Preventing Sexual Harassment: Time To Review Your Risk Assessment And Refresh Your Training?

With the first anniversary of the new legal duty to prevent sexual harassment in the workplace approaching, now is the perfect time for employers to take stock of whether they are doing enough. We explain how to refresh your risk assessments and training.

On 26 October 2024, a new law was passed in Great Britain requiring employers to take reasonable steps to prevent staff from being sexually harassed in the course of employment. As we approach the first anniversary of the new law, it's a good time for employers to reflect on what steps they've taken, and how effective they've been. This is especially important in light of even greater responsibilities planned for October next year (2026), when the duty is set to change to "all" reasonable steps and employers can become directly liable for harassment of staff by third parties.

The legal duty introduced last year is a proactive one, requiring employers to anticipate when staff might be sexually harassed and implement control measures. It puts the focus on preventing sexual harassment, rather than dealing with it afterwards.

There is detailed guidance from the Equality and Human Rights Commission (EHRC) on complying with the duty. The guidance emphasises that employers should not wait until a complaint of sexual harassment has been raised before they take any action.

Two essential steps you'll want to take involve risk assessments and training. We look at each below.

Why do a risk assessment?

The EHRC guidance is clear and categoric that employers are unlikely to be able to demonstrate compliance with the preventative duty if they have not carried out a risk assessment.

There's no particular format. The EHRC has not published a template, and it is largely up to each organisation to decide on its approach. You do not even necessarily need a standalone sexual harassment risk assessment if, for example, you want to include the risks of sexual harassment as part of your wider health and safety risk assessment – as long as the risks and control measures are specifically identified. But your risk assessment needs to be bespoke to your business, your workforce and your work environment. You can't just copy an example and put your name to it.

Who should be responsible for doing a sexual harassment risk assessment?

In our experience, organisations are generally giving overall responsibility to the HR team. Whichever team takes responsibility is going to need to involve several other teams in the organisation including, for example, legal, compliance/risk, health and safety, facilities and commercial.

There's no specific requirement about whether you need a separate risk assessment for each part of the business, or a single risk assessment. It largely depends on whether work in different business areas involves different risks. If yes, it may be sensible to have separate risk assessments. You may even want a separate risk assessment for individual projects or events, if they pose specific risks. Last year, for example, we saw several organisations doing a risk assessment specifically about their Christmas party and graduate recruitment events.

How do we go about identifying risks of sexual harassment?

In our experience, many organisations started with a desk research exercise, involving listing out potential risks to consider (we can help you with this, if you'd like us to do so). They then set out to gather further information from various internal stakeholders.

Ideally, you would gather more information from staff, so that your risk assessment is based on their experience as well as the theoretical risks you've identified. To do this, you could analyse data from exit interviews, grievances and complaints as well as staff surveys, or even look to carry out a full culture review. If you have an employee forum and/or employee resource groups, it is a good idea to consult them and take their feedback on board. The more you engage with your staff, the more likely it is you will understand the risks they are exposed to. Also, if you haven't anticipated a situation which later turns out to give rise to a sexual harassment incident, it will help if you've asked your employees and they didn't see the situation as a key risk either.

If you did an initial risk assessment last year based purely on desk research, then now is a good time to review this and look to supplement your risk assessment with more information.

In thinking about risks, we recommend that you think about your:

• working environment (including your workforce's engagement with third parties)
• workplace requirements and behaviours
• management composition and workforce structures
• systems for training, reporting and monitoring.

Should we be identifying risks that we can't do anything about?

This was a common concern among organisations embarking on their risk assessments last year. While it is completely understandable to worry about drawing attention to these risks, we think it's best to include them but be honest about the extent to which they can be effectively controlled. Otherwise, the integrity of the risk assessment and usefulness as a management tool suffers. You may find there are steps you can take to mitigate risks, even if you cannot eliminate them. Speak up channels are important in this context (it's true that these measures haven't prevented the original incident, but they are still part of the measures you can take to prevent it from happening again, escalating to worse behaviour, or happening to others).

In some cases, there may genuinely be nothing more you can reasonably do. In those cases, it will help if you've consulted employee forums, employee resource groups and the employees themselves and they have not thought of additional sensible actions.

How should we assess or evaluate sexual harassment risks, beyond just describing them?

It is sensible to try to size the risks to help you identify priorities for action. The EHRC has not issued any specific guidance on whether or how you should do this for sexual harassment risks, but one approach is to consider the likelihood of the risk materialising taking account of your own workforce, and what you know about where the vulnerabilities lie.

When assessing risk, you should take account of the control measures you already have in place. It is not a hypothetical exercise of looking at the risks as if you were doing nothing about them.

What are we supposed to say and do about controlling sexual harassment risks?

There are no generic or standard control measures and, in our view, the EHRC guidance is relatively limited in this regard. In time, more standard practice may emerge but at a minimum, we recommend you raise staff awareness about sexual harassment and about support available. Train your employees in your expectations around appropriate behaviours, consequences for breaching those expectations and speak-up options. It will be helpful to have consulted with employees to capture any suggestions they may have for specific control measures. We can also help you with identifying additional control measures for specific risks, if you would like us to do so.

In general terms, your control measures will be aimed at either reducing the likelihood of the risk occurring or reducing its impact (by, for example, setting up systems to intervene before something escalates). The control measures do not necessarily need to eliminate the risk altogether (in many cases that would be unrealistic) but you are aiming to reduce the risks to a more tolerable level.

If you are reviewing your risk assessment this year, you'll want to consider what additional control measures to put in place, bearing in mind how effective your current controls have proven to be.

When should we review our sexual harassment risk assessment?

There is no guidance on how often you should repeat your risk assessment, but we think you should do so at least every 12 months. That's why now is a good time to review any risk assessment you did last year.

You will want to review any incidents of sexual harassment that have happened since you first did your risk assessment, as they may indicate that the measures you've taken have not gone far enough.

Bear in mind that you'll want to be able to demonstrate that you are taking "all" reasonable steps to prevent sexual harassment by October 2026, when the changes to sexual harassment law under the Employment Rights Bill are expected to take effect. This means potentially going further than you have done to date.

Do we need to repeat our training?

The EHRC guidance is clear that staff must be trained on what harassment involves, what victimisation is, what to do if they experience it and how to handle complaints of harassment. Training should be tailored towards the nature of the employer, the target audience (in terms of, for example, the seniority and job roles of the audience and the best method to deliver the training to them) and the employer's policy to maximise its impact. In industries where third-party harassment from customers is more likely, training should be provided on how to address it. Whatever form your training takes, make sure you capture a record of who attended and form a plan for those who missed it.

The guidance says that training should be refreshed at regular intervals and whilst there is no clear indication of how often you should repeat it, you should not see this as a "once and done". Now, a year on, is a good time to think not only about your new joiners but also about a general refresh for all staff to ensure the message around sexual harassment is clearly understood. Perhaps if you made the decision to offer e-learning last year, now is a good time to consider some live discussion sessions to encourage a speak-up culture within your organisation. Consider, too, specific sessions for managers to help them deal with some of the tricker issues like how to help someone who reports something but then tells the manager not to do anything about it.

One thing to consider is broadening your refresher training to cover respect in the workplace generally and to help staff understand the concept of allyship and the importance speaking up in support of each other. This training can bolster the knowledge you have given them already about sexual harassment and give both employees and managers a greater understanding of the practical ways that can help to foster a psychologically safe environment.

In conclusion

With the first anniversary of the new preventative duty fast approaching, and even more rigorous requirements in prospect, it's time to take stock and ensure that your risk assessments and training approach are up to date and effective. We are seeing increasing focus on workplace behaviours from various regulators including the SRA and the FCA and the blurred line between what is work and what is private is under constant scrutiny. Helping your employees understand their role and their obligations will go a long way to demonstrating the steps you are taking to prevent workplace behaviours from tipping into a harassment risk.