
Health and safety for directors: what personal responsibility actually means when something goes wrong
When the HSE letter arrived, the director of a sixty-person manufacturing business read it twice before the wording properly registered. It was addressed to him personally. The company was named further down, and the health and safety manager he had hired two years earlier, precisely so that letters like this would never reach his desk, was not named at all. An employee had trapped a hand in a machine whose guarding had been flagged in an internal audit eight months before. The company was under investigation, and so, it turned out, was he.
His first reaction was the one almost every director gives in that moment. We have someone for this. There is a policy, there are risk assessments, and there is a competent person with the right letters after their name. He had done what a responsible business owner is supposed to do, and he had the payroll entry to prove it.
The law reads his situation differently, and understanding why is worth twenty minutes of any director's time. Health and safety for directors is one of the least understood areas of UK business law, largely because those to whom it applies assume it applies to someone else.
Hiring someone competent changes less than you think
The duty to ensure the health and safety of employees, so far as is reasonably practicable, belongs to the employer under the Health and Safety at Work etc. Act 1974. Appointing competent help is itself a legal requirement under the Management of Health and Safety at Work Regulations 1999, but the appointment does not transfer the duty. The company still carries it, and the people who direct it bear the consequences of how well it is discharged.
That second part is where section 37 of the Act comes in, and it deserves to be far better known among owner-managers than it is. Where a health and safety offence committed by a company is proved to have been committed with the consent or connivance of a director, or to be attributable to any neglect on their part, the director can be prosecuted personally, alongside the company. Consent and connivance both require knowledge. You knew and agreed, or you knew and looked away.
Neglect is the ground that catches SME directors, because it requires no knowledge at all. It covers what a director should have known but failed to find out: the audit finding that was never pursued to closure, or the guarding budget that was quietly deferred over two financial years. In the eyes of an investigator, not asking is a decision too.
There is a further point that matters specifically at the SME scale. Prosecutions of individual directors concentrate on smaller businesses, because in a company of forty or eighty people, the distance between the boardroom and the shop floor is short. A court is far less willing to accept that the person running the business had no way of knowing what was happening inside it, and HSE's own enforcement guidance sets out exactly when inspectors should proceed against both a director and the company.
What "reasonably practicable" means for the person at the top
"Reasonably practicable" is a weighing exercise. The risk goes on one side, the cost and effort of controlling it on the other, and a control can only be justifiably set aside where its cost is grossly disproportionate to the risk it addresses. Directors tend to read the phrase either as "do everything conceivable" or as "do what the budget allows this year", and it means neither of those things.
For the person at the top, the phrase carries an implication that very few business leaders have ever been told. Under section 40 of the Act, once a prosecution is brought, the burden of proof reverses. The business has to prove, on the balance of probabilities, that nothing more was reasonably practicable. HSE does not have to prove that it was.
Consider what that does to the ordinary record of a company's decisions. Every risk that was assessed and controlled becomes evidence. So does every risk that was assessed and parked. The director who can show why a particular control was judged disproportionate, with the reasoning written down at the time, has a defence to argue. The director whose position amounts to "I assumed it was being dealt with" has a payroll entry and very little else.
Where the personal exposure runs
A director convicted under section 37 faces the same penalties as the company would for the underlying offence; for serious breaches, this means an unlimited fine and, for individuals, imprisonment. Separately, the Company Directors Disqualification Act 1986 gives the court power to disqualify a person convicted of an offence connected with the management of a company, and health and safety offences qualify. That power needs no additional investigation or evidence. It is simply available at the point of sentencing.
Where someone dies, the exposure changes character altogether. Gross negligence manslaughter is a common-law offence against the individual, and directors of smaller companies have been imprisoned for it. One HSE-published case involved the managing director of a manufacturing business of around one hundred people, jailed after an employee was killed by an unguarded conveyor that had been a long-standing problem. His defence was that he had not been aware of the guarding issue. The court's view was blunt: whether he knew was beside the point, because he should have.
The purpose of setting this out is proportion rather than alarm. Director prosecutions remain a minority of enforcement outcomes, and they concentrate where the neglect was real and demonstrable. But the pattern in those cases is remarkably consistent, and it is the pattern the rest of this article is about.
The difference between delegated comfort and genuine oversight
In the cases that go wrong, the director has almost always done something. There is a consultant on a retainer, or a manager with a NEBOSH qualification, and a folder of risk assessments that would pass a casual inspection. What is missing is any evidence that the person at the top ever engaged with what the paperwork was telling them.
Delegated comfort is the monthly report that says "no issues" and is never questioned, or the audit findings that are received, filed, and never tracked to closure. It is also very common for the contractor to believe they are under control because a RAMS is on file, when nobody has looked at how contractor work is actually controlled on site. The paperwork exists. The engagement with it does not.
Genuine oversight is a different habit of mind rather than a bigger system. The director does not write the risk assessments, but they know what the handful of risks are in their business that could genuinely kill or maim someone, and they could name them if asked. They see the audit findings themselves rather than a filtered summary, and they know which ones are overdue. When money for a control is requested and refused, the reasoning gets recorded because that refusal is precisely the decision an investigator will later reconstruct. And every so often, they walk the floor and check whether what is written down matches what actually happens, which remains the fastest way to find out whether a safety system is real or ornamental.
HSE and the Institute of Directors publish joint guidance on this, Leading Health and Safety at Work, and it is worth a director's time to read. The document matters less than the behaviours, though. A board that treats safety as a set of live decisions, rather than receiving it as a report, already has the substance of what the guidance asks for.
What this looks like in a business of 25 to 150 people
At this size, there is rarely a safety department, and there need not be one. The real test of oversight is whether the director can answer a small number of questions without ringing anyone first. What are the risks in this business that could put someone in the hospital or worse? What did the last audit or inspection find, and is any of it still open? When did we last spend money on a control, when did we last decline to do so, and where is that reasoning written down? And if HSE walked in tomorrow, who would speak for how safety decisions are made here, and what would the paper behind those decisions show?
A director who can answer those questions has oversight. A director who would need to make three phone calls to find out has delegation, and delegation on its own is exactly where section 37's idea of neglect begins. For a business without full-time safety capability, the answer is usually not more paperwork but practical health and safety support built around how the business actually operates, with the director kept close enough to the findings to answer for them.
The director in the opening scenario was not reckless, and he had spent real money on safety over the years. What he could not do, when it mattered, was show that he had ever engaged with the one audit finding that ultimately came before an investigator. That is the exposure this article describes, and it is closed by attention rather than expenditure.
If you run a business and you are not certain where you would personally stand if HSE ever asked, a short message through the chat on this page gives you a direct read on your exposure and the two or three things that would matter most if that day ever came. It comes back directly from Nick, usually the same day, not from a call centre and not as a templated report.

