Artifact GuideUKRisk Assessment Workflow

UK Online Safety Act Risk Assessment Workflow

Risk Assessment Workflow decisions under the UK Online Safety Act should be written in operational language: who is in scope, what must happen, what evidence proves it, and when escalation is needed.

Use this guide to turn official requirements into scope, evidence, owner, and review decisions. This guidance is practical, source-linked, and should be validated against current legal and policy requirements before implementation.

Back to main artifact Review sources

Author

Sorena AI

Published

May 9, 2026

Updated

May 9, 2026

Sections

Structured answer sets in this page tree.

Primary sources

Cited legal and guidance references.

Publication metadata

Sorena AI

Published May 9, 2026

Updated May 9, 2026

Overview

This page helps you determine when UK Online Safety Act obligations apply, who owns each action, the required evidence, and the review path before escalation.

Section 1

How should a Risk Assessment Workflow run under the UK Online Safety Act?

Run the workflow as online-safety triage: first confirm whether the service is in scope, then check whether children are likely to access it, identify the relevant duty or risk type, decide the mitigation or control, record evidence, assign an owner, and set the next review date. If the service is not in scope, close the item; if it is in scope and the risk is unresolved, escalate before implementation.

Check whether the service is a user-to-user service or search service and whether the issue relates to child safety or illegal content.
Confirm the source-linked rule that applies, then choose the required action: close, mitigate, escalate, or send for review.
Record the decision, the owner, the reviewer, the evidence location, and the next review date.
Keep the outcome plain and practical so support, product, legal, security, and compliance teams can use it.

Sources for this answer

Online Safety Act: Protection of Children Codes of Practice - explanatory memorandum

GOV.UK source for children-code context that informs child-risk steps in the UK Online Safety Act risk-assessment workflow.

Online Safety Act - Illegal Content Codes of Practice 2024: explanatory memorandum

GOV.UK source for illegal-content code context that informs risk-type, mitigation, evidence, and review fields in the workflow.

Age assurance for the Children's code

ICO source for age-assurance and children-code privacy context that can affect user-group and child-access fields.

Section 2

What fields should the Risk Assessment Workflow template capture?

A useful template captures service type, user group, risk type, child-access result, code measure, mitigation owner, evidence, review date, and unresolved assumptions. Each field should support a decision, not just store a label.

Link to the source URL and include the source quote that supports the decision.
Identify the entity, product, service, system, data category, and user group involved.
Capture the decision result, control action, owner, reviewer, due date, and escalation reason.
Attach the evidence, approval note, exception note, and review cadence used to reach the decision.

Sources for this answer

Online Safety Act - Illegal Content Codes of Practice 2024: explanatory memorandum

GOV.UK source for illegal-content code context that informs risk-type, mitigation, evidence, and review fields in the workflow.

Age assurance for the Children's code

ICO source for age-assurance and children-code privacy context that can affect user-group and child-access fields.

Children's code strategy: interim impact review

ICO source for practical review observations that support improving risk-assessment fields after service or evidence reviews.

Section 3

How should teams review and improve the Risk Assessment Workflow?

Review the workflow after Ofcom code updates, feature changes, algorithm changes, user-base changes, incident trends, complaints, enforcement notices, or transparency-report cycles. Use each review to decide whether the current controls still reduce the identified risk, whether the evidence is sufficient, and whether the item should stay open, be escalated, or be closed.

Track recurring exception categories and update intake questions.
Remove fields that never affect the decision.
Add fields when reviews show missing source evidence or unclear ownership.
Confirm the public page and working template include the same visible source-linked guidance.

Sources for this answer

Online Safety Act: Protection of Children Codes of Practice - explanatory memorandum

GOV.UK source for children-code context that informs child-risk steps in the UK Online Safety Act risk-assessment workflow.

Online Safety Act - Illegal Content Codes of Practice 2024: explanatory memorandum

GOV.UK source for illegal-content code context that informs risk-type, mitigation, evidence, and review fields in the workflow.

Age assurance for the Children's code

ICO source for age-assurance and children-code privacy context that can affect user-group and child-access fields.

Children's code strategy: interim impact review

ICO source for practical review observations that support improving risk-assessment fields after service or evidence reviews.

Recommended next step

Turn UK Online Safety Act Risk Assessment Workflow into assigned work

Use this UK Online Safety Act guide to turn Risk Assessment Workflow into owners, evidence requests, review checkpoints, and reusable operating records inside Sorena.

Assessment workflow

Open Assessment Autopilot for UK Online Safety Act

Turn Risk Assessment Workflow into scoped questions, evidence fields, and review tasks.

Explore next step

Research workflow

Review UK Online Safety Act source evidence

Use Research Copilot to answer follow-up questions with cited source material.

Explore next step

Talk to Sorena

Talk through implementation

Review scope, evidence, owners, and the next compliance actions with Sorena.

Explore next step