UK HSE Compliance Mistakes Your SME Can't Afford to Make in 2026 - Part 1
The numbers from 2025 Health and Safety Executive (HSE) fines tell a sobering story. HSE fines ranged from tens of thousands to eye-watering sums – £800,000 for a construction fatality, over £6 million for a busway disaster. These were not just headline-grabbing cases from corporate giants. They reflected a consistent pattern: serious failings in construction, chemical handling, transport, and healthcare sectors that the HSE won't overlook, regardless of business size.
What drove these penalties? Systemic failures that sound all too familiar – inadequate risk assessments, poor maintenance of pipework and equipment, breaches of work-at-height regulations, fire safety violations. The Health and Safety at Work Act and its associated regulations don't differentiate between organisations based on their headcount or turnover when it comes to fundamental duties of care.
A few months ago, we worked with a business owner who received an enforcement notice from the HSE. His company employed 23 people. The issue? A gap in their risk assessments that had been sitting there for two years. "I thought we were too small to worry about all that," he told us.
He is not alone in thinking that way.
The landscape of UK HSE compliance has shifted considerably, and 2026 brings challenges that many SMEs simply are not prepared for. While sentencing guidelines do consider company turnover and culpability, the HSE's prosecution policy shows no leniency based on company size when serious harm occurs. With enforcement activity up 18% year-on-year and high-profile cases demonstrating the real cost of non-compliance, the stakes have never been higher for commercial services businesses.
In the first of our 3-part series, let us walk you through the first two critical mistakes we are seeing repeatedly – and more importantly, how to avoid them.
The "We're Too Small" Fallacy
Before we get to the two mistakes, let's debunk a myth many SMEs hold: "We're a small organisation, so we don't need to bother." Here's the uncomfortable truth: HSE fines hit SMEs disproportionately hard. While a £200,000 penalty might be manageable for a multinational, it can close the doors of an operation with 30 or fewer people overnight.
The Health and Safety at Work etc. Act 1974 does not distinguish between your local facilities management company and a Fortune 500 giant. Section 2 places the same duty of care on all employers, regardless of size. The Management of Health and Safety at Work Regulations 1999 expect suitable and sufficient risk assessments from everyone.
We have watched businesses with fewer than ten employees face huge fines under Section 33 of the HSWA. The sentencing guidelines consider harm and culpability, not your headcount.
What does this mean practically? Every employer in the UK – whether you employ five people or five thousand – must ensure, so far as reasonably practicable, the health, safety and welfare at work of all employees. There is no exemption clause for small businesses, no grace period for startups, and no reduced expectations for companies with limited resources.
The phrase "so far as reasonably practicable" is crucial here. It's a legal test that balances risk against the cost and difficulty of control measures. Courts interpret this pragmatically, but they won't accept "we couldn't afford it" as a defence if the risk was serious and the control measure was standard industry practice.
At CIPHER QHSE Consulting Ltd, we work extensively with SMEs who've discovered this reality too late. The good news? With the proper health and safety consultancy support and guidance we provide, even the smallest businesses can achieve robust compliance without breaking the bank.
Having cleared up that fallacy, let's dive into the mistakes that you can't, and shouldn't, afford to make in 2026.
Mistake #1: Treating Risk Assessments Like a Tick-Box Exercise
Walk into most SMEs and ask to see their risk assessments. You'll likely find one of two scenarios: either there aren't any, or there's a generic template downloaded five years ago gathering digital dust on the shelves.
Under Regulation 3 of the Management of Health and Safety at Work Regulations 1999, your risk assessments must be suitable and sufficient. That means specific to your operations, regularly reviewed, and actually implemented. Generic templates don't cut it when an inspector arrives.
We recently worked with a cleaning services company that had "completed" risk assessments using an industry template. When we dug deeper, none of their actual work environments were reflected. They cleaned medical facilities, schools, and industrial sites—each presenting entirely different hazards. Their paperwork mentioned none of it.
The HSE's approach to inspections has evolved significantly. Inspectors now expect to see evidence that risk assessments inform actual working practices. They'll talk to your employees, observe work being done, and compare what they see against what's documented. Any disconnect raises immediate red flags.
What Makes a Risk Assessment Suitable and Sufficient?
The HSE's guidance is clear. Your risk assessment should:
· Identify all significant hazards arising from work activities
· Consider who might be harmed and how
· Evaluate existing control measures
· Identify what additional controls are needed
· Be appropriate to the nature of the work
· Remain valid for a reasonable period
"Reasonable period" doesn't mean set-it-and-forget-it. We have seen companies prosecuted because their risk assessments hadn't been reviewed despite significant changes to their operations. New equipment, different work methods, lessons learned from incidents, changes to relevant legislation – all of these trigger the need to review your risk assessment.
For SMEs, the challenge often isn't understanding what's needed but finding the time and expertise to do it properly. That's where professional risk assessment services become invaluable. At CIPHER QHSE Consulting Ltd, our health and safety consultancy includes working alongside your team to develop risk assessments that actually reflect your operations, not generic industry assumptions.
The Real-World Consequences
Consider this recent HSE prosecution. A tree service company was prosecuted after an employee “suffered life-altering back injuries when he fell over 30 feet from a MEWP basket” while carrying out tree surgery. The company had a risk assessment for work at height, but it was generic and didn't address the specific risks of the task they were working on that day. The Work at Height Regulations require task-specific assessment, including a rescue plan as well as the correct information, instruction and training for working at height. The fine: £20,000 plus costs. Assuming the company has fewer than twelve employees and an annual turnover of less than £100,000, a fine like this could be devastating. The company did have the paperwork, but paperwork alone has never been enough. The HSE's enforcement policy emphasises that documentation should evidence a management system that actually prevents harm. If your risk assessments don't drive decisions about how work is planned and executed, they're just expensive wallpaper.
Making Risk Assessments Work for You
The fix isn't complicated, but it requires honesty. Here's what actually works:
1. Start with real conversations. Walk your sites with the people doing the work. They know where the hazards are. We have learned more from a thirty-minute site walk with operatives than from hours reviewing paperwork.
2. Document real hazards in plain language. Forget about impressing inspectors with technical terminology. Write risk assessments that your newest employee could understand and follow.
3. Review when things change. New client site? Different equipment? Near-miss that highlighted an unexpected hazard? These all trigger reviews. Keep a simple log of when you last looked at each assessment and why.
4. Make them accessible. Risk assessments filed away in the office are useless to someone making real-time decisions on site. Consider how your team actually accesses information – toolbox talks, induction briefings, site-specific documents.
The HSE's guidance document HSG245 (Investigating Accidents and Incidents) makes it clear: your risk management system should be dynamic, not static. Risk assessments are living documents that evolve with your understanding of hazards and your business operations.
If you're uncertain whether your current risk assessments meet legal requirements, a professional health and safety audit can identify gaps before the HSE does. CIPHER QHSE's health and safety consultancy service includes comprehensive audits that benchmark your documentation against current HSE expectations and industry best practice.
Mistake #2: Ignoring the Mental Health Elephant in the Room
Recent data from the Health and Safety Executive reveals an unprecedented mental health crisis in Britain's workplaces. During 2024/25, nearly one million workers—964,000—experienced work-related stress, depression, or anxiety. These mental health conditions represent a major portion of the 1.9 million total work-related illness cases recorded that year.
The economic and human cost is substantial. Stress-related absences typically last almost 23 days, contributing to millions of lost working days across the country. Mental health issues have emerged as the leading driver of workplace illness, generating annual costs in the billions for the UK economy. The problem is particularly acute in public administration, education, construction and healthcare sectors, where rates significantly exceed the national average.
Mental health is no longer a "nice to have" in health and safety conversations. It's a legal requirement under the Health and Safety at Work Act 1974, and the courts are taking it seriously.
The HSE's working definition of work-related stress – "the adverse reaction people have to excessive pressures or other types of demand placed on them" – has teeth. The Management Standards for Work-Related Stress aren't legally binding in themselves, but they represent good practice that tribunals increasingly expect to see.
I've watched this shift happen over the past five years. Cases that would have been dismissed as "just workplace stress" are now resulting in successful claims and HSE enforcement action. Employers who thought mental health was solely the domain of HR are discovering it falls squarely within their Section 2 HSWA duties.
Why SMEs Are Particularly Vulnerable
SMEs in commercial services face particular pressures that create mental health risks: tight margins mean fewer staff handling more work, demanding clients with immediate expectations, lone working without peer support, and unsociable hours that disrupt work-life balance.
We have worked with facilities management companies where supervisors were regularly working 50-hour weeks to cover gaps. Property management firms where individual employees handled impossibly large portfolios. Commercial cleaning operations where workers felt pressured to cut corners to meet unrealistic schedules.
These aren't just employee wellbeing concerns – they're health and safety risks that employers have a legal duty to manage.
What the Law Actually Requires
Section 2(1) of the Health and Safety at Work Act requires employers to ensure, so far as reasonably practicable, the health, safety and welfare of employees. "Health" isn't qualified – it includes mental health.
Regulation 3 of the Management of Health and Safety at Work Regulations 1999 requires risk assessments to cover "all health risks." Again, no exclusion for psychological risks.
The precedent is clear. In cases like Hatton v Sutherland and subsequent Court of Appeal decisions, employers have been found liable when they failed to take reasonable steps to prevent work-related stress and mental health issues.
Practical Steps That Actually Work
You don't need an expensive wellness programme or a team of occupational health psychologists. You need systematic attention to psychosocial hazards, just as you would to physical hazards.
1. Start with risk assessment. The HSE's Management Standards identify six key areas: demands, control, support, relationships, role, and change. Evaluate your workplace against each. Are workloads reasonable? Do people have sufficient control over how they work? Is support available when needed?
2. Create genuine channels for concerns. Regular one-to-ones where people feel safe raising workload issues. Anonymous feedback mechanisms. An actual willingness to act on what you hear.
3. Train your managers/key employees. They don't need to become counsellors, but they should recognise early warning signs – changes in behaviour, increased sickness absence, reduced performance, withdrawal from colleagues. Knowing when to have a conversation and when to seek professional support is crucial.
4. Monitor and respond to indicators. Sickness absence patterns, staff turnover, grievances, and near-miss reporting rates—all can signal underlying stress and mental health issues. Look for patterns rather than isolated incidents.
Our health and safety training services include mental health awareness for managers, helping them understand their role in preventing work-related stress without overstepping into areas requiring professional mental health support.
The Cost of Getting It Wrong
We have seen businesses lose good people – and in some rare cases face legal consequences – because they didn't spot the warning signs or didn't take them seriously when they did.
But here's what is interesting: companies do not ignore employees' work-related stress issues out of malice or indifference. They simply don't recognise that managing mental health and psychosocial risks is part of their legal duty as an employer. They usually think that health and safety is only about hard hats and risk assessments for physical work.
Making Mental Health Part of Your Health and Safety System
Integration is key. Mental health shouldn't be a separate initiative—it should be woven into existing health and safety management systems.
Include psychosocial hazards in your risk assessments. Discuss mental health in induction and regular training. Make it part of incident reporting and investigation. Review sickness absence data for patterns that might indicate underlying issues.
The HSE's Management Standards approach provides a practical framework that works for businesses of any size. It's free, it's straightforward, and most importantly, it demonstrates you've taken reasonable steps to prevent psychological harm. It could also help if your company implements ISO 45003:2021 (Psychological health and safety at work).
If you're unsure where to start, professional guidance can help. CIPHER QHSE's health and safety consultancy includes support for integrating mental health risk management into your existing systems, without creating unnecessary bureaucracy or requiring specialist resources you don't have.
What These Mistakes Mean for Your Business Right Now
These first three mistakes – inadequate risk assessments and ignoring mental health – share a common thread: avoiding them is all about treating health and safety as a genuine management function rather than a compliance burden.
The businesses that avoid enforcement action aren't necessarily those with the biggest budgets or the most sophisticated systems. They're the ones that:
- Understand their legal duties clearly
- Implement practical systems that work for their size and sector
- Keep documentation relevant and current
- Involve their teams in identifying and controlling risks
- Take action when issues are identified
If you've recognised your business in any of these mistakes, you're not alone. Most SMEs we work with have gaps in their health and safety management when we first meet them. The difference between those who face enforcement and those who don't often comes down to one thing: they acknowledge the gaps and take action to address them.
In Part 2, we'll explore three more critical mistakes – poor contractor management, inadequate training records – plus practical guidance on what 2026 demands from your business and how to move forward.
Need help identifying gaps in your health and safety management? CIPHER QHSE Consulting provides comprehensive health and safety audits for SMEs across commercial services sectors. We'll help you understand exactly where you stand and provide practical, cost-effective solutions that work for your business. Get in touch for a free initial consultation.
