
7.1 Purpose of managing health, safety and security

The purpose of managing health, safety and security in project delivery is to ensure the public and people engaged in government work are not at risk and that government property and information, public assets and citizen and employee data are protected from harm. Managing health, safety and security is a critical part of managing risk within a portfolio, programme or project.

7.2 Key points

  • Portfolios, programmes and projects can create new or increased risks on health, safety and security which require active planning and management.
  • Health, safety and security should be integrated into the governance and management framework and into day-to-day practice.
  • Involve everyone in managing health, safety and security and provide appropriate information and training.
  • Encourage an open culture in identifying risks and issues relating to health, safety and security and take prompt action to address them.
  • Monitor, review and report on health, safety and security through the life cycle.

7.3 Why does managing health, safety and security matter?

Protecting the health and safety of employees and members of the public involved in, or affected by, government work or activities is a critical part of risk management in government project delivery. Failure to consider health and safety can have catastrophic results for individuals and organisations. Health and safety law applies to everyone but places particular duties on organisations and employers, whose leaders can have both collective and individual responsibility for health and safety and can be personally liable if these duties are not met.

Protecting the security of employees and members of the public involved in, or affected by, government work and activities is also a critical part of risk management and is closely linked to health and safety.  Failure to manage security, whether of people, property, services, information and data, makes them vulnerable to attack or exploitation, putting employees and the public at risk, with potential to cause harm, loss or threat to life to individuals or to the UK. Government security is also subject to certain legal requirements, notably the Official Secrets Act 1989 and statutory provisions on data protection and cyber security (see Chapter 24: Information and data management).

7.4 Managing health and safety

7.4.1 What is health and safety management?

Managing health and safety involves establishing the framework for managing health and safety, identifying and assessing risks and implementing control measures (see Chapter 20: Risk management), monitoring and reviewing performance (see Chapter 17: Controlling), and acting on lessons learned (see Chapter 38: Learning from experience). It should combine a systemic approach to preventing and controlling health and safety risks with a strong focus on human behaviours and wellbeing. There are various industry-specific approaches to managing health and safety, typically based on the ‘Plan, Do, Check, Act’ approach recommended by the Health and Safety Executive, as described in Managing for health and safety.

Employers have a legal duty to put in place suitable arrangements to manage health and safety, both in terms of securing the health, safety and welfare of people at work and protecting others against risks to their health or safety arising out of or in connection with work activities.

The Health and Safety at Work etc Act 1974 and the Health and Safety at Work (Northern Ireland) Order 1978 are the primary pieces of legislation covering occupational health and safety. They require employers to protect their workers and others from getting hurt or ill through work. If they do not, action can be taken against them by a regulator (such as the Health and Safety Executive or local authority) under criminal law and/or a person affected can make a claim for compensation against them under civil law.

These provisions apply to all organisational activities, and organisations should have established health and safety policies and procedures as part of their governance and management framework which should be followed.  However, portfolios, programmes and projects, in initiating new work and delivering change, can raise different considerations for health and safety and create new risks that require changes in practice or behaviour.

In addition, change itself can be stressful, both for those delivering it and those affected by it. These impacts of change can also present risks to health and wellbeing that need to be managed (see Chapter 35: Management of organisational and societal change).

The context of the work has a significant impact on requirements for health and safety.

Infrastructure, construction and military capability work requires a rigorous focus on physical health and safety, designed to keep workers and members of the public safe and minimise the risk of accidents and other harmful impacts, for example resulting from the release of dangerous substances and emissions. It also requires a strong focus on the welfare and wellbeing of employees, who often work in challenging and stressful environments, which can impact significantly on physical and mental health.

Digital and transformation work can affect health and safety in several ways. Changes to organisational layouts and working arrangements may need updated fire safety procedures. However, such work typically requires a strong focus also on the handling of potentially significant impacts for individuals, in terms of changes to jobs, teams and working practices, and managing the impacts of this is also a critical consideration for health and safety.

International work has safeguarding risks. Steps need to be taken to safeguard staff, other people involved in the work, and beneficiaries. Health and safety requirements for the different countries being worked in must also be considered.

There are a range of specific laws and regulations governing health and safety in different industries and environments which need to be followed. Further guidance on the different statutory requirements and on health and safety in general is provided on the Health and Safety Executive website.

7.4.2 Who is responsible for managing health and safety?

In government organisations, the organisation’s accounting officer has overall accountability for health and safety within the organisation, supported by the executive board and audit and risk committee, and oversees the organisational governance and management framework for managing health and safety. Each organisation is also expected to designate an individual responsible for health and safety in the organisation, accountable to the accounting officer.

At least 1 health and safety representative independent of the organisation’s chain of command might be appointed by trade unions or elected by employees.  They represent the interests and concerns of co-workers and respond on their behalf, typically at an organisation level.

Within this framework, the portfolio director responsible for a portfolio, or the senior responsible owner of a programme or project, is accountable for ensuring health and safety within the work for which they are responsible, acting in line with wider organisational and government policies.

Day-to-day oversight of health and safety is the responsibility of the portfolio, programme or project manager, who can also appoint individuals to manage health and safety within the team, depending on the scale and complexity of the work.

7.4.3 What to consider in managing health and safety

7.4.3.1 Understanding the legal requirements

Legal requirements for managing health and safety relevant to the work should be identified as early as possible. These must be complied with and should be reflected in the governance and management framework for the work (see 7.4.3.2). Note in particular the provisions of the Health and Safety at Work etc. Act 1974 and associated regulations, including the Management of Health and Safety at Work Regulations 1999. These require employers to ensure that:

  • risk assessments are conducted (and reviewed at least annually), hazards are identified and control measures are implemented
  • employees (and where necessary, others working in the environment) have information, instruction and training on all safety matters, including on equipment and safe systems of work
  • accidents are reported, recorded, and actions taken to reduce the risk of recurrence
  • safety management is designed around the ‘Plan, Do, Check, Act’ model as described in Managing for health and safety

Organisations are also required to establish arrangements to improve health (physical and mental) and wellbeing in the workplace by:

  • developing, implementing and communicating a health and wellbeing at work plan, which considers inclusivity and access for all
  • establishing and promoting support for employees through occupational health and employee assistance programmes and other key bodies
  • considering the impact of these arrangements on the health and wellbeing of employees and monitoring the effectiveness of initiatives

Specific regulations govern the reporting of work-related accidents, injuries, occupational diseases, dangerous occurrences and gas incidents, under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013, often referred to as RIDDOR. These require all work-related deaths, specified reportable injuries to, and occupational diseases affecting workers and members of the public, and specified dangerous occurrences and gas incidents to be reported to the Health and Safety Executive by employers and other ‘responsible persons’, including the self-employed and those in control of premises. In government this is typically through organisation-level reporting arrangements, other than where specific procedures are in place. A culture of reporting should be encouraged to ensure safety arrangements are sufficient and strategic hazard reviews are comprehensive.

Health and safety is led from the top of the organisation and responsibility is delegated throughout the management chain. Leaders and managers in portfolios, programmes and projects are expected to ensure that employees are aware of organisational and local health and safety arrangements and put in place any support needed to respond to specific health and safety considerations arising as part of the work. This should include ensuring that building and facilities management procedures, including fire safety requirements, are always followed. It should also include ensuring that employees are aware of any employee wellbeing initiatives and services, for example employee assistance programmes and occupational health services, which are often provided at organisational level.

Further information on health and safety legislation is available on the Health and Safety Executive website, and information on employee wellbeing in government in the Government Functional Standard for People.

7.4.3.2 Creating the framework for managing health and safety

Managing health and safety should be an integral part of the governance and management framework for a portfolio, programme or project. The approach and arrangements for managing health and safety should be aligned to those of the host organisation but should be primarily determined by the nature and context of the work. This should be underpinned by an assessment of the risk profile and linked to or part of the wider risk management framework (see Chapter 20: Risk management).

The governance and management framework should set out how health and safety is to be organised and managed as part of the work. This should include how it is considered in planning and decision-making, and integrated with other governance and management practices. It should set out the aims for health and safety through the life cycle and how performance is to be measured.

The framework should also set out expectations on health and safety in terms of workplace behaviours and attitudes, and particularly on:

  • the role of senior leaders and managers in establishing appropriate health and safety practices, and maintaining channels for sharing information and reporting risks, issues and incidents
  • the need for appropriate workforce skills and training
  • creating an environment where people are trusted, involved, and encouraged to raise concerns, near-misses and incidents

The level of detail within the framework on health and safety should be tailored to the scale, complexity and risk profile of the work and should be reviewed regularly to ensure that it continues to meet the requirements, to identify patterns of near-misses and incidents, and to reflect new risks arising as the work progresses through the life cycle.

7.4.3.3 Involving everyone in managing health and safety

Everyone involved in working on a portfolio, programme or project needs to know how to work safely and without risk to their health. This includes those working under contract as well as visitors to a building, site or other facility. This means ensuring that everyone has appropriate information, instruction and training on hazards, risks and the control measures in place to deal with them, and knows how to follow emergency procedures.

Where work is delivered through a delivery partner, there should be a joint approach to risk assessment, agreement on the approach to managing health and safety, and agreed common practices adopted where possible, particularly where people from different organisations are co-located.

Workers are often the best people to understand risks in the workplace as they are closest to them; they should be included in the risk assessment process. This means creating an active health and safety culture where the focus is on prevention rather than reaction to incidents after the event. Health and safety should be routinely considered in meetings as part of risk management and factored into planning and reporting. Senior leaders and managers have a vital role to play here, by actively championing health and safety, challenging unsafe behaviours, ensuring prompt action in response to risks, issues and ideas for improvement, and ensuring that lessons learned are followed through.

Employers are legally required to consult workers on health and safety, allowing employees to raise concerns and influence decisions on managing health and safety, either directly or through a health and safety representative. While formal consultation is typically done at organisational level, seeking the views of employees is also important in the context of a portfolio, programme or project, particularly where there are specific considerations on health and safety.

Programmes and projects can also present particular challenges for health and safety in terms of continuity. People joining and leaving the team regularly can result in gaps in awareness of hazards and risks, safe systems of work and management systems. This makes it essential to have systematic arrangements for providing up-to-date information, instruction and training on health and safety, particularly as part of induction for new joiners, when people change roles or take on extra responsibilities, and for people with health and safety responsibilities (see Chapter 39: Project delivery team induction and training).

Young workers are particularly vulnerable to accidents, and there are specific laws under the Management of Health and Safety at Work Regulations 1999 in relation to the protection of young workers, for example apprentices and those on work experience. New and expectant mothers are also protected under this regulation.

In addition, under the Equality Act 2010 those individuals with a protected characteristic as described in the act should be subject to risk assessment under the Management of Health and Safety at Work Regulations 1999, with reasonable adjustments prescribed as necessary.

Further guidance on promoting a strong culture of health and safety with employees and all other stakeholders is provided in Managing for health and safety.

7.4.3.4 Ensuring appropriate monitoring and reporting

Health and safety should be monitored and reported on in line with organisational and any local requirements, supported by relevant key performance indicators. Monitoring and reporting should be proportionate to the nature, scale and complexity of the work. It should normally include both active methods (for example, controls implemented, training compliance, inspection results) and reactive methods (for example, accidents and incidents, ill-health and sickness, wellbeing surveys).

Monitoring and reporting must include the mandatory recording and reporting of work-related accidents, injuries, incidents and other categories under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR), typically through wider organisational reporting arrangements (see 7.4.3.2 on creating the framework for managing health and safety). This also includes reporting by the employer of incidents involving people employed under contract.

The causes of any accidents, incidents or near-misses should be investigated and reported, with corrective actions put in place to reduce or eliminate the chances of a similar incident recurring, and to share lessons learned. Further guidance on accident and incident investigation is described in Managing for health and safety.

It is important to monitor trends on health and safety over time, using key performance indicators appropriate to the hazard profile of the work, and to act where these indicate risks or issues arising.  If there are particular concerns, an in-depth review or audit should be commissioned.

7.4.3.5 Reviewing performance

Reviewing health and safety performance, on the basis of data gathered over time, provides a view on how arrangements are working and whether any changes are needed, for example because some things are no longer necessary or new factors or risks have arisen.

The timing of a review depends on the nature of the work, its risk profile, and where it is in the life cycle. For example, a review could be important if a project is due to move from planning into delivery, to inform detailed planning for the next phase of the work; or in a portfolio to inform learning from experience across multiple projects and/or programmes.  Further guidance on reviewing health and safety is included in Managing for health and safety.

Reviews of health and safety play a critical part in enabling lessons to be learned and reducing risks and incidents. A review also provides the opportunity to recognise success in health and safety management and promote positive lessons for the future (see Chapter 38: Learning from experience).

7.5 Managing security

7.5.1 What is security management?

Security management is concerned with the protection of government security and includes strategy and planning, prevention and detection, incident management and reviews from lessons learned, protecting:

  • the government’s assets (people, property and information)
  • visitors to government property, and third-party suppliers whilst engaged on government business
  • personal data

Protective security in government comprises 4 interconnected domains, through which attacks are perpetrated: physical, personnel, cyber and technical. Although they are considered as separate domains, attacks rarely occur in one domain in isolation, and the domains are managed holistically.

Physical security is the practice of protecting elements of government infrastructure, estates, physical assets and personnel against attacks or compromises in the physical (tangible and real-world) environment.

Personnel security is the practice of ensuring the security of government information and infrastructure against threats arising from government personnel, others working to government and those who formerly worked in government circles. This could include deliberate attacks, criminal activity for profit, unmalicious and unwitting insider threat, or gross negligence, and could manifest in a variety of environments, including the physical or virtual environments. Such individuals could join government service intending to commit such acts, or decide to do so after employment.

Cyber security comprises technologies, processes and controls that are designed to protect systems, networks and data from the deliberate and inadvertent exploitation of computer systems, technology dependent enterprises and networks.

Technical security is the practice of detecting the compromise of protective security systems, analysis and prevention of technical attack, mitigation of technology vulnerabilities and the deployment of countermeasures.

Government security also extends to the security of its supply chain, referred to as industry security. Maintaining oversight of the security arrangements of any third-party suppliers that provide goods and services to government or which hold government or international partners’ classified information is essential for the overall management of security.

The Government Functional Standard for Security sets out the expectations for managing security in government, and is underpinned by subject specific standards which define the requirement for physical, personnel, cyber, and incident management. Guidance on information and data security is also available in the Government Functional Standard for Digital. Further guidance and information is available at security.gov.uk.

Information management is closely allied to security in government and requires the implementation of protective security measures that mitigate insider threat and ensure consistency and efficiency between government organisations. All organisations are required to have policies, systems and processes for information handling that are compliant with HM Government information security policies and standards, and relevant legislation and regulations, such as the Data Protection Act 2018 and the Public Records Act 1958 (as amended) (see Chapter 24: Information and data management).

Also allied to security management is the management of activity to counter fraud, bribery and corruption, which cuts across a number of domains. More information on this is in Chapter 29: Finance, and in the Government Functional Standard for Counter-Fraud.

7.5.2 Who manages security?

The Prime Minister is ultimately responsible for the security of HM Government, and delegates accountability to the cabinet secretary, who in turn delegates accountability to departmental permanent secretaries and accounting officers.

Policy on national security is led by the National Security Council, working with the Cabinet Office’s National Security Secretariat and other bodies concerned with security across government. Functional leadership on security is provided by the Government Security Group.

Expert advice and support are provided in the 4 domains of security from the UK National Technical Authorities: the National Protective Security Authority (NPSA) on physical and personnel security; the National Cyber Security Centre (NCSC) on cyber security; and the UK National Authority for Counter-Eavesdropping (NACE) on technical security. Work to counter fraud, bribery and corruption is led by the Public Sector Fraud Authority.

In a government organisation, the accounting officer has primary accountability for managing the organisation’s risks, including security and fraud, supported by the executive board and audit committee, and sets the organisational governance and management framework in accordance with government policy. Each organisation is expected to designate a separate individual responsible for security, for information security, and for countering fraud, accountable to the accounting officer. Other specialist roles are defined to suit the needs of the activities being undertaken.

Within this framework the portfolio director responsible for a portfolio, or the senior responsible owner of a programme or project, is accountable for managing security and fraud risks within the work for which they are responsible, acting in line with organisational and government policies.

Day-to-day oversight of security is the responsibility of the portfolio, programme or project manager, who can also appoint individuals to manage security and fraud risks within the team, should the scale and complexity of the work make this necessary, working with specialists in the organisation and other parts of government as required. Information asset owners also have particular responsibilities for security in relation to the assets they oversee.

Everyone who works with government (including employees, contingent labour and suppliers), has a duty of confidentiality and a responsibility to safeguard any government assets, information or data that they access. Individuals are accountable for their own security decisions and should complete any security training mandated by their organisation.

7.5.3 What to consider in managing security

7.5.3.1 Understanding the government security policy framework

Overview

The Government Functional Standard for Security sets the expectations for consistent and coherent security behaviours across government. Its provisions apply to those working within and for the government who have a responsibility to ensure security practices are followed, including employees and third-party suppliers.

These expectations are designed to protect:

  • the government’s assets (people, property and information)
  • visitors to government property and third-party suppliers whilst engaged on government business
  • citizen data

Government security policy operates within the context of domestic law, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Official Secrets Act 1989, and other provisions relating to freedom of information (see Chapter 24: Information and data management). The security policy provides the underpinning framework supporting the Government Functional Standard for Security.

Personnel security

The government's personnel security controls ensure that anyone (whether an employee or someone employed under contract) given access to government assets is subject to appropriate checks to confirm their identity and to provide a level of assurance as to their trustworthiness, integrity and reliability. This requires, as a minimum, passing the Baseline Personnel Security Standard (BPSS), but often more detailed clearance to different levels through National Security Vetting. Further information on security levels and requirements is provided in the HMG personnel security controls.

Information security

To manage information in line with the Government Functional Standard for Security, the Government security classifications policy provides an administrative system for the government and its partners to protect information assets appropriately against prevalent threats. Any information that is created, processed or moved (whether sent or received) as a part of government work falls within the classifications policy.

The policy uses 3 classification tiers (OFFICIAL, SECRET and TOP SECRET). Each classification provides a set of protective security controls and baseline behaviours that are proportional to the potential impact of any compromise, accidental loss or incorrect disclosure of information, and to the level of interest expected from threat actors that might arise from this.

Most of the day-to-day business of government is held at the OFFICIAL tier and uses appropriate commercial solutions used by many large corporate organisations. Assets held at SECRET and TOP SECRET typically require bespoke additional security controls. Guidance on security controls for all tiers can be found in Guidance 1.5: Considerations for security advisers.

All government information should be clearly marked with a classification level (unless this requirement is superseded by organisational policy), other than OFFICIAL information cleared for public release or disclosure, or which is freely available in the public domain.  Material assets can also be given a security classification due to the information they could reveal. Additional considerations apply to the handling and sharing of data with international partners, and advice should be sought. Further information is available in the Government security classifications policy.

Physical security

As set out in the Government Functional Standard for Property, all government organisations are expected to provide a safe and secure working environment and protect employees and the public from a wide range of threats (including theft, terrorism or espionage), through:

  • processes and plans, including those developed from the early stages of building design, to determine the appropriate physical security requirements through planning and risk assessment
  • mechanisms to implement internal and external security controls in a layered fashion that deter or prevent unauthorised access and protect assets, especially those that are critical or sensitive, against forcible or surreptitious attack
  • substantial controls for controlling access and proximity to the most high-risk sites and assets designated as critical national infrastructure (facilities, systems, sites, information, people, networks and processes necessary for a country to function and upon which daily life depends)

Cyber security

The reliance on technology and data-driven solutions brings with it a heightened risk of cyber threats, making cyber security an essential component of project delivery. Cyber security encompasses the practices, technologies, and processes designed to protect networks, devices, programs, and data from unauthorised access or attacks.

All government portfolios, programmes and projects should be run and operated in compliance with the Government cyber security standard and should comply with all relevant data protection law.

Products and services developed must also meet the requirements set out in the Government cyber security standard, including meeting outcomes specified by the Cyber assessment framework, and complying with the Secure by design principles. Good cyber security outcomes should be considered as part of the outcomes, benefits and social value of the work.

7.5.3.2 Identifying potential threats relating to the work and the solution

Identifying the security-related threats and measures needed to manage them is a critical part of early planning for the work and designing the solution, as this can have a significant impact on requirements, solution design and development, resourcing, timescales and costs. For instance:

  • physical, data, personnel and other aspects of security should work together and so should be designed as a system rather than in isolation (see the introduction to Part F: Solution delivery, on taking a systems approach)
  • particular requirements for national security vetting of workers or contractors can extend recruitment or contract mobilisation timescales significantly
  • secure development and hosting environments typically cost more, and specialist testing and assurance can add further cost and time to the schedule
  • concerns about threats to the integrity of a solution or its potential exploitation by malicious actors can lead to major changes in design or removal of features from scope

Identifying potential threats to the security and integrity of the solution early is essential to avoid additional costs, delays and scope changes further down the line. Further guidance on designing solutions for security is provided in Secure by design.

Often, the organisational context and nature of the solution determine the security considerations. For example, the development of military capability is subject to very rigorous standards of security, which are likely to be common across a particular portfolio. Sometimes, however, this is much less clear cut: some organisational portfolios include multiple programmes and projects operating at very different levels of security. Even within a single programme or project, different parts of the work can be subject to different security considerations and requirements, for example to protect specific parts of a solution against threat.

Security needs to be considered both in terms of the conduct of the work and the use of the solution, to ensure that the solution developed is not vulnerable to exploitation or attack. Sometimes, risks are not evident, so it is important to consider the potential threats that might arise in each of the security domains, individually and operating together – physical, personnel, cyber, technical and industry security – during conduct of the work and during use and disposal of the solution.

Protecting the work and future solution against the risk of fraud, bribery and corruption is also a critical consideration, closely allied to security. This can arise as a threat across the different domains and should therefore also be considered as part of risk assessment. All government organisations are required to have a counter fraud, bribery and corruption strategy, and this should be considered in identifying risks and setting goals for the work. For further information see Chapter 29: Finance, and the Government Functional Standard for Counter Fraud.

Initial assessment of the potential security and fraud risks should be carried out as part of early planning. This work should underpin development of the framework for managing security and fraud risks (see 7.5.3.3 on creating the framework for managing security), which should be part of the wider risk management framework for the portfolio, programme or project, as appropriate. The security and fraud risk assessments should be developed as planning progresses, typically as part of wider risk assessment.

Government Major Projects Portfolio and mandatory fraud assessments

Programmes and projects on the Government Major Projects Portfolio must conduct an initial fraud risk assessment (see 29.6.1.6 on protecting against fraud, bribery and corruption for more information).

7.5.3.3 Creating the framework for managing security

Managing security should be an integral part of the governance and management framework for a portfolio, programme or project (see Chapter 4: Governance and management). The approach and arrangements should be aligned to those of the host organisation but also need to take account of the nature and context of the work. The framework should be underpinned by the initial security and fraud risk assessment (see 7.5.3.2 on identifying potential threats relating to the work and the solution) and linked to the wider risk management framework for the work (see Chapter 20: Risk management).

The governance and management framework should set out how security requirements and activities are to be organised and managed as part of the work. This should include how they are considered in governance and management practices, including planning and decision-making. It should consider how activities need to evolve through the life cycle, and arrangements for assurance, incident management and reporting, which should be aligned to those of the host organisation.

The framework should also set out expectations on security in terms of workplace behaviours and attitudes, and particularly on:

  • establishing appropriate security practices, and maintaining channels for sharing information and reporting risks, issues and incidents
  • the need for appropriate workforce skills and training
  • creating an environment where people are trusted, involved, and encouraged to raise concerns

The level of detail within the framework on security should be tailored to the scale, complexity and risk profile of the work and should be reviewed regularly to ensure that it continues to meet the requirements and risks arising as the work progresses through the life cycle.

7.5.3.4 Involving everyone in managing security

Everyone involved in working on a portfolio, programme or project in government needs to be aware of the importance of protecting security, and their personal accountability for following procedures and raising any concerns. This includes those working under contract as well as visitors to a building, site or other facility. Security aspects should be clearly defined as part of all contracts with third-party suppliers (see Chapter 25: Procurement and contract management).

Those working on programmes and projects should be encouraged to play an active role in raising security risks and reporting incidents promptly through the defined routes. Senior leaders and managers have a vital role to play in actively championing security, challenging inappropriate behaviours, and ensuring that incidents are managed and followed up effectively.

Programmes and projects can present particular risks to security, with people joining and leaving the team on a frequent basis as work packages start and finish. This makes it especially important to put in place:

  • secure joiner and leaver processes, including appropriate security vetting and prompt removal of access rights, particularly for people working as contingent workers or under a consultancy or delivery partner
  • appropriate induction and information covering essential security requirements and procedures, including routes for raising concerns and for reporting data breaches and security incidents (see Chapter 39: Project delivery team induction and training)
  • if necessary, additional briefings and/or training relating to specific areas of risk, or for people with responsibilities relating to security or counter fraud activity

For further information on national security vetting and allied requirements, see guidance on HMG personnel security controls.

Organisations also provide a range of security education and awareness activities to help ensure members of the workforce are aware of and understand the organisation’s security and counter-fraud policies, processes, systems and controls, and people should be encouraged to take this up as appropriate. Further guidance on promoting an active security culture is set out in the Government Functional Standard for Security.

7.5.3.5 Managing security incidents

In the context of security, an incident is any circumstance in which assets may be damaged, compromised, lost or leaked as a result of a failure of policy or codes of conduct, or of existing security measures or controls; it also covers anything that requires an action or response following a direct threat or individual action, or to prevent one of the above. Incidents can result from accidental or deliberate acts by people internal or external to the department.

A security incident, when detected, should be reported as soon as possible within the organisation’s defined timeframe, so it can be investigated. Individuals with security-related responsibilities have legal obligations for reporting incidents to organisation management boards and to other interested parties, such as the Government Security Group and the Information Commissioner’s Office (see Chapter 24: Information and data management).

Where a security incident is reported, an incident manager is appointed by, and reports to, the senior officer accountable for security in the organisation, not the portfolio director or senior responsible owner. The incident manager leads the response to the incident and any subsequent breach, in particular assessing:

  • the type of incident
  • the risk and impact to the organisational assets
  • any commercial or supply chain considerations
  • implementation of plans to respond to the incident
  • updating of any procedures

Following the event, incident or crisis, a post-response review should be carried out and the security response plan updated, if necessary, to include learning that can streamline the response process and to ensure that the same situation cannot be repeated. Identified vulnerabilities should be remediated and the degree of risk should be reassessed. Organisations should implement necessary changes to their security governance and management framework or put in place training to prevent further occurrences. Further information on incident management is set out in the Government Functional Standard for Security and the National Cyber Security Centre’s 10 steps to cyber security.

Updates

Page permissions updated for public launch.

First published for closed beta consultation.