Contractor Safety Management: What UK Business Owners Are Responsible For (and What Catches Them Out)

May 11, 2026 | 14 min read

Most business owners assume that when they hire a competent contractor, the safety risk transfers with the contract. The contractor has their own insurance, their own risk assessments, their own method statements, and their own people. The client signs a purchase order, lets them on site, and gets on with running the business. Whatever happens during the work feels like the contractor's problem, because the contractor is the one doing the work.

The law has taken a different view since 1974, and the courts confirmed it definitively in 1996. If something goes wrong on your premises or in the course of your operation, the assumption that you've outsourced the risk is the assumption that catches owners out.

The legal position most owners get wrong

Section 3 of the Health and Safety at Work etc. Act 1974 places a duty on every employer to conduct their undertaking so that people who are not their employees are not exposed to risks to their health or safety, so far as is reasonably practicable. Contractors fall squarely inside that duty. So do their employees, their subcontractors, visitors, and members of the public who happen to be affected by what's going on.

The point that gets missed is that this duty cannot be delegated. You cannot hand it to the contractor along with the work. The seminal case is R v Associated Octel Co Ltd, decided by the House of Lords in 1996. Octel had hired a specialist contractor, Resin Glass Products, to repair the lining of a tank inside a chlorine plant during a planned maintenance shutdown. An RGP employee was badly burned in an explosion inside the tank. Octel argued that RGP was an independent contractor, that RGP dictated how the work was done, and that the work therefore fell outside Octel's "undertaking" for the purposes of Section 3.

The House of Lords disagreed. The maintenance work was part of the conduct of Octel's undertaking. Whether the work was done by employees or by independent contractors did not change that. Whether Octel had practical control over how the work was carried out did not change that either. The duty under Section 3 stayed with Octel because Octel's business depended on that maintenance being done.

The principle has not moved since. If a contractor is doing work that forms part of how your business operates, in your premises or under your direction, the safety duty sits with you alongside the contractor. The HSE treats this as settled law. "We hired a competent firm" is part of a defence, but it is never the whole defence on its own.

For construction work specifically, a second framework sits on top of Section 3. That's where it gets more involved.

Where CDM 2015 changes everything (and where it doesn't apply)

The Construction (Design and Management) Regulations 2015 apply to all construction work in Great Britain. The trap is that the definition of construction work is much broader than most owners assume. Building extensions, fit-outs, refurbishments, demolition, alterations to fixed plant, structural maintenance, redecoration involving access work, installing heavy machinery — all of this can fall inside CDM, even if your business has nothing to do with construction.

Under CDM 2015, when you commission this kind of work, you are the Client. That's a defined role with defined duties. Among other things, the Client must make suitable arrangements for managing the project, allocate sufficient time and resources, ensure that anyone they appoint has the skills, knowledge, experience and (where relevant) organisational capability to do the work safely, provide pre-construction information to designers and contractors, and on projects involving more than one contractor, appoint a Principal Designer and a Principal Contractor in writing before construction begins.

Two things tend to surprise owners when they read this for the first time.

The first is that if you fail to appoint a Principal Designer or Principal Contractor when one is required, the duties of those roles fall back on you. You don't escape them by failing to appoint someone. You inherit them. The British Safety Council reported 17 CDM prosecutions in a recent twelve-month period, with one client fined £170,000 for failing to make suitable arrangements on a project involving asbestos. Another case in October 2023 saw a client, principal designer and principal contractor fined a combined £410,000 after a slate tile fell from a hotel roof during renovation works and injured a three-year-old child.

The second is that "Client" duties apply regardless of project size. There is no de minimis exception for small jobs. The duties are proportionate to the risk and complexity of the work, but they exist on every project. If you're a manufacturer commissioning a mezzanine installation, or an office occupier commissioning a fit-out, you are a CDM Client, and the regulations apply to you in the same way they apply to a property developer.

For everything that isn't construction work, CDM doesn't apply, but Section 3 still does. So a manufacturer using maintenance contractors, a facilities management firm sending engineers to client sites, an office occupier using cleaning contractors out of hours — all of these sit under Section 3 alone, with the same non-delegable duty established in Octel.

The five places contractor management actually fails

The catch-outs are not usually about owners ignoring safety. They are about owners doing some things well and assuming the rest takes care of itself. These are the patterns that surface repeatedly in prosecution evidence and HSE inspector commentary.

Treating "competent contractor" as a one-off check. Owners often vet a contractor properly at the point of appointment, then never revisit the assessment. Years later, the same firm is still on site, but the people doing the work have changed, the supervisor has moved on, the safety culture has drifted, and nobody has checked. Reasonably practicable steps include ongoing assurance, not just the initial appointment. The HSE expects you to have noticed if the contractor's standards have slipped while they've been working for you.

Assuming the contractor's risk assessment covers your site. A contractor's generic risk assessment for, say, working at height, will cover the activity in general. It will not cover the specific hazards of your site: the overhead power line near where they need to set up the scaffold, the chemical storage in the adjacent bay, the forklift route that crosses the work area at shift change. The Section 3 duty makes those site-specific hazards your responsibility to communicate. If you don't, and the contractor's generic assessment doesn't catch them, the gap is yours to explain.

Permits to work that get signed but not read. Permit-to-work systems exist to force a structured conversation between the person doing the work and the person controlling the site. The conversation is the control. The signed paper is the evidence that the conversation happened. When permits become a paperwork formality, signed in advance and filed without a meaningful exchange, the system fails silently. An HSE investigator looking at a permit signed at the start of a shift for work that didn't begin until two hours later, with no record of what was discussed, will draw the obvious conclusion. The Tata Chemicals Europe case in 2024, which resulted in a £1.125 million fine after the death of a contractor erecting scaffolding, was prosecuted in part on a failure to operate a robust permit-to-work system.

Long-term contractors blurring into the workforce. A contractor who has been on your site three days a week for two years feels like part of the team. Inductions get skipped because everyone knows them. Site-specific briefings stop happening because they've been here longer than half your staff. New subcontractors brought in by the long-term contractor get a quick wave-through because they're with someone you trust. None of this is illegal in itself. All of it weakens the audit trail that proves you discharged your duty. When something goes wrong, the gap between the formal arrangements and the actual practice is what gets prosecuted.

Subcontractors arriving without anyone vetting them. Your competent main contractor brings in a specialist subcontractor for one specific element of the job. The subcontractor turns up, gets pointed at the work, and starts. Nobody on your side has checked their competence, their insurance, their method statement, or their training. Section 3 makes no distinction between the contractor you hired and the subcontractor they brought in. If the subcontractor is doing work that forms part of your undertaking, and they're doing it on your site, your duty extends to them too. The principal contractor has duties of their own, but those duties don't replace yours.

These patterns describe how monitoring discipline tends to drift over time, which is part of a wider question about how safety culture holds up when commercial pressure builds. Where contractor management is concerned, the practical response is not more paperwork but stronger ongoing oversight of the contractors actually working on your site.

[Figure: Contractor safety duty chain]

What "reasonably practicable" actually means when something goes wrong

The phrase "so far as is reasonably practicable" appears throughout health and safety legislation and is widely misunderstood. It is not vague. It has a specific evidential meaning, established by case law and applied consistently by the HSE and the courts.

Reasonably practicable means that the cost, time, and effort required to control a risk must not be grossly disproportionate to the level of risk being controlled. If a control measure is cheap, well-known, widely used, and would have prevented the harm, the burden on the duty holder to explain why it wasn't in place is heavy. If a measure is expensive, novel, and would have produced only a marginal reduction in risk, the calculation tips the other way.

When a contractor is injured on your site, the HSE will ask what you did to assess the contractor's competence, what site-specific information you provided, what monitoring you put in place during the work, what evidence you can produce that it actually happened, and what you did when standards started to slip. The investigator is not looking for perfection. They are looking for evidence that a reasonable, properly run business put proportionate controls in place and operated them.

The burden of proof on this point sits with you. Section 40 of HSWA reverses the usual position: where a duty holder is charged with failing to do something so far as was reasonably practicable, the duty holder has to prove that it was not reasonably practicable to do more than they did. That reversal is why your records, your inductions, your monitoring evidence, and your supervisory rhythm matter so much. They are not bureaucracy. They are the defence.

The director-level question

Section 37 HSWA brings personal liability into the picture. Where a body corporate commits an offence, and that offence is proved to have been committed with the consent or connivance of, or to be attributable to neglect on the part of, a director, manager, secretary or similar officer, that individual can be prosecuted alongside the company.

The pattern in recent years has shifted. The HSE is more willing to bring director-level prosecutions than it was a decade ago, particularly where the failings are systemic rather than one-off. In May 2024, the director of a small contractor was disqualified from being a director for five years and given a community sentence after the company failed to comply with HSE Improvement Notices. The same year, a Hampshire farmer received a six-month custodial sentence, suspended for eighteen months, after a self-employed labourer fell to his death dismantling a cow shed. The investigation found that no measures had been put in place to prevent or mitigate a fall from height.

For an MD, the practical implication is straightforward. The systems your business uses to manage contractors are not just a corporate compliance question. They are part of your personal exposure. If the systems exist on paper but nobody is operating them, and you knew or ought to have known, the gap between policy and practice becomes the basis of the case against you personally. This is covered in more depth in our piece on what business owners and directors actually need to know about their personal H&S exposure.

What good contractor management actually looks like in practice

The owners who pass scrutiny are not the ones with the thickest manuals. They are the ones who can show, when asked, that a small number of disciplines actually operate.

Before any contractor starts work, there is a documented assessment of their competence that goes beyond a tick-box questionnaire and includes evidence of how they have performed previously, ideally including references from other clients and confirmation of relevant qualifications. Before the work begins on site, there is a site-specific induction that covers the hazards of your premises, the people the contractor needs to know, the rules they need to follow, and the points at which they must stop and check in. While the work is happening, somebody on your side has a defined responsibility for monitoring it, with a clear rhythm of checks proportionate to the risk. When standards slip, there is a documented escalation route that doesn't depend on goodwill. When the work is finished, there is a short review that captures what worked and what didn't, and that informs how you handle the next contract.

None of this is exotic. All of it is what an HSE investigator expects to see in a competently run SME. The difference between businesses that pass scrutiny and businesses that don't is rarely the policy document. It is whether anybody actually does the things the policy says they will.

If a contractor was injured on your site next Tuesday, what would you be able to put in front of an HSE inspector by Friday? If the answer is "the framework agreement and the contractor's RAMS" and not much else, you have a contractor management gap that's worth a private conversation before something forces it.


Frequently Asked Questions

Am I responsible if a contractor is injured on my site?

Under Section 3 of the Health and Safety at Work etc. Act 1974, you have a non-delegable duty to ensure that people who are not your employees are not exposed to risks from your undertaking, so far as is reasonably practicable. This duty was confirmed in R v Associated Octel Co Ltd (1996), which established that hiring a competent contractor does not transfer the duty. You and the contractor can both be prosecuted if reasonably practicable steps were not taken. Whether you are found liable depends on what you did to assess competence, share site-specific information, monitor the work, and respond to standards slipping.

Does CDM 2015 apply to my business if I'm not in construction?

Yes, in many cases. The Construction (Design and Management) Regulations 2015 apply when you commission construction work, regardless of your industry. Construction work includes building, refurbishment, alterations, demolition, structural maintenance, and the installation of fixed plant. If your manufacturing business is having an extension built, your office is being fitted out, or your facility is being refurbished, you are a CDM Client and you have specific duties under the regulations, including (on projects with more than one contractor) appointing a Principal Designer and Principal Contractor in writing before construction begins.

What's the difference between a contractor and a subcontractor for liability purposes?

For Section 3 purposes, the distinction matters less than owners often think. If a subcontractor is doing work that forms part of your undertaking, on your premises or under your direction, your duty extends to them as well as to the main contractor. The main contractor has their own duties, but those do not displace yours. In practical terms, this means that letting a subcontractor onto your site without checking their competence, even when they are brought in by a contractor you trust, leaves a gap in your defence if something goes wrong.

Can I be personally prosecuted if a contractor has an accident?

Section 37 HSWA allows the prosecution of directors, managers, secretaries and similar officers personally where a body corporate commits an offence with their consent or connivance, or where the offence is attributable to their neglect. Director prosecutions have become more common in recent years. Personal exposure is highest where systems exist on paper but are not actually operated, where warnings have been ignored, or where the director was clearly aware of a risk and failed to address it.

How often should I review a contractor's safety competence?

There is no fixed frequency in regulation, because the test is what is reasonably practicable given the risk. For a long-term contractor doing higher-risk work on your site, an annual formal review is a sensible baseline, supplemented by ongoing operational oversight. For a one-off project, the assessment is done at appointment and reinforced through monitoring during the work. The principle is that competence assessment is not a one-time event. If the contractor's people, supervisors, or methods change during the engagement, your assurance arrangements need to keep pace.

© ProgressA 2026. All Rights Reserved.