
If you’re drafting a health and safety policy for the first time — or you’ve dug out an old template and realised it doesn’t match your business anymore — you’re not alone. For many UK SMEs, the challenge isn’t wanting to do the right thing. It’s knowing what needs to be in the policy, what belongs in risk assessments, and how to keep everything practical (not paperwork for paperwork’s sake).

HSE’s message is straightforward: every business needs a policy for managing health and safety, and if you have five or more employees it must be written down.

This guide breaks it down into a simple structure and health and safety checklist you can use today.

What a health & safety policy is (and what it isn’t)

Think of your policy as the “how we manage health and safety” document. It sets out your overall approach, who is responsible for what, and the systems you use to manage risks.

A policy is not the same as a risk assessment. Your policy explains your commitment, responsibilities, and your arrangements for managing safety day to day. Your risk assessments identify specific hazards (like slips, manual handling, stress, COSHH, fire) and record the control measures you’ll use to reduce risk.

In other words: the policy is the framework; the risk assessments are the detail.

The 3 core sections your policy should include

HSE’s small business guidance breaks a policy into three main parts: a statement of intent, an organisation section, and an arrangements section.

1) Statement of intent (your commitment)

This is your opening statement. It’s where senior leadership sets the tone: “this matters here, and we’re taking it seriously”.

Your statement of intent should clearly confirm that you’re committed to protecting employees and anyone else affected by your work, such as clients, visitors, and contractors. It should also state that you’ll meet legal requirements and manage risks in a sensible, proportionate way, and explain your commitment to consultation and communication so staff know how they’ll be involved.

Finally, it should be signed and dated by the most senior person in the business (for example, the owner, a director, or the MD) and include a review date — ideally with a commitment to review annually and after any significant change.

Tip for SMEs: keep it short, human, and specific. Generic statements don’t build confidence and rarely reflect reality.

2) Organisation (who does what)

This section answers a simple question: who is responsible for health and safety in your business and what does that actually mean in practice?

HSE expects your policy to clearly say who does what, when and how.

Include:

  • Named responsibilities for directors/owners, managers/supervisors and employees
  • Who provides competent health and safety support (internal or external)
  • Who completes and reviews risk assessments
  • Who investigates accidents and near misses
  • Who manages contractors and visitor safety (if relevant)

Tip for SMEs: naming roles without naming people often leads to gaps (“someone” becomes “no one”). Put names in, and review them when roles change.

3) Arrangements (how you manage risks day to day)

This is usually the largest section, because it describes the processes you use to control risk. It should link directly to your risk assessments, training, and procedures.

A good SME arrangements section usually covers:

  • How you complete, record, and review risk assessments
  • How you train, induct, and supervise staff
  • How you report and investigate accidents, incidents, and near misses
  • Emergency arrangements (fire, first aid, evacuation)
  • How you communicate safety information and consult staff
  • How you monitor compliance (checks, inspections, audits)

A simple SME checklist: what to include in the “arrangements” section

Use this checklist to sense-check your policy. You won’t need every item, but you should be able to justify what you do and don’t include based on your business risks.

Core arrangements most SMEs should include

  • Risk assessment process (who, when, how often, how changes are handled)
  • Induction and training (including refresher training and record keeping)
  • Accident/incident/near miss reporting and investigation
  • First aid arrangements (cover, locations, how to get help)
  • Fire safety arrangements (evacuation, drills, responsibilities, testing)
  • Workplace inspections and basic monitoring (how you spot issues early)
  • PPE/workwear rules (if needed) and how it’s managed
  • Contractor management (selection, supervision, permits where required)
  • Young workers, new/expectant mothers, and vulnerable worker considerations (where relevant)

Additional topics to include where relevant to your risks

You should also include any additional topics that are relevant to your specific risks. For example, if you use hazardous substances, including everyday cleaning chemicals, you’ll need to cover COSHH arrangements.

If your team lifts, carries, delivers goods, or moves people or equipment, your policy should reference how you manage manual handling risks.

Where staff work at screens (whether in the office, at home, or in a hybrid set-up), include your approach to DSE assessments and controls. If anyone drives as part of their job, outline how you manage driving for work safely. And if workload, lone working, or organisational change could affect wellbeing, make sure you address work-related stress and mental health as part of your overall risk management approach.

Keep it practical: if it’s in the policy, you should be able to show it happens (training records, checks, completed assessments, drill logs). Otherwise, it becomes a risk in itself.

Common mistakes SMEs make (and how to avoid them)

These are the issues that most often cause problems during client audits, insurer questions, or after an incident. A common one is relying on a generic template that hasn’t been tailored to your specific work activities, premises, or risks.

Another is failing to assign clear, named responsibilities, or keeping names in place long after roles have changed. Many SMEs also miss the basics by leaving out a review date and not setting trigger points for updating the policy.

Even when the policy is well written, it can still let you down if it hasn’t been properly communicated to staff (because a document sitting in a folder doesn’t count). Finally, there’s often confusion between the policy and risk assessments: your policy should set the framework, not try to list every hazard in the business.

HSE’s own guidance emphasises that your policy should explain how you will manage health and safety and who does what — it’s meant to be used, not filed away.

When should you review your policy?

At a minimum, build in an annual review, plus reviews after significant change — such as new equipment, new processes, growth, relocation, incidents, or changes in working arrangements.

If you’re not sure whether your policy still reflects reality, that’s a good sign it’s time for a proper review.

How The Health & Safety Dept can help

If you want a policy that’s compliant, practical, and tailored to your business, The Health & Safety Dept can support you with:

  • Bespoke policy drafting (written around your activities, premises and risks)
  • Gap analysis against what you have in place now
  • Competent person support if you need ongoing guidance and updates
  • Policy review and refresh so your documentation stays current and defensible

If you’d like, we can review your existing policy and tell you, plainly, what’s missing, what’s out of date, and what needs tightening — without drowning you in paperwork.