Health and Safety Policy: A Guide for Office, Tech, and Finance Firms

A health and safety policy is the foundational document of any organisation's health and safety management, the written statement of how a business manages risk, who is responsible, and what arrangements are in place to protect people. For employers with five or more employees it is a legal requirement under Section 2(3) of the Health and Safety at Work Act 1974, not an optional nicety. Yet office-based firms, technology companies, fintechs, and professional services businesses are among the most likely to treat it as a box-ticking exercise, downloading a generic template, filing it, and forgetting it. That approach fails on every count: it does not meet the legal standard, it does not protect anyone, and it does not survive the scrutiny of an investor due-diligence process, an enterprise client's procurement check, or an HSE inspection. This guide explains what a health and safety policy is, what it must contain, what office and tech firms get wrong, and how to get it right.
Why the Health and Safety Policy Matters for Office and Tech Firms
There is a common belief in office-based businesses, particularly fast-moving tech and finance firms, that a health and safety policy is paperwork for industrial companies, something to be downloaded, signed, and never looked at again. This belief is mistaken, and it creates real exposure.
The health and safety policy is the document that sets out, in the organisation's own words, how it takes its legal duties seriously and how it discharges them. It is the first thing an HSE inspector asks for, the first item on a procurement health and safety questionnaire, and a standard request in the due-diligence process when a tech or finance firm raises investment or is acquired. A generic, outdated, or absent policy signals, to all of these audiences, that health and safety is not genuinely managed.
For office, tech, and finance firms specifically, the policy must address the risks that actually apply to knowledge work (display screen equipment, hybrid and home working, work-related stress, and fire in shared buildings), not the industrial hazards of a generic template. A policy that talks about machinery guarding and forklift trucks for a software company is not just useless; it actively demonstrates that no genuine assessment was done.
Health and Safety Consultants develop policies that are specific, current, and genuinely protective, the foundation on which credible health and safety management is built.
1. What a Health and Safety Policy Is
A health and safety policy is a written document that sets out an organisation's approach to managing health and safety: its commitment, its allocation of responsibilities, and its practical arrangements for controlling risk.
It is not a risk assessment, a procedure, or a training record. It is the overarching document that frames all of these, the statement of intent and the structure of accountability that everything else sits beneath.
A health and safety policy answers three fundamental questions:
- What does the organisation commit to? Its general intention and approach to health and safety.
- Who is responsible for what? The allocation of health and safety duties across the organisation, from the most senior leader down.
- How are risks actually managed? The specific arrangements, practical measures, and systems that turn commitment into protection.
These three questions correspond to the three parts of a health and safety policy (the statement of intent, the organisation section, and the arrangements section), explored in detail below.
A good policy is specific to the organisation. It reflects what the business actually does, the risks it actually faces, and the arrangements it actually has. A policy that could belong to any company belongs to none, and meets neither the spirit nor the letter of the law.
2. The Legal Requirement: Section 2(3) of the Health and Safety at Work Act
The health and safety policy is a legal requirement, not best practice, for most employers.
What the law requires: Section 2(3) of the Health and Safety at Work Act 1974 requires every employer with five or more employees to prepare, and keep up to date, a written statement of their general policy on health and safety, and the organisation and arrangements for carrying it out, and to bring it to the attention of employees.
The key obligations within this:
- Written: The policy must be a written document, not an unwritten understanding.
- General policy statement: It must set out the organisation's general approach and commitment.
- Organisation and arrangements: It must describe who is responsible and how health and safety is managed in practice.
- Kept up to date: It is not a one-off document; it must be reviewed and revised as the business changes.
- Brought to employees' attention: Staff must be made aware of it; a policy filed away and never communicated does not meet the requirement.
The five-employee threshold: The written requirement applies at five or more employees. However, every employer, even those with fewer than five, has the underlying duties the policy documents, and benefits from having one. For any growing tech or finance firm, five employees arrives quickly, and establishing the policy early is far easier than retrofitting it.
The connection to wider duties: The policy sits within the broader framework of the Management of Health and Safety at Work Regulations 1999, which require risk assessment and the appointment of a competent person. The policy describes how these duties are met.
3. The Three Parts of a Health and Safety Policy
A compliant health and safety policy has three distinct parts, each serving a specific purpose. Understanding them is essential to producing a policy that works.
Part 1: The Statement of Intent. The opening declaration of the organisation's commitment to health and safety. It sets out the general aims, the commitment to comply with the law and to protect employees and others, and the organisation's overall approach. Critically, it must be signed and dated by the most senior person in the organisation (the CEO, managing director, or senior partner), demonstrating leadership commitment at the top. An unsigned statement of intent is a common and serious failing.
Part 2: The Organisation Section. This sets out who is responsible for what: the allocation of health and safety duties throughout the organisation. It names roles (and often individuals) and describes their responsibilities, from the board or senior leadership, through managers, to individual employees. For an office or tech firm, this section establishes that health and safety accountability runs from the top, which is important both legally and, for regulated finance firms, in the context of governance frameworks such as SMCR.
Part 3: The Arrangements Section. The largest and most practical part, setting out the specific arrangements for managing health and safety: how risks are assessed, how training is provided, how incidents are reported, how fire safety is managed, how DSE assessments are conducted, how contractors are managed, and so on. This is where the policy becomes specific to the organisation, and where generic templates most obviously fail, because the arrangements must reflect what the business actually does.
A policy missing any of these parts, or with a generic arrangements section that does not reflect the real business, does not meet the legal standard.
4. What Office, Tech, and Finance Firms Get Wrong
Office-based firms make a recurring set of mistakes with their health and safety policy. Recognising them is the first step to avoiding them.
The generic template trap: The most common error. A firm downloads a free template, inserts its name, and files it. The result is a document full of arrangements for hazards the firm does not have (machinery, hazardous substances, manual handling of heavy loads) and silent on the risks it does have (DSE, hybrid working, stress). It looks like a policy but is not suitable, and an inspector, auditor, or due-diligence reviewer spots this immediately.
The unsigned statement: A statement of intent that is not signed and dated by the most senior person fails to demonstrate the leadership commitment the policy is meant to show.
The set-and-forget policy: A policy written once, years ago, and never reviewed, while the business has doubled in size, moved offices, adopted hybrid working, and changed its leadership. It no longer reflects the organisation and no longer meets the duty to keep it up to date.
The uncommunicated policy: A policy that exists but that no employee has ever seen. The law requires it to be brought to employees' attention, and a policy nobody knows about protects nobody.
The missing office risks: A policy that does not address the risks that actually matter for knowledge work (DSE and screen use, home and hybrid working arrangements, work-related stress, and fire safety in shared buildings), because the template it came from was written for a different kind of business.
A professional policy avoids all of these: it is specific, signed, current, communicated, and addresses the firm's real risks.
5. What a Health and Safety Policy Must Cover for an Office or Tech Firm
For an office, tech, finance, or AI firm, the arrangements section of the policy must address the risks that genuinely apply to knowledge work, the risks a generic template ignores.
Display screen equipment (DSE): The defining office hazard. The policy must set out how the firm assesses workstations for all habitual screen users, in the office and, critically, at home, and how it acts on the findings. With virtually every employee in a tech or finance firm a screen user, this is central.
Hybrid and home working: The policy must address how the firm manages health and safety for employees working from home, including home workstation assessment, the home working environment, and lone working arrangements, an obligation the HSE confirmed in 2025 extends fully to home and hybrid workers.
Work-related stress and mental health: With stress, depression, and anxiety the leading cause of work-related ill health, and finance and tech among the highest-exposure sectors, the policy must set out how the firm assesses and manages psychosocial risk, typically referencing the HSE Management Standards.
Fire safety: The policy must address fire safety arrangements, including, for firms in multi-tenant buildings, how evacuation, fire marshals, and coordination with the building are managed. This connects to the firm's fire risk assessment.
Other office arrangements: First aid, accident and incident reporting (including RIDDOR), electrical safety, welfare, new and expectant mothers, young workers, and contractor and visitor management.
A policy covering these genuinely reflects an office firm's risk profile, the test of a policy that is suitable and sufficient rather than generic.
6. Who Is Responsible for the Health and Safety Policy
The allocation of responsibility, the organisation section of the policy, matters legally and, for office and finance firms, increasingly in governance terms.
Ultimate responsibility sits at the top: Legal responsibility for health and safety rests with the employer and, within the organisation, ultimately with the most senior leadership: the board, the CEO, the managing director, or the senior partners. The statement of intent is signed at this level precisely to demonstrate this.
Responsibility cascades: The organisation section sets out how responsibility cascades: senior leadership setting direction and providing resources, managers implementing arrangements within their areas, and all employees having duties to work safely and follow the arrangements.
The competent person: The policy identifies the competent person appointed under Regulation 7 to assist with compliance, whether internal or, as for most office firms, an external consultant.
The SMCR dimension for regulated finance firms: For FCA-regulated firms and fintechs, health and safety responsibility intersects with the Senior Managers and Certification Regime. Where a Senior Manager holds responsibility for premises, people, or operations, health and safety governance falls within their accountabilities. The policy's organisation section should align with the firm's SMCR accountability map, making health and safety responsibility explicit at senior level, a point generic templates never address.
Responsibility cannot be delegated away: While tasks can be delegated to managers or outsourced to consultants, legal responsibility remains with the employer. The policy documents how that responsibility is discharged, not transferred.
7. When to Review and Update a Health and Safety Policy
The legal duty to keep the policy up to date means review is not optional. For fast-moving office and tech firms, the triggers for review arise frequently.
Review at least annually: As a baseline, the policy should be reviewed at least once a year, even if nothing major has changed, confirming it remains current and accurate.
Review on significant change, of which there are many for growing firms:
- Growth: A firm that has grown from 10 to 100 employees has a different organisation and different arrangements. The policy must keep pace.
- New premises or offices: A move, or a new office, changes fire arrangements, welfare, and more.
- Adopting or changing hybrid working: A shift in working patterns changes the firm's risk profile significantly.
- Leadership or role changes: When the people named in the organisation section change, the policy must be updated.
- New activities or services: Changes to what the firm does may introduce new risks.
- Following an incident: An accident or near miss may reveal that arrangements need revising.
- Legal change: New legislation or guidance may require the policy to be updated.
The risk of the stale policy: A policy that has not kept pace with a growing firm is one of the most common findings in audits and due-diligence reviews. For a tech or finance firm scaling rapidly, an annual review plus review-on-change is essential, and is exactly the kind of ongoing maintenance that professional support provides.
8. Health and Safety Policy vs Procedures, Risk Assessments, and Other Documents
The policy is often confused with the other documents in a health and safety management system. Understanding the distinctions clarifies what the policy is and is not.
Policy vs risk assessment: The policy sets out how the firm manages health and safety in general; a risk assessment identifies specific hazards and the controls for them. The policy says the firm assesses risks; the risk assessments are the assessments themselves. Both are required, and they are different documents.
Policy vs procedures and safe systems of work: Procedures describe how specific tasks are done safely, the step-by-step detail. The policy is the overarching framework; procedures are the operational detail beneath it.
Policy vs the policy statement: The policy statement (the statement of intent) is just the first part of the full policy. People sometimes use "policy" to mean only the one-page signed statement, but the full policy includes the organisation and arrangements sections too.
How they fit together: The policy is the top of the structure. Beneath it sit the risk assessments (identifying specific risks), the procedures and safe systems of work (controlling them), the training (ensuring competence), and the records (evidencing it all). The policy frames and connects all of these, which is why getting it right, specific and current, matters so much. A coherent set of documents, managed together, often through Health and Safety Consultants and Software, is what genuine compliance looks like.
9. The Health and Safety Policy in Due Diligence and Procurement
For tech and finance firms specifically, the health and safety policy has a commercial dimension that goes well beyond HSE compliance: it is a standard item in the scrutiny these firms regularly face.
Investment and acquisition due diligence: When a tech firm or fintech raises institutional investment, or is acquired, the due-diligence process examines its compliance, including health and safety. A current, professional, specific policy demonstrates that the firm is well run and its risks managed; an absent or generic policy is a red flag that can affect valuation, delay completion, or require remediation as a condition.
Enterprise client procurement: When a tech or finance firm sells to large enterprise clients, or financial institutions, the procurement process frequently requires a health and safety policy as part of supplier onboarding. A firm that cannot provide a credible policy may be excluded from the opportunity.
Tenders and frameworks: Public sector and major private tenders routinely require a health and safety policy as a pass or fail item. The policy is the entry ticket.
Investor and board governance: For firms with institutional investors or formal boards, a current policy is part of the governance evidence expected, and for regulated firms, part of the SMCR and ESG picture.
In each of these contexts, the policy is not just a compliance document; it is a piece of commercial evidence that the firm is credible and well managed. This is one of the strongest reasons for office and tech firms to ensure their policy is genuinely professional, not a downloaded template.
10. International Health and Safety Policy for Multi-Country Firms
Tech and finance firms frequently operate across borders, and the health and safety policy must account for this.
The UK policy covers UK operations: A UK health and safety policy, meeting Section 2(3) of the Health and Safety at Work Act, covers the firm's UK operations. It does not satisfy the requirements of other countries.
Other countries have their own requirements: A firm with employees in the Netherlands, France, Germany, or elsewhere must meet each country's requirements, which differ in form and content. A UK policy alone does not discharge obligations in these jurisdictions.
Coordinated international approach: International Health and Safety Consultants help multi-country firms develop a coherent approach, a group-level framework supported by locally compliant documentation in each jurisdiction. This is increasingly important for tech and finance firms whose international investors and enterprise clients expect consistent governance across all operations.
ISO 45001 as the framework: For firms operating internationally, structuring health and safety management around ISO 45001, the internationally recognised management system standard, provides a consistent policy and management framework across all countries, with local requirements incorporated as needed. This is the kind of systematic, internationally credible approach that sophisticated investors and clients increasingly look for.
11. Getting Your Health and Safety Policy Right
Producing a policy that is compliant, credible, and genuinely useful comes down to a few principles.
Make it specific: The policy must reflect the actual business, its real activities, real risks, and real arrangements. This is the single most important principle and the one generic templates fail. A policy written for your firm, addressing DSE, hybrid working, stress, and fire as they actually apply to you, is what suitable and sufficient looks like.
Sign it at the top: The statement of intent must be signed and dated by the most senior person, demonstrating leadership commitment.
Keep it current: Review at least annually and whenever the business changes. A current policy reflects a managed firm; a stale one does the opposite.
Communicate it: Bring the policy to employees' attention, through onboarding, the intranet, or a Health and Safety Consultants and Software platform that records acknowledgement. A policy nobody has seen does not meet the duty.
Connect it to the wider system: The policy should sit coherently above the firm's risk assessments, procedures, training, and records, not stand alone.
Get professional input: For most office and tech firms, the most efficient route to a genuinely compliant, specific, credible policy is professional support, a consultant who develops the policy properly, keeps it current, and ensures it reflects the firm's real risks and meets the legal standard. This is far more reliable than a template, and far cheaper than the consequences of getting it wrong.
12. How Arinite Develops Health and Safety Policies
Arinite develops health and safety policies for office, tech, finance, and professional firms as part of comprehensive support to over 1,500 businesses across the UK and 50+ countries, with a 95%+ client retention rate.
Arinite's policy service:
Specific, professional policies: Policies developed for the actual business, addressing the risks that genuinely apply to office and knowledge work (DSE, hybrid working, stress, and fire), not generic templates.
Properly structured: A complete policy with a signed statement of intent, a clear organisation section (aligned, for regulated finance firms, with SMCR accountabilities), and a specific arrangements section.
Kept current: Ongoing review and updating, at least annually and whenever the firm changes, so the policy keeps pace with growth, new offices, and changing working patterns.
Connected to the wider system: The policy developed coherently alongside risk assessments, training, and the competent person appointment, as part of a complete management system.
Due-diligence and procurement ready: Policies that stand up to investor due diligence, enterprise client procurement, and tender requirements, the scrutiny tech and finance firms regularly face.
Health and Safety Audits: Audits that verify the policy is implemented in practice, not just written, and drive its improvement over time.
Health and Safety Consultants and Software: A platform holding the policy, recording employee acknowledgement, flagging reviews, and connecting it to the wider management system.
International capability: International Health and Safety Consultants supporting multi-country firms with coherent group policy and locally compliant documentation, often within an ISO 45001 framework.
Named clients including Bell Rock Capital (financial services), Figma, Akamai, SUSE, and Nikon (technology) demonstrate Arinite's experience developing policies for exactly the office, tech, and finance firms this guide addresses.
Frequently Asked Questions
Is a health and safety policy a legal requirement?
Yes, for employers with five or more employees. Section 2(3) of the Health and Safety at Work Act 1974 requires a written health and safety policy setting out the organisation's general approach, the allocation of responsibilities, and the arrangements for managing health and safety, kept up to date and brought to employees' attention. Firms with fewer than five employees still have the underlying duties and benefit from a policy.
What are the three parts of a health and safety policy?
A compliant policy has three parts: the statement of intent (the signed declaration of commitment), the organisation section (who is responsible for what), and the arrangements section (the specific, practical measures for managing risk). A policy missing any part, or with a generic arrangements section that does not reflect the real business, does not meet the legal standard.
What should an office or tech firm's health and safety policy cover?
The arrangements section should address the risks that genuinely apply to office and knowledge work: display screen equipment (DSE), hybrid and home working, work-related stress and mental health, and fire safety (including in multi-tenant buildings), alongside first aid, incident reporting, electrical safety, and welfare. Generic templates that cover industrial hazards but ignore these office risks are not suitable.
How often should a health and safety policy be reviewed?
At least annually, and whenever there is significant change: growth, a new office, a shift to hybrid working, leadership changes, new activities, after an incident, or when the law changes. For fast-growing tech and finance firms, change is frequent, so annual review plus review-on-change is essential.
Why does a health and safety policy matter for investment or procurement?
A current, professional, specific policy is a standard item in investment and acquisition due diligence, enterprise client procurement, and tenders. It is commercial evidence that the firm is well run and its risks managed. An absent or generic policy is a red flag that can affect valuation, delay deals, or exclude a firm from opportunities.
Can I use a health and safety policy template?
A generic template rarely produces a compliant policy, because the arrangements section must be specific to the actual business and its real risks. Templates typically cover hazards an office firm does not have and ignore the DSE, hybrid working, and stress risks it does. For a genuinely compliant, credible policy, professional development is far more reliable, and far cheaper than the consequences of an inadequate policy.
Taking the Next Step
A health and safety policy is the foundation of compliance and a standard piece of commercial evidence for office, tech, and finance firms. Getting it right (specific, signed, current, communicated, and genuinely reflective of your firm's real risks) protects your people, satisfies the law, and stands up to the investor, client, and regulatory scrutiny these firms regularly face.
Assess your current policy: Take our Health and Safety Quiz to evaluate where your firm stands.
Discuss your needs: Book a free Gap Analysis Call with an Arinite consultant to review your policy and wider compliance.
Get a professional policy: Contact Arinite to learn how our Health and Safety Consultants develop policies for office, tech, and finance firms across the UK and beyond.
Arinite develops health and safety policies and provides Health and Safety Consultants services to over 1,500 businesses across the UK and 50+ countries. Key external resources: HSE guidance on health and safety policy | Health and Safety at Work Act 1974 | Management of Health and Safety at Work Regulations 1999 | HSE enforcement statistics | OSHCR consultant register
Written by
Arinite Health & Safety Consultants
Health & Safety Expert at Arinite


