health safety

Do I Need a Health and Safety Policy?

Find out if you legally need a written health and safety policy, what to include in each section, who must sign it, and how to communicate it effectively to your employees.

This guide includes a free downloadable checklist.

Get the checklist

Every employer wants to keep their workforce safe, but do you legally need a written health and safety policy? The answer depends on how many people you employ — and if you do need one, it must cover three specific sections.

How many employees do you have?

This determines your legal requirement for a written policy.

The legal requirement

Section 2(3) of the Health and Safety at Work etc. Act 1974 (HSWA 1974) states:

"Except in such cases as may be prescribed, it shall be the duty of every employer to prepare and as often as may be appropriate revise a written statement of his general policy with respect to the health and safety at work of his employees and the organisation and arrangements for the time being in force for carrying out that policy, and to bring the statement and any revision of it to the notice of all of his employees."

In plain English:

  • If you employ 5 or more people, you must have a written health and safety policy
  • It must describe your policy (overall approach), organisation (who does what), and arrangements (how you manage specific risks)
  • You must bring it to the attention of all employees
  • You must review and update it when necessary
Key Point

The threshold is 5 employees, not 5 full-time equivalents. Part-time workers, temporary staff, and casual employees all count. If you regularly employ 5 or more people at any one time, you need a written policy.

Why does this requirement exist?

The written policy serves several purposes:

  • Forces planning — writing things down makes you think systematically about risks and controls
  • Communication — ensures everyone knows the approach to health and safety
  • Clarity — defines who is responsible for what
  • Evidence — demonstrates to inspectors (and courts) that you take health and safety seriously
  • Accountability — creates a benchmark against which performance can be measured
Note:

Even if you have fewer than 5 employees and aren't legally required to have a written policy, documenting your approach is good practice. It demonstrates commitment and helps ensure consistency.

The three parts of a health and safety policy

A compliant health and safety policy has three distinct sections:

Part 1: Statement of Intent

This is the "what and why" — your organisation's general commitment to health and safety.

What to include:

  • Declaration of commitment to protecting employees and others
  • Recognition that health and safety is a business priority
  • Promise to comply with legal requirements
  • Statement that you'll provide resources for health and safety
  • Commitment to continuous improvement
  • Signature of the most senior person in the organisation
  • Date of issue and review date

Who signs it:

The most senior person with authority:

  • Managing Director or Chief Executive for companies
  • Owner or senior partner for partnerships
  • Chair of trustees for charities
  • Head teacher (often with governor endorsement) for schools
Key Point

The signature matters. It demonstrates that health and safety has board-level commitment, not just lip service from middle management. It also signals accountability at the top.

Example wording:

"As Managing Director of [Company Name], I recognise that ensuring the health, safety, and welfare of our employees and others affected by our activities is fundamental to our success.

We are committed to:

  • Providing and maintaining safe working conditions, equipment, and systems
  • Ensuring safe use, handling, storage, and transport of materials and substances
  • Providing information, instruction, training, and supervision for all employees
  • Consulting with employees on health and safety matters
  • Continuously improving our health and safety performance
  • Complying with all relevant health and safety legislation

This policy will be reviewed annually and revised as necessary to reflect changes in our operations or legal requirements.

Signed: [Name] Position: Managing Director Date: [Date] Next review: [Date]"

Part 2: Organisation

This is the "who" — defines who is responsible for what in your organisation.

What to include:

  • Overall responsibility (usually managing director or senior manager)
  • Day-to-day responsibility (often operations manager or health and safety coordinator)
  • Specific responsibilities for managers and supervisors
  • Responsibilities of all employees
  • Details of competent person(s) appointed to assist with health and safety
  • Names and roles of key people (or at least job titles if names change frequently)

Organisation Structure Example

Management Responsibilities

  • Managing Director: overall policy and resource allocation
  • Operations Manager: day-to-day implementation
  • Line Managers: ensuring safe systems in their areas
  • H&S Advisor (external): competent advice and audits
  • Facilities Manager: maintenance and workplace safety
  • HR Manager: training, consultation, and reporting

Employee Responsibilities

  • Take reasonable care for own safety and that of others
  • Co-operate with health and safety arrangements
  • Use equipment and PPE as instructed
  • Report hazards, defects, and near misses
  • Attend training and follow procedures
  • Not interfere with or misuse safety measures

Bottom line: Clear definition of responsibilities ensures everyone knows their role. Management provides leadership and resources; employees take personal responsibility for working safely and reporting concerns.

Avoid vague statements like:

  • "Everyone is responsible for health and safety" (too broad, creates confusion)
  • "The health and safety officer will manage all risks" (unrealistic and incorrect)

Instead, be specific:

  • "The Operations Manager is responsible for conducting monthly workplace inspections and maintaining inspection records."
  • "Line managers must ensure all new employees receive induction training within their first week, including site-specific hazards."

Part 3: Arrangements

This is the "how" — the practical systems and procedures you have in place to manage risks.

What to include:

This section should cover all significant risks in your workplace and how you manage them. Common topics include:

General arrangements:

  • Risk assessment process
  • Monitoring and review
  • Accident and incident reporting and investigation
  • Emergency procedures (fire, first aid, evacuation)
  • Consultation with employees
  • Training and competence
  • Contractor management

Specific hazards (relevant to your business):

  • Fire safety
  • First aid provision
  • Manual handling
  • Display screen equipment (computers)
  • Work at height
  • Electrical safety
  • Hazardous substances (COSHH)
  • Personal protective equipment (PPE)
  • Workplace transport
  • Lone working
  • Noise and vibration
  • Stress and mental health
  • New and expectant mothers
  • Young persons
  • Violence and aggression
  • Asbestos (if present in building)
  • Legionella (if you manage water systems)
Tip:

Your arrangements section should be a living document that reflects what you actually do, not an idealised version copied from a template. Inspectors will check if your written arrangements match your real practices.

Example arrangement (Fire Safety):

"Fire Safety

  • A fire risk assessment is conducted and reviewed annually by [External Consultant Name/Internal Competent Person].
  • Fire detection and alarm systems are tested weekly by the Facilities Manager, with records kept in the fire log.
  • Emergency lighting is tested monthly, with full discharge tests annually.
  • Fire extinguishers are serviced annually by [Service Company].
  • Fire evacuation drills are conducted twice yearly, with findings recorded and acted upon.
  • All new employees receive fire safety briefing during induction.
  • Fire exits are checked daily to ensure they remain clear and accessible.
  • A designated fire marshal (or warden) is appointed for each floor/area.
  • The fire risk assessment and evacuation plans are available at [location]."

This shows:

  • What you do (assessments, testing, training)
  • How often you do it (annually, monthly, daily)
  • Who does it (roles, not just names)
  • Where records are kept
Warning(anonymised)

Company prosecuted for policy-practice gap

The Situation

A manufacturing company had a comprehensive health and safety policy stating that all machinery would be subject to regular maintenance and inspection. Following a serious injury, HSE investigation found that maintenance records were incomplete, several machines had defects, and the written procedures were not being followed.

What Went Wrong
  • Written policy promised regular maintenance schedules
  • In practice, maintenance was reactive and inconsistent
  • No one was specifically responsible for oversight
  • Employees were aware but felt pressure to keep production running
  • Policy had not been reviewed for 3 years despite changes in equipment
  • Management was unaware of the gap between policy and practice
Outcome

The company was prosecuted under Section 2 of HSWA 1974 and fined £120,000 plus costs. The court noted that the written policy created a higher standard against which the company was judged. The gap between what they promised and what they delivered was seen as evidence of poor safety culture.

Key Lesson

Your policy must reflect reality. Don't copy impressive-sounding procedures you can't sustain. It's better to have honest, modest arrangements that are actually followed than ambitious policies that exist only on paper. And ensure someone is accountable for checking compliance.

What makes a good policy?

It's proportionate

A one-person accountancy firm working from serviced offices doesn't need a 50-page policy covering confined spaces, radiation, and heavy machinery. Equally, a construction company shouldn't have a two-page generic policy.

Match the detail to the risks:

  • Low-risk office: 5-10 pages may be sufficient
  • Medium-risk retail or light manufacturing: 15-25 pages
  • High-risk construction, engineering, or chemicals: 30+ pages with appendices

It's specific to your business

Generic policies downloaded from the internet are obvious and useless. Good policies:

  • Use your company name, not "[Insert Company Name]"
  • Reference your actual premises, processes, and equipment
  • Name (or at least define roles for) real people
  • Describe your genuine arrangements, not theoretical best practice

It's accessible and understandable

Written in plain English, not jargon. Structured logically with headings and sections. Available where employees can actually read it (not just locked in the MD's office).

It's signed and dated

The statement of intent must be signed by the most senior person, with a clear date and next review date. This demonstrates commitment and currency.

It's reviewed and updated

Health and safety policies are not "write once and forget." They must be reviewed:

  • At least annually
  • When significant changes occur (new premises, equipment, processes)
  • After serious incidents
  • When legal requirements change
  • If inspection or audit identifies gaps
Key Point

An out-of-date policy can be worse than no policy. If your policy references people who left years ago, equipment you no longer use, or premises you've moved from, it signals that health and safety is not taken seriously.

Who needs to sign the policy?

The Statement of Intent

Must be signed by the most senior person in the organisation:

Limited companies: Managing Director, Chief Executive Officer, or most senior director

Partnerships: Senior partner or managing partner

Charities and voluntary organisations: Chair of trustees or chief executive

Schools: Head teacher (often countersigned by chair of governors)

Public sector: Chief executive, director, or equivalent accounting officer

Why seniority matters

The signature demonstrates:

  1. Board-level commitment — health and safety is not delegated away completely
  2. Accountability — the senior person is publicly associated with the policy
  3. Authority — signals to employees that this has top-level backing
  4. Legal compliance — Section 37 of HSWA 1974 allows personal prosecution of directors and senior managers for offences committed with their consent, connivance, or neglect
Warning:

A policy signed by a junior manager, HR administrator, or external consultant does not meet the spirit of the law. Inspectors will question whether the board really owns health and safety if they won't put their name to the policy.

What if the senior person is reluctant to sign?

This is a red flag. If your managing director or chief executive won't sign the health and safety policy, ask why:

  • Do they not understand it? (They should read and approve it before signing)
  • Do they think it's too ambitious? (Scale it back to what's realistic)
  • Do they not think health and safety is important? (They have a legal duty — this is not optional)

The signature is a legal requirement for policies under Section 2(3). If the senior person won't sign, the policy is not compliant.

How often should the policy be reviewed?

Legal requirement

The Act says "as often as may be appropriate" — there's no fixed interval. However:

Best practice: Review annually as a minimum, with documented evidence of the review.

Triggers for earlier review

You should review and update your policy whenever:

  1. Significant changes to your business:

    • New premises or major refurbishment
    • New equipment, processes, or substances
    • Organisational restructuring
    • Significant expansion or contraction
    • Change of senior personnel

  2. After serious incidents:

    • Major injury or dangerous occurrence
    • Near-miss that could have caused serious harm
    • Enforcement action (improvement or prohibition notice)
    • Prosecution or formal caution

  3. Changes in legislation or guidance:

    • New or amended regulations
    • Updated Approved Codes of Practice
    • Industry-specific guidance changes

  4. Audit or inspection findings:

    • HSE or local authority inspection identifies gaps
    • Internal or external audit recommendations
    • Insurance survey highlights issues

Policy Review Schedule

Annually
Scheduled policy review

Review all sections, update names/roles, check arrangements still reflect practice, obtain fresh signature and new date

After major changes
Event-triggered review

Immediate review if you move premises, introduce new high-risk activities, or restructure significantly

After incidents
Incident-driven review

Review relevant sections after accidents or near-misses to ensure arrangements are adequate

When prompted by authorities
Enforcement-driven review

Update immediately if inspector identifies gaps or if new regulations come into force affecting your business

Document the review

Keep a record of when you reviewed the policy and what (if anything) you changed. Simple log example:

Review DateReviewed ByChanges MadeNext Review Due
10/01/2024J. Smith (MD)Updated fire marshal names, added homeworking arrangements10/01/2025
15/03/2024J. Smith (MD)Added new warehouse procedures following expansion10/01/2025

This demonstrates that the policy is a living document, not a static compliance exercise.

Communicating the policy to employees

Having a written policy is pointless if your employees don't know it exists or what it says.

Legal requirement

You must "bring the statement and any revision of it to the notice of all of his employees."

This doesn't mean every employee needs to read every word of a 40-page document, but they must:

  • Know the policy exists
  • Know where to find it
  • Understand the key points relevant to their role
  • Be made aware when it's updated

Effective communication methods

Ways to Communicate Your Policy

Initial Communication (New Policy or Major Update)

  • Induction training for new starters
  • Team meetings to introduce the policy
  • Email to all staff with summary and link
  • Notice on physical and digital noticeboards
  • Include in employee handbook
  • Toolbox talks or safety briefings

Ongoing Accessibility

  • Copy available in staff common areas
  • Uploaded to company intranet or shared drive
  • Relevant sections in work area (e.g., kitchen, workshop)
  • Reference in safety training sessions
  • Discussed during performance reviews
  • Mentioned in safety campaigns or notices

Bottom line: Effective communication is not a one-off announcement. The policy should be woven into your workplace culture — referenced in training, visible in work areas, and reinforced through management example.

What about non-English speakers?

If you employ people who don't read English well, you must communicate the policy in a way they can understand:

  • Translate key sections into their language
  • Use visual aids, diagrams, or videos
  • Provide face-to-face briefings with interpreters if needed
  • Ensure safety-critical information is definitely understood
Key Point

Section 2 of HSWA 1974 requires employers to provide information, instruction, training, and supervision. If language barriers prevent understanding, you haven't met this duty. Take reasonable steps to ensure everyone comprehends key safety messages.

Evidence of communication

In the event of an incident or inspection, you may need to prove you communicated the policy. Keep records such as:

  • Induction training sign-off sheets
  • Email distribution lists and read receipts
  • Photos of noticeboards displaying the policy
  • Training attendance registers
  • Meeting minutes where policy was discussed

Small business exemption (under 5 employees)

If you employ fewer than 5 people, Section 2(3) does not require you to have a written health and safety policy.

What you still must do

The exemption is only from the written policy. You still have all the same health and safety duties:

  • Ensure the health, safety, and welfare of your employees (Section 2(1))
  • Protect non-employees affected by your work (Section 3)
  • Conduct risk assessments (Management of Health and Safety at Work Regulations 1999)
  • Implement control measures
  • Provide information, instruction, training, and supervision
  • Appoint a competent person
  • Consult with employees

Should you have a policy anyway?

Even if you're not legally required to, many small businesses choose to document their approach:

Benefits of a written policy for small businesses:

  • Clarity — forces you to think through your arrangements systematically
  • Consistency — ensures everyone knows what's expected
  • Evidence — demonstrates commitment if questioned by insurer, client, or inspector
  • Professionalism — reassures customers and employees that you take safety seriously
  • Preparation — if you grow to 5+ employees, you'll already have the foundation

Proportionate approach for micro-businesses:

You don't need 30 pages. A simple 2-3 page document covering:

  1. Brief statement of your commitment
  2. Who is responsible (probably you as the owner)
  3. Key arrangements (risk assessments, first aid, fire, reporting)

This takes a couple of hours to prepare using a template but gives you a solid foundation.

Success Story(anonymised)

Three-person consultancy documents their approach

The Situation

A small consultancy firm with 3 employees was not legally required to have a written health and safety policy. However, when bidding for a contract with a large corporate client, they were asked to provide evidence of their health and safety arrangements.

What Went Right
  • Prepared a simple 3-page policy covering their office and travel risks
  • Conducted and documented risk assessments for their main activities
  • Appointed the office manager as competent person (after IOSH training)
  • Kept basic records of training, fire drills, and equipment checks
  • Investment: about 6 hours of time and £400 for training
Outcome

They won the contract. The client was impressed that such a small firm took health and safety seriously. When they later recruited two more employees (taking them to 5), they already had a policy in place and just needed to update it. The initial investment paid for itself many times over.

Key Lesson

Even when not legally required, documenting your health and safety approach has business benefits. It's a mark of professionalism, can win you contracts, and prepares you for growth.

Self-employed and no employees

If you're genuinely self-employed with no employees, you don't need a health and safety policy.

Your duties under HSWA 1974

Under Section 3(2), self-employed persons must:

"Conduct his undertaking in such a way as to ensure, so far as is reasonably practicable, that he and other persons (not being his employees) who may be affected thereby are not thereby exposed to risks to their health or safety."

In practical terms:

  • Protect yourself — don't take unnecessary risks with your own safety
  • Protect others — ensure your work doesn't harm clients, members of the public, or other workers
  • Manage risks — assess what could go wrong and put controls in place
  • Comply with specific regulations — e.g., electrical safety, working at height, use of equipment

When working on others' premises

If you work on a client's site or in their building, you must:

  • Follow their health and safety rules
  • Co-operate with their arrangements
  • Not create risks for their employees or visitors
  • Provide information about any risks your work introduces

Similarly, the client or building owner has duties to you under Section 3 and Section 4.

When might you still want a documented approach?

Even without a legal requirement, some self-employed people prepare a simple health and safety document because:

  • Clients ask for it — particularly corporate or public sector clients tendering work
  • Insurance requires it — some insurers want evidence of risk management
  • Supply chain demands — if you're part of a larger project, the principal contractor may require documentation
  • Good practice — demonstrates professionalism and thought about risks

A simple 1-2 page document covering how you manage your main risks (e.g., driving, working at height, electrical tools, lone working) may be sufficient.

Common mistakes with health and safety policies

1. Copying a template without customisation

The mistake: Downloading a generic policy and just changing the company name, leaving placeholder text like "[Insert risk assessment process]" or references to hazards you don't have.

Why it's a problem: Inspectors spot generic policies immediately. It suggests you haven't thought about your actual risks and arrangements.

The fix: Use templates as a starting point, but make them specific to your business. Remove irrelevant sections, add details about your real processes, name actual people or roles.

2. Filing it and forgetting it

The mistake: Creating a policy to tick a compliance box, then never looking at it again until an inspector asks for it 5 years later.

Why it's a problem: An out-of-date policy is evidence that health and safety is not actively managed. It may reference people who've left, equipment you no longer have, or procedures you don't follow.

The fix: Schedule annual reviews in your calendar. Assign someone (competent person or senior manager) to review it and ensure it's current.

3. Making it inaccessible

The mistake: The policy exists only as a printed document in the MD's locked filing cabinet, or a file on someone's personal computer.

Why it's a problem: Employees can't read or refer to it. You haven't "brought it to their notice" as required by law.

The fix: Make it accessible — physical copies in common areas, uploaded to shared drives, referenced in induction, summarised on noticeboards.

4. Promising more than you can deliver

The mistake: Writing ambitious arrangements that sound impressive but aren't realistic for your organisation (e.g., "Weekly health and safety committee meetings" when you can barely manage quarterly).

Why it's a problem: Creates a gap between policy and practice. You'll be judged against the standards you set yourself. If you promise monthly inspections but don't do them, that's evidence of failure.

The fix: Be honest. Document what you actually do and can sustain. Modest, realistic arrangements that are followed are better than impressive-sounding promises that aren't.

5. No ownership or accountability

The mistake: Vague statements like "Everyone is responsible for health and safety" without specific roles or accountabilities.

Why it's a problem: When everyone is responsible, no one is responsible. Key tasks fall through gaps.

The fix: Define specific responsibilities clearly. Name roles (or job titles) and state exactly what each is accountable for.

6. Not involving employees

The mistake: The policy is written in a back office by HR or an external consultant, with no input from the people who actually do the work.

Why it's a problem: You miss practical insights. Employees don't buy in because it was imposed on them. Arrangements may not reflect reality on the ground.

The fix: Consult employees (or their representatives) when preparing or reviewing the policy. They often know the risks and practical solutions better than management.

Warning:

HSE inspectors are skilled at spotting the gap between written policies and real practice. They'll ask to see the policy, then walk the workplace and interview employees. If what you've written doesn't match what they see and hear, expect enforcement action.

UK regulatory context

Health and Safety at Work Act 1974, Section 2(3)

The requirement for a written health and safety policy comes from Section 2(3) of the HSWA 1974:

"Except in such cases as may be prescribed, it shall be the duty of every employer to prepare and as often as may be appropriate revise a written statement of his general policy with respect to the health and safety at work of his employees and the organisation and arrangements for the time being in force for carrying out that policy, and to bring the statement and any revision of it to the notice of all of his employees."

The Employers' Health and Safety Policy Statements (Exception) Regulations 1975

These regulations prescribe the exception: employers with fewer than 5 employees are not required to prepare a written statement.

Relationship to other regulations

While the policy requirement comes from HSWA 1974, your policy must reflect compliance with other regulations, including:

  • Management of Health and Safety at Work Regulations 1999 — risk assessment, arrangements for competent assistance, health surveillance
  • Workplace (Health, Safety and Welfare) Regulations 1992 — workplace conditions, facilities
  • Fire Safety Order 2005 — fire risk assessment and emergency procedures
  • Specific regulations relevant to your industry (COSHH, working at height, electricity, etc.)

Your policy's "arrangements" section should demonstrate how you comply with these regulations.

Enforcement

Failure to prepare a written policy (when required) or to bring it to employees' attention is a breach of Section 2(3) and can result in:

  • Improvement notice requiring you to prepare a policy within a specified time
  • Prosecution if you fail to comply
  • Fine (unlimited in Crown Court)

In practice, lack of a policy is often one of several breaches identified during an investigation following an incident or complaint.

Key Point

The policy itself is not the end goal — it's evidence of your systematic approach to managing health and safety. Inspectors care more about whether you actually manage risks effectively than whether your policy document is beautifully formatted. But the absence of a policy (when required) signals that health and safety may not be taken seriously.

Frequently asked questions

Yes. The law doesn't specify full-time equivalents. If you regularly employ 5 or more people at any one time, regardless of their hours, you need a written policy. For example, if you employ 8 people each working 20 hours per week (equivalent to 4 full-time), you need a policy because you have 8 employees.

If you regularly or predictably employ 5 or more people, you should have a policy. It's safer to prepare one if you're borderline. The law doesn't require daily recalculation — if your headcount fluctuates around the threshold, having a policy is sensible.

Yes, templates are a useful starting point and can save time. However, you must customise the template to reflect your actual business, risks, people, and arrangements. A generic template with just the company name changed is obvious and ineffective.

There's no set length. It should be proportionate to your risks and complexity. A low-risk office might have a 5-10 page policy; a construction company might need 30+ pages with appendices. Quality and relevance matter more than length.

Often it's drafted by your competent person (internal health and safety coordinator or external consultant) and then reviewed and approved by senior management. The key is that it reflects genuine consultation and buy-in from those who will implement it, and is signed by the most senior person.

Yes, as long as it's accessible to all employees. If some employees don't have computer access, you'll need printed copies available in workplaces. The requirement is to 'bring it to the notice of' employees — the format is flexible as long as it's genuinely accessible.

It's a breach of Section 2(3) of HSWA 1974. An inspector can issue an improvement notice requiring you to prepare one within a specified time. Failure to comply can lead to prosecution and an unlimited fine. More importantly, lack of a policy suggests poor health and safety management, which may lead to scrutiny of other areas.

Not necessarily. You can have one overarching company policy with site-specific appendices or arrangements. However, employees at each site must be aware of the arrangements relevant to their location. Multi-site organisations often have a corporate policy supplemented by site-specific procedures.

While not explicitly required for the policy itself, you have general duties to consult employees on health and safety matters (under the Health and Safety (Consultation with Employees) Regulations 1996 or the Safety Representatives and Safety Committees Regulations 1977 if there's a recognised union). In practice, involving employees improves the quality and buy-in of the policy.

The policy is your overall approach, organisation, and arrangements for managing health and safety. Risk assessments are specific evaluations of particular hazards or activities. The policy should include a commitment to conduct risk assessments and describe how you do them, but the assessments themselves are separate documents.

Next steps

If you need a written health and safety policy:

  1. Assess your risks — conduct or review risk assessments so you know what your policy needs to address
  2. Define organisation — clarify who is responsible for what in your business
  3. Document arrangements — write down how you actually manage the key risks (or how you will, if starting from scratch)
  4. Draft the statement — prepare the signed commitment from your senior person
  5. Consult employees — get input from those who do the work
  6. Finalise and communicate — obtain signature, date it, and make it accessible to all employees
  7. Schedule review — set a reminder for annual review (and review earlier if significant changes occur)

Need help creating a compliant, practical health and safety policy for your business? A qualified health and safety consultant can assess your risks, draft tailored arrangements, and ensure your policy reflects best practice and legal requirements.

Speak to a professional

Related articles:

Useful tools: