No, this is not safe. You said it's not a small company which means that there probably are people not everyone entirely trusts (which is pretty impossible for > 10 employees) and probably even means that there are some positions which are occupied by different people coming into the company and leaving it quite frequently. Probably even just a few weeks for work experience, a summer job, or something alike.
Those people cannot be trusted not to manipulate IT systems they have access to. When sending unencrypted data over Ethernet, everyone in-between can read it.
You don't even use challenge-response authentication but a password. This means there is no need for an elaborate attack involving manipulating traffic live or intercepting packets and sending them after manipulating them or hoping that the otherwise same packets can be sent again after manipulating them when they have been sent to the server before (so the person using the site doesn't notice because they get the response from the server). Instead, one can just record the traffic, analyze it later on, get the password, and have access to the HR site until the password is changed and they have to record the traffic again.
If manipulation from within the intranet is possible, sooner or later someone will do it. People even make up official announcements when they can:
The employee in this case had altered the Company’s intranet
welcoming page with the following message: “500 jobs to be gone at
Waterford plant before end of first quarter 2008”.
(http://www.cpaireland.ie/docs/default-source/media-and-publications/accountancy-plus/it/email-and-internet-use-by-employees.pdf?sfvrsn=2)
There are loads of reports (like http://www.askamanager.org/2014/02/ive-been-breaking-into-my-companys-computer-network.html) on the internet where people admit they have been breaking weak security measures. This doesn't even have to be malicious. It can result from boredom, curiosity (In your company's case: Does Mr. Smith really make so much that he's able to afford those 3 nice cars?), or even to increase productivity by destroying security barriers.
There are many recommendations similar to this one:
Every employer needs to have a detailed policy regarding use of company computers and resources accessed with computers, such as e-mail, Internet, and the company intranet, if one exists.
(http://www.twc.state.tx.us/news/efte/monitoring_computers_internet.html)
Of course, that's worth very little if compliance isn't enforced. And your connection is about as open as possible within the company because no transport encryption is used whatsoever and even the passwords are transmitted in plain text. The best way to enforce a policy is by making disregarding it impossible. Of course, that's not always possible, and sometimes there are better ways, but it seems very much like this is both the easiest, best, and most reliable way to go in this case.
This warning is very close to what your company is facing:
In addition to ensuring that they don't run afoul of HIPAA regs,
companies need to focus on another critical intranet security issue:
internal breaches. Internet security expert Norbert Kubilus, a member
of Tatum CIO Partners, said that in most cases, intranet "hackers" are
unhappy employees looking to inconvenience the company or gain some
personal advantage.
"Most of what I've heard about and observed is internal abuse,"
Kubilus said. "You can get a disgruntled employee who gets into the
intranet and raises havoc by changing vacation schedules or time
cards. If you don't have the right protections in place, or the right
education and process in place, you leave yourself vulnerable to a
disgruntled employee."
(http://www.techrepublic.com/article/intranet-data-requires-a-good-security-review/)
When considering that the data at risk is quite important, it's clear that this is an unacceptable risk. Depending on where your company is located, it might also be illegal to operate the site in that way, e.g. because it contains insufficiently secured personal data.
Telling management that this is illegal (if it is) probably has a higher chance of getting security improved than telling them the system is insecure.
I don't know about UK law but I think you definitely can't have such a system under EU law and therefore not under UK law.
Following a quick search, I found this EU regulation. A quote of article 32 which could give you hope that it's illegal:
Taking into account the state of the art, the costs of implementation
and the nature, scope, context and purposes of processing as well as
the risk of varying likelihood and severity for the rights and
freedoms of natural persons, the controller and the processor shall
implement appropriate technical and organisational measures to ensure
a level of security appropriate to the risk, including inter alia as
appropriate:
[...]
(b) the ability to ensure the ongoing confidentiality, integrity,
availability and resilience of processing systems and services;
You can't guarantee confidentiality or integrity if everyone in the company can access the HR site after watching a 10-minute YouTube video about how to connect Ethernet cables so their laptop is between the server and an HR computer and a 5-minute YouTube video of how to use Wireshark to get a password which was sent over the network. Of course, virtually any person who has ever played with Wireshark could do that without wasting 15 minutes watching YouTube videos first. ;-)