The Management of Health and Safety at Work Regulations 1999 (MHSWR 1999) are the cornerstone of UK workplace health and safety law. They require every employer to assess the risks to their employees and others affected by their work, and to put sensible control measures in place. Regulation 3 is the direct legal basis requiring employers to carry out risk assessments — making MHSWR 1999 the most important regulation for any UK business to understand and comply with.
These regulations apply to all workplaces and all work activities in Great Britain. If you employ even one person, you must comply. This guide explains what the Management Regulations actually require, who they apply to, and what a compliant risk assessment looks like in practice.
What the Management of Health and Safety at Work Regulations 1999 Require
MHSWR 1999 came into force on 29 December 1999, replacing the earlier 1992 regulations. They were made under the Health and Safety at Work etc. Act 1974 and implement the EU Framework Directive (89/391/EEC) into UK law. Post-Brexit, MHSWR 1999 remains in full force in Great Britain as retained EU law.
The regulations contain 29 separate requirements covering risk assessment, health and safety arrangements, health surveillance, appointing competent persons, providing information and training, and duties in relation to temporary workers, new and expectant mothers, and young persons. Regulation 3 — the duty to assess risks — is the foundation upon which all other duties rest.
Under Regulation 3(1), every employer must make a suitable and sufficient assessment of the risks to the health and safety of their employees to which they are exposed whilst they are at work, and the risks to the health and safety of persons not in their employment arising out of or in connection with the conduct of their undertaking. This means assessing risks not just to your own staff, but to contractors, visitors, clients, members of the public, and anyone else who might be affected by your work activities.
Regulation 3(6) states that where an employer employs five or more employees, they must record the significant findings of the risk assessment and any group of employees identified as being especially at risk. This is the origin of the requirement for a written risk assessment — a requirement that applies to the vast majority of UK businesses.
The assessment must be reviewed by the employer under Regulation 3(3) if there is reason to suspect it is no longer valid, or there has been a significant change in the matters to which it relates. A risk assessment is not a one-time document — it is a living record that must be kept up to date.
Who the Management Regulations Apply To
MHSWR 1999 applies to every employer in Great Britain who employs one or more employees. This includes:
- Limited companies and PLCs of any size
- Sole traders and partnerships who employ staff
- Charities, schools, and educational establishments
- NHS trusts, local authorities, and public sector organisations
- Franchises, agencies, and labour providers
- Construction contractors and subcontractors
- Retail, hospitality, and service sector businesses
- Manufacturing, warehousing, and logistics operations
Self-employed individuals must also comply under Regulation 3(2), but only in respect of risks to persons not in their employment. A self-employed person working entirely alone with no employees and no contact with others has minimal duties under MHSWR 1999. As soon as their work affects others — customers, clients, the public, or other contractors — the duty to assess risks applies in full.
There are no exemptions based on industry, business size, or turnover. A one-person company employing a part-time administrator has the same fundamental duty to assess and control risks as a FTSE 100 multinational.
Key Duties at a Glance
The Management Regulations impose a wide range of specific duties on employers. Here are the most important:
- Regulation 3 — Risk assessment: Assess risks to employees and others, record findings if you employ five or more, review when circumstances change.
- Regulation 4 — Principles of prevention: Where possible, avoid risks altogether; evaluate unavoidable risks; combat risks at source; adapt work to the individual.
- Regulation 5 — Health and safety arrangements: Make and give effect to arrangements for planning, organising, controlling, monitoring and reviewing preventive and protective measures. Must be recorded in writing if you employ five or more.
- Regulation 6 — Health surveillance: Provide appropriate health surveillance for employees where the risk assessment identifies a significant risk to health (e.g. noise-induced hearing loss, vibration, hazardous substances exposure).
- Regulation 7 — Appointing competent persons: Appoint one or more competent persons to assist in undertaking the measures needed to comply with health and safety law. A competent person has the necessary skills, knowledge and experience.
- Regulation 10 — Information for employees: Provide employees with comprehensible and relevant information on risks identified by the risk assessment, preventive and protective measures, emergency procedures, and the identity of competent persons.
- Regulation 13 — Training: Provide adequate health and safety training on recruitment, on being exposed to new or increased risks, and repeated periodically where appropriate. Training must take place during working hours.
- Regulation 16 — Risk assessment for new or expectant mothers: Where work could involve risk to the health and safety of a new or expectant mother or her baby, take action to avoid the risk, alter working conditions or hours, or if that is not reasonable, suspend the employee on full pay.
Breaching any of these duties is a separate criminal offence. The HSE does not prioritise one regulation over another — all are enforced.
Penalties for Non-Compliance
Breaches of MHSWR 1999 are prosecuted under Section 33 of the Health and Safety at Work etc. Act 1974. In the magistrates' court, the maximum fine is £20,000 per offence. In the Crown Court, fines are unlimited and custodial sentences of up to two years can be imposed.
The HSE's sentencing guidelines for health and safety offences categorise breaches by culpability (deliberate, reckless, negligent, or low) and harm risked (high, medium, or low). A medium-sized company found to have no risk assessment — a negligent breach creating high risk of harm — faces a starting point fine of £190,000 in the Crown Court. Large organisations face starting point fines in the millions.
In 2022/23, the HSE secured 432 convictions for health and safety offences across all sectors. The average fine per conviction was £42,277. Failure to carry out a suitable and sufficient risk assessment under Regulation 3 is cited in the majority of HSE prosecutions — it is the most commonly breached regulation in UK health and safety law.
Beyond criminal prosecution, the HSE operates a Fee for Intervention (FFI) scheme. When an inspector identifies a material breach of health and safety law, the HSE invoices the employer at £163 per hour for all time spent investigating and taking enforcement action. A single inspection visit resulting in an improvement notice can easily generate an FFI invoice exceeding £1,000. FFI is payable in addition to any fine imposed by a court.
How the Management Regulations Relate to Risk Assessments
Regulation 3 of MHSWR 1999 is the legal requirement that makes risk assessments mandatory. Every other piece of UK health and safety law — COSHH, Manual Handling, Work at Height, Fire Safety, and dozens more — refers back to the duty to assess risks under MHSWR 1999.
A suitable and sufficient risk assessment must identify the significant hazards in your workplace or arising from your work activities. It must evaluate the likelihood and severity of harm, consider who might be affected (including vulnerable groups), and record what you are already doing to control the risk. Where existing controls are inadequate, the assessment must identify what further action is needed, by whom, and by when.
The assessment does not need to be perfect, but it must be competent. The HSE's guidance (INDG163) states that a risk assessment should be straightforward in most cases. For typical office, retail or hospitality businesses, a few pages covering the main hazards is sufficient. For higher-risk activities — construction, manufacturing, logistics, healthcare — the assessment will necessarily be more detailed.
If you employ five or more people, the significant findings must be written down. This does not mean recording every trivial risk. The HSE accepts that risks from everyday office activities (using stairs, making tea, sitting at a desk) do not need individual assessment unless there is a particular concern (e.g. a vulnerable employee, a history of incidents, or unusual workplace layout).
MHSWR 1999 and the Construction Industry
Construction is the sector most closely associated with health and safety regulation, and MHSWR 1999 applies in full to every construction employer. The Construction (Design and Management) Regulations 2015 impose additional duties on clients, designers, principal designers, principal contractors and contractors — but they do not replace the requirement for risk assessments under Regulation 3 of MHSWR 1999.
A small contractor carrying out domestic or commercial building work must comply with both CDM 2015 and MHSWR 1999. In practice, this means conducting a site-specific risk assessment before starting work (MHSWR Regulation 3), appointing a competent person to supervise health and safety (MHSWR Regulation 7), ensuring workers are trained (MHSWR Regulation 13), and — where the project involves more than one contractor — preparing a construction phase plan (CDM Regulation 12).
Construction accounted for 45 worker fatalities in Great Britain in 2022/23 — the highest of any sector, according to HSE statistics. The most common causes were falls from height, being struck by moving vehicles, and being struck by moving or falling objects. Every one of these incidents was preventable through proper risk assessment and control measures under MHSWR 1999.
MHSWR 1999 and Early Years Settings
MHSWR 1999 applies to all employers, including nurseries, pre-schools, childminders employing assistants, and out-of-school clubs. The Early Years Foundation Stage (EYFS) statutory framework explicitly requires providers to carry out risk assessments under MHSWR 1999 and to review them regularly.
An early years setting must assess risks to children, staff, and visitors. This includes premises hazards (trip hazards, sharp edges, access to cleaning products), activity hazards (outdoor play, cooking, use of scissors or tools), and off-site hazards (trips to parks, farms, or swimming pools). The assessment must consider the age and developmental stage of the children — a risk that is trivial for a 5-year-old may be significant for a 2-year-old.
Ofsted inspects compliance with EYFS requirements, including risk assessment. Settings judged inadequate on safeguarding (which includes health and safety) can be issued with a welfare requirements notice or have their registration suspended. Compliance with MHSWR 1999 is not optional for early years providers — it is a condition of registration.
Related Regulations and Guidance
MHSWR 1999 works alongside a suite of more specific regulations covering particular risks:
- Control of Substances Hazardous to Health Regulations 2002 (COSHH): Requires assessment and control of exposure to hazardous substances including cleaning chemicals, dust, fumes, and biological agents.
- Manual Handling Operations Regulations 1992: Requires assessment of manual handling tasks that involve a risk of injury, and implementation of controls to avoid or reduce the risk.
- Work at Height Regulations 2005: Requires assessment of all work at height (any place where a person could fall and injure themselves) and implementation of a hierarchy of control measures.
- Regulatory Reform (Fire Safety) Order 2005: Requires a fire risk assessment for all non-domestic premises, identifying fire hazards, people at risk, and fire safety measures.
Each of these regulations requires a risk assessment specific to that hazard. In practice, most employers integrate these into a single comprehensive risk assessment document that addresses all significant risks. This is acceptable provided each specific regulation's requirements are met.
The HSE's approved code of practice and guidance for MHSWR 1999 is published as L21 (Management of Health and Safety at Work). While not law itself, an approved code of practice has special legal status: if you follow the code, you will be doing enough to comply with the law in respect of those matters covered by the code. Failure to follow the code can be used as evidence against you in a prosecution.

