For some, a “the more the better” approach prevails, with tomes of health and safety management documentation covering every conceivable hazard. For others it can be next to nothing – as we all too often see in the latest prosecutions making the news.

Advice from the Health and Safety Executive (HSE) states, ‘keep health and safety documents functional and concise, with the emphasis on their effectiveness rather than sheer volume of paperwork.’ While this signals something of a middle ground, with electronic systems offering the ability to capture everything and an increasingly “prove it” mentality to enforcement, the tendency is to “go large”.

So, environmentally as well as for health, safety and welfare, what is the right answer for your organisation? In considering that question we need to rephrase our initial enquiry from “how big is your health and safety management system?” to “how effective is your health and safety management system?”

When considering your health and safety management systems here are some aspects you may want to reflect on.

1. Who is doing what and why?

Setting a clear policy is critical to identifying the objectives of what you are looking to achieve and your statement of intent in approaching your management.

As with the Health and Safety at Work etc. Act 1974 your policy should be goal setting in nature. Your policy should also look to reflect your organisational culture and language and be clearly understood by your employees and others.

Look to reflect responsibilities too and the level of expectation placed on each level of management in achieving the goals. This further helps in considering where responsibility and ownership for areas of the premises or tasks starts and finishes – which is particularly important with multi-let premises or where you have or are tenants etc.

Your policy should be approachable, easy to read and absorb – a maximum of two pages of policy and responsibilities, with appended arrangements covering the specific risks, is much more likely to be read and used than a seventy-page tome (yes they do exist and you’d be surprised how many of them there are).

2. Risk management not risk assessment

The need to assess risk is fundamental for health and safety in the UK. Do remember, though, that it is the start, not the end, of the risk management process.

Your health and safety management system should be based on a risk register of activities relevant to your business and the potential hazards associated with them. Each element should be assessed and scored as to the effect and severity it could have if realised and then managed accordingly. The size of your risk register will of course depend on your organisational activities, locations and people.

Your risk register combined with your health and safety policy and responsibilities gives you the outline of what you need to manage. It will not only provide a focus for your arrangements but it will also eliminate aspects that are not relevant and so do not need to be considered or covered.

Each scored risk in addition provides its relative significance to your organisation and so offers a reasoned approach to its management – be it avoid, reduce, transfer or accept. As the management of each risk improves its score, so your risk register can be reviewed to keep it current.

3. Scheme away…

Where your risks need managing, arrangements including a written scheme of control should be produced - there are a number of options available to you through the various hierarchy of control models (acronyms including - ERICPD, DESIRESHIP, PIGSRISE, ESCAPE).

Again look to make these as usable as possible. Highlight why these issues need managing as well as indicating any specific factors relevant to your business/organisation.

Keep them succinct – people will only refer to long or complicated arrangements/control schemes when something has gone wrong and depending on what has been said versus what you are doing, these can be as much a hindrance as a help.

Include in these procedures not only what success looks like, but a description of the task(s), who is responsible for performing it, where it needs recording and how often it needs to be carried out. Where you have specific control measures in place, “what if” statements detailing what you should do if the parameter is out of control are also important and useful.

If you have a contractor performing any of these tasks on your behalf, vet what their procedures are saying to make sure they are at least to the standards you expect of your own organisation.

4. Training and competence

While competence is a mixture of training, experience and knowledge – attitude also plays a big part – there is a heavy reliance on training in most organisations.

For your higher risk activities as a minimum (using your risk register of course), develop a training matrix to cover the skill sets and information needed to perform that/those tasks competently.

Where you are using contractors at your site, ask the competence questions about the specific individuals performing the tasks, as well as the tasks themselves. If there is a lot or high turnover of people visiting your site, keep an even closer eye on this.

5. Check, inspect and monitor

Make sure your management is active and encourage not just the checks, inspections and monitoring covered by regulation, but build in audits of your own. Use your risk register to target particular areas/aspects and write these into the process too.

Incorporate a mechanism for reporting out of tolerance/out of control parameters and how these will be communicated and actioned (see previous section).

Be flexible: your performance history may indicate you need to be doing checks etc. over and above the “legal minimum”. If so, document in the procedure why you are taking such action.

6. Records

In most instances, as well as your policy and responsibilities you will need to record:

  • The significant findings of any risk assessments;
  • Your schemes of control and their implementation;
  • The results of all the checks, inspections and monitoring; and
  • Other relevant activities/information.

How you keep these is up to you, although the manner and ease with which you can retrieve the information you need is a good bellwether for how well the system is being managed.

Particularly with areas such as fire and Legionella, a considerable amount of ongoing records can be produced. For lifts and other periodically inspected items, you may not need as much space.

Whether you keep your records electronically or in hard copy, keep them you must. So when contractors change, where they have been the focus for checking and inspecting on your premises, make sure they are not leaving with the information and records you may need to rely on at some point in the future.

In recent years there has been an increase in “compliance management” software tools and systems available for organisations to buy and use. These can vary in nature and sophistication from simple document storage to an all singing and dancing integrated management system (and everything in between).

They can and do provide an excellent management tool but, like all software, they rarely exactly match need and degrees of tailoring are required. It is imperative you understand fully what you want to achieve from the system once implemented, so you don’t overcomplicate it and/or create a data monster.

Also, don’t over-rely on it; the system will only ever be as good as the information you are putting into it and the quality/accuracy of reporting it produces. It needs to be challenged and it needs to be managed. How much direct support do you get from your service provider and to what level?

7. Review

This is not about what you’ve done, but what you’ve learned. Whether formally as part of an annual review or systems assessment, or just as a check, look at what’s been done/recorded and how this relates to your policy aims and objectives.

Do your risk assessments remain relevant? Are your schemes of control effective? Do your checks and inspections indicate control is being maintained/managed?

Document it. 

8. Standardising your approach

Different organisations apply different mechanisms for managing business process. Some like to formalise it through certification, others prefer an informal system and there are those who by virtue of their business type are tied into a process.

For health and safety the same is true. You can:

  • Adopt a standardised approach, through for example ISO 45001:2018 Occupational health and safety management systems (this was previously OHSAS 18001);
  • Develop your own informal/in-house standards and procedures; and
  • Recognise a sector-specific framework such as the Energy Institute’s High-level framework for process safety management or Chemical Industries Association's Responsible Care framework.

Whatever system you use it must work for you and be designed and implemented in a way where you manage the system and not the other way around.

Assurity Consulting are leading experts in workplace health, safety and environmental compliance. We have provided help and advice on an extensive range of health and safety topics to organisations all over the UK. If you feel that there are areas of your workplace health and safety management systems that need reviewing, please contact us on tel. +44 (0)1403 269375 or email us
