The organization shall establish, implement and maintain a process(es) for evaluating compliance with legal requirements and other requirements (see 6.1.3).
The organization shall:
a) determine the frequency and method(s) for the evaluation of compliance;
b) evaluate compliance and take action if needed (see 10.2);
c) maintain knowledge and understanding of its compliance status with legal requirements and other requirements;
d) retain documented information of the compliance evaluation result(s).
Annex A (Guidance on the use of this document) of ISO 45001:2018 further explains:
The frequency and timing of compliance evaluations can vary depending on the importance of the requirement, variations in operating conditions, changes in legal requirements and other requirements and the organization’s past performance. An organization can use a variety of methods to maintain its knowledge and understanding of its compliance status.
1) The organization shall establish, implement and maintain a process(es) for evaluating compliance with legal requirements and other requirements
Evaluating compliance with legal requirements and other requirements is a crucial aspect of an Occupational Health and Safety (OH&S) management system. It ensures that the organization is meeting its legal obligations and other relevant standards or regulations. Here’s a systematic approach to evaluating compliance:
- Begin by identifying all relevant legal requirements, including national, regional, and local laws and regulations related to OH&S. Additionally, identify any other requirements such as international standards, industry-specific guidelines, or contractual obligations that apply to your organization.
- Create a compliance register or matrix that lists all identified legal and other requirements. This register should include details such as the specific requirement, its source, applicable scope, and any relevant deadlines or review periods.
- Designate responsible individuals or roles within the organization for monitoring and evaluating compliance with each requirement. Clearly define roles and responsibilities to ensure accountability.
- Develop a schedule for regularly reviewing legal and other requirements. This schedule should align with the frequency of changes in regulations or standards. Consider conducting these reviews at least annually or when there are significant updates.
- Gather relevant information and data to assess compliance with each requirement. This may involve reviewing records, conducting inspections, and consulting with subject matter experts.
- Evaluate compliance with each requirement by comparing the organization’s practices, procedures, and activities to the specific obligations outlined in the legal and other requirements. Determine whether the organization is meeting the requirements fully, partially, or not at all.
- If any non-conformities or deviations from legal or other requirements are identified during the assessment, document them in a non-conformity report. Include details about the non-conformity, its impact, and any corrective actions needed.
- Implement corrective actions to address identified non-conformities promptly, following the nonconformity and corrective action process of clause 10.2. Corrective actions should include root cause analysis, resolution of the issue, and measures that stop it recurring.
- Maintain detailed records of compliance evaluations, non-conformity reports, corrective actions taken, and evidence of compliance. Keep these records well-organized and easily retrievable, because they are the documented information the standard requires in item d) above.
- Include compliance with legal and other requirements as a specific agenda item in regular management review meetings. Senior management should review the compliance status and effectiveness of corrective actions.
- Use the results of compliance evaluations to drive continuous improvement in the organization’s OH&S management system. Identify opportunities to enhance processes, training, or controls to maintain or improve compliance.
- Ensure that employees and relevant personnel are trained and aware of their responsibilities related to compliance with legal and other requirements. Training programs should cover the latest updates and changes.
- Communicate compliance status and any changes in requirements to relevant stakeholders, including employees, contractors, and regulatory authorities.
- Continuously monitor and stay informed about changes in legal and other requirements that may affect your organization’s operations. Establish a process for tracking updates.
- Consider engaging external auditors or specialists to conduct periodic assessments of compliance with legal and other requirements to provide an objective evaluation.
- Control all of these records (evaluations, corrective actions, management review minutes) under the documented information requirements of the OH&S management system (clause 7.5), so they are accurate, complete and retained for the required period.
By following this systematic approach, organizations can effectively evaluate and ensure compliance with legal requirements and other obligations related to occupational health and safety. This process helps mitigate legal risks, enhances workplace safety, and contributes to the overall success of the OH&S management system.
2) The organization shall determine the frequency and method(s) for the evaluation of compliance
Determining the frequency and methods for the evaluation of compliance with legal requirements and other obligations is an important step in maintaining an effective Occupational Health and Safety (OH&S) management system. The frequency and methods can vary depending on the nature of the requirements, the organization’s operations, and regulatory expectations. Here’s how to determine the frequency and methods for compliance evaluation:
- First, compile a comprehensive list of all relevant legal requirements, including national, regional, and local laws, regulations, and other requirements such as international standards, industry guidelines, and contractual obligations. Ensure that you have a clear understanding of what each requirement entails.
- Evaluate the importance and potential impact of each requirement on your organization’s OH&S performance. Consider factors such as the potential for harm, regulatory consequences, and stakeholder expectations.
- Categorize the identified requirements based on their criticality and impact. Common categories may include high risk, medium risk, low risk, and routine operational requirements.
- Determine how often compliance with each category of requirements should be evaluated. Factors to consider include:
  - Regulatory deadlines or review periods specified in laws or standards.
  - The rate of change in the regulatory environment.
  - Historical compliance performance and trends.
  - The complexity of the requirement and associated risks.
- Align the frequency and methods for compliance evaluation with your organization’s OH&S objectives and identified risks. High-risk areas or objectives may warrant more frequent evaluations.
- Choose appropriate methods for evaluating compliance. Methods may include:
  - Regular internal audits and inspections.
  - Third-party audits or assessments by external experts.
  - Self-assessments and checklists.
  - Monitoring and measurement activities, including data collection and analysis.
  - Review of incident reports, non-conformity reports, and corrective actions.
  - Document reviews and legal compliance software solutions.
  - Employee surveys and feedback mechanisms.
- Create a compliance evaluation plan that outlines the frequency, methods, and responsibilities for evaluating compliance with each category of requirement. Ensure that the plan is clear, well-documented, and aligns with your organization’s OH&S management system.
- Review the compliance evaluation plan periodically, or whenever there are significant changes in regulations or operations. Adjust the plan as needed to remain effective and up-to-date.
- Maintain records of compliance evaluations, findings, corrective actions, and evidence of compliance. The records should show that evaluations were carried out as planned (when, by whom, against which requirement) and that each finding was acted on.
- Communicate the compliance evaluation plan and results to relevant stakeholders, including employees, management, and OH&S committees.
- Use the results of compliance evaluations to drive continual improvement efforts in your OH&S management system. Identify areas for enhancement and corrective actions.
- Ensure that employees and relevant personnel are trained and aware of their roles and responsibilities in the compliance evaluation process.
By following these steps, organizations can tailor their compliance evaluation efforts to align with the specific legal requirements and other obligations that apply to their OH&S management system. This proactive approach helps mitigate risks, enhance safety, and maintain compliance effectively.
3) The organization shall evaluate compliance and take action if needed (see 10.2)
Evaluating compliance and taking necessary actions based on the evaluation findings is a fundamental part of maintaining a robust Occupational Health and Safety (OH&S) management system. Here’s a structured approach to evaluating compliance and the subsequent actions:
- Compliance Evaluation:
  - Identify Applicable Requirements: Begin by identifying and understanding the legal requirements, standards, regulations, and other obligations that apply to your organization’s OH&S.
  - Regular Monitoring: Continuously monitor and collect relevant data and information to assess compliance with these requirements. This may involve internal audits, inspections, incident investigations, and ongoing data analysis.
  - Assessment Frequency: Determine how frequently compliance evaluations should be conducted, considering factors such as the nature of the requirements, legal deadlines, the rate of regulatory change, and the organization’s risk profile.
- Compliance Assessment:
  - Compare Against Requirements: Evaluate the organization’s practices, procedures, and activities to determine whether they align with the specific requirements outlined in legal and other obligations.
  - Identify Non-Conformities: If any deviations or non-compliance issues are identified during the assessment, document them as non-conformities. Clearly specify the nature of the non-conformity and its implications.
- Corrective Actions:
  - Immediate Correction: Contain critical non-conformities or compliance breaches promptly to prevent further harm or violations. Clause 10.2 distinguishes this immediate correction of the situation from the corrective action that addresses its cause; both are needed.
  - Root Cause Analysis: Investigate the root causes of non-conformities to understand why they occurred. This is what makes the corrective action effective rather than a repeated fix of the same symptom.
  - Corrective Action Plans: Develop and implement detailed corrective action plans that outline the steps, responsibilities, and timelines for addressing non-conformities.
  - Verification: Verify the effectiveness of corrective actions to ensure that they have successfully addressed the non-conformities and that the non-conformity has not recurred.
- Preventive Actions:
  - Identify Potential Issues: Beyond addressing existing non-conformities, identify areas where compliance may be at risk in the future. This involves proactive risk assessments. ISO 45001:2018 has no separate preventive-action requirement; this activity is covered by the actions to address risks and opportunities in clause 6.1.
  - Preventive Action Plans: Develop plans to mitigate the compliance risks identified. These plans should include measures that stop non-conformities from occurring in the first place.
- Documentation:
  - Record Keeping: Maintain thorough records of compliance assessments, non-conformities, corrective actions, preventive actions, and verification activities.
- Management Review:
  - Management Review Meetings: Include compliance evaluation and actions as a recurring agenda item in OH&S management review meetings. Senior management should review the overall compliance status and the effectiveness of actions taken.
- Communication:
  - Internal Communication: Ensure that findings related to compliance evaluation and actions are effectively communicated to relevant personnel, including employees, managers, and OH&S committees.
- Continuous Improvement:
  - Learn from Experience: Use the outcomes of compliance evaluations to drive continual improvement efforts in the OH&S management system. Identify systemic issues and areas for enhancement.
- Training and Awareness:
  - Training: Ensure that employees and relevant personnel are trained and informed about compliance requirements and their roles in maintaining compliance.
- Regular Review and Adjustment:
  - Periodically review and update your compliance evaluation process and corrective/preventive action plans to adapt to changing regulatory requirements and organizational needs.
By following this systematic approach, organizations can effectively evaluate compliance, address non-conformities, prevent future issues, and continuously improve their OH&S management system. This ensures a proactive stance toward maintaining compliance and enhancing workplace safety.
4) The organization shall maintain knowledge and understanding of its compliance status with legal requirements and other requirements
Maintaining knowledge and understanding of compliance status with legal requirements and other requirements is a critical aspect of managing an effective Occupational Health and Safety (OH&S) management system. Here are steps to help organizations ensure they are well-informed about their compliance status:
- Begin by identifying and documenting all relevant legal requirements, including national, regional, and local laws and regulations related to OH&S, as well as other requirements such as international standards, industry guidelines, and contractual obligations.
- Create and maintain a compliance register or matrix that lists all identified legal and other requirements. This register should include details such as the specific requirement, its source, applicable scope, and any relevant deadlines or review periods.
- Clearly assign responsibility to individuals or roles within the organization for monitoring and tracking compliance with each requirement. Ensure that responsibilities are well-defined to avoid gaps in compliance oversight.
- Develop a systematic process for monitoring compliance with identified requirements. This may involve ongoing data collection, audits, inspections, and other monitoring activities.
- Regularly assess compliance with legal and other requirements. This assessment should involve comparing the organization’s practices, procedures, and activities against the specific obligations outlined in the requirements.
- Continuously collect relevant data and information to assess compliance. Use data analysis to identify trends, areas of concern, and potential non-conformities.
- Periodically review and verify the organization’s compliance status with legal and other requirements. This verification may involve internal audits, third-party assessments, or self-assessments.
- Identify and document any non-conformities or deviations from compliance with the requirements. Clearly specify the nature of the non-conformities and their implications.
- Implement corrective actions to address identified non-conformities promptly. Corrective actions should include root cause analysis, resolution of the issue, and measures that stop it recurring.
- Implement preventive actions to mitigate potential compliance risks before they become non-conformities; in ISO 45001:2018 this is handled through the actions to address risks and opportunities (clause 6.1).
- Maintain accurate and comprehensive records of compliance assessments, non-conformities, corrective actions, preventive actions, and evidence of compliance. The records should let an auditor reconstruct what was evaluated, when, by whom, and what was done about each finding.
- Effectively communicate compliance status and findings to relevant stakeholders, including employees, management, and OH&S committees.
- Include compliance status as a recurring agenda item in OH&S management review meetings. Senior management should review the overall compliance status and the effectiveness of actions taken.
- Use the outcomes of compliance assessments and evaluations to drive continuous improvement efforts in the OH&S management system. Identify areas for enhancement and systemic improvements.
- Ensure that employees and relevant personnel are trained and informed about compliance requirements and their roles in maintaining compliance.
- Continuously monitor and stay informed about changes in legal and other requirements that may affect your organization’s operations. Establish a process for tracking updates and ensuring that the compliance register is up-to-date.
By following these steps and maintaining a proactive approach to compliance management, organizations can effectively ensure they have knowledge and understanding of their compliance status with legal requirements and other obligations related to occupational health and safety. This helps mitigate risks, enhance safety, and demonstrate commitment to compliance excellence.
5) The organization shall retain documented information of the compliance evaluation result(s)
The specific records to be maintained by an organization for compliance evaluation can vary depending on the nature of the organization, its industry, and the legal requirements and other obligations it must adhere to. However, here is a list of common records that organizations typically maintain as part of their compliance evaluation efforts related to Occupational Health and Safety (OH&S):
- Compliance Register or Matrix:
  - A comprehensive list of all identified legal requirements, standards, regulations, and other obligations, along with their compliance status, assessment results, and any associated actions.
- Compliance Assessment Records:
  - Documentation of compliance assessments, which may include:
    - Dates of assessments.
    - Specific requirements being assessed.
    - Assessment methodologies.
    - Responsible personnel.
    - Assessment findings and results.
- Non-Conformity Reports:
  - Records of non-conformities or deviations from compliance identified during assessments. These should include details about the non-conformity, its impact, and any corrective actions taken.
- Corrective Action Records:
  - Documentation of corrective actions taken to address identified non-conformities, including:
    - Descriptions of the non-conformities.
    - Root cause analysis findings.
    - Corrective actions implemented.
    - Verification of the effectiveness of corrective actions.
- Preventive Action Records:
  - Records of preventive actions taken to mitigate potential compliance risks and prevent future non-conformities. These records should outline preventive measures and their effectiveness.
- Audit Reports:
  - Reports from internal or external audits focused on compliance evaluation, including audit scopes, findings, recommendations, and corrective actions.
- Inspection Reports:
  - Reports from routine inspections conducted to assess compliance with specific requirements or standards.
- Verification Records:
  - Documentation of verification activities, including assessments of the effectiveness of corrective and preventive actions.
- Compliance Documentation:
  - Copies of relevant legal documents, regulations, standards, and industry guidelines that serve as references for compliance assessment.
- Management Review Records:
  - Records of management review meetings, including discussions related to compliance status and actions taken to address compliance issues.
- Training Records:
  - Documentation of training provided to employees and relevant personnel regarding compliance requirements and their roles in compliance management.
- Records of Legal Updates:
  - Records of any updates or changes to legal requirements and other obligations that affect the organization’s compliance status.
- Evidence of Compliance:
  - Records demonstrating compliance with specific requirements, such as documentation of safety training, safety procedures, and incident reports.
- Documented Compliance Policies and Procedures:
  - Copies of policies and procedures related to compliance evaluation, including procedures for record-keeping and document control.
- Evidence of Communication:
  - Records demonstrating communication of compliance status and findings to relevant stakeholders, including employees and management.
- Record Retention Policy:
  - The organization’s record retention policy outlining retention periods, storage procedures, and disposal methods for compliance evaluation records.
Example of a procedure for compliance evaluation
1. Purpose:
- The purpose of this procedure is to establish a systematic process for evaluating and ensuring compliance with legal requirements and other obligations related to Occupational Health and Safety (OH&S).
2. Scope:
- This procedure applies to all activities, processes, and functions within the organization that have an impact on OH&S compliance.
3. Responsibility:
- The OH&S Manager is responsible for overseeing the implementation of this procedure.
- All employees and relevant stakeholders are responsible for contributing to the compliance evaluation process.
4. Procedure Steps:
4.1. Identification of Legal and Other Requirements:
- Identify and document all relevant legal requirements, including national, regional, and local laws, regulations, and standards related to OH&S. Additionally, identify any other requirements such as industry-specific guidelines, contractual obligations, and internal policies.
4.2. Compliance Register:
- Maintain a compliance register or matrix that lists all identified legal and other requirements. Include details such as the requirement’s source, scope, compliance status, assessment results, and any associated actions.
4.3. Compliance Assessment:
- Conduct regular compliance assessments to determine whether the organization is meeting its obligations. Assessments may include:
  - Internal audits.
  - Inspections.
  - Reviews of documentation.
  - Monitoring and measurement activities.
4.4. Compliance Monitoring:
- Continuously monitor data and information related to compliance, including incident reports, corrective actions, and regulatory updates.
4.5. Non-Conformity Identification:
- Identify and document non-conformities or deviations from compliance identified during assessments. Clearly specify the nature of the non-conformity, its impact, and its source.
4.6. Corrective Actions:
- Implement corrective actions to address identified non-conformities promptly. Corrective actions should include root cause analysis, resolution of the issue, and verification of effectiveness.
4.7. Preventive Actions:
- Implement preventive actions to mitigate potential compliance risks and prevent future non-conformities. These actions are proactive: they arise from the assessment of risks and opportunities (clause 6.1) rather than from an already identified non-conformity.
4.8. Documentation:
- Maintain comprehensive records of compliance assessments, non-conformities, corrective actions, preventive actions, and verification activities.
4.9. Management Review:
- Include compliance evaluation as a specific agenda item in OH&S management review meetings. Senior management should review the overall compliance status and the effectiveness of actions taken.
4.10. Communication:
- Effectively communicate compliance status and findings to relevant stakeholders, including employees, management, and OH&S committees.
4.11. Record Retention:
- Adhere to the organization’s record retention policy, ensuring that compliance evaluation records are stored securely and retained for the specified periods.
5. Performance Review:
- The organization reviews the effectiveness of this procedure through periodic assessments and updates it as necessary to ensure continual improvement.
6. References:
- ISO 45001:2018 – Occupational health and safety management systems – Requirements with guidance for use.
7. Revision History:
- Document the revision history of this procedure, including the date of revision, description of changes made, and the person responsible for the revision.