
Online Safety Act Compliance: A framework for better risk assessments.
Conducting a thorough risk assessment is the core requirement for all services within scope of the UK's Online Safety Act. Today, Ofcom published a report summarising their findings after reviewing 104 risk assessments conducted by regulated services. Their findings highlight some clear gaps, recurring mistakes, and straightforward opportunities for improvement. Below, we've outlined 8 key steps to ensuring your approach to regulatory compliance meets Ofcom's expectations.
1. Go beyond identifying risk factors: explain how they influence likelihood and impact
One of the most consistent weaknesses in the reviewed Risk Assessments was a lack of causal explanation. Simply listing your risk factors isn’t enough. Services must show how each factor affects:
- Likelihood of harm: for example, does the feature increase friction? Expand the surface area for harmful interactions? Reduce the visibility of signals your safety measures depend on?
- Impact of harm: for example, could harms be more severe for particular users? Does the feature expose large groups to risk simultaneously? Does the platform’s structure magnify the consequences?
This level of reasoning demonstrates maturity, transparency, and a credible grasp of harm pathways. Without it, an assessment can appear superficial or incomplete.
2. Recognise that larger services inherently carry greater risk
Across all harm types, scale matters. Larger services face:
- A higher probability that harmful interactions occur
- Vastly more content, which reduces the relative effectiveness of moderation
- More diverse and often anonymous user bases, creating more vectors for harm
Even with strong controls, scale increases both exposure and potential impact. Acknowledging this openly increases the credibility of your Risk Assessment.
3. Treat low-risk ratings as exceptional, and justify them rigorously
Ofcom expects that low-risk assessments are backed by:
- Robust, clearly presented evidence
- Reasoning that addresses all relevant risk factors
- Proof that mitigations are effective, not just that they exist
If you can’t demonstrate why the risk is genuinely low - especially when multiple risk factors are present - Ofcom advises services to default to a higher risk rating. This is the safer and more defensible regulatory position.
4. Don’t rely on ToS or self-declared age to estimate the number of child users
If your service does not use highly effective age assurance (HEAA), Ofcom will not accept broad statements that “we are a 13+ service” as evidence of a low number of children being present. Instead:
- Take a conservative view of potential child users
- Explain the uncertainty
- Use indirect signals such as audience behaviour, product design, marketing reach, and platform appeal
If you cannot prove children aren’t using the service, you must assume that they might be.
5. Strengthen evidence and governance around the effectiveness of your measures
Ofcom found “surprisingly low” evidence that measures are effective in practice. A strong risk assessment should:
- Clearly state who owns each measure (teams, roles, governance lines)
- Describe how effectiveness is monitored, including insights from content moderation
- Explain how issues are identified, escalated, and resolved
- Provide metrics, or where unavailable, show evidence of your processes such as review cadences
This doesn’t just satisfy the regulator - it builds internal accountability and operational clarity.
6. Provide harm-specific explanations for controls used across multiple risks
Copy-pasting one generic justification is a common error. Each harm category has a distinct pathway, so each mitigation needs a customised explanation.
For example:
- Rate limiting might reduce exposure harms by controlling volume
- But its relevance to grooming harms may depend instead on slowing or preventing persistent contact
This nuance signals to Ofcom that you understand the mechanics of risk on your platform.
7. Show what strong safety governance looks like
Governance is one of the most powerful levers available - and often one of the easiest to implement. Your Risk Assessment should describe:
- How risk assessments are created, reviewed, challenged, and approved
- The cross-functional teams involved (legal, policy, engineering, T&S, analytics)
- How often reviews occur
- How decisions are documented and communicated
- How controls are assigned to owners and tracked
Regulators increasingly look for governance maturity as a proxy for organisational seriousness. Illuminate Tech's platform OSCAR, built by ex-Ofcom online safety regulators, intuitively integrates strong governance into your risk assessment and regulatory compliance processes.
8. Explain how you keep your Risk Assessment up to date — especially around significant change
Many services failed to show how they monitor changes to risk over time. A compliant Risk Assessment should demonstrate:
- How significant changes are identified
- Who decides whether a Significant Change Assessment (SCA) is required
- Which teams input into that decision (product, analytics, engineering, legal)
- How annual reviews work, including whether SCAs are part of that cycle
- How feature launches, experiments, and updates are monitored
If your internal “Significance Test” currently lacks governance, strengthen it by documenting:
- The criteria for triggering a review
- The workflow between teams
- Evidence and documentation requirements
- Links to dashboards or monitoring systems
This is critical: Ofcom will expect to see evidence of a structured process, not informal judgement calls. OSCAR contains a dedicated "significance test" workflow that provides robust scoring logic and gives you clear visibility of your review processes.
Key regulatory timelines to prepare for
The next 12 months are crucial. Ofcom can request your Risk Assessment at any time from 1 May to 31 July 2026. Your 2025/26 Risk Assessment must be complete, defensible, and ready to produce. Categorised services must formally submit their Risk Assessment in October 2026, shortly after the categorised services register is published in July 2026. New guidance for categorised services will be released in the first half of 2026; your internal processes should be flexible enough to adapt quickly once this guidance is published.
OSCAR by Illuminate Tech enables time-poor teams to complete risk assessments to the highest standards, all while transforming their internal governance processes to ensure they're ready for regulatory scrutiny. To learn more or book a demo, get in touch at hello@illuminatetech.co.uk.

