TL;DR
- If your organization has restructured, merged, or changed leadership → your health and safety policy almost certainly references roles, reporting lines, and responsibilities that no longer exist. Review immediately.
- If legislation has changed and you haven’t checked your policy against it → you may be enforcing arrangements that no longer meet the legal standard of “reasonably practicable.” Review against the current legislative register.
- If more than 12 months have passed since the last documented review → you are outside the minimum review frequency accepted by HSE UK, ISO 45001 audit practice, and OSHA recommended guidance. Schedule the review now.
- If an incident investigation or audit has identified a systemic gap → a procedural fix alone is insufficient. Ask whether the policy framework itself failed to require the right controls. Review at policy level.
A health and safety policy should be reviewed whenever a significant change occurs — organizational restructuring, new legislation, incidents, changes in personnel or work methods — and at minimum annually, as recommended by the HSE (UK), ISO 45001, and OSHA (US). The review ensures the policy remains legally compliant, operationally relevant, and effective at protecting workers from current hazards.
In 2024/25, HSE prosecutions in Great Britain resulted in a 96% conviction rate and fines exceeding £33 million (HSE Annual Report, 2025). Behind many of those enforcement outcomes sits a document that was supposed to prevent harm: the organization’s health and safety policy. When regulators request that policy — and its review history — during an investigation, what they find often tells the governance story before a single witness is interviewed. An undated policy, an unsigned statement of intent, or a review record that shows nothing but annual signatures with no substantive evaluation — these are not the cause of the incident, but they are powerful evidence of a management system that stopped paying attention.
That gap between a policy that exists on paper and a policy that governs operations is precisely what a review is designed to close. This article sets out 12 specific reasons that should trigger a review of the health and safety policy, organized into scheduled and event-driven categories, and follows them with practical guidance on how to conduct a review that produces documented, auditable, defensible evidence of governance. Whether you are managing compliance under UK law, aligning with ISO 45001, or building a safety program against OSHA’s recommended practices, the triggers are largely the same — and so are the consequences of ignoring them.
What Is a Health and Safety Policy Review?
A policy review is a formal, documented evaluation of whether the health and safety policy remains suitable, adequate, and effective for the organization’s current operations, hazard profile, and legal obligations. That definition matters because it distinguishes three activities that are routinely conflated: endorsement, review, and revision.
Endorsement is a signature — senior management confirming they have seen and approved the policy. Review is the substantive evaluation process: examining the policy’s content against current operations, legislation, incident data, and organizational structure to determine whether it still reflects reality. Revision is the act of changing the policy where the review identifies gaps. A review may conclude that no revision is needed — but the review itself must still happen and must still be documented.
Under UK law, Section 2(3) of the Health and Safety at Work etc. Act 1974 requires employers to prepare and revise “as often as may be appropriate” a written statement of general health and safety policy. The Management of Health and Safety at Work Regulations 1999, Regulation 5, reinforces this by requiring arrangements for the effective planning, organisation, control, monitoring, and review of preventive and protective measures. ISO 45001:2018 Clause 9.3 requires top management to review the OH&S management system at planned intervals, with the OH&S policy explicitly listed as an input to that review. OSHA’s Recommended Practices for Safety and Health Programs (OSHA 3885, 2016) recommend reviewing the entire safety program — including policy — at least annually and whenever a significant change occurs.
The practical output of a meaningful review should include three things: a documented assessment of what was evaluated, a decision record capturing what was changed and what was retained (and why), and a communication plan for informing the workforce. The most frequent non-conformity raised in ISO 45001 audits on this topic is not the absence of a policy — it is the absence of evidence that the policy was actually evaluated. The signature page is updated. The date changes. But no record exists of what questions were asked, what data was examined, or what conclusions were drawn.
| Activity | What It Involves | What It Produces |
|---|---|---|
| Endorsement | Senior management signs/approves | Signed statement of intent |
| Review | Systematic evaluation against current operations, law, and data | Documented assessment, decision record |
| Revision | Amending policy content where review identifies gaps | Updated policy sections, communication plan |

Why Should You Review Your Health and Safety Policy?
The legal obligation to review is clear across jurisdictions, but the operational case runs deeper than compliance alone. A health and safety policy is not an archive document — it is the governance framework that determines how risk is identified, who is accountable, and what arrangements are in place to prevent harm. When that framework falls out of alignment with the organization’s actual operations, the gap creates uncontrolled exposure.
The scale of what is at stake is measurable. In Great Britain alone, 40.1 million working days were lost to work-related ill health and injury in 2024/25, with the estimated annual cost reaching £22.9 billion (HSE, 2025). These figures represent the aggregate outcome of every workplace where controls were either absent, insufficient, or — critically — present on paper but disconnected from operational reality. A policy that has not been reviewed is a policy that may no longer describe the organization it governs.
Beyond the human and financial cost, an unreviewed policy creates specific downstream failures. Insurance providers increasingly request evidence of policy review dates and documented management review outputs during renewal due diligence. Pre-qualification schemes — CHAS, SafeContractor, Constructionline — require demonstrable policy currency as a condition of approval. A prosecution defence built on “we had a policy” collapses when the prosecution demonstrates that the policy had not been reviewed in three years and referenced legislation that had since been amended.
HSE’s Plan-Do-Check-Act guidance on reviewing performance positions policy review within the “Act” phase of the PDCA cycle — the point where monitoring and investigation findings are fed back into the management system to drive improvement. The judgment call for any organization is straightforward: review the policy proactively and on schedule, or wait for an incident, an enforcement notice, or an auditor to reveal that it no longer governs anything.
Watch For: Organizations with the weakest review discipline are often those that have not had a serious incident. The absence of incidents breeds complacency about the policy’s relevance — when the reality may be that luck, not governance, is holding the line.
12 Reasons For A Review Of The Health And Safety Policy
The triggers for reviewing a health and safety policy fall into two categories. Scheduled reasons are time-based — they apply regardless of whether anything has visibly changed. Triggered reasons are event-driven — they respond to a specific change, finding, or external input that alters the context in which the policy operates.
This distinction matters because most organizations handle triggered reviews reasonably well when the trigger is obvious (a major incident, a new regulation), but fail to recognize the subtler triggers — and almost universally underperform on scheduled reviews, treating them as a signature exercise rather than a substantive evaluation.
The 12 reasons below are numbered for reference, not ranked by importance. Any single trigger is sufficient grounds for a full review.

1. Significant Organizational Changes
Mergers, acquisitions, restructuring, downsizing, site closures, and expansions into new operational areas all fundamentally alter the context in which a health and safety policy operates. A policy written for a single-site manufacturing business does not govern a multi-site operation that now includes warehousing, distribution, and a newly acquired chemical processing division.
ISO 45001 Clause 6.1.1 requires organizations to determine risks and opportunities arising from changes to the OH&S management system — and organizational restructuring is among the most significant changes a system can undergo. Workflow changes introduce new interfaces between departments. Role changes shift supervisory accountability. Facility changes bring new physical hazards, different building services, and altered emergency egress.
The failure mode here is predictable: post-merger policy integration is routinely delayed six to twelve months because both legacy organizations assume the other’s policy governs transitional operations. Neither policy fully applies. Workers operate in a governance gap where accountability is ambiguous, reporting lines are unclear, and risk assessments reference processes that no longer exist in their pre-merger form.
2. Changes in Key Personnel
When directors, managing directors, HSE managers, competent persons, or safety representatives change, the policy’s ownership and enforcement structure changes with them. New senior management may bring different risk tolerance, different safety priorities, and different expectations for how safety is resourced.
The most common and most easily avoidable failure is the “named person” gap. Policies routinely reference specific individuals by name and title — the health and safety director, the competent person, the emergency coordinator. When those individuals leave the organization, the policy continues to assign responsibility to someone who is no longer there. This creates a chain-of-accountability gap that any regulator will identify immediately during an inspection.
Read practically, Regulation 7 of the UK Management of Health and Safety at Work Regulations 1999 requires employers to appoint competent persons to assist with health and safety arrangements. When the appointed person changes, the policy arrangements section must reflect that change, not six months later when someone notices during an audit, but as part of the personnel transition itself.
3. Legislative or Regulatory Updates
Changes in statute, regulation, approved codes of practice, and regulatory guidance documents are among the most straightforward triggers for policy review — yet organizations consistently miss them. The reason is that most compliance tracking focuses on headline legislation while overlooking updates to approved codes of practice and guidance notes, which often carry quasi-legal force and can shift the standard of “reasonably practicable” without primary legislation changing.
In the UK, legislative changes are typically implemented on Common Commencement Dates in April and October. A current example is the UK Terrorism (Protection of Premises) Act 2025 — commonly known as Martyn’s Law — which received Royal Assent in April 2025 with a two-year implementation period (Osborne Clarke, 2026). This creates a new legislative trigger requiring many organizations to review their health and safety policies for security and emergency planning obligations that did not previously exist.
In the US, OSHA standards updates and new National Emphasis Programs (NEPs) similarly require policy-level assessment. Within the EU, Framework Directive 89/391/EEC, Article 6, requires employers to adapt preventive measures to account for changing circumstances — a provision that member states transpose into national law with varying specificity.
The assessment should cover both direct applicability (does the new regulation apply to our operations?) and indirect impact (does the change alter the interpretation of existing arrangements even if it doesn’t directly regulate us?).
4. Introduction of New Work Methods or Technologies
Adopting new machinery, automation systems, AI-driven processes, collaborative robots, drone inspection programmes, or new chemical processes changes how work is performed — and therefore changes the hazard profile that the policy must govern.
The gap that consistently appears is between risk assessment and policy. Organizations frequently update their risk assessments when new equipment is introduced — as they should — but neglect to cascade those changes upward into the policy’s arrangements section. The risk assessment is current. The safe system of work is current. But the policy that is supposed to establish the framework requiring those assessments and safe systems has not been updated to reference the new activity, the new competency requirements, or the new training obligations.
Under UK PUWER (Provision and Use of Work Equipment Regulations 1998), employers must ensure work equipment is suitable, maintained, and that users are adequately trained. When new equipment introduces hazards not addressed in existing policy arrangements, the policy review must determine whether the current framework is sufficient or whether new arrangements are needed.
5. Changes to Working Arrangements or Processes
This trigger covers how work is organized rather than what tools are used: shift pattern changes, introduction of remote or hybrid working, hot-desking, increased reliance on temporary workers, contractor management changes, and alterations to procedural workflows.
Post-pandemic hybrid working policies were bolted on as addenda in many organizations rather than integrated into the core policy arrangements. The result is a disconnect between the “main” policy — which implicitly assumes site-based work — and the working reality of a significant proportion of the workforce. DSE assessment obligations, lone working arrangements, mental health and wellbeing provisions, and emergency contact procedures all require different treatment for remote workers, and those differences should be reflected in the policy framework, not buried in a supplementary document that half the workforce has never seen.
Multi-employer worksites create additional complexity. When contractor management arrangements change — new principal contractors, different supply chain structures, or revised permit-to-work systems — the policy must address how shared duties of care are coordinated.
6. Employee Consultation and Feedback
The legal obligation to consult employees on health and safety matters exists across all major jurisdictions. In the UK, this is established through the Safety Representatives and Safety Committees Regulations 1977 and the Health and Safety (Consultation with Employees) Regulations 1996. EU Framework Directive 89/391/EEC, Article 11, requires balanced participation and consultation. ISO 45001 Clause 5.4 mandates worker participation and consultation in the development, planning, implementation, performance evaluation, and actions for improvement of the OH&S management system.
What makes employee feedback a policy review trigger — rather than merely a consultation box to tick — is that frontline workers are uniquely positioned to identify mismatches between the written policy and daily operational reality. The most meaningful policy improvements often come not from top-down audit findings but from workers reporting that a procedure described in the policy is not how the work is actually done, or that a hazard the policy does not address is a routine part of their shift.
Audit Point: When ISO 45001 auditors assess Clause 5.4 compliance, they look for evidence that consultation outputs are fed into the management review process. A policy review that does not reference employee feedback as an input is missing a required element.
Organizations that treat consultation as a genuine input — rather than a record-keeping exercise — produce policies that workers actually follow, because the policy reflects the work rather than an idealized version of it.
7. Findings from Risk Assessments or Incident Investigations
Post-incident root cause analysis should distinguish between individual errors and systemic policy failures. The question is not only “what went wrong?” but “does our policy framework adequately address this category of risk, or did the system fail because the policy was silent on it?”
Risk assessment reviews identifying new or changed hazards not addressed in the current policy, near-miss trend analysis revealing emerging risk patterns, dangerous occurrence reports under RIDDOR, and health surveillance data suggesting occupational health risks not captured in the policy — all of these constitute evidence that the policy may no longer be fit for purpose.
The failure mode is consistent across organizations: incident investigation recommendations focus exclusively on immediate corrective actions. Fix the broken guard. Retrain the operator. Add a warning sign. These are necessary, but they address the proximate cause. The governance-level question — whether the policy arrangements section required the right controls in the first place — is rarely asked. If the answer is that the policy was silent on the activity, the equipment, or the hazard that caused the incident, then a procedural fix is treating a symptom while the systemic gap remains open.
In Great Britain, 124 workers were killed in work-related incidents in 2024/25, and 1.9 million workers suffered from work-related ill health — the highest figure on record (HSE, 2025). Behind each of those numbers is a chain of causation that, in many cases, traces back through inadequate risk assessment, insufficient arrangements, and — at the governance level — a policy framework that did not require the right controls for the right hazards.
8. Updated Information from Manufacturers or Suppliers
Safety data sheet (SDS) revisions, product safety alerts, equipment modification notices, and manufacturer-issued recall or advisory notices all constitute new hazard information that must be assessed against the current policy.
Under COSHH (Control of Substances Hazardous to Health Regulations 2002), a revised SDS that reclassifies a substance or changes its exposure limits requires reassessment of the COSHH assessment — and if the substance is used in a process governed by the policy’s arrangements, the policy must reflect the updated control requirements. Under PUWER, manufacturer advisory notices about equipment may alter maintenance schedules, training requirements, or operational restrictions.
The vulnerability is almost always an information silo. Manufacturer safety updates are received by procurement or maintenance departments and filed appropriately within those departments. But the information never reaches the person responsible for policy review. The data exists within the organization; the governance failure is that no mechanism connects it to the policy review process.
9. Insurance Company Advice or Requirements
Employers’ liability insurance conditions frequently reference policy adequacy as a coverage requirement. Insurer loss prevention surveys identify gaps. Premium calculations increasingly factor in evidence of safety governance, including policy review frequency and management review documentation.
The practical intersection between insurance compliance and health and safety policy review is often underestimated. A policy with no documented evidence of review is a red flag during renewal due diligence. Insurers do not simply ask whether a policy exists — they ask when it was last reviewed, what the review assessed, and whether identified gaps were closed. An evidently unreviewed policy can affect coverage terms, premium loadings, and — in the event of a claim — the insurer’s willingness to defend.
Field Test: During your next insurance renewal, check whether your broker has requested your policy review records. If they have not, ask them whether your insurer’s terms include a policy currency condition. Many organizations discover this condition only after a claim is challenged.
10. External Audit or Inspection Findings
ISO 45001 certification audit findings, client or contractor audit findings, HSE inspector observations, and third-party accreditation body reports all generate data that should feed into the policy review process.
A distinction exists between non-conformities that directly reference the policy — “the OH&S policy does not include a commitment to worker consultation as required by Clause 5.2(e)” — and those that reveal policy gaps indirectly. An auditor may flag a missing risk assessment for a specific activity. The organization writes the assessment, closes the non-conformity, and moves on. But nobody asks whether the policy arrangements section even required a risk assessment for that activity in the first place. If it did not, the root cause is a policy gap, and closing the non-conformity at the procedural level leaves the systemic vulnerability intact.
Client pre-qualification audits through schemes such as CHAS, SafeContractor, and Constructionline require demonstrable policy currency as a condition of approval. Loss of pre-qualification status can directly affect contract eligibility and revenue.
11. Enforcement Action by Regulators
An improvement notice, prohibition notice, prosecution, or fee-for-intervention (FFI) invoice is the strongest possible signal that the policy framework is inadequate. Enforcement action under Sections 21–22 of the UK HSWA 1974, or OSHA citations under the US regulatory framework, demands immediate and comprehensive policy review — not just a procedural response to the specific breach.
Sites cited under a specific regulation should examine not only the area of breach but the entire policy arrangements section. The reasoning is straightforward: if one area of the policy failed to keep pace with operational reality, there is a high probability that adjacent areas are similarly outdated. An enforcement notice targeting inadequate confined space procedures should prompt the question: are our working at height arrangements, our COSHH arrangements, and our contractor management arrangements equally current — or has the same drift affected them too?
Court-imposed requirements following prosecution may include specific obligations regarding management system review, competent person appointments, and documented evidence of governance improvement. These become binding conditions that the policy must address.
12. Time Elapsed Since the Previous Review
The scheduled annual review is the safety net that catches gradual drift even when no single discrete trigger event has occurred. HSE UK guidance recommends at least annual review. ISO 45001 requires review at “planned intervals” — and annual is the accepted minimum in certification audit practice. OSHA Recommended Practices for Safety and Health Programs recommend annual programme review.
The concept underpinning this trigger is “policy drift” — small cumulative changes that individually seem insignificant but collectively render the policy unfit. A role title changes here. A procedure is informally modified there. A piece of legislation is amended in a way that shifts interpretation. None of these individually triggers an obvious review event. But over twelve months, their combined effect can leave the policy describing an organization that no longer exists in its described form.
The annual review is the floor, not the ceiling. Organizations in high-risk sectors or those undergoing rapid change should review more frequently. Holding quarterly management review meetings with a standing policy-adequacy agenda item, one that examines whether any of the 11 triggered reasons have occurred since the last meeting, is a hallmark of mature safety management systems.

How to Conduct a Meaningful Health and Safety Policy Review
Knowing the 12 reasons for a review of the health and safety policy is the diagnostic half. The operational half — how to actually conduct the review — is where most organizations fall short. The gap is not knowledge but process: the review happens, but no documented evidence exists of what was evaluated, what was decided, and why.
The following steps outline a review process that produces the documented, auditable output that regulators, auditors, and insurers expect.
- Assign ownership and assemble the review team. Top management retains accountability for the policy under ISO 45001 Clause 5.1 and UK HSWA 1974. The HSE department facilitates the review process. Worker representatives must be consulted — this is a legal requirement, not a courtesy. The review team should include operational managers who can verify whether the policy reflects current site-level reality.
- Gather review inputs. Before the review meeting, compile the data that will inform it: incident and near-miss reports since the last review, risk assessment register updates, legislative register changes, audit findings (internal and external), employee consultation records, manufacturer or supplier notifications, insurance correspondence, and enforcement communications. Each input corresponds to one or more of the 12 triggers above.
- Evaluate each policy section against current operations. Review the statement of intent against current senior management commitment and priorities. Review the organisation section against actual roles, responsibilities, and reporting lines. Review the arrangements section against current procedures, risk assessments, training records, and safe systems of work. For each section, ask: does this accurately describe how we operate today?
- Document findings, decisions, and actions. Record what was assessed, what was found, and what decision was made. Where changes are needed, document the specific revision, who is responsible for implementing it, and the deadline. Where no change is needed, document the rationale — confirming continued suitability is itself a finding.
- Approve and communicate changes. Senior management must approve revised content. Once approved, communicate changes to the workforce through established channels — toolbox talks, intranet updates, team briefings, or whatever mechanisms the organisation uses. The communication method should be documented.
- Record the review for audit evidence. Retain evidence of the review date, participants, inputs examined, sections assessed, decisions made, changes approved, communication actions taken, and the next scheduled review date. This documentation is what auditors and regulators will examine — without it, the review is invisible.
Pro Tip: Maintain a standing agenda item in quarterly management review meetings that asks one question: “Has any of the 12 review triggers occurred since the last meeting?” This converts the review from a once-a-year event into a continuous governance function — and it produces a documented trail of ongoing monitoring.

What Happens If You Don’t Review Your Health and Safety Policy?
In 2024/25, HSE completed 246 criminal prosecutions with a 96% conviction rate and fines exceeding £33 million (HSE Annual Report, 2025). In enforcement proceedings, one of the first documents regulators request is the health and safety policy and its review history. An undated, unsigned, or evidently unreviewed policy does not cause the incident — but it powerfully demonstrates a systemic governance failure that intensifies both the penalty and the reputational damage.
The consequences extend beyond prosecution. Insurance coverage disputes arise when the policy is demonstrably outdated — if the policy referenced arrangements that were not in place at the time of an incident, the insurer has grounds to challenge whether the organization met its coverage conditions. Liability exposure in personal injury claims increases when claimants can demonstrate that the employer’s policy had not been reviewed against known risks. Loss of accreditation through pre-qualification schemes directly affects contract eligibility and revenue.
The less visible but equally damaging consequence is cultural. A workforce that knows the policy has not been reviewed — that the document pinned to the notice board references a manager who left two years ago, or describes procedures that nobody follows — draws a rational conclusion: management does not take this seriously. Safety culture erodes not through dramatic failures but through accumulated signals of indifference, and an unreviewed policy is one of the clearest signals an organization can send.
The cost data reinforces the scale: £22.9 billion in annual costs from workplace injuries and new cases of work-related ill health in Great Britain (HSE, 2025), with HSE annual workplace health and safety statistics showing 1.9 million workers suffering from work-related ill health — the highest figure on record. These are not abstract numbers. They represent the aggregate consequence of every workplace where governance — including policy review — did not keep pace with risk.
Conclusion
Pull your organization’s health and safety policy off the shelf — or out of the shared drive — and answer three questions. When was it last reviewed, and is there documented evidence of what was assessed? Does the statement of intent name a senior leader who still holds that role? Do the arrangements described in the policy match the work your people actually do today?
If any of those answers reveal a gap, at least one of the 12 triggers in this article has been active and unaddressed. The review of the health and safety policy is not a bureaucratic cycle — it is the governance mechanism that keeps the entire management system aligned with the risks your workforce faces right now. Every trigger missed is a period during which the policy governs an organization that no longer exists in its described form.
The process is not complicated. Gather the data. Evaluate each section. Document what you found, what you changed, and what you kept. Communicate it. Record it. The organizations that do this well are not the ones with the most sophisticated policies — they are the ones that treat the policy as a living document and the review as the discipline that keeps it alive.