Water risk: The health and safety manager's critical role
- May 12
- 9 min read
Half of all Legionnaires’ disease cases in England and Wales occur in clusters or outbreaks, a figure that should immediately reframe how you think about water risk in your organisation. According to 2024 surveillance data, 238 of the 472 cases reported were linked to one or more additional cases, accounting for 50.4% of the total. That is not a fringe risk. It is a structural one, shaped significantly by how organisations manage their water systems. This guide unpacks what health and safety managers are legally required to do, what good practice looks like in reality, and where the most common compliance failures occur.
Table of Contents
Key responsibilities: From risk assessment to ongoing control
The difference between paper compliance and real-world risk control
Managing competencies and resources: Getting the right expertise
Why water risk management is an ongoing leadership challenge, not an annual checkbox
Expert Legionella and water risk compliance support for your organisation
Key Takeaways
Point | Details |
Legal duty is ongoing | As a health and safety manager, you cannot delegate away water risk accountability and must maintain oversight. |
Practical controls matter | Written procedures alone are not enough; regular monitoring, record-keeping, and timely reviews are vital. |
Competence is essential | Your team must be competent and, if not, you should seek qualified external support to remain compliant. |
Prevention over paperwork | Putting prevention and early warning at the centre of your system prevents real-world outbreaks. |
Leadership sets standards | Sustained leadership and process improvement prevent complacency and drive real water safety outcomes. |
The scope of the health and safety manager’s legal duties
Many health and safety managers inherit responsibility for Legionella control without a clear map of what the law actually requires. The result is often fragmented records, vague ownership, and an organisation that looks compliant on paper but is exposed in practice.
The foundation document is HSE ACOP L8, which sets out a clear sequence of duties for those who own, occupy, or manage premises with water systems. These duties are not optional guidance. They carry legal weight, and an inspector who finds you have not followed them will require you to demonstrate why an alternative approach offered equivalent protection.
ACOP L8 requires dutyholders to:
Identify and assess sources of risk within water systems
Prepare a written scheme to prevent or control identified risks
Implement, manage, and monitor the control scheme
Keep accurate records of all assessments, actions, and monitoring
Appoint a competent manager responsible for overseeing all others involved
That final point is where accountability crystallises. Legal responsibility cannot be transferred to a contractor, a water treatment company, or a facilities management partner. The dutyholder retains it.
“The dutyholder must ensure that someone with sufficient authority and competence is appointed to take day-to-day responsibility for implementing the control scheme.” HSE ACOP L8 (4th edition)
The table below compares a robust compliance framework with the patchy arrangements found in many organisations:
Compliance element | Robust approach | Common gap |
Risk assessment | Conducted by a competent person, documented fully | Out of date or incomplete scope |
Control scheme | Written, site-specific, regularly reviewed | Generic template not tailored to premises |
Monitoring records | Logged consistently, retained and auditable | Gaps in logs, no escalation pathway |
Responsible person | Named, trained, and empowered | Role unclear or informally assigned |
Review triggers | After changes, incidents, and periodically | Annual-only, often missed |
For Legionella compliance duties to be credible, the documentation must reflect what is actually happening on-site. Inspectors are skilled at spotting the difference between a well-maintained system and a system that merely has a folder of paperwork attached to it. The same principle applies equally in educational settings, where school water risk management must account for seasonal shutdowns, variable occupancy, and ageing infrastructure.
Key responsibilities: From risk assessment to ongoing control
Understanding your legal duties is one thing. Operationalising them across a real organisation, with real constraints, is where most health and safety managers find the work begins in earnest.
Here is how a sound Legionella control cycle looks in practice:
Commission a site-specific risk assessment. This must be conducted by a competent person and cover every water system on-site, including hot and cold water distribution, cooling towers, spa pools, and any infrequently used outlets. Generic assessments that do not reflect your actual building configuration are not fit for purpose.
Develop a written control scheme. This is not a manufacturer’s leaflet or a standard template. It is a document that describes the specific control measures for your site: temperature parameters, monitoring frequencies, disinfection protocols, and the responsibilities of named individuals.
Implement controls consistently. This includes flushing infrequently used outlets, maintaining hot water above 50°C at the point of use, ensuring cold water stays below 20°C, checking showerheads and thermostatic mixing valves (TMVs), and conducting routine water sampling where required.
Monitor and record. Monitoring only has value if it is recorded accurately and reviewed. Spot-checking temperature logs during an HSE inspection is one of the most common ways non-compliance is identified.
Review when circumstances change. A refurbishment, a change in building use, a significant occupancy drop, or a positive Legionella sample are all triggers for an immediate review of your control scheme. Not just an annual date in the calendar.
The responsible person appointed under your scheme must be competent to carry out these tasks, understand the reasoning behind each control measure, and know when to escalate. This is not a role to assign because someone is available; it is a role that requires genuine understanding of water system risks and controls.
Pro Tip: When reviewing your control scheme after any significant building works, do not limit the review to the directly affected area. Pipework changes can alter flow rates and temperatures throughout a system in ways that are not immediately obvious.
Common pitfalls that undermine otherwise well-intentioned compliance programmes include:
Incomplete temperature monitoring logs with unexplained gaps
Responsible persons who have changed roles or left without a formal handover
Risk assessments not updated after extensions or changes of use
Monitoring carried out but not reviewed, leaving out-of-range readings unaddressed
Reviewing outbreak case studies from healthcare settings demonstrates that these are not theoretical concerns. They are the documented failures behind real incidents. Ensuring your risk assessment review process is timely and thorough is one of the most valuable investments you can make.
Action | Frequency | Responsible |
Temperature checks at sentinel outlets | Monthly minimum | Responsible person or competent staff |
Showerhead descale and disinfection | Quarterly minimum | Competent person |
Water sampling (where required) | As per scheme | Competent contractor or in-house staff |
Risk assessment review | After changes or periodically | Competent assessor |
Full system inspection | As scheme dictates | Specialist contractor |
The difference between paper compliance and real-world risk control
The most dangerous assumption in water risk management is that having a completed risk assessment and a signed logbook means your system is safe. It does not. Paper compliance is a starting point, not a destination.
Several documented UK outbreaks demonstrate this gap with uncomfortable clarity. At University Hospital Nottingham, infrastructure changes were required to fully control Legionella recurrence, even after temperature-based interventions had been implemented. The system met thermal control parameters on paper, yet the bacteria persisted. This reflects a pattern seen in complex water systems where biofilm, stagnant zones, or scale create protected niches that temperature alone cannot reach.
The 2024 UKHSA data reinforces why vigilance matters beyond the paperwork cycle. When more than half of reported cases are linked to clusters, it signals that systemic failures are driving transmission, not isolated individual exposures.
Real compliance means your controls are working. Not just that they exist.
What distinguishes organisations that prevent outbreaks from those that experience them often comes down to a few key behaviours:
Acting on monitoring data rather than just collecting it
Recognising that a positive water sample is an investigation trigger, not a form to file
Updating control schemes promptly when building conditions change
Treating temperature monitoring as a live indicator rather than a compliance formality
Scheduling system inspections and maintenance based on risk, not convenience
Pro Tip: When you receive a water sampling result close to the action threshold but still technically within range, treat it as an early warning signal. Investigate the conditions that produced it. Do not wait for an exceedance before acting.
Key statistic: In 2024, 472 cases of Legionnaires’ disease were reported in England and Wales. Of these, 238, over half, were associated with clusters. Prevention at the system level is the only intervention that changes this number.
Technical controls matter enormously, but they are only reliable when someone is genuinely overseeing them. A control scheme that sits in a drawer, reviewed once a year at a scheduled audit, offers far less protection than one that is actively managed, questioned, and updated.
Managing competencies and resources: Getting the right expertise
One of the questions that comes up most frequently is what competent actually means in this context. HSE does not define a specific qualification, but the expectation is clear: the person conducting a risk assessment or managing controls must have the knowledge, skills, and experience to do the job correctly.
For in-house responsible persons, this means understanding how water systems work, knowing which conditions favour Legionella growth, being able to interpret monitoring data, and knowing when a situation exceeds their expertise. That last point is critical. Overconfidence in in-house capability is a recognised contributing factor in compliance failures.
When your organisation lacks sufficient internal knowledge, you must appoint a competent external specialist. This is not a sign of weakness; it is what HSE expects and what good governance demands. The key rules for doing this well are:
Document the scope of the external specialist’s appointment in writing
Define exactly which tasks they are responsible for and which remain in-house
Ensure reporting lines are clear so nothing falls between the gaps
Keep records of all specialist visits, reports, findings, and recommendations
Review external contractors’ competence credentials before appointment and periodically thereafter
Legionella awareness training for in-house staff is a practical and cost-effective way to raise baseline competence. It means your responsible person understands why controls are in place, not just how to carry them out. That understanding makes a material difference in how consistently and intelligently the controls are applied.
A business premises case study consistently shows that the sites with the strongest compliance culture are those where the responsible person has received formal training, not just on-the-job instruction. They ask better questions, escalate appropriately, and maintain more reliable records.
Pro Tip: When appointing an external Legionella specialist, ask them to walk you through how they would document their findings and the reporting pathway back to your organisation. If they cannot explain it clearly, that is a red flag about how the relationship will function in practice.
Why water risk management is an ongoing leadership challenge, not an annual checkbox
Here is an opinion that sometimes meets resistance: the real barrier to effective Legionella control in most UK organisations is not technical knowledge. It is leadership culture.
We see this repeatedly in the organisations we work with. When health and safety managers treat water risk as a compliance task that gets handed to facilities and reviewed once a year, the system drifts. Controls become habitual rather than considered. Records are completed but not interrogated. The responsible person starts to lose confidence in their own understanding because nobody is asking questions.
In contrast, the organisations with the most robust water safety outcomes are those where the health and safety manager treats their water system as a genuinely live risk, one that requires the same scrutiny as any other significant hazard. That means reviewing trends in monitoring data, asking whether the control scheme still reflects the building as it actually operates today, and ensuring that every person involved understands the reasoning behind what they do.
The most powerful shift we encourage is moving from an audit mindset to an integration mindset. Instead of checking whether compliance activities have been completed, focus on whether the system as a whole is reliably protecting people. The BCS blog regularly covers practical water risk topics that support this kind of ongoing professional engagement, and we encourage responsible persons and their managers to use it as a resource throughout the year, not just ahead of an audit.
Water risk management done well is not burdensome. It is simply a consistent habit of attention. The organisations that struggle are those that only look at water risk when they have to.
Expert Legionella and water risk compliance support for your organisation
If this article has highlighted gaps in your current approach, the good news is that specialist support is available and straightforward to access.
At Bespoke Compliance Solutions, we work with health and safety managers across a wide range of sectors to build compliance programmes that are genuinely effective, not just complete on paper. Whether you need a thorough Legionella risk assessment in Coventry or a broader programme of water analysis and Legionella testing across multiple sites, we tailor every solution to your buildings, your systems, and your team’s capabilities. From implementing bespoke logbook systems and control programmes to training your responsible persons and providing ongoing consultancy, we are here to make compliance straightforward and sustainable.
Frequently asked questions
Can the legal duty for Legionella control be handed off to a contractor?
No. Legal responsibility always remains with your organisation’s dutyholder, even when contractors carry out the practical work. You can delegate tasks, but not accountability.
How often should risk assessments and control schemes be reviewed?
Review is required periodically and whenever building conditions or use change, not simply on a fixed annual basis. Any significant change to your water system should trigger an immediate review.
What if we do not have in-house expertise for Legionella water risk?
You should appoint a competent external specialist and document their scope, roles, and reporting lines clearly. This is the expected and appropriate course of action when internal expertise is insufficient.
Is temperature control always enough to stop Legionella?
Not always. Ongoing surveillance and infrastructure changes may be needed even after temperature-based interventions, particularly in complex or ageing water systems where biofilm or scale provide protection for the bacteria.
Do records need to be kept after a risk assessment?
Yes. ACOP L8 requires records of the risk assessment, control scheme, monitoring activities, and all reviews to be retained and made available for inspection. Accurate record-keeping is a core part of demonstrating compliance.
Recommended
Comments