Health and safety policy UK 2026: what it must contain (and why templates fail CHAS)

What a UK health and safety policy must legally contain in 2026: the three parts required under Section 2(3) of the Health and Safety at Work Act 1974, when you need one, the arrangements that matter, annual review, and why generic templates get rejected by CHAS and main contractors.

By Complys · 24 May 2026 · 12 min read

Do you legally need a health and safety policy?

If you employ five or more people, yes - and it is not optional. Under Section 2(3) of the Health and Safety at Work etc. Act 1974, every employer with five or more employees must prepare, keep up to date and revise a written statement of their general policy on health and safety, together with the organisation and arrangements in place to carry it out. You also have a legal duty to bring that policy, and any revisions, to the attention of your employees.

If you employ fewer than five people you are not legally required to write it down - but you still have a duty under the same Act to manage health and safety, and in practice you will struggle to win work without a written policy. Main contractors, principal contractors and accreditation bodies routinely ask for one regardless of headcount, because it is the document that shows you take safety seriously before you set foot on site. A two-person scaffolding firm bidding for subcontract work on a commercial site will be asked for a policy just like a fifty-person firm.

So the honest position for most UK trade businesses in 2026 is: whether the law strictly requires it of you or not, you need a written health and safety policy to get work. The question is not whether to have one, but whether the one you have will survive scrutiny when a main contractor or a CHAS assessor actually reads it.

The three parts every health and safety policy must contain

A compliant policy is not one document with a single statement. The Health and Safety at Work Act, reinforced by the Management of Health and Safety at Work Regulations 1999, requires three distinct parts. A policy that contains only the first part - the bit most templates get right - is not compliant, no matter how well written that first part is.

1. Statement of intent

This is the part most people picture when they think of a health and safety policy: a signed statement, by the most senior person in the business (the owner, managing director or CEO), setting out your commitment to the health and safety of your employees and anyone else affected by your work.

It should be clear and concise, and it should commit to specific things, not vague good intentions. A strong statement of intent commits to identifying the main hazards and adequately controlling the risks, providing and maintaining safe plant and equipment, providing the information, instruction, training and supervision people need, consulting employees on matters affecting their health and safety, providing and maintaining a safe working environment, and reviewing the policy regularly. It should commit to providing the resources to actually achieve those things, because an intent with no resources behind it is just words.

It is signed and dated by the senior person, and it gets re-signed when the policy is reviewed. An unsigned statement of intent, or one signed by someone who is not actually the senior person in the business, is one of the most common reasons a policy is queried or sent back. The signature is the point: it is the senior person personally putting their name to the commitment.

2. Organisation (responsibilities)

This part sets out who is responsible for what. It names the roles - the senior person with overall and final responsibility, the managers and supervisors with day-to-day duties, the competent person who provides health and safety advice (Regulation 7 of the Management Regulations requires you to appoint one), and the employees' own duties under Section 7 of the Act to take reasonable care of themselves and others and to co-operate with their employer.

It defines the reporting structure so it is unambiguous who answers to whom on safety, and who an employee raises a concern with. A policy that says "everyone is responsible for safety" without naming roles has not done this part. The organisation section is where an assessor checks that responsibility is real and assigned, not a slogan on a wall. On a construction site that chain of responsibility matters: it is what lets an inspector or a principal contractor see, in writing, who is accountable when something goes wrong.

3. Arrangements

This is the practical part, and the part generic templates handle worst. It describes how risks are actually managed in your business, day to day. The arrangements section is where the policy stops being a statement and becomes a working description of how your business operates safely - and it is where assessors and main contractors spend most of their reading time.

It has to be about your business and your trades, not a template's idea of a generic business. A scaffolder's arrangements look different to an electrician's, which look different to a groundworker's. If the arrangements could belong to any company, they belong to none, and a CHAS assessor will see that immediately.

The arrangements that actually matter

The arrangements section is where most policies are too thin. A proper one covers, at minimum, how your business handles each of the following - and says something specific about each, not just that it "has procedures in place".

  • Risk assessment. How you identify hazards and assess risk, who carries assessments out, how often they are reviewed, and how the findings reach the workforce.
  • RAMS (risk assessments and method statements). How you produce task-specific RAMS for the work you do, who writes them, who briefs them, and how workers sign off that they have read them. This is the operational link between the policy and the job.
  • Training and competence. How you ensure workers hold the right cards (CSCS, CISRS, ECS, Gas Safe and so on), how training needs are identified, and how records are kept and refreshed before they expire.
  • PPE. What PPE you provide, to what standards, how it is maintained and replaced, and how use is enforced on site.
  • First aid. How many trained first aiders you have, where the first aid provision is, and how it scales to the size and risk of each job.
  • Fire and emergency. Your fire risk arrangements, evacuation and muster points, and the emergency procedures for the specific risks your trades create.
  • Accident reporting and RIDDOR. How accidents, incidents and near misses are recorded, investigated and (where required) reported to the HSE under RIDDOR 2013.
  • Manual handling. How you assess and reduce manual handling risk under the Manual Handling Operations Regulations 1992.
  • Working at height. Your arrangements under the Work at Height Regulations 2005 - for many trades this is the single biggest risk, and the policy should show it is taken seriously.
  • COSHH. How hazardous substances - dust, solvents, silica, and trade-specific materials - are assessed and controlled under COSHH 2002.
  • Consultation. How you consult and involve employees on health and safety, as the law requires.
  • Contractors and subcontractors. If you use subcontractors, how you check their competence and compliance before they start - increasingly expected on any policy from a contractor who appoints others.

You do not have to write a chapter on each. But each needs a real, specific paragraph that reflects how your business actually works. The difference between a policy that passes and one that gets sent back is almost always in this section.

Trade-specific arrangements: why one policy does not fit all

The reason a downloaded template fails is that the arrangements section is generic by definition. The high-risk activities in your business are specific to your trade, and the policy has to name them.

A scaffolding firm's arrangements lead on work at height, the CISRS competence of the squad, SG4 safe systems for preventing falls during scaffolding work, manual handling of tube and boards, and the inspection regime for the scaffold. An electrician's arrangements lead on isolation and safe systems of work to the Electricity at Work Regulations 1989, test equipment calibration, and competence to the relevant scheme. A groundworks firm's arrangements lead on excavation, buried services under HSG47, confined spaces, and plant-pedestrian segregation. A roofer's arrangements lead on fragile surfaces, edge protection and HSG33.

A template that lists "working at height, manual handling, COSHH" generically for all of these misses what makes each trade's risk profile real. An assessor reading a scaffolder's policy expects to see scaffolding-specific arrangements. If they see the same generic paragraph they have read a hundred times, the policy is doing nothing to demonstrate that this particular business understands its own risks.

Health and safety policy vs RAMS: how they fit together

People often confuse the two, or think one replaces the other. They do not. The health and safety policy is the high-level, company-wide document: it says how your business manages safety in general, across everything you do. RAMS are task-specific and project-specific: each one says how a particular job, on a particular site, will be done safely.

The policy is the parent; the RAMS are the children. The arrangements section of your policy should say that you produce task-specific RAMS for your work - and then, on each job, the actual RAMS delivers on that promise. A main contractor checking your compliance will usually want both: the policy to see your general approach, and the RAMS to see how you will do their specific job. A business that has a good policy but generic RAMS, or good RAMS but no real policy, has a gap that compliance checks are designed to find.

Why generic templates fail CHAS and main contractors

The internet is full of free health and safety policy templates. The problem is the same one that affects generic RAMS: a template policy describes a generic business, and your business is not generic. Accreditation assessors and main contractors have read thousands of these documents, and a template is obvious within seconds.

CHAS, SMAS, SafeContractor and the other SSIP schemes assess your policy as part of accreditation. Contractors frequently fail or get sent back because of poor or outdated policies, missing arrangements, or a statement of intent that does not match the actual business. A policy that mentions hazards your trade does not have, omits the ones it does, or was clearly downloaded and barely edited, signals to an assessor that safety management on the ground is probably just as thin. Fair or not, the policy is read as a proxy for the safety culture behind it.

The specific failings that come up again and again:

  • Statement of intent not signed, or signed by the wrong person. It must be the senior person, signed and dated.
  • Arrangements that do not match the trade. Generic arrangements that never mention the actual high-risk activities the business carries out.
  • Out of date. A policy dated three years ago, never reviewed, referencing superseded regulations or a structure the business has outgrown.
  • No named competent person. The organisation section has to identify who provides the competent health and safety advice required under the Management Regulations.
  • Headcount and structure that do not match reality. A policy describing a management hierarchy the business does not actually have.
  • One part only. A statement of intent on its own, with no organisation or arrangements - common, and not compliant.

How often must a health and safety policy be reviewed?

There is no fixed statutory interval, but the duty is to revise the policy "as often as may be appropriate". In practice that means at least annually, and immediately whenever something significant changes: a change in the size of the business, the workforce, the work activities, the premises, the plant you use, or the law. A policy that has not been touched in years is a policy that no longer reflects the business, and an assessor will treat it that way.

Date every review, re-sign the statement of intent, and re-issue the policy to employees - and keep a record that you have done so, because being able to show the policy was current and communicated is part of the duty. A common, avoidable failure is a perfectly good policy that lapsed simply because no one diaried the review.

What a good health and safety policy looks like in practice

A policy that does its job is specific, current and signed. The statement of intent reads like the senior person actually wrote it and means it. The organisation section names real roles and a real competent person. The arrangements describe how this business - with its trades, its plant, its sites - actually manages the risks it creates, referencing the real procedures (risk assessment, RAMS, training, PPE, first aid, RIDDOR) rather than listing them generically.

It is also a living document, not a one-off. It is reviewed on a schedule, updated when the business changes, briefed to employees, and produced on request without a scramble. When a main contractor or a CHAS assessor asks for it, a good policy is handed over with confidence because it stands up to reading - and because the rest of the compliance behind it (the RAMS, the training records, the insurance) tells the same consistent story.

Writing it properly: the realistic options

There are three honest routes to a compliant health and safety policy.

Write it yourself from the HSE guidance. The HSE publishes free guidance and a template skeleton. Done properly, working through all three parts and genuinely tailoring the arrangements to your trades, this takes a competent person a full day or more, and it needs revisiting every year. It is free in money and expensive in time, and the quality depends entirely on the effort you put into the arrangements section. Most businesses that go this route end up with a thin arrangements section because that is the hard part.

Pay a consultant. A health and safety consultant will write a bespoke policy and usually include an annual review. The quality is high and it is genuinely tailored, but it is the most expensive route - typically a few hundred pounds for the policy, more for ongoing support - and you are dependent on the consultant for every update, however small.

Generate it from your business details. A tool that knows the three required parts, knows the trade-specific arrangements your work needs, and builds the policy around your business, premises and activities produces a tailored, compliant policy in minutes rather than days - and lets you update and re-issue it yourself whenever the business changes. This is what Complys was built to do: not hand you a template to wrestle with, but generate a company-specific policy with the statement of intent, organisation and arrangements written around the trades you actually do.

Frequently asked questions

How many employees before I legally need a written policy?

Five. At five or more employees a written policy is a legal requirement under Section 2(3) of the Health and Safety at Work Act 1974. Below five you still have to manage health and safety, but you are not legally required to write the policy down - though in practice most do, because clients and contractors ask for it.

Does a sole trader need a health and safety policy?

Legally, a genuine sole trader with no employees is not required to have a written policy. But the moment you take on work for a main contractor or apply for accreditation, you will almost certainly be asked for one. Many sole traders maintain a written policy purely to win work.

How long should a health and safety policy be?

Long enough to cover the three parts properly and no longer. For a small trade business that is typically a handful of pages: a one-page statement of intent, a short organisation section, and an arrangements section that genuinely covers the risks of your trade. Padding it out with generic content does not make it better - specificity does.

Who should sign the health and safety policy?

The most senior person in the business - the owner, managing director or chief executive. The signature is a personal commitment, so it has to be the person at the top, not a manager or an external consultant.

Can I just use a free template?

You can start from one, but you cannot leave it generic. The statement of intent must be signed by your senior person, and the arrangements must reflect your actual trades and risks. A template handed over unedited is the single most common reason a policy is rejected by CHAS or a main contractor.

The bottom line

A health and safety policy is a legal requirement for any UK business with five or more employees, and a practical requirement for almost everyone bidding for construction work. To stand up to CHAS, to main contractors and to the HSE, it has to contain all three parts - statement of intent, organisation and arrangements - and the arrangements have to be about your business and your trades, not a generic template's idea of one. Keep it signed, keep it current, review it at least yearly, and make sure your people have seen it.

If your current policy is a downloaded template you barely edited, treat that as a risk, not a saving. It is the first document an assessor reads, and the one most likely to get you sent back. A proper, company-specific policy is the foundation everything else - your RAMS, your accreditation, your tenders - is built on.

Build a company-specific health and safety policy with Complys

Complys generates a full health and safety policy built around your business, trades and arrangements - the three parts CHAS and main contractors expect, not a generic template you fill in. Edit, brand with your logo, download as a PDF.