InsightGovernanceOSA

UK OSA Illegal Harm Risk Assessment: about 1 Month Left Until the Deadline – How Far Along Are You?

Get to know what is a risk assessment under the OSA, what lessons from other regulated sectors can be applied in these cases, and how you can demonstrate your best efforts to manage risks.

By Tremau T&S Research Team

  • 02/17/2025

Regulatory expectations for online safety are evolving rapidly. Platforms serving UK users must now comply with the Online Safety Act (OSA) while maintaining a safe and trustworthy ecosystem.

At Tremau, we recently had an insightful discussion with Bird & Bird and Ofcom on the OSA risk assessment framework, exploring best practices, challenges, and practical compliance steps. With just 1 month left until the risk assessment deadline, where do you stand? Here’s what you need to know—and how to get started efficiently.

Understanding Risk Assessment in the OSA Framework

At the heart of Ofcom’s risk assessment framework are two critical data sources that help platforms gauge the likelihood and impact of specific harms:

  • Core Inputs – Internal data sources such as flagged content, user reports, and moderation trends.
  • Enhanced Inputs – External sources like industry reports, expert consultations, and regulatory guidelines, providing a broader context for risk evaluation.

Since no two platforms face the same risk landscape, a one-size-fits-all approach won’t work. The key is to know your platform, understand the unique risk factors, and structure your assessment accordingly.

Pro Tip: Start by analyzing your platform’s user base, moderation systems, and design choices to understand how risks manifest in your ecosystem. Conduct internal walkthroughs, clarify roles and responsibilities, and examine existing data points to identify key risk areas.

Key Lessons from Other Regulated Sectors: What Can You Learn?

1. Governance & Oversight Matter

Regulatory Expectation: The UK Codes of Practice mandate that senior governing bodies must review risk assessment results, ensuring clear accountability.

This isn’t just a box-ticking exercise—strong governance provides crucial oversight. Leaders should challenge assumptions, ensure access to the right information at the right time, and drive strategic risk management.

2. Data-Driven Risk Assessments

Other industries rely on historical data, predictive modeling, and scenario analysis for risk management. Similarly, online platforms can apply data-driven strategies to assess and mitigate risks.

  • Leverage existing data reports—engage Trust & Safety (T&S) and content moderation teams to access reports they already monitor (daily, weekly, and monthly).
  • Define data parameters clearly—ensure transparency in time span, justification, and user demog

Are Alternative Compliance Measures Feasible?

Ofcom allows businesses to implement alternative compliance measures, but only if they can justify them. Many companies are still in the discovery phase, but as you refine your internal processes, consider:

  • Distinguishing between gaps in documentation and actual missing practices—some measures may exist but lack formalization. Draw up a plan to standardize them into policies and Standard Operating Procedures (SOPs).
  • Focusing on high-impact risks first—when resources are limited, allocate efforts based on harm severity.

Demonstrating Best Efforts to Manage Risk

Demonstrating best efforts to manage risk is key. Effective risk management does not mean eliminating risks entirely but ensuring they are prevented, detected, and appropriately responded to.

To effectively manage risks, organizations must distinguish between proactive risk control measures and reactive risk responses. Here’s how they differ:

Risk Control (also called Risk Treatment or Risk Mitigation)

  • Focuses on reducing the likelihood of risks occurring or minimizing their impact if they do occur.
  • Includes preventive controls (to stop risks from occurring) and detective controls (to identify risks when they happen).

Risk Response

Involves decisions made after a risk has been identified and analyzed to determine the appropriate action. The response could be:

  • Avoidance – Eliminating the risk entirely (e.g., discontinuing a risky platform feature).
  • Reduction/Mitigation – Implementing controls to minimize the risk (e.g., stronger moderation policies).
  • Sharing/Transfer – Offloading the risk through insurance, outsourcing, or third-party partners.
  • Acceptance – Acknowledging the risk and monitoring it proactively when avoidance or mitigation isn’t feasible.

The Right Mindset: Embrace Continuous Improvement

The first year of OSA compliance will have a steep learning curve, but the governance framework is designed to help iterate and refine risk models over time.

How far along are you? The deadline is closing in fast—start now!

Compliance isn’t just a requirement—it’s a business advantage.

Think of this not as a compliance exercise, but as a value driver for your business!

  • Boost user trust – Strengthen credibility and foster long-term customer loyalty.
  • Attract advertisers – Call to brands that prioritize responsible and transparent partnerships.
  • Future-proof operations – Stay ahead of regulatory changes and evolving industry standards.

Final thoughts

With just 1 month, now is the time to assess, refine, and implement your risk assessment strategy. Take a data-driven, governance-led, and proactive approach to ensure compliance—and turn it into a competitive advantage.

🚀 Need guidance on your OSA compliance journey? Get in touch with our Policy and Advisory team: Agne Kaarlep (agne@tremau.com), Haneen Qarout (haneen@tremau.com), Toshali Sengupta (toshali@tremau.com).

Advancing Trust & Safety

T&S Platform
Nima, the end-to-end Trust & Safety Platform
Advisory
Decoding Trust & Safety in the Digital Landscape
Resources
Company
© Copyright 2025 Tremau