I have recently updated the HKW Risk Management policy statements and thought it would be a good opportunity to reflect on why we write them and what they should include. There are various reasons why a business would want or need policy statements including:

• Legal requirements – the Health and Safety at Work Act requires a “written statement of […] general policy”
• ISO requirements – the standards we work with all require a documented policy (clause 5.2)
• Desire to ‘do the right thing’ and lead by example
• Set out in a formal way the aims or values or intentions of the business

Policy statements are often perceived as dry, dusty things on a noticeboard, but they really should be a reflection of your business and what is important to you. I encourage all my clients to structure their policy statements in 3 sections (as per the 3^rd day of Christmas of our 2021 blog post series)

1. The descriptive bit: HKW Risk Management Ltd is a B2B consultancy working with businesses in Bristol and the South West. We believe in making management systems simple and we offer straightforward risk management advice in an approachable and friendly way…

2. The commitments bit: We are committed to protecting the environment and encouraging our clients to do so, the prevention of work-related injury and ill health, continually improving our management system and the services we offer our clients

3. The management bit: we are committed to continual improvement, this policy is reviewed annually to ensure that it remains appropriate to our strategic direction and is suitable, adequate and effective…

The ‘descriptive bit’ should be a few paragraphs describing what you do. I have come across some terrible policies in the past, full of dry legal language which didn’t tell me anything about what the business actually did. Some tips are to:

• Clearly explain what your business does in a simple way
• Use the business ‘tone’ and any company specific language (colleagues rather than employees, leadership rather than management etc)
• Match the words to your website and marketing materials
• Use the business colours, font, branding – this is a key document and needs to look like one!

The ‘commitments bit’ can be a set of statements, if you have a set of business values or a purpose / mission statement, reference it here. I’ve structured this section of our policies around our values, with an explanatory statement on how I interpret that value in the context of the discipline of that policy. For example the ‘Keep it simple’ value is interpreted as follows:

• Quality “we translate the quality management principles and ISO requirements into straightforward actions to improve business processes and outcomes”
• Environment “we translate sometimes complex legal requirements into straightforward actions which help to manage environmental impacts”
• Health and Safety “we translate sometimes complex legal requirements into straightforward actions which control hazards in a proportionate manner”

This bit should also have a section listing key legal or ISO requirements that your business needs to comply with such as the requirement to provide suitable access to a safe place of work (Health & Safety at Work Act 1974, section 2.2.d) or the commitment to preventing pollution (ISO 14001:2015 clause 5.2,b) or providing a framework for setting quality objectives (ISO 9001:2015 clause 5.2,b). A key commitment from an ISO requirements point of view is to ‘continually improve’ the management system (see this blog post on the difference between continuous and continual!) and this sentence should be in all your policy statements.

The ‘management bit’ is an opportunity for a final paragraph explaining how you will manage the policy itself, for example:

• How the policy is made available to employees (induction, noticeboards, online etc)
• How the policy is made available to other interested parties (usually via your website)
• When it is reviewed – annually is best practice (or earlier if there are significant changes), either in line with your financial year, the calendar year (new year, new you and all that) or I like to review mine in September in line with that ‘back to school’ feeling
• How you will check that it remains appropriate to your strategic direction and is suitable, adequate and effective

At the very end, the one page policy statement should be signed by somebody in a Top Management position such as the MD / CEO / Nominated Director which helps to demonstrate leadership and commitment.

Of course, a piece of paper on its own never improved anything, so it is critical is that there is a management system behind the policy to help you meet the commitment statements you make. For the majority of our clients, this usually is summarised in a manual or arrangements document which sets out how things are actually done. This is best practice for disciplines such as quality and environmental, but is a legal requirement to have the following three sections for occupational health and safety:

1. Statement
2. Responsibilities
3. Arrangements

This article by Louise Hosking (now the President of IOSH) is one I refer to and provides a very good overview of what should be included in the three different sections of your health and safety policy.

The organisation responsibilities section should cover information such as:

• Who has overall responsibility for health and safety (usually at Director level)
• How day to day operations are managed (for example, who is responsible for checking the guards and interlocks on machines before use? Who is responsible for carrying out risk assessments? Who is the Competent Person?)
• What about emergency arrangements – first aiders, fire marshals, checking escape routes remain clear etc

The arrangements section should describe the processes used to meet the commitments in the policy statement. For example a commitment to “eliminate hazards, manage and reduce risks to an acceptable level’ would require information on the risk assessment process:

• Who carries out risk assessments? What training do they need?
• How are they recorded? Is there a specific template?
• Where are the completed risk assessments kept?
• How are they reviewed and updated?
• How are the results of a risk assessment communicated? Through a tool box talk? Where are records of these kept?

I usually structure these arrangements documents in alphabetical order, with brief details on how each hazard or issue is managed, where key information is held and what templates or reference documents to use.

The key message of this blog post is that your policy statements should be something that you and your business are proud of and they should be backed up by sufficient information and processes to make things happen! If you would like any help reviewing, updating or writing your policy statements and supporting manual, please contact us.