Who Carries the Duty?
UXO and the Residual Risk to UK Construction – Part 3 of 6
Why the regulatory architecture puts the residual risk in the duty holder’s hands, and what that means for how UXO advice should be procured.
In Part 2, I closed by saying that under CDM 2015, the duty for managing UXO risk on a project sits with the duty holder. It cannot be transferred to the consultancy. The consultancy advises. The duty holder owns the residual.
That’s the architecture of the entire UK regulatory framework for UXO risk management. It’s also the part of the framework most often misunderstood, and the part where the commercial pressure to misrepresent it is highest. So this piece is about what the duty actually is, who actually carries it, and what the answer means for how duty holders should think about commissioning UXO advice.
What CDM actually says
The Construction (Design and Management) Regulations 2015 establish a clear chain of duties on UK construction projects. The client (which I’ll use here interchangeably with “duty holder” for simplicity) controls the project’s overall approach to health and safety through programming, budget, and the appointment of key roles, including the principal designer and principal contractor. The client provides pre-construction information, including any data relating to UXO. The client verifies that the arrangements for managing risks within the construction phase plans are adequate.
CIRIA C681, the UK’s foundational UXO guidance, makes the consequence of this explicit, and italicises it for emphasis:
“The client duties and responsibilities under CDM cannot be transferred.”
That sentence is doing a lot of work. It says the duty is the client’s. It says the duty stays with the client even when the client appoints a principal designer, a principal contractor, a UXO specialist, or any other competent person. The appointed roles assist the client in discharging the duty. They do not take the duty over.
C681 reinforces this in its discussion of the CDM coordinator’s role: “the appointment does not remove the clients’ responsibilities for health and safety.” The same principle applies to UXO specialists, geotechnical consultants, and any other advisors. Advice does not equal transfer of duty.
What the UXO specialist actually provides
C681 defines the UXO specialist’s role precisely:
“an individual or company that provides expert knowledge and opinion to the client on the most appropriate and cost-effective approach to UXO risk management at a site. This should include an assurance of unbiased advice on any risk mitigation measures required.”
Note the language. Expert knowledge. Opinion. Advice. Assurance of unbiased advice. None of that is the language of duty transfer. The UXO specialist is an advisor inside a regime where the client holds the duty.
This is not a small distinction. It’s the entire architecture of how UK health and safety regulation handles specialist advice. The client carries the duty because the client controls the project. The advisors provide the expert input the client needs to discharge that duty. The advisors carry professional liability for the quality of their advice, which is a different legal mechanism with different tests. They do not carry the duty itself.
Why this architecture matters
Three things follow from getting the architecture right.
The duty holder’s question is the right question. When something is found on site, the regulator’s first questions go to the duty holder. What did you commission? What did the assessment tell you? Did you act on it? Did you keep it under review? The duty holder needs to be able to answer those questions in their own voice, with their own evidence trail, not by pointing at a report a consultancy produced two years ago. The assessment is an input to that evidence trail. It is not, on its own, the answer.
This means the duty holder needs to know what the assessment is telling them. Not just the conclusion, but the inputs, the assumptions, the conditions under which the conclusion holds, and what changes would invalidate it. A consultancy that produces a single-descriptor output and walks away leaves the duty holder unable to answer the regulator’s questions properly. A consultancy that articulates residual risk in terms the duty holder can act on gives the duty holder what they actually need.
Adding a layer doesn’t transfer the duty. There’s a commercial proposition currently circulating in the UK construction sector that holds, more or less, that duty holders should commission a separate “verification” or “assurance” review of their UXO consultancy’s output, on the basis that this verification will give them a more defensible position. The implication is that the verification layer absorbs some of the duty.
It doesn’t. CDM is unambiguous on this. Adding a third party to the chain doesn’t transfer the duty back up to the client; the duty was already there. What an additional layer can do is add cost, add time, and create the illusion that the duty has been somehow shared out. The actual duty remains exactly where it was: with the client, who must be able to demonstrate they commissioned competent advice, acted on it, and kept it under review.
I’m not arguing that third-party assurance is never appropriate. On very large infrastructure programmes with complex risk environments, an independent assurance review can have value, particularly where multiple consultancies are operating in parallel and consistency matters. But the test is whether the additional layer gives the duty holder more useful information for managing their actual duty, not whether it provides comfort that someone else has signed off on the work. Comfort is not a regulatory category.
The duty is discharged by competent advice, acted on. The honest answer to “how do I discharge my CDM duty for UXO?” is straightforward, even if it’s less commercially appealing than the alternatives. Commission a competent UXO consultancy. Get advice that articulates residual risk in operational terms. Act on the advice. Document the decision trail. Revise the assessment when conditions change. Keep the consultancy in the loop through construction so they can update the position if something is found.
That’s the entire discharge mechanism. It’s not glamorous. It’s not a procurement product. It is what the regulations actually require, and any UK duty holder who does it consistently has discharged their duty as well as the framework allows.
The implication for procurement
If the duty is discharged by competent advice acted on, the procurement question for any duty holder is straightforward: how do I tell competent advice from the alternative?
Three signals matter.
First, methodology transparency. Competent advice exposes its inputs and assumptions. It tells you why the conclusion is what it is, not just what the conclusion is. If the report doesn’t show its working, you can’t act on it confidently.
Second, residual risk articulation. Competent advice tells you what residual remains after mitigation, in terms you can act on. A descriptor on its own is not enough.
Third, named sign-off. Competent advice has a named author who will be available to revise the assessment, answer questions during construction, and stand behind the work if something is found. If you can’t reach the person who wrote the report, you can’t manage the residual properly.
These are also, as it happens, the questions Part 1 closed with. They’re not coincidentally aligned. The procurement signals matter because they’re the inputs to a defensible duty holder position. Get those right and the duty is discharged. Get them wrong and no amount of additional verification will fix the underlying problem.
Where this leads
Across the first three pieces in this series, the argument has been cumulative. Part 1 established that “low risk” is a more limited descriptor than most clients realise. Part 2 established that residual risk is foundational to the regime, not a flaw in it. Part 3 has now established that the duty for managing the residual sits with the duty holder, and is discharged by competent advice acted on.
The next question is the one Part 4 takes up: what does competent advice actually look like, and why is the future of UXO risk assessment quantitative rather than qualitative?
Because if the duty holder owns the residual, and the descriptor doesn’t articulate it usefully, then the methodological answer is to articulate it differently. That’s not a departure from CIRIA. It’s what CIRIA explicitly supports in C681, and what the sector has been slow to adopt. Part 4 will explain why.
The duty is yours. The consultancy advises. The mechanism for discharging it is competent advice, acted on, documented, revised when conditions change. There is no shortcut. There is no transfer. There is no additional layer that absorbs the duty.
Previous: Part 2 – Why a UXO find on a “low risk” site is not, on its own, evidence that the system failed
Next: Part 4 – Beyond the descriptor
For regular updates, project insights, and industry guidance, follow Brimstone UXO on LinkedIn, Facebook, Instagram, and YouTube.

"*" indicates required fields