 (scaffolds, ladders, roof work)
• COSHH 2002 (cement, solvents, dust)
• Confined Spaces Regulations 1997 (manholes, tanks, voids)
• Manual Handling Operations Regulations 1992

Comprehensive Hazard Identification

CDM requires consideration of:

• Health hazards (dust, noise, vibration, substances)
• Safety hazards (falls, struck by, trapped by, electrocution)
• Environmental hazards (ground conditions, weather, overhead lines)
• Public safety (traffic management, pedestrian protection)
• Welfare provisions (toilets, washing, drinking water, rest areas)

Risk Ratings

Show both initial risk (before controls) and residual risk (after controls). Use a consistent matrix: Likelihood × Severity = Risk Level. Document the methodology used.

Control Measures

Specific, practical controls that follow the hierarchy. Include:

• What control will be used
• Who is responsible for implementation
• When it must be in place
• How compliance will be monitored

Emergency Procedures

What happens if something goes wrong? Evacuation routes, first aid provisions, emergency contacts, incident reporting procedures.

Competence Requirements

What training, qualifications, or experience is needed to perform the task safely? CSCS cards, CPCS tickets, specific certifications.

Task-Specific vs Generic Assessments

CDM distinguishes between routine tasks that can use standardized assessments and non-routine tasks requiring specific evaluation.

Standardized assessments work for:

• Regular maintenance activities
• Repetitive tasks with consistent conditions
• Common construction activities in typical settings

Task-specific assessments required for:

• Unusual or complex activities
• Work in hazardous environments
• Tasks with significant public interface
• Activities with changing conditions

Common CDM Mistakes to Avoid

1. No CDM 2015 Reference

Failing to explicitly reference CDM 2015 regulations suggests the assessment wasn't prepared with CDM requirements in mind.

2. PPE as Primary Control

Listing hard hats and boots as the main control measure contradicts the hierarchy of controls and CDM principles.

3. No Evidence of Design Input

CDM requires designers to eliminate or reduce risks. Your RAMS should show how design has contributed to risk reduction.

4. Missing Interface Considerations

On multi-contractor sites, failing to address how your work affects others (or how their work affects yours) is a major CDM failing.

5. Inadequate Welfare Provisions

CDM mandates welfare facilities. Not addressing toilets, washing, drinking water, and rest areas in your assessment is non-compliant.

Phase-by-Phase Approach for Larger Projects

Large construction projects require dynamic risk management across multiple phases:

• Pre-construction phase: Site setup, welfare facilities, boundary security
• Groundworks phase: Excavation, piling, drainage, foundations
• Superstructure phase: Frame erection, floor slabs, stairs
• Envelope phase: External walls, roof, windows
• Services phase: M&E installation, internal fit-out
• Finishing phase: Decorations, external works, landscaping

Each phase requires updated risk assessments as hazards evolve. What was a fall risk during frame erection becomes a different risk profile during roof installation.

Modern Approach: Dynamic Risk Management

CDM 2015 encourages proportionate, dynamic risk management rather than bureaucratic paperwork. The focus is on managing actual risks, not generating documents for their own sake.

This means:

• Assessments should be living documents, updated as conditions change
• Site teams should have immediate access to current versions
• Workers should contribute to hazard identification
• Controls should be reviewed based on actual site feedback

Automated risk assessment platforms align perfectly with CDM's dynamic approach. They enable:

• Instant updates when site conditions change
• Mobile access for site teams
• Automatic CDM 2015 compliance checking
• Version control and audit trails
• Integration with construction phase plans

Key Takeaways

• CDM 2015 requires risk assessments be project-specific, not generic templates
• Penalties for non-compliance range from £80,000 to £900,000
• Control hierarchy must be demonstrated: eliminate, reduce, isolate, control, PPE
• Assessments must include task description, legislation, hazards, risk ratings, controls, emergency procedures, and competence requirements
• Common mistakes: no CDM reference, PPE-only controls, missing interface risks, inadequate welfare provisions

CDM compliance doesn't have to be complicated, but it must be thorough. Whether you're a principal contractor on a major project or a small trade contractor, understanding these requirements protects your business, your workers, and the public.