
ISO 45001:2018 Clause 6.1 Actions to address risks and opportunities

Clause 6.1 Breakdown

6.1 Actions to address risks and opportunities

  6.1.1 General

  6.1.2 Hazard identification and assessment of risks and opportunities

  6.1.3 Determination of legal requirements and other requirements

  6.1.4 Planning action

The first thing to note about clause 6 is that it includes additional sub-clauses that are not listed in the standard's main index!

The mind-map below includes the missing sub-clauses.

ISO 45001-2018 6.1 Actions to address risks and opportunities mind map, with missing clauses

The three new sub-clauses are all listed under clause 6.1.2 and include:

6.1.2 Hazard identification and assessment of risks and opportunities

  6.1.2.1 Hazard identification

  6.1.2.2 Assessment of OH&S risks and other risks of the OH&S management system

  6.1.2.3 Assessment of OH&S opportunities and other opportunities for the OH&S management system

6.1.1 General

The mind-map below attempts to more clearly show the different areas of the standard that clause 6.1.1 makes direct or implied reference to.

ISO 45001-2018 6.1.1 General mind map

Clause 6.1 Actions to address risks and opportunities is divided into four main sub-clauses, with 6.1.1 giving an overview of the planning requirements. Planning should be proportionate to the level of risk and the objectives of the organization. When determining the organization's risks and opportunities, the standard is looking to see that clause 4, context of the organization, has been understood and used when taking into account:

• hazards

• OH&S risks and other risks

• OH&S opportunities and other opportunities

• legal requirements and other requirements

When considering hazards, it should not just be those most likely to occur, but also those with the greatest impact, i.e., those which can lead to the most significant risks to the organization.

This is about understanding the organization's internal and external OH&S issues and identifying interested parties and how they affect or are affected by the OH&S management system, knowing that the requirements only apply within the scope of your OH&S management system. Note: while your OH&S management system scope may limit the requirements of the standard, it does not detract from the legal responsibilities placed upon an organization by country-specific OH&S and other legislation.

In general, the clause is looking to assess the risks to the OH&S management system and to provide assurance that risks are managed and where realistic or essential opportunities for improvements are identified, they are implemented.

At the most basic level:

• We are doing something.

• Have we identified and then eliminated, prevented or reduced the risks?

• Did we take advantage of any opportunities?

This basic approach should be used where it is considered proportionate to the level of risk for the introduction or occurrence of:

• new or modified equipment, tools, processes, activities or staff

• new technologies

• changes to interested parties

• changes to work demands

• changes to suppliers

• infrequent and unscheduled work activities

• emergency situations

As can be seen, clause 6.1.2 is broken down into three parts which look at hazards and the risks and opportunities these hazards present.

ISO 45001:2018 6.1.2 Hazard identification and assessment of risks and opportunities

6.1.2.1 Hazard identification

The standard requires that an organization shall (i.e. it is mandatory) establish, implement and maintain a process(es) for hazard identification that is ongoing and proactive. Clause 3.19 defines a hazard as a 'source with a potential to cause injury and ill health'. Clause 3.18 defines injury and ill health as "adverse effects on the physical, mental or cognitive condition of a person", where adverse effects include occupational disease, illness and death. We can therefore reliably conclude that a hazard is "a source with a potential to cause adverse effect on the physical, mental or cognitive condition of a person".

We can also reliably conclude that hazard identification will be widespread across almost all of an organization's processes and activities. Typically these can include, but are not limited to:

• physical activities (e.g. manual handling, working at height)

• chemical, biological (e.g. oils, dusts, viruses, bacteria, harmful plants)

• psychosocial (e.g. stress, pressure, harassment, bullying, victimization, work-related violence, work conflicts)

• physiological (e.g. extreme temperatures, unpleasant or hazardous conditions)

• mechanical / electrical

ISO 45001:2018 6.1.2.1 Hazard identification typical areas

Hazard identification will need to cover normal and non-normal daily activities, e.g., holiday and absence cover, or events that put additional pressure on work schedules. It should also cover routine and non-routine activities, e.g., maintenance and breakdowns, including what happens when things don't go to plan, e.g., staff accidents or incidents, or emergency protocols being implemented. The very nature of these non-normal events can lead to hazards in themselves. For example, fire evacuations, if not managed in a controlled manner, could lead to risks to employees and to the responding emergency services.

6.1.2.2 Assessment of OH&S risks and other risks of the OH&S management system

All organizations are free to manage their OH&S and other risks in a way that suits their own, possibly unique, criteria, provided they also meet their statutory and regulatory requirements, which is in itself a requirement of ISO 45001:2018 accreditation. So organizations are free to choose their own appropriate way to assess risk (see clause 3.20), taking into account the activities they undertake and the latitude afforded them.

Many organizations will have generic risk assessments drawn up by OH&S specialists, hopefully with occupational knowledge of the industry sector. These generic risk assessments will normally have a degree of customization, not only for site details but also for site-specific activities and hazards (see clause 3.19). This approach can provide consistency in the process (see clause 3.25) and paperwork across the organization, and possibly a degree of cost-efficiency. It also needs an element of careful deliberation to ensure it fully considers the varying site activities.

As listed in 6.1.2.1, risks can be associated with many different criteria, and the manner and methodology for recognising these risks will vary greatly. This is an area in which generic risk assessments can sometimes fall short of the necessary prerequisites.

Not all risks can be assessed using a standard severity versus likelihood health and safety risk assessment. These types of risk could include, but are not limited to:

• failure to address the needs and expectations of relevant interested parties ;

• inadequate planning  or allocation of resources;

• an ineffective audit programme ;

• poor succession planning  for key roles; and

• poor engagement by top management .

Risks of this kind, if not managed effectively, may well cause more than just accreditation issues.

6.1.2.2 Assessment of OH&S risks and other risks of the OH&S management system non direct health and safety risks

However, the organization's chosen risk management approach needs to be implemented in a systematic and proactive way, not as a reactive 'fire fighting' system. The approach to risk management adopted will need to be maintained as documented information, with its methodologies and criteria laid out.

6.1.2.3 Assessment of OH&S opportunities and other opportunities for the OH&S management system

The two main areas from which opportunities for improvement can come are OH&S performance and OH&S management. One hopes that if you get the latter right, the rest follows...

Opportunities for OH&S performance are probably recognised more readily from day-to-day activities, which may not be directly referenced by the standard but may well come from clause 5.4 Consultation.

OH&S performance opportunities can come from many areas; below are a few places to look:

• eliminating hazards (see Clause 3.19 ) and risks (see clause 3.20 )

• work processes, work site layout, environmental conditions

• procurement of goods and services

• introduction of new technologies

• introduction of automated machinery

• maintaining workers' engagement in their activities

• eliminating worker fatigue

For OH&S management performance, listed below are a few places to look:

• making top management’s support for the OH&S management system more visible, e.g. through communications such as social media or highlighting OH&S performance in strategic business plans;

• improving the organizational culture related to safety and training;

• enhancing incident investigation processes;

• increasing worker participation in OH&S decision-making; and

• collaborating with other organizations in forums which focus on OH&S.

6.1.2.3 Assessment of OH&S opportunities and other opportunities for the OH&S management system OH&S management performance opportunities

6.1.3 Determination of legal requirements and other requirements

Each organization will have to determine not only its health and safety legal requirements but also other legal requirements, such as building and environmental legislation. The extent of these legal requirements should cover the organization's hazards (see clause 3.19), OH&S risks (see clause 3.20) and OH&S management system (see clause 4.4), and will be based partly on the context of the organization (see clause 4.1) and on any specific enforceable legislation of the country.

This example mind map shows some typical areas, however, each organization will have its own requirements to be met.

6.1.3 Determination of legal requirements and other requirements example area

The organization will need to maintain its legal and other requirements as documented information and have processes in place to ensure it remains compliant with these and with any new requirements.

6.1.4 Planning action

This clause is about confirming that you have plans in place to eliminate hazards (see clause 6.1.2.1), reduce OH&S risks (see clause 6.1.2.2), manage legal requirements and other requirements (see clause 6.1.3), and assess OH&S opportunities (see clause 6.1.2.3). When planning the management of hazards, the requirements of clause 8 need to be considered, and clause 8.2 for emergency preparedness.

The clause also seeks to ensure that the effectiveness of hazard planning is evaluated, and although not directly referenced, we are probably looking at clause 9.

ISO 45001:2018 6.1.4 Planning action clause mind map

Useful integrated management system cross references

• ISO 9001-2015 6 Planning

• ISO 9001-2015 6.1 Risks and opportunities

• ISO 14001-2015 6 Planning

• ISO 14001-2015 6.1 Risks and opportunities

Help file v2.275.3082 : QHSE Support - Supported by Website On Safe Lines  

ISO 45001 Risk Assessment

ISO 45001 Risk Assessment: Occupational health and safety is a top priority for organizations worldwide. Ensuring a safe and secure working environment for employees is not only a legal requirement but also a moral responsibility. One of the essential elements in this regard is the risk assessment process. This article will delve into the ISO 45001 risk assessment, providing a comprehensive example and guidance on how to perform it effectively.

The Importance of Risk Assessment in Occupational Health and Safety

Before we explore ISO 45001 risk assessment in detail, it’s crucial to understand why it’s of utmost importance in the realm of occupational health and safety. Risk assessment is the foundation upon which safety measures are built. By identifying potential hazards and evaluating associated risks, organizations can proactively prevent accidents and create a safer workplace.

Key Components of ISO 45001

ISO 45001 is an international standard for occupational health and safety management systems. To effectively conduct a risk assessment, you need to be familiar with the key components of this standard. ISO 45001 emphasizes a proactive approach to health and safety management, making it an essential tool for risk assessment.

ISO 45001 Risk Assessment: A Brief Overview

ISO 45001 risk assessment is a systematic and organized approach to identifying, evaluating, and mitigating risks in the workplace. It’s designed to protect the well-being of employees and ensure compliance with legal and regulatory requirements. This assessment allows organizations to tailor safety measures to their specific needs.

Understanding the Risk Assessment Process

The risk assessment process involves several critical steps. To get started, you need to identify hazards in the workplace. These can range from physical hazards like machinery to chemical hazards such as exposure to toxic substances.

Identifying Hazards in the Workplace

One of the primary tasks in ISO 45001 risk assessment is identifying hazards in the workplace. This step involves a thorough examination of the environment, processes, and materials used. By identifying potential hazards, organizations can effectively target their risk assessment efforts.

Evaluating Risks and Consequences

Once hazards are identified, the next step is evaluating the risks and potential consequences associated with them. This evaluation helps prioritize risks based on their severity and likelihood of occurrence.

Risk Assessment Tools and Techniques

There are various tools and techniques available to assist in the risk assessment process. These may include risk matrices, fault tree analysis, and failure mode and effects analysis (FMEA). Utilizing the right tool for your specific situation is crucial in ensuring a thorough risk assessment.

Creating a Risk Assessment Plan

To ensure a systematic and structured approach, it’s vital to create a risk assessment plan. This plan should outline the scope of the assessment, responsibilities of team members, and a timeline for completion.

Implementing Control Measures

Once risks are identified and evaluated, control measures need to be put in place. These measures can include implementing new safety protocols, providing training to employees, or altering work processes to reduce risk.

Monitoring and Reviewing Risk Assessments

Risk assessment is not a one-time process; it’s an ongoing commitment to safety. Monitoring and reviewing assessments regularly is essential to adapt to changes in the workplace and ensure continuous improvement in health and safety measures.

Case Study: ISO 45001 Risk Assessment Example

To illustrate the ISO 45001 risk assessment process, let’s consider a hypothetical case study. Imagine a manufacturing facility with heavy machinery. The risk assessment would involve identifying potential hazards associated with the machinery and evaluating the risks. Control measures might include regular maintenance, safety training, and machine guarding.

Benefits of ISO 45001 Risk Assessment

ISO 45001 risk assessment offers numerous benefits, including reduced workplace accidents, legal compliance, improved employee morale, and enhanced company reputation. It’s a proactive approach that ultimately saves organizations time and resources.

Common Mistakes to Avoid

In the world of risk assessment, there are some common pitfalls to avoid. These include overlooking certain hazards, not updating assessments regularly, and failing to involve employees in the process. Awareness of these mistakes can help organizations conduct more effective risk assessments.

In conclusion, ISO 45001 risk assessment is a fundamental process for ensuring occupational health and safety. By following the systematic approach outlined in the standard, organizations can create a safer and more secure work environment, protecting both employees and their reputation.


1. What is ISO 45001 risk assessment? ISO 45001 risk assessment is a systematic approach to identifying, evaluating, and mitigating risks in the workplace to ensure occupational health and safety.

2. Why is risk assessment important for organizations? Risk assessment is essential for preventing workplace accidents, ensuring legal compliance, and enhancing employee morale and company reputation.

3. What are the key components of ISO 45001? ISO 45001 emphasizes a proactive approach to health and safety management, making it a valuable tool for risk assessment.

4. How often should risk assessments be updated? Risk assessments should be updated regularly to adapt to changes in the workplace and ensure ongoing safety improvements.

5. What are some common mistakes to avoid in risk assessment? Common mistakes include overlooking hazards, not updating assessments regularly, and not involving employees in the process.


Good day sir/ma. Please, I would like to know what the risk matrix, fault tree, and failure mode and effect analysis look like. ISO 45001 risk assessment has just elaborated my understanding of the vitality of identifying, evaluating and mitigating risk (potential hazards). Thanks for the lecture. Best regards

The content is quite interesting; I would like to attend the course.

ISO 45001 Hazard Identification, Risk Assessment, and Control Plan Template

Introduction

Hazard identification, risk assessment, and control plans are crucial components of a successful health and safety management system, especially when aiming to meet the requirements of ISO 45001. This template provides a structured approach to identifying hazards, assessing risks, and implementing controls to mitigate risks in the workplace. By utilizing this template, organizations can effectively manage occupational health and safety risks, improve their safety performance, and ensure compliance with regulatory requirements.

Understanding Hazard Identification, Risk Assessment, And Control Plan For ISO 45001

Hazard Identification, Risk Assessment, and Control Plans are key components of an effective occupational health and safety management system, as outlined in ISO 45001. These processes identify potential hazards in the workplace, assess the risks associated with these hazards, and develop control measures to eliminate or minimize these risks.

1. Hazard Identification:  The first step is to identify all potential hazards in the workplace. This can include physical hazards such as machinery or chemicals, biological hazards like viruses or bacteria, and psychosocial hazards such as stress or harassment. It is important to involve employees in the hazard identification process, as they are often the most familiar with the day-to-day operations of the workplace.

2. Risk Assessment:  Once hazards have been identified, the next step is to assess the risks associated with each hazard. This involves evaluating the likelihood of an incident occurring and the potential consequences of such an incident. Risk assessment can be qualitative or quantitative, depending on the complexity of the hazard.

3. Control Plan:  Based on the risk assessment results, a control plan should be developed to eliminate or reduce the identified risks. This can include implementing engineering controls such as guarding or ventilation systems, administrative controls such as training or written procedures, or personal protective equipment (PPE). The control plan should also include monitoring and review mechanisms to ensure that control measures are effective and continue to be implemented.

By following the Hazard Identification, Risk Assessment, and Control Plan process outlined in ISO 45001, organizations can proactively manage occupational health and safety risks in the workplace, protect the health and well-being of employees, and comply with legal and regulatory requirements.

Compliance With ISO 45001 Standards In Hazard Identification, Risk Assessment, And Control

ISO 45001 is an international standard for occupational health and safety management systems, which aims to help organizations improve their workplace safety and reduce the risk of accidents and injuries. Compliance with ISO 45001 standards in hazard identification, risk assessment, and control is essential for organizations to create a safe and healthy work environment for their employees.

  • Hazard identification is identifying potential workplace harm sources, such as machinery, chemicals, or hazardous substances. This can be done through regular workplace inspections, staff training, and employee consultation on potential risks.
  • Risk assessment involves evaluating the likelihood and severity of potential hazards and taking steps to eliminate or control them. This can include implementing safety measures, providing personal protective equipment, or developing emergency response plans.
  • Control measures are actions taken to reduce or eliminate risks in the workplace. This can include engineering controls, such as machine guarding or ventilation systems; administrative controls, such as safety policies and procedures; or personal protective equipment, such as gloves, helmets, or goggles.

By ensuring compliance with ISO 45001 standards in hazard identification, risk assessment, and control, organizations can protect employees from workplace hazards, reduce the risk of accidents and injuries, and demonstrate their commitment to workplace safety. This can ultimately lead to greater employee satisfaction, improved productivity, and a positive reputation in the industry.

Benefits Of Using Hazard Identification, Risk Assessment, And Control

1. Increased Safety:  Hazard identification, risk assessment, and control help identify potential hazards in the workplace or other environments, allowing for measures to be implemented to reduce or eliminate these risks. This ultimately leads to a safer environment for individuals.

2. Compliance With Regulations:  Many industries are required by law to conduct hazard identification, risk assessment, and control activities to ensure the safety of their employees and the public. Implementing these processes helps organizations comply with regulations and avoid potential legal repercussions.

3. Improved Decision-making:  By systematically identifying hazards and assessing risks, organizations are better equipped to make informed decisions about controlling these risks. This can lead to more effective risk mitigation strategies and overall safer outcomes.

4. Cost Savings:  Implementing hazard identification, risk assessment, and control measures can help prevent accidents, injuries, and property damage. This can result in cost savings for organizations in terms of reduced medical expenses, insurance premiums, and lost productivity.

5. Enhanced Reputation:  Organizations that prioritize safety through hazard identification, risk assessment, and control demonstrate a commitment to the well-being of their employees and stakeholders. This can enhance their reputation within their industry and with the public.

6. Continuous Improvement:  Hazard identification, risk assessment, and control processes are not one-time activities but an ongoing cycle of identifying, assessing, and addressing risks. This continuous improvement approach can help organizations proactively address emerging risks and avoid potential safety issues.

In conclusion, utilizing a Hazard Identification, Risk Assessment, and Control Plan for ISO 45001 is essential for maintaining a safe work environment and complying with occupational health and safety standards. This template provides a systematic approach to identifying hazards, assessing risks, and implementing controls to mitigate them. By using this template, organizations can proactively manage workplace risks and ensure the well-being of their employees. Hazard Identification, Risk Assessment, and Control Plan for ISO 45001 Template today to ensure a safe and compliant work environment.

ISO 45001 Clause 6.1.2.2 Assessment of OH&S risks

Jackie Stapleton

In this article, I’m going to cover ISO 45001 clause 6.1.2.2 Assessment of OH&S risks and other risks to the OH&S management system which falls under the overarching clause 6 Planning . I’m going to break this clause down and turn it into something you can all understand. You’ll then be able to apply this to your own organization's system and understand what the requirements will look like for you. No more guessing! 

Before I move on too much further though, I do want to point out that the title of this clause refers to OH&S risks AND other risks to the OH&S management system . It’s pretty clear that the OH&S risks come from the hazard identification process covered in clause 6.1.2.1 (be sure to check that video out on ATOL.tv ) but what are the other risks to the OH&S management system ?

The other risks would have been identified earlier on in the standard more than likely when working through Clause 4.1 understanding the organization and its context and Clause 4.2 understanding the needs and expectations of workers and interested parties . 

Other sections in the standard where other risks are identified would be Clause 6.1.3 Determination of legal requirements and other requirements and even possibly Clause 8.1 Operational planning and control. The point to take away here is that this assessment requirement is NOT just a result of hazards identified. It is a holistic assessment approach for all risks associated with the OH&S management system.

Ok, let’s get started with the nitty gritty of the clause requirements! I’m actually going to work backward for this clause and start off with the final paragraph as I think this will help us to understand points a) and b) a lot better.

So, the final paragraph of this clause states:

The organization’s methodology(ies) and criteria for the assessment of OH&S risks shall be defined with respect to their scope, nature and timing to ensure they are proactive rather than reactive and are used in a systematic way. Documented information shall be maintained and retained on the methodology(ies) and criteria.

First off, when I read the words methodology and criteria, I think of a risk matrix.

45001 Example Risk Table

A risk matrix is a standard method I see out there when I’m auditing. Criteria can be aligned to the Likelihood and Consequence. The different levels in these parameters will differ based on each organization's hazards. Setting criteria for each will help to achieve ‘some sort of’ consistency. It will never be perfect and can still be subjective, however, it’s certainly a start.

So, to me, a methodology is to use a risk matrix that includes the criteria set by the organization. ISO 45001 guidance also states that methodologies can include ongoing consultation of workers (refer to our video on clause 5.4 for a refresher on this clause), and other methodologies including monitoring and communication of changed or new legal requirements as well as other requirements (refer to our video on Clause 6.1.3 to learn more about this clause). So it’s not only a ‘tool’ such as a risk matrix, it's also activities that you conduct within your OH&S management system.

And don’t forget that this methodology and criteria are required to be maintained and retained. So, we are looking for a procedure that tells us HOW we assess OH&S risks and what methodology and criteria are used. THEN we are also required to retain evidence of its use. This means we should expect to see an output such as a risk or hazard register – you can call it what you like really! It’s more about demonstrating that you have:

  • Identified hazards or other OH&S risks
  • Used the documented methodology and criteria to assess the risks
  • Documented what the risk rating is (which is essentially a demonstration of the assessment).

Now that we understand what methodology, criteria and documented information is required let’s go back to the beginning and see what the requirements are.

This clause kicks off with stating that

The organization shall establish, implement and maintain a process(es) to: a) assess OH&S risks from the identified hazards, while taking into account the effectiveness of existing controls. AND b) determine and assess the other risks related to the establishment, implementation, operation and maintenance of the OH&S management system .

Ok – so point a) we’ve already really covered – assess the OH&S risks from the hazards identified – and then it wants us to consider what controls are already in place when we do assess the risk. When we use our risk matrix, for example, our assessment of the Likelihood and Consequence should take into consideration any controls that are already in place.

So, if we’ve identified the hazard of power tools and when the power tools are used existing controls include:

  • a risk assessment on the tool itself
  • training and competence sign off

The risk assessment needs to consider how these existing controls will influence the Likelihood and Consequence of an incident or injury occurring. Make sense?
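The passage above (methodology and criteria, then existing controls feeding into the likelihood and consequence scores) can be shown end to end with a small script. This is an added example, not code from the original page or from ISO 45001: the 5x5 scales, the rating bands, the credit each control earns and the two sample hazards are all assumed organization-defined criteria and constructed input, since the standard only requires that the methodology and criteria be defined, maintained and retained and that existing controls be taken into account. The output is the kind of hazard register the page says an auditor expects to see: hazard identified, documented criteria applied, rating recorded, highest residual risk first.

```python
"""Risk matrix assessment producing a hazard register (added example).

The scales, bands and per-control reductions below are assumed criteria
set by a hypothetical organization; ISO 45001 leaves these choices to it.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed likelihood and consequence scales (1 = lowest, 5 = highest).
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
CONSEQUENCE = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}

# Assumed rating bands over the matrix score likelihood x consequence (1..25).
BANDS = [(15, "Extreme"), (8, "High"), (4, "Medium"), (1, "Low")]


def rating_band(score: int) -> str:
    """Map a matrix score to the organization's rating band."""
    for threshold, band in BANDS:
        if score >= threshold:
            return band
    raise ValueError(f"score out of range: {score}")


@dataclass
class Control:
    """An existing control and the credit the criteria allow for it."""
    description: str
    likelihood_reduction: int = 0
    consequence_reduction: int = 0


@dataclass
class Hazard:
    hazard: str
    activity: str
    likelihood: int       # uncontrolled score on the LIKELIHOOD scale
    consequence: int      # uncontrolled score on the CONSEQUENCE scale
    existing_controls: List[Control] = field(default_factory=list)


def _check_score(name: str, value: int, scale: Dict[int, str]) -> None:
    """Reject scores outside the documented criteria instead of silently rating them."""
    if value not in scale:
        raise ValueError(f"{name} must be one of {sorted(scale)}, got {value!r}")


def assess(h: Hazard) -> dict:
    """Assess one hazard: inherent rating, then residual rating with existing controls credited."""
    _check_score("likelihood", h.likelihood, LIKELIHOOD)
    _check_score("consequence", h.consequence, CONSEQUENCE)
    inherent = h.likelihood * h.consequence
    # Controls reduce likelihood and/or consequence, but never below 1 on the
    # scale: a controlled hazard still carries a residual risk.
    residual_l = max(1, h.likelihood - sum(c.likelihood_reduction for c in h.existing_controls))
    residual_c = max(1, h.consequence - sum(c.consequence_reduction for c in h.existing_controls))
    residual = residual_l * residual_c
    return {
        "hazard": h.hazard,
        "activity": h.activity,
        "inherent_score": inherent,
        "inherent_band": rating_band(inherent),
        "existing_controls": [c.description for c in h.existing_controls],
        "residual_likelihood": LIKELIHOOD[residual_l],
        "residual_consequence": CONSEQUENCE[residual_c],
        "residual_score": residual,
        "residual_band": rating_band(residual),
    }


def build_register(hazards: List[Hazard]) -> List[dict]:
    """The retained output: every hazard assessed, highest residual risk first."""
    return sorted((assess(h) for h in hazards), key=lambda e: e["residual_score"], reverse=True)


def format_register(register: List[dict]) -> str:
    """Render the register as a plain-text table for the documented information."""
    lines = [f"{'Hazard':<22}{'Inherent':<16}{'Residual':<16}Existing controls"]
    for e in register:
        lines.append(
            f"{e['hazard']:<22}"
            f"{e['inherent_score']:>2} {e['inherent_band']:<13}"
            f"{e['residual_score']:>2} {e['residual_band']:<13}"
            + "; ".join(e["existing_controls"])
        )
    return "\n".join(lines)


# Constructed sample input: the page's power-tools example plus one more hazard.
SAMPLE_HAZARDS = [
    Hazard("Use of power tools", "Workshop fabrication", likelihood=4, consequence=4,
           existing_controls=[Control("Risk assessment on the tool itself", likelihood_reduction=1),
                              Control("Training and competence sign-off", likelihood_reduction=1)]),
    Hazard("Workshop noise", "Workshop fabrication", likelihood=3, consequence=3,
           existing_controls=[Control("Noise assessment and hearing protection", consequence_reduction=1)]),
]

if __name__ == "__main__":
    print(format_register(build_register(SAMPLE_HAZARDS)))
```

With these assumed criteria the power-tools hazard rates 16 (Extreme) uncontrolled and 8 (High) once the two existing controls are credited, which is exactly the distinction the text asks for: the register records both, and the order of the register is the order in which further action is planned. Note that the example only credits controls that are actually in place and documented; a control that exists on paper but is not applied should not reduce the score.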

And then point b) is exactly what I explained way at the beginning of this video, it’s not just about assessing risks as a result of hazards identified. Assessment of risks is also required for all of the OH&S management system commencing with establishing the system, then implementing, the operational aspects, and of course ongoing maintenance. Assessment isn’t something we do once, it is an ongoing activity to ensure that the OH&S management system remains current and relevant to all activities.

Now that you have a better understanding of these requirements, it's time to take action and implement them in your own organization and ISO 45001 OH&S management systems.

If you'd like to learn more about ISO 45001, why not take a look at our other articles on the topic, starting with What is ISO 45001 and OHS Management Systems ?

If you prefer watching over reading, head to our ATOLTV ISO 45001 playlist on YouTube, either way, be sure to check out our range of ISO 45001 courses and qualifications today.


Your Guide to Implementing ISO 45001

Benefits of implementation.

With or without a formal OH&S management system, organizations have a moral and legal duty to protect workers from accidents and ill health. This section gives an overview of a selection of the positive benefits of implementing ISO 45001; the list is not exhaustive.

Adoption of the Annex SL high-level structure enables organizations to integrate ISO 45001 with existing ISO 9001 quality and ISO 14001 environmental management systems. This reduces the complexity of meeting clause requirements across several standards, saving time and resources.

The standard provides a systematic approach for senior leadership to assess OH&S risks and opportunities, monitor and review safety performance and set objectives for continual improvement within the 'context' of organizational activities. This may include, for example, worker health promotion campaigns or monitoring the OH&S effects of the products and services provided.

Implementation demonstrates to internal and external stakeholders (interested parties) senior leadership's commitment to protecting workers from accidents, including short and long term ill-health effects. This may in turn reduce downtime, reduce or prevent lost-time hours and reduce the potential for prosecution. It also gives the Board of Directors, Trustees or owners assurance that management controls are in place for the OH&S risks inherent in the organization.

The standard promotes worker participation in identifying hazards and in eliminating or reducing risk through controls integrated with other business processes. This approach can improve safety culture, minimize risk and embed best practice, resulting in increased productivity. In addition to internal process controls, the standard requires assessment of the procurement of products and services that may influence OH&S, for example risk-based, structured management of contractors. Such a process can in turn provide controls that reduce OH&S risk, promote a positive safety culture and protect the business.

The standard provides a structure to monitor and review compliance obligations to ensure the organization is legally compliant, including in respect of its products and services. It is important for an organization to understand what it is trying to achieve, why it needs to achieve it and whether it has achieved it; this should be demonstrated within the system. Internal and external audit programs provide scrutiny of the effectiveness of the OH&S management system and its processes. The audit program promotes communication and participation of workers, with identification of gaps leading to continual improvement. With an emphasis on workers taking an active role in OH&S matters, this can have positive effects on an organization's reputation as a safe place to work, leading to staff retention, motivation and greater productivity. Implementation is also recognition of having achieved an international benchmark, which may positively influence existing and potential customers in fulfilling their own social responsibility commitments. For further information on the benefits of implementing ISO 45001 and its intended outcome, refer to Section 1 'Scope'.

Risk Based Thinking/Audits

Any company that operates an OH&S management system must ensure there are effective measures to evaluate performance, enabling continual improvement. This section outlines the different auditing methodologies used to check that the OH&S system is effective at all levels of the organization and meets the requirements of the standard.

RISK BASED THINKING

Risk Based Thinking (RBT) is a central tenet of ISO 45001. RBT requires the Management Team to continually assess the issues that affect the OH&S aspects of the organization and to ensure that appropriate targets, resources and controls are in place. RBT empowers organizations to make dynamic changes to their objectives and focus while ensuring that resources are in place to control changes and unforeseen circumstances. In relation to OH&S, risk-based thinking extends to areas outside the organization that may influence safety, for example the procurement of products and services (including contractors) and the impact of supplied products and services. The organization must determine its methodology for risk-based thinking, taking into account its compliance obligations and the participation of workers. For operational aspects the standard clearly defines the hierarchy of controls for eliminating hazards and reducing OH&S risks, with the involvement of workers. This requires the organization to reduce the risks associated with hazards to a level that is reasonably practicable.

1ST PARTY - INTERNAL AUDIT

Internal audits are a snapshot in time, used to determine whether policies and practices are effective and achieving their intended aim. The internal audit is an opportunity to engage with workers and to capture a true reflection of processes. Audits may identify positive evidence of conformity, including with compliance obligations; through inspection and observation they may also identify improvement opportunities and nonconformities against the standard.

AUDIT PLANNING

Developing an audit plan does not have to be a complicated process. Through risk-based thinking a series of audits can be scheduled to focus on areas of higher risk and to engage with identified groups of workers. It is up to the organization to determine the frequency, provided it is defined. In addition to operational aspects the plan will cover core processes, including compliance obligations, management review and documented information.

WALK THROUGH AUDITS

A less formal approach may be adopted in addition to the audit plan by conducting 'walk through' audits. These may be conducted by senior leadership or at operational level, inspecting areas of the organization against pre-determined questions. This is a further opportunity to engage with workers, promote communication and build a positive safety culture within the organization.

2ND PARTY - EXTERNAL AUDITS

Second party audits are usually conducted by customers, or by organizations on their behalf; they may also be conducted by regulators to check that the organization complies with legal requirements. External audits are a useful way for a customer to substantiate an organization's OH&S claims and to gather first-hand information and contact with workers before committing to a formal business relationship. Second party audits may be planned; however, regulators may not give notice, which emphasizes the need to ensure OH&S requirements are being met at all times.

3RD PARTY - CERTIFICATION AUDITS

Third party audits are conducted by certification bodies such as NQA, assessing conformity with the ISO 45001 OH&S standard. Depending on the number of employees, sites, risk and complexity of the organization, the certification body will determine the number of audit days required to cover the full scope of the standard. Prior to certification, the organization may consider a gap analysis conducted by either a consultant or the certification body to identify gaps against the standard.

Certification is a demonstration to interested parties, including workers, customers and regulators, that there is:

  • A mechanism for regular assessment to monitor and meet compliance obligations
  • Regular assessment to monitor and improve OH&S processes
  • Identification of hazards and reduction of OH&S risk
  • Regular review and assessment of OH&S risks and opportunities
  • Worker participation in decision-making to ensure a safe working environment, continual improvement and a positive safety culture


Section 1: Scope

For registration all clause requirements must be applied. This section sets the intent and parameters within which the ISO 45001 OH&S management standard can be used to attain its intended outcome.

The intended outcome of the OH&S management system is for the organization to:

Provide a safe and healthy workplace(s)

Prevent work related injury and / or ill health

Proactively monitor and improve OH&S performance

Eliminate hazards and minimise OH&S risks (including system deficiencies)

Take advantage of OH&S opportunities and address management system non-conformities associated with its activities

Fulfil legal and other requirements

Achieve OH&S objectives

Integrate other aspects of health and safety including worker wellness / wellbeing

This section makes it clear that the standard does not address issues such as product safety, property damage or environmental impacts beyond the risks they present to workers and other relevant interested parties.

Section 2: Normative References

A 'Normative references' clause is common to all management system standards; in the case of ISO 45001, however, there are no normative references. Where a standard has them, normative references are documents that are indispensable for its application: the referenced document is considered essential to applying the standard that cites it. ISO 45001 instead provides a bibliography with further information, including associated ISO management system standards.

Section 3: Terms and Definitions

The wording of ISO standards can be open to interpretation, and, as with all standards, differing interpretations can lead to confusion. To assist the user, Section 3 of the standard provides definitions of terms to prevent misinterpretation. It is highly recommended that persons responsible for implementing the standard have a clear understanding of the words defined in this section. For example, without guidance 'worker' may be read as an operator who works in a factory, when in fact a worker covers many different occupational roles, including agency workers, contractors, all employees including Top Management, and external provider staff. Each term is listed in the order of the hierarchy of concepts, reflecting the sequence in which the standard introduces them. In addition to the term and its definition, notes provide further information and clarity. In the electronic version of the standard the definitions are hyperlinked to one another so that their interrelationships can be seen.

ANNEX GUIDANCE

‘Annex A’ of the standard provides useful clarification of selected concepts in relation to OH&S to avoid misunderstanding. Concepts including:

Interested party

Documented information

If the organization requires the use of specific industry related terms and their meanings relative to the OH&S system, these terms can be used, however they must still conform to the ISO 45001 document.

Section 4: Context of the Organization

The rationale of this clause is that the system focuses on the processes and requirements needed to achieve the OH&S policy objectives. This can be achieved by understanding the organization and the ‘context’ in which it operates. Clause 4 also sets out the requirements for the ‘Scope’ and the system to be defined, and the subsequent high-level planning of the system to achieve the objectives. Understanding the context of the organization is usually conducted by senior leadership with information about the business and activities gathered at every level of the organization. Discussion points focus on internal and external issues which have an impact on the OH&S system. Clause 4 has four sub-clauses that each set out an element of what is needed to define the Context of the Organization, and to design the OH&S management system. These four requirements follow a sequence:

  • In 4.1: Clarification of the strategic aims of the organization and determination of any issues that could affect those aims being achieved
  • In 4.2: Consideration of the interested parties (stakeholders) of the organization, including workers, and how they can affect how the organization operates
  • In 4.3: Setting the scope of the OH&S management system from the information discussed and considered in 4.1 and 4.2
  • In 4.4: Laying out a design for the OH&S management system and the high-level planning around it


Internal and external issues are circumstances, characteristics and changes which can positively or negatively influence the OH&S management system. ‘Annex A’ of the standard has been developed to provide examples of internal and external issues. Below are typical examples, however each issue will be focused on the individual organization:

External issues

Cultural, social, political, legal, financial, technological, economic and natural surroundings including the environment in which the organization operates

Who the competitors are and any contractors, subcontractors, suppliers, partners and providers

National and international law

Industry drivers and trends which have influence on the organization

The organization products and services and their influence on occupational health and safety

Internal issues

Governance, organizational structure, roles and accountabilities

Policies, objectives and the strategies in place to achieve them

Resources (including human), knowledge and competence

OH&S culture within the organization and the relationship with workers

Process for the introduction of new products, materials, services, tools, software, premises and equipment

Working conditions

With the information gathered during discussions at all levels of the organization to determine context, it is recommended that this information is placed into a report. The benefit is that it provides a cohesive explanation and a good reference to support present and future business strategy. (For review of context refer to Section 9.)

4.2 UNDERSTANDING THE NEEDS AND EXPECTATIONS OF WORKERS AND OTHER INTERESTED PARTIES


From the information gathered in 4.1, 4.2 and 4.3 the standard requires the design and integration of processes within the management system to satisfy the requirements of ISO 45001. This may include such processes as design and development, procurement, marketing and manufacturing.

Section 5: Leadership

Critical to the success of the OH&S management system is leadership and commitment from ‘Top Management’. The expectation on leaders within an organization is to become champions of the system and provide the necessary resources to protect workers from harm.

This section provides the tone and expectation on senior leadership to take an active part in the OH&S system and generation of a positive health and safety culture within the organization. The following are examples of how leadership can be demonstrated within the OH&S management system:

Take overall responsibility and accountability for the prevention of work related injury / ill health, as well as the provision of a safe and healthy work environment

Facilitating positive culture and continual improvement

Ensure the OH&S system is integrated within business processes

Promote communication internally and externally and at all levels (cascading from the top)

Protect workers from reprisal when reporting incidents, hazards, risk and opportunities

Provision and support for safety committees

For an external audit the expectation is for senior leadership to be at the heart of the OH&S management system, with a clear demonstration of understanding of the system.

OH&S POLICY

An OH&S Policy is a 'Statement of Intent' or 'Mission Statement' which sets out the framework for managing the Occupational Health and Safety Management System. The OH&S policy is approved by senior leadership and drives the controls that are in place and the actions that are carried out to improve it. The standard specifically requires that the OH&S policy includes commitments to:

Provide a framework for setting objectives

Provide safe and healthy working conditions for the prevention of work related injury and / or ill health

Eliminate hazards and reduce OH&S risks

Continual improvement of the OH&S system

Consultation and participation of workers and where they exist worker representatives

Fulfilment of legal and other requirements

Once the OH&S policy has been approved it must be communicated to stakeholders, including workers. The policy must be available to interested parties, which will include customers and external providers, on request. In addition, the OH&S policy must be reviewed periodically by senior leadership to ensure it remains applicable to the context of your organization.

ORGANIZATIONAL ROLES, RESPONSIBILITIES AND AUTHORITIES

This section requires the organization to define clear roles, responsibilities and authorities throughout the organization. It is recognised that overall responsibility for the OH&S management system falls to ‘Top Management’ however individuals must take account of their own health and safety and that of others. Consider documenting roles, responsibilities and authorities within high-level and localized organizational charts. Individual policies and work instructions may also include responsibility and authority however competence must be considered.

A key factor for the success of an OH&S system is to ensure there are clear lines of communication, consultation and participation of workers with sufficient allocation of time and resources. This section requires the development of processes to ensure information that has an impact on OH&S is communicated at all levels of the organization. This can be achieved in many different ways depending on the scope and scale of your organization. Here is a selection of suggested methods of promoting consultation and participation of workers:

Periodic meetings with senior leadership to discuss processes including OH&S issues

Safety committee with worker representatives (where required)

Identification and elimination of hazards (risk assessments)

Development of training Tool Box Talks and presentations (This may include training tools for workers outside of your organization such as visiting contractors)

Development of Safe Systems of Work and Work Instructions

Cross communication between sites within the organization

Near miss reporting schemes with follow up actions including root cause analysis

Open door policy to talk to a safety or HR representative

OH&S suggestion boxes

Communication – Notice boards, newsletters, email, blogs, health promotion campaigns

Once a selection of methods of consultation and participation of workers has been chosen, consider documenting the methodologies within a process. This will enable the organization to periodically check the process within your audit program to ensure any identified requirements have been fulfilled.

Section 6: Planning

Planning is one of the key components of any management system. ISO 45001 is based on the 'Plan-Do-Check-Act' cycle, where planning sets in motion the actions for how the system will work. Planning occurs at several points in the OH&S management system framework. To set out the management system, planning is required using the information gathered in clause 4. At various points there will be a need to 'plan' again; this includes periodic planning to achieve the objectives that are set and reviewed, and planning in the event of a 'change', which could arise from a planned or unplanned event. The requirements are to:

  • Plan the actions, based on risk assessment, to manage risks and opportunities and prevent undesired effects, including work related injury or ill health
  • Manage events and continually determine risks and opportunities for both workers and the OH&S system
  • Establish and manage objectives
  • Plan and manage changes to the system and re-evaluate once the change has been made
  • Consider relationships and interactions between activities
  • Define a methodology for hazard identification
  • Define the methodology for identification and management of legal and other requirements
  • Understand the knowledge within the organization needed to manage activities safely

HAZARD IDENTIFICATION

Hazard identification is fundamental to the planning process for prioritizing actions to address risks and opportunities. The standard requires the organization to assess the risks of its internal and external activities and to apply the 'Hierarchy of Controls' (see illustration opposite) to the results. Hazard identification enables the organization to recognize and understand hazards in the workplace. It also allows workers to assess, prioritize and eliminate hazards or to reduce OH&S risks. Hazards can arise in many different circumstances and conditions, including physical, chemical, biological, psychosocial, physiological, mechanical and electrical hazards, or those based on movement and energy. Consideration must also be given to the types of activity, including the following:

Groups of workers exposed to the hazard

Shift work, hours of activity, lone working, supervision

Human factors including demanding physical activities

Design of the workplace, for example segregation of traffic and pedestrian routes

Changes in work pattern including increase or decrease in productivity

Noise, cold, heat

Legal requirements and mechanism to adapt to changes in legal requirements

How the risk assessment will be communicated and subsequent worker training of control measures

Emergency situations such as unplanned events including fire and loss of power

Availability of resources to ensure hierarchy of controls can be applied to risk assessment findings


The organization needs to be confident that during the risk assessment process it is adhering to the latest applicable legal and other requirements. The legal and other requirements process of assessment will vary depending on the complexity of the business. Sources of information may be gathered in many ways including:

Subscription to publisher legal update newsletters

Membership of trade associations

Research via reputable government websites

Use of competent consultants

Competent employee membership of occupational health and safety institutes

Employee attendance of occupational health and safety training courses

Following the initial assessment of compliance obligations, the organization may consider recording the relevant information in a document; a spreadsheet may be useful for this purpose. This live document may be referenced from individual risk assessments and may include the following information:

  • Name and reference number of the regulation / requirement
  • Revision status
  • Date the regulation was last reviewed
  • Competent person responsible for reviewing the requirement
  • Area of the organization the requirement impacts, including a short description of the activity and the associated documented information
  • A hyperlink to, or description of, the source of information
  • Name and contact details of the customer / external provider, if relevant to an 'other requirement'
  • Next review date

PLANNING ACTION

Following the hazard identification process, the organization should plan actions in order of priority to reduce risk, considering the consequences of each action before it is introduced. Planning of actions, including the introduction of control measures, must take place within the framework of the OH&S management system. Control measures may be integrated into existing quality system work instructions or, based on risk, developed into dedicated Safe Systems of Work. Tasks may be delegated by senior leadership to individuals or to a group. Tasks will be allocated to persons based on competency, with consideration of how any training will be delivered to different groups of workers.

OBJECTIVES

It is a requirement of the standard to set achievable OH&S objectives with the means to periodically measure progress, demonstrating continual improvement. Objectives are often set and reviewed at management review (see clause 9.3) or locally at departmental or committee meetings. Once set, there must be a means to communicate objectives throughout the organization to support and generate a positive OH&S culture. If many requirements have been identified the organization may consider developing a documented Occupational Health and Safety Strategic Plan. The plan should be agreed by senior leadership and include risk-rated tasks in order of priority, each aligned with the member of senior leadership responsible for overseeing it. A strategic OH&S plan is a live document and should be reviewed periodically to monitor progress towards the objectives and continual improvement. The document may include:

Strategic prioritized topic

Action, this could be conducting assessments according to compliance obligations such as a noise assessment

Method in which the action can be achieved

Resources required to achieve the action. For example human, equipment, financial and external provider expertise

The key performance indicator to demonstrate achievement of the action

General responsibility

Top Management responsibility

Risk rating (order of priority)

Section 7: Support

This section looks at the requirements which underpin the OH&S management system to ensure it runs effectively.

RESOURCES

Resources will be required to fulfil the requirements identified during the planning stages of the system and to maintain continual improvement. These include human, natural, infrastructure (buildings, plant, equipment, utilities, emergency containment systems), technological and financial resources. It is essential that the allocation of resources has the full support of Top Management, under the requirements of Clause 5, to drive the maintenance of a safe and healthy work environment. As part of identifying resources, the organization needs to look at the information produced in Section 6 to acknowledge the risks, opportunities and resulting objectives, and then allocate sufficient resources to mitigate or manage them.

COMPETENCE

An organization working effectively and efficiently must have competent workers. In terms of OH&S it is essential that workers have access to information and have been suitably trained to prevent accidents or ill health to themselves and others. Competence can include consideration for:

Capability to fulfil the task based on defined job roles and clear understanding of the required OH&S aspects

Defined methods of recruitment with consideration for temporary or agency workers

Awareness of hazards associated with the environment and processes

Legal requirements

Individual capabilities including experience, language skills, literacy and diversity

The diversity of activities within the organization will determine the level of training required to achieve competence. Training gaps are usually identified when new processes are developed, for example on the introduction of new machinery or when achieving compliance with regulatory requirements. No matter how big or small the organization, training records are essential as reference and as evidence that competence has been achieved. Consider an overview training matrix identifying training needs, whether they have been fulfilled and refresher training dates. In addition, consider individual training records signed by the worker to acknowledge completion and understanding of the training, including hazard awareness. The organization must also consider the competence of external providers, including contractors procured to carry out tasks on site. The organization's procurement process may provide the structure for managing external providers, including evidence of capability and competence, supported on site by induction training. Whether workers are internal or external, Top Management must be confident that mechanisms are in place to provide them with suitable and sufficient competency-based OH&S training.

AWARENESS

Awareness of the requirements of the OH&S system is critical to both internal and external workers. There must be a clear understanding of the organization’s H&S Policy including the requirement for individuals to protect themselves and others from exposure to hazards. Awareness training starts before work commencement for both internal and external workers and may include:

OH&S Policy and requirements

Hazards associated with the environment and processes

Means to report incidents and receive information following investigation

Means to report near misses or safety critical defects

Structure of supervision

Provision of information including Safe Systems of Work or Work Instructions

Clear understanding that there are no recriminations for reporting hazards or precautionary removal of individuals from exposure to harm which is life threatening. This must be actively encouraged as part of a positive safety culture

It is recommended that there is evidence of awareness training, as outlined in the 'Competence' part of Section 7.

COMMUNICATION - INTERNAL AND EXTERNAL

Defined channels of communication are key to the success of the OH&S management system. It is recommended that there is a clear policy on communication, endorsed by Top Management, identifying the communication process. The organization will need to determine:

What will be communicated?
  Examples: OH&S Policy, site rules including personal responsibilities, hazards, risk assessments, Work Instructions, minutes from committee meetings, investigation results, organizational structure, performance

When will communication occur?
  Examples: recruitment (permanent or temporary), induction (internal and external), morning briefings, safety committee meetings, pending legal requirements

Who will information be communicated to?
  Examples: workers including agency workers, contractors, external providers, product end users and other interested parties

How will information be communicated?
  Examples: notice boards, tool box talks, email, website, newsletters, supervision

As with all management systems the extent of documented information will vary depending on the size, scope and complexity of processes within the organization. A practical approach to development and control of documented information will assist in business protection as well as providing sources of information for workers relating to hazard identification. Consider a risk-based approach to the level of documented information required including consideration for literacy and language. Documented information is not restricted to hard copy and will appear in a variety of media including electronic format, emails and web based. Below is a selection of the variety of documented information:

Source   | Type         | Use
External | Regulatory   | Government website instructions and leaflets, codes of practice
External | Information  | External provider material safety data sheets, certificates of conformity
External | Information  | External provider machinery installation instructions and technical specifications
External | Information  | Risk assessments and method statements
External | Certificates | Fire system, fixed wiring service records, liability insurance documents
External | Training     | Certificates of competence (fork lift truck, OH&S awareness)
Internal | Training     | Induction presentations, tool box talks
Internal | Training     | Individual training records
Internal | Work         | Safe Systems of Work, Work Instructions
Internal | Inspections  | Evidence of maintenance and routine inspections

METHODS OF CONTROLLING DOCUMENTED INFORMATION

It’s essential to have a robust but simple system of control for documented information. This will ensure workers are always aware of the latest requirements relating to OH&S. In support of the latest revision of documented information there must be the means to communicate the latest policies, practices and work instructions. As previously indicated documented information will come from internal and external sources. Below are suggested means of controlling both internal and external documented information:

Develop a document reference system within the header or footer e.g. Maintenance Procedure No. 1 – MP01, Maintenance Form 01 – MF01 etc

Identify the revision status, revision date and author within the document footer

Use the same document control methodology for electronic documents and data

Develop a spreadsheet identifying the reasons why previous revisions have been updated

Determine the method of issue for documented information with consideration for recovery of pre-modified documented information and communication

Archive in electronic format previous revisions of documents based on risk ensuring there is a means of backing up and recovering data

Determine and identify in the spreadsheet the intended document retention timescale. This may be based on legal requirements such as insurance documentation

Determine what should be communicated and retained based on risk

Consider scanning to reduce reliance on paper

Maintain the integrity of archived documentation

Remember to create a simple system to use for all to understand and access accordingly. Consider supporting the chosen method with an instructional procedure with applicable training.
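The reference scheme, revision log, retention timescale and archive-integrity controls listed above can be kept in one small register. The following Python is an added example and is not part of the original guide: it borrows the MP01/MF01 reference scheme from the text, while the document contents, authors, dates and retention periods are constructed sample data. Archived copies are fingerprinted with SHA-256 when issued, so a later integrity check can prove that what sits in the archive is what was issued.

```python
"""Controlled-document register: reference, revision status, change reasons,
retention review and archive integrity. Added illustrative example; the
documents, authors, dates and retention periods below are constructed."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Revision:
    number: int      # revision status shown in the document footer
    issued: date     # revision date shown in the footer
    author: str
    reason: str      # why the previous revision was superseded (the spreadsheet column)
    sha256: str      # digest of the archived copy, used by verify_archive()


@dataclass
class ControlledDocument:
    reference: str        # e.g. MP01 = Maintenance Procedure 01
    title: str
    retention_years: int  # retention timescale, e.g. driven by a legal requirement
    revisions: list[Revision] = field(default_factory=list)

    @property
    def current(self) -> Revision:
        return self.revisions[-1]


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


class Register:
    """In-memory stand-in for the spreadsheet plus the electronic archive."""

    def __init__(self) -> None:
        self.documents: dict[str, ControlledDocument] = {}
        self.archive: dict[tuple[str, int], bytes] = {}  # (reference, revision) -> copy

    def issue(self, doc: ControlledDocument, content: bytes, issued: date,
              author: str, reason: str) -> Revision:
        """Issue the next revision: archive the copy and record digest and reason."""
        self.documents.setdefault(doc.reference, doc)
        number = len(doc.revisions) + 1
        rev = Revision(number, issued, author, reason, digest(content))
        doc.revisions.append(rev)
        self.archive[(doc.reference, number)] = content
        return rev

    def footer(self, reference: str) -> str:
        """Footer text carrying reference, revision status, date and author."""
        doc = self.documents[reference]
        rev = doc.current
        return f"{doc.reference} Rev {rev.number} | {rev.issued.isoformat()} | {rev.author}"

    def superseded(self, reference: str) -> list[int]:
        """Revision numbers that must be recovered from circulation."""
        return [r.number for r in self.documents[reference].revisions[:-1]]

    def verify_archive(self) -> list[tuple[str, int]]:
        """Recompute every digest; return the archived copies that no longer match."""
        failures = []
        for doc in self.documents.values():
            for rev in doc.revisions:
                if digest(self.archive[(doc.reference, rev.number)]) != rev.sha256:
                    failures.append((doc.reference, rev.number))
        return failures

    def retention_due(self, today: date | str) -> list[tuple[str, int]]:
        """Superseded revisions whose retention timescale has lapsed by `today`."""
        if isinstance(today, str):
            today = date.fromisoformat(today)
        due = []
        for doc in self.documents.values():
            for rev in doc.revisions[:-1]:  # the current revision is never due
                if rev.issued + timedelta(days=365 * doc.retention_years) <= today:
                    due.append((doc.reference, rev.number))
        return due


def build_sample_register() -> Register:
    """Constructed sample data: two documents, one of them revised once."""
    reg = Register()
    mp01 = ControlledDocument("MP01", "Maintenance Procedure 01", retention_years=3)
    mf01 = ControlledDocument("MF01", "Maintenance Form 01", retention_years=6)
    reg.issue(mp01, b"Isolate machine before guard removal.", date(2019, 3, 4),
              "A. Smith", "Initial issue")
    reg.issue(mp01, b"Isolate and lock off machine before guard removal.",
              date(2021, 6, 1), "A. Smith", "Lock-off step added after near miss investigation")
    reg.issue(mf01, b"Maintenance record form", date(2020, 1, 15), "B. Jones", "Initial issue")
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print(reg.footer("MP01"), "superseded:", reg.superseded("MP01"))
    print("integrity failures:", reg.verify_archive())
    print("retention due on 2022-03-04:", reg.retention_due("2022-03-04"))
```

Running the module prints the current MP01 footer, an empty integrity-failure list and the superseded MP01 revision 1 as due for retention review three years after it was issued. Altering an archived copy makes verify_archive() report it, which is the check behind "maintain the integrity of archived documentation".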

Section 8: Operation

Once the processes within the organization have been identified (see clause 4.4) and the way the business will operate has been planned (see clause 6), the organization needs to plan and control each process within the OH&S management system.

Operational Planning and Control is the method in which the organization determines what is required for each process and the method in which requirements are controlled to ensure workers are protected from harm. Operational Planning and Control is achieved by identifying the criteria for each process which may include:

The boundaries of each process and how they interact

What resources are required to manage the process including leadership, equipment, time, human (competency and training aspects) and financial

What documented information is required to aid management of the process including procedures and safe systems of work

The method in which changes to the process are planned and controlled including unintended events

Application of legal and other requirements or manufacturer’s instructions for equipment

Engineering controls, for example interlocked guards and exhaust systems

The organization must also consider the adaptation of the work environment to ensure it is suitable and sufficient for all workers. Adaptation in broad terms may be induction of new workers or ergonomically changed processes to protect workers from harm and improve process efficiency.

ELIMINATING HAZARDS AND REDUCING OH&S RISKS

MANAGEMENT OF CHANGE

It is recognized that accidents can occur when processes deviate from defined established control measures. This may include changes in competent supervision and workers or the introduction of new materials, machinery and processes. The organization must define and implement a process which considers change throughout the business. This may be a written policy which accounts for different scenarios based on risk and opportunity. The change process may be supported by a documented system to acknowledge issue and receipt of the notification to ensure it is communicated and understood. Notification of change may be supported by training and competence requirements. The change process could incorporate a mechanism to assess and prevent the introduction of new hazards. Examples of events where management of change might be necessary include (the list is not exhaustive):

Change event / Method of management
Organization of re-training of an existing member of staff, supported by an external provider until the employee is competent.
Temporarily train staff in alternative means of receiving first aid treatment, including neighboring businesses and emergency services.
Appoint a Project Manager to coordinate implementation including risk assessment, instruction, training and supervision. Provision of risk assessment and installation method statement from the external provider. Development of control documents based on manufacturer's recommendations.
Appoint a competent representative to conduct a risk assessment and coordinate relocation of staff to a safe environment.
Project management coordination, presentations and toolbox talks, competence and awareness training.

The purchase of goods and services is a requirement for any business to function. The standard requires the organization to put controls in place to ensure those purchased goods and services do not introduce hazards and expose workers to harm including contractors.

PROCUREMENT

A robust procurement process is essential to control product and services inputs into an organization. Inputs may include raw materials for products, equipment including machinery, consumables such as cleaning products and workers conducting maintenance as part of a service agreement. The organization is required to develop a process which should include an assessment of the impact on safety of products and services prior to purchase. This may include obtaining product or material safety data from an external provider or by conducting a risk assessment. Risk assessment with an external provider may be considered during activities such as the purchase and installation of machinery. The assessment would identify potential hazards and suitable control measures to protect both organizational workers and contractors. Within the process, consider the delivery of products to ensure they are inspected against specified requirements prior to release. Consideration must also be made to ensure those products and services are legally compliant. This may be through the assessment of material safety data sheets, declarations of conformity or business registration with trade associations. Personnel who are responsible for procurement must ensure they utilize competent workers to assist with assessments and to communicate safety information relating to the product or service. Health and safety information may include material safety data sheets, training, competence requirements and instructions for use.

CONTRACTORS AND OUTSOURCING

Many businesses use the services of contractors (external providers) to fulfil gaps in processes and to complete tasks requiring specialist knowledge. The standard requires the organization to conduct an assessment on those contractors including due diligence competency checks. The organization may consider the use of contractor selection criteria to ensure services are within scope of the task. The organization must be satisfied there is a process to protect contractors (workers) and other workers who may be exposed to hazards due to their activities. During the procurement process written agreements may be established between the organization and contractor specifying the organization's rules. This may be supported by risk assessments and method statements conducted by both parties with communication of results. It is key that necessary checks have been made to ensure contractors are competent and may, in some circumstances, require confirmation of compliance to legal requirements. For example, certification to work on electrical switch gear or to work on a gas boiler. Once the procurement process has been completed it is good practice to support site activities with an induction program. This will provide contractor workers with an understanding of the rules including any specific requirements, for example, site hazards, authorized areas, near miss reporting processes, safe walking routes, emergency action plans, supervision and required permits to work.

DOCUMENTED INFORMATION

The standard requires the organization to maintain documented information relating to the procurement of products and services including contractor arrangements. Below is a list of examples of documented information considered for retention:

Risk assessment and method statements between the organization and contractor

Material safety data sheets

Email exchanges relating to safety aspects

Certificates of conformity – Harnesses, guarding, emergency stops, PPE

Contractor permits and licenses

Completed external provider questionnaires

Worker training records

EMERGENCY PREPAREDNESS AND RESPONSE

Planning for unexpected events is a good all-round organizational discipline. The risk assessment process (for ISO 45001, the identification of hazards) may have highlighted potential emergency situations with possible catastrophic consequences, so control measures must be put in place to mitigate these potential events. Once emergency situations have been identified, which may involve workers at every level of the organization, a plan needs to be formulated and tested. Check that emergency preparedness and response have been tested within the internal audit plan. Testing emergency response plans is critical to raise awareness of potential events and to ensure that control measures function, including supervision, individual responsibilities, suitability of training and communication. Below are some examples of when emergency plans will be required:

Event: Provision of first aid
Recommendation: Testing of first aid response; consider shift patterns, availability of equipment and competent staff etc.

Event: Evacuation drill
Recommendation: Method of raising the alarm, contacting the emergency services, accountability of workers, staged evacuation, changes in building layout etc.

Event: Bomb threat
Recommendation: Raising the alarm, what to do with workers (stay put or evacuate to a safe area), keeping away from windows, controlled method of raising the alarm.

Event: Chemical spillage
Recommendation: Raising the alarm, evacuation, containment, availability of Material Safety Data Sheets.

Once the plan has been tested it is important to provide workers with feedback to learn from experience. Again, there is a requirement to have suitable information and records as documented information.

Section 9: Performance Evaluation

Performance evaluation is a constructive process that aims to improve an organization’s operation and is crucial to the ‘Plan, Do, Check and Act’ model prescribed by ISO 45001. These processes should help achieve and support organizational strategy and goals.

MONITORING, MEASUREMENT, ANALYSIS AND EVALUATION

An organization should check, review, inspect and observe its planned activities to ensure they are occurring as intended. An organization must make sure they have determined the appropriate processes, so they can evaluate how well they are performing based on risk and opportunities. Monitoring generally indicates processes that can check whether something is occurring as intended or planned. The tables below provide examples of monitoring and specific control measures:

Event: Local Exhaust Ventilation (LEV) system
Monitoring: Appointed person inspects weekly the airflow of an LEV system that safely removes fumes from a process.
Measurement: Use of a calibrated meter to check the airflow at two inspection locations of the system according to a specified Work Instruction (the employee is trained and competent to use the equipment).
Analysis: Review of recorded data determining the airflow efficiency of the system to ensure workers are safe. This may include trends, and is checked against the manufacturer's specifications and regulatory requirements.
Evaluation: The trend analysis indicates a reduction in airflow, therefore maintenance is triggered to isolate and inspect the LEV system.

Event: Safe walking routes
Monitoring: Appointed person conducts a daily site inspection of safe walking routes to ensure they are in a condition to prevent slips, trips and falls.
Measurement: Visual inspection to ensure there are no obstructions outside of defined safe walking routes (usually measurement is associated with measurement equipment to obtain data).
Analysis: Examination of results from inspections. In this case there may be a trend of equipment repeatedly left in the same location on a safe walking route.
Evaluation: Determination of the root cause of why equipment is repeatedly left in the safe walking route, resulting in allocation of a designated safe place for equipment away from the safe walking route.
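The analysis and evaluation steps of the two tables above, run over constructed monitoring records, as an added example that is not part of the original guide. The weekly LEV readings, the manufacturer's minimum airflow, the trend action level and the walking-route inspection log are all assumed values; the "trend" is a least-squares slope over the weekly measurements, so maintenance is triggered while the airflow is still above the minimum rather than only after it has been breached.

```python
"""Analysis and evaluation applied to monitoring and measurement records.
Added illustrative example: all readings, limits and locations are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AirflowReading:
    week: int
    point: str      # inspection location on the LEV system
    m_per_s: float  # airflow measured with a calibrated meter


# Constructed weekly readings at two inspection points (m/s); point B is decaying.
LEV_READINGS = (
    [AirflowReading(w, "A", v) for w, v in enumerate([1.02, 1.01, 1.03, 1.00, 1.02, 1.01], 1)]
    + [AirflowReading(w, "B", v) for w, v in enumerate([1.00, 0.97, 0.95, 0.92, 0.90, 0.87], 1)]
)

MIN_VELOCITY = 0.80   # assumed manufacturer's minimum airflow for safe fume capture
TREND_LIMIT = -0.01   # assumed action level: losing more than 0.01 m/s per week


def slope(points):
    """Least-squares slope of (x, y) pairs: the trend used in the analysis step."""
    n = len(points)
    sx = sum(x for x, _ in points)
    sy = sum(y for _, y in points)
    sxx = sum(x * x for x, _ in points)
    sxy = sum(x * y for x, y in points)
    return (n * sxy - sx * sy) / (n * sxx - sx * sx)


def evaluate_lev(readings, min_velocity=MIN_VELOCITY, trend_limit=TREND_LIMIT):
    """Evaluation step: one decision per inspection point. Maintenance is
    triggered by a downward trend as well as by a breach of the minimum, so
    the system is isolated and inspected before workers are exposed."""
    decisions = {}
    for point in sorted({r.point for r in readings}):
        series = sorted((r.week, r.m_per_s) for r in readings if r.point == point)
        latest = series[-1][1]
        if latest < min_velocity:
            decisions[point] = "isolate: below minimum airflow"
        elif len(series) > 1 and slope(series) < trend_limit:
            decisions[point] = "trigger maintenance: airflow falling"
        else:
            decisions[point] = "ok"
    return decisions


# Constructed daily inspection log for a safe walking route: (date, obstruction
# found, or None when the route was clear).
ROUTE_LOG = [
    ("2024-05-06", "pallet at bay 3"),
    ("2024-05-07", None),
    ("2024-05-08", "pallet at bay 3"),
    ("2024-05-09", "roll cage at door 2"),
    ("2024-05-10", "pallet at bay 3"),
]


def repeated_obstructions(log, threshold=3):
    """Analysis step for the walking-route inspections: locations obstructed at
    least `threshold` times, which warrant a root-cause review and a designated
    storage place away from the route."""
    counts = Counter(item for _, item in log if item)
    return [item for item, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    print(evaluate_lev(LEV_READINGS))
    print(repeated_obstructions(ROUTE_LOG))
```

Point A holds steady and evaluates as "ok"; point B loses roughly 0.025 m/s per week, which exceeds the assumed action level and triggers maintenance although every reading is still above the minimum. The walking-route analysis returns the one location that was obstructed three times.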

Any equipment used to determine the measurement ‘indicator’ should be calibrated and maintained so that a high degree of confidence is gained in the credibility of data. The standard also requires the organization to implement a process to evaluate legal and other compliance including:

The frequency and method of evaluation

If action is needed, the process in which it will be evaluated and implemented

Maintain knowledge and understanding of its compliance status

Retain documented information to support the evaluation of legal and other requirements

In practice you may consider putting a list of compliance obligations within a spreadsheet as outlined under section 6 of this document. Periodically this process should be audited within the internal audit program to ensure all compliance obligations have been fulfilled. Audit results including compliance status should be communicated to senior leadership within the organization. Any outstanding or pending requirements can be actioned by the leadership team. This will ensure compliance to obligations and reduction in risk including potential prosecution.

INTERNAL AUDIT

An internal audit is a systematic method to check organizational processes and requirements, as well as those detailed in the ISO 45001 standard. This will ensure the processes in place are effective and the procedures are being adhered to. The internal audit program will aid the organization to achieve the OH&S objectives and targets. It helps:

Monitor compliance to policy and objectives

Provide evidence that all necessary checks are carried out

Ensure all current legislative and other requirements are met

Assess the effectiveness of risk management

Worker engagement leading to a positive safety culture

Identify improvement using ‘fresh eyes’ to review a process

Aid continual improvement

Internal audits must be conducted by competent staff with a degree of impartiality to the area being audited. A risk-based approach can be applied to areas being audited with an increased focus on higher risk activities. Internal audits must be planned with an expectation of each process being audited in regular intervals. In addition to planned audits, unplanned audits may be conducted in reaction to problematic areas, near miss reports or incident data with focus on accident prevention. It is beneficial to communicate audit results to applicable interested parties including workers and set realistic completion timescales for identified ‘opportunities for improvement’ or ‘non- conformities’. Top Management must be aware of deficiencies within the system to ensure necessary resources can be allocated to mitigate the findings. Audit results will be reviewed as part of the management review process.

MANAGEMENT REVIEW

Management Review is an essential element of the Occupational Health and Safety Management System. The aim of the review is for Top Management to assess the performance of the management system to ensure it has been effective and suitable for the needs of the business, ultimately preventing injury or harm to workers. The management review is also a planned activity to review objectives including compliance and to set new objectives. Usually management review meetings are conducted annually; however, many organizations conduct management reviews every six months or quarterly to track the performance of the system. If more frequent meetings are conducted, the agenda is often reduced, with the full agenda occurring annually. The table below provides an overview of the prescribed management review agenda requirements:

ISO 45001 clause 9.3 reference | Summary of requirement for the Management Review agenda
a) Provide a summary of the status of actions from the output of the previous management review. This will include completed or incomplete tasks and justifications for their status. This information can be pre-prepared for the meeting.
b1) Explain any changes to internal and external issues relevant to the context of the organization to ensure the needs and expectations of interested parties including workers are fulfilled.
b2) In addition to B1 note any changes or pending changes to legal and other requirements and actions to address compliance obligations.
b3) If there are any differences or changes to organizational risk and opportunities, they should be noted and explained and discussed in the section below.
c) Review whether compliance to OH&S policy and objectives have been achieved. It is good practice to place objectives within a table, align key performance indicators to achieve them and comments if they have or have not been achieved. This will also indicate compliance status of continual improvement.
d1)  Discuss any incidents or non-conformities which have occurred since the last review period including trends. Are there any trends and what actions have been taken to prevent re-occurrence?
d2)  Determine if monitoring and measuring has been effective in meeting expectations within the organization. If evidence suggests it has not been effective Top Management can influence improvement.
d3)  Discuss the status of compliance to legal and other requirements. This may include evidence to support compliance including the methods of determination and sources of information. Discuss any pending legal and other requirements.
d4)  Discuss results of internal audits and actions that have been taken to resolve any non-conformities. Discuss areas of improvement and areas which are performing well.
d5)  Overview of consultation of workers. This may be feedback from safety committee meetings and actions to address risk and opportunities. Other processes to ensure workers are safe including contractor arrangements.
d6)  Discuss risk and opportunities including performance of hazard identification and opportunities to mitigate harm to workers. The organization may wish to review significant findings of risk assessments.
e)  With consideration of the information discussed in previous sections are there enough resources to maintain and continuously improve the management system. This could be human or financial. Top Management are key to influence improvement in this area.
f)  Discuss communications with interested parties, this may include regulatory authorities or external providers who are providing materials which have an impact on safety.
g)  General discussion with the provision of information how the OH&S management system is performing and how can it continually improve in the future.

On completion of the management review meeting the organization must decide with senior leadership and support, what is needed to continuously improve OH&S and satisfy the standard. The following points outline the Management Review Meeting output requirements:

Provide an overall conclusion on the continuing suitability, adequacy and effectiveness of the OH&S management system in achieving its intended outcomes

Identify continual improvement opportunities

Identify any required changes to the OH&S management system

Identify required resources

Identify any actions needed

Identify any integration improvements with other business processes. This may be further harmonization with ISO 9001 or ISO 14001 management systems

Any implications to the strategic direction of the business. This is a broad scope requirement to capture any topic to improve the OH&S management system

The organization is required to record the meeting minutes as documented information. This information must be communicated to the relevant interested parties and, where applicable, worker representatives. It is good practice to transfer management review objectives into a separate document with identified key performance indicators, expected completion timescales and delegated responsibilities. These objectives may be communicated via the organization's email or placed on notice boards.

Section 10: Improvement

From the results discussed in section 9 Management Review including the analysis and evaluation of OH&S performance, internal auditing and feedback from worker engagement

Non-conformity and corrective action

Incident investigation and corrective action

Accident investigation and corrective action

Compliance obligations including output from the introduction of new regulation

Several different methods of capturing improvement opportunities may be designed in the system based on the structure, activities and risk within the business discussed in section 4 and 6. The chosen methods must consider the following:

Means of reporting including incidents to the right groups of workers and interested parties

The timescale of reporting

How the information is going to be recorded as documented information for example near miss report cards, accident reports, defect reports, reports to senior leadership

Using workers to participate in investigations to determine root cause analysis

A structured system to prevent reoccurrence

Hierarchy of control measures to reduce risk as far as is reasonably practicable

Assessment of OH&S risks prior to the introduction of a corrective action to prevent the introduction of new hazards

Training and competence for workers and interested parties on the means of reporting OH&S hazards, incidents and opportunities for improvement

INCIDENT

Unlike the ISO 9001 (quality) and ISO 14001 (environmental) management systems, ISO 45001 introduces ‘incident’ alongside non-conformity and corrective action. Clause 3 ‘Terms and definitions’ of the standard defines an incident as an occurrence arising out of, or in the course of, work that could or does result in injury and ill health; an incident in which no injury or ill health occurs but which had the potential to cause it is commonly called a ‘near miss’, ‘near hit’ or ‘close call’. The organization must therefore implement a system of reporting that captures these events, which have not necessarily been foreseen within the processes of the management system, and not only those that caused harm. When a near miss is reported, the investigation findings may be recorded within a non-conformance report. A basic example process from reporting an incident through to non-conformance, corrective action and continual improvement:

Incident → Near miss report card → Corrective action → Investigation → Risk-based thinking solution → Communication → Review → Management Review

Get the Most From Your Management System

Top tips to get the most out of your health and safety management system:

To have an effective OH&S management system the organization must have commitment from ‘Top Management’ to implement and continually improve

Develop the management system as a tool to protect workers and business interests and not just to satisfy the standard

Use ‘context’ to understand how the organization can internally and externally impact on OH&S including workers

Inform interested parties and workers of their objectives when implementing the standard to gain ‘buy in’ and generate a positive safety culture

When designing processes ensure that they are relevant to the environment they are intended to be used. In other words, do not overcomplicate the system

Build the requirements of the standard into existing processes and control – OHS is not an add-on

Consider integrating this standard into existing management systems such as ISO 9001 Quality and ISO 14001 Environmental. This will help embed OH&S into the thinking of both Top Management and Workers leading to a safe workplace

Implementation of this standard is not a burden on your organization. Risk-based thinking with the participation of workers should improve safety culture and productivity


Occupational safety and health risk assessment methodologies

Published on: 28/02/2012

Latest update: 20/09/2022


Introduction

Workers should be protected from occupational risks they could be exposed to. This could be achieved through a risk management process, which involves risk analysis, risk assessment and risk prevention and control practices. In order to carry out an effective risk management process, it is necessary to have a clear understanding of the legal context, concepts, risk analysis, assessment and prevention and control processes and the role played by all involved. It is also desirable to base risk management on solid and tested methodologies.

Prevention of occupational risks

Employers have to take the necessary measures for the safety and health protection of workers, including prevention of occupational risks. This is a basic legal obligation in all EU Member States. It is stated in the Council Directive of 12 June 1989 on the introduction of measures to encourage improvements in the safety and health of workers at work (Framework Directive 89/391/EEC [1]), which was transposed by Member States into national law. It should be noted that Member States can introduce more rigorous provisions to protect their workers.

For preventing occupational accidents and ill health, employers must carry out a risk assessment, decide on prevention measures and, if necessary, provide personal protective equipment. It is recommended to review the risk assessment on a regular basis and in particular each time a change occurs at the workplace, e.g. the use of new work equipment or chemicals, changes in the work processes or modifications to the work organisation.

Risk assessment is not only a legal duty but also good for business. Avoiding and reducing risks reduces work-related accidents and health problems, leading to cost benefits and improved productivity. Risk assessment is a dynamic process that allows companies and organisations to put in place a proactive policy for managing occupational risks. Therefore, risk assessment constitutes the basis for implementation of appropriate preventive measures and, according to the Directive, it must be the starting point of any Occupational Safety and Health (OSH) management system. An OSH management system should be integrated in the company’s management system and allows a systematic approach to OSH to be developed [2]. Risk assessment is a step in the OSH risk management process.

Basic concepts

Basic concepts in risk management are the definitions of hazard and risk.

Hazard: source or situation with a potential to cause injury and ill-health i.e. an adverse effect on the physical, mental or cognitive condition of a person [2] . Examples of physical hazardous sources or situations can be working on a ladder, handling chemicals or walking on a wet floor. Examples of psychosocial hazardous sources or situations are job content, job insecurity, isolation, bullying or harassment.

Risk: effect of uncertainty. Occupational health and safety risk: combination of the likelihood of occurrence of a work-related hazardous event or exposure(s) and the severity of injury and ill health that can be caused by the event or exposure(s) [2].

A psychosocial risk is defined as a combination of the likelihood of occurrence of exposure to work-related hazard(s) of a psychosocial nature and the severity of injury and ill-health that can be caused by these hazards [3] . Hazards of a psychosocial nature include aspects of work organisation, social factors at work, work environment, equipment and hazardous tasks.

Risk assessment can be defined as the process of evaluating the risk to the health and safety of workers while at work arising from the circumstances of the occurrence of a hazard at the workplace [4]. This definition stems from the EU guide elaborated by the European Commission to provide practical assistance for the implementation of the risk assessment requirements of the Framework Directive. However, it should be noted that the concept of risk assessment is not only used within the context of OSH but can also relate to financial, environmental, socio-economic, technical and other aspects. A general framework for the risk assessment process is provided in the risk management standard ISO 31000. This standard describes risk assessment as the overall process of (1) risk identification, (2) risk analysis and (3) risk evaluation:

  • Risk Identification: process of finding, recognising and describing risks;
  • Risk analysis: process to comprehend the nature of risk and to determine the level of risk;
  • Risk evaluation: process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.

Risk management

Figure 1: Risk management

Following the methodology PDCA (Plan-Do-Check-Act) risk management is a systematic process that includes the examination of all characteristics of the work system where the worker operates, namely, the workplace, the equipment/machines, materials, work methods/practices and work environment. The aim of risk management is to identify what could go wrong, i.e. finding what can cause injury or harm to workers, and to decide on measures to prevent injuries and ill-health and implement the measures.

It is important that employers know where the risks are in their organisations and prevent or keep them under control to avoid putting employees, customers and the organisation itself at risk. The main goal of risk management is to eliminate or at least to reduce the risks according to the ALARP (as low as reasonably practicable) principle. A key aspect in risk management is that it should be carried out with an active participation/involvement of the entire workforce. Carrying out risk management requires a step-by-step approach.

Step 1: Preparation of the process

The preparation of the risk management process involves several activities, namely:

  • Identification of the workers exposed to the risks, including workers with special needs (such as pregnant women, young workers, ageing workers and workers with disabilities) and maintenance workers, cleaners, contractors and visitors;
  • Description of tasks, work equipment, materials and work procedures;
  • Consideration of work patterns and organisational aspects;
  • Consideration of external factors that could affect the workplace;
  • Identification and description of prevention measures already implemented;
  • Collection of data on workplace incidents, near-misses, injuries and work-related health problems; and
  • Identification of legal requirements, standards and company regulations.

Several means can be used to support these activities. For instance:

  • Direct observation while the job is being performed (walkthrough);
  • Interviews with workers and managers;
  • Analysis of data on workplace incidents, near-misses, injuries and work-related health problems;
  • Review of technical documentation and inspection reports on work equipment and machinery;
  • Review of the safety data sheets of the chemicals used in the workplace;
  • Review of the applicable legislation, standards and company regulations.

As noted above, under EU legislation [1] employers are responsible for carrying out risk assessment for safety and health at work. The overall responsibility for identifying, assessing and preventing risks at the workplace therefore lies with the employer, who must ensure that the occupational safety and health (OSH) risk management activities are properly executed.

The employer can delegate this function (but not the responsibility) to occupational health and safety specialists and occupational physicians. The specialists may be part of the company staff (internal services) or contracted from outside (external services).

The participation of workers in the process of risk management in the field of safety and health at work is of fundamental importance, as workers have the best knowledge of their tasks and the associated risks. Participation also improves acceptance of the measures and facilitates their application in practice.

Step 2: Risk analysis

The risk analysis activities involve:

  • Identification of hazards present in the workplace and work environment;
  • Determination of the potential consequences of the risks.

Several methods can be used to support these activities, for instance:

  • Direct observation (walkthrough);
  • Checklists;
  • Deviation analysis;
  • Task analysis;
  • Previous risk assessment data;
  • Employee (satisfaction) surveys.

Step 3: Risk assessment

Risk assessment is the process of evaluating the risks arising from a hazard, taking into account the adequacy of any existing controls. Several methods of performing risk assessment are available, ranging from expert to participatory methodologies and from simple to complex methods. The method chosen depends on the nature of the workplace, the type of tasks and work processes, and their technical complexity [4]. An overview of and guidance on risk assessment techniques can be found in IEC/ISO 31010:2019 Risk management - Risk assessment techniques (https://www.iso.org/standard/72140.html). Risk assessment involves evaluating, ranking and classifying risks.

Risk evaluation

Risk evaluation involves the determination of a quantitative or qualitative value for the risk. Quantitative risk evaluation requires calculating the two components of risk: the probability that harm will occur, and the severity of the potential consequences. This approach is seldom applied in practice.

Qualitative risk evaluation is more common and usually adopts a methodology based on a matrix. A risk assessment matrix consists of a two-dimensional grid with categories of harmful effects (severity) on one axis and categories of probability or likelihood on the other. The cells within the grid indicate the level of risk [6]. An example is shown in Table 1.

Table 1: Example of a risk assessment matrix

Ranking of the evaluated risks

Based on the risk values obtained during the risk evaluation phase, risks should be sorted and ranked according to their risk level, i.e. the combination of likelihood and severity, not severity alone.

Classify risk acceptability

A decision on whether or not a risk is acceptable results from comparing the obtained risk value with acceptability criteria. These criteria are based on legal requirements, the principles of the hierarchy of prevention, standards, recommendations, evidence-based information on risks, and adaptation to innovation.

It should be highlighted that a particularly careful assessment of individual risk exposure should be performed for workers in special groups (for example, vulnerable groups such as new or inexperienced workers) and for those most directly involved in the highest-risk activities, i.e. the most exposed group of workers [8].

This risk classification is the baseline for selecting the actions to be implemented and for defining their timescale, i.e. the urgency with which the corrective measures must be implemented. As an example, Table 1 includes a simple categorisation of risks into three broad categories, indicating a priority ranking for actions.

To have a consistent basis for all risk assessments, the company should first establish the acceptability criteria. This should involve consultation with workers' representatives and other stakeholders and should take account of legislation and regulatory agency guidance, where applicable [8].
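The matrix evaluation, ranking and acceptability classification of Step 3 as a worked example in Python. This is added code, not part of the original text, and Table 1 is not reproduced on this page, so the two 5-point scales, the product score and the three band thresholds are assumptions chosen for illustration; a company would replace them with the acceptability criteria it has agreed with workers' representatives. The hazard register is constructed sample data. The ranking goes beyond the text by breaking ties on severity, the number of workers exposed and the presence of a vulnerable group, which are the priority-setting factors the surrounding steps describe.

```python
"""Qualitative risk evaluation with a likelihood x severity matrix.

Added example. The 5-point scales, the product score and the three
acceptability bands are ASSUMED for illustration; a company replaces them
with the acceptability criteria agreed with workers' representatives.
"""
from dataclasses import dataclass

# Assumed 5-point scales (the page's Table 1 is not reproduced here).
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
SEVERITY = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "fatal"}

# Assumed acceptability criteria: (minimum score, band, required action),
# checked from the highest band downwards.
BANDS = (
    (15, "high", "unacceptable: stop the activity until the risk is reduced"),
    (5, "medium", "tolerable only if ALARP: plan and schedule further reduction"),
    (1, "low", "acceptable: maintain existing controls and monitor"),
)


@dataclass(frozen=True)
class Hazard:
    description: str
    likelihood: int                  # 1..5 on the LIKELIHOOD scale
    severity: int                    # 1..5 on the SEVERITY scale
    exposed: int                     # number of workers exposed
    vulnerable_group: bool = False   # e.g. pregnant, young or new workers exposed


@dataclass(frozen=True)
class Evaluation:
    hazard: Hazard
    score: int
    band: str
    action: str


def risk_score(likelihood: int, severity: int) -> int:
    """Risk value as the product of the two matrix axes; rejects out-of-scale input."""
    if likelihood not in LIKELIHOOD or severity not in SEVERITY:
        raise ValueError(f"likelihood {likelihood!r} / severity {severity!r} not on the 1..5 scales")
    return likelihood * severity


def classify(score: int) -> tuple[str, str]:
    """Map a risk value to an acceptability band and the action it implies."""
    for minimum, band, action in BANDS:
        if score >= minimum:
            return band, action
    raise ValueError(f"score {score} is below the lowest band")


def evaluate(register: list[Hazard]) -> list[Evaluation]:
    """Evaluate every hazard in the register, then rank by risk value.

    Ties are broken by severity, then by the number of workers exposed, then by
    whether a vulnerable group is exposed, so the ranking already reflects the
    priority-setting factors used when scheduling measures.
    """
    evaluated = []
    for hazard in register:
        score = risk_score(hazard.likelihood, hazard.severity)
        band, action = classify(score)
        evaluated.append(Evaluation(hazard, score, band, action))
    evaluated.sort(
        key=lambda e: (-e.score, -e.hazard.severity, -e.hazard.exposed, not e.hazard.vulnerable_group)
    )
    return evaluated


def matrix() -> list[list[str]]:
    """The full matrix as rows of band names (likelihood down, severity across) for review."""
    return [[classify(risk_score(lik, sev))[0] for sev in SEVERITY] for lik in LIKELIHOOD]


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Hazard("Forklift movement in loading bay", likelihood=4, severity=5, exposed=12),
    Hazard("Unguarded bench grinder", likelihood=3, severity=4, exposed=2),
    Hazard("Solvent vapour at cleaning station", likelihood=3, severity=3, exposed=3, vulnerable_group=True),
    Hazard("Work on fragile roof", likelihood=2, severity=5, exposed=1),
    Hazard("Trailing cable in office", likelihood=2, severity=2, exposed=8),
]

if __name__ == "__main__":
    for row, name in zip(matrix(), LIKELIHOOD.values()):
        print(f"{name:>14}: {' '.join(band[0].upper() for band in row)}")
    for rank, e in enumerate(evaluate(SAMPLE_REGISTER), 1):
        print(f"{rank}. [{e.band:6}] {e.score:2}  {e.hazard.description}: {e.action}")
```

Running the script prints the assumed matrix (L/M/H per cell) and the ranked register, with the forklift hazard (4 x 5 = 20) in the high band at the top and the trailing cable (2 x 2 = 4) in the low band at the bottom. The out-of-scale check matters in practice: a spreadsheet that silently accepts a likelihood of 0 or 6 produces a score that lands in the wrong band without anyone noticing.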

Step 4: Taking measures

At this stage actions are identified and implemented to avoid or reduce risks, with a view to protecting workers' health and safety and to monitoring the risks over time. The measures implemented should be the ones that best protect everyone exposed to the risk. However, it is important not to forget that additional or different measures may be required to protect workers belonging to special groups, namely workers with special needs (such as pregnant women, young workers, ageing workers and workers with disabilities) and maintenance workers, cleaners, contractors and visitors.

It is very important to take account of the number of individuals exposed to the risk when setting priorities and the timeline for the implementation of prevention and control measures. The risk prevention and control strategy includes the design, planning and implementing of adequate measures, as well as training and informing workers.

Design measures

The first step is the design of measures to eliminate risks. Risks that cannot be avoided or eliminated should be reduced to an acceptable level, i.e. the residual risk shall be minimised according to the ALARP (as low as reasonably practicable) principle. This means employers must weigh the cost (money, time, trouble and effort) of reducing a risk further against the reduction in risk that would be achieved [9]. A further risk-reduction measure may only be rejected on cost grounds if it can be demonstrated that its cost would be grossly disproportionate to the benefit gained; the burden of that demonstration lies with the employer. The residual risk must still be controlled and monitored.

Implement measures

The measures to be implemented should be based on up-to-date technical and/or organisational knowledge and good practice, applied in the following hierarchical order [10] [11]:

  • Prevention measures
  • Protection measures
  • Mitigation measures

The aim of prevention measures is to reduce the likelihood of injuries or ill-health. Several examples, also in hierarchical order, that can be used to achieve this objective are:

a) Using engineering or technical measures to act directly on the risk source, in order to:

  • Remove it, i.e. ensure that risks are 'designed out' during the workplace design phase;
  • Replace it, i.e. substitute the hazardous material, equipment or substance with a less hazardous one;
  • Reduce it, e.g. reduce the levels of hazardous materials by providing effective local or general exhaust ventilation.

These measures are most effective and most economical when accomplished during the workplace design phase.

b) Using organisational or administrative measures to change behaviours and attitudes and to promote a safety culture:

  • Information and training (awareness)
  • Establish appropriate working procedures and supervision
  • Management and proactive monitoring
  • Routine maintenance and housekeeping procedures

Implementation of protection measures should consider collective measures first and individual measures second. Several examples of measures (sorted by priority) that can be used to achieve this objective are:

a) Collective protection measures:

  • Enclose or isolate the risk through the use of guards, protection of machinery and parts, or remote handling techniques;
  • Physical barriers (safety nets, railings, enclosures, acoustic, thermal or electrical barriers);
  • Job rotation of workers;
  • Timing the job so that fewer workers are exposed;
  • Safety signs, for instance restricting entry to authorised persons.

b) Individual protection: use of personal protective equipment (PPE) to protect the worker from the residual risk. The worker should participate in the selection of PPE and should be trained in its use.

When, despite prevention and protection measures, an incident, injury or case of ill-health occurs, the company needs to be prepared (emergency preparedness) by having implemented mitigation measures. The aim of mitigation measures is to reduce the severity of any damage to facilities and harm to employees and the public. Examples of such measures are emergency plans, evacuation planning, warning systems (alarms, flashing lights), testing of emergency procedures, exercises and drills, fire-extinguishing systems, and return-to-work plans.

Training and information

Managers must know the risks their workers are exposed to, and workers must know the risks they are exposed to. Providing information and training to workers is a legal requirement in the EU under the Framework Directive [1].

Step 5: Review and update

The risk management process should be reviewed and updated regularly, for instance every year, to ensure that the prevention measures implemented are adequate and effective. Additional measures might be necessary if the improvements do not show the expected results. Regular review is also strongly recommended because workplaces are dynamic: changes in equipment, machines, substances or work procedures can introduce new hazards. Another reason is that new knowledge about risks can emerge, either creating the need for an intervention or offering new ways of avoiding or controlling the risk. The review of the risk management process should consider a variety of types of information drawn from a number of relevant perspectives (e.g. staff, management, stakeholders).

Step 6: Document the process

In the EU it is a legal obligation for employers to assess the risks to safety and health at work, including those facing groups of workers exposed to particular risks (Framework Directive 89/391/EEC [1]), and to document the process. The documentation should provide an overview of the identified hazards, the respective risks and the measures subsequently implemented.

Risk management tools

The risk management process plays a central role for any organisation in ensuring occupational health and safety and preventing workplace injuries and ill-health. Companies, especially smaller ones, sometimes lack the expertise and resources to carry out risk assessments. The need for a simple, clear and cost-effective way to ensure compliance with the legislation and to foster a positive safety and health culture has led to the development and use of web-based tools. To assist Member States, EU-OSHA has created the OiRA tool, a web-based platform that enables sectoral risk assessment tools to be created in any language in an easy and standardised way. The OiRA tool generator is provided free of charge to sectoral social partners and national authorities at EU and national level. All the OiRA tools are available at https://oiraproject.eu/en and can be used by workplaces to carry out risk assessments.

[1] Directive 89/391/EEC of 12 June 1989 on the introduction of measures to encourage improvements in the safety and health of workers at work (Framework Directive). Available at: https://osha.europa.eu/en/legislation/directives/the-osh-framework-directive/1

[2] ISO 45001:2018 Occupational health and safety management systems — Requirements with guidance for use

[3] ISO 45003:2021 Occupational health and safety management - Psychological health and safety at work - Guidelines for managing psychosocial risks

[4] European Commission, Guidance on Risk Assessment at Work, Luxembourg, 1996. Available at: http://osha.europa.eu/en/topics/riskassessment/guidance.pdf

[5] Nunes, I. L., 'Risk Analysis for Work Accidents based on a Fuzzy Logics Model', 5th International Conference of Working on Safety - On the road to vision zero? Roros. Norway, 2010.

[6] Jensen RC, Bird RL, Nichols BW. Risk Assessment Matrices for Workplace Hazards: Design for Usability. Int J Environ Res Public Health. 2022 Feb 27;19(5):2763. Available at: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8910355/

[7] BAuA. Schritt 3: Gefährdungen beurteilen. Available at: https://www.baua.de/DE/Themen/Arbeitsgestaltung-im-Betrieb/Gefaehrdungsbeurteilung/Grundlagenwissen/Prozessschritte-der-Gefaehrdungsbeurteilung/Autorenbeitraege/Schritt3.html

[8] BSI - British Standards Institution, Occupational health and safety management systems - Guide, BS 8800, 2004.

[9] HSE - Health and Safety Executive, Principles and guidelines to assist HSE in its judgements that duty-holders have reduced risk as low as reasonably practicable, 2011. Available at: http://www.hse.gov.uk/risk/theory/alarp1.htm#P14_1686

[10] NSW - New South Wales Government, Six steps to Occupational Health and Safety. Available at: http://www.une.edu.au/od/files/OHSSixsteps.pdf

[11] Harms-Ringdahl, L., Safety Analysis: Principles and Practice in Occupational Safety, Taylor & Francis, 2001.

EU-OSHA - European Agency for Safety and Health at Work, Risk assessment essentials. Available at: https://osha.europa.eu/en/publications/risk-assessment-essentials/view

EU-OSHA - European Agency for Safety and Health at Work, Management Leadership in Occupational Safety and Health – a practical guide. Available at: https://osha.europa.eu/en/publications/management-leadership-occupational-safety-and-health-practical-guide

EU Commission, Health and safety at work is everybody’s business. Available at: https://op.europa.eu/en/publication-detail/-/publication/cbe4dbb7-ffdc-11e6-8a35-01aa75ed71a1/language-en/format-PDF/source-85839760

ILO - International Labour Organisation, How can occupational safety and health be managed? Available at: https://www.ilo.org/global/topics/labour-administration-inspection/resources-library/publications/guide-for-labour-inspectors/how-can-osh-be-managed/lang--en/index.htm

IEC/ISO 31010:2019 Risk management - Risk assessment techniques. Available at: https://www.iso.org/standard/72140.html

ISO/TR 14121-2:2012 Safety of machinery - Risk assessment - Part 2: Practical guidance and examples of methods. Available at: https://www.iso.org/standard/57180.html


Isabel L. Nunes

Aditya Jain

Karla Van den Broek



9.1 Monitoring, Measurement, Analysis and Evaluation [ISO 45001 Procedure]

What is monitoring, measurement, analysis and evaluation for ISO 45001?

Health and safety performance monitoring, measurement, analysis and evaluation is conducted through the collection of safety data and safety information from a variety of sources typically available to your organization.

Data availability to support informed decision-making is one of the most important aspects of the OH&S Management System. Using this data for safety performance monitoring and measurement are essential activities that generate the information necessary for safety risk decision-making.


Measurement Techniques

This section covers active monitoring, workplace inspections, statutory inspections, reactive monitoring, analysing and evaluating performance data, and 9.1.2 evaluation of compliance.

Verifying safety performance and validating the effectiveness of safety risk controls requires a combination of internal audits, workplace inspections, and the establishment and monitoring of safety performance indicators (SPIs).

Assessing the effectiveness of the safety risk controls is important as their application does not always achieve the results intended. This will help identify whether the right safety risk control was selected and may result in the application of a different safety risk control strategy.


For small organizations, the low volume of data may mean that it is more difficult to identify trends or changes in the safety performance. This may require meetings to raise and discuss safety issues with appropriate expertise. This may be more qualitative than quantitative but will help identify hazards and risks for the organization.

Collaborating with other businesses or industry associations can be helpful, since they may hold data that your organization does not. For example, smaller businesses can exchange information with similar organizations or operations to share safety risk information and identify safety performance trends. Organizations should still adequately analyse and process their own internal data, even though it may be limited.

For businesses with many interactions and interfaces they will need to consider how they gather safety data and safety information from multiple organizations. This may result in large volumes of data being collected to be collated and analysed later. These organizations should utilize an appropriate method of managing such data.


9.1.1 General: monitoring and measurement

The organization has to determine what it needs to monitor and measure. This includes the determination of the criteria against which the health and safety performance will be evaluated including appropriate indicators.

Performance measurement is an essential part of the safety and health management system.

Key purposes of performance measurement are to:

  • Determine whether safety and health policies and plans have been implemented and achieved
  • Check that risk-control measures have been implemented and are effective
  • Learn from safety and health management system failures, including hazardous events (incidents, near misses and ill-health cases)
  • Promote better implementation of plans and risk controls by providing feedback to all parties
  • Provide information that can be used to review and, where necessary, improve aspects of a health and safety management system

Periodically review the monitoring and measurement process to ensure that it remains suitable and effective, and leads to  continual improvement  of the health and safety management system.

Safety monitoring results should be recorded on the relevant templates and be analysed and discussed at health and safety committee meetings, in order to identify any underlying themes or trends which may not be apparent when looking at events in isolation.

Priorities should be established for necessary remedial action to ensure that safety issues are dealt with and completed within a reasonable time.


It is often necessary to use both active and reactive monitoring data to determine whether objectives are achieved. An organization's performance monitoring system should therefore incorporate both. Two types of monitoring are required:

  • Active systems that monitor the design, development, installation and operation of management arrangements, safety systems and workplace precautions
  • Reactive systems that monitor incidents, near misses, ill-health and other evidence of deficient safety and health performance

No single measure will suitably convey the desired levels of performance, therefore, a mixed model of active (leading) and reactive (lagging) safety measures is necessary to fully define it. Active monitoring should be used to check compliance with the organization’s safety and health activities, for example to confirm that recently appointed staff have attended an induction course.

Reactive monitoring should be used to investigate, analyse, and record health and safety management system failures, including incidents, near misses, and ill-health cases.

Example Measurement Techniques

The following are examples of methods that can be used to measure safety and health performance:

  • Systematic workplace inspections or safety tours using checklists
  • Inspections of specific machinery and plant to check that safety-related parts are fitted and in good condition
  • Safety sampling – examining specific aspects of safety and health
  • Environmental sampling – measuring exposure to chemical, biological or physical agents (e.g. noise, chemical fumes, dusts, X-rays) and comparing the results with recognised standards
  • Behaviour sampling – assessing employees’ behaviour to identify unsafe work practices that might require correction
  • Analysis of documentation and records
  • Benchmarking against good safety and health practices in other organizations


Active safety monitoring should be carried out which includes a review of the health and safety policy; action plans; routine inspections and checks to ensure that preventative and protective measures are in place and effective.

Active monitoring will reveal whether the health and safety management system is functioning correctly.

Active Measures

Typical active measures include:

  • Number of risk assessments completed
  • Number of actions taken as a result of risk assessments
  • Number of risk assessments reviewed
  • Number of staff attending H&S inductions
  • Number of inspections completed
  • Health surveillance results
  • Sampling results

Every organization should collect information to investigate the causes of substandard performance or conditions adequately.  Documented procedures  for carrying out these activities on a regular basis for key operations should be established and maintained.

Active Monitoring System

The active monitoring system should include:

  • Identification of the appropriate data to be collected and accuracy of the results required
  • Monitoring of the achievement of specific plans, setting performance criteria and objectives
  • Installation of the requisite monitoring equipment and assessment of its accuracy and reliability
  • Calibration and regular maintenance of this equipment together with documented records of both the procedures involved and the results obtained
  • Analysis and records of the monitoring data collected, and documented actions to be taken when results breach performance criteria
  • Evaluation of all the data as part of the safety and health management review
  • Documented procedures  for reviewing the monitoring and safety and health implications of forthcoming changes to work systems

The following techniques should be used for active measurement of the health and safety management system:

  • Systematic inspections of workplace processes or services to monitor specific objectives, e.g. weekly, monthly or quarterly reports
  • Systematic review of the organization's risk assessments to determine whether they are functioning as intended, whether they need to be updated, and whether any necessary improvements are being implemented
  • Plant or machinery inspections, e.g. statutory plant inspections and certification
  • Environmental sampling for dusts, chemical fumes, noise or biological agents
  • Analysis of health and safety management system records

Active monitoring should be proportional to the hazard profile of the organization and should concentrate on areas likely to produce the greatest benefit and lead to the greatest control of risk.

Key risk control systems and related workplace precautions should therefore be monitored in more detail or more often (or both) than low-risk systems or management arrangements.


A workplace inspection is a regularly scheduled inspection of work areas, using a checklist to assist with the monitoring and identification of hazards. A system for inspecting workplace precautions is important in any active monitoring program.

It can form part of the arrangements for the preventative maintenance of plant and equipment, which may also be covered by legal requirements. Equipment in this category includes pressure vessels, lifts, cranes, chains, ropes, lifting tackle, scaffolds, trench supports, and local exhaust ventilation.

The aim of workplace health and safety inspections is to prevent work related accidents and ill health by identifying new hazards; and checking that preventative and protective control measures are implemented and effective.

Benefits of Workplace Inspections

Regular site workplace inspections will enable your organization to:

  • Proactively identify potential hazards that may not have been previously noted
  • Confirm the effectiveness of controls already in place
  • Demonstrate commitment to health and safety

Who is Involved?

Health and safety representatives should assist Managers by helping to carry out routine inspections of their work areas and reporting the findings. They should also provide assistance, and be included in the investigation of accidents, near miss incidents, potential hazards and complaints by an employee relating to health, safety and welfare at work.

Managers and Supervisors are responsible for carrying out monthly routine inspections of their work area. The results of monthly inspections will be monitored by the Department Head in order to improve health and safety performance. Therefore, all inspections should be recorded on a checklist and a copy provided to the Department Head.


What Should be Inspected?

The personnel undertaking workplace health and safety inspections should already be familiar with the workplace activity, premises, equipment, personnel and procedures pertaining to their area of responsibility, and should draw on this knowledge when planning the inspection, taking into consideration:

  • Known issues (individually and collectively) and other factors (who does what, where, when and how) to identify significant hazards
  • The various categories of people who may be affected by, or have an impact on, the workplace activity (employees, contractors, trainees, visitors, dependants, members of the public, etc.)
  • Suitability, use, control and storage of PPE
  • The workplace hazards and the existence and effectiveness of related control measures
  • Training and competence of personnel
  • Previous inspection reports, accident/incident reports and other records
  • Timing the inspection to take place during a period representative of normal working conditions
  • That any workplace inspection checklist used covers general workplace health and safety requirements and any other significant matters


Workplace inspections need to take account of premises, plant, housekeeping, procedures, activities and substances. Inspections should include other workplace precautions, such as those covering the use of premises, other places of work, and systems of work.

The workplace inspection should identify remedial actions necessary, by determining the extent to which procedures and controls are being complied with, as well as the condition of plant, equipment, and premises etc.

When conducting a workplace inspection, particular attention should be given to the existence and maintenance of suitable engineering controls (rather than the reliance on use of personnel protective equipment (PPE)); the arrangements to deal with emergencies; the availability of adequate current information; and if necessary, warnings regarding the nature of the plant/substance hazards concerned (e.g., where and how work activities are being carried out and the potentially exposed population).

Records should be maintained of any workplace health and safety inspections undertaken (copied to the appropriate Health and Safety Representatives), including any inspection notes and checklists raised as well as any formal post-inspection reports and action plans produced; these should be retained for a period of at least three years.


Frequency of Workplace Inspections

Workplace inspections should be carried out as determined by the level of risk to the area and work practices. The following offers a guide to the frequency; however, an assessment of each individual area needs to occur to determine the frequency.

A suitable program should take all risks into account but should be properly targeted. For example, low risks might be dealt with by general inspections every month or two, covering a wide range of workplace precautions such as the condition of premises, floors, passages, stairs, lighting, welfare facilities, and first aid.

Higher risks need more frequent and detailed inspections, perhaps weekly or even, in extreme cases, daily, or before use. An example of a pre-use check would be the operation of mobile plant. The inspection program should satisfy any specific legal requirements and reflect risk priorities.

Suitable schedules and performance standards for the frequency and content of inspection can help. The schedules can be supplemented with inspection forms or checklists, both to ensure consistency in approach and to provide records for follow-up action.

Participation in Workplace Inspections

Inspections should be carried out by people who have the necessary skills and training to identify the relevant hazards and risks and who can assess the conditions found.

A properly thought-out approach to inspection will include:

  • Well-designed inspection forms to help plan and initiate remedial action by requiring those doing the inspection to rank any deficiencies in order of importance
  • Summary lists of remedial action with names and deadlines to track progress on implementing improvements
  • Periodic analysis of inspection forms to identify common features or trends that might reveal underlying weaknesses in the system
  • Information to aid judgements about any changes required in the frequency or nature of the inspection program

For best results a manager and at least one other worker should be involved in the workplace inspection. Together they should:

  • Review the checklist to be used
  • Conduct the inspection by walking around the work environment
  • Identify any physical hazards and areas of nonconformity against the checklist
  • Record all findings with specific comments, ensuring the form is signed and dated and names the personnel conducting the inspection
  • Ensure responsibilities, priorities and time frames are listed when determining corrective action

Particular note should be taken of the following:

  • Slip & trip hazards
  • Relevance and adequacy of signs with a health and safety focus
  • Condition of safety signage
  • General housekeeping
  • Damaged equipment, plant and building
  • Trapping/crushing/entanglement/severing hazards
  • Lighting and noise
  • Emergency equipment (inspection, testing and tagging)
  • Storage practices
  • Labelling and use of hazardous substances
  • Access and Egress

If a hazard or a nonconformity is identified, a corrective action must be defined. Every corrective action must have a person or persons allocated responsibility, with a time frame and priority. Priority should be determined by the level of risk posed by the hazard.


There are a number of specific legal requirements which require statutory examinations and inspections to be completed. This includes the requirement within COSHH 2002 Regulation 9 to thoroughly examine equipment such as local exhaust ventilation at least every 14 months.

Other requirements apply to the inspection and certification of work equipment, such as lifting equipment under LOLER 1998 Regulation 9, which requires a thorough examination at least every 12 months (every 6 months for lifting accessories and for equipment used to lift people, or at the intervals set by a written examination scheme). The definition of lifting equipment includes any equipment used at work for lifting or lowering loads, including accessories used for anchoring, fixing or supporting it. This is now referred to as a Thorough Examination, and it covers the PUWER 1998 Regulation 6 inspection as well.

PUWER 1998 requires employers to ensure all work equipment is safe for use, maintained in a safe condition and inspected to ensure it is correctly installed and does not subsequently deteriorate. Work equipment is any machinery, appliance, apparatus, tool or installation for use at work.

The PSSR 2000 Regulations apply to owners and users of pressure systems containing a relevant fluid including steam, gases under pressure and any fluid kept artificially under pressure which when released to atmosphere becomes a gas.

There is a legal requirement for Thorough Examination of pressure vessels that contain steam, compressed air and refrigerants. Pressure systems require to be inspected in accordance with a Written Scheme of Examination.

If the statutory inspection for any equipment has not been completed before the expiry date, which is shown next to the equipment description on the equipment rating label and/or certificate, no equipment can be used until statutory testing has been completed. As the equipment no longer complies with legislation it must be made safe by disabling the equipment at the earliest opportunity.

Employee Surveys

Employees may be surveyed with a questionnaire to rate their knowledge of, and attitude towards, health and safety. This allows the health and safety culture of the organization to be measured. Ask staff to explain the controls in place for their work and how they have been trained to implement them.

This method can be used in conjunction with other methods as the responses can be used to verify a number of aspects of the safety management system e.g., training records, risk assessments etc.

Health Monitoring

Monitoring worker health can be considered an active monitoring measure, as carrying out measurements of parameters such as hearing (through audiometry) can provide a measure of effectiveness of controls.

Health monitoring processes should systematically detect and assess any adverse effects of work on the health status of workers as it relates to their duties.

It is delivered through real time monitoring of exposure levels, medical assessment and biological monitoring of workers (e.g., blood/urine tests for checking chemical exposure).

Safety Tours

A safety tour involves walking around the workplace on a set route at regular intervals and counting the number of hazards present. This gives a picture of how that area or local manager is dealing with health and safety issues.

If the number of hazards is constantly rising, then issues, once identified, are clearly not being dealt with.

Tours may also take the form of ad hoc visits to selected parts of the facility or to the whole of it. These are especially effective when carried out by senior departmental managers, as this demonstrates their commitment to safety, and the visit gives staff the opportunity to raise safety issues with senior staff. It is vital that concerns are documented and that the actions taken are communicated to the individuals or groups who raised them.


Workplace Hazard Spotting

An informal method of identifying potential problems. The results however will just be a 'snapshot' of current practices. This method can be used to identify hazards not previously considered or recently introduced. It can also be used to identify trends if records are kept. For example, observing the same hazard at different locations in the department or in the same location at different times.

Safety Samples

These are similar to safety tours but identify only one specific type of hazard, e.g., electrical or chemical. Sampling implies an inspection that is limited either to certain areas of the workplace or to certain aspects of workplace activity.

Document Reviews

Examination of risk assessments or codes of practice and comparing the requirements set with observed practices. This is a method of identifying whether risk control measures are being used in accordance with approved documentation.

Behavioural Observation

An inspection is completed with the focus on observing unsafe actions rather than hazards associated with plant and premises.

Calibrating Measurement Devices

If certain instruments are required for measuring and monitoring performance, the organization must institute and maintain procedures for calibrating and servicing the instruments. It must retain verification of these calibration and servicing activities.

Measuring instruments might include devices used to detect the presence of harmful gases, radiation, excessive noise or extreme temperatures. Ensure all relevant equipment is on an appropriate monitoring and calibration schedule.

Monitor and analyze reported incidents continuously for incident location, time or period, work process involved, type of hazard, direct and root-causes, etc., to spot trends and identify root-causes of groups of incidents.

Based on the trend analysis, the need to review or reassess any safety measure should be evaluated, documented and acted upon accordingly.


Reactive safety monitoring relies on taking action after incidents have been reported to prevent the re-occurrence of similar events. Reactive safety monitoring should be triggered after the event such as; injuries and cases of ill health; losses such as damage to property or equipment; incidents with the potential to cause injury, ill health or loss; hazards; weakness or omissions in the safety management system.

Typical reactive measures include:

  • Accident Frequency Rate (AFR) = (number of accidents / total hours worked) x 100,000
  • Accident Severity Rate (ASR) = (number of days lost / total hours worked) x 100,000
  • Accident Incidence Rate (AIR) = (number of accidents / total number of employees) x 1,000
  • Number of near misses
  • Number of complaints (internal or external)
  • Number of civil claims
  • Number of enforcement notices
  • Amount of compensation paid out
  • Cost of accidents

A variety of safety related statistics can be used to assist in the monitoring and measuring of safety standards. Some measures may be used in-house such as the number of accidents causing injury, near misses, incidents or RIDDOR accidents.

These may be broken down further to give details of the type of accidents, their cause, the type of injury involved, the time of day or the grade/job of the person involved. This can be part of the organization’s monitoring arrangements for safety. The results of monitoring will be fed back into the safety management system in order to ensure continual improvement.


Incident Reporting

A system of internal reporting of all incidents (which includes ill-health cases) and incidents of non-compliance with the health and safety management system should be set up so that the experience gained may be used to improve the health and safety management system.

The organization should encourage an open and positive approach to reporting and follow-up and should also put in place a system of ensuring that reporting requirements are met.

Incident Investigation & Corrective Action

The organization should establish procedures for investigating incidents to identify their causes (see 10.2), including possible deficiencies in the health and safety management system.

Those responsible for investigating accidents and incidents should be identified, and the investigation should include plans for corrective action which incorporate measures for:

  • Restoring compliance as quickly as possible
  • Preventing recurrence
  • Evaluating and mitigating any adverse safety and health effects
  • Reviewing the risk assessments to which the incident relates
  • Assessing the effects of the proposed remedial measures

The organization should implement and record any changes in documented procedures resulting from corrective action.

Monitoring, measurement, analysis and evaluation of OH&S metrics must take into account business context, relevant third parties, policy risks, opportunities and objectives.

Ensure that performance monitoring and measurement results are retained as documented information.

After it is determined what will be monitored and measured, statistical techniques should be applied to interpret the resulting safety data to help your organization understand levels of safety performance and effectiveness.

Data can be collected and reported about a number of different unwanted events such as:

  • Accidents, near misses
  • Dangerous occurrences
  • Cases of ill-health
  • Complaints from the workforce
  • Enforcement action

Statistical techniques assist in identifying, analyzing, interpreting the monitoring and measuring safety data that is collected and reported about a number of different parameters in the previous sections.

This data must be analysed and evaluated to see if there are any:

Trends – consistent increases or decreases in the number and types of events over a period of time

Patterns – clusters or hot-spots of certain types of events

This analysis usually involves converting the raw data (i.e., the actual numbers) into an incident rate so that more meaningful comparisons can be made.

The Health & Safety Department should collect and analyse data on these indicators to ascertain any patterns or trends, converting raw counts into an incident rate based on hours worked so that meaningful comparisons can be made from period to period.
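The following Python is added here as a worked example (it is not code from the page or from onsafelines.com). It applies the three reactive measures listed earlier (AFR, ASR and AIR, using the multipliers the page gives) to per-period counts and then checks the resulting rates for the consistent rise or fall the text calls a trend. The quarterly figures are constructed for illustration, and the three-period window used to declare a trend is an assumption.

```python
"""Reactive measures (AFR, ASR, AIR) and period-to-period trend checks.

Added example; the multipliers (100,000 hours, 1,000 employees) are the
ones given on the page, and the quarterly figures below are constructed.
"""


def accident_frequency_rate(accidents, hours_worked):
    """Accidents per 100,000 hours worked."""
    if hours_worked <= 0:
        raise ValueError("hours_worked must be positive")
    return accidents / hours_worked * 100_000


def accident_severity_rate(days_lost, hours_worked):
    """Days lost per 100,000 hours worked."""
    if hours_worked <= 0:
        raise ValueError("hours_worked must be positive")
    return days_lost / hours_worked * 100_000


def accident_incidence_rate(accidents, employees):
    """Accidents per 1,000 employees."""
    if employees <= 0:
        raise ValueError("employees must be positive")
    return accidents / employees * 1_000


def period_rates(periods):
    """Convert the raw counts of each period into the three rates (2 dp)."""
    return [
        {
            "period": p["period"],
            "AFR": round(accident_frequency_rate(p["accidents"], p["hours"]), 2),
            "ASR": round(accident_severity_rate(p["days_lost"], p["hours"]), 2),
            "AIR": round(accident_incidence_rate(p["accidents"], p["employees"]), 2),
        }
        for p in periods
    ]


def trend(values, window=3):
    """'rising' or 'falling' if the last `window` values move consistently in
    one direction, otherwise 'none'. A three-period window is an assumption."""
    tail = values[-window:]
    if len(tail) < window:
        return "none"
    steps = list(zip(tail, tail[1:]))
    if all(b > a for a, b in steps):
        return "rising"
    if all(b < a for a, b in steps):
        return "falling"
    return "none"


def rate_trends(periods, window=3):
    """Trend verdict for each rate and, for comparison, for the raw accident count."""
    rates = period_rates(periods)
    verdicts = {m: trend([r[m] for r in rates], window) for m in ("AFR", "ASR", "AIR")}
    verdicts["accidents"] = trend([p["accidents"] for p in periods], window)
    return verdicts


# Constructed quarterly data (not real figures). Q2 has more accidents than
# Q1 but far more hours worked, so its frequency rate is actually lower.
SAMPLE_PERIODS = [
    {"period": "Q1", "accidents": 4, "days_lost": 12, "hours": 120_000, "employees": 300},
    {"period": "Q2", "accidents": 5, "days_lost": 20, "hours": 200_000, "employees": 480},
    {"period": "Q3", "accidents": 5, "days_lost": 25, "hours": 118_000, "employees": 305},
    {"period": "Q4", "accidents": 6, "days_lost": 31, "hours": 122_000, "employees": 300},
]

if __name__ == "__main__":
    for row in period_rates(SAMPLE_PERIODS):
        print(row)
    print(rate_trends(SAMPLE_PERIODS))
```

On the constructed data the raw accident count (5, 5, 6 over the last three quarters) shows no trend, while all three rates are rising; that is the point of normalising by hours worked before comparing periods.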

Analysing the Data

For the analysis of nonconformities and incidents, appropriate statistical and non-statistical techniques are applied.

Examples of Statistical Techniques:

  • Statistical Process Control (SPC) charts
  • Pareto analysis
  • Linear and non-linear regression analysis
  • Experimental design (DOE – Design of Experiments) and analysis of variance
  • Graphical methods (histograms, scatter plots, etc.)

Non-statistical Techniques:

  • Management reviews
  • Surveys, audits and inspections
  • Safety committee meetings
  • Failure Mode and Effect Analysis (FMEA)
  • Fault Tree Analysis (FTA)

In addition to the analysis within each data source, there is also analysis across data sources to determine the extent and significance of the nonconformity or incident. The linkage of data from different sources is referred to as ‘horizontal analysis’.


Access to current relevant legislation, standards, codes of practice, agreements and guidelines is primarily available electronically via http://www.legislation.gov.uk and other external internet sites. Where electronic information is inaccessible, relevant legislative material should be maintained in hardcopy format and controlled accordingly.

A legislative compliance review should assess, at desktop level, the organization's health and safety policies, guidelines or procedures that comprise its OH&S management system against applicable legislation, industry codes of practice and standards.

Legislative compliance reviews should also be conducted when OH&S management system documentation is due for review or due to external changes, e.g., changes or introduction of legislation, codes of practice or national standards.

The compliance review should include identifying and referencing legislative requirements related to the health and safety policy, guideline or procedure and incorporating these needs into existing processes. The revised health and safety policy, guidelines or procedures as a result of the legislative compliance review must be communicated.

The Certification Auditor’s role is not to verify the result of the compliance audit, but to assess the effectiveness of the audit process and taken actions. An understanding of compliance status must be demonstrated. Therefore, your organization must have the means (inspections, tests, audits) that are frequent and robust enough to ensure that knowledge and understanding of compliance status is maintained.


PRETESH BISWAS

Procedure for Hazard Identification, Risk Assessment, And Determining Controls

1.0 PURPOSE:

To establish, implement & maintain a documented procedure for ongoing identification of the hazards, assessment of risks, and determination of necessary control measures.

2.0 SCOPE:

Applicable to the activities, processes, products and services covered under the scope of the EHS Management System at XXX.

3.0 RESPONSIBILITY:

EHS MR & CFT Members.

4.0 DEFINITION

4.1 Hazard – source or situation with a potential for harm in terms of human injury or ill health, or a combination of these.

4.2 Risk – the combination of the likelihood and consequence(s) of a specified hazardous event occurring.

4.3 Normal – a condition or situation which occurs whenever the activity or service is carried out according to the planned arrangements. This may happen during routine activity. Note: planned arrangements are defined in the control plans, process sheets, work instructions, do’s and don’ts, etc. E.g., noise generation during machining operations.

4.4 Abnormal – a condition or situation which occurs due to deviation from the planned arrangements. This may happen during a non-routine activity. E.g., finger entrapment between tools in a machining operation, or the potential risk of electrocution due to a short circuit while carrying out electrical maintenance.

4.5 Emergency – an undesirable situation resulting from unforeseen and uncontrollable events, leading or having the potential to lead to intolerable consequences. E.g., fire in the FO storage area.

4.6 Routine – daily activities or services carried out in the plant.

4.7 Non-routine – occasional activities or services carried out in the plant. These are generally support activities, such as A/C maintenance, hydrostatic testing of pressure vessels, etc.

4.8 Visitor – Is any person visiting the company and is not involved in carrying out any of the routine or non-routine activity. Eg. Suppliers, Vendors, consultants, auditors, neighbors and the legal authorities.

4.9 Risk assessment – Overall process of estimating the magnitude of risk and deciding whether the risk is tolerable or not.

4.10 Acceptable risk – risk that has been reduced to a level that can be tolerated by the organization having regard to its legal obligations and its own OH&S policy.

4.11 Site – A work area, the organizational unit that falls under the scope of the XXX EHSMS and within which an EHSMS is being implemented.

5.0 INTRODUCTION:

This procedure is designed for the identification of hazards, the assessment of risks and the definition of the necessary control methods. In defining it, the organization has taken account of the complexity of its operations, the suitability of the risk assessment methodologies, workplace conditions and expert guidance.

The risk assessment process follows the steps set out in clause 6.0 below (the flow diagram of the original is not reproduced here).

6.0 PROCEDURE – DETAILS:

6.1 Hazard Identification:

6.1.1 Responsibility: CFT

6.1.2 Activity

The OHS risks shall be identified through Cross Functional Team (CFT) and the following points shall be considered:

  • Adverse conditions – routine / non-routine / emergency
  • Past, present and future situations.
  • Maintenance, purchasing activities.
  • Human factors such as fatigue, stress, abnormal working postures, ergonomics, etc.
  • Housekeeping
  • Material handling
  • Working on different premises
  • Working in a hazardous area having chemical fire/explosion hazards.
  • Risks on account of statutory/legal requirement.

      Note: All these considerations shall apply to normal, abnormal and emergency conditions in which a risk may be present.

6.2 Risk Assessment

6.2.1 Responsibility: CFT

6.2.2 Activity

  • At least once every six months, the CFT members shall identify the possible losses and exposures to workers, material and equipment through brainstorming, task observation and analysis, physical visits to the work area, and by conducting a GRA, especially for new or modified activities.

Note: Risks shall also be identified from other sources such as accidents, incidents, and reports of planned inspections, task observation, critical task analysis, safety audits, and internal and external audits.

6.3 Occupational Health & Risk Evaluation

6.3.1 Responsibility: CFT and EHS MR

6.3.2 Activity

Evaluate the risks for the loss exposures identified through the above means by giving each a severity and probability rating in the HIRA; record these in the HIRA format to arrive at a Risk Level for each loss exposure / risk identified. Follow the HIRA methodology covered in the relevant work instruction.

  • For the identified risks, indicate the risk controls proposed for implementation, with details of responsibilities.
  • All risks with a Risk Level of 3 and above shall be taken as significant risks and for these, where appropriate, Work Instructions / Occupational Health & Safety Management Programmes (OHSMP) shall be prepared detailing the time frame, responsibilities and the actions to be taken to achieve the set objectives and targets. These programmes shall be approved by the EHS MR.

6.4 Impact Evaluation Guidelines

  • SEVERITY (S)

Using the severity matrix below, the EHS CFT rates each hazard considered in the HIRA and ranks it by severity (five levels, in ascending order):

Severity category | Description
Discomfort | Person feels discomfort
First aid | First aid is required
Absence less than 3 days | Minor injury / health problem leading to hospitalization
Absence more than 3 days (hospitalization) | Major injury / health problem leading to hospitalization
Catastrophic | Permanent disability (PD) or death

  • PROBABILITY (P)

Probability is rated for the loss exposure concerned (injury, first aid, incident/accident, chemical exposure, etc.). When assigning the rating the CFT should consider normal operating conditions, abnormal conditions (i.e., shutdown and start-up) and reasonably foreseeable emergency situations (five levels, in ascending order):

Probability category | Description
Improbable | The accident will never happen
Remote / Rare | The accident will happen with warning
Likely with warning | The accident will happen with warning
Likely without warning | The accident will happen without warning
Probable / Certain | Very risky situation; an accident or health problem will definitely happen

  • CRITERIA RISK LEVEL (RL)

RL score | Criteria
0 to 4 | Insignificant
5 to 8 | Tolerable
9 to 12 | Moderate
13 to 16 | Significant
17 to 25 | Intolerable

Establish the Level of Significance

The level of significance is determined using the following formula:

Risk Level (RL) = Severity (S) x Probability (P)

The highest possible rating is 25. An RL above 12 is the criterion for significance: any risk with an RL above 12 is treated as a significant risk.

► A risk rated 5 on either the severity or the probability scale is treated as significant regardless of the product.

► Risks involving injury, first aid, ill health or a legal requirement are treated as significant regardless of their score.

The CFT shall review the HIRA and make the corresponding changes half-yearly, or as and when needed, to determine any other aspects that should be considered when setting objectives, programmes and operational controls, and to re-rate previously identified significant risks.
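As an added example (not part of the procedure above and not the author's code), the following Python implements the clause 6.4 scoring: Risk Level as Severity x Probability, the criteria bands, the "above 12" threshold, the rule that a 5 on either scale is significant, and the rule that injury, first aid, ill health and legal requirements are significant regardless of score. It assumes both scales are integers 1 to 5 (the procedure gives only the category names and the maximum product of 25) and applies the last rule through flags the assessor attaches to a hazard. The hazards listed are constructed, loosely following the examples in the definitions.

```python
"""HIRA scoring: Risk Level = Severity x Probability, banding and significance.

Added example. Assumptions: both scales are integers 1..5 (the procedure
gives category names and a maximum product of 25); the rule that injury,
first aid, ill health and legal requirements are significant regardless of
score is applied through flags the assessor attaches to a hazard.
"""
from dataclasses import dataclass, field

SEVERITY = {1: "Discomfort", 2: "First aid", 3: "Absence less than 3 days",
            4: "Absence more than 3 days", 5: "Catastrophic"}
PROBABILITY = {1: "Improbable", 2: "Remote / Rare", 3: "Likely with warning",
               4: "Likely without warning", 5: "Probable / Certain"}
# (low, high, band) from the Criteria Risk Level table
RL_BANDS = [(0, 4, "Insignificant"), (5, 8, "Tolerable"), (9, 12, "Moderate"),
            (13, 16, "Significant"), (17, 25, "Intolerable")]
SIGNIFICANCE_THRESHOLD = 12          # an RL above 12 is significant
ALWAYS_SIGNIFICANT = {"injury", "first aid", "ill health", "legal requirement"}


@dataclass
class Hazard:
    activity: str
    hazard: str
    severity: int
    probability: int
    condition: str = "normal"                 # normal / abnormal / emergency
    flags: set = field(default_factory=set)   # e.g. {"legal requirement"}


def risk_level(severity, probability):
    """Severity x Probability, after validating both ratings are in 1..5."""
    for name, value in (("severity", severity), ("probability", probability)):
        if value not in SEVERITY:            # both scales share the 1..5 key range
            raise ValueError(f"{name} must be an integer 1..5, got {value!r}")
    return severity * probability


def band(rl):
    """Map an RL score to its criteria band."""
    for low, high, name in RL_BANDS:
        if low <= rl <= high:
            return name
    raise ValueError(f"RL {rl} is outside 0..25")


def significance(hz):
    """(is_significant, reason) applying the three rules in clause 6.4."""
    rl = risk_level(hz.severity, hz.probability)
    if rl > SIGNIFICANCE_THRESHOLD:
        return True, f"RL {rl} above {SIGNIFICANCE_THRESHOLD}"
    if 5 in (hz.severity, hz.probability):
        return True, "severity or probability rated 5"
    hit = ALWAYS_SIGNIFICANT & {f.lower() for f in hz.flags}
    if hit:
        return True, "always significant: " + ", ".join(sorted(hit))
    return False, "below significance criteria"


def assess(hz):
    """One HIRA register row for a hazard."""
    rl = risk_level(hz.severity, hz.probability)
    sig, reason = significance(hz)
    return {"activity": hz.activity, "hazard": hz.hazard, "condition": hz.condition,
            "S": hz.severity, "P": hz.probability, "RL": rl, "band": band(rl),
            "significant": sig, "reason": reason}


def significant_risk_list(hazards):
    """The 'List of Significant Risk': significant rows, highest RL first."""
    rows = [assess(h) for h in hazards]
    return sorted((r for r in rows if r["significant"]), key=lambda r: -r["RL"])


# Constructed hazards, loosely following the examples in the definitions.
SAMPLE_HAZARDS = [
    Hazard("Machining", "Noise generation", severity=3, probability=4),
    Hazard("Electrical maintenance", "Electrocution from short circuit", 5, 2, "abnormal"),
    Hazard("FO storage area", "Fire", 5, 3, "emergency"),
    Hazard("Hydrostatic testing", "Pressure vessel failure", 4, 2, "non-routine",
           flags={"legal requirement"}),
    Hazard("Office work", "Eye strain", 1, 3),
]

if __name__ == "__main__":
    for row in significant_risk_list(SAMPLE_HAZARDS):
        print(row)
```

Note how the overrides change the outcome: the electrocution hazard scores only 10 (Moderate) but is significant because its severity is 5, and the pressure vessel hazard scores 8 (Tolerable) but is significant because a legal requirement applies, while the noise hazard at exactly 12 falls below the "above 12" threshold and is not significant.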

7.0 DOCUMENT / RECORD REF:

No. | Document / Record | Reference
1 | HIRA Register | EHS-RG-03
2 | Legal Register | EHS-RG-01
3 | List of Significant Risk | EHS-ML-13

Published by Pretesh Biswas

EHS Today

ISO 45001: A Model for Managing Workplace Ergonomics

A common characteristic of organizations successful in improving workplace ergonomics is that ergonomics is managed as a process -- one that systematically identifies and effectively reduces the level of employee exposure to the risk factors known to cause musculoskeletal disorders (MSDs).

Typically, ergonomics improvement processes are based on a continuous improvement model such as the quality (ISO 9001), environmental (ISO 14001) or safety (OHSAS 18001 or ANSI Z10) models. Each of these management system models provides a common and familiar set of steps for managing environmental and safety risk, including MSD risks. The ISO 45001 Safety Management System standard provides a new, and soon to be common, model that can be used as an effective system for managing ergonomics.

MSD Risk Factors

MSD injuries continue to be a major loss in today's workplace. Fortunately, what causes MSDs is well known. The three primary risk factors are awkward posture, high force and exposure time (either long duration or high repetition).


Figure 1: Primary MSD Risk Factors

Exposure to a combination of two or all three of these risk factors increases the chance of developing discomfort, pain and/or an MSD. The threshold for each risk factor varies by body part. Large joint structures, like the shoulder and knee, have a higher tolerance for each risk factor than smaller joints. Results of epidemiologic studies have been used to develop valid, quantitative MSD risk assessment methods. In turn, these assessment methods enable safety professionals and engineers to calculate the level of risk based on the exposure to combined MSD risk factors. Applying this information to the dose-response relationship of MSD risk factors is a key measure in a continuous improvement process.

The programs and processes used to reduce MSDs vary widely among practitioners. In the 1990s, both OSHA and NIOSH promoted the implementation of an ergonomics program that included key elements and activities but did not include a specific sequence or prescribed process. The advent of total quality management (TQM) and EHS management systems launched the approach of managing safety (and ergonomics) risk as an ongoing process versus an episodic program, which leads us to management systems, specifically ISO 45001.

A New Standard

A safety management system provides a structured approach that enables an organization to control its occupational health and safety risks and improve performance. All safety management systems evolved from the quality management system (ISO 9001), which in turn was based on the Shewhart Cycle of continuous improvement (Plan-Do-Check-Act).

"To improve performance, you need to improve the system rather than focus on the individuals" -- W. Edwards Deming


Table 1: Alignment of ISO 45001 Content with the Shewhart Cycle

ISO 45001 is an international safety management system standard. It is the product of a project committee, representing 58 countries, to establish a common, global safety management system that is consistent in steps and language with the current environmental and quality management system standards. The final standard was published on March 15, 2018.

ISO 45001 can also be a model on which to structure an ergonomics improvement process. This could be a standalone improvement process or an element of an organization's complete safety management system. The content of ISO 45001 aligns closely with the four steps of the Shewhart Cycle (Table 1).

So, we have the concept of a management system at a high level, but what does it look like to manage an ergonomics process as a management system?

Elements of an Ergonomics Management System

Safety management systems focus on reducing the risk of occupational injuries, illnesses and fatalities. This means that to improve workplace ergonomics, one must control the cause of MSDs.

"Manage the cause, not the results" -- W. Edwards Deming

Using the proposed content of ISO 45001 (Table 1) as a systematic process, we present the key elements and activities in an ergonomics management system.

Leadership, Worker Participation, and Consultation

Whether managing business performance, safety or MSD reduction, an organization's performance will not improve without leadership commitment, support and sponsorship from those at the very top. Top leaders must demonstrate commitment and hold individuals accountable for their roles in the ergonomics improvement process.

Policy is a clear statement of the common direction and belief set by leadership. It establishes "true north," the common goal that aligns all people and activities involved in improvement. Establishing a risk reduction-based goal will focus your organization on systematically identifying and reducing MSD risks proactively. This is the foundation of an effective ergonomics improvement process; it keeps people on track and focused, and allows you to hold individuals accountable for their involvement and results.

Next, establish organizational roles, responsibilities, accountabilities and authorities. This means defining the distinct roles and responsibilities of people involved in the ergonomics process, and empowering them. These roles typically include a sponsor (top manager), ergonomics process lead, subject matter experts (ergonomics team members, safety committee members, ergonomists), engineers and maintenance, managers and supervisors, employees, medical staff, and safety staff. Well-defined roles and responsibilities should be used to hold individuals accountable for their involvement and results, and become the learning objective from which to design or specify training in ergonomics.

Employee participation, consultation, and representation in any process or project are critical for ensuring that workplace changes are made and improvements sustained. This is true for line employees (it is their workplace) and for engineers and maintenance personnel who are key in designing new, and modifying existing, workplaces and tools to reduce risk. 


In this step, identify where action to address risks and opportunities is needed. Valid quantitative MSD risk assessment tools enable subject matter experts to conduct exposure assessments and determine whether exposure in a task is above or below the established threshold. They can then quickly and accurately determine the level of exposure to MSD risk factors by body part and job task; this makes it possible to combine results into a risk map across multiple workplaces.


Figure 2: Example of Whole-Body MSD Risk Assessment Results

Many risk assessment tools measure exposure for a single body joint. In addition, a few whole-body assessment tools combine all exposures into a single risk score that reflects exposure for the entire body. An example is the risk priority score (RPS) in Figure 2, which combines exposures of different body parts with the total time spent performing a task. The RPS reflects the cumulative exposure in the task for use in prioritizing and selecting tasks to address.

Based on assessment findings (Table 1), establish objectives and plans to reduce risk. Identify those tasks and workstations with exposure exceeding the threshold for MSD risk (Table 2). Combined into a risk map, this allows leaders to prioritize, select, and plan workplace changes. Plans should not be based solely on risk level, but balanced with ease of change, the number of people benefiting from the improvement, product life-cycle status, trends in production volumes, productivity and quality improvements, and leveraging scheduled maintenance time and equipment change opportunities.

Well-defined resources, including people, their time and funding, are necessary (Figure 3). In addition to understanding their responsibilities, individuals need to know the amount of time allotted for them to support the ergonomics process. Also determine the funding available for improvements; lack of this information has been identified as a challenge for many.


Table 2: MSD Risk Map Example

Support

To ensure that people are successful in supporting the ergonomics improvement process, they must be prepared with the skills, knowledge, ability and competence to meet their defined responsibilities. Competence is achieved through training. The learning objectives of any training should be based on the responsibilities.


Figure 3: Cost Effectiveness of MSD Risk Factor Controls

Awareness, information and communication of an ergonomics improvement process occurs at a couple of levels and times. When preparing to launch a site process, communicate the goal, metrics to track, who is responsible for certain elements of the process and the planned timeline for implementation. After the process has been launched and established, all employees should receive regular communication of progress to the risk-reduction goals, and be made aware of specific case studies illustrating risk reduction.

Documented information about an ergonomics improvement process should include the following, at a minimum:

  • Common goal, measures and improvement plans
  • Results of MSD risk assessments
  • Controls implemented
  • Verification of risk reduction achieved by the controls
  • Engineering review of ergonomics designs in new and modified equipment, tools and layout
  • Records of skills and awareness training in ergonomics
  • Results of ergonomics improvement process audit

Operational planning and control means changing the workplace to reduce the level of exposure to MSD risk factors. The "ergonomics" of a workplace will not improve without changing the workplace and design of the work performed. Within the hierarchy of controls, most ergonomics improvements fall under the first and most effective type of control, engineering controls. The effectiveness of engineering controls was validated by Goggins et al. (2008) when they found that the cost effectiveness of several MSD control methods was highest when the level of exposure was eliminated or reduced through engineering changes to the workplace.


Figure 4: Example of Verification of MSD Risk Reduction

Managing change involves leveraging opportunities during equipment changes and service, and when bringing in new equipment and processes to improve ergonomics. In other words, include ergonomics in prevention through design. The cost to include ergonomics design criteria when specifying, and selecting new equipment, tools, furniture, and layout is significantly less than the cost to retrofit equipment in place. The purchasing process should be leveraged as a gatekeeper to ensure that only properly designed, low-MSD-risk equipment is introduced.

Since MSDs result from chronic exposures, the emergency preparedness and response section of ISO 45001 seems out of place. However, this portion of the ergonomics improvement process ensures that there is a system in place to manage MSD injuries when they do occur.


Performance Evaluation

Performance evaluation occurs at three levels: at individual workstations, across the organization and in response to MSD injuries.

To monitor, measure and evaluate ergonomics improvements at each workstation, conduct a follow-up MSD risk assessment using the same quantitative risk assessment method that was used for initial assessment (Figure 4). Compare the "before" risk score with the "after" risk score to verify that the exposure to MSD risk was reduced to an acceptable level, and is being maintained.

In addition to verifying the effectiveness of ergonomics improvements, follow-up assessments enable you to measure the amount of risk reduction resulting from a specific control.

The second level of performance evaluation is an internal audit of the site or company ergonomics process. A systematic review of the policy, goals, responsibilities and plans established in the planning steps identifies how well plans and goals are met. The results of the internal audit should be communicated through a management review.

Improvement

Checking for risk reduction resulting from workstation improvements and audits will generate a list of incidents, nonconformity and corrective action. Incidents refer to the investigation of suspected MSD injuries. A best practice for injury root cause analysis is to begin the investigation of MSD injuries with a quantitative risk assessment. This helps to focus the investigation on factors known to cause MSDs and helps to maintain a data-driven, repeatable process. Include the same valid MSD risk assessment tools used during Planning.

Every management system includes an element to ensure that non-conformity is addressed and corrective actions are taken and completed. Non-conformance may indicate equipment and tools not designed to established design criteria, risk exposure at a task exceeds the acceptable level, improvement goals and metrics are not being met, or a site ergonomics process is falling short of company standards. In each case, tracking non-conformance, ensuring action and holding individuals accountable for corrective action are essential for success.

Continual Improvement

This is the final step to sustain the ergonomics improvement process over time -- through staffing and management changes, expense controls and market fluctuations -- and to learn from and adjust the process to fit future needs, resources and priorities.

Putting it into Practice

Best practices for sustaining the ergonomics improvement process described in this article include the following:

  • Ensure that adequate controls and actions are in place (and supported by top management) to reduce MSD risk factors to the lowest level achievable.
  • Apply effective risk-reduction controls at other similar tasks and workstations.
  • Provide necessary resources to continually find and reduce MSD risks.
  • Regularly review and track the status of the ergonomics process and plans within the normal business tracking process.
  • Involve all levels of the organization in identifying and addressing MSD risks in daily operations.

And finally, manage MSD risks and ergonomics as a process that follows a common or familiar set of steps. ISO 45001 uses terminology and structure, like quality and environmental management systems, to enable you to do just that within your organization and across your enterprise. 

Walt Rostykus, CSP, CPE, CIH, FAIHA is a principal consultant, and Rick Barker, CPE is a senior consultant, with Humantech Inc., a provider of workplace improvement and ergonomics solutions.

Deming, W.E. (1982). Out of the Crisis. Massachusetts Institute of Technology. Center for Advanced Educational Services, Cambridge, Mass.

Goggins, R., Spielholz, P., & Nothstein, G. (2008). Estimating the effectiveness of ergonomics interventions through case studies: implications for predictive cost-benefit analysis. Journal of Safety Research, 39(3), 339-344.

Humantech, Inc. (2014). Summary of Benchmarking Study Results: Cost and Return on Investment of Ergonomics Programs. Retrieved March 3, 2018, from https://www.humantech.com/resources/whitepapers/

International Organization for Standardization (ISO). (2015). Draft International Standard ISO/DIS 45001. Occupational Health and Safety Management Systems – Requirements with Guidance for Use.

Humantech, Inc. (2011). Summary of Benchmarking Study Results: Elements of Effective Ergonomics Program Management. Retrieved March 3, 2018, from https://www.humantech.com/resources/whitepapers/

U.S. Department of Health and Human Services, Public Health Services, Centers for Disease Control and Prevention, National Institute for Occupational Safety and Health (1997). Musculoskeletal Disorders and Workplace Factors, A Critical Review of Epidemiologic Evidence for Work-Related Musculoskeletal Disorders of the Neck, Upper Extremity, and Low Back. Cincinnati: NIOSH.


Rick Barker | senior consultant

Rick Barker, CPE is a senior technical ergonomics manager with VelocityEHS | Humantech , a provider of cloud-based environment, health, safety (EHS) and sustainability solutions.


Speaker 1: What is information security risk? Information security risk is simply a combination of the impact that could result from a threat compromising one of your important information assets and the likelihood of this happening.

Risk management in ISO 27001. ISO 27001 requires that you implement a risk management system to help you manage the security of your important information assets. The backbone of this is formed from the need to develop and implement an appropriate and effective information security risk management methodology.

ISO 27001 risk management. You should develop and implement a risk management methodology which allows you to identify your important information assets and to determine why they need protecting. It is important to note here that when information security is mentioned, people immediately start thinking about confidentiality aspects, but the availability and integrity aspects also need to be taken into consideration, as these are important components of information security. Once this has been achieved, your methodology needs to be able to identify the likelihood of something going wrong and what can be done to mitigate this risk. In a nutshell, it enables you to quantify the impact and the likelihood elements of information security risk and then go on to do something about it.

ISO 27001 risk management framework. There are several discrete stages of an ISO 27001 risk management methodology. First of all, it is important to understand the information security context of your organisation. Once this has been achieved, you can perform a risk assessment, which includes the need to identify your risks, analyse them and evaluate them. You then need to determine a suitable treatment for the risks you have assessed and then implement that treatment. It is vitally important that you do not see this as a one-off exercise. Your risk management methodology should be designed to be iterative. This enables you not only to review the status of risks you have previously identified, taking into consideration any potential changes in context, but also to identify new risks. The high-level stages of a risk management methodology as described above should be thought of as a framework that enables risk management to be embedded within key processes throughout your organisation, so that any identified risks are comparable.

ISO 27001 risk management context. The first stage of your risk management methodology needs to identify what is important to you or your organisation from an information security point of view. ISO 27001 requires you to determine the context of your organisation, part of which means that you need to be able to identify the information security related issues that you face, along with who the internal and external interested parties are and what their needs and expectations are. It is important to also understand what your risk appetite is at this stage, as we will need this information later. Once you have done this, you are able to determine what is important about the different information assets under your control.

ISO 27001 risk management. What is risk appetite? Risk appetite is simply the amount and type of risk you are willing to accept or retain in order to allow business operations to proceed. This is important because too much security can sometimes compromise your operational viability, whereas too little will reduce the confidence of your stakeholders. Some types of organisations are willing to accept more risk than others. For example, a hedge fund manager is likely to take more risk in order to make greater profits over a short space of time, whereas a pension fund manager generally prefers a less risky, steady growth approach.

ISO 27001 risk assessment methodology. Risk identification. Once you have determined the context, you can go ahead and conduct a risk assessment. The first part of a risk assessment is to identify the risks that you face. This can be broken down into three elements. The first element is to identify your information assets. An information asset is any information that has value to you. There are several different ways to calculate the value of an asset, but it is important that you not only consider the confidentiality needs of the information but also the integrity and availability requirements. The second element of risk identification is threat analysis. You need to have a process which enables you to identify all of the threats which are applicable to the assets you have identified. If a particular threat is applicable, then it is also a good idea to think about how probable it is that the threat will materialise. For example, if you use Windows-based computer systems which are connected somehow to the internet, the probability of them being affected by a virus is probably very high if you do nothing to stop it, whereas if you are using an Apple Mac which is never connected to the internet, the probability is very low. The third element of risk identification is the need to determine if there are any vulnerabilities that would allow a threat that you have identified to cause an impact on your asset. To carry on with the example we have just used, if you have an antivirus system installed and running on your internet-connected Windows computers, you are less vulnerable to this particular threat than if you didn't.

ISO 27001 risk assessment methodology. Risk analysis. One of the useful aspects of the output from an effective risk assessment is the ability to prioritise your risks. This is important, as you may not have sufficient resources to fully mitigate every risk that you identify. This means that it is important to somehow quantify your risks. To do this we need to know two things: first, how much of an impact would be felt if a compromise occurred, and second, what is the likelihood of that threat occurring. One good idea is to use a set of scales to record values in these areas. For example, using a scale of one to five, we could say how impactful it would be if the confidentiality of an asset were breached. Clearly, breaches of confidentiality would cause a greater impact for some assets, for example HR records, than others, like the staff canteen menu. A second one-to-five scale could be used to determine the likelihood of a breach occurring, and we would take into consideration the threat and vulnerability information we spoke about earlier in order to do this.

ISO 27001 risk assessment methodology. Risk evaluation. Risk evaluation is a relatively simple process, as it requires you to identify whether or not the risk that you have identified is above or below appetite. To do this, the first thing we need to do is calculate the value of the risk, which simply means multiplying the impact and likelihood values together. We have a range of possible values which result from multiplying the two one-to-five scales together. The appetite is stated within the methodology as a particular value on the five-by-five matrix. If a particular risk is above this value, then it is above appetite, which means that it can then be flagged for treatment. Anything below appetite can be accepted and monitored for change.

ISO 27001 risk treatment methodology. Your risk management methodology needs to include a methodology for determining the most appropriate treatment for the risks that you have identified. There are four possible treatments to choose from. These are accept, reduce, transfer and avoid. You may come across different terms used for these, such as tolerate, treat, transfer and terminate. This example is known as the four Ts; however, they take the same approach.

ISO 27001 risk treatment methodology: accept or tolerate. One of the four treatments provides you with the ability to accept risk. We have already seen that this is possible, as it is likely that you will simply accept risks that are below appetite. However, you can also make an informed decision to accept risks in certain circumstances, such as where there is a legal requirement preventing you from taking the desired action or you have insufficient resources to do so. These cases should be few and far between, though, and should always be approved by appropriate management and regularly reviewed.

ISO 27001 risk treatment methodology: reduce or treat. The second treatment option is to reduce or treat the risk. This is done through the implementation of controls. ISO 27001 provides you with a list of 114 best-practice controls that can be used to mitigate the risks that you have identified. These can be used in combination in order to increase their effectiveness, and of course you can also add controls of your own that do not appear in ISO 27001.

ISO 27001 risk treatment methodology: transfer. The third risk treatment option is to transfer the risk. The transfer option involves the use of third parties to help you mitigate your risks. You could do this, for example, by offloading some of the financial impact of something going wrong by taking out an insurance policy. Another way of doing this is to outsource the responsibility for implementing and operating technical controls to a third party, such as an IT managed service provider. It is important to note here that although responsibility for financial impact or the management of operational controls can be transferred to a third party, the accountability associated with the risk cannot. In other words, you will still be held accountable by your stakeholders if something goes wrong.

ISO 27001 risk treatment methodology: avoid or terminate. The fourth risk treatment option is to simply avoid the risk. As we have discussed before, there are three component parts to risk: the impact felt by the organisation following a breach of confidentiality, integrity or availability for an information asset, a threat that could cause this impact, and a vulnerability that would allow it to do so. It is possible to avoid risk completely by eliminating one or more of these three elements. However, it is unlikely that we would be able to completely remove all threats or all vulnerabilities, which leaves us with only one viable option, which is to remove the impact. This is done by removing the asset or stopping the processes that are associated with the identified risk. For example, to avoid the risks associated with the taking of credit card payments, remove that process and only deal in cash. There are obvious issues associated with taking this approach, as it is unlikely to be looked upon too favourably by your stakeholders, especially if the process is revenue generating. This is the reason why this particular risk treatment methodology is rarely used.

ISO 27001 risk treatment methodology: controls. The most common option chosen to treat risks, other than maybe accept in more mature ISMSs, is to reduce the risk. This is done by implementing controls or improving existing ones to address the risk. There are three main operational types of control: administrative or people-based controls, technical or logical controls, and physical or environmental controls. Within these three operational types there are several different tactical uses of controls, such as those that are designed to prevent a threat from materialising, those that are designed to deter people from carrying out an undesired action, those that detect if a threat has materialised, or those that enable you to recover from a situation after the threat has been dealt with, and there are several others. Operational types and tactical uses of controls are not mutually exclusive and can, and should, be used where possible in combination to provide a greater depth of security.

ISO 27001 risk management: monitor and review. It is important to ensure that any actions you take to address the risks you have identified are monitored and reviewed to ensure that they have the desired effect. Part of the monitor and review process should also include a review of context before the risk assessment is re-performed. This will allow you to identify and take into consideration any changes that may have happened, either internally within your organisation or externally, such as changes in legislation or changes to the threat environment. Thus you are able to identify if risks that have previously been identified are getting worse or, hopefully, better, and you will also be able to identify any new risks.

ISO 27001 risk assessment frequency. Risk management, and therefore risk assessment, is an iterative process, and each iteration should take into consideration lessons learned from the previous iteration and any internal or external changes, thus enabling continual improvement. There is no hard and fast rule on the frequency of risk assessment, but URM recommends that the frequency is no less than annual. This does not necessarily mean that you should set aside a certain amount of time at a certain point in the year to conduct a risk assessment, although of course you can do this if you wish. It just means that each time 12 months has elapsed you should aim to have completed the next iteration. So you could spread the workload over the 12-month period by performing smaller risk assessments on a subset of areas at more frequent intervals if this is more manageable.

ISO 27001 risk management governance. Throughout the risk management process you need to ensure that you communicate effectively with any interested parties. It may be useful to put together a RACI to help you with this, as all the way through the process different people will need to be held responsible, some will need to be held accountable, some will need to be consulted in order to identify all of the pertinent information we need to perform an effective risk assessment, and some people, for example the management team, will need to be informed through effective reporting of your risk status.

ISO 27001 risk management policy and process. As with all key processes associated with an effective ISMS, it is a good idea to implement a risk management policy. This enables you to set out the risk management and risk assessment criteria, appetite, and roles and responsibilities within a document that everyone is required to implement throughout the business. This should of course be underpinned by the risk management methodology and any required documented processes to enable risk management to be embedded throughout the organisation.

So how can URM help? URM can offer a range of information risk management consultancy and training services, most notably our accredited five-day Practitioner Certificate in Information Risk Management training course. In addition, URM has also developed an information risk management module, Abriska 27001, specially to meet the risk assessment requirements of ISO 27001. For more information, email us or give us a call.
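The risk analysis, evaluation and treatment steps the speaker describes (one-to-five impact and likelihood scales, risk value as their product, a five-by-five matrix with a stated appetite, and risks above appetite flagged for one of the four treatments), worked through as an added Python example that is not part of the transcript and not URM's or Abriska's code. The assets, threats, score values and the rule that combines threat probability and vulnerability into a single likelihood score are constructed assumptions.

```python
"""Risk register evaluation on a five-by-five impact/likelihood matrix.

Added example, not code from the transcript, URM or Abriska. The assets,
threats, scores and the likelihood combination rule are all constructed.
"""
import math
from dataclasses import dataclass
from typing import Iterable, List

SCALE_MIN, SCALE_MAX = 1, 5          # the one-to-five scales from the transcript
MATRIX_MAX = SCALE_MAX * SCALE_MAX   # highest cell of the five-by-five matrix (25)

def _check_range(label: str, value: int, low: int, high: int) -> int:
    """Reject out-of-range scores so a typo cannot silently skew the register."""
    if not low <= value <= high:
        raise ValueError(f"{label} must be {low}..{high}, got {value}")
    return value

@dataclass(frozen=True)
class InformationAsset:
    """Impact (1-5) felt if each CIA property of the asset is compromised."""
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def impact_of(self, cia_property: str) -> int:
        return _check_range(f"{self.name}.{cia_property}",
                            getattr(self, cia_property), SCALE_MIN, SCALE_MAX)

@dataclass(frozen=True)
class Threat:
    """A threat to one CIA property of one asset (all scores 1-5)."""
    asset: str
    description: str
    cia_property: str   # "confidentiality", "integrity" or "availability"
    probability: int    # how likely the threat materialises if nothing is done
    vulnerability: int  # how exposed the asset remains given existing controls

@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    impact: int
    likelihood: int
    above_appetite: bool

    @property
    def value(self) -> int:
        """Risk value = impact x likelihood, one cell of the five-by-five matrix."""
        return self.impact * self.likelihood

def likelihood_score(threat: Threat) -> int:
    """Combine threat probability and vulnerability into one 1-5 likelihood.
    Assumed rule (the transcript says both feed likelihood but gives no
    formula): the mean of the two scores, rounded up."""
    p = _check_range("probability", threat.probability, SCALE_MIN, SCALE_MAX)
    v = _check_range("vulnerability", threat.vulnerability, SCALE_MIN, SCALE_MAX)
    return math.ceil((p + v) / 2)

def evaluate(assets: Iterable[InformationAsset], threats: Iterable[Threat],
             appetite: int) -> List[RiskEntry]:
    """Score each threat, flag those above appetite, return in priority order."""
    _check_range("appetite", appetite, SCALE_MIN, MATRIX_MAX)
    by_name = {a.name: a for a in assets}
    register = []
    for t in threats:
        impact = by_name[t.asset].impact_of(t.cia_property)
        lik = likelihood_score(t)
        register.append(RiskEntry(t.asset, t.description, impact, lik,
                                  above_appetite=impact * lik > appetite))
    # Highest risk first, so limited resources go to the biggest exposures.
    return sorted(register, key=lambda r: (-r.value, r.asset, r.threat))

def treatment_queue(register: Iterable[RiskEntry]) -> List[RiskEntry]:
    """Risks above appetite must get reduce, transfer or avoid; accepting one
    of these is an approved, regularly reviewed exception, not the default."""
    return [r for r in register if r.above_appetite]

# Constructed sample register (illustrative values, not real assessment data).
ASSETS = [
    InformationAsset("HR records", confidentiality=5, integrity=4, availability=3),
    InformationAsset("Staff canteen menu", confidentiality=1, integrity=1, availability=2),
    InformationAsset("Card payment processing", confidentiality=5, integrity=5, availability=4),
]
THREATS = [
    # Internet-connected Windows workstations: malware probability is high,
    # but antivirus is in place, so the remaining vulnerability is low.
    Threat("HR records", "malware on internet-connected workstation", "confidentiality", 5, 2),
    Threat("Staff canteen menu", "malware on internet-connected workstation", "confidentiality", 5, 2),
    Threat("HR records", "unauthorised modification by an insider", "integrity", 2, 3),
    Threat("Card payment processing", "outage of payment service provider", "availability", 3, 3),
]
APPETITE = 10  # matrix cell value above which a risk must be treated

if __name__ == "__main__":
    for entry in evaluate(ASSETS, THREATS, APPETITE):
        print(entry.value, "TREAT" if entry.above_appetite else "accept/monitor", entry.asset, entry.threat)
```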

What are the new requirements for risks and opportunities according to ISO 45001?

Advisera Mark Hammar

With the release of ISO 45001:2018, there are new requirements for assessing risks and opportunities in the Occupational Health & Safety Management System (OH&SMS). So, how does this differ from the previous requirements for assessing hazards and risks in OHSAS 18001, and are these requirements still in the standard? In short, these requirements in ISO 45001 cover two different types of risk for the individual processes and for the overall OH&SMS, and both assessments are needed for a good OH&SMS.

What is required for hazards and risks?

The previously existing requirements in the OHSAS 18001:2007 standard were quite simply written, even though the task was rather large. In brief, for all of your activities, processes and work areas, you had to identify what hazards existed for the occupational health and safety of all involved (including contractors and visitors). Once these hazards were identified, you would then identify what risks existed for each hazard and what controls you needed to put in place to mitigate the risks present.

For example, if you had a large machine, you might identify that there is a pinch point hazard when the machine was running. The risk of this pinch point could be injury to any worker, contractor or visitor who put their hand in the way of the machine while it was running. To mitigate this risk, you could put a guard in place to prevent hands from entering the pinch point and have a lock-out/tag-out procedure to ensure that the machine could not run without the guard in place during maintenance.

The requirements to assess risks of the processes are still part of the planning for the OH&SMS. Controlling the risk from your processes is an important part of ensuring the health and safety of people within your facilities. As the backbone of the OH&SMS, this assessment of the hazards and risks posed by the organization’s activities is still a critical part of what is needed to improve occupational health & safety performance.

For a better understanding of hazards and risks in the OH&SMS, see these articles: How to identify and classify OH&S hazards and How to perform risk assessment in OHSAS 18001.

What do you need to consider with new conditions for assessing the risks and opportunities?

Along with the above requirements, there are new conditions for assessing the risks and opportunities of the overall Occupational Health & Safety Management System. These new requirements come from the standard ISO format for all management systems, called Annex SL. This format includes the assessment of the context of the organization with respect to the purpose of the management system, including the internal and external issues that affect it. The next step in the standard is to identify all of the interested parties for your management system, and what their needs and expectations are.

Finally, taking these issues, interested parties and expectations into account, the company must assess what risks and opportunities exist for the company with respect to the management system. For the OH&SMS this means the risks and opportunities that could affect the company’s ability to enhance OH&S performance, fulfill compliance obligations and achieve OH&S objectives. Many companies have a strategic planning function which addresses these requirements of the standard. If you have more than one management system in place (such as a quality management system or environmental management system), this same process can be used for all of them.

ISO 45001 risks & opportunities - The new requirements

For instance, as part of your ongoing assessment of legal requirements, you may have learned that there is an upcoming change in the law that will make it illegal to use a certain cancer-causing chemical that is needed for creating your product. As this is the case, you have an opportunity to make changes to your product that allow you to find a replacement chemical that is less hazardous to the occupational health & safety of your workforce. There is also a risk that the replacement chemical is actually more hazardous to the people who need to use it. It is these risks and opportunities that you will need to address.

Likewise, if you identify that a company is introducing a new type of machine guard that will make it much easier to prevent accidents, you may start investigating how this could be incorporated into your machinery ahead of the government approval for the product. You would not install the new guard, but instead start the process so that it could be more quickly implemented once the approval for the guard was granted.

Risk and Opportunity assessment: An important part of OH&SMS

Any company that has implemented an Occupational Health & Safety Management System knows that the assessment of risk, and the management of the controls to address risk, is critical for managing occupational health & safety. Assessment of risks and determining what needs to be done about them has always been a part of the OH&SMS, and this has not changed. The only real change is to include an additional focus for the important task of risk assessment, and the assessment of opportunities that can be pursued to benefit your company, which can help you with OH&S improvement.

For a better understanding of where risks and opportunities fit into the implementation process, see this Diagram of ISO 45001 Implementation Process.

ISO 18128:2024 Information and documentation — Records risks — Risk assessment for records management, developed by Working Group 19 (WG 19), addresses the need for a structured approach to assessing risks related to records management. This International Standard offers organizations a comprehensive framework for identifying, analyzing, and evaluating risks associated with records, ensuring that records continue to meet business, legal, and regulatory requirements throughout their lifecycle.

ISO 18128 provides practical methods for conducting effective risk assessments within records management systems. It guides organizations in identifying potential risks, evaluating their impact, and prioritizing actions to safeguard their information assets. This framework is designed to enhance the way organizations manage their records, making it easier to address the unique risks posed by increasingly complex regulatory and business environments.

Key Components of the ISO Standard

The standard’s approach to risk assessment for records management includes several critical features:

Risk Identification: The standard guides organizations through the process of identifying risks, focusing on records and the systems, processes, and controls that manage them. It encourages documentation of potential risks and vulnerabilities that could impact the integrity, accessibility, or security of records.

Risk Analysis: Once risks are identified, the standard offers techniques for analyzing them. This includes evaluating the likelihood and potential impact of each risk, which helps organizations prioritize actions based on their operational and regulatory context.

Risk Evaluation: The standard provides guidelines for evaluating the identified risks, assisting organizations in determining which risks are most significant and need immediate attention. By understanding the risk landscape, organizations can better align their records management practices with business objectives and legal obligations.

Applicability Across Organizations

One of the key strengths of this ISO standard is its versatility. Whether an organization is small or large, in the public or private sector, the framework can be adapted to meet specific needs. It recognizes the diverse nature of organizational structures, regulatory environments, and business activities, offering a flexible approach that can be tailored accordingly.

The standard also acknowledges the complexity of modern business environments, including factors like outsourcing, partnerships, and intricate supply chains. By doing so, it provides a more holistic view of risk management that goes beyond internal operations to include external influences.

Establishing Boundaries for Risk Assessment

A critical element of the risk assessment process outlined by the standard is defining the organization's boundaries. This involves determining the scope of the assessment, which ensures that all relevant aspects of records management are taken into account. Understanding the scope helps organizations focus their risk assessments more effectively and allocate resources where they are most needed.

Not Focused on Risk Mitigation

It is important to note that while this standard provides a detailed framework for identifying and evaluating risks, it does not directly address how to mitigate those risks. Risk mitigation strategies vary widely across organizations and industries, depending on their unique requirements and operational contexts. Instead, the standard serves as a foundational tool for understanding risks, enabling organizations to develop their mitigation plans based on the identified risks and organizational priorities.

Who Can Benefit from the Standard?

This standard is valuable not only to records management professionals but also to auditors, compliance officers, risk managers, and any individuals responsible for managing or overseeing information systems. It provides a unified approach that enhances the ability to assess risks and supports better decision-making across departments.

The release of this ISO standard marks an important advancement in the field of records management. Offering a structured approach to risk assessment, it empowers organizations to proactively manage risks related to their records. Whether an organization is facing regulatory scrutiny or seeking to optimize internal processes, this standard provides essential guidelines that can be applied to protect and preserve the integrity of records.

By adopting this risk-based approach to records management, organizations can ensure that their records continue to serve their business needs while remaining compliant with legal and regulatory obligations. This new ISO standard is poised to become a critical tool in the records management landscape, offering practical guidance for organizations across various sectors.

Anahí Casadesús

COMMENTS

  1. ISO 45001 risk management methodology: What to include?

    What is the methodology to manage risk according to ISO 45001? Once both types of risks are assessed, there is a common requirement in the standard to plan actions to address the risk (clause 6.1.4 Planning actions). During the assessment of each risk above, there is a decision on the necessity to take action to reduce or eliminate the risk and ...

  2. ISO 45001 Clause 6.1.2 Hazard Identification and Assessment of Risks

    Introduction The introduction of Clause 6.1.2 of ISO 45001, focusing on hazard identification and assessment of risks and opportunities, is a crucial aspect of occupational health and safety management systems. This clause plays a key role in helping organizations identify potential hazards and risks in the workplace, as well as opportunities for improvement. By effectively implementing this ...

  3. 6.1 Actions to Address Risks and Opportunities [ISO 45001 Procedure]

    6.1.2.1 Hazard Identification. Clause 6.1.2.1 of ISO 45001:2018 is identical to the hazard identification and risk evaluation in OHSAS 18001. The cornerstone of the OHMS is the hazard identification and risk assessment process. The importance of this section of the health and safety management system cannot be overstated.

  4. The basics of ISO 45001 hazards, risks, and opportunities

    ISO 45001 starts with some general information in clause 6.1.1 on considering your internal and external issues, relevant interested parties, and the scope of your OH&S management system during this risk assessment process. Next, clause 6.1.2.1 requires the identification of hazards in the management system.

  5. ISO 45001:2018

    Key elements include leadership commitment, worker participation, hazard identification and risk assessment, legal and regulatory compliance, emergency planning, incident investigation and continual improvement. ISO 45001 utilizes the Plan-Do-Check-Act methodology to systematically manage health and safety risks.

  6. ISO 45001 Risk Assessment

    Conclusion. In conclusion, ISO 45001 risk assessment is a fundamental process for ensuring occupational health and safety. By following the systematic approach outlined in the standard, organizations can create a safer and more secure work environment, protecting both employees and their reputation. ISO 45001 SWOT Analysis.

  7. ISO 45001 Hazard Identification, Risk Assessment, and Control Plan Tem

    Introduction Hazard identification, risk assessment, and control plans are crucial components of a successful health and safety management system, especially when aiming to meet the requirements of ISO 45001. This template provides a structured approach to identifying hazards, assessing risks, and implementing controls to mitigate risks in the workplace. By utilizing this template ...

  8. ISO 45001 Clause 6.1.2.2 Assessment of OH&S risks

    Learn about ISO 45001 Clause 6.1.2.2 and understand the assessment of OH&S risks and other risks to the management system. ... a methodology is to use a risk matrix that includes the criteria set by the organization. ... The risk assessment needs to consider how these existing controls will influence the Likelihood and Consequence of an ...

  9. ISO 45001:2018(en)

    ISO 45001:2018(en) ... Note 1 to entry has been modified to clarify the types of methods that may be used for determining and evaluating results. 3.28. occupational health and safety performance. OH&S performance. ... IEC 31010, Risk management — Risk assessment techniques [12] ILO. Guidelines on occupational safety and ...

  10. ISO 45001 risk assessment: How to do it and why

    The ISO 45001 standard suggests the factors that should be taken into account for risk management, such as the activities of all people in your workplace, routine and non-routine activities, equipment factors, hazards identification, machinery, and legal obligations and compliance. It is also advisable to consult all stakeholders, especially ...

  11. Hazard Identification & Risk Assessment Procedure Explained

    Hazard Identification & Risk Assessment Procedure. This risk management framework will define your company's current risk management processes and methodologies, training methods, reporting procedures, hazard identification procedures, risk assessments, risk appetites, and determining controls. Let's look at the procedure for ISO 45001 clause ...

  12. How to Implement the ISO 45001 Standard

    Having chosen the methodology for risk assessment determined in clause 6.0, the organization will use the 'Hierarchy of Controls' outlined in section 6 to eliminate or reduce hazards to the lowest practicable risk. ... The risk assessment process, for ISO 45001 identification of hazards, may have highlighted potential emergency situations ...

  13. Occupational safety and health risk assessment methodologies

    Several methods to perform risk assessment are available ranging from expert to participatory methodologies and from simple to complex methods. ... ISO 45001:2018 Occupational health and safety management systems — Requirements with guidance for use [3] ISO 45003:2021 Occupational health and safety management - Psychological health and safety ...

  14. 9.1 Monitoring, Measurement, Analysis and Evaluation [ISO 45001 Procedure]

    9.1.2 Evaluation of Compliance. Monitoring, Measuring & Analysis Procedure. To verify the safety performance and validate the effectiveness of safety risk controls requires the use of a combination of internal audits, workplace inspections and the establishment and monitoring of SPIs. Assessing the effectiveness of the safety risk controls is ...

  15. ISO 45001:2018 Clause 6: Planning

    As per Annex A (Guidance on the use of ISO 45001:2018 standard) of ISO 45001:2018 standard it further explains: ... Hazard identification and risk assessment methodologies vary greatly across industries, ranging from simple assessments to complex numerical methods with extensive documentation. Individual hazards might require that different ...

  16. Procedure for Hazard Identification, Risk Assessment, And Determining

    5.0 Introduction: This procedure is designed for the identification of hazard, risk assessment and defining the necessary applicable controls methods. While defining, the organization has referred to the complexity of the operations, suitability of the methodologies of risk assessment, workplace conditions, and expert guidance.

  17. ISO 45001: A Model for Managing Workplace Ergonomics

    Results of epidemiologic studies have been used to develop valid, quantitative MSD risk assessment methods. In turn, these assessment methods enable safety professionals and engineers to calculate the level of risk based on the exposure to combined MSD risk factors. ... ISO 45001 uses terminology and structure, like quality and environmental ...

  18. Understanding ISO 27001 Risk Management: Key Concepts and Methodologies

    ISO 27001 risk assessment methodology. Risk evaluation. Risk evaluation is a relatively simple process as it requires you to identify whether or not the risk that you have identified is above or below appetite. To do this the first thing we need to do is calculate the value of the risk which simply means multiplying the impact and likelihood ...