Every employer in the UK has a legal duty to protect the health, safety and welfare of their employees. This is not a matter of best practice or good intention. It is a statutory obligation, enshrined in the Health and Safety at Work Act 1974 and supported by a wide body of more specific regulations covering everything from manual handling and hazardous substances to electrical safety and work at height. Understanding what those obligations actually require in practice, and how to meet them without unnecessary complexity, is something every business manager and building owner should have a clear handle on.
The consequences of falling short are serious. The Health and Safety Executive has the power to issue improvement notices, prohibition notices and substantial fines. In cases involving serious injury or death, individual directors and managers can face personal prosecution. Beyond the legal exposure, a workplace incident carries reputational damage, disruption to operations, and a human cost that no insurance policy fully addresses.
The starting point for managing any workplace risk is a suitable and sufficient risk assessment. This is a requirement under the Management of Health and Safety at Work Regulations 1999 and applies to virtually every employer regardless of size or sector. For businesses operating premises where staff or contractors need to access rooftops, elevated structures or other areas at height, the risk assessment must specifically address those activities. In many cases the assessment will point towards a technical solution such as a horizontal safety line system, guardrails, or other permanent fall protection infrastructure as the appropriate control measure.
The Hierarchy of Control
UK health and safety law does not simply require employers to do something about risk. It requires them to do the right thing, in the right order. The hierarchy of control is the framework that structures this thinking and it applies across all categories of workplace hazard.
The first priority is elimination. If a task can be redesigned so that the hazard does not exist at all, that is always preferable to managing risk through protective measures. In practice, elimination is not always possible. Rooftop plant still needs to be maintained. Facades still need to be inspected. Gutters still need to be cleared.
Where elimination is not possible, the next step is substitution, replacing a higher-risk method with a lower-risk alternative. After that comes engineering controls, which are physical measures built into the workplace or equipment that reduce risk without relying on individual behaviour. Fall protection systems, machine guarding and local exhaust ventilation all fall into this category. Administrative controls, such as safe systems of work, permit-to-work procedures and supervision arrangements, come next. Personal protective equipment sits at the bottom of the hierarchy and should be seen as a last line of defence rather than a primary control measure.
This hierarchy matters practically because it shapes the way a risk assessment should be written and the way control measures should be selected and implemented. An employer who reaches immediately for PPE without first considering whether engineering controls are practicable is not applying the hierarchy correctly and may not be meeting their legal duty.
Conducting a Risk Assessment
A risk assessment does not need to be a lengthy document, but it does need to be thorough. For a small business with straightforward hazards, a few well-considered pages may be entirely sufficient. For a larger organisation or a more complex workplace, a more detailed assessment is appropriate.
The assessment should identify the hazards present, determine who might be harmed and how, evaluate the level of risk, taking into account existing controls, and then decide whether further action is needed. The findings should be recorded in writing for any business employing five or more people.
Critically, a risk assessment should be a genuine evaluation of the workplace rather than a form-filling exercise. Assessors need to actually observe the tasks being carried out, speak to the people doing them, and think carefully about what could realistically go wrong. Hazards that are not obvious from a desk review but which are well understood by the people on the ground will not appear in an assessment produced purely from a template.
Risk assessments should be reviewed whenever there is reason to believe they are no longer valid. A change in working practice, the introduction of new equipment, an incident or near miss, or simply the passage of time are all triggers for review. The law does not specify a fixed review interval but annual review is a sensible discipline for most workplaces.
Safe Systems of Work
A safe system of work is a formal procedure that defines how a particular task should be carried out safely, taking into account the hazards involved and the control measures in place. Safe systems of work are particularly important for non-routine or higher-risk tasks where the steps to be followed are not obvious and where deviation from the correct method could result in injury.
For tasks involving work at height, confined space entry, work near live electrical equipment, or the use of hazardous substances, a written safe system of work is usually essential. Permit-to-work systems are a more formal version of the same principle, adding a checking and authorisation stage that provides an additional layer of control for the highest-risk activities.
The value of a safe system of work depends entirely on it being followed in practice. A document that sits in a filing cabinet but is never consulted by the people carrying out the work offers very little protection. Employers need to ensure that safe systems are communicated, understood, and actively used, which means training, supervision and a workplace culture where following the procedure is the norm rather than the exception.
Training and Competency
Providing information, instruction and training is a fundamental employer duty. Workers cannot be expected to carry out their tasks safely if they have not been told about the hazards involved, shown the correct methods, and given the opportunity to demonstrate that they have understood and can apply what they have been taught.
Training needs vary by role. A worker who occasionally uses a step ladder to access a shelf needs a different level of instruction from one who regularly accesses an industrial rooftop using a fall arrest system. The level of training should be proportionate to the risk and the complexity of the work.
Competency is a broader concept than training. A competent person is someone who has the combination of knowledge, experience and skills needed to carry out a task safely. Training contributes to competency but does not guarantee it. Employers should assess whether people are actually able to apply their training effectively in the workplace before allowing them to work unsupervised on higher-risk tasks.
Records of training should be maintained. These serve both as evidence of compliance and as a practical management tool for identifying when refresher training or updates are needed.
Managing Contractors
Many workplace incidents involve contractors rather than direct employees. The legal position is clear: the occupier of premises retains responsibility for health and safety on those premises, including in relation to contractors working there. This does not mean the occupier takes over the contractor’s responsibility for their own people, but it does mean the occupier must satisfy themselves that contractors are competent, that the risks associated with their work have been considered, and that the interface between contractor activities and the rest of the workplace has been managed.
Before appointing a contractor, it is reasonable to ask for evidence of relevant qualifications, insurance, accreditations and experience. A contractor who cannot demonstrate competence in the specific type of work involved should not be engaged, regardless of price.
Once on site, contractors should be inducted into the site’s health and safety rules, advised of relevant hazards, and provided with any information they need to carry out their work safely. For higher-risk activities, a permit-to-work or formal coordination arrangement may be needed, particularly where contractor work could affect others on the premises.
Incident Reporting and Investigation
Certain workplace incidents must be reported to the Health and Safety Executive under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013, commonly known as RIDDOR. Reportable events include deaths, specified injuries such as fractures and amputations, injuries that result in a worker being incapacitated for more than seven consecutive days, and certain dangerous occurrences where no one was hurt but something went seriously wrong.
Beyond the legal requirement to report, there is a strong practical case for investigating all significant incidents and near misses, whether or not they are RIDDOR-reportable. A near miss is a valuable signal that something in the system of work, the physical environment, or the behaviour of individuals is not as it should be. Investigating it and addressing the root cause reduces the likelihood of a future incident where someone is actually hurt.
Investigations should focus on understanding causes rather than allocating blame. A blame-focused culture suppresses reporting, which means problems go unidentified and unaddressed. An organisation that treats incidents and near misses as learning opportunities is one that continuously improves its safety performance over time.
Documentation and Records
Good record-keeping supports effective health and safety management and provides evidence of compliance if questions are ever asked. Essential records for most businesses include risk assessments, safe systems of work, training records, maintenance and inspection logs for safety-critical equipment, incident and near miss reports, and records of any statutory inspections required under specific regulations.
Records do not need to be complex but they do need to be accessible and up to date. An outdated risk assessment that has not been reviewed following a change in working practice may be worse than no assessment at all, because it creates a false impression that the risks have been considered when in fact the relevant hazard has not been identified.
Building a Safety Culture
Compliance with health and safety law is necessary but not sufficient. A workplace where the rules are followed because people fear enforcement is a less safe workplace than one where safety is a genuine shared value. Building a positive safety culture requires visible leadership commitment, open communication about risk, genuine involvement of workers in safety decisions, and consistent application of standards across the organisation regardless of seniority.
Leaders who prioritise production targets over safety procedures, who make exceptions for themselves or for favoured individuals, or who respond to safety concerns dismissively, undermine the culture that effective safety management depends on. Conversely, leaders who take safety seriously, who are visible on the shop floor or in the field, who listen to concerns and act on them, and who recognise good safety practice, create an environment where people look out for each other.
Culture cannot be mandated but it can be shaped by the decisions and behaviours of people in positions of authority. The investment is worth making: organisations with strong safety cultures consistently outperform those without on every measurable indicator, including productivity, staff retention and legal compliance.
Final Thoughts
Meeting health and safety obligations in the UK does not require an army of specialists or an impenetrable library of documentation. It requires employers to think clearly about what could go wrong in their workplace, to put sensible and proportionate controls in place, to ensure that people know what they need to know to work safely, and to learn from things that go wrong.