What “Low Risk” Actually Means
UXO and the Residual Risk to UK Construction – Part 1 of 6
If your UXO risk assessment says “low risk”, you should know what you’ve actually been told. It probably isn’t what you think.
A 250kg unexploded bomb was found on a previously developed site in Plymouth. The risk assessment said low risk. Both statements are true at the same time, and most clients reading this don’t yet understand why.
I’ve spent the last 24 years in Explosive Ordnance Disposal (EOD) and Search. I started in the Royal Engineers as part of a search team and later, after commissioning from the Royal Military Academy Sandhurst, qualified as a bomb disposal officer. For the past ten years in the commercial sector I’ve been running one of the UK’s leading UXO consultancies. In that time a fair number of risk assessments have crossed my desk, and I’ve signed off on a lot of them.
Here’s what I’ve come to believe. The single biggest gap in how UK construction manages UXO risk isn’t in the assessments themselves. It’s in what clients think the assessments are telling them. “Low risk”, in particular, is one of the most misunderstood phrases in the sector.
After Plymouth, that gap matters more than ever. So this piece, the first in a six-part series, is for any duty holder who has ever opened a UXO risk assessment, read the conclusion, and assumed it meant something it doesn’t.
What “low risk” doesn’t mean
When your UXO consultancy concludes that a site is “low risk”, three things are not being said.
First, it does not mean there is no UXO present. It means the assessed likelihood of encountering UXO during your proposed works has been judged low. UXO may still be on the site. The assessment is a probability statement, not a guarantee of absence.
Second, it does not mean the same thing across the sector. There is no UK-wide standard for what constitutes “low risk”. Different consultancies apply different evidence thresholds, different mitigating-factor weightings, and different professional judgements. A “low risk” conclusion from one consultancy may rest on materially different assumptions than the same descriptor from another. You usually can’t see those assumptions in the report.
Third, it does not survive design changes automatically. The descriptor is conditional on the proposed works as described. Increase your pile depths, add a basement, change your foundation methodology, and the assessment may no longer hold. A “low risk” conclusion from six months ago, when the design looked different, is not necessarily a “low risk” conclusion today.
What it actually means
A qualitative “low risk” conclusion is the consultancy’s professional judgement that, given everything they have considered, the chance of you encountering UXO during the works as described is low. That’s it. It’s a triage output, not an operational instruction.
It is genuinely useful as a triage output. Most UK sites with potential UXO exposure will, on competent assessment, screen out as low risk. That conclusion has commercial value: it lets the project proceed without further mitigation work. But the descriptor on its own gives you very little to put into a project risk register, defend in a CDM audit, or use to make a tolerability decision about specific work activities. It’s a category, not an answer.
“Low risk” answers the question “how worried should we be?”. It does not answer the question “what should we actually do about the residual?”.
Why the descriptor isn’t enough anymore
Three things have shifted in the last few years that put pressure on the descriptor-only approach.
Construction is going deeper. Modern projects routinely involve piling, basements, and intrusive works at depths well below the post-war development that historically reduced UXO encounter likelihood. “Low risk” conclusions based on shallow disturbance assumptions don’t always hold for 18m piles.
Brownfield sites are scarcer and more contested. The remaining brownfield stock in heavily bombed UK cities increasingly includes sites where post-war reconstruction used contaminated backfill, where bombing was historically dense, or where the available records are incomplete. The mitigating factors that supported “low risk” conclusions on a generous reading of the data are thinning out.
Recent finds have made the gap visible. The Plymouth UXB, found on a site assessed as low risk after a professional assessment, is the latest in a series of finds that have demonstrated, publicly, what residual risk actually means in practice. Duty holders are reading the news and asking what they’re actually being told when their own consultancy says “low”. That’s a fair question, and it deserves a clear answer.
What you should be asking
If you commission UXO risk assessments, here are five questions worth putting to whoever produces them. They apply to Brimstone, to our competitors, and to any consultancy you might engage.
- What does “low”, “moderate”, or “high” mean in your methodology? Ask for the underlying inputs and the criteria that distinguish one category from another.
- What is the residual risk after mitigation? Mitigation reduces risk, it rarely eliminates it. Ask what residual remains and how it should be managed during construction.
- Will the same person stand behind this assessment during construction? If something is found on site, you want to call the person who wrote the report, not a generic helpdesk.
- What changes would invalidate this assessment? Risk assessments are conditional. Ask what design changes, depth increases, or methodology shifts would require a revisit.
- What does this give me for my CDM duty? You’re the duty holder. Ask explicitly what the report gives you to demonstrate, in a regulatory or legal context, that you’ve managed UXO risk so far as is reasonably practicable.
Where this series is going
Over the next five articles, I’ll go deeper into each of these questions. Why residual risk is built into the regulatory regime and isn’t a flaw in the methodology. Why the duty for managing it sits with you, not with your consultancy, and what that means for how you commission UXO advice. Why the future of UXO risk assessment is quantitative articulation of residual risk rather than qualitative descriptors. And what good looks like in practice.
None of this is an attack on the descriptor. The descriptor has its place. But after Plymouth, the sector owes its clients more than a category. We owe them an articulation of residual risk that they can actually use to manage their duty.
If you’re a developer, principal contractor, or anyone with a CDM duty on a project that includes UXO exposure, this series is for you. If you’re in the UXO sector, I hope it’s useful too.
Plymouth wasn’t a failure of the system. It was a demonstration of what the system was always built to expect. The question is whether we’re giving duty holders enough to manage what the system expects to leave behind.
Next: Part 2 – Why a UXO find on a “low risk” site is not, on its own, evidence that the system failed
For regular updates, project insights, and industry guidance, follow Brimstone UXO on LinkedIn, Facebook, Instagram, and YouTube.

"*" indicates required fields