Health & Safety Compliance for UK Employers: COSHH, Risk Assessments & Beyond
Published 24th June 2026 | 17 min read
UK employer health and safety compliance is the legal duty to protect the health, safety, and welfare of employees and others affected by the business, supported by the active management of risk assessments, hazardous-substance controls, training records, incident reporting, and document review. The legal framework is set by the Health and Safety at Work etc. Act 1974 and the regulations made under it; the operational reality is a set of recurring processes that HR teams typically own or coordinate in growing organisations.
This guide covers the core legal duties, the operational practices that meet them, and the technology choices that make compliance manageable and defensible across a workforce. It is written for HR managers, HR directors, business owners, and operations leaders who hold or share responsibility for workplace safety, not for safety professionals studying for a qualification.
Sources: Health and Safety at Work etc. Act 1974; Management of Health and Safety at Work Regulations 1999; Control of Substances Hazardous to Health Regulations 2002 (COSHH); Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR); HSE guidance at hse.gov.uk.
Core Health & Safety Obligations
The Health and Safety at Work etc. Act 1974
The Health and Safety at Work etc. Act 1974 (HSWA) is the foundation of UK workplace health and safety law. Section 2 places a general duty on every employer to ensure, so far as is reasonably practicable, the health, safety, and welfare at work of all employees. Section 3 extends a parallel duty to non-employees affected by the business, including visitors, contractors, and members of the public.
“So far as is reasonably practicable” is the operative test. It does not mean every conceivable measure must be taken regardless of cost or effort. It requires the employer to weigh the level of risk against the time, trouble, and expense of controlling it, and to take the action a reasonable employer would take in the circumstances. Where risk is high, the bar for what is reasonably practicable is also high. The HSE enforces the Act, alongside local authorities for certain sectors.
The general duty under Section 2 is filled in by specific regulations covering particular risks: the Management of Health and Safety at Work Regulations 1999 (which require risk assessment); COSHH for hazardous substances; the Manual Handling Operations Regulations 1992; the Personal Protective Equipment at Work Regulations 2022; the Health and Safety (Display Screen Equipment) Regulations 1992; and the Regulatory Reform (Fire Safety) Order 2005 for fire safety. An employer’s compliance position is the sum of how it meets all of these, not the general Act alone.
Understanding COSHH Regulations
The Control of Substances Hazardous to Health Regulations 2002 (COSHH) apply wherever work activities may expose employees or others to substances that can cause harm. The scope is wider than many employers assume. COSHH covers chemicals, fumes, dusts, vapours, mists, gases, asphyxiating gases, and biological agents such as bacteria, viruses, and fungi. It applies in offices and warehouses as well as laboratories and factories: cleaning products, photocopier toner, printer fumes, mould in poorly ventilated spaces, and dust from construction or refurbishment work all fall within scope.
COSHH does not cover asbestos, lead, or radioactive substances. Each of these is regulated under its own dedicated regime. Where an employer has potential exposure to any of these, the relevant separate regulations apply in addition to general health and safety law.
COSHH requires eight connected actions:
- Assess the risks from any hazardous substances used or generated by work activities
- Decide what precautions are needed before any work that may cause exposure
- Prevent or adequately control exposure — prevention is the priority; control is the fallback where prevention is not reasonably practicable
- Ensure control measures are used and maintained — a control measure that is not used or is allowed to deteriorate is no control at all
- Monitor exposure where the assessment shows it is necessary or where a workplace exposure limit applies
- Carry out health surveillance where the assessment indicates it
- Prepare plans and procedures for foreseeable accidents, incidents, and emergencies
- Ensure employees are properly informed, trained, and supervised — awareness alone is not training; training must be specific and recorded
Each COSHH assessment must be specific to the substances, activities, and people involved. Generic assessments copied from supplier safety data sheets without contextual adaptation do not meet the regulatory standard. The HSE’s common finding in COSHH inspections is not that no assessment exists, but that the assessment is generic, out of date, or not communicated to the people doing the work.
The Operational Roadmap for Compliance
Conducting and Updating Risk Assessments
Regulation 3 of the Management of Health and Safety at Work Regulations 1999 requires every employer to undertake a suitable and sufficient risk assessment of the risks to the health and safety of employees and others arising from work activities. Where the employer has five or more employees, the significant findings must be recorded; in practice, recording is operationally necessary regardless of size.
The HSE’s standard methodology is the five-step approach. It is straightforward in description but rigorous in execution:
| Step | What it covers | Practical detail |
|---|---|---|
| 1 | Identify the hazards | Walk through the workplace; consult employees; review accident and incident records; check manufacturer information for equipment and substances |
| 2 | Decide who might be harmed and how | Employees, contractors, visitors, and members of the public; consider people with specific needs such as new and expectant mothers, young workers, lone workers, and disabled employees |
| 3 | Evaluate the risks and decide on precautions | For each hazard, assess likelihood and severity; determine whether existing controls are adequate; identify what additional controls are reasonably practicable |
| 4 | Record significant findings and implement them | Document the hazards, the people affected, the controls in place, the additional actions required, and the persons responsible for each action |
| 5 | Review and update the assessment | At a defined interval (usually annually as a default), and whenever circumstances change — new equipment, new processes, an accident or near miss, a change of premises, or any other material change |
The most common risk assessment failure is not the absence of a document but its disconnect from the workplace it describes. An assessment completed two years ago that has not been reviewed since a new piece of equipment was introduced, or since a new team moved into the building, is not a current assessment regardless of how comprehensive it was at the time.
Risk assessments must be communicated to the people they affect. An assessment held by HR or the operations manager that the employees doing the work have never seen does not satisfy the regulatory intent. The control measures the assessment identifies have to be understood and followed at the operational level.
Managing Training and Competence
Training is one of the more visible parts of health and safety compliance, partly because the training requirements are clearly defined in individual regulations and partly because the consequences of untrained staff carrying out hazardous activities are immediate and obvious. The categories of training most employers need to manage include:
- Fire safety: staff awareness, designated fire wardens, and evacuation procedures under the Regulatory Reform (Fire Safety) Order 2005
- First aid: appointed persons or first aiders in line with the Health and Safety (First-Aid) Regulations 1981, based on the workplace first aid needs assessment
- Manual handling: for any role involving lifting, carrying, pushing, or pulling, under the Manual Handling Operations Regulations 1992
- Display screen equipment: for DSE users, under the Health and Safety (Display Screen Equipment) Regulations 1992
- Personal protective equipment: on the correct use, maintenance, and limitations of PPE, under the Personal Protective Equipment at Work Regulations 2022
- Role-specific training: working at height, confined spaces, food safety, lone working, asbestos awareness, and other categories driven by the specific risks of the role
Most categories have expiry dates: first aid certification typically lasts three years, fire warden refreshers are commonly annual or biennial, and role-specific training often has its own renewal cycle. The administrative challenge is not delivering the training; it is tracking who is trained on what, when their certification expires, and ensuring renewals are scheduled before the expiry date.
Consider a distributed team of forty staff across three sites. Each site has different role mixes: an office team in one location, a warehouse operation in another, and a mixed-use facility in the third. The HR manager needs to know, at any moment: who is a current first aider at each site (and is the coverage adequate?); whose manual handling training expires in the next ninety days; who has not yet completed the new starter induction; and which fire wardens are due for refresher training. Maintaining that picture in a spreadsheet is operationally possible but error-prone; the larger and more distributed the workforce, the wider the gap between what the spreadsheet shows and what is actually true.
Incident Reporting and Record-keeping
Three connected obligations apply to workplace incidents. First, the employer must maintain an accident book or equivalent record of workplace injuries, retained for three years from the date of the last entry. Second, where an incident meets the threshold for the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR), it must be reported to the HSE. Third, the employer should investigate to understand the cause and prevent recurrence.
RIDDOR-reportable incidents include:
- Deaths arising from work activities
- Specified injuries including fractures (other than fingers, thumbs, and toes), amputations, serious burns, loss of sight (temporary or permanent), and crush injuries causing internal organ damage
- Over-seven-day incapacitation — injuries causing the worker to be away from work, or unable to perform their normal duties, for more than seven consecutive days (not including the day of the accident)
- Occupational diseases including carpal tunnel syndrome, severe cramp of the hand or forearm, occupational dermatitis, hand-arm vibration syndrome, occupational asthma, tendonitis or tenosynovitis, and any cancer or biological disease attributed to a work exposure
- Dangerous occurrences — specified incidents that did not result in injury but could have done, such as the collapse of lifting equipment, the unintended ignition of explosives, or the release of biological agents
- Gas incidents including unsafe gas appliances or installations identified by registered gas engineers
Reports are made through the HSE online reporting system. Deaths and specified injuries must be reported without delay; over-seven-day incapacitation must be reported within fifteen days; certain occupational diseases must be reported as soon as the employer is informed by a doctor. Records of RIDDOR reports must be kept for three years.
Investigation is not strictly a RIDDOR requirement but is an essential operational discipline. An incident that is recorded and reported but not understood gives no protection against recurrence. The investigation should identify the immediate cause, the underlying contributory factors, and the corrective action required, with named owners and completion dates.
The Technology Foundation for Workplace Safety
Why Paper-Based Processes Fail
Health and safety record-keeping is well within the technical capability of spreadsheets, paper files, and email reminders. The reason these approaches accumulate gaps is operational, not technical.
- Missed renewals: a manual reminder system depends on someone remembering to check it. Once a calendar event is dismissed, a recurring task fades from view, or a spreadsheet is not opened for a month, the expiry slips past unnoticed
- Poor version control: a risk assessment held as a Word document on a shared drive can exist in three versions simultaneously, with different teams using different copies. The “current” version is whichever one someone happens to open
- Inconsistent ownership: a paper-based or fragmented system depends heavily on individuals. When the person who maintained the training spreadsheet leaves, the institutional knowledge of how it worked leaves with them
- Weak audit trails: producing evidence for an HSE visit, an insurance audit, or an Employment Tribunal claim requires assembling documents from multiple locations. The assembly itself is evidence that no integrated record existed
- Distance from operations: records held centrally that the people doing the work cannot easily access become invisible to the operations they are meant to govern. Compliance becomes an HR exercise rather than a workplace reality
The pattern is not that paper-based processes fail catastrophically. They fail gradually, through accumulating small gaps that only become visible at the point when they matter most: after an incident, during an HSE visit, or when a tribunal disclosure request lands.
How Centralised HR Systems Help
A centralised HR platform addresses these failure modes by changing where the records live and how they are surfaced. Documents are stored against the employee record rather than in a separate filing system. Training requirements are configured by role, so that the system knows what each employee should hold. Reminders are generated automatically against expiry dates. Ownership of each action is recorded and visible.
The supervisory and audit benefit is the production of a complete, exportable evidence trail in response to a request, rather than the assembly of one from fragmented sources. The operational benefit is that managers and employees see the current position in real time, rather than relying on the HR team to push it out to them.
How IRIS Supports Compliance
IRIS HR is a cloud-based HR platform that supports UK employers in managing the recurring compliance work that health and safety duties generate. The product is not a substitute for the employer’s judgement, the risk assessments themselves, or the qualified advice that complex situations require. It is the operating layer that holds the records together and surfaces what needs attention.
In the health and safety context, IRIS HR supports:
- Centralised document storage: risk assessments, COSHH assessments, method statements, policies, and procedures held against the relevant role, team, or location with version history
- Training matrix and tracking: the training each role requires is configured by job category; the system shows who holds current certification, what is approaching expiry, and what is overdue
- Automated reminders: renewals trigger alerts at configurable intervals before expiry, surfaced to the employee, the line manager, and the HR team
- Incident and accident logging: workplace incidents are captured against the employee record, with investigation notes, root cause analysis, and corrective action tracking
- Manager visibility: line managers see the compliance position of their direct reports without depending on HR-produced reports
- Audit-ready evidence: the integrated record produces a structured evidence pack on demand, with timestamps and named users against each entry
What the platform does not do, and should not be expected to do, is replace the underlying compliance work. The risk assessments still have to be carried out competently. The training has to be delivered to a competent standard. The incidents have to be investigated thoroughly. What well-configured HR software does is reduce the operational gap between what the employer’s policy requires and what is actually happening across the workforce.
Compliance record checklist: what an HR team should be able to produce on request
- A current general risk assessment for each site or activity, with the date of the last review
- COSHH assessments for each hazardous substance in use, with their associated control measures
- Fire risk assessment for each premises, with the date of the last review
- Training matrix showing required training by role and current status by employee
- Records of completed training with dates, providers, and certification expiry where applicable
- Accident book entries for the last three years
- RIDDOR reports submitted in the last three years, with supporting investigation notes
- Health and safety policy statement signed and dated, reviewed at a defined interval
- PPE issue records for roles requiring personal protective equipment
- Health surveillance records for any exposure requiring it (retention periods vary; up to 40 years for COSHH)
Health & Safety Compliance: Frequently Asked Questions
How often should workplace risk assessments be reviewed?
There is no fixed statutory review interval. Regulation 3 of the Management of Health and Safety at Work Regulations 1999 requires that risk assessments be reviewed if there is reason to suspect they are no longer valid, or where there has been a significant change in the matters to which the assessment relates. In practice, most employers adopt an annual default review cycle, with trigger-based reviews whenever something material changes: new equipment, new processes, new premises, an accident or near miss, a change in workforce composition, or a regulatory update. An assessment that has not been reviewed for several years is unlikely to be considered suitable and sufficient regardless of how well it was carried out originally.
What happens if COSHH obligations are not met?
COSHH breaches are enforced by the HSE through improvement notices, prohibition notices, and prosecution where the breach is sufficiently serious. An improvement notice requires the employer to take specific action within a stated period; a prohibition notice prevents an activity continuing until the risk is addressed. Prosecution can result in unlimited fines in the magistrates’ court for most offences, and unlimited fines and up to two years’ imprisonment for individuals on conviction on indictment. Beyond the legal consequences, COSHH failures can result in occupational ill health that affects employees over years or decades, with the corresponding personal injury claims and reputational consequences. The HSE’s enforcement approach is generally proportionate: employers who engage cooperatively and remediate quickly typically face a lighter response than those whose breaches are deliberate or persistent.
What records should employers keep for health and safety compliance?
Retention requirements differ by record type. Risk assessments should be retained at least until they are superseded by the next review. Accident book entries must be kept for three years from the date of the last entry. RIDDOR reports must be kept for three years. COSHH health surveillance records must be kept for at least forty years, reflecting the long latency period for some occupational diseases. Training records are typically retained for the duration of employment plus a reasonable period; specific retention periods may apply for industry-regulated training.
In practice, employers should retain records in a form that supports retrieval well beyond the minimum: an Employment Tribunal claim, a civil personal injury claim, or an HSE retrospective investigation may require records that pre-date the strict statutory minimum. Records that exist but cannot be retrieved within a reasonable period are operationally equivalent to records that do not exist.
Can HR software help track mandatory training renewals?
Yes. HR software designed for UK workforces typically supports a training matrix configured by role, with expiry dates against each certification and automated reminders triggered ahead of renewal. The benefit is not in the alerts themselves — a calendar can produce reminders — but in the integration: training requirements linked to job role, certifications linked to the employee record, expiry tracking linked to the line manager workflow, and the whole picture exportable as a compliance position at a point in time. Software supports the process; the employer remains responsible for ensuring the training is delivered, competently completed, and appropriately evidenced.
