The health and safety of employees is the responsibility of all employers.  Failure to ensure the safety of employees can result in prosecution, fines and significant reputational damage, particularly where this results in the death, or serious injury of an individual.  Health and safety therefore presents significant risks to organisations and there is consequently a need for robust systems in place to control them.

Health and safety is governed by a range of legislation and regulations, principally the Health and Safety at Work Act (1974).   The Health and Safety Executive (HSE) is the UK body responsible for health and safety in the workplace.   The HSE website provides a source of useful information on assessing health and safety risks within organisations.

Boards, audit committees and management will be concerned about the risks that health and safety pose to the organisation.  This is because the risks to the organisation are significant with the potential for criminal prosecution, fines and significant reputational damage should a health and safety risk materialise.  The audit committee is likely to have responsibility for the oversight of risk and an understanding of the health and safety risks is therefore essential given their potential impact on the organisation.

Some organisations will be subject to a greater risk from health and safety incidents than others, depending on the industry, sector or environment in which they work: for example organisations that operate in the mining or construction industries.

Although some risks to employees' health and safety are obvious and well known, other risks may not come to light for a significant period of time: for example the risks of working with asbestos that were identified when the health of individuals started to deteriorate.

Particular attention needs to be paid to areas where a large number of individuals are potentially at risk, such as in the case of landlords failing to check the safety of gas boilers in residential premises: an explosion caused by a faulty gas boiler could cause the death or serious injury of a number of individuals.  This type of risk may be recognised by regulators, such as the Homes and Communities Agency.  This underlines the seriousness with which regulators will view health and safety responsibilities, even where the risk has not materialised.

To reduce the risks of a health and safety incident occurring there are a number of steps that the organisation should take, including:

  • Having a safety aware culture that is supported by senior management and the Board.  There should be a zero tolerance approach for risks that put the health and safety of individuals at risk
  • A documented health and safety policy and procedure that is up-to-date and available to staff
  • Health and safety risks clearly documented along with the steps that the organisation has taken to mitigate these
  • Risk assessments undertaken on a timely basis, the results of these recorded and action taken where deficiencies are identified
  • Clearly defined responsibilities of staff for health and safety
  • Incidents reported to an appropriately senior level within the organisation, potentially via a health and safety committee where one exists.

Given the high level of risk posed by health and safety issues, what should internal audit be doing?  Internal audit has the responsibility for checking that risks to the organisation, including health and safety risks, are adequately controlled.  Although internal audit will not necessarily understand the detailed legislative and regulatory requirements for health and safety, it should be able to review the framework within which it operates.  This may include consideration of the areas detailed above.

Health and safety will often feature on organisations' risk registers and therefore should be considered for review by internal audit.  This may involve looking at the monitoring arrangements for health and safety risks, reviewing the work undertaken by an in-house health and safety team or checking compliance with organisational procedures.

In some cases internal audit may wish to work in partnership with in-house health and safety compliance teams.  The audit will then benefit from the detailed compliance knowledge of a health and safety expert whilst focusing on the effectiveness of the controls in place that manage the key risks.

Failing to manage health and safety risks to an organisation can result in the death or serious injury of an employee, member of the public or other stakeholder.  The resultant impact to the organisation is likely to be significant.  Failure to manage health and safety may therefore be a failure to manage one of the biggest risks of all.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.