ISO 45001:2018 Clause 8.1.4.3 Outsourcing

ISO 45001:2018 15 Minutes

ISO 45001:2018 Requirement

The organization shall ensure that outsourced functions and processes are controlled. The organization shall ensure that its outsourcing arrangements are consistent with legal requirements and other requirements and with achieving the intended outcomes of the OH&S management system. The type and degree of control to be applied to these functions and processes shall be defined within the OH&S management system.

NOTE Coordination with external providers can assist an organization to address any impact that outsourcing has on its OH&S performance.

As per Annex A (Guidance on the use of ISO 45001:2018 standard) of ISO 45001:2018 standard it further explains

When outsourcing, the organization needs to have control of the outsourced functions and process(es) to achieve the intended outcome(s) of the OH&S management system. In the outsourced functions and process(es), the responsibility for conforming to the requirements of this document is retained by the organization.
The organization should establish the extent of control over outsourced function(s) or process(es) based upon factors such as:

  • the ability of the external organization to meet the organization’s OH&S management system requirements;
  • the technical competence of the organization to define appropriate controls or assess the adequacy of controls;
  • the potential effect the outsourced process or function will have on the organization’s ability to achieve the intended outcome of its OH&S management system;
  • the extent to which the outsourced process or function is shared;
  • the capability of the organization to achieve the necessary control through the application of its procurement process;
  • opportunities for improvement.

In some countries, legal requirements address outsourced functions or processes.

1) The organization shall ensure that outsourced functions and processes are controlled.

Ensuring that outsourced functions and processes are controlled is essential to maintain the quality and effectiveness of your organization’s operations. To achieve this, you can follow these steps:

  • Identify and document all functions and processes that are outsourced by your organization. This includes activities such as manufacturing, customer support, IT services, or any other processes that are performed by external parties.
  • Clearly define the requirements and objectives for each outsourced function or process. Specify what is expected from the external service providers in terms of quality, performance, and compliance with relevant standards.
  • Choose service providers who have the necessary expertise, capabilities, and resources to perform the outsourced functions effectively and meet your requirements. Conduct due diligence to assess their qualifications and track record.
  • Develop detailed contractual agreements or service level agreements (SLAs) that clearly outline the scope of work, responsibilities, performance standards, quality expectations, reporting requirements, and compliance obligations.
  • Conduct a risk assessment to identify potential risks associated with the outsourced functions and processes. Assess the impact of these risks on your organization’s operations and develop risk mitigation strategies.
  • Establish control measures to ensure that outsourced functions and processes are carried out in accordance with your requirements and standards. This may involve regular monitoring, audits, and inspections.
  • Communicate your organization’s expectations and requirements to the service providers. Provide necessary training and resources to help them understand and meet these expectations.
  • Implement a system for monitoring the performance of outsourced functions and processes. This may include regular performance reviews, quality checks, and reporting mechanisms.
  • Develop a process for reporting and addressing incidents or non-conformities related to outsourced functions. Ensure that service providers promptly report any issues and take corrective actions.
  • Ensure that service providers adhere to all relevant legal and regulatory requirements, as well as industry standards. Conduct periodic compliance checks and audits.
  • Maintain comprehensive documentation of all aspects of the outsourced functions and processes, including contracts, SLAs, performance records, and incident reports.
  • Continuously assess the effectiveness of the controls in place for outsourced functions and processes. Identify areas for improvement and implement corrective actions.
  • Develop contingency plans to address potential disruptions or failures in outsourced processes. Ensure that service providers have their own contingency plans in place.
  • Regularly review the performance of service providers and the effectiveness of your control measures. Reevaluate the need for outsourcing and the choice of service providers as circumstances change.
  • Ensure that all outsourced functions and processes comply with applicable laws and regulations. Stay informed about any changes in legal requirements that may impact outsourcing arrangements.

By following these steps, your organization can effectively control outsourced functions and processes, minimize risks, and ensure that external service providers align with your quality, performance, and compliance standards. This approach helps maintain the integrity and reliability of your operations and services.

2) The organization shall ensure that its outsourcing arrangements are consistent with legal requirements and other requirements

Ensuring that outsourcing arrangements are consistent with legal requirements and other relevant requirements is crucial to prevent legal issues, maintain compliance, and protect your organization’s interests. Here’s how to achieve this:

  • Identify and understand all applicable laws, regulations, standards, and contractual obligations that pertain to your organization’s operations and the specific functions or processes being outsourced.
  • Conduct thorough due diligence when selecting service providers. Assess their track record, reputation, financial stability, and compliance history to ensure they align with legal and regulatory requirements.
  • Develop detailed contractual agreements or service level agreements (SLAs) that explicitly address legal and regulatory compliance. Include clauses that require the service provider to adhere to all applicable laws and regulations.
  • Implement a system for auditing and monitoring the service provider’s compliance with legal requirements. Conduct regular audits and inspections to verify adherence to applicable laws and regulations.
  • Require the service provider to provide documentation and reports demonstrating their compliance with legal and regulatory requirements. Maintain comprehensive records of compliance-related activities.
  • Establish procedures for reporting and addressing incidents or non-compliance issues promptly. Define roles and responsibilities for both your organization and the service provider in managing compliance-related incidents.
  • Stay informed about changes in relevant legal and regulatory requirements. Ensure that your outsourcing arrangements can adapt to these changes without causing compliance gaps.
  • Ensure that both your organization and the service provider have a clear understanding of their respective compliance responsibilities. Provide necessary training and resources to maintain awareness of legal and regulatory requirements.
  • Develop contingency plans to address potential disruptions or issues related to legal compliance. Ensure that your organization and the service provider have processes in place to handle unexpected compliance challenges.
  • Regularly review the performance of the service provider in terms of legal and regulatory compliance. Reevaluate the contractual terms and arrangements to ensure they remain consistent with evolving requirements.
  • Consider seeking legal counsel or involving legal experts in the negotiation and drafting of outsourcing contracts to ensure that all legal aspects are adequately covered.
  • Include mechanisms for resolving disputes or disagreements related to legal and regulatory compliance in the contractual agreements. Define the process for dispute resolution and escalation.
  • Consider ethical principles and social responsibilities when evaluating outsourcing arrangements. Ensure that service providers align with your organization’s ethical standards.
  • Maintain open and transparent communication with the service provider regarding legal and regulatory compliance matters. Foster a collaborative approach to address compliance challenges.

By following these steps, your organization can establish outsourcing arrangements that are consistent with legal requirements and other relevant obligations. This approach helps minimize legal risks, maintain compliance, and protect your organization’s reputation and interests.

3) The organization shall ensure that its outsourcing arrangements are consistent with achieving the intended outcomes of the OH&S management system

Ensuring that outsourcing arrangements align with the intended outcomes of the Occupational Health and Safety (OH&S) management system is crucial to maintain a safe and compliant workplace. Here’s how to achieve this alignment:

  • Clearly define the objectives and intended outcomes of your OH&S management system. These may include reducing workplace accidents, improving safety performance, ensuring legal compliance, and protecting the health and well-being of employees.
  • Before entering into an outsourcing arrangement, assess the potential impact of outsourcing on your OH&S objectives and intended outcomes. Consider how outsourcing may affect safety, compliance, and the achievement of your goals.
  • Choose service providers who understand and align with your OH&S objectives and intended outcomes. Assess their commitment to workplace safety and their ability to contribute to your safety goals.
  • Include OH&S requirements and expectations in the contractual agreements or service level agreements (SLAs) with service providers. Ensure that these agreements explicitly state the importance of achieving your OH&S objectives.
  • Conduct a risk assessment to identify potential risks associated with outsourcing. Develop strategies and mitigation plans to address these risks and ensure that they do not compromise your OH&S objectives.
  • Define key performance indicators (KPIs) related to OH&S in the contractual agreements. Regularly monitor and assess the service provider’s performance against these KPIs to ensure alignment with your intended outcomes.
  • Establish procedures for incident reporting and response that involve both your organization and the service provider. Ensure that incidents are reported promptly and that corrective actions are taken to prevent their recurrence.
  • Maintain comprehensive documentation of all aspects of the outsourcing arrangement, including contractual agreements, performance records, incident reports, and compliance records related to OH&S.
  • Foster open communication and collaboration with the service provider regarding OH&S matters. Create a shared commitment to achieving safety goals and intended outcomes.
  • Continuously assess the effectiveness of the outsourcing arrangement in achieving your OH&S objectives. Identify areas for improvement and implement corrective actions as necessary.
  • Ensure that the outsourced functions and processes are integrated into your OH&S management system. Align documentation, reporting, and communication channels to maintain consistency.
  • Regularly review the outsourcing arrangement and assess its impact on your OH&S objectives and intended outcomes. Reevaluate the arrangement and make adjustments as needed.
  • Provide training to service providers and their employees on your organization’s OH&S objectives, policies, and procedures. Ensure that they understand and can contribute to achieving these objectives.
  • Consider ethical principles and social responsibilities when evaluating outsourcing arrangements. Ensure that service providers align with your organization’s ethical standards.

By following these steps, your organization can ensure that outsourcing arrangements are consistent with achieving the intended outcomes of the OH&S management system. This approach helps maintain a safe, compliant, and goal-aligned workplace that prioritizes the health and well-being of employees.

4) The type and degree of control to be applied to these functions and processes shall be defined within the OH&S management system.

Defining the type and degree of control to be applied to outsourced functions and processes within the Occupational Health and Safety (OH&S) management system is crucial to ensure that the outsourcing arrangements align with safety objectives and compliance requirements. Here’s how you can define and implement control measures:

  • Conduct a comprehensive risk assessment to determine the potential hazards and risks associated with the outsourced functions and processes. Consider the severity of consequences, likelihood of occurrence, and the organization’s tolerance for risk.
  • Based on the risk assessment, define control measures that are necessary to manage and mitigate the identified risks effectively. These measures should align with your OH&S objectives and compliance requirements.
  • Specify the type of control measures that should be applied. This could include preventive controls (to eliminate or reduce risks), detective controls (to identify issues when they occur), and corrective controls (to address issues and prevent recurrence).
  • Clearly define the objectives of the control measures. For example, if the outsourced process involves handling hazardous materials, the control objective may be to prevent accidents and exposure to these materials.
  • Ensure that the control measures align with all applicable OH&S laws, regulations, and standards. Verify that the service provider is aware of and complies with these requirements.
  • Document the control measures within your OH&S management system. This documentation should include detailed procedures, policies, guidelines, and any necessary forms or checklists.
  • Establish a system for monitoring the effectiveness of the control measures. Define key performance indicators (KPIs) to assess whether the intended control objectives are being met.
  • Clearly communicate the control measures and requirements to the service provider. Ensure that there is a shared understanding of the control expectations and objectives.
  • Define procedures for incident reporting and response within the outsourcing arrangement. Specify how incidents related to the outsourced processes should be reported, investigated, and resolved.
  • Conduct regular audits and inspections of the outsourced processes to verify compliance with control measures and identify any areas requiring improvement.
  • Review the effectiveness of the control measures during management reviews of the OH&S management system. Use the results of these reviews to make adjustments and improvements as necessary.
  • Encourage continuous improvement of the control measures and the outsourced processes. Regularly assess their effectiveness and identify opportunities for enhancement.
  • Develop contingency plans that outline how to manage unforeseen situations, such as emergencies or disruptions, while maintaining control over the outsourced processes.
  • Maintain records of control measures, monitoring activities, incident reports, and any corrective actions taken. Ensure that these records are easily accessible for review and audit purposes.
  • Ensure that employees, both within your organization and the service provider, are adequately trained and competent in implementing and adhering to the defined control measures.

By defining and implementing control measures within your OH&S management system, you can effectively manage and oversee outsourced functions and processes while aligning them with safety objectives and compliance requirements. This approach helps ensure a safe and compliant working environment for all parties involved.

Coordination with external providers can assist an organization to address any impact that outsourcing has on its OH&S performance.

Coordination with external providers, including service providers and contractors, is essential for addressing the impact that outsourcing can have on an organization’s Occupational Health and Safety (OH&S) performance. Effective coordination can help manage risks, maintain safety standards, and ensure that OH&S objectives are met. Here are key ways in which coordination with external providers can assist your organization:

  • Collaborate with external providers to conduct joint risk assessments. Identify and assess potential OH&S risks associated with outsourced functions or processes. Develop risk mitigation strategies and share best practices to ensure safety.
  • Include OH&S requirements and expectations in contractual agreements with external providers. Specify compliance with OH&S laws, regulations, and standards. Define responsibilities, reporting mechanisms, and performance metrics related to safety.
  • Establish a unified incident reporting and investigation protocol that involves both your organization and external providers. Promptly report and investigate incidents, near misses, and unsafe conditions to identify root causes and implement corrective actions.
  • Maintain open and transparent communication channels with external providers. Regularly exchange information regarding OH&S issues, safety performance, and lessons learned. Ensure that external providers can easily report safety concerns or incidents.
  • Collaborate on OH&S training and competency development for external providers and their employees. Share resources, materials, and expertise to ensure that everyone involved understands safety requirements and best practices.
  • Coordinate emergency response plans and procedures with external providers. Ensure that everyone knows their roles and responsibilities in case of emergencies, and establish communication protocols for emergency situations.
  • Implement joint performance monitoring, auditing, and inspection activities. Regularly assess external providers’ compliance with OH&S requirements and standards. Use these assessments to drive continuous improvement.
  • Share OH&S best practices, innovative solutions, and lessons learned with external providers. Collaboratively work to identify and implement improvements in safety management.
  • Periodically review and amend contractual agreements to reflect changes in OH&S requirements, organizational needs, or the scope of work. Ensure that the contracts remain aligned with safety objectives.
  • Conduct joint emergency drills and exercises with external providers to test preparedness and coordination in emergency scenarios.
  • Include external providers in OH&S performance reviews and management system evaluations. Gather feedback and insights from external providers to improve safety practices.
  • Establish mechanisms for resolving disputes or disagreements related to OH&S matters in a collaborative and constructive manner.
  • Ensure that external providers align their practices and procedures with your organization’s OH&S management system, including policies, objectives, and processes.
  • Foster a culture of mutual accountability for OH&S performance, where both your organization and external providers share responsibility for safety.

By actively coordinating with external providers, your organization can better address the impact of outsourcing on OH&S performance. This collaborative approach helps maintain a safe and compliant workplace, reduces risks, and supports the achievement of OH&S objectives and goals.

Documented Information required

  1. Outsourcing Policy and Strategy (Document):An outsourcing policy and strategy that outlines the organization’s approach to outsourcing OH&S-related functions and processes. This document should define the criteria for selecting service providers, risk assessment procedures, and the organization’s commitment to OH&S during outsourcing.
  2. Contracts and Agreements (Documents):Copies of contracts, agreements, and service level agreements (SLAs) with external service providers. These documents should clearly specify the scope of work, OH&S requirements, performance expectations, compliance obligations, and incident reporting procedures related to outsourced functions.
  3. Risk Assessment and Mitigation Plans (Documents): Documentation of risk assessments related to outsourced processes. This should include assessments of OH&S risks associated with the outsourced activities and the organization’s plans to mitigate these risks.
  4. Incident Reports (Records):Records of incidents, near misses, or accidents that occurred within the scope of outsourced processes. These records should detail the incidents, investigations, and corrective actions taken.
  5. Performance Monitoring and Auditing Records (Records): Records of performance monitoring, auditing, and inspections related to outsourced functions and processes. This should include audit reports, inspection records, and any findings related to OH&S compliance.
  6. Training Records (Records):Records of OH&S training provided to employees of external service providers involved in outsourced activities. These records should demonstrate that individuals working on behalf of the organization are adequately trained in OH&S matters.
  7. Incident Reporting and Response Records (Records): Records of incident reports, investigations, and response actions taken by both the organization and external service providers. These records should show the collaborative effort in managing OH&S incidents.
  8. Performance Evaluation Records (Records): Records of the performance evaluation of external service providers regarding their compliance with OH&S requirements, contractual obligations, and performance indicators outlined in the contracts or SLAs.
  9. Continuous Improvement Records (Records): Records of continuous improvement activities related to outsourced functions and processes. This includes records of actions taken to enhance safety, reduce risks, and improve performance.
  10. Communication Records (Records): Records of communication with external service providers regarding OH&S matters. This should include meeting minutes, email correspondences, and other forms of communication related to safety.
  11. Contractual Review and Amendment Records (Records): Records of periodic reviews and amendments of contractual agreements to ensure that they remain consistent with changing OH&S requirements and organizational needs.
  12. Documented Procedures for Outsourcing Control (Document): Documented procedures or guidelines that outline how the organization controls and manages outsourced processes. These procedures should cover the entire life-cycle of outsourcing, from selection to performance evaluation.
  13. Records of External Provider Selection (Records): Records of the selection process for external service providers, including the evaluation criteria, scoring, and rationale for selecting specific providers.
  14. Records of Legal and Regulatory Compliance (Records): Records demonstrating that external service providers comply with all relevant OH&S laws, regulations, and standards as specified in contractual agreements.

Example for procedure for outsourcing

1. Purpose

  • This procedure outlines the steps and responsibilities for evaluating, selecting, and managing external service providers to ensure the effective control of outsourced OH&S activities while maintaining compliance with ISO 45001:2018 and relevant OH&S regulations.

2. Scope

  • This procedure applies to all OH&S-related activities that are considered for outsourcing within the organization.

3. Responsibilities

  • OH&S Manager: The OH&S Manager is responsible for overseeing the outsourcing process, ensuring alignment with OH&S objectives, and monitoring the performance of external service providers.
  • Procurement Department: The procurement department is responsible for assisting in the selection and contractual negotiations with external service providers.
  • OH&S Team: The OH&S team is responsible for conducting risk assessments, evaluating external providers, and monitoring OH&S performance.

4. Procedure

4.1. Identification of Outsourcing Needs

  • Identify the OH&S-related activities and processes that are candidates for outsourcing based on organizational requirements and objectives.

4.2. Risk Assessment

  • Conduct a risk assessment for each identified outsourcing candidate to evaluate potential OH&S risks associated with outsourcing. Consider the scope, complexity, and criticality of the outsourced activity.

4.3. Evaluation of External Providers

  • Develop selection criteria and evaluation parameters for external service providers. Criteria may include OH&S compliance, experience, financial stability, and reputation.
  • Invite potential service providers to submit proposals, including their OH&S management systems, policies, and performance records.
  • Evaluate the proposals and conduct interviews or site visits as necessary to assess their commitment to OH&S and alignment with your organization’s goals.

4.4. Contractual Agreements

  • Develop detailed contractual agreements or service level agreements (SLAs) that explicitly address OH&S requirements, compliance obligations, performance expectations, and incident reporting procedures.
  • Ensure that the contractual agreements include provisions for periodic performance reviews, audits, and compliance checks.

4.5. Risk Mitigation and Control Measures

  • Develop and document risk mitigation plans to address OH&S risks associated with the outsourcing arrangement. Define control measures to ensure that risks are effectively managed.

4.6. Incident Reporting and Response

  • Establish procedures for incident reporting and response that involve both your organization and the external service provider. Specify how incidents related to the outsourced processes should be reported, investigated, and resolved.

4.7. Performance Monitoring and Auditing

  • Implement a system for monitoring and auditing the external service provider’s OH&S performance. Define key performance indicators (KPIs) and audit schedules.

4.8. Communication and Training

  • Communicate OH&S requirements, objectives, and expectations to the external service provider. Provide necessary training and resources to ensure understanding and compliance.

4.9. Continuous Improvement

  • Encourage continuous improvement by collaborating with the external service provider to identify and implement enhancements in OH&S management.

4.10. Review and Amendment of Agreements

  • Periodically review and amend contractual agreements to reflect changes in OH&S requirements, organizational needs, or the scope of work. Ensure that the contracts remain aligned with safety objectives.

5. Documentation

  • Maintain comprehensive documentation of all aspects of the outsourcing process, including risk assessments, contractual agreements, audit reports, incident records, and performance evaluations.

6. Training and Awareness

  • Ensure that employees involved in the outsourcing process are aware of and trained on this procedure and their respective responsibilities.

7. Review and Approval

  • This procedure shall be reviewed regularly and updated as necessary to reflect changes in outsourcing arrangements and OH&S requirements. The OH&S Manager shall be responsible for its periodic review and approval.

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a Reply