"We've got a health and safety policy."
It's one of the most common responses when businesses are asked about their safety management arrangements. And while having a policy is a legal requirement and a perfectly good starting point, it's a bit like saying "we've got a recipe" when someone asks if you can cook.
A policy tells people what you intend to do. A safety management system is how you actually do it.
Every employer with five or more employees must have a written health and safety policy. It's a legal requirement under Section 2(3) of the Health and Safety at Work Act 1974.
A health and safety policy has three parts. The statement of intent sets out the organisation's commitment to health and safety — the "what we believe" section, usually signed by the most senior person in the organisation. The organisation section describes who is responsible for what: who manages day-to-day safety, who conducts risk assessments, who investigates incidents, who provides training. The arrangements section describes how health and safety is managed in practice: risk assessment procedures, training programmes, emergency arrangements, monitoring processes.
A good health and safety policy is a clear, concise document that sets the direction for health and safety in the organisation. It's the foundation — but it's not the building.
A safety management system (SMS) is the complete framework of policies, procedures, processes, responsibilities, records and reviews that an organisation uses to manage health and safety on an ongoing basis. If the policy is the statement of intent, the SMS is the operational machinery that turns that intent into daily practice.
An effective SMS typically includes the policy (as described above), risk assessment processes and registers, safe systems of work and method statements, training needs analysis and delivery, competence frameworks, incident reporting, investigation and analysis, performance monitoring (leading and lagging indicators), audit programmes, management review processes, emergency procedures, contractor management, change management, document control and continual improvement mechanisms.
The most widely recognised framework for a safety management system is ISO 45001, but there are others including HSG65 (the HSE's Plan-Do-Check-Act model) and various industry-specific standards.
The difference matters because a policy without a system is a piece of paper. It might satisfy a basic legal check, but it won't protect people, won't prevent incidents and won't stand up to scrutiny from the HSE, a court, a client audit or an insurance assessor.
Consider this scenario: your health and safety policy says "all employees will receive appropriate health and safety training." Excellent. But who identifies what training is needed? How is it delivered? How do you verify competence? How do you record it? How do you identify when refresher training is due? How do you know the training is actually effective?
The policy sets the commitment. The management system provides the process, the accountability, the records and the review mechanism that makes it happen.
In practice, most SMEs sit somewhere between a policy and a full management system. They have a policy, some risk assessments, some training records, maybe an incident book and a fire evacuation procedure. But these elements exist in isolation — in different folders, managed by different people, reviewed at different times (or not at all), with no overarching structure connecting them.
The step from "we have individual elements" to "we have a system" is less about creating new documents and more about connecting the existing ones into a coherent framework with proper governance, review cycles and accountability.
For an SME, a safety management system doesn't have to be a thousand-page manual. It needs to be proportionate to the organisation's size and risk profile. For a 20-person office, a well-structured document set, some clear procedures and a quarterly review cycle might be entirely adequate.
For a larger or higher-risk business — manufacturing, construction, care — the system needs to be more comprehensive. But the principles are the same: clear responsibilities, documented processes, active monitoring, regular review and genuine commitment from the top.
The key indicator of a working SMS is evidence of the "system" part. Not just documents existing, but documents being used, reviewed, updated and acted upon. Risk assessments that reflect current activities. Training records that are up to date. Incidents that have been investigated and led to changes. Management reviews that happen and result in decisions.
Beyond legal compliance, there are compelling business reasons for moving from a policy to a system. Clients increasingly want evidence of structured safety management — particularly in supply chains, tender processes and contractor pre-qualification. Insurance assessors look more favourably on businesses with documented management systems. Staff retention improves when employees see that safety is taken seriously and managed systematically. And incident rates genuinely fall when organisations move from reactive safety (dealing with problems after they happen) to proactive safety management (preventing problems before they occur).
Ready to build a proper safety management system? Get an SMS Consultation →
York Green Safety Partners helps businesses across the UK build practical, proportionate safety management systems. Based in Cheshire, covering the whole country.