The 7 steps to procuring fire risk assessment programmes

Ben Bradford highlights 7 key considerations issues that organizations should be considered prior to embarking on the procurement of third party fire risk assessors to deliver large fire risk assessment programmes across a multi-site portfolio.

It’s been fifteen years since the Fire Safety Order came into force and during this time many organizations have procured large fire risk assessment programmes which subsequently failed to meet expectations. In England and Wales, Article 9 (1) of the Regulatory Reform (Fire Safety) Order 2005, imposes a legal requirement on the body corporate to undertaken ‘Suitable and Sufficient’ fire risk assessments.

After some considerable time debating issues around competency and the ‘cowboy market’ the fire risk management profession established a national competency criteria and a guide for those seeking to appoint third party fire risk assessors. UKAS accredited third party certification of assessors is being embraced (although not as much as the profession would like) and we are now much clearer on what ‘Suitable and Sufficient’ actually looks like.

It is definitely not a tick box sheet.

A ‘suitable and sufficient’ Fire Risk Assessment should usually be a wordy document and the level of supporting commentary provided allows the client/auditor to gain a full understanding of the related issues in relation to the life safety provisions provided in the building that has been assessed.

Those seeking to formalise their fire risk management system in accordance with BS 9997: 2019 will be aware of the requirement for organizations to implement a procedure for the assessment of competency of fire risk assessors be they internal or external to the organization utilised to deliver the programme.

There have been plenty of articles written on competency so from here on in I will outline what I believe to be, 7 key considerations for those seeking to procure large fire risk assessment contracts.

STEP 1 – Formalise your fire risk management system first!

If asked ‘what came first, the chicken or the egg?’ I cannot tell you for sure.  If asked ‘what should come first, fire risk assessments or the formalisation of organizational fire risk management system?’ I can provide a clear and compelling answer.

We recognise that the process of fire risk assessment is the cornerstone of the fire safety order, and equivalent legislation in Scotland and Northern Ireland, but believe that an organization should formalise its fire risk management system first, in accordance with national guidance contained within BS 9997: 2019, prior to embarking on the procurement and delivery of a large fire risk assessment programme.

There is considerable benefit to be gained by communicating to assessors how governance of fire risk is dealt with at an organizational level. Assessors will better understand how to communicate the findings of the assessments to stakeholders within the organization, and the relevant duty-holders who are charged with addressing them. By approaching fire risk management in a top down approach the organization will minimize the amount of duplication within the FRA findings, especially on matters of established organizational policy and procedure.

STEP 2 – Define the scope and limitations of the FRA programme

Those wishing to formalise their fire risk management system will be aware that BS 9997 that requires the organization to define the scope and limitations of its fire risk assessment programme. Identifying the limitations of the fire risk assessment process and its intended scope are critical in the successful delivery of an FRA programme. The outcomes of this process will vary depending on contextual issues such as; the portfolios age, location, construction type, tenure type and the organisations previous fire experience.

In all cases, these outcomes will consider questions such as ‘is the organisation going to undertake destructive inspections of the building fabric?’ ‘Is the organisation going to require assessors to enter risers, false ceilings, roof spaces etc.?’ These questions should be considered carefully before a fire risk assessment programme commences.

STEP 3 – Choose a suitable and sufficient method of documenting the FRA’s

There is no single correct means of documenting a fire risk assessment, nor are there specific requirements within legislation for the content of a documented fire risk assessment. However, the model pro-forma contained within PAS 79:2012 should be acknowledged. PAS 79 was first prepared in 2005, reviewed in 2007 and we are now working with the latest guidance published in 2012.  We recognise that compliance with the PAS 79 does not necessitate the use of the model pro-forma and indeed that the model pro-forma itself is contained within an Annex and is therefore informative.

Publically available specifications are indeed British Standards and have gone through a robust, process of drafting and consultation. PAS 79 is established national guidance. Why wouldn’t you observe it?

STEP 4 – Decide how you verify and analyse the outcomes

In order for organisations to identify the FRA programmes success it is important to undertake regular review meetings to ensure that the FRA programme is running to plan. This is addressed in BS 9997 and is an opportunity to challenge assessors on issues around ‘risk rating and priority’.  If you are using a third party certificated Fire Risk Assessment Company they will have already undertaken a risk moderation exercise internally in the form of peer review, but they should not be exempt from this process.

Organizations with large multi-site portfolios are now beginning to realise that the success of any fire risk assessment programme is hugely dependent on the organizations ability to manage the outcomes of the assessments. There appears to be three options for an organization preparing to digest the outcomes of a large fire risk assessment programme more holistically. They are as follows:

  • Consider the use of a fire risk assessment software tool
  • Place the burden of accumulating the outcomes of the FRA’s on those delivering the FRA’s
  • Manage the findings internally by allocating some administrative time to this task.

We are yet to come across a piece of fire risk assessment software that is perfect for every organisation. In our experience, we would always advise a clients organization to choose a competent third party certificated fire risk assessment provider first, and a suitable IT solution second. Not the other way around. Organizations should not accept a suitable IT solution in lieu of a suitable and sufficient assessment. Successful usage of IT solutions rely on the professionalism and diligence of those using them and failing to use the right assessment team will be just as damaging as using the wrong IT solution.

STEP 5 – Be prepared for risk acceptance and have a process for risk communication

Fire risk assessment starts with risk identification. Once risks have been identified we move to risk treatment and there may be more than one means of treating a particular risk. High risk outcomes of an assessment may mean high priority but it is often unrealistic for an organization to tackle these within 3 – 6 months.  Organizations must direct their finite resources to where they can make the greatest contribution to safety and therefore an organization may opt for ‘risk acceptance’ and to ensure that the issue does not completely fall off the radar, formalise a procedure for ‘risk communication’. This is identified in BS 9997.

STEP 6 – Auditing the FRA programme

BS 9997 requires the organization to audit the fire risk assessment programme.  An appropriate sample size and methodology for consistently auditing FRA’s should be established.  Third party certificated fire risk assessment providers will be receiving annual surveillance audits by their certification body. An internally delivered Fire risk assessment programme might benefit from an independent review from a competent 3rd party of a desk top and on site sample, this in turn will deliver additional internal assurance to risk committees or the board.

STEP 7 – Review Periods

Organisations will ultimately be responsible for the identification of review periods within their FRA programme (although the FRA itself should identify this on a premise by premise basis). Corporately organisations should consider the context of their organisation and its risk tolerance in order to adequately assess how a review period can be optimised. This would enable organisations to adequately justify review periods outside of the (perceived) requirement of an annual review. Fire Risk Management System Certification works hand in glove with the Primary Authority Scheme initiative, and is a means to facilitate this.


Fire risk assessment should be seen as a piece in the fire risk management puzzle, a means to an end, but not the end in itself. Failure to define policy, develop strategy and implement procedure, prior to initiating the FRA programme, may lead to one that ultimately fails to deliver. If you have been undertaking fire risk assessments on the same portfolio for a number of years now, then maybe it is time to ask yourself, “How much safer are our buildings as a result of the current FRA programme?, and how much safer will they be after the next?”.

Maybe it is time to approach this more strategically.

Ben Bradford BSc Hon’s MSc MBA CEng PPCABE FIFireE FRICS