All organizations use processes to achieve their objectives. As per the ISO definition, “A process: the set of interrelated or interacting activities that use inputs to deliver an intended result. NOTE: Inputs and outputs may be tangible (e.g. materials, components or equipment) or intangible (e.g. data, information or knowledge).”
The process approach is the foundation upon which your QMS must be developed. ISO 9001:2008 promoted the adoption of a process approach when developing, implementing and improving the effectiveness of a quality management system, to enhance customer satisfaction by meeting customer requirements. ISO 9001:2015 makes this more explicit (in 4.4) by expanding the requirements around QMS processes, specifying requirements considered essential to the adoption of a process approach. For example: determining the inputs required and outputs expected from these processes; after determining the risks and opportunities and the plans to address them in 6.1, integrating these into its QMS processes (4.1.f – plan and implement actions); related performance indicators (4.4.1 c); and assignment of responsibilities and authorities for these processes (4.4.1 e).
For an organization to function effectively, it has to identify and manage numerous linked activities. Any activity, using resources and managed in order to enable the transformation of inputs into outputs, can be considered a process. Often the output from one process directly forms the input to the next. The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management, can be referred to as the “process approach”.
An advantage of the process approach is the ongoing control that it provides over the linkage between the individual processes within the system of processes, as well as over their combination and interaction.
When used within a quality management system, such an approach emphasizes the importance of:
An understanding of the intended results and requirements
Consideration of processes in terms of adding value and effective performance
Improvement of processes based on evaluation of data and information
Consistent and predictable results
Meeting requirements and customer satisfaction
Understanding and management of interrelated processes
The model of a process-based quality management system shown in the figure illustrates the process linkages presented in clauses 4 to 10. It shows that customer requirements, the needs and expectations of relevant interested parties, and the organization and its context all play a significant role in defining requirements as inputs. The output of the process is the result of the QMS, which includes the products and services the organization provides and which should result in customer satisfaction. The model shown in the figure covers all the requirements of this Standard but does not show processes at a detailed level.
Understanding Processes:
Let’s understand some basics about processes.
All work generally involves a process: things go in (inputs), get worked upon (conversion), and come out differently (output). The value-adding conversion activity within a process transforms inputs into outputs, e.g. it takes raw materials (the input) and manufactures (the value-adding conversion activity, using various resources) a product (the output).
Process inputs and outputs can be tangible, such as raw materials or finished product, or intangible, like information, e.g. a computerized drawing or specification.
All processes have a supplier and a customer. These suppliers and customers may be internal processes or external to your organization. Each process must have an accountable owner, i.e., having defined responsibility and authority to operate, control and improve their process.
All processes require the use of resources, e.g. – people, equipment, materials, technology, etc. These resources can be used as inputs (raw materials or information such as a customer specification) as well as for the value-adding conversion activity (e.g. use of machinery, equipment, computers, technology, people, etc.) to transform raw material (input) into finished product (output).
All processes must meet customer, organizational and applicable regulatory requirements. The performance of all processes can be monitored and measured. Gather performance data that can be analyzed to determine process effectiveness and whether any corrective action or improvement is needed.
As an example, the below process contains a set of activities that are interrelated (showing links from/to), interacting (showing inputs/ outputs), and the transformation of process inputs into process outputs.
Schematic Representation of the elements of single process
Procedures are typically used to control deviation where risks or hazards are present. A procedure is defined as ‘a specified way to carry out an activity or a process’, which may be a documented set of instructions, or simply an established way of doing a specific task that itself forms part of a larger process. In ISO 9001:2015 this might be considered captured, in the main, by ‘the availability of documented information that defines the characteristics of the products to be produced, the services to be provided, or the activities to be performed’. An organization’s QMS processes may be grouped or categorized in many ways. One logical way would include the following:
Customer Oriented Processes (COP’s):
These are product realization processes that determine customer requirements (inputs); design, make, deliver and service product (outputs) to customers; and determine customer satisfaction. These processes generally have the greatest degree of interaction with external customers. COP’s include marketing and sales, design and development, production, shipping, packaging, servicing/warranty, customer satisfaction, etc., whether performed onsite or off-site.
Support Oriented Processes (SOP’s):
These processes provide the necessary resources to COP’s to facilitate product realization. These processes generally have the greatest degree of interaction at an operational level with COP’s and, to a lesser degree, with other internal QMS processes. SOP’s include human resources, information technology, purchasing and receiving, laboratory, maintenance, tooling, facility management, etc., whether performed onsite or off-site.
Management Oriented Processes (MOP’s):
These processes provide the commitment, leadership, resources, review, and decision-making by top management. These processes generally interact with all QMS processes at the QMS planning and review level. MOP’s include business planning, management review, quality planning, resource planning, communication, etc., whether performed offsite or on-site.
Quality Management Processes (QMP’s):
These include all processes used to document, measure, analyze and improve all other processes. These processes provide quality management support to, and interact with, all QMS processes. QMP’s include document control, records control, monitoring and measurement of processes and product, internal audits, control of nonconforming product, corrective and preventive action, continual improvement, etc., whether performed onsite or off-site.
Outsourced Processes (OP’s):
An “outsourced process” is a process that the organization has identified as being needed for its quality management system (QMS), but which it has chosen to have carried out by an external party outside the managerial control of your facility and not subject to your QMS. These could include MOP’s, COP’s or SOP’s. They may be performed onsite or off-site. Examples include strategic planning done at head office; purchasing or design done at head office or another location; and heat treating, painting, welding, calibration, testing, sorting, HR, etc., done by an outside organization.
Implementing QMS using Process Approach
Your QMS is made up of a network of these value-adding processes that link, combine and interact with one another to collectively provide product or service. These processes are interdependent and can be defined by complex interactions. For example, any of the COP’s could interact with some or all of the MOP’s, SOP’s and QMP’s. Also note that resources (SOP’s) and QMP’s may be applied to all other processes. Interactions between QMS processes may occur at any of the three process stages (input, output or conversion activity). The interaction may occur in many different ways: physical, documentary, verbal, electronic, etc. For each process, we must identify these interactions, assess the risks of problems that may occur and implement appropriate controls to prevent them, e.g., if orders are communicated verbally by sales personnel to production, what is the risk that production errors will occur?
Therefore, in general, in order to plan and implement your QMS using the ‘Process Approach’, you must:
Identify the processes needed for the QMS.
Determine their sequence and interaction (show the sequence and interaction of your COP’s). There are many ways to document this, e.g., a high-level flowchart or a process map.
Determine the application of QMS processes throughout the organization (show how MOP’s, SOP’s and QMP’s are applied to each COP and to each other). There are many ways of documenting this. A popular way is through graphical representation, e.g. process maps.
Determine (plan) the criteria, methods, information, controls, and resources needed for each QMS process.
Identify the internal/external customer-required output.
Describe the processing activity that produces the output.
Identify the resources needed for the processing activity.
Identify the inputs for the process – information, materials, supplies, etc.
Define the process methods, procedures, forms, etc., that may be needed to produce the output.
Define the controls to prevent or eliminate the risk of errors, omissions, or nonconformities in the process activity. Controls may come from the ISO 9001 standard, customer, regulatory and your own organizational requirements.
Identify the interactions with the sources that provide the inputs (internal processes or external supplier), use the output (internal processes or external customer), or provide the resources (internal support process) to perform the process activity.
Implement your QMS according to your plan.
Monitor, measure and improve each QMS process and its interaction with other processes. Performance indicators to monitor and measure process performance may come from the ISO 9001 standard, customer, regulatory and your own organizational requirements. Performance indicators may relate to the process output as well as the process activity.
Performance indicators for process output must focus on meeting customer and regulatory requirements. Performance indicators for process activity should focus on measuring process effectiveness and efficiency.
It is useful to point out that while we do need to identify all QMS processes and describe their interaction, not all identified QMS processes need to be documented or documented in the detail described above.
PLAN-DO-CHECK-ACT (PDCA)
In addition, the methodology known as “Plan-Do-Check-Act” (PDCA) can be applied to all processes. PDCA can be briefly described as follows:
Plan: Establish the objectives and processes necessary to deliver results in accordance with customer requirements and the organization’s policies.
Do: Implement the processes.
Check: Monitor and check processes and product against policies, objectives, and requirements for the product, and report the results.
Act: Take actions to continually improve process performance.
PLAN-DO-CHECK-ACT (PDCA) is a very effective tool for business management and the ISO 9001 standard strongly recommends its use. PDCA is a dynamic cycle that can be applied to each of the organization’s processes, and also to the system of processes as a whole. It may be used to plan, implement, control and continually improve both product realization and other QMS processes.
Maintenance and continual improvement of QMS processes can be achieved by applying PDCA to processes at all levels within the organization, from executive high-level strategic processes, such as business planning or management review, to operational processes such as product realization or calibration.
PLAN:
For each QMS process you must establish:
Process owner and his/her accountability.
Process inputs, outputs, value adding or conversion activities and sequence/interaction of these activities (sub-processes) within the process. Many of the COP’s and SOP’s may have sub-processes.
Process policies, responsibilities and accountability.
Process objectives and performance indicators and methods to monitor and measure process performance to these objectives and indicators.
Resources such as facility, equipment, labor, materials, time, etc., needed.
Preventive and detective controls needed for process activity, input, output, and resources used.
Process documentation such as procedures, forms, work instructions, specification, etc.
The nature, method, frequency, and timing of interaction with other processes and where this interaction will occur – input, output, use of resources, conversion activity, etc.
You must pay a lot of attention to this stage of your QMS development. Planning must also consider how you will meet customer, applicable regulatory, and your own organizational requirements, in addition to ISO 9001 requirements.
DO:
Deploy and implement your QMS processes and manage and control them according to your plan as documented above.
CHECK:
Monitor and measure the effectiveness of your QMS processes against policies and objectives that you established under PLAN. Monitoring and measuring activity may focus on any or all of a process’s inputs; outputs; use of resources for conversion; and interaction with other processes.
ACT:
Collect and analyze your monitoring and measurement information and use it to determine the effectiveness of each process as well as your overall QMS in meeting requirements. Use the information to correct problems and continually improve individual processes.
CONTINUOUS IMPROVEMENT PROCESS MODEL
The above figure shows the macro-level application of the PDCA model to an entire organization. The organization’s QMS, as depicted by the processes within the circle, is used to PLAN the controls over all inputs, resources, value-adding activities and outputs. We DO implement our plan by using various resources to convert customer inputs (requirements) into outputs (product) that meet customer requirements. We CHECK by monitoring and measuring QMS performance and through customer feedback. We ACT by using this information to continually improve QMS effectiveness. At the micro level, this same model can be applied to each QMS process.
The process approach in ISO 9001:2015
The process approach includes establishing the organization’s processes to operate as an integrated and complete system.
The management system integrates processes and measures to meet objectives
Processes define interrelated activities and checks, to deliver intended outputs
Detailed planning and controls can be defined and documented as needed, depending on the organization’s context.
These three concepts together form an integral part of the ISO 9001:2015 standard. Risks that may impact on objectives and results must be addressed by the management system. Risk‐based thinking is used throughout the process approach to:
Decide how risk (positive or negative) is addressed in establishing the processes to improve process outputs and prevent undesirable results
Define the extent of process planning and controls needed (based on risk)
Improve the effectiveness of the quality management system
Maintain and manage a system that inherently addresses risk and meets objectives
PDCA can be used to manage processes and systems.
Plan: set the objectives of the system and processes to deliver results (“What to do” and “how to do it”)
Do: implement and control what was planned
Check: monitor and measure processes and results against policies, objectives and requirements and report results
Act: take actions to improve the performance of processes
PDCA operates as a cycle of continual improvement, with risk‐based thinking at each stage.
Steps in the process approach
For each step below, the first paragraph states what to do and the numbered points give guidance.
Define the context of the organization
The organization should identify its responsibilities, the relevant interested parties and their relevant requirements, needs & expectations to define the organization’s intended purpose.
1. Gather, analyze and determine external and internal responsibilities of the organization to satisfy the relevant requirements, needs, and expectations of the relevant interested parties.
2. Monitor or communicate frequently with these interested parties to ensure continual understanding of their requirements, needs and expectations.
Define the scope, objectives, and policies of the organization
Based on the analysis of the requirements, needs and expectations establish the scope, objectives, and policies that are relevant for the organization’s quality management system.
1. The organization shall determine the scope, boundaries, and applicability of its management system taking into consideration the internal and external context and interested party requirements.
2. Decide which markets the organization should address.
3. Top management should then establish objectives and policies for the desired outcomes.
Determine the processes in the organization
Determine the processes needed to meet the objectives and policies and to produce the intended outputs.
1. Management shall determine the processes needed for achieving the intended outputs.
2. These processes include management, resources, operations, measurement, analysis, and improvement.
Determine the sequence of the processes
Determine how the processes flow in sequence and interaction.
Define and describe the network of processes and their interaction. Consider the following:
1. The inputs and outputs of each process (which may be internal or external).
2. Process interaction and interfaces on which processes depend or enable.
3. Optimum effectiveness and efficiency of the sequence.
4. Risks to the effectiveness of process interaction. Note: As an example, realization processes (such as those needed to provide the products or services delivered to a customer) will interact with other processes (such as management, measurement, and procurement in the provision of resources). Process sequences and their interactions may be developed using tools such as modelling, diagrams, matrices, and flowcharts.
Define people who take process ownership and accountability
Assign responsibility and authority for each process.
1. Top Management should organize and define ownership, accountability, individual roles, responsibilities, working groups, remits, authority and ensure the competence needed for the effective definition, implementation, maintenance and improvement of each process and its interactions. Such individuals or remits are usually referred to as the Process Owners.
2. To manage process interactions, it may be useful to also establish a management system team that has a system overview across all the processes and may include representatives from the interacting processes and functions.
Define the need for documented information
Determine those processes that need to be formally defined and how they are to be documented.
1. Processes exist within the organization.
2. They may be formal or informal.
3. There is no catalogue or list of processes that have to be formally defined.
4. The organization should determine which processes need to be documented on the basis of risk‐based thinking, including, for example:
The size of the organization and its type of activities.
The complexity of its processes and their interactions.
The criticality of the processes.
The need for formal accountability of performance.
Processes can be formally documented using a number of methods, such as graphical representations, user stories, written instructions, checklists, flow charts, visual media or electronic methods including graphics and systemization. However, the method or technology chosen is not the goal. These methods are used to describe processes, which are the means to achieve the goals. Effective and organized processes can then deliver consistent and accountable operations and the desired objectives and results, which can then be improved.
Define the interfaces, risks and activities within the process
Determine the activities needed to achieve the intended outputs of the process and risks of unintended outputs.
1. Define the required outputs and inputs of the process.
2. Determine the risks to conformity of products, services, and customer satisfaction if unintended outputs are delivered.
3. Determine the activities, measures and inherent controls required to transform the inputs into the desired outputs.
4. Determine and define the sequence and interaction of the activities within the process.
5. Determine how each activity will be performed.
6. Ensure that the management system as a whole takes account of all material risks to the organization and users.
Note: In some cases, the customer may specify requirements not only for the outputs but also for the realization of a process.
Define the monitoring and measurement requirements
Determine where and how monitoring and measuring should be applied. This should be both for control and improvement of the processes and the intended process outputs. Determine the need for recording results.
Identify the validation necessary to assure effectiveness and efficiency of the processes and system. Take into account such factors as:
1. Monitoring and measuring criteria.
2. Reviews of performance.
3. Interested parties’ satisfaction.
4. Supplier performance.
5. On-time delivery and lead times.
6. Failure rates and waste.
7. Process costs.
8. Incident frequency.
9. Other measures of conformity with requirements.
Implement
Implement actions necessary to achieve planned activities and results.
The organization should perform activities, monitoring, measures and controls of defined processes and procedures (which may be automated), outsourcing and other methods necessary to achieve planned results.
Define the resources needed
Determine the resources needed for the effective operation of each process.
Confirm that the process is effective and that the characteristics of the processes are consistent with the purpose of the organization.
The organization should compare outputs against objectives to verify that all the requirements are satisfied. Processes are needed to gather data. Examples include measurement, monitoring, reviews, audits and performance analysis.
If you need assistance or have any doubt and need to ask any question, contact me at preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be very happy to publish them in this blog. Your comments and suggestions are also welcome.
ISO 9001:2015 focuses on change management in many places in the standard. Any change, whether in process, manpower, machinery, instruments, technology, raw materials, suppliers, customer requirements, legal requirements, etc., shall go through a defined change management process. One of the goals of ISO 9001:2015 is to enhance the requirements for addressing changes at the system and operational levels. The ISO 9001:2015 requirements provide a strong basis for a management system for business that supports the strategic direction of the organization. Once the organization has identified its context and interested parties, and then identified the processes that support this linkage, addressing changes becomes an increasingly important component of continued success. Once processes are determined, an organization will need to identify the risks and opportunities associated with these processes. To achieve the benefits associated with the determination of risks and opportunities, changes may be needed. These changes can be related to any element of the process, such as inputs, resources, persons, activities, controls, measurements, outputs, etc. The change process would include:
the change to be done
changes initiated by
reason for change
changes reviewed by
evaluation of change for consequences/effects on the overall performance of the quality system and further actions to be taken to resolve such effects
resources required to make change
skills required to make change
the final decision for change approval
changes to documents, as required by the change to be implemented.
Changes are intended to be beneficial to the organization and need to be carried out as determined by the organization. In addition, consideration of newly introduced risks and opportunities needs to be taken into account. To achieve the benefits associated with changes, the organization should consider all types of changes that may need to occur. These changes may be generated, for example, in:
Processes
Documented information
Tooling
Equipment
Employee training
Supplier selection
Supplier management
and many others
The successful management and control of these changes has become a core requirement within the organization’s QMS. These new requirements are referenced in ISO 9001:2015 as outlined below.
4.4.1 g) The organization shall establish, implement, maintain and continually improve a quality management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard. The organization shall determine the processes needed for the quality management system and their application throughout the organization, and shall evaluate these processes and implement any changes needed to ensure that these processes achieve their intended results;
5.3 e) Top management shall ensure that the responsibilities and authorities for relevant roles are assigned, communicated, and understood within the organization. Top management shall assign the responsibility and authority for ensuring that the integrity of the quality management system is maintained when changes to the quality management system are planned and implemented.
6.3 Planning of changes: When the organization determines the need for changes to the quality management system, the changes shall be carried out in a planned and systematic manner (see 4.4). The organization shall consider the: a) purpose of the changes and their potential consequences; b) integrity of the quality management system; c) availability of resources; d) allocation or reallocation of responsibilities and authorities.
8.1 Operational planning: The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.
8.3.6 Design and development changes: The organization shall identify, review and control changes made during, or subsequent to, the design and development of products and services, to the extent necessary to ensure that there is no adverse impact on conformity to requirements. The organization shall retain documented information on: a) design and development changes; b) the results of reviews; c) the authorization of the changes; d) the actions taken to prevent adverse impacts.
8.5.6 Control of changes: The organization shall review and control changes for production or service provision, to the extent necessary to ensure continuing conformity with requirements. The organization shall retain documented information describing the results of the review of changes, the persons authorizing the change, and any necessary actions arising from the review.
9.2.2 a) The organization shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements, and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits.
9.3.2 b) The management review shall be planned and carried out taking into consideration changes in the external and internal issues that are relevant to the quality management system.
9.3.3 b) The outputs of the management review shall include decisions and actions related to any need for changes to the quality management system;
10.2.1 f) When a nonconformity occurs, including any arising from complaints, the organization shall make changes to the quality management system, if necessary. Corrective actions shall be appropriate to the effects of the nonconformities encountered.
Things to consider when implementing the new requirement for Change
There are many triggers that can cause a change in the Quality Management System:
Customer feedback
Customer complaint
Product failure
Employee feedback
Innovation
Determined risk
Determined opportunity
Internal audit results
Management review results
Identified nonconformity
Many others
These recommendations are not necessarily applicable to every type of organization. Some changes need to be carefully managed while others can be safely ignored. In order to sort through this, the organization should consider a method to prioritize. To determine the priority, the organization should consider a methodology that allows them to take into account:
Consequences of the change
Likelihood of the consequence
Impact on customers
Impact on interested parties
Impact on quality objectives
Effectiveness of processes that are part of the QMS
others
Typical steps to Implement changes
Define the specifics of what is to be changed
Have a plan (tasks, timeline, responsibilities, authorities, budget, resources, needed information, others)
Engage other people as appropriate in the change process
Develop a communication plan (appropriate people within the organization, customers, suppliers, interested parties, etc. may need to be informed)
Have a cross-functional team review the plan to provide feedback on the plan and its associated risks
Train people
Measure the effectiveness
What changes may need to be made?
Change to a process (inputs, activities, outputs, controls, etc.)
Communication with customers
Communication with the supply chain
Additional controls for processes
Inspection
Employee training
Implement a new process
Provide documented information
Change existing documented information
Improve employee competence
Outsource a process
Many others
Other considerations:
Prior to making a change, the organization should consider unintended consequences
After making a change the organization should monitor the change to determine its effectiveness and to identify any additional problems that might be created
Records of some changes may be needed as part of the Quality Management System
Here are some tips and techniques to help you plan and implement your change in an effective, efficient and timely manner:
1. Change Must Be Realistic, Achievable, and Measurable
Before starting organizational change, ask yourself: What do we want to achieve with this change, why, and how will we know that the change has been achieved? Who is affected by this change, and how will they react to it? These questions relate strongly to the management of personal as well as organizational change.
2. Start At The Top But Involve Every Layer
As change is unsettling for employees across all organizational levels, the introduction of ISO 9001:2015 will place a focus on the CEO and leadership team for strength, support, decisiveness, and direction. Initiating the changes must include plans for identifying leaders throughout the company and pushing responsibility for design and implementation down through the organization, so that change systematically flows through it. At each layer of the organization, the managers and employees identified and trained must be aligned to the company’s vision, equipped to execute their specific mission, and motivated to make change happen.
3. Risk Thinking through Change Management
Within ISO 9001:2015, many QMS managers and coordinators have faced the challenge of how to implement risk thinking and risk assessment in their Quality Management System. The answer is easy – Your Risk Management Will Be Included In Your Change Management! Firstly, you need to evaluate any planned change by identifying the consequence and likelihood of the potential risks related to it. So, in addition to identifying the benefit of every change, why not also identify the risk involved with it?
Some typical risks of the changes are:
Resistance – Active and Passive
Change Put On Hold
Resources Not Made Available
Costs / Time Runs Over Budget
Obstacles Appear Unexpectedly
Change Fails to Achieve Expected Results
Side Effects of The Change
4. Make Your Change Management Integrated
Due to continuous organizational changes in the life cycle of businesses, there will always be a basis for uncertainty within the businesses. Why not bring these changes under one umbrella?
There are different internal and external sources initiating change throughout the organization. A change management tool, used as a single platform, enables you to plan, control and manage every change need in the organization, such as:
Strategic Business Changes
Changes in Product, Processes or System
Decisions Made (Management review meetings, board meeting, etc.)
Objectives and Targets (quality, safety or business goals)
Corrective (or preventive) Actions
Respond to Customer Complaints or undesired situations
Respond to Accidents, Incidents
Suggestions and Recommendations for Improvement
Change Management in easy steps
Prepare a change register to address and keep control of every change. This register can easily be made as an Excel sheet addressing the following items:
What needs to be changed?
Why is the change needed? Investigate causes in case of an incident or customer complaint.
Existing Situation? What is the environment telling you prior to beginning implementation of the change?
Who is doing what? – Individuals & Teams
What are the Resources Required? This includes cost, infrastructure, and human resources
What are the Timings and Deadlines?
What are your end objectives?
What Are The Potential Risks?
Identify and evaluate potential risks by determining the consequence and likelihood of each, with a contingency plan for each risk (see ISO 9001:2015 Clause 6.1)
Who / when / how will effectiveness and efficiency of change be monitored?
Current and additional required knowledge (see ISO 9001:2015 Clause 7.1.6)
Implementing the Change Management tool will help you with every single change suggested in ISO 9001:2015 and will be good practice for any other change such as business needs and daily decisions. Effective change management will support a smooth transition from the old Quality Management system to the new one and will be a good practice to manage all the other changes in your organization in the future.
CHANGE MANAGEMENT PROCESS
The change management process is the sequence of steps or activities that a change management team follows to apply change management to a change in order to drive individual transitions and ensure the project meets its intended outcomes.
1. READINESS ASSESSMENTS
Assessments are tools used by a change management team or project leader to assess the organization’s readiness to change. Readiness assessments can include organizational assessments, culture and history assessments, employee assessments, sponsor assessments, and change assessments. Each tool provides the project team with insights into the challenges and opportunities they may face during the change process. What to assess:
Assess the scope of the change:
How big is this change?
How many people are affected?
Is it a gradual or radical change?
Assess the readiness of the organization impacted by the change:
What is the value-system and background of the impacted groups?
How much change is already going on?
What type of resistance can be expected?
You will also need to assess the strengths of your change management team and change sponsors, then take the first steps to enable them to effectively lead the change process.
2. COMMUNICATION & COMMUNICATION PLANNING
Many managers assume that if they communicate clearly with their employees, their job is done. However, there are many reasons why employees may not hear or understand what their managers are saying the first time around. In fact, you may have heard that messages need to be repeated five to seven times before they are cemented into the minds of employees.
Three components of effective communication
The audience
What is communicated
When it is communicated
For example, the first step in managing change is building awareness around the need for change and creating a desire among employees. Therefore, initial communications are typically designed to create awareness around the business reasons for change and the risk of not changing. Likewise, at each step in the process, communications should be designed to share the right messages at the right time. Communication planning, therefore, begins with a careful analysis of the audiences, key messages, and the timing for those messages. The change management team or project leaders must design a communication plan that addresses the needs of frontline employees, supervisors, and executives. Each audience has particular needs for information based on their role in the implementation of the change.
3. SPONSOR ACTIVITIES & SPONSOR ROADMAPS
Business leaders and executives play a critical sponsor role in times of change. The change management team must develop a plan for sponsor activities and help key business leaders to carry out these plans. Research shows that sponsorship is the most important success factor.
Avoid confusing the notion of sponsorship with support
The CEO of the company may support your project, but that is not the same as sponsoring your initiative. Sponsorship involves active and visible participation by senior business leaders throughout the process, building a coalition of support among other leaders, and communicating directly with employees. Unfortunately, many executives do not know what this sponsorship looks like. A change manager or project leader’s role includes helping senior executives do the right things to sponsor the project.
4. CHANGE MANAGEMENT TRAINING FOR MANAGERS
Managers and supervisors play a key role in managing change. Ultimately, the manager has more influence over an employee’s motivation to change than any other person. Unfortunately, managers can be the most difficult group to convince of the need for change and can be a source of resistance. It is vital for the change management team and executive sponsors to gain the support of managers and supervisors. Individual change management activities should be used to help these managers through the change process. Once managers and supervisors are on board, the change management team must prepare a strategy to equip managers to successfully coach their employees through the change. They will need to provide training and guidance for managers, including how to use individual change management tools with their employees.
5. TRAINING DEVELOPMENT AND DELIVERY
Training is the cornerstone for building knowledge about the change and the required skills to succeed in the future state. Ensuring impacted people receive the training they need at the right time is a primary role of change management. This means training should only be delivered after steps have been taken to ensure impacted employees have the awareness of the need for change and the desire to support the change. Change management and project team members will develop training requirements based on the skills, knowledge, and behaviors necessary to implement the change. These training requirements will be the starting point for the training group or the project team to develop and deliver training programs.
6. RESISTANCE MANAGEMENT
Resistance from employees and managers is normal and can be proactively addressed. Persistent resistance, however, can threaten a project. The change management team needs to identify, understand and help leaders manage resistance throughout the organization. Resistance management comprises the processes and tools used by managers and executives, with the support of the change team, to manage employee resistance.
7. EMPLOYEE FEEDBACK AND CORRECTIVE ACTION
Managing change is not a one-way street; employee involvement is a necessary and integral part of managing change. Feedback from employees as a change is being implemented is a key element of the change management process. Change managers can analyze feedback and implement corrective action based on this feedback to ensure full adoption of the changes.
8. RECOGNIZING SUCCESS AND REINFORCING CHANGE
Early adoption, successes, and long-term wins must be recognized and celebrated. Individual and group recognition is a necessary component of change management in order to cement and reinforce the change in the organization. Continued adoption needs to be monitored to ensure employees do not slip back into their old ways of working.
9. AFTER-PROJECT REVIEW
The final step in the change management process is the after-action review. It is at this point that you can stand back from the entire program, evaluate successes and failures, and identify process changes for the next project. This is part of the ongoing, continuous improvement of change management for your organization and ultimately leads to change competency. These elements comprise the areas or components of a change management program. Along with the change management process, they create a system for managing change. Good project managers apply these components effectively to ensure project success, avoid the loss of valued employees and minimize the negative impact of the change on productivity and a company’s customers.
Risk management principles are effectively utilized in many areas of business and government including finance, insurance, occupational safety, public health, pharmaceutical, pharmacovigilance, and by agencies regulating these industries. Risk is defined as the combination of the probability of occurrence of harm and the severity of that harm. However, achieving a shared understanding of the application of risk management among diverse stakeholders is difficult because each stakeholder might perceive different potential harms, place a different probability on each harm occurring and attribute different severities to each harm.
PRINCIPLES OF QUALITY RISK MANAGEMENT
Two primary principles of quality risk management are:
The evaluation of the risk to quality should be based on scientific knowledge and
The level of effort, formality, and documentation of the quality risk management process should be commensurate with the level of risk.
GENERAL QUALITY RISK MANAGEMENT PROCESS
Quality risk management is a systematic process for the assessment, control, communication, and review of risks to the quality of product across the product life-cycle. A model for quality risk management is outlined in the diagram. Other models could be used. The emphasis on each component of the framework might differ from case to case but a robust process will incorporate consideration of all the elements at a level of detail that is commensurate with the specific risk.
[Figure: Overview of a typical quality risk management process]
Decision nodes are not shown in the diagram above because decisions can occur at any point in the process. These decisions might be to return to the previous step and seek further information, to adjust the risk models, or even to terminate the risk management process based upon information that supports such a decision. Note: “unacceptable” in the flowchart does not only refer to statutory, legislative, or regulatory requirements but also indicates that the risk assessment process should be revisited.
Responsibilities
Quality risk management activities are usually, but not always, undertaken by interdisciplinary teams. When teams are formed, they should include experts from the appropriate areas, such as the quality unit, business development, engineering, regulatory affairs, production operations, sales and marketing, legal, and statistics, in addition to individuals who are knowledgeable about the quality risk management process.
Decision-makers should
take responsibility for coordinating quality risk management across various functions and departments of their organization and
ensure that a quality risk management process is defined, deployed, and reviewed and that adequate resources are available.
Initiating a Quality Risk Management Process
Quality risk management should include systematic processes designed to coordinate, facilitate and improve science-based decision making with respect to risk. Possible steps used to initiate and plan a quality risk management process might include the following:
Define the problem and/or risk question, including pertinent assumptions identifying the potential for risk
Assemble background information and/or data on the potential hazard, harm or human health impact relevant to the risk assessment
Identify a leader and critical resources
Specify a timeline, deliverables, and appropriate level of decision making for the risk management process
Risk Assessment
Risk assessment consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards. Quality risk assessments begin with a well-defined problem description or risk question. When the risk in question is well defined, an appropriate risk management tool and the types of information that will address the risk question will be more readily identifiable. As an aid to clearly defining the risk for risk assessment purposes, three fundamental questions are often helpful:
What might go wrong?
What is the likelihood (probability) it will go wrong?
What are the consequences (severity)?
Risk identification
Risk identification is a systematic use of information to identify hazards referring to the risk question or problem description. Information can include historical data, theoretical analysis, informed opinions, and the concerns of stakeholders. Risk identification addresses the “What might go wrong?” question, including identifying the possible consequences. This provides the basis for further steps in the quality risk management process.
Risk analysis
Risk analysis is the estimation of the risk associated with the identified hazards. It is the qualitative or quantitative process of linking the likelihood of occurrence and severity of harm. In some risk management tools, the ability to detect harm (detectability) also factors in the estimation of risk.
Risk evaluation
Risk evaluation compares the identified and analyzed risk against given risk criteria. Risk evaluations consider the strength of evidence for all three of the fundamental questions. In doing an effective risk assessment, the robustness of the data set is important because it determines the quality of the output. Revealing assumptions and reasonable sources of uncertainty will enhance confidence in this output and/or help identify its limitations. Uncertainty is due to a combination of incomplete knowledge about a process and its expected or unexpected variability. Typical sources of uncertainty include gaps in knowledge, gaps in process understanding, sources of harm (e.g., failure modes of a process, sources of variability), and the probability of detection of problems.
The output of a risk assessment is either a quantitative estimate of risk or a qualitative description of a range of risks. When the risk is expressed quantitatively, a numerical probability is used. Alternatively, risk can be expressed using qualitative descriptors, such as “high,” “medium,” or “low,” which should be defined in as much detail as possible. Sometimes a risk score is used to further define descriptors in risk ranking. In quantitative risk assessments, a risk estimate provides the likelihood of a specific consequence, given a set of risk-generating circumstances. Thus, quantitative risk estimation is useful for one particular consequence at a time. Alternatively, some risk management tools use a relative risk measure to combine multiple levels of severity and probability into an overall estimate of relative risk. The intermediate steps within a scoring process can sometimes employ quantitative risk estimation.
Risk Control
Risk control includes decision-making to reduce and/or accept risks. The purpose of risk control is to reduce the risk to an acceptable level. The amount of effort used for risk control should be proportional to the significance of the risk. Decision-makers might use different processes, including benefit-cost analysis, for understanding the optimal level of risk control. Risk control might focus on the following questions:
Is the risk above an acceptable level?
What can be done to reduce or eliminate risks?
What is the appropriate balance among benefits, risks, and resources?
Are new risks introduced as a result of the identified risks being controlled?
Risk reduction focuses on processes for mitigation or avoidance of quality risk when it exceeds a specified (acceptable) level. Risk reduction might include actions taken to mitigate the severity and probability of harm. Processes that improve the detectability of hazards and quality risks might also be used as part of a risk control strategy. The implementation of risk reduction measures can introduce new risks into the system or increase the significance of other existing risks. Hence, it might be appropriate to revisit the risk assessment to identify and evaluate any possible change in risk after implementing a risk reduction process.
Risk acceptance is a decision to accept risk. Risk acceptance can be a formal decision to accept the residual risk or it can be a passive decision in which residual risks are not specified. For some types of harm, even the best quality risk management practices might not entirely eliminate risk. In these circumstances, it might be agreed that an appropriate quality risk management strategy has been applied and that quality risk is reduced to a specified (acceptable) level. This (specified) acceptable level will depend on many parameters and should be decided on a case-by-case basis.
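The risk analysis, evaluation and control steps described above (scoring by severity, probability and detectability, comparing against acceptance criteria, then revisiting the assessment after a reduction measure that introduces a new risk), as an added example that is not part of the original article. The 1..5 scale, the product of the three descriptors as the risk score, and the sample hazards are all assumptions constructed for this illustration.

```python
"""Added example (not from the page): a small quality-risk register that scores
hazards on severity, probability and detectability, evaluates each score
against acceptance criteria, and re-assesses after a risk-reduction measure
that itself introduces a new hazard."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Qualitative descriptors mapped onto a 1..5 scale. The scale and the product
# severity x probability x detectability as the relative risk score are assumed
# conventions for this example; the page leaves the choice to the organization.
LEVELS: Dict[str, int] = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass(frozen=True)
class Hazard:
    name: str           # "What might go wrong?"
    consequence: str    # the harm that would result
    severity: str       # seriousness of the harm
    probability: str    # likelihood that the harm occurs
    detectability: str  # difficulty of detecting the problem ("high" = hard to detect)

    def score(self) -> int:
        """Relative risk estimate combining all three descriptors."""
        return LEVELS[self.severity] * LEVELS[self.probability] * LEVELS[self.detectability]


@dataclass(frozen=True)
class AcceptanceCriteria:
    """Risk evaluation criteria: scores above `acceptable` require risk reduction,
    and a severity at or above `severity_floor` is never accepted passively."""
    acceptable: int = 24
    severity_floor: str = "very high"


def evaluate(hazard: Hazard, criteria: AcceptanceCriteria) -> str:
    """Risk evaluation: compare the analysed risk against the given criteria."""
    if LEVELS[hazard.severity] >= LEVELS[criteria.severity_floor]:
        return "unacceptable"
    return "acceptable" if hazard.score() <= criteria.acceptable else "unacceptable"


@dataclass(frozen=True)
class Control:
    """A risk-reduction measure: revised descriptor levels for one hazard, plus
    any new hazard the measure introduces into the system."""
    target: str
    new_levels: Dict[str, str]
    introduces: Optional[Hazard] = None


def apply_control(register: List[Hazard], control: Control) -> List[Hazard]:
    """Apply the measure and return the revised register, which must be re-assessed."""
    revised = [replace(h, **control.new_levels) if h.name == control.target else h
               for h in register]
    if control.introduces is not None:
        revised.append(control.introduces)
    return revised


def assess(register: List[Hazard], criteria: AcceptanceCriteria) -> Dict[str, str]:
    """Risk assessment output: a verdict per hazard, ranked from highest score down."""
    ranked = sorted(register, key=lambda h: h.score(), reverse=True)
    return {h.name: evaluate(h, criteria) for h in ranked}


def residual_risks(register: List[Hazard], criteria: AcceptanceCriteria) -> List[str]:
    """Hazards still unacceptable after control, i.e. what cannot be accepted passively."""
    return [name for name, verdict in assess(register, criteria).items() if verdict == "unacceptable"]


# Constructed sample register (illustrative values only).
SAMPLE_REGISTER = [
    Hazard("mislabelled batch", "wrong product reaches the customer", "high", "medium", "high"),   # 4*3*4 = 48
    Hazard("late supplier delivery", "production schedule slips", "medium", "high", "very low"),  # 3*4*1 = 12
]
# A barcode verification step lowers the probability and improves the detectability
# of mislabelling (4*1*2 = 8) but introduces a new hazard of its own (2*3*2 = 12).
LABEL_CHECK = Control(
    target="mislabelled batch",
    new_levels={"probability": "very low", "detectability": "low"},
    introduces=Hazard("scanner misread halts the line", "unplanned downtime", "low", "medium", "low"),
)

if __name__ == "__main__":
    criteria = AcceptanceCriteria()
    print("before control:", assess(SAMPLE_REGISTER, criteria))
    revised = apply_control(SAMPLE_REGISTER, LABEL_CHECK)
    print("after control: ", assess(revised, criteria))
    print("residual unacceptable risks:", residual_risks(revised, criteria))
```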
Risk Communication
Risk communication is the sharing of information about risk and risk management between the decision-makers and others. Parties can communicate at any stage of the risk management process. The output/result of the quality risk management process should be appropriately communicated and documented. Communications might include those among interested parties (e.g., between regulators and industry, within a company, or within industry or a regulatory authority). The included information might relate to the existence, nature, form, probability, severity, acceptability, control, treatment, detectability, or other aspects of risks to quality. Communication need not be carried out for each and every risk acceptance. Between industry and regulatory authorities, communication concerning quality risk management decisions might be effected through existing channels as specified in regulations and guidance.
Risk Review
Risk management should be an ongoing part of the quality management process. A mechanism to review or monitor events should be implemented. The output/results of the risk management process should be reviewed to take into account new knowledge and experience. Once a quality risk management process has been initiated, that process should continue to be utilized for events that might impact the original quality risk management decision, whether these events are planned (e.g., results of the product review, inspections, audits, change control) or unplanned (e.g., root cause from failure investigations, recall). The frequency of any review should be based upon the level of risk. Risk review might include reconsideration of risk acceptance decisions.
RISK MANAGEMENT METHODS AND TOOLS
Quality risk management supports a scientific and practical approach to decision-making. It provides documented, transparent, and reproducible methods to accomplish the steps of the quality risk management process based on current knowledge about assessing the probability, severity, and, sometimes, detectability of the risk. Traditionally, risks to quality have been assessed and managed in a variety of informal ways (empirical and/or internal procedures) based on, for example, a compilation of observations, trends, and other information. Such approaches continue to provide useful information that might support topics such as handling of complaints, quality defects, deviations, and allocation of resources. An organization can assess and manage risk using recognized risk management tools and/or internal procedures (e.g., standard operating procedures). Below is a non-exhaustive list of some of these tools:
Basic Risk Management Facilitation Methods
Some of the simple techniques that are commonly used to structure risk management by organizing data and facilitating decision making are:
Flowcharts
Check Sheets
Process Mapping
Cause and Effect Diagrams (also called an Ishikawa diagram or fishbone diagram)
Hazard Analysis and Critical Control Points (HACCP)
HACCP is a systematic, proactive, and preventive tool for assuring product quality, reliability, and safety. It is a structured approach that applies technical and scientific principles to analyze, evaluate, prevent, and control the risk or adverse consequence(s) of hazard(s) due to the design, development, production, and use of products.
HACCP consists of the following seven steps:
conduct a hazard analysis and identify preventive measures for each step of the process
determine the critical control points
establish critical limits
establish a system to monitor the critical control points
establish the corrective action to be taken when monitoring indicates that the critical control points are not in a state of control
establish a system to verify that the HACCP system is working effectively
Preliminary Hazard Analysis (PHA)
PHA is a tool of analysis based on applying prior experience or knowledge of a hazard or failure to identify future hazards, hazardous situations, and events that might cause harm, as well as to estimate their probability of occurrence for a given activity, facility, product, or system. The tool consists of:
the identification of the possibilities that the risk event happens,
the qualitative evaluation of the extent of possible injury or damage to health that could result,
a relative ranking of the hazard using a combination of severity and likelihood of occurrence, and
Supporting Statistical Tools
Statistical tools can support and facilitate quality risk management. They can enable effective data assessment, aid in determining the significance of the data set(s), and facilitate more reliable decision making. A listing of some of the principal statistical tools commonly used is provided:
Control charts, for example, Acceptance control charts, Control charts with arithmetic average and warning limits, Cumulative sum charts, Shewhart control charts, Weighted moving average.
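Two of the control charts named above, a Shewhart chart with warning limits and a cumulative sum (CUSUM) chart, as an added example that is not part of the original article; the measurement series are constructed, and the 2-sigma/3-sigma limits and the CUSUM parameters k = 0.5 and h = 4 are common conventions assumed here.

```python
"""Added example (not from the page): two of the control charts listed above,
a Shewhart individuals chart with 2-sigma warning limits and 3-sigma control
limits, and a tabular CUSUM, run over constructed measurement series."""
from statistics import mean, stdev
from typing import Dict, List


def control_limits(baseline: List[float], warn_k: float = 2.0, ctrl_k: float = 3.0) -> Dict[str, float]:
    """Estimate the centre line, warning limits and control limits from an in-control baseline."""
    mu, sigma = mean(baseline), stdev(baseline)
    return {"centre": mu, "sigma": sigma,
            "ucl": mu + ctrl_k * sigma, "lcl": mu - ctrl_k * sigma,
            "uwl": mu + warn_k * sigma, "lwl": mu - warn_k * sigma}


def shewhart_flags(values: List[float], limits: Dict[str, float]) -> List[str]:
    """Classify each point as 'ok', 'warning' (outside the warning limits)
    or 'out' (outside the control limits)."""
    flags = []
    for x in values:
        if x > limits["ucl"] or x < limits["lcl"]:
            flags.append("out")
        elif x > limits["uwl"] or x < limits["lwl"]:
            flags.append("warning")
        else:
            flags.append("ok")
    return flags


def cusum_signal(values: List[float], target: float, sigma: float, k: float = 0.5, h: float = 4.0) -> int:
    """Tabular CUSUM: accumulate deviations from the target beyond k*sigma in each
    direction and signal when either sum exceeds h*sigma.
    Returns the index of the first signal, or -1 if the series never signals."""
    s_hi = s_lo = 0.0
    for i, x in enumerate(values):
        s_hi = max(0.0, s_hi + (x - target) - k * sigma)
        s_lo = max(0.0, s_lo + (target - x) - k * sigma)
        if s_hi > h * sigma or s_lo > h * sigma:
            return i
    return -1


# Constructed data: an in-control baseline phase (mean 10.0), a phase with two
# isolated excursions, and a phase with a small sustained upward shift of 0.2..0.3.
BASELINE = [10.0, 10.2, 9.8, 10.1, 9.9, 10.3, 9.7, 10.0, 10.1, 9.9,
            10.2, 9.8, 10.0, 10.1, 9.9, 10.0, 10.2, 9.8, 10.1, 9.9]
EXCURSIONS = [10.1, 9.9, 10.4, 10.6, 10.0, 10.2, 10.3, 10.3, 10.4, 10.2]
DRIFT = [10.2, 10.3, 10.2, 10.3, 10.2, 10.3, 10.2, 10.3, 10.2, 10.3]

if __name__ == "__main__":
    limits = control_limits(BASELINE)
    print({name: round(v, 3) for name, v in limits.items()})
    print("excursions:", shewhart_flags(EXCURSIONS, limits))
    # The small sustained shift never crosses a warning limit on the Shewhart chart...
    print("drift (Shewhart):", shewhart_flags(DRIFT, limits))
    # ...but the CUSUM accumulates it and signals after a few points.
    print("drift (CUSUM signal index):", cusum_signal(DRIFT, limits["centre"], limits["sigma"]))
```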
One of the key changes in the 2015 revision of ISO 9001 is to establish a systematic approach to risk, rather than treating it as a single component of a quality management system. In previous editions of ISO 9001, a clause on preventive action was separated from the whole. Now risk is considered and included throughout the standard. By taking a risk-based approach, an organization becomes proactive rather than purely reactive, preventing or reducing undesired effects and promoting continual improvement. Preventive action is automatic when a management system is risk-based.
Risk-based thinking is something we all do automatically and often sub-consciously. For example, if I wish to cross a road I look for traffic before I begin. I will not step in front of a moving car. The concept of risk has always been implicit in ISO 9001 – this revision makes it more explicit and builds it into the whole management system. Risk is considered from the beginning and throughout the standard, making preventive action part of strategic planning as well as operation and review.
Risk-based thinking is already part of the process approach. For example, to cross the road I may go directly or I may use a nearby footbridge. Which process I choose will be determined by considering the risks. Risk-based thinking makes preventive action part of the routine.
Risk is often thought of only in a negative sense. Risk-based thinking can also help to identify opportunities. This can be considered to be the positive side of risk. Crossing the road directly gives me an opportunity to reach the other side quickly, but there is an increased risk of injury from moving cars. The risk of using a footbridge is that I may be delayed. The opportunity of using a footbridge is that there is less chance of being injured by a car. Opportunity is not always directly related to risk, but it is always related to the objectives. By considering a situation it may be possible to identify opportunities to improve.
Opportunities for improvement might include a subway leading directly under the road, pedestrian traffic lights, or diverting the road so that the area has no traffic. It is necessary to analyze the opportunities and consider which can or should be acted on. Both the impact and the feasibility of taking an opportunity must be considered. Whatever action is taken will change the context and the risks, and these must then be reconsidered.
Identify what your risks are – it depends on context
Example:
If I cross a busy road with many fast-moving cars the risks are not the same as if the road is small with very few moving cars. It is also necessary to consider such things as weather, visibility, personal mobility, and specific personal objectives.
Understand your risks
What is acceptable, what is unacceptable? What advantages or disadvantages are there to one process over another?
Example:
Objective: I need to safely cross a road to reach a meeting at a given time.
It is UNACCEPTABLE to be injured.
It is UNACCEPTABLE to be late.
Reaching my goal more quickly must be balanced against the likelihood of injury. It is more important that I reach my meeting uninjured than it is for me to reach my meeting on time. It may be ACCEPTABLE to delay arriving at the other side of the road by using a footbridge if the likelihood of being injured by crossing the road directly is high. I analyze the situation. The footbridge is 200 meters away and will add time to my journey. The weather is good, the visibility is good and I can see that the road does not have many cars at this time. I decide that walking directly across the road carries an acceptably low level of risk of injury and will help me reach my meeting on time.
The main objectives of ISO 9001 are to provide confidence in the organization’s ability to consistently provide customers with conforming goods and services and to enhance customer satisfaction. The concept of “risk” in the context of ISO 9001 relates to the uncertainty in achieving these objectives.
Plan actions to address the risks
How can I avoid or eliminate the risk? How can I mitigate risks?
Example:
I could eliminate the risk of injury caused by being hit by a vehicle if I use the footbridge but I have already decided that the risk involved in crossing the road is acceptable. Now I plan how to reduce either the likelihood or the impact of the injury. I cannot reasonably expect to control the impact of a car hitting me. I can reduce the probability of being hit by a car. I plan to cross at a time when there are no cars moving near me and so reduce the likelihood of an accident. I also plan to cross the road at a place where I have good visibility.
Implement the plan – take action
Example:
I move to the side of the road, check there are no barriers to the crossing. I check there are no cars coming. I continue to look for cars whilst crossing the road.
Check the effectiveness of the action – does it work?
Example:
I arrive at the other side of the road unharmed and on time: this plan worked and undesired effects have been avoided.
Learn from experience – improve
Example:
I repeat the plan over several days, at different times and in different weather conditions. This gives me data to understand that changing context (time, weather, the quantity of cars) directly affects the effectiveness of the plan and increases the probability that I will not achieve my objectives (being on time and avoiding injury). Experience teaches me that crossing the road at certain times of the day is very difficult because there are too many cars. To limit the risk I revise and improve my process by using the footbridge at these times. I continue to analyze the effectiveness of the processes and revise them when the context changes. I also continue to consider innovative opportunities:
can I move the meeting place so that the road does not have to be crossed?
can I change the time of the meeting so that I cross the road when it is quiet?
can we meet electronically?
DEFINITIONS
ISO 9001:2015 defines risk as the effect of uncertainty on an expected result.
An effect is a deviation from the expected – positive or negative.
Risk is about what could happen and what the effect of this happening might be.
Risk also considers how likely it is.
The target of a management system is to achieve conformity and customer satisfaction.
Explanation:
Risk is the possibility of events or activities impeding the achievement of an organization’s strategic and operational objectives. It is the volatility of potential outcomes. Risk can be defined by two parameters:
Severity (This is the Seriousness of the harm)
Probability (This is the Probability that the harm will occur)
Risk as Currently Stated in ISO 9001:2015
ISO 9001:2015 uses risk-based thinking to achieve this in the following way:
Clause 4 (Context) the organization is required to determine the risks which may affect this. The organization is also required to determine its QMS processes and to address its risks and opportunities
Clause 5 (Leadership) top management is required to commit to ensuring Clause 4 is followed. Top management is required to:
Promote awareness of risk-based thinking
Determine and address risks and opportunities that can affect product /service conformity
Clause 6 (Planning) the organization is required to identify risks and opportunities related to QMS performance and take appropriate actions to address them
Clause 7 (Support) the organization is required to determine and provide necessary resources (risk is implicit whenever “suitable” or “appropriate” is mentioned)
Clause 8 (Operation) the organization is required to manage its operational processes (risk is implicit whenever “suitable” or “appropriate” is mentioned). The organization is required to implement processes to address risks and opportunities.
Clause 9 (Performance evaluation) the organization is required to monitor, measure, analyze and evaluate the risks and opportunities.
Clause 10 (Improvement) the organization is required to correct, prevent or reduce undesired effects and improve the QMS and update risks and opportunities.
ISO 9001:2015 subclause 4.4.1—QMS and its processes
“The organization shall establish, implement, maintain and continually improve a quality management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard. The organization shall determine the processes needed for the quality management system and their application throughout the organization and shall determine: […] The organization shall: […] address the risks and opportunities as determined in accordance with the requirements of 6.1”
The organization must integrate the actions to address risks and opportunities into its QMS processes using the PDCA cycle. Not all processes of a quality management system represent the same level of risk in terms of the organization’s ability to meet its objectives, and the effects of uncertainty are not the same for all organizations. Each organization is therefore responsible for the extent to which it applies risk-based thinking and the actions it takes to address risk, including whether or not to retain documented information as evidence of its determination of risks.
ISO 9001:2015 subclause 5.1.1—General (leadership and commitment)
“Top management shall demonstrate leadership and commitment with respect to the quality management system by d) promoting the use of the process approach and risk-based thinking;”
ISO 9001:2015 requires that, when planning its QMS, top management implement and promote a culture of risk-based thinking throughout the organization in order to determine and address the risks and opportunities associated with: giving assurance that the QMS can achieve its intended result(s); providing conforming products and services and enhancing customer satisfaction; promoting desirable effects and improvement; and preventing, or mitigating, undesired effects.
ISO 9001:2015 subclause 5.1.2—Customer focus
“Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that: b) the risks and opportunities that can affect conformity of products and services and ability to enhance customer satisfaction are determined and addressed;”
This can be achieved by establishing process capabilities for each process, from manufacturing and assembly to packaging, product delivery and installation. Computing a simple indicator of process capability (Cp, the ratio of the specification tolerance to the process spread) or the capability adjusted for how well the process is centred between the specification limits (Cpk) helps managers quantify their process risk. The objective is to achieve the highest economically feasible capability for each process, thus minimizing the risk of producing so-called unintended output.
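As an added illustration of the Cp/Cpk indicator described above (example code, not from the original page or from ISO), the following Python computes both indices from a sample of measurements against specification limits, maps Cpk onto a coarse risk band, and ranks several hypothetical processes so the least capable one comes first. The process names, measurements, limits and the 1.0/1.33 band thresholds are all assumptions made for the example.

```python
"""Process capability (Cp, Cpk) as a quantitative process-risk indicator.

Added example; the process names, measurements and specification limits are
constructed, and the Cpk band thresholds are a conventional rule of thumb.
"""
from statistics import mean, stdev


def process_capability(measurements, lsl, usl):
    """Return (Cp, Cpk) for a sample against lower/upper specification limits.

    Cp  = (USL - LSL) / (6 * sigma)            spread of the process vs the tolerance
    Cpk = min((USL - mu) / (3 * sigma),
              (mu - LSL) / (3 * sigma))        also penalises an off-centre process
    The sample standard deviation is used as the estimate of sigma.
    """
    if usl <= lsl:
        raise ValueError("USL must be greater than LSL")
    if len(measurements) < 2:
        raise ValueError("at least two measurements are needed")
    mu = mean(measurements)
    sigma = stdev(measurements)
    if sigma == 0:
        raise ValueError("no variation in the sample: capability is undefined")
    cp = (usl - lsl) / (6 * sigma)
    cpk = min((usl - mu) / (3 * sigma), (mu - lsl) / (3 * sigma))
    return cp, cpk


def capability_risk_band(cpk):
    """Map Cpk onto a coarse risk band for a management summary.

    Thresholds of 1.0 and 1.33 are the usual rule of thumb (an assumption here):
    below 1.0 the process cannot reliably stay inside the specification.
    """
    if cpk < 1.0:
        return "high"
    if cpk < 1.33:
        return "medium"
    return "low"


# Constructed sample: {process name: (measurements, LSL, USL)}.
SAMPLE_PROCESSES = {
    "machining": ([9, 11, 9, 11, 10], 4.0, 16.0),    # centred, wide tolerance
    "assembly":  ([9, 11, 9, 11, 10], 7.0, 16.0),    # same spread, off-centre
    "packaging": ([8, 12, 8, 12, 10], 7.0, 13.0),    # spread wider than tolerance
}


def rank_processes_by_risk(processes):
    """Return [(name, Cp, Cpk, band)] with the least capable process first."""
    rows = []
    for name, (data, lsl, usl) in processes.items():
        cp, cpk = process_capability(data, lsl, usl)
        rows.append((name, round(cp, 3), round(cpk, 3), capability_risk_band(cpk)))
    rows.sort(key=lambda row: row[2])
    return rows


if __name__ == "__main__":
    for name, cp, cpk, band in rank_processes_by_risk(SAMPLE_PROCESSES):
        print(f"{name:10s} Cp={cp:.2f} Cpk={cpk:.2f} risk={band}")
```

Note how "assembly" has the same spread as "machining" but a lower Cpk: Cp alone would hide the fact that the process mean sits close to the lower limit, which is exactly the risk the centring-adjusted index is meant to expose.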
6.1—Actions to address risks and opportunities
6.1.1 “When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
a) give assurance that the quality management system can achieve its intended result(s)
b) enhance desirable effects
c) prevent, or reduce, undesired effects, and
d) achieve improvement.”
6.1.2 “The organization shall plan:
a) actions to address these risks and opportunities, and
b) how to
1) integrate and implement the actions into its quality management system processes (see 4.4), and
2) evaluate the effectiveness of these actions.
Any actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of goods and services and customer satisfaction.”
When planning its QMS, the organization must consider the risks and opportunities presented by external and internal issues, as well as the needs and expectations of interested parties relevant to its purpose and strategic direction. Means to address risks may include avoiding the risk, taking a risk in order to pursue an opportunity, removing the source of the risk, changing the likelihood or consequences, sharing the risk, or making an informed decision to retain the risk. Opportunities can arise from favourable circumstances that allow the organization to adopt new practices, launch new products, enter new markets, address new clients, reduce waste or improve productivity, grow relationships, use new technology, and pursue other desirable and viable opportunities that help it achieve its strategic direction and enhance customer satisfaction.
9.1.3 – Analysis and evaluation
“The organization shall analyze and evaluate appropriate data and information arising from monitoring and measurement. The results of the analysis shall be used to evaluate: e) the effectiveness of actions taken to address risks and opportunities;”
Planning also requires monitoring and measuring these actions and gathering, analyzing, and evaluating appropriate data and information to determine the effectiveness of such actions.
9.3.2 – Management review Inputs
“The management review shall be planned and carried out taking into consideration: e) the effectiveness of actions taken to address risks and opportunities (see 6.1)”
This planning must be periodically reviewed and updated as necessary when taking corrective actions or at management reviews. These actions must be proportional to the potential impact on the conformity of products and services.
10.2.1 – Nonconformity and corrective action
“When a nonconformity occurs, including any arising from complaints, the organization shall: e) update risks and opportunities determined during planning, if necessary;”
One could use failure mode and effects analysis (FMEA) to show that the risk priority number (RPN) has decreased as a result of a process change. This would not be difficult to do, but it is full of uncertainty because FMEA is based on subjective assessment.
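The before/after comparison just described, together with the caveat about subjective ratings, as an added Python example (not from the original page). It computes the RPN for one constructed failure mode before and after two hypothetical process changes, then asks whether the reduction survives a one-point error in every rating; the failure mode, the ratings and the tolerance of plus or minus one are assumptions, while RPN = severity x occurrence x detection on 1..10 scales is the conventional FMEA definition.

```python
"""FMEA risk priority number before and after a process change, with a check on
how much the conclusion depends on the subjective ratings.

Added example; the failure mode and the ratings are constructed. RPN = S x O x D
on 1..10 scales is the conventional FMEA definition.
"""
from itertools import product


def clamp(rating):
    """Keep a rating inside the 1..10 FMEA scale."""
    return max(1, min(10, rating))


def rpn(severity, occurrence, detection):
    """Risk priority number: severity x occurrence x (non-)detection, each 1..10."""
    for value in (severity, occurrence, detection):
        if not isinstance(value, int) or not 1 <= value <= 10:
            raise ValueError("FMEA ratings are integers from 1 to 10")
    return severity * occurrence * detection


def rpn_change(before, after):
    """Return (RPN before, RPN after, percent reduction) for one failure mode."""
    b, a = rpn(*before), rpn(*after)
    return b, a, round(100.0 * (b - a) / b, 1)


def rpn_range(ratings, tolerance=1):
    """(min, max) RPN when each rating may be off by up to +/- tolerance.

    This models the uncertainty of a subjective assessment: two assessors
    rarely agree to the point on severity, occurrence or detectability.
    """
    s, o, d = ratings
    values = [
        rpn(clamp(s + ds), clamp(o + do), clamp(d + dd))
        for ds, do, dd in product(range(-tolerance, tolerance + 1), repeat=3)
    ]
    return min(values), max(values)


def reduction_is_robust(before, after, tolerance=1):
    """True only if the worst case after the change still beats the best case before it."""
    _, worst_after = rpn_range(after, tolerance)
    best_before, _ = rpn_range(before, tolerance)
    return worst_after < best_before


# Constructed failure mode: "wrong torque applied at final assembly".
BEFORE = (8, 6, 5)           # S=8, O=6, D=5 -> RPN 240
AFTER_SMALL_FIX = (8, 3, 5)  # occurrence halved by a work instruction -> RPN 120
AFTER_BIG_FIX = (8, 2, 3)    # torque tool with automatic verification -> RPN 48

if __name__ == "__main__":
    for label, after in (("small fix", AFTER_SMALL_FIX), ("big fix", AFTER_BIG_FIX)):
        b, a, pct = rpn_change(BEFORE, after)
        print(f"{label}: RPN {b} -> {a} ({pct}% lower); "
              f"ranges {rpn_range(BEFORE)} -> {rpn_range(after)}; "
              f"robust to +/-1 rating error: {reduction_is_robust(BEFORE, after)}")
```

The point of `rpn_range` is the one the text makes: a headline drop from 240 to 120 looks convincing, yet the plausible ranges before and after still overlap, so the improvement cannot be claimed with confidence unless the change is large enough (or the ratings are anchored to measured data rather than opinion).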
Use of risk-based thinking
By considering risk-based thinking throughout the organization the likelihood of achieving stated objectives is improved, the output is more consistent and customers can be confident that they will receive the expected product or service.
Risk-based thinking, therefore:
builds a strong knowledge base
establishes a proactive culture of improvement
assures consistency of quality of goods or services
improves customer confidence and satisfaction
Use of Risk Register
The risk register or risk log becomes essential as it records identified risks, their severity and the action steps to be taken. It can be a simple document, spreadsheet or database system, but the most effective format is a table, since a table presents a great deal of information in just a few pages. There is no standard list of components that should be included in the risk register. Some of the most widely used components are:
Dates: As the register is a living document, it is important to record the date that risks are identified or modified. Optional dates to include are the target and completion dates.
Description of the Risk: A phrase that describes the risk.
Risk Type (business, project, stage): Business risks relate to the delivery of the achieved benefit; project risks relate to the management of the project, such as timeframes and resources; and stage risks are associated with a specific stage of the plan.
Likelihood of Occurrence: Provides an assessment of how likely it is that this risk will occur. Examples are L-Low (up to 30%), M-Medium (31-70%), H-High (above 70%).
Severity of Effect: Provides an assessment of the impact that the occurrence of this risk would have on the project.
Countermeasures: Actions to be taken to prevent, reduce, or transfer the risk. This may include the production of contingency plans.
Owner: The individual responsible for ensuring that the risk is appropriately managed and that the countermeasures are carried out.
Status: Indicates whether this is a current risk or if the risk can no longer arise and impact the project. Example classifications are C-current or E-ended.
Other columns such as quantitative value can also be added if appropriate.
Risk-driven approach in organizational processes
Identify what the risks and opportunities are; this depends on the context. For example, if I cross a busy road with many fast-moving cars, the risks are not the same as if the road is small with very few moving cars. It is also necessary to consider such things as weather, visibility, personal mobility and specific personal objectives.
Analyze and prioritize your risks and opportunities. What risk is acceptable and what is unacceptable? What advantages or disadvantages are there to one process over another? For example, suppose I need to safely cross a road to reach a meeting at a given time. It is UNACCEPTABLE to be injured. It is UNACCEPTABLE to be late. The opportunity of reaching my goal more quickly must be balanced against the likelihood of injury. It is more important that I reach my meeting uninjured than that I reach it on time. It may be ACCEPTABLE to delay arriving at the other side of the road by using a footbridge if the likelihood of being injured by crossing the road directly is high. I analyze the situation: the footbridge is 200 meters away and will add time to my journey; the weather is good, the visibility is good, and I can see that the road does not have many cars at this time. I decide that walking directly across the road carries an acceptably low risk of injury and an opportunity to reach my meeting on time.
Plan actions to address the risks. How can I avoid or eliminate the risk? How can I mitigate it? For example, I could eliminate the risk of injury by using the footbridge, but I have already decided that the risk involved in crossing the road is acceptable. Now I plan how to reduce the likelihood of injury and/or the effect of an injury. I cannot reasonably expect to control the effect of a car hitting me, but I can reduce the probability of being hit by a car. I plan to cross at a time when there are no cars moving near me and so reduce the likelihood of an accident. I also choose to cross the road at a place where I have good visibility and can safely stop in the middle to re-assess the number of moving cars, further reducing the probability of an accident.
Implement the plan; take action. For example, I move to the side of the road, check that there are no barriers to crossing and that there is a safe place in the center of the moving traffic. I check that there are no cars coming. I cross half of the road and stop in the central safe place. I assess the situation again and then cross the second part of the road.
Check the effectiveness of the actions: does the plan work? For example, I arrive at the other side of the road unharmed and on time; this plan worked and undesired outcomes have been avoided.
Learn from experience; continual improvement. For example, I repeat the plan over several days, at different times and in different weather conditions. This gives me data to understand that a changing context (time, weather, the quantity of cars) directly affects the effectiveness of the plan and increases the probability that I will not achieve my objectives of being on time and avoiding injury. Experience teaches me that crossing the road at certain times of the day is very difficult because there are too many cars. To limit the risk, I revise and improve my process by using the footbridge at these times. I continue to analyze the effectiveness of the process and revise it when the context changes. I also continue to consider innovative opportunities: Can I move the meeting place so that the road does not have to be crossed? Can I change the time of the meeting so that I cross the road when it is quiet? Can we meet electronically?
ISO 9000:2015 and ISO 9001:2015 are based on the following seven principles of quality management.
The Seven Principles
1 – Customer Focus
The primary focus of quality management is to meet customer requirements and to strive to exceed customer expectations.
Rationale
Sustained success is achieved when an organization attracts and retains the confidence of customers and other interested parties on whom it depends. Every aspect of customer interaction provides an opportunity to create more value for the customer. Understanding the current and future needs of customers and other interested parties contributes to the sustained success of an organization
Key Benefits (As per ISO 9000:2015)
There is an increase in customer value;
There is an increase in customer satisfaction;
There is an improvement in customer loyalty;
Repeat business is enhanced;
The reputation of the organization is enhanced;
There is an expansion of the customer base;
There is an increase in revenue and market share.
Possible actions (As per ISO 9000:2015)
Some of the possible actions that an organization can take to increase Customer Focus can include:
It must identify and recognize the direct and indirect customers of the organization who receive value from it;
It must understand customers’ current and future needs and expectations;
It must link its objectives to customer needs and expectations;
It must communicate customer needs and expectations throughout the organization;
It must plan, design, develop, produce, deliver and support products and services to meet customer needs and expectations;
It must measure and monitor customer satisfaction and take appropriate actions;
It must determine and take action on relevant interested parties’ needs and appropriate expectations that can affect customer satisfaction;
It must actively manage relationships with customers to achieve sustained success.
Explanation:
This is the first of the Seven Principles of quality management, and there is no change in the heading of this principle. The earlier eight-principle definition stated, “Organizations depend on their customers and therefore should understand current and future customer needs, should meet customer requirements and strive to exceed customer expectations.” The seven-principle definition states, “The primary focus of quality management is to meet customer requirements and to strive to exceed customer expectations.” First and foremost, the organization must have a clear understanding of who its direct customers and its indirect customers are. Being customer-focused means putting your energy into satisfying customers and understanding that profitability comes from satisfying customers. The organization should research, establish and understand current and future customer needs and expectations, and ensure that its objectives are linked to them. Top management should communicate customer needs and expectations throughout the organization. Customer satisfaction should be measured and acted upon, and the organization should ensure a balanced approach between satisfying customers and other interested parties.
2 – Leadership
Leaders at all levels establish unity of purpose and direction and create conditions in which people are engaged in achieving the quality objectives of the organization.
Rationale
The creation of unity of purpose, direction, and engagement enables an organization to align its strategies, policies, processes, and resources to achieve its objectives.
Key Benefits (As per ISO 9000:2015)
It increases the effectiveness and efficiency in meeting the organization’s quality objectives;
There is better coordination of the organization’s processes;
There is an improvement in communication between levels and functions of the organization;
It develops and improves the capability of the organization and its people to deliver the desired results.
Possible actions (As per ISO 9000:2015)
Some of the possible actions that an organization can take include:
It can communicate the organization’s mission, vision, strategy, policies, and processes throughout the organization;
It can create and sustain shared values, fairness and ethical models for behavior at all levels of the organization;
It can establish a culture of trust and integrity;
It can encourage an organization-wide commitment to quality;
It can ensure that leaders at all levels are positive examples to people in the organization;
It can provide people with the required resources, training and authority to act with accountability;
It can inspire, encourage and recognize the contribution of people.
Explanation:
This is the second of the Seven Principles of quality management, and there is no change in the heading of this principle. The earlier eight-principle definition stated, “Leaders establish unity of purpose and direction of the organization. They should create and maintain the internal environment in which people can become fully involved in achieving the organization’s objectives.” The seven-principle definition states, “Leaders at all levels establish unity of purpose and direction and create conditions in which people are engaged in achieving the quality objectives of the organization.” Leadership means providing role-model behaviour consistent with the values of the organization: behaviour that will deliver the organization’s objectives. The internal environment includes the culture and climate, management style, shared values, trust, motivation and support. Leaders should consider the needs of all interested parties, including customers, owners, employees, suppliers, financiers, local communities and society as a whole. They should establish a clear vision of the organization’s future, set challenging goals and targets, and create and sustain shared values, fairness and ethical role models at all levels of the organization. They should establish trust and eliminate fear, provide people with the required resources, training and freedom to act with responsibility and accountability, and inspire, encourage and recognize people’s contributions.
3 – Engagement of People
It is essential for the organization that all people are competent, empowered and engaged in delivering value. Competent, empowered and engaged people throughout the organization enhance its capability to create value.
Rationale
To manage an organization effectively and efficiently, it is important to involve all people at all levels and to respect them as individuals. Recognition, empowerment, and enhancement of skills and knowledge facilitate the engagement of people in achieving the objectives of the organization.
Key Benefits (As per ISO 9000:2015)
It improves understanding of the organization’s quality objectives by people in the organization and increased motivation to achieve them;
It enhances the involvement of people in improvement activities;
It enhances personal development, initiatives, and creativity;
It enhances people satisfaction;
It enhances trust and collaboration throughout the organization;
It increases attention to shared values and culture throughout the organization.
Possible actions (As per ISO 9000:2015)
Some of the possible actions that an organization can take include:
It can communicate with people to promote understanding of the importance of their individual contribution;
It can promote collaboration throughout the organization;
It can facilitate open discussion and sharing of knowledge and experience;
It can empower people to determine constraints to performance and to take initiatives without fear;
It can recognize and acknowledge people’s contribution, learning, and improvement;
It can enable self-evaluation of performance against personal objectives;
It can conduct surveys to assess people’s satisfaction, communicate the results and take appropriate actions.
Explanation:
This is the third of the Seven Principles of quality management; the term “Involvement of People” has been changed to “Engagement of People”. The earlier eight-principle definition stated, “People at all levels are the essence of an organization and their full involvement enables their abilities to be used for the organization’s benefit.” The seven-principle definition states, “It is essential for the organization that all people are competent, empowered and engaged in delivering value. Competent, empowered and engaged people throughout the organization enhance its capability to create value.” Engaging people means that employees are committed to their organization’s goals and values, motivated to contribute to organizational success, and able at the same time to enhance their own sense of well-being. An engaged employee experiences a blend of job satisfaction, organizational commitment, job involvement and feelings of empowerment. Engagement of people means that all employees are competent and empowered and that they deliver value. An engaged employee has a better perception of job importance and better clarity about job expectations, sees more improvement opportunities, and has regular feedback and dialogue with supervisors. The quality of an engaged employee’s working relationships with peers, superiors and subordinates is much improved, and employee communication is effective.
4 – Process Approach
Consistent and predictable results are achieved more effectively and efficiently when activities are understood and managed as interrelated processes that function as a coherent system.
Rationale
The quality management system is composed of interrelated processes. Understanding how results are produced by this system, including all its processes, resources, controls and interactions, allows the organization to optimize its performance.
Key Benefits (As per ISO 9000:2015)
It enhances the ability to focus effort on key processes and opportunities for improvement;
There are consistent and predictable outcomes through a system of aligned processes;
It can optimize performance through effective process management, efficient use of resources and reduced cross-functional barriers;
It enables the organization to provide confidence to interested parties related to its consistency, effectiveness, and efficiency.
Possible actions (As per ISO 9000:2015)
Some of the possible actions that an organization can take include:
It can define the objectives of the system and processes necessary to achieve them;
It can establish authority, responsibility, and accountability for managing processes;
It can understand the organization’s capabilities and determine resource constraints prior to action;
It can determine process interdependencies and analyze the effect of modifications to individual processes on the system as a whole;
It should manage processes and their interrelations as a system to achieve the organization’s quality objectives effectively and efficiently;
It can ensure the necessary information is available to operate and improve the processes and to monitor, analyze and evaluate the performance of the overall system;
It should manage risks which can affect outputs of the processes and overall outcomes of the QMS.
Explanation:
This is the fourth of the Seven Principles of quality management, and there is no change in the heading of this principle. The earlier eight-principle definition stated, “The desired result is achieved more efficiently when activities and related resources are managed as a process.” The seven-principle definition states, “Consistent and predictable results are achieved more effectively and efficiently when activities are understood and managed as interrelated processes that function as a coherent system.” Processes are dynamic: they cause things to happen. Processes within an organization should be structured to achieve a given objective in the most efficient and effective manner. The process approach helps in systematically defining the activities necessary to obtain the desired results, establishing clear responsibility and accountability for managing key activities, analyzing and measuring the capabilities of key activities, identifying the interfaces of key activities within and between the functions of the organization, and evaluating the risks, consequences and impacts of activities on customers, suppliers and other interested parties. A quality management system is constructed by connecting interrelated processes together to deliver the system objective, which is the satisfaction of the interested parties. This helps in structuring a system to achieve the organization’s objectives in the most effective and efficient way, understanding the interdependencies between the processes of the system, providing a better understanding of the roles and responsibilities necessary for achieving common objectives (thereby reducing cross-functional barriers), and targeting and defining how specific activities within a system should operate.
5 – Improvement
Successful organizations have an ongoing focus on improvement.
Rationale
Improvement is essential for an organization to maintain current levels of performance, to react to changes in its internal and external conditions and to create new opportunities.
Key Benefits (As per ISO 9000:2015)
There are improved process performance, organizational capability, and customer satisfaction;
There is an enhanced focus on root cause investigation and determination, followed by prevention and corrective actions;
There is an enhanced ability to anticipate and react to internal and external risks and opportunities;
There is enhanced consideration of both incremental and breakthrough improvement;
There is improved use of learning for improvement;
There is an enhanced drive for innovation.
Possible actions (As per ISO 9000:2015)
Some of the possible actions that an organization can take include:
It can promote the establishment of improvement objectives at all levels of the organization;
It can educate and train people at all levels on how to apply basic tools and methodologies to achieve improvement objectives;
It can ensure people are competent to successfully promote and complete improvement projects;
It can develop and deploy processes to implement improvement projects throughout the organization;
It can track, review and audit the planning, implementation, completion, and results of improvement projects;
It can integrate improvement consideration into the development of new or modified products and services and processes;
It can recognize and acknowledge improvement.
Explanation:
This is the fifth of the Seven Principles of quality management and maps to the sixth of the eight quality principles, “Continual Improvement”. The term “Continual Improvement” has been changed to “Improvement”. The fifth of the eight principles, “System approach to management”, no longer exists in the seven principles of quality management. The earlier eight-principle definition stated, “Continual improvement of the organization’s overall performance should be a permanent objective of the organization.” The seven-principle definition states, “Successful organizations have an ongoing focus on improvement.” Improvement here means improvement in organizational efficiency and effectiveness. The organization should employ a consistent organization-wide approach to improvement, provide people with training in the methods and tools of improvement, make improvement of products, processes and the system an objective for every individual in the organization, and establish goals to guide and lead improvement.
6 – Evidence-based Decision Making
Decisions based on the analysis and evaluation of data and information are more likely to produce desired results.
Rationale
Decision-making can be a complex process, and it always involves some uncertainty. It often involves multiple types and sources of inputs, as well as their interpretation, which can be subjective. It is important to understand cause-and-effect relationships and potential unintended consequences. Facts, evidence, and data analysis lead to greater objectivity and confidence in decisions made.
Key Benefits (As per ISO 9000:2015)
There is an improvement in decision-making processes;
There is an improvement in the assessment of process performance and ability to achieve objectives;
There is an improvement in operational effectiveness and efficiency;
There is an increased ability to review, challenge and change opinions and decisions;
There is an increased ability to demonstrate the effectiveness of past decisions.
Possible actions (As per ISO 9000:2015)
Some of the possible actions that an organization can take include:
It should determine, measure and monitor key indicators to demonstrate the organization’s performance;
It can make all data needed available to the relevant people;
It should ensure that data and information are sufficiently accurate, reliable and secure;
It can analyze and evaluate data and information using suitable methods;
It should ensure people are competent to analyze and evaluate data as needed;
It can make decisions and take actions based on evidence, balanced with experience and intuition.
Explanation:
This is the sixth of the Seven Principles of quality management and maps to the seventh of the eight quality principles, “Factual approach to decision making”. The term “Factual approach to decision making” has been changed to “Evidence-based Decision Making”. The earlier eight-principle definition stated, “Effective decisions are based on the analysis of data and information.” The seven-principle definition states, “Decisions based on the analysis and evaluation of data and information are more likely to produce desired results.” Evidence is information that shows or proves that something exists or is true. Evidence can be collected by performing observations, measurements or tests, or by using any other suitable method. Decision-making should always be based on evidence. The organization should ensure that data and information are sufficiently accurate and reliable, make data accessible to those who need it, analyze data using appropriate tools, and make decisions and take actions based on the analysis of data, balanced with experience and intuition.
7 – Relationship Management
For sustained success, organizations manage their relationships with interested parties, such as suppliers.
Rationale
Interested parties influence the performance of an organization. Sustained success is more likely to be achieved when an organization manages relationships with its interested parties to optimize their impact on its performance. Relationship management with its supplier and partner network is often of particular importance.
Key Benefits (As per ISO 9000:2015)
There is enhanced performance of the organization and its relevant interested parties through responding to the opportunities and constraints related to each interested party;
There is a common understanding of objectives and values among interested parties;
There is an increased capability to create value for interested parties by sharing resources and competence and managing quality-related risks;
There is a well-managed supply chain that provides a stable flow of products and services.
Possible actions (As per ISO 9000:2015)
Some of the possible actions that an organization can take include:
It can determine relevant interested parties (such as providers, partners, customers, investors, employees or society as a whole) and their relationship with the organization;
It can determine and prioritize interested party relationships that need to be managed;
It can establish relationships that balance short-term gains with long-term considerations;
It can gather and share information, expertise, and resources with relevant interested parties;
It can measure performance and provide performance feedback to interested parties, as appropriate, to enhance improvement initiatives;
It can establish collaborative development and improvement activities with providers, partners, and other interested parties;
It can encourage and recognize improvements and achievements by providers and partners.
Explanation:
This is the seventh of the Seven Principles of Quality Management and maps to the eighth of the Eight Quality Management Principles, “Mutually beneficial supplier relationships”. The term “Mutually beneficial supplier relationships” has been changed to “Relationship management”. The fifth of the Eight principles, “System approach to management”, no longer exists as a separate principle among the Seven. The Eight-principle definition stated: “An organization and its suppliers are interdependent and a mutually beneficial relationship enhances the ability of both to create value.” The Seven-principle definition states: “For sustained success, organizations manage their relationships with interested parties, such as suppliers.” An interested party is a person or group that has a stake in the success or performance of an organization. Interested parties may be directly affected by the organization or actively concerned about its performance, and they can come from inside or outside the organization. Examples include customers, suppliers, owners, partners, employees, unions, bankers, and members of the general public. Interested parties are also referred to as stakeholders. Relationship management with interested parties means sharing knowledge, vision, values and understanding, and not treating suppliers as adversaries. The organization establishes relationships that balance short-term gains with long-term considerations. Expertise and resources are pooled with partners. The organization identifies and selects key suppliers. There is clear and open communication with stakeholders, and information and future plans are shared. The organization establishes joint development and improvement activities, and it inspires, encourages and recognizes improvements and achievements by suppliers.
Due to the new structure and risk focus of the standard, there are no separate preventive action requirements in this clause. The organization should react to nonconformities and incidents, take action to control and correct them, deal with their consequences, and eliminate their causes so as to prevent recurrence. There are, however, some new and more detailed corrective action requirements. The first is to react to incidents or nonconformities in a timely manner, to control and correct them and to deal with the consequences. Root cause analysis can be used to explore all possible factors associated with an incident or nonconformity by asking what happened and why it happened. The second is to determine whether similar incidents or nonconformities exist, or could potentially occur, leading to corrective actions across the whole organization where necessary. Although the concept of preventive action has evolved, there is still a need to consider potential nonconformities, albeit as a consequence of an actual nonconformity.
The requirement for continual improvement has been extended to cover the suitability and adequacy of the OH&S management system as well as its effectiveness, through continual improvement objectives. Clause 10, the final major section, delineates the concept of continual improvement within the context of specific activities. Any organization wishing to adopt the principles of ISO 45001 must have a plan for addressing nonconformities in a timely manner. Organizations should take direct action to control conditions and deal with consequences. Nonconformities can be identified from investigations, audits, or other events. The corrective actions should be evaluated and the results documented. To achieve continual improvement, the organization shall have an OH&S management system that:
Prevents the occurrence of incidents and nonconformities
Promotes a positive OH&S culture
Enhances OH&S performance
10.1 General
The organization must determine opportunities for improvement and must implement necessary actions to achieve the intended outcomes of its OH&S management system.
As per Annex A (Guidance on the use of ISO 45001:2018 standard) of ISO 45001:2018 standard it further explains:
The organization should consider the results from analysis and evaluation of OH&S performance, evaluation of compliance, internal audits, and management review when taking action to improve. Examples of improvement include corrective action, continual improvement, breakthrough change, innovation, and re-organization.
Inputs to improvement come from the results discussed in Clause 9 (management review), including the analysis and evaluation of OH&S performance, internal audits, feedback from worker engagement, nonconformity and corrective action, incident and accident investigation and corrective action, and compliance obligations, including outputs arising from the introduction of new regulation. Several different methods of capturing improvement opportunities may be designed into the system, depending on the structure, activities and risks of the business discussed in Clauses 4 and 6. The organization must actively seek out and, where possible, realize opportunities for improvement that facilitate the achievement of the intended outcomes of the OH&S management system.
Outputs from management reviews, internal audits, and compliance and performance evaluations should all be used to form the basis for improvement actions. Improvement examples could include corrective action, reorganization, innovation, and continual improvement programs. The chosen methods must consider the following:
Means of reporting including incidents to the right groups of workers and interested parties
The timescale of reporting
How the information is going to be recorded as documented information, for example, near-miss report cards, accident reports, defect reports, reports to senior leadership
Involving workers in investigations and in root cause analysis
A structured system to prevent recurrence
Hierarchy of control measures to reduce risk as far as is reasonably practicable
Assessment of OH&S risks prior to the introduction of a corrective action to prevent the introduction of new hazards
Training and competence for workers and interested parties on the means of reporting OH&S hazards, incidents and opportunities for improvement
10.2 Incident, nonconformity and corrective action
The organization shall establish, implement and maintain a process (or processes), including reporting, investigating and taking action, to determine and manage incidents and nonconformities. When an incident or a nonconformity occurs, the organization must react in a timely manner, take action to control and correct it, and deal with the consequences. With the participation of workers and the involvement of other relevant interested parties, the organization must evaluate the need for corrective action to eliminate the root cause of the incident or nonconformity, so that it does not recur or occur elsewhere. To do this the organization must investigate the incident or review the nonconformity, determine its causes, and determine whether similar incidents have occurred, whether nonconformities exist, or whether they could potentially occur.
As appropriate, the organization must also review the existing assessments of OH&S risks and other risks; determine and implement any action needed, including corrective action, in accordance with the hierarchy of controls and the management of change; assess OH&S risks that relate to new or changed hazards prior to taking action; review the effectiveness of any action taken, including corrective action; and make changes to the OH&S management system if necessary. Corrective actions should be appropriate to the effects or potential effects of the incidents or nonconformities encountered. The organization must retain documented information as evidence of the nature of the incidents or nonconformities and any subsequent actions taken, and of the results of any action and corrective action, including their effectiveness. The organization must communicate this documented information to relevant workers and, where they exist, workers’ representatives, and to other relevant interested parties.
The reporting and investigation of incidents without undue delay can enable hazards to be eliminated and associated OH&S risks to be minimized as soon as possible.
As per Annex A (Guidance on the use of ISO 45001:2018 standard) of ISO 45001:2018 standard it further explains:
Separate processes may exist for incident investigations and nonconformities reviews, or these may be combined as a single process, depending on the organization’s requirements. Examples of incidents, nonconformities, and corrective actions can include, but are not limited to:
Incidents: same level fall with or without injury; broken leg; asbestosis; hearing loss; damage to buildings or vehicles where they can lead to OH&S risks;
nonconformities: protective equipment not functioning properly; failure to fulfil legal requirements and other requirements; or prescribed procedures not being followed;
corrective actions: eliminating hazards; substituting with less hazardous materials; redesigning or modifying equipment or tools; developing procedures; improving the competence of affected workers; changing frequency of use; using personal protective equipment.
Root cause analysis refers to the practice of exploring all the possible factors associated with an incident or nonconformity by asking what happened, how it happened, and why it happened, to provide the input for what can be done to prevent it from happening again. When determining the root cause of an incident or nonconformity, the organization should use methods appropriate to the nature of the incident or nonconformity being analyzed. The focus of root cause analysis is prevention. This analysis can identify multiple contributory failures, including factors related to communication, competence, fatigue, equipment, or procedures. Reviewing the effectiveness of corrective actions refers to the extent to which the implemented corrective actions adequately control the root causes.
The organization should have a process in place for reporting and investigating incidents and other nonconformities, and for taking action to correct them and deal with their consequences. Separate processes may exist for incident investigations and nonconformities reviews, or these may be combined as a single process. It is imperative that root cause analysis is carried out on the incident or nonconformity in order to take appropriate action to prevent a recurrence. Examples of incidents and nonconformities include but are not limited to:
Incidents: near misses, injuries and ill-health, and damage to property or equipment that could lead to OH&S risks; such as a broken leg, asbestosis, hearing loss;
Nonconformities: protective equipment not functioning properly; failure to fulfill legal requirements; prescribed processes or procedures not being followed; contractor behaving in an unsafe manner on-site.
When an incident or nonconformity occurs, the organization must react in a timely manner, act to control and correct it and deal with the consequences. It must evaluate the need for corrective action to eliminate the root cause of the incident or nonconformity in order to ensure that it does not recur or occur elsewhere in the organization by:
Investigating the incident or reviewing the nonconformity;
Finding out what caused the incident or nonconformity;
Finding out if similar incidents have occurred, if nonconformities exist, or if they could potentially occur.
The evaluation of the need for corrective action should be carried out with the active participation of workers and the involvement of other relevant interested parties. The aim of an incident investigation is to determine what happened, why it happened, and what can be done to prevent it from happening again. This means not only considering the immediate causes, but also the underlying or root causes and taking corrective action to address these causes. Almost all incidents have multiple causes. These can be related to a range of factors, including human behavior and competency, the nature of the tasks and processes, equipment, or management of the organization. The investigation should identify all areas that need improvement including improvements to the OH&S management system and propose appropriate corrective actions.
The level of investigation should be proportionate to the potential health and safety consequences of the incident. The incident should be recorded and reported internally and, where required, reported externally to the relevant regulatory body (for example the HSA or HSE, under applicable legislation such as the Safety, Health and Welfare at Work Act). Where practicable, the investigation should be led by a person independent of the activities being assessed and should include a worker or workers’ representative. In addition, the organization should:
Review existing OH&S risk assessments for continued suitability (e.g. did the risk assessment anticipate the occurrence of the incident or nonconformity);
Decide on and implement any action needed, including corrective action, in accordance with the hierarchy of controls and the management of change;
Assess OH&S risks that relate to new or changed hazards, prior to taking action;
Review the effectiveness of any action taken, including corrective action (e.g. the extent to which the implemented corrective actions adequately control the root cause);
Make changes to the OH&S management system if necessary, such as updating a process map or procedure.
Examples of corrective actions (as indicated by the hierarchy of controls) include, but are not limited to:
Eliminating hazards;
Substituting with less hazardous materials;
Redesigning or modifying equipment or tools;
Developing and implementing procedures or improving processes;
Improving the competency of affected workers;
Changing the frequency of use of equipment, etc.;
Using personal protective equipment.
Corrective actions should be appropriate to the effects or potential effects of the incidents or nonconformities encountered.
Root cause analysis refers to the practice of exploring all of the possible factors associated with an incident or nonconformity by ascertaining what happened, how it happened, and why it happened, to provide input for what can be done to prevent it from happening again. When determining the root cause of an incident or nonconformity, the organization should use methods appropriate to the nature of the incident or nonconformity being analyzed. The focus of root cause analysis is prevention. Root cause analysis can identify multiple contributory failures, including factors related to communication, competence, fatigue, equipment, or documentation. While root cause analysis is being performed, the organization may also have to undertake immediate but temporary actions to prevent the occurrence of the same nonconformity or incident. This would form part of the corrective action. The organization should retain documented information as evidence of:
The nature of the incidents that occurred or nonconformities encountered, and any subsequent actions taken;
The results of any actions and corrective actions taken, including their effectiveness.
The organization should communicate this documented information to relevant workers, and where they exist, workers’ representatives, and other relevant parties. It is worth noting that the investigation and reporting of incidents without undue delay can enable hazards to be eliminated and associated OH&S risks to be minimized as soon as possible.
Unlike the ISO 9001 quality and ISO 14001 environmental management system standards, ISO 45001 introduces ‘incident’ alongside nonconformity and corrective action. Clause 3 (‘Terms and definitions’) of the standard sets the parameters within which ‘incident’ is to be interpreted and reported: an incident is an occurrence arising out of, or in the course of, work that could or does result in injury and ill health. An incident in which no injury or ill health actually occurs is commonly referred to as a ‘near miss’, ‘near hit’ or ‘close call’. The organization must therefore implement a system of reporting that captures events that have not necessarily been foreseen within the processes of the management system. When a near miss is reported, the findings of the investigation may be recorded in a non-conformance report. Prevention of incidents and elimination of hazards is a key facet of the OH&S management system, and this is specifically addressed in the definition of organizational context and the assessment of risks and opportunities. Taking action to correct and control problems when they occur, and then investigating and taking corrective action on their root causes where necessary, is critical to preventing recurrence of process nonconformity. The following is a basic example of the process by which a reported incident leads to a non-conformance, corrective action and continual improvement; each step lists the event and the corresponding management system element (record, process or control).
Process: Incident
Event: A delivery vehicle, during a reversing manoeuvre, narrowly misses a worker.
Management system: The driver has completed the visitor induction, including the issue of the site map.

Process: Near miss report card
Event: The worker fills out a simple report card outlining the occurrence, with the assistance of the supervisor.
Management system: Near miss report cards are available across the site; process training is delivered during induction.

Process: Corrective action
Event: The supervisor immediately places cones and tape to prevent entry to the area of the incident.
Management system: Temporary corrective action.

Process: Investigation
Event: The supervisor discusses the circumstances with the delivery driver. The warehouse and site managers discuss the incident and review the associated risk assessment. Workers located in the area provide input.
Management system: Details are recorded as part of the investigation; the risk assessment is reviewed.

Process: Risk-based thinking solution
Event: Following the risk assessment review, including discussions with top management, physical barriers are placed on the pedestrian walkway to segregate pedestrians from vehicles. Additional lighting is installed. The barriers are incorporated into the maintenance programme.
Management system: Risk assessment revised; delivery driver induction modified to include the barrier walkways; non-conformance report completed with root cause analysis and recorded in the incident report register; maintenance programme updated.

Process: Communication
Event: The delivery driver (a worker) is contacted and provided with incident feedback and closure. The worker who reported the near miss is provided with feedback.
Management system: Incident report sent to the transport company; the reporting worker signs the corrective action report as evidence of feedback.

Process: Review
Event: The incident is discussed at the safety committee and management meetings. The responsible supervisor reports on the effectiveness of the introduced changes.
Management system: Safety committee and management meeting minutes; committee meeting minutes posted on the notice boards.

Process: Management review
Event: Overview of the incident and its positive outcome within the statistics; near miss and incident statistics reviewed.
Management system: Management review minutes communicated; a regular audit of pedestrian routes is added to the internal audit programme as part of an improvement objective.
10.3 Continual improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the OH&S management system by enhancing OH&S performance. It must promote a culture that supports the OH&S management system and promote the participation of workers in implementing actions for its continual improvement. It must communicate the relevant results of continual improvement to workers and, where they exist, workers’ representatives. It must maintain and retain documented information as evidence of continual improvement.
As per Annex A (Guidance on the use of ISO 45001:2018 standard) of ISO 45001:2018 standard it further explains:
Examples of continual improvement issues include, but are not limited to:
new technology;
good practices, both internal and external to the organization;
suggestions and recommendations from interested parties;
new knowledge and understanding of occupational health and safety-related issues;
new or improved materials;
changes in worker capabilities or competence;
achieving improved performance with fewer resources (i.e. simplification, streamlining, etc.).
The concept of continual improvement is embodied in all management system standards based on Annex SL, such as ISO 9001, ISO 14001, ISO 27001, ISO 22301 and, of course, ISO 45001. Opportunities for continual improvement must be reported; they may come from new technology, non-conformances, failures, or any other IMS issue. The system succeeds by identifying, establishing and maintaining OH&S objectives and processes based on the relevant risks. With top management and all levels of the organization involved, these processes should be evaluated on completion for the purpose of continual improvement. It is important to clarify that continual improvement differs from continuous improvement, since the two terms could otherwise be used interchangeably. To avoid misunderstanding, this clarification is provided in the terms and definitions guidance of Annex A of ISO 45001:2018: continuous indicates duration without interruption, while continual indicates duration that occurs over a period of time with intervals of interruption. The latter is the more suitable for the processes of a system intended to safeguard workers from injury and ill health, since those processes are implemented and then evaluated under the Plan-Do-Check-Act cycle. ISO 45001:2018 therefore asks organizations to evaluate their completed OH&S processes for continual, not continuous, improvement.
Through all of the actions to improve the overall OH&S management system, the organization can achieve enhanced OH&S performance and promote a culture that supports worker participation in making the OH&S management system better. Improvements can be initiated by any employee when any of the following is identified:
To initiate a change to the IMS.
To initiate improvement to the performance and effectiveness of the IMS.
When an innovation or improvement opportunity is identified.
When a non-conformance is identified at any time.
When a discrepancy, non-conformance or improvement is identified during auditing.
When a customer complaint or any significant customer feedback is received (including compliments).
Actions which an organization might take with a view to achieving continual improvement in the suitability, adequacy, and effectiveness of its OH&S management system include:
Enhancing OH&S performance;
Promoting a culture that provides support to the OHSMS;
Promoting the participation of workers in the identification and implementation of actions for continual improvement of the OHSMS;
Communicating the relevant results of continual improvement to workers, and where they exist, workers’ representatives;
Maintaining and retaining documented information as evidence of continual improvement
The organization must establish a system that involves the monitoring, measurement, analysis and evaluation of its OH&S performance. It should decide what to measure and how, for instance accidents or worker competence. Moreover, internal audits must be established along with regular management reviews, in order to see the progress made towards the achievement of OH&S objectives and the fulfilment of ISO 45001 requirements. Performance evaluation is a constructive process that aims to improve an organization’s operation and is crucial to the Plan-Do-Check-Act model prescribed by ISO 45001. These processes should help achieve and support organizational strategy and goals.
Clause 9, Performance Evaluation, provides an in-depth discussion of the criteria for evaluating the overall performance of the OH&S management system. The primary themes of this section are the means of process evaluation and the documentation of evaluations. The importance of documentation (and how records and data are retained), as well as document dissemination, are performance themes both in ISO 45001 in general and in this section in particular. This section tends to be more specific than some of the others and includes a detailed discussion of documentation requirements, internal audit protocols, and the relevance and applicability of measurements within the organization. The key attributes of this section include:
1. Ensuring that applicable legal requirements and documentation requirements are followed
2. Measuring operational risks and hazards
3. Evaluating the effectiveness of operational controls
4. Establishing the timeline for conducting the measurements
5. Planning for the analysis, evaluation and communication of the results
6. Calibrating and verifying the accuracy of all measuring equipment
7. Retaining documentation of all measurements
8. Auditing the OH&S management system, the OH&S policy, the OH&S objectives and the ISO 45001 requirements
9. Establishing the frequency of audits, accounting for significant changes to the organization, performance improvements, risks and opportunities
10. Ensuring the competence of auditors
11. Communicating findings to management, workers and workers’ representatives
12. Taking action to address identified nonconformities
13. Retaining audit results as evidence of the completion of the audit
14. Reviewing audit findings and corrective actions by top management
15. Ascertaining that corrective actions, worker engagement and opportunities for continual improvement are in place
The most important objectives of the Performance Evaluation section are ensuring the adequacy of the current OH&S management system and measuring whether OH&S objectives are met. These are, essentially, the only measures of success.
9.1 Monitoring, measurement, analysis and performance evaluation
9.1.1 General
The organization must establish, implement and maintain processes for monitoring, measurement, analysis and performance evaluation. The organization has to determine what needs to be monitored and measured, including the extent to which legal requirements and other requirements are fulfilled; its activities and operations related to identified hazards, risks and opportunities; its progress towards achievement of the organization’s OH&S objectives; and the effectiveness of operational and other controls. The organization must determine the methods for monitoring, measurement, analysis and performance evaluation, as applicable, to ensure valid results. It must also determine the criteria against which it will evaluate its OH&S performance, when monitoring and measuring shall be performed, and when the results from monitoring and measurement shall be analysed, evaluated and communicated. The organization must evaluate its OH&S performance and determine the effectiveness of the OH&S management system. The organization must ensure that monitoring and measuring equipment is calibrated or verified as applicable, and is used and maintained as appropriate. There can be legal requirements or other requirements (e.g. national or international standards) concerning the calibration or verification of monitoring and measuring equipment. The organization must retain appropriate documented information as evidence of the results of monitoring, measurement, analysis and performance evaluation, and of the maintenance, calibration or verification of measuring equipment.
As per Annex A (Guidance on the use of ISO 45001:2018 standard) of ISO 45001:2018 standard it further explains:
In order to achieve the intended outcomes of the OH&S management system, the processes should be monitored, measured and analyzed.
Examples of what could be monitored and measured can include, but are not limited to:
occupational health complaints, the health of workers (through surveillance) and work environment;
work-related incidents, injuries and ill health, and complaints, including trends;
the effectiveness of operational controls and emergency exercises, or the need to modify or introduce new controls;
competence.
Examples of what could be monitored and measured to evaluate the fulfilment of legal requirements can include, but are not limited to:
identified legal requirements (e.g. whether all legal requirements have been determined, and whether the organization’s documented information on them is kept up to date);
collective agreements (when legally binding);
the status of identified gaps in compliance.
Examples of what could be monitored and measured to evaluate the fulfilment of other requirements can include, but are not limited to:
collective agreements (when not legally binding);
standards and codes;
corporate and other policies, rules and regulations;
insurance requirements.
Criteria are what the organization can use to compare its performance against.
Examples are benchmarks against:
other organizations;
standards and codes;
the organization’s own codes and objectives;
OH&S statistics.
To measure criteria, indicators are typically used; for example:
if the criterion is a comparison of incidents, the organization may choose to look at frequency, type, severity or number of incidents; then the indicator could be the determined rate within each one of these criteria.
if the criterion is a comparison of completion of corrective actions, then the indicator could be the percentage completed on time.
Monitoring can involve continual checking, supervising, critically observing or determining status in order to identify change from the performance level required or expected. Monitoring can be applied to the OH&S management system, to processes, or to controls. Examples include the use of interviews, reviews of documented information, and observations of work being performed.
Measurement generally involves the assignment of numbers to objects or events. It is the basis for quantitative data and is generally associated with the performance evaluation of safety programmes and health surveillance. Examples include the use of calibrated or verified equipment to measure exposure to a hazardous substance, or the calculation of the safe distance from a hazard.
Analysis is the process of examining data to reveal relationships, patterns and trends. This can mean the use of statistical operations, including information from other similar organizations, to help draw conclusions from the data. This process is most often associated with measurement activities.
Performance evaluation is an activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter in achieving the established objectives of the OH&S management system.
The organization not only has to measure occupational health and safety progress, but should also consider its significant hazards, compliance obligations and operational controls when tackling this clause. The methods established should ensure that the monitoring and measuring periods are aligned with the OH&S management system’s needs for data and results, that the results are accurate, consistent and reproducible, and that the results can be used to identify trends. The results should be reported to the personnel with the authority and responsibility to initiate action on the basis of those results. The organization should have a systematic approach to measuring and monitoring its OH&S performance on a regular basis, as an integral part of its management system. The organization needs to monitor and measure the following in order to determine the performance of the OHSMS and evaluate its effectiveness:
The extent to which legal and other requirements are fulfilled including, where applicable, all applicable OH&S legislation, collective agreements, standards, and codes and insurance requirements;
Characteristics of activities and operations related to the identified hazards, risks, and opportunities;
Progress in the achievement of the organization’s OH&S objectives;
Effectiveness of operational and other controls.
This includes the determination of the criteria against which the organization’s OH&S performance will be evaluated, including appropriate indicators. Criteria are what the organization uses to compare its performance against (e.g. benchmarking its OH&S performance against other organizations, standards or codes, etc.). To measure against criteria, indicators are used. For example, if the criterion is a comparison of incidents, the organization could choose to look at the frequency, type, severity, or number of incidents; the indicator could be the rate determined within each one of these criteria. The organization must select appropriate methods for monitoring, measurement, analysis, and performance evaluation in order to ensure valid results, and decide when the monitoring and measurement will be performed and when the results from monitoring and measurement will be analyzed, evaluated, and communicated.
The organization must ensure that monitoring and measurement equipment, such as sampling pumps, noise monitors, and toxic gas detection equipment, is calibrated or verified and that it is correctly used and maintained. Insofar as measuring and monitoring are concerned, the organization should use both reactive and proactive measures of performance but should mainly focus on proactive measures in order to drive OH&S performance improvement. Examples of proactive measures include:
Assessment of compliance with legal and other requirements;
Evaluation of the effectiveness of OH&S training;
Use of worker surveys to evaluate OH&S culture and related worker satisfaction;
Completion of statutory and other inspection schedules;
The extent to which programmes have been implemented;
The effectiveness of the worker consultation and participation process;
Use of health screening.
Examples of reactive measures include:
Occurrence and rates of notifiable accidents and dangerous occurrences;
Lost time incident rates;
Monitoring of ill health;
Actions required following assessments by regulatory bodies such as the HSA/HSE.
The organization must retain appropriate documented information as evidence of the results of monitoring, measurement, analysis, and evaluation and of the maintenance, calibration, or verification of measuring instruments. An organization should check, review, inspect and observe its planned activities to ensure they are occurring as intended. An organization must make sure it has determined the appropriate processes so it can evaluate how well it is performing based on risks and opportunities. Monitoring generally refers to processes that check whether something is occurring as intended or planned. The tables below provide examples of monitoring and specific control measures:
Event: Local Exhaust Ventilation System (LEV)
Monitoring: An appointed person inspects weekly the airflow of an LEV system that safely removes fumes from a process.
Measurement: Use of a calibrated meter to check the airflow at two inspection locations of the system according to a specified Work Instruction. (The employee is trained and competent to use the equipment.)
Analysis: Review of recorded data to determine the airflow efficiency of the system and ensure workers are safe. This may include trends. This would be in compliance with the manufacturer’s specifications and regulatory requirements.
Evaluation: The trend analysis indicates a reduction in airflow; therefore, maintenance is triggered to isolate and inspect the LEV system.

Event: Safe Walking Routes
Monitoring: An appointed person carries out a daily site inspection of safe walking routes to ensure they are in a condition to prevent slips, trips, and falls.
Measurement: Visual inspection to ensure there are no obstructions outside of defined safe walking routes. (Usually, measurement is associated with measurement equipment used to obtain data.)
Analysis: Examination of results from inspections. In this case, there may be a trend of equipment repeatedly left in the same location on a Safe Walking Route.
Evaluation: Determination of the root cause of why equipment is repeatedly left in the safe walking route, resulting in the allocation of a designated safe place for equipment away from the safe walking route.
Any equipment used to determine the measurement ‘indicator’ should be calibrated and maintained so that a high degree of confidence is gained in the credibility of data. The standard also requires the organization to implement a process to evaluate legal and other compliance including:
The frequency and method of evaluation
If action is needed, the process by which it will be evaluated and implemented
Maintain knowledge and understanding of its compliance status
Retain documented information to support the evaluation of legal and other requirements
9.1.2 Evaluation of compliance
The organization must establish, implement and maintain the processes for evaluating compliance with legal requirements and other requirements. The organization must determine the frequency and methods for the evaluation of compliance and must evaluate compliance and take action if needed. It must maintain knowledge and understanding of its compliance status with legal requirements and other requirements. It must retain documented information on the compliance evaluation results.
As per Annex A (Guidance on the use of ISO 45001:2018 standard) of ISO 45001:2018 standard it further explains:
The frequency and timing of compliance evaluations can vary depending on the importance of the requirement, variations in operating conditions, changes in legal requirements and other requirements, and the organization’s past performance. An organization can use a variety of methods to maintain its knowledge and understanding of its compliance status.
There is an ever-increasing amount of legislation intended by government to ensure that we manage issues such as health and safety in the workplace and our impacts on the environment, in order to protect human health and the environment from harm. There is also a range of legislation designed to give some security of personal information, intellectual property, and organizational records to both public and private sector businesses whose information and networks are important business assets. The standard recognizes that evaluation requirements will vary from organization to organization based on factors such as size, compliance obligations, sector, past history and performance, and so on, but suggests that regular evaluation is always required. If the result of a compliance evaluation reveals that a legal requirement is unfulfilled, the organization needs to assess what action is appropriate, possibly up to contacting a regulatory body and agreeing on a course of action for repair. Such an agreement then makes this obligation a legal requirement. Where non-compliance is identified by the OH&S Management System and corrected, it does not automatically become a non-conformity. But exactly what legislation is there that applies to your organization, how does it apply, and why do you need to evaluate it?
Firstly, it is worth looking at compliance in more detail. Compliance is not an option. If we don’t comply then we could be operating outside of the law. Not only can this lead to penalties and fines, but poor compliance can also lead to:
Increased health and safety incidents, environmental accidents and pollution.
Increased downtime, clean-up costs and fines
Increased insurance premiums and regulatory inspections
Workforce concerns and industrial relations issues
Reduced ability to meet customer requirements
Damage to reputation and possible lost business
Individual prosecution and corporate manslaughter and/or dismissal
The legislation provides regulators with specific duties and powers and enables the regulators to take enforcement action, with consequences up to site closures and the suspension or revocation of permits. For example, in 2005/2006 the HSE issued 6400 enforcement notices and prosecuted in over 1010 cases. Magistrates and courts are coming under increasing pressure to impose ever more stringent penalties. With this in mind, there is increasing pressure on organizations from various sources to improve and ensure compliance. In practice, you may consider putting a list of compliance obligations within a spreadsheet as outlined under clause 6 of this document. Periodically this process should be audited within the internal audit program to ensure all compliance obligations have been fulfilled. Audit results, including compliance status, should be communicated to senior leadership within the organization. Any outstanding or pending requirements can be actioned by the leadership team. This will ensure compliance with obligations and a reduction in risk, including the risk of prosecution. So how can you evaluate compliance? There are essentially three approaches:
1. The Passive Approach
The passive approach means an organization sits back and waits for things to happen. It relies solely on feedback from regulators, employees, and members of the public. Typically few resources are allocated, and compliance efforts are minimized and tend to be focused on current areas of concern. The drawback of this approach is that it may well be unrepresentative of the true level of compliance, the outcome of which is an increased likelihood of a non-compliant event that could lead to unforeseen prosecutions.
2. The Reactive Approach
The reactive approach is taken when an organization acts only when a situation of non-compliance is brought to light. There may be some internal and external evaluation and auditing, but this usually relies on a sampling basis. It is similar to the passive approach in that typically few resources are allocated. The drawback of this approach is that it may not be sufficiently comprehensive. It tends to only pick up problems after the event. Although actions are taken to manage compliance, these are typically only implemented after the event, once the non-compliance has been identified. Therefore an organization following the reactive approach may incur increased costs, both financial and in time, in addressing the non-compliance as opposed to preventing it from occurring.
3. The Proactive Approach
An organization following the proactive approach will seek to actively identify the compliance position and establish processes to ensure on-going compliance status is maintained. The proactive approach is typically system-based and integrates compliance into everyday business practices. The management system may be one of three types:
Internal bespoke Compliance Management System
Management System based on a recognized standard such as ISO 14001, OHSAS 18001, ISO 9001 and ISO 27001
Third party certified Management Systems such as ISO 14001, OHSAS 18001, ISO 9001 and ISO 27001 (certification to which can only be awarded based on a legally compliant system)
Management systems provide the mechanisms to identify upfront compliance requirements and ensure appropriate controls are in place to positively manage compliance status. They cannot guarantee against a non-compliance occurring but should ensure that the system in place quickly identifies the non-compliance status and corrects it. Following the proactive system-based approach will enable an organization to:
Make a commitment to compliance
Identify current legal and other requirements specific to the organization and be aware of pending legislation and its impact on the organization well in advance.
Understand the full implications of all applicable legislation and incorporate the requirements into business practices.
Keep information up-to-date.
Identify compliance criteria.
Establish a framework to address and control the identified compliance requirements.
Provide a mechanism for the on-going review, evaluation, and reporting of compliance performance
One area of particular importance is the reference to the control mechanism employed within the organization to manage that element of the legal requirements. Including this in your system for compliance management immediately increases the transparency of the legal management system and ensures that there is an effective control mechanism in place for each of the key requirements. Controls will not always be procedures but may include site inspections, monitoring equipment, or designated responsibilities. Typically, through a management system, there will be a number of different steps to the management of compliance:
Step 1 – Commitment to Legal Compliance Evaluation
Essentially this requires the agreement from top management that this is required and their commitment to providing the necessary resources, including staff, finance, and IT support, to carry out the evaluation and to take action to resolve areas of non-compliance.
Step 2 – Identification of Legal Requirements
Having secured top management commitment to evaluating compliance, the next step is to identify the legal requirements such as codes of practice and guidance notes. Legal requirements can take many forms including:
Legislation, regulations, and statutes
Directives
Permits, licenses or other forms of authorization, such as Orders issued by regulatory bodies.
Judgments of courts or administrative tribunals
Treaties, conventions, and protocols
There are many different ways an organization can go about identifying legal requirements. These are all valuable sources. However, the most important thing is what you do with the information you identify. Typically the identification of legal requirements leads to the production of a legal register. A typical legal register would include:
However, this format will not be sufficient to enable effective evaluation of compliance within the management system.
Step 3 – Identification of Compliance Criteria
To ensure the use of a legal register is effective, consideration should be given to also using the document as a mechanism to:
Evaluate the legislation to determine which components are applicable, e.g. discharge of trade effluent from the effluent plant.
Establish the relevance of the legislation to the organization – identify which activities completed on site fall within the scope of the legislation, e.g. a license is required for the discharge of trade effluent
The above is referred to as the compliance criteria, and without a good understanding of what these criteria are for your organization, it will be very difficult to undertake an effective evaluation of compliance. The legal register should be a ‘live’ document and be useful to the organization. It may also identify:
Installation Activity
Regulation
Regulator
Description of Regulation
Relevance to the organization — compliance criteria
Responsible Persons
Reference to other parts of the management system e.g. environmental aspects, health and safety hazards, objectives and targets
Reference to the license, permit, authorization or notification
Further information (e.g. codes of practice)
Operational Controls
Additional columns might be as follows:
This type of register can provide a clear understanding of the relationship between legislation and the organization’s activities, products, and services. It can also be used as an awareness-raising tool, but more importantly, it provides a clear audit trail for the internal audit function to undertake its evaluation of legal compliance.
Step 4 – Compliance Performance Evaluation
Having identified relevant legislation, the compliance criteria, and related operational controls, the next step is to develop a process for checking legal compliance. Use the information from the register to review current practices against the identified legal requirements applicable to your organization. You might want to consider developing a checklist for each item of legislation that the organization has identified. Objective evidence will need to be gathered in order to evaluate compliance. Compliance performance evaluation can be carried out by:
Monitoring against performance indicators – trend analysis to predict and prevent non-compliance e.g. amount of mercury discharged on a monthly basis versus the early figure specified within the discharge consent or noise emissions limits.
Reviewing risk assessments.
Undertaking physical inspections e.g. of the status of oil storage facility or of wearing of relevant personal protective equipment (PPE)
Undertaking Management Systems audits.
Compliance verification against procedural and legal requirements.
Independent verification (e.g. in the case of compliance to a GHG permit)
Conducting a compliance performance evaluation will help you to:
Identify any regulatory non-compliances
Determine whether existing controls are adequate to help prevent regulatory non-compliance including those related to abnormal and emergency situations.
Identify areas where further information is required to track or confirm compliance, and any opportunities for improvement
Proactively manage an organization’s compliance status
There has been much discussion about what constitutes an ‘Evaluation of compliance’. What is clear is that there is no one method or definitive answer but more of a suite of tools that can be used when completing the evaluation. Therefore it is important that the outcomes of the evaluations are brought together to enable trend analysis and the overall compliance status to be determined.
Step 5 – Compliance and Review Reporting
A compliance review is more than just monitoring. Routine monitoring may not check compliance with all requirements and limits of a permit or consent. Monitoring of an indicator to demonstrate improvement (such as the quantity of monthly hazardous waste arisings) will not check compliance with all applicable waste legislation (such as whether hazardous waste documentation identifies waste streams correctly). However, the results of monitoring can be input into the evaluation process. Likewise, a true evaluation of compliance is more than just systems auditing, as systems audits tend to have broad scopes, are not specifically focused on legal compliance, assess too small a sample of data, and are too infrequent to demonstrate system effectiveness. However, the results of audits can be input into the evaluation process and are still a valuable tool.
Step 6 – Compliance Verification
So, compliance verifications are also necessary. Compliance verifications use compliance detail from the legal register and legal documents, such as permits, to create comprehensive checklists. Compliance verifications can be targeted, topic specific, more frequent, and risk-based. Compliance verification will:
Identify compliance tasks and their frequency
Ensure availability of sufficient competent resources
Allocate time and resources on a risk basis
Regardless of which methods are used, it is essential that appropriate records are held of the outcome of the evaluation process.
Step 7 – Compliance Reporting
So what do you do with the results of the evaluation? Compliance reporting is a systematic activity using information from monitoring, system auditing, verification, and feedback from interested parties (such as regulators). Using this data enables you to confidently, and accurately, report on your compliance status to top management (policy and decision-makers) for the identification of future legislative trends, areas of strengths and weaknesses, and opportunities for improvement. Reporting should be undertaken at a frequency appropriate to the risks and should seek to answer the questions, posed by top management, ‘how compliant have we been, are we now, and will we be, with legal and other requirements?’
Step 8 – Define an Action Plan
Define an action plan for addressing the issues identified in the gap analysis. The action plan might include the:
Allocation of specific clear roles and responsibilities for compliance.
Communication of the relevance of the requirements at all levels.
Revision of procedures to include operational criteria
Provision of relevant training
Step 9 – Repeat the process
In order to maintain legal compliance, this evaluation process needs to be repeated on a regular basis. This provides opportunities for continual improvement and enables you to keep up to date with, if not ahead of, regulatory developments. There is no right or wrong way to evaluate compliance. There are different methods for evaluating compliance. Choose the approach that best suits your business based on size, type, and complexity. We would, however, recommend using a system-based approach to identify legal requirements and establish appropriate controls. A legal register can be an effective tool to help evaluate and verify compliance. Determine the measures needed to develop a compliance framework, including frequency and resources; the frequency of review and reporting should be systematic and risk-based. Provide comprehensive reports to top management for decisions on future policy and objectives, and for corporate assurance. Evaluation of compliance is a key component of an effective system to deliver continued legal compliance. A management system will not guarantee compliance, as it cannot predict the future! It will, however, provide the framework for an organization to manage its compliance status and improve its capability to deliver regulatory compliance.
9.2 Internal audit
9.2.1 General
The organization must conduct internal audits at planned intervals. This will provide information on whether the OH&S management system conforms to the organization’s own requirements for its OH&S management system, including the OH&S policy and OH&S objectives, and to the requirements of ISO 45001:2018. It also provides information on whether the OH&S management system is effectively implemented and maintained.
9.2.2 Internal audit programme
The organization must plan, establish, implement and maintain audit programs including the frequency, methods, responsibilities, consultation, planning requirements, and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits. It must define the audit criteria and scope for each audit. It must select auditors and conduct audits to ensure objectivity and the impartiality of the audit process. It must ensure that the results of the audits are reported to relevant managers, and ensure that relevant audit results are reported to workers and, where they exist, workers’ representatives, and other relevant interested parties. It must take action to address nonconformities and continually improve its OH&S performance. It must retain documented information as evidence of the implementation of the audit program and the audit results.
As per Annex A (Guidance on the use of ISO 45001:2018 standard) of ISO 45001:2018 standard it further explains:
The extent of the audit program should be based on the complexity and level of maturity of the OH&S management system. An organization can establish objectivity and impartiality of the internal audit by creating processes that separate auditors’ roles as internal auditors from their normal assigned duties or the organization can also use external people for this function.
An internal audit is a systematic method to check organizational processes and requirements, as well as those detailed in the ISO 45001 standard. This will ensure the processes in place are effective and the procedures are being adhered to. An internal audit in ISO 45001 not only serves as a function to meet the terms of the standard, as explained above, but is also a real opportunity to improve your OH&SMS (Occupational Health and Safety Management System), and therefore reduce the risk of accidents in your workplace while improving employee wellbeing. Internal audits and auditors should be independent and have no conflict of interest over the audit subject, the standard reminds us, and it should be noted that non-conformities should be subject to corrective action. When considering the results of previous audits, the results of previous internal and external audits and any previous non-conformities and resulting actions to repair them should be taken into account. The ISO 45001:2018 standard refers us to ISO 19011 for the internal audit program, but when you are establishing your program there are several rules you can subscribe to in order to ensure that your program is effective. Base your internal audit frequency on what is reasonable for your organization in terms of size, the sector you operate in, compliance obligations, and risk to the health and safety of workers. Decide what is reasonable for you, whether that is bi-annually, quarterly, or whatever you deem suitable. Keep in mind that this schedule can be changed, preferably through management review and leadership guidance, in the event of changes that necessitate extra internal audit activity. The internal audit program will aid the organization in achieving its OH&S objectives and targets. It helps:
Monitor compliance with policy and objectives.
Provide evidence that all necessary checks are carried out.
Ensure all current legislative and other requirements are met.
Assess the effectiveness of risk management.
Engage workers, leading to a positive safety culture.
Identify improvement using ‘fresh eyes’ to review a process.
Aid continual improvement.
The organization must conduct internal audits at planned intervals to provide information on whether the OH&S management system conforms to the organization’s own requirements for its OH&S management system, including the OH&S policy and OH&S objectives and the requirements of ISO 45001. In addition, the audit allows the organization to determine if its OH&S management system is effectively implemented and maintained. The extent of the audit program should be based on the complexity and level of maturity of the OH&S management system. The organization must plan, establish, implement and maintain an audit program, which contains information on:
The frequency that audits are conducted;
The methodology/protocol used (which should be in general conformance with the requirements of ISO 19011:2011 Guidelines for auditing management systems);
Who is responsible for managing and conducting audits;
What consultation takes place with auditees and the general workforce;
How the audits are planned and implemented;
The format for reporting audits.
The planning of the internal audit program must recognize the importance of the processes concerned and the results of previous audits. This would be reflected in the audit programme being based on the results of the risk assessments of the organization’s activities and the results of previous audits, which in turn would guide the organization in determining the frequency of audits of particular activities, areas or functions and which parts of the OH&S management system should be given attention. The OH&S management system audits should cover areas and activities within the scope of the OHSMS as defined by clause 4.3 of the standard and also assess conformity to ISO 45001. The organization must define the audit scope and audit criteria for each audit. Audit evidence should be evaluated against the audit criteria to generate the audit findings and conclusions. Audit evidence should be verifiable. Prior to conducting the audit, the auditors should review appropriate OH&S management system documented information and the results of prior audits. This information should be used by the organization in planning for the audit.
The organization must select auditors and conduct audits to ensure objectivity and the impartiality of the audit process. It can establish objectivity and impartiality of the internal audit process by creating a process that separates auditors’ roles as internal auditors from their normal assigned duties. Alternatively, it can utilize the services of external companies to conduct its internal audit program. After the audit is complete the auditors must ensure that the results of the audits are reported to relevant managers. In addition, relevant audit results must be reported to workers; where they exist, to workers’ representatives, and to other relevant interested parties. The organization must take action to address nonconformities in a timely and efficient manner and continually improve its OH&S performance. The audit report should be clear, precise, and comprehensive. The organization must retain documented information as evidence of the implementation of the audit program and the audit results.
It also points out how previous audit results and outputs from risk assessment can provide inputs for the internal audit itself. Given that you have a date for your internal audit – whether this is being carried out by an internal or external auditor – what should you bear in mind to prepare? Firstly, you must consider how you prepare for your internal audit. Does your organization have an adequately trained auditor? Internal audits must be conducted by competent staff with a degree of impartiality towards the area being audited. A risk-based approach can be applied to areas being audited, with an increased focus on higher-risk activities. Internal audits must be planned with an expectation of each process being audited at regular intervals. In addition to planned audits, unplanned audits may be conducted in reaction to problematic areas, near-miss reports, or incident data, with a focus on accident prevention. It is beneficial to communicate audit results to applicable interested parties, including workers, and to set realistic completion timescales for identified ‘opportunities for improvement’ or ‘nonconformities’. Top Management must be aware of deficiencies within the system to ensure the necessary resources can be allocated to mitigate the findings. Audit results will be reviewed as part of the management review process. ISO 45001, like most other ISO standards, contains a clause that outlines how organizations should perform internal audits. Internal audits should meet the planned measures of the OHSMS and the audit outputs should be made available. You should establish and plan your internal audit schedule based on the results of previous audits and risk assessments. Although it is sensible and standard, as are other clauses in ISO 45001, the internal audit should be approached with more care than, for instance, the comparable clauses in ISO 9001 (Quality Management) or ISO 14001 (Environmental Management).
This is because an ineffective OHSMS audit could endanger the welfare of your employees. The organization should plan its internal audits at regular intervals. It should, however, be noted that accidents, incidents, risk assessments, or stakeholder input can all be used to initiate internal audits beyond the regular schedule. This would be the case if the organization feels it would be beneficial to the overall health and safety performance. Let’s look at when, by whom, and how the ISO 45001 system internal audit should be performed.
When: Internal audits should be done at planned intervals, or whenever deemed required or beneficial to your ISO 45001 system. Who: The standard requires that the internal auditor must be impartial and objective. Auditor selection is critical. The auditor must be experienced and, if possible, formally trained. The auditor must also be aware of the company’s OHSMS policy, objectives, and performance. As the internal audit process is so critical, many organizations use external advice from an expert for internal audit purposes. How: All relevant information in terms of “input” to the process should be available to the internal auditor. The auditor will also need OHSAS performance outputs, risk assessment information and results, desired OHSMS objectives, and stakeholder input. Why: A logical question to ask at this stage would be “Why?” Apart from being a requirement of the ISO 45001 standard, internal audits should be seen as key drivers in the continual improvement cycle. They are also critically important as a preventive measure for health and safety in the workplace. Anyone interacting with the auditor should therefore always provide truthful and accurate information during the audit. An accurate assessment creates an opportunity for suggestions for improvement based on past and current data.
ISO 45001 requires that top management have access to the results of any internal audit. This enables the top management team to decide on the actions that need to be taken based on those results. In terms of continual improvement, it is also helpful if the auditor makes suggestions based on the audit itself, as they have had direct experience of and interaction with the procedures and processes during the audit. This gives the management team a more balanced view of the audit’s effectiveness and the validity of its results, and a better chance of continual improvement and of output that could prevent incidents and accidents. It is obviously necessary that the process is documented, including findings, outcomes and actions, as the internal audit takes its place in the improvement cycle. Make sure that internal audits are always thorough, honest and accurate, and use the ‘plan, do, check, act’ methodology to ensure that the proposed actions are implemented, effective and maintained. Once you have done this, you can be confident that the results of the internal audit are truly effective. The principles of ISO 19011, which addresses management system auditing, can also help you structure your audit. So, what other elements do we need to consider when undertaking the internal audit? Let us consider:
Remember, the internal audit will show your ability to meet the requirements of the standard itself (or part of it, depending on the scope of the audit). Ensure you and your organization have met all requirements of the standard, including management review, risk assessment and emergency response. Bear in mind that any nonconformities will be reported, and you should use your corrective action process to rectify any nonconformities identified. Concentrate on hazard and risk identification. Though closely related, hazard and risk are not the same thing. ISO 45001 defines a hazard as a “source or situation with a potential to cause injury and ill health”. In other words, what features of your processes have the ability to harm individuals? This could be a hazardous chemical you need to use in a process, or a machine with a pinch point that needs to be guarded to protect the people who use it. It could also be an office role that requires actions which, over time, could lead to repetitive strain injury. An OH&S risk is defined as the “combination of the likelihood of occurrence of a work-related hazardous event or exposure and the severity of the injury and ill health that can be caused by the event or exposures”. So, the hazard is the feature of the process that can harm an individual, and the risk combines the likelihood that it will happen with how severe the consequences will be. This should be a key element of most internal audit examinations; the identification of both, as well as the mitigation of risk, is key to maintaining an effective OH&SMS.
Ensure your corrective action process is effective. We have previously looked at the step-by-step process to follow once corrective action is initiated in your OH&SMS, ensuring that the root causes of problems are correctly identified and eradicated. While prevention is preferable to cure in any OH&SMS, an effective system must have an effective corrective action process, and it is likely that this will be examined closely in most internal audits.
Ensure your team is ready. Ensuring that your team has satisfied these clauses can be vital to your internal audit. Keep in mind that no OH&SMS can flourish without employee knowledge, commitment and buy-in, so involve your team in the preparation for, and execution of, the internal audit. This helps your OH&SMS flourish and makes a successful internal audit more likely.
Rehearse for your external audit. Remember that your internal audit is an opportunity to prepare and rehearse for your external certification audit. There are several ways to do this; the information in the article What questions should you expect from the ISO 45001 auditor? should help you prepare your OH&SMS and your own team for both the internal audit and the likely forthcoming external audit.
Ensure your OH&SMS benefits. As stated, the internal audit is not only a dry run for your external certification audit in terms of the conformity of your OH&SMS; it is also a huge opportunity for improvement. Use the information in How to create an internal audit checklist for your Health & Safety management system to ensure you cover all the elements required by the standard itself. Record your results, and clearly outline any corrective action or improvements made. This will serve as evidence and give you a record of action and improvement for your next audit, whether internal or external. Treat your internal audit as a measure of conformity, an opportunity to improve and a rehearsal for your external audit. Doing this will ensure that real value is derived from this mandatory part of ISO 45001.
What evidence will the auditor require?
As stated above, the auditor’s main function is to ensure that your documentation, processes, and actions comply with the ISO 45001 standard, and that evidence can be produced to prove this. So, if we think from that point of view there are some questions he/she is almost certain to ask:
Are all the clauses in the standard met? From the moment the auditor enters your organization’s premises, this is what he/she is tasked to find out. The auditor will normally break the clauses and requirements down one element at a time, but the final requirement is to confirm conformity with the standard. For example, can you show that all of your mandatory documentation is covered? Ensure that you have a copy of the standard, know it well, and have carefully worked through it to be sure your organization conforms.
Have you held a management review? This is the critical starting point for your OH&SMS in terms of ensuring that there is top management input and that objectives are established correctly, as well as having the ability to ensure that the cycle of review and improvement exists when your OH&SMS is running.
Have you recorded incidents, accidents, and near misses? And, if so, do you have evidence to show that you have undertaken the correct processes after an accident, and have a process whereby action is taken to prevent near misses from being repeated and becoming accidents in the future?
Are your processes consistent? You will need to prove that your processes – whether documented or not – are consistent internally in the way they are used and that they meet the terms of the standard. This also leads to the question regarding whether the effectiveness of processes has been reviewed, which will encourage continual improvement – the element that underpins the standard itself.
Have you completed the critical functions of the OH&SMS? Have you assessed hazards and risks correctly? Have you performed corrective action where something has gone wrong? Have you completed internal audits with satisfactory outcomes and actions to guarantee improvement of your OH&SMS? Have you documented these accurately as evidence? These elements are all central to running a successful OH&SMS, and you can be sure the auditor will focus on them to a large extent; therefore, it is wise to prepare. Also remember that, while these elements are critical, they make up only part of the clauses you will be audited against!
Can you demonstrate competence, awareness, and evidence of training? Especially in matters of health and safety, it is critical that your team can demonstrate that they are aware of processes, communications that may have taken place, and are generally aware enough to operate safely within your organization. Ensure that your employees realize that it is very likely that the auditor will come and speak to them, and instruct them on how to react. There is no need to be nervous, but being articulate, truthful, and honest will help greatly.
Can you demonstrate improvement? As stated previously, this is necessary to demonstrate your organization’s conformity with ISO 45001. It is therefore certain that the auditor will ask a member of the team how improvement is achieved and evidenced. Be prepared for this.
How you can make the audit smoother for your organization and people. It is wise to remember that the auditor is trying to help you pass, not trying to make you fail. Anticipating the questions he/she will ask will undoubtedly help you to prepare your employees and make them less nervous, as well as helping you to ensure that you have all your respective boxes ticked in terms of meeting the clauses of the standard. Remember that the auditor is trying to help you make sure your organization remains a safe place to work, not trying to trip you up. Lastly, should the auditor have any observations or recommendations during the audit, be sure to take them on board and use them to improve your OH&SMS.
9.3 Management review
Top management must review the organization’s OH&S management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review must consider the status of actions from previous management reviews, and changes in external and internal issues that are relevant to the OH&S management system, including the needs and expectations of interested parties, legal requirements and other requirements, and risks and opportunities. It must consider the extent to which the OH&S policy and the OH&S objectives have been met. It must also consider information on OH&S performance, including trends in:
incidents, nonconformities, corrective actions, and continual improvement;
monitoring and measurement results;
results of the evaluation of compliance with legal requirements and other requirements;
audit results;
consultation and participation of workers;
risks and opportunities.
The input to the management review must also consider the adequacy of resources for maintaining an effective OH&S management system, relevant communications with interested parties, and opportunities for continual improvement. The outputs of the management review must include decisions related to the continuing suitability, adequacy and effectiveness of the OH&S management system in achieving its intended outcomes, and continual improvement opportunities. They must include any need for changes to the OH&S management system, the resources needed and any action needed. They must also consider opportunities to improve integration of the OH&S management system with other business processes, and any implications for the strategic direction of the organization. Top management must communicate the relevant outputs of management reviews to workers and, where they exist, workers’ representatives. The organization shall retain documented information as evidence of the results of management reviews.
Annex A (Guidance on the use of ISO 45001:2018) further explains:
The terms used in relation to management review should be understood as:
“suitability” refers to how the OH&S management system fits the organization, its operation, its culture, and business systems.
“adequacy” refers to whether the OH&S management system is implemented appropriately;
“effectiveness” refers to whether the OH&S management system is achieving the intended outcome.
The management review topics listed in 9.3 need not be addressed all at once; the organization should determine when and how the management review topics are addressed.
This clause requires reviews of the suitability, adequacy and effectiveness of the OHSMS to be undertaken by top management at planned intervals. It should be noted that, contrary to popular belief, the management review does not have to be done all at once; it can be a series of high-level or board meetings with topics tackled individually, although it should remain at a strategic, top management level. Complaints from interested parties should be reviewed by top management, with resultant improvement opportunities identified. It should be remembered that the management review is the one function that must be carried out accurately and diligently to ensure that the OH&S management system and all resulting elements can follow suit. It goes without saying that all details and data from the management review must be documented and recorded, so that the OH&S management system can follow the specific requirements and general strategic direction for the organization set out there. Management reviews are the opportunity for senior management to critically evaluate the performance of the OH&S management system and ascertain whether it continues to be:
Suitable: does the management system fit the organization, its operation, its culture and business systems;
Adequate: is the management system implemented appropriately;
Effective: has the management system achieved its intended outcomes.
The management review should consider the following:
The status of actions from previous management reviews;
Changes in internal and external issues that can impact on the OH&S management system such as risks and opportunities, the needs and expectations of relevant interested parties and legal and other requirements;
The adequacy of resources for maintaining an effective OH&S management system;
Relevant communications with internal and external interested parties;
Opportunities for continual improvement.
The reviews should also include information on the organization’s OH&S performance including trends in:
The achievement of OH&S objectives;
Incidents, nonconformities, and corrective actions;
Monitoring and measurement;
The evaluation of compliance with legal and other requirements;
Internal and external audits;
Consultation and participation of workers;
Risks and opportunities.
Management reviews should be carried out on a regular basis (e.g. quarterly, semi-annually or annually). Partial management reviews of the performance of the OHSMS can be held at more frequent intervals, if appropriate, with different reviews addressing different elements of the overall management review. The management review process should not just evaluate historical trends but should aim to improve the OH&S performance of the organization by initiating improvement actions. The conclusions drawn at the end of the management review process should relate to:
The continuing suitability, adequacy, and effectiveness of the OH&S management system in achieving its intended outcomes;
Opportunities for continual improvement;
Any need for changes to the OH&S management system;
Additional resources needed;
Any actions needed;
Opportunities to improve the integration of the OH&S management system with other business processes such as environment, quality, business continuity, etc.
Any implications for the strategic direction of the organization.
Top management must communicate relevant outputs from the management reviews to workers, and where they exist, workers’ representatives.
The organization must retain documented information as evidence of the results of the management reviews. Management review is an essential element of the occupational health and safety management system. The aim of the review is for top management to assess the performance of the management system to ensure it has been effective and suitable for the needs of the business, ultimately preventing injury or harm to workers. The management review is also a planned activity to review objectives, including compliance, and to set new objectives. Usually, management review meetings are conducted annually; however, many organizations conduct management reviews every six months or quarterly to track the performance of the system. If more frequent meetings are conducted, the meeting agenda is often reduced, with the full agenda occurring annually. The following table provides an overview of the prescribed management review agenda requirements:
Clause 9.3 reference: Summary of the management review agenda requirement
a) Provide a summary of the status of actions from the output of the previous management review. This will include completed and incomplete tasks and justifications for their status. This information can be pre-prepared for the meeting.
b1) Explain any changes to internal and external issues relevant to the context of the organization, to ensure that the needs and expectations of interested parties, including workers, are fulfilled.
b2) In addition to b1), note any changes or pending changes to legal and other requirements, and actions to address compliance obligations.
b3) If there are any differences or changes to organizational risks and opportunities, they should be noted and explained, and discussed further under d6) below.
c) Review whether the OH&S policy and objectives have been achieved. It is good practice to place the objectives in a table, align key performance indicators to them, and comment on whether or not they have been achieved. This will also indicate the status of continual improvement.
d1) Discuss any incidents or nonconformities which have occurred since the last review period, including trends. Are there any trends, and what actions have been taken to prevent recurrence?
d2) Determine whether monitoring and measurement have been effective in meeting expectations within the organization. If the evidence suggests they have not, top management can influence improvement.
d3) Discuss the status of compliance with legal and other requirements. This may include evidence to support compliance, including the methods of determination and sources of information. Discuss any pending legal and other requirements.
d4) Discuss the results of internal audits and the actions taken to resolve any nonconformities. Discuss areas for improvement and areas which are performing well.
d5) Overview of consultation with workers. This may be feedback from safety committee meetings and actions to address risks and opportunities, and other processes to ensure workers are safe, including contractor arrangements.
d6) Discuss risks and opportunities, including the performance of hazard identification and opportunities to mitigate harm to workers. The organization may wish to review the significant findings of risk assessments.
e) With consideration of the information discussed in the previous sections, are there enough resources, human or financial, to maintain and continually improve the management system? Top management is key to influencing improvement in this area.
f) Discuss communications with interested parties; this may include regulatory authorities or external providers who supply materials which have an impact on safety.
g) General discussion, with the provision of information on how the OH&S management system is performing and how it can continually improve in the future.
On completion of the management review meeting, the organization must decide with senior leadership and support, what is needed to continuously improve OH&S and satisfy the standard. The following points outline the Management Review Meeting output requirements:
Provide a wide-ranging conclusion on the continuing suitability, adequacy and effectiveness of the OH&S management system in achieving its intended outcomes
Identify continuous improvement opportunities
Identify any required changes to the OH&S management system
Identify required resources
Identify any actions needed
Identify any integration improvements with other business processes. This may be further harmonization with ISO 9001 or ISO 14001 management systems
Any implications to the strategic direction of the business. This is a broad scope requirement to capture any topic to improve the OH&S management system
The organization is required to record the meeting minutes within documented information. This information must be communicated to the relevant interested parties and where applicable worker representatives. It is good practice to transfer management review objectives into a separate document with identified key performance indicators, expected completed timescales, and delegated responsibilities. These objectives may be communicated via the organization’s email or placed on notice boards.
Clause 8: Operation provides guidance on the operational planning and control requirements of the OH&S management system. Once it has gained an understanding of its OH&S hazards, the organization should implement the operational controls necessary to manage the risks associated with its activities and to comply with applicable health and safety legal requirements. The organization plans, implements and controls its operational processes by establishing operating criteria and controlling the processes in accordance with those criteria. This clause deals with the execution of the plans and processes that are the subject of the previous clauses.

Operational planning and controls should be established to meet the requirements of the OH&S management system, including controls to reduce OH&S risks to levels as low as reasonably practicable. Operational controls can take a variety of forms, for example method statements or safe systems of work, preventive maintenance regimes, inspection programmes and regular reviews of the competence of workers. Controls can combine several steps, such as eliminating the hazard, substituting the hazardous with the less hazardous, implementing protective measures, or providing and ensuring the use of personal protective equipment.

Changes need to be planned in a systematic manner, ensuring they do not introduce new or unforeseen hazards or risks. At the same time, organizations should use the process to identify OH&S opportunities to reduce risks. Procurement and outsourcing controls are required to ensure that outsourced processes are controlled, and to evaluate and control the procurement of goods before their introduction. Contractors also need to be considered, as they can involve different types and levels of OH&S risk. An organization can use a variety of tools for managing contractors’ health and safety performance, including pre-qualification criteria and assessment.
The organization must ensure that the requirements of its OH&S management system are met by its contractors and their workers and this needs to include OH&S criteria for selection of contractors. Arrangements with regards to emergency preparedness and response are also a feature of this clause. This clause forms the heart of the ISO 45001 standard and addresses the program content necessary to have a successful OH&S management system that meets the intent of the standard. The specific topics discussed in this section include:
General provisions: such as the means for creating and managing documentation.
Hierarchy of controls: to utilize the most effective means of risk reduction within the organization.
Management of change: to ensure that when planned changes occur they are managed to control risk
Outsourcing: to make certain risk controls are adequate for all outsourced processes
Procurement: to validate all incoming materials and services conform to the system requirements
Contractors: to communicate and control internal risks to third parties and evaluate risks they may introduce into the workplace
Emergency preparedness and response: to identify potential emerging risks and develop specific and customized plans with key stakeholders to minimize these risks
8.1 Operational planning and control
8.1.1 General
The organization must plan, implement, control and maintain the processes needed to meet the requirements of the OH&S management system and to implement the actions determined in Clause 6. It must establish criteria for the processes and implement control of the processes in accordance with those criteria. It must maintain and retain documented information to the extent necessary to have confidence that the processes have been carried out as planned. It must adapt work to workers. At multi-employer workplaces, the organization shall coordinate the relevant parts of the OH&S management system with the other organizations.
Annex A (Guidance on the use of ISO 45001:2018) further explains:
Operational planning and control of the processes need to be established and implemented as necessary to enhance occupational health and safety, by eliminating hazards or, if not practicable, by reducing the OH&S risks to levels as low as reasonably practicable for operational areas and activities. Examples of operational control of the processes include:
the use of procedures and systems of work
ensuring the competence of workers
establishing preventive or predictive maintenance and inspection programmes
specifications for the procurement of goods and services
application of legal requirements and other requirements or manufacturers’ instructions for equipment
engineering and administrative controls
adapting work to workers; for example, by
defining, or redefining, how the work is organized
the induction of new workers
defining, or redefining, processes and working environments
using ergonomic approaches when designing new, or modifying, workplaces, equipment, etc.
Operational Planning and Control is the method in which the organization determines what is required for each process and the method in which requirements are controlled to ensure workers are protected from harm. Operational Planning and Control is achieved by identifying the criteria for each process which may include:
The boundaries of each process and how they interact
What resources are required to manage the process including leadership, equipment, time, human (competency and training aspects) and financial
What documented information is required to aid management of the process including procedures and safe systems of work
The method in which changes to the process are planned and controlled including unintended events
Application of legal and other requirements or manufacturer’s instructions for equipment
Engineering controls, for example, interlocked guards and exhaust systems
Clause 8.1 of ISO 45001 deals with operational planning and control, which can be defined as a function that “helps to check the errors and to take corrective action so that deviations from standards are minimized and stated goals of the organization are achieved in the desired manner.” It is therefore obvious that operational control is absolutely critical to the performance of any management system: even the best practices, policies and procedures in the world become ineffective without the discipline and operational control to ensure they have the desired effect. Operational control can come in several different forms. If, for example, you have an ISO 45001 system, you will have requirements for risk assessment, internal audits and so forth. Your level of operational control should ensure that these happen in a timely and regular fashion, and that the actions and outputs from these functions are undertaken correctly so that your system yields the improvement it needs. To achieve this, we can:
Use an OH&S planning diary to help ensure that operational control is maintained. If we create an electronic version, we can share it with the team and allow everyone to see when tasks and events are scheduled. One can even use a traffic-light rule (red/yellow/green) to signify whether the actions from a particular event are complete and closed off. This not only displays an organization’s high level of operational control but also its commitment to openness and employee engagement.
Create an ‘Operational Control Log’ within your document system. Make it part of the OH&S team’s responsibility at its periodic meetings to ensure that all operational control functions are up to date and all tasks set are completed. Review, modify and improve after every meeting, ensuring that employee and stakeholder input is taken into account; stakeholder involvement is increasingly viewed as an important part of an organization’s operational control. Consider using your corrective action process if tasks slip and operational control is seen to be less effective than desired.
Ensure that the delegated OH&S representative reports on the level of operational control back to both the Health & Safety and Management Teams. If, for example, internal audit and risk assessments are not undertaken and completed on time, then the level of operational control is insufficient and your OH&S performance will undoubtedly suffer.
The standard specifically mentions operational control in terms of purchasing, change management, contractors, outsourcing, and your own policies and procedures. As long as operational control is considered and written into your own policies when they are constructed, you can use the methods shown above to manage internal control overall and ensure your OH&S system functions in a timely and efficient manner. In a nutshell: define methods, responsibilities and processes; then monitor, review and adjust. It sounds a lot like the traditional ‘Plan-Do-Check-Act’ cycle, and it very much is, but with some tricks to ensure we keep our processes and tasks in check.
Clearly, the benefits of operational control from a strategic point of view, such as planning and policy, are vital, but tips like these, which ensure your OH&S performance is never allowed to slip, can be extremely helpful too. If we can join the two together successfully, we should have an OH&S system that is efficient and accurate, and that provides the data required to perform corrective action and improvement diligently. Excellent operational control can also be positive for employee morale: for example, if you commit to assessing a risk in June and it is not done until July, what does that say to your employees about the organization’s prioritization of health and safety and concern for their well-being? Demonstrating your operational control can also be vital for your stakeholders and shareholders; who wants to do business with an organization that lacks this quality? Implement your plan today, as it is a vital part of delivering safety and well-being for your people in the short and long term.
The organization must also consider the adaptation of the work environment to ensure it is suitable and sufficient for all workers. Adaptation in broad terms may be the induction of new workers or ergonomically changed processes to protect workers from harm and improve process efficiency.
8.1.2 Eliminating hazards and reducing OH&S risks
The organization must establish, implement and maintain processes for the elimination of hazards and the reduction of OH&S risks, following this hierarchy of controls:
eliminate the hazard;
substitute with less hazardous processes, operations, materials or equipment;
use engineering controls and reorganization of work;
use administrative controls, including training;
use adequate personal protective equipment.
In many countries, the organization is required to provide personal protective equipment (PPE) at no cost to workers.
Annex A (Guidance on the use of ISO 45001:2018) further explains:
The hierarchy of controls is intended to provide a systematic approach to enhance occupational health and safety, eliminate hazards, and reduce or control OH&S risks. Each control is considered less effective than the one before it. It is usual to combine several controls in order to succeed in reducing the OH&S risks to a level that is as low as reasonably practicable. The following examples are given to illustrate measures that can be implemented at each level.
Elimination: removing the hazard; stopping using hazardous chemicals; applying ergonomics approaches when planning new workplaces; eliminating monotonous work or work that causes negative stress; removing fork-lift trucks from an area.
Substitution: replacing the hazardous with less hazardous; changing to answering customer complaints with online guidance; combating OH&S risks at source; adapting to technical progress (e.g. replacing solvent-based paint by water-based paint); changing slippery floor material; lowering voltage requirements for equipment.
Engineering controls, reorganization of work, or both: isolating people from hazard; implementing collective protective measures (e.g. isolation, machine guarding, ventilation systems); addressing mechanical handling; reducing noise; protecting against falls from height by using guard rails; reorganizing work to avoid people working alone, unhealthy work hours and workload, or to prevent victimization.
Administrative controls including training: conducting periodical safety equipment inspections; conducting training to prevent bullying and harassment; managing health and safety coordination with subcontractors’ activities; conducting induction training; administering forklift driving licences; providing instructions on how to report incidents, nonconformities and victimization without fear of retribution; changing the work patterns (e.g. shifts) of workers; managing a health or medical surveillance programme for workers who have been identified as at-risk (e.g. related to hearing, hand-arm vibration, respiratory disorders, skin disorders or exposure); giving appropriate instructions to workers (e.g. entry control processes).
Personal protective equipment (PPE): providing adequate PPE, including clothing and instructions for PPE utilization and maintenance (e.g. safety shoes, safety glasses, hearing protection, gloves).
The organization should apply the hierarchy of control measures for the elimination of hazards and the reduction of OH&S risks. The hierarchy of controls provides a structured approach to eliminating hazards and reducing or controlling OH&S risks by prioritizing control actions in a sequential manner: each control is considered less effective than the one above it, and it is customary to combine several controls in order to reduce the OH&S risks to a level that is as low as reasonably practicable. Having chosen the methodology for risk assessment determined in clause 6.0, the organization will use the ‘Hierarchy of Controls’ outlined in section 6 to eliminate or reduce hazards to the lowest practicable risk. It is essential that the workers conducting risk assessments, including external providers, are competent. On completion of the risk assessment, the results should be communicated to those workers directly affected within the operation and used to aid the development of control measures. Workers need to be included in the assessment process and in other system elements. When deciding what is reasonably practicable, best practices and technological options should be considered, in addition to financial, operational and business requirements. If new or improved controls are required, their selection should be in accordance with the hierarchy of controls, whereby priority is given to the elimination of hazards where practicable, followed by risk reduction (either by reducing the likelihood of occurrence or the potential severity of injury or harm), with the adoption of PPE as the last resort. The organization must establish a process and determine controls for achieving a reduction in OH&S risks using the following hierarchy:
Hazard elimination: avoiding risks and adapting work to workers, for example by integrating health, safety and ergonomics when planning new workplaces (such as using mechanized instead of manual packaging) and creating a physical separation of traffic between pedestrians and vehicles; discontinuing the use of hazardous chemicals; eliminating monotonous work practices; removing fork-lift trucks from an area.
Substitution: replacing the hazardous with the less hazardous or non-hazardous, such as replacing solvent-based paint with water-based paint, changing slippery floor tiles, or lowering voltage, pressure or temperature requirements for equipment.
Engineering controls: isolating people from the hazard; implementing collective protective measures (e.g. isolation, machine guarding, ventilation systems, noise reduction); addressing mechanical handling; protecting against falls from height by using guard rails; reorganizing work to avoid lone working, unhealthy work hours and excessive workload; reducing the effect of monotonous work by rotating workers.
Administrative controls: giving appropriate instructions to workers (e.g. lock-out processes, induction, forklift driving licences, entry control processes, emergency procedures, safety signs); conducting periodic safety equipment inspections; conducting training to prevent bullying and harassment; managing health and safety coordination with subcontractors’ activities; providing instruction on how to report incidents and nonconformities; changing the work patterns (e.g. shifts) of workers; managing a health or medical surveillance programme for workers who have been identified as at-risk (e.g. related to hearing, hand-arm vibration or respiratory disorders).
Personal protective equipment (PPE): providing adequate PPE, including clothing, together with instructions for its use and maintenance (e.g. safety shoes, safety glasses, hearing protection, chemical- and liquid-resistant gloves, electrical protection gloves).
In applying the hierarchy of controls, consideration should be given to the relative costs, risk-reduction benefits and reliability of the available options.
8.1.3 Management of change
The organization must establish processes for the implementation and control of planned temporary and permanent changes that impact OH&S performance. Such changes can include new products, services and processes, or changes to existing products, services and processes, including changes in work locations and surroundings, work organization, working conditions, equipment and the workforce. They can also include changes to legal requirements and other requirements, changes in knowledge or information about hazards and OH&S risks, and developments in knowledge and technology. The organization is to review the consequences of unintended changes, taking action to mitigate any adverse effects as necessary. Changes can result in both risks and opportunities.
Annex A (Guidance on the use of the ISO 45001:2018 standard) of ISO 45001:2018 further explains:
The objective of a management of change process is to enhance occupational health and safety at work by minimizing the introduction of new hazards and OH&S risks into the work environment as changes occur (e.g. with technology, equipment, facilities, work practices and procedures, design specifications, raw materials, staffing, standards or regulations). Depending on the nature of an expected change, the organization can use an appropriate methodology (e.g. design review) for assessing the OH&S risks and the OH&S opportunities of the change. The need to manage change can be an outcome of the planning
It is recognized that accidents can occur when processes deviate from defined, established control measures. This may include changes in competent supervision and workers, or the introduction of new materials, machinery and processes. The organization must define and implement a process which considers change throughout the business. This may be a written policy which accounts for different scenarios based on risk and opportunity. The change process may be supported by a documented system to acknowledge the issue and receipt of the notification, to ensure it is communicated and understood. Notification of change may be supported by training and competence requirements. The change process could incorporate a mechanism to assess and prevent the introduction of new hazards. Examples of events where management of change might be necessary include the following (the list is not exhaustive):
Change event: Loss of a knowledgeable, competent member of staff
Method of management: Organize re-training of an existing member of staff, supported by an external provider, until the employee is competent.
Change event: First aider absent
Method of management: Temporarily train staff in alternative means of receiving first aid treatment, including neighbouring businesses and emergency services.
Change event: Introduction of a new piece of machinery
Method of management: Appoint a project manager to coordinate implementation, including risk assessment, instruction, training and supervision. Obtain a risk assessment and installation method statement from the external provider. Develop control documents based on the manufacturer’s recommendations.
Change event: Flood within a building
Method of management: Appoint a competent representative to conduct a risk assessment and coordinate the relocation of staff to a safe environment.
Change event: Introduction of new software
Method of management: Project management coordination, presentations and toolbox talks, competence and awareness training.
The organization is required to establish a process for the implementation and control of planned temporary and permanent changes that influence its OH&S performance such as:
New products, processes or services;
Changes to work locations, working conditions, processes, procedures, equipment, or the company’s organizational structure;
Changes to applicable legal and other requirements;
Changes in knowledge or information concerning hazards and associated risks;
Developments in knowledge and technology.
The company is required to control both temporary and permanent changes, to review the consequences of unintended changes and, where applicable, to take action to mitigate any adverse effects that might arise as a result of the occurrence of the change. The overall purpose of the management of change process is to minimize the introduction of new hazards and risks into the workplace as a result of changes in:
Technology
Plant and equipment
Facilities
Work practices and procedures
Design specifications
Raw materials
Company personnel
Standards or regulations
Depending on the nature of any anticipated change, the company must use a suitable methodology for assessing the risks and the opportunities that might arise as a result of the change. The company must ensure that new, unforeseen hazards are not introduced, or the risk profile increased as a result of the introduction of the change. Where the company decides to implement the change, it must ensure that all affected employees are properly informed and are competent to cope with the change. The management of change process should include consideration of the following questions to ensure that any new or changed risks are acceptable:
Have new hazards been created?
What are the risks associated with the new hazards?
Have the risks from other hazards changed?
Could the changes adversely affect existing risk controls?
Have the most appropriate controls been chosen, bearing in mind usability, acceptability and both the immediate and long-term costs?
8.1.4 Procurement
8.1.4.1 General
The organization must establish, implement and maintain processes to control the procurement of products and services in order to ensure their conformity to its OH&S management system.
Annex A (Guidance on the use of the ISO 45001:2018 standard) of ISO 45001:2018 further explains:
The procurement processes should be used to determine, assess and eliminate hazards, and reduce OH&S risks associated with, for example, products, hazardous materials or substances, raw materials, equipment, or services before their introduction into the workplace. The organization’s procurement processes should address requirements for, for example, supplies, equipment, raw materials, and other goods and related services purchased by the organization to conform to the organization’s OH&S management system. The process should also address any needs for consultation and communication. The organization should verify that equipment, installations, and materials are safe for use by workers by ensuring:
equipment is delivered according to specification and is tested to ensure it works as intended;
installations are commissioned to ensure they function as designed;
materials are delivered according to their specifications;
any usage requirements, precautions or other protective measures are communicated and made available.
The purchase of goods and services is a requirement for any business to function. The standard requires the organization to put controls in place to ensure those purchased goods and services do not introduce hazards and expose workers to harm including contractors. This clause has been written to ensure that the organization does not use the corporate veil, to escape overall responsibility for achieving the intended outcome of their health and safety management system while engaging in outsourcing, engaging contractors and procurement. This clause again must be read in conjunction with clause 5.4, giving workers and their representatives the right to participation and consultation through these processes. Procurement processes should be used to control potential hazards and reduce OH&S risks associated with the purchase and introduction of products, hazardous chemicals, raw materials, equipment, and ancillary services into the workplace. The process should also address the need for consultation and communication on the procurement process with interested parties such as workers, contractors, and visitors. The organization should ensure that purchases are safe for use by workers by confirming that:
Equipment is supplied in accordance with a technical specification such as CE-marking and, where appropriate, is tested to ensure that it functions as intended;
Equipment is supplied in accordance with legal requirements;
Where appropriate, risk assessments are carried out in advance of the use of the equipment;
Installations are commissioned to ensure that they function as designed;
Materials are supplied in accordance with technical specifications;
Usage requirements, precautions or other protective measures are communicated and made available to workers, contractors and others who could be adversely affected.
8.1.4.2 Contractors
The organization should coordinate its procurement processes with its contractors in order to identify hazards and to assess and control the OH&S risks arising from: the contractors’ activities and operations that impact the organization; the organization’s activities and operations that impact the contractors’ workers; and the contractors’ activities and operations that impact other interested parties in the workplace. The organization shall ensure that the requirements of its OH&S management system are met by contractors and their workers. The organization’s procurement processes must define and apply occupational health and safety criteria for the selection of contractors. It can be helpful to include the occupational health and safety criteria for the selection of contractors in the contractual documents.
Annex A (Guidance on the use of the ISO 45001:2018 standard) of ISO 45001:2018 further explains:
The need for coordination recognizes that some contractors (i.e. external providers) possess specialized knowledge, skills, methods, and means. Examples of contractor activities and operations include maintenance, construction, operations, security, cleaning and a number of other functions. Contractors can also include consultants or specialists in administrative, accounting and other functions. Assignment of activities to contractors does not eliminate the organization’s responsibility for the occupational health and safety of workers. An organization can achieve coordination of its contractors’ activities through the use of contracts that clearly define the responsibilities of the parties involved. An organization can use a variety of tools for ensuring contractors’ OH&S performance in the workplace (e.g. contract award mechanisms or pre-qualification criteria which consider past health and safety performance, safety training, or health and safety capabilities, as well as direct contract requirements). When coordinating with contractors, the organization should give consideration to the reporting of hazards between itself and its contractors, controlling worker access to hazardous areas, and procedures to follow in emergencies. The organization should specify how the contractor will coordinate its activities with the organization’s own OH&S management system processes (e.g. those used for controlling entry, for confined space entry, exposure assessment, and process safety management) and for the reporting of incidents. The organization should verify that contractors are capable of performing their tasks before being allowed to proceed with their work; for example, by verifying that:
OH&S performance records are satisfactory;
qualification, experience and competence criteria for workers are specified and have been met (e.g. through training);
resources, equipment and work preparations are adequate and ready for the work to proceed.
A robust procurement process is essential to control product and service inputs into an organization. Inputs may include raw materials for products, equipment including machinery, consumables such as cleaning products, and workers conducting maintenance as part of a service agreement. The organization is required to develop a process which should include an assessment of the impact on safety of products and services prior to purchase. This may include obtaining product or material safety data from an external provider, or conducting a risk assessment. A risk assessment with an external provider may be considered during activities such as the purchase and installation of machinery; the assessment would identify potential hazards and suitable control measures to protect both the organization’s workers and contractors. Within the process, consider the delivery of products to ensure they are inspected against specified requirements prior to release. Consideration must also be given to ensuring that products and services are legally compliant, for example through the assessment of material safety data sheets, declarations of conformity or business registration with trade associations. Personnel who are responsible for procurement must ensure they utilize competent workers to assist with assessments and to communicate safety information relating to the product or service. Health and safety information may include material safety data sheets, training, competency requirements and instructions for use.
The organization must coordinate its procurement process with its contractors, in order to identify hazards and to assess and control the OH&S risks arising from:
Contractors’ activities and operations that impact or have the potential to impact the organization;
The organization’s activities and operations that impact or have the potential to impact contractors’ workers;
Contractors’ activities and operations that impact or have the potential to impact other interested parties in the workplace such as visitors or the public.
Contractor activities include the full gamut of services provided to organizations, including maintenance, construction, facilities, security, cleaning, waste management and a number of other functions. Contracting activities can also encompass consultants, accountants, administrators and other specialist service providers. The organization must ensure that the requirements of its OH&S management system are met by contractors and their workers. The procurement process should define and apply occupational health and safety criteria in the selection of contractors, ideally in contract documents or service level agreements (SLAs). How the organization manages its often diverse and complex relationships with contractors can vary, depending on the nature and extent of the service provided and the hazards and risks associated with it. When coordinating with contractors, the organization should consider the reporting of hazards between itself and its contractors, controlling worker access to hazardous areas, and procedures to follow in emergencies. The organization should specify how the contractor will coordinate its activities with the organization’s own OH&S management system processes (e.g. those used for lock-out tag-out, confined space entry, exposure assessment and process safety management) and for the reporting of incidents.
The organization must verify that contractors are capable of performing their tasks before being allowed to proceed with their work, by, for example:
Reviewing the contractor’s OH&S management system documentation such as risk assessments, procedures/work instructions/method statements, OH&S manual/Safety Statement;
Confirming that the contractor’s OH&S performance records are satisfactory (review HSA/HSE prosecutions, notifiable accidents or dangerous occurrences, improvement or prohibition notices);
Assessing the contractor’s understanding of its OH&S legal and other obligations;
Determining that qualification, experience and competence criteria for workers are specified and have been met (e.g. through training);
Ensuring that resources, equipment and work preparations are adequate and ready for the work to proceed;
Checking the contractor’s emergency and evacuation plans and procedures and level of preparedness in the event of an emergency;
Reviewing the contractor’s process for incident investigation, and reporting of nonconformities and corrective actions;
Assessing contractor OH&S consultation, communication and participation with any of its workforce and other relevant interested parties, including the organization.
8.1.4.3 Outsourcing
The organization shall ensure that outsourced functions and processes are controlled. The organization shall ensure that its outsourcing arrangements are consistent with legal requirements and other requirements and with achieving the intended outcomes of the OH&S management system. The type and degree of control to be applied to these functions and processes shall be defined within the OH&S management system. NOTE Coordination with external providers can assist an organization to address any impact outsourcing has on its OH&S performance.
Annex A (Guidance on the use of the ISO 45001:2018 standard) of ISO 45001:2018 further explains:
When outsourcing, the organization needs to have control of the outsourced functions and processes to achieve the intended outcomes of the OH&S management system. For the outsourced functions and processes, the responsibility for conforming to the requirements of this document is retained by the organization. The organization should establish the extent of control over outsourced function(s) or processes based upon factors such as:
the ability of the external organization to meet the organization’s OH&S management system requirements;
the technical competence of the organization to define appropriate controls or assess the adequacy of controls;
the potential effect the outsourced process or function will have on the organization’s ability to achieve the intended outcome of its OH&S management system;
the extent to which the outsourced process or function is shared;
the capability of the organization to achieve the necessary control through the application of its procurement process;
opportunities for improvement.
In some countries, legal requirements address outsourced functions or processes.
Outsourcing (or sub-contracting) is the employment of an external organization to perform one or more processes in the OHSMS. This can include system processes (e.g. internal auditing) as well as operational processes (e.g. welding, recruitment, component sterilization). Many businesses use the services of contractors (external providers) to fill gaps in processes and to complete tasks requiring specialist knowledge. The standard requires the organization to conduct an assessment of those contractors, including due diligence competency checks. The organization may consider the use of contractor selection criteria to ensure services are within the scope of the task. The organization must be satisfied that there is a process to protect contractors (workers) and other workers who may be exposed to hazards due to their activities. During the procurement process, written agreements may be established between the organization and the contractor specifying the organization’s rules. This may be supported by risk assessments and method statements conducted by both parties, with the results communicated. It is key that the necessary checks have been made to ensure contractors are competent; in some circumstances this may require confirmation of compliance with legal requirements, for example certification to work on electrical switchgear or on a gas boiler. Once the procurement process has been completed, it is good practice to support site activities with an induction programme. This will provide contractor workers with an understanding of the rules, including any specific requirements such as site hazards, authorized areas, near-miss reporting processes, safe walking routes, emergency action plans, supervision and required permits to work.
Responsibility for conforming to the requirements of ISO 45001 is vested in the organization, because the outsourced process remains part of the organization’s OHSMS, including the necessary controls exerted on the outsourced process for OH&S purposes. The organization must establish appropriate controls both to ensure that the external provider understands what is required of it and to give itself assurance that these requirements are being pursued in a responsible way. The organization must verify that its outsourcing arrangements are compliant with legal requirements and are consistent with achieving the intended outcomes of the OH&S management system. The type and degree of control to be applied to outsourced functions and processes must be defined within the OH&S management system and should be based on criteria such as:
The ability of the external organization to meet the organization’s OH&S management system requirements;
The technical competence of the organization to identify hazards, assess risks, determine appropriate controls and understand its obligations vis-à-vis OH&S legislation;
The potential effect the outsourced processes may have on the organization’s ability to achieve the intended outcomes of its OHSMS;
The extent to which the outsourced process or function is shared;
The capability of the organization to achieve the necessary controls through the application of its procurement process;
Opportunities for improvement.
Controls can include contractual requirements, training, inspections and risk assessments.
The standard requires the organization to maintain documented information relating to the procurement of products and services including contractor arrangements. Below is a list of examples of documented information considered for retention:
Risk assessment and method statements between the organization and contractor
Material safety data sheets
Email exchanges relating to safety aspects
Certificates of conformity – Harnesses, guarding, emergency stops, PPE
Contractor permits and licenses
Completed external provider questionnaires
Worker training records
8.2 Emergency preparedness and response
The organization must establish, implement and maintain the processes needed to prepare for and respond to potential emergency situations. The organization must establish a planned response to emergency situations, including the provision of first aid. It must provide training for the planned response. It must periodically test and exercise the planned response capability. The organization must evaluate performance and, as necessary, revise the planned response, including after testing and in particular after the occurrence of emergency situations. It must communicate and provide relevant information to all workers on their duties and responsibilities. It must communicate relevant information to contractors, visitors, emergency response services, government authorities and, as appropriate, the local community. It must take into account the needs and capabilities of all relevant interested parties and ensure their involvement, as appropriate, in the development of the planned response. The organization shall maintain and retain documented information on the processes and on the plans for responding to potential emergency situations.
Annex A (Guidance on the use of the ISO 45001:2018 standard) of ISO 45001:2018 further explains:
Emergency preparedness plans can include natural, technical and man-made events that occur inside and outside normal working hours.
This Clause deals with emergency preparedness and response and is one of the most critical clauses of the standard. Having a defined and efficient process in the event of an incident or accident can be central to ensuring that the effect is mitigated and reduced. Therefore, while preventing incidents and accidents is the primary concern of an OHSAS system, responding to them and ensuring an emergency response plan is in place is equally important. So, given that most organizations will have employees and contractors, visitors, partners, and neighbours and will have to call on emergency services in the event of an accident, it is clear that there are many stakeholders to consider and make provisions for if your emergency response plan is to be truly effective.
Emergency preparedness and response is a key element in the mitigation of occupational health & safety risk. The standard informs us that it is the responsibility of the organization to be prepared, and a number of elements should be considered and planned for. Actions to mitigate incidents must be developed, as well as internal and external communication methods and appropriate methods for emergency response. Consideration of varying types of occupational health & safety incidents needs to be made, as do root cause analysis and corrective action procedures to respond to incidents after they occur. Regular emergency response testing and relevant training need to be considered and undertaken, and assembly routes and evacuation procedures defined and communicated. Lists of key personnel and emergency agencies (think clean-up agencies, local emergency services, and local occupational health & safety offices or agencies) should be established and made available, and it is often good practice to form partnerships with similar neighbouring organizations with whom you can share mutual services and provide help in the event of an occupational health & safety incident. Planning for unexpected events is a good all-around organizational discipline. The risk assessment process, for ISO 45001 identification of hazards, may have highlighted potential emergency situations with possibly catastrophic consequences. Therefore, it is necessary to put control measures in place to mitigate these potential events. Once emergency situations have been identified, which may involve workers at every level of the organization, a plan needs to be formulated and tested. Check that emergency preparedness and response has been tested within the internal audit plan. Testing emergency response plans are critical to raise awareness of potential events and ensure control measures function including supervision, individual responsibilities, the suitability of training and communication. 
Below are some examples of when emergency plans will be required:
Event: Provision of first aid
Recommendation: Testing of first aid response; consider shift patterns, availability of equipment and competent staff, etc.
Event: Evacuation drill
Recommendation: Method of raising the alarm, contacting the emergency services, accountability of workers, staged evacuation, changes in building layout, etc.
Event: Bomb threat
Recommendation: Raising the alarm, what to do with workers (stay put or evacuate to a safe area), keeping away from windows, controlled method of raising the alarm.
Event: Chemical spillage
Recommendation: Raising the alarm, evacuation, containment, availability of Material Safety Data Sheets.
The emergency response process should address all of the following:
Establishing a planned response to emergency situations, including the provision of first-aid. Qualified first aid people: who are they, where are they, and is everyone aware of them? These people are likely to be central to lessening the effect of an emergency situation, so the more of them you have, the better. The more quickly and accurately an employee can reach them, the more chance there is of effectively dealing with a potential emergency situation before it escalates.
Fire extinguisher and chemical spill kits: are they clearly signposted and are employees informed of any changes?
Emergency contact numbers: they need to be clearly outlined in your plan, in the event someone needs to access them swiftly.
Evacuation plan: whether in case of fire, chemical spillage, or natural disaster, is everyone aware of the protocol?
The employee next of kin details: informing anyone of an accident is an unpleasant task, but it is good practice to ensure that your records are accurate and up to date.
Responsibilities and communication: does your plan clearly identify who is responsible for decision making and for communicating with stakeholders in the event that the emergency plan is activated?
Return to work process: your plan should indicate who decides when it is safe to go back to work, and that person can then initiate the process whereby investigation, risk assessment, and corrective action can be implemented to drive improvement and prevent reoccurrence.
Providing training for the planned response;
Periodically testing the organization’s capability to respond to the potential emergency;
Evaluating the organization’s performance and, as necessary, revising the planned response, including after testing and, in particular, after the occurrence of an emergency situation;
Communicating and providing relevant information to all workers on their duties and responsibilities;
Communicating relevant information to contractors, visitors, emergency response services, government bodies and, where appropriate, the local community;
Taking into account the needs and capabilities of all relevant interested parties and ensuring their involvement, as appropriate, in the development of the planned response.
When identifying potential emergency situations, consideration should be given to emergencies that can occur subject to both normal and abnormal conditions (e.g. operation start-up or shut-down, construction activities, etc.). Involving stakeholders in the construction of your emergency preparedness and response plan is a positive thing. Inviting your local fire service, for instance, to participate in your plan construction can give you added expertise and insight into what they deem to be achievable and sensible, thereby lessening the impact should an emergency occur. Likewise, why not invite business partners and contractors to contribute to your emergency plan? You will benefit from the sharing of information, educate your partners, and hopefully construct an emergency plan that is a combination of shared knowledge. How the potential emergency situations will impact all personnel within and/or in the immediate vicinity of the workplace should be assessed by the organization, particularly those with special needs such as people with limited mobility, vision or hearing. The emergency preparedness and response process should focus on the prevention of ill-health and injury to all personnel including workers, contractors, visitors, neighbours, members of the general public and emergency services personnel and should take account of applicable OH&S legislation. The process should be clear and concise and should be understandable to personnel within the organization with specific duties and responsibilities during an emergency such as fire wardens. The emergency preparedness and response process should consider the following:
Identification of potential emergency situations and locations;
Details of the actions to be taken by personnel during the emergency;
Evacuation;
Organizational roles, responsibilities, and authorities of personnel with specific roles during an emergency such as fire-wardens, first-aid staff, spillage response personnel and members of the emergency response team (ERT);
Interface and communication with emergency services;
Communication with workers, regulatory bodies and other relevant interested parties such as workers’ families, neighbours, the local community and the media;
Information deemed necessary to facilitate the emergency response process such as plant layout drawings, identification, and location of emergency response equipment, identification, and location of hazardous chemicals and wastes, utility shut-off locations and contact information for emergency response providers;
Review of emergency response equipment and materials;
Emergency responses training;
Periodic testing of emergency preparedness and response process;
Review and revision of process, where appropriate.
The organization should maintain and retain documented information on the emergency preparedness and response process and on any plans for responding to potential emergency situations. Note that ISO 45001 also requires you to test, review, and improve your plan wherever practical and possible. Therefore, it is necessary to state in your plan how and how often you will test it, what methods you use to review the output of those tests, and how you improve the plan as a result. Again, feedback from all stakeholders is very useful here, so don't hesitate to involve stakeholders in this process to ensure that you get the best possible response and feedback to assist in your improvement cycle. Set a schedule to review your plan regularly, and ensure that you consider accidents, incidents, and legislation changes when you do so. If you can encourage stakeholder engagement and feedback, expert advice, and good communication allied to learning from the past, your organization will be well positioned to lessen the impact should an unfortunate situation occur.
Clause 7 of ISO 45001 discusses the resources and support needed to be successful with the OH&S management system. "Support" means that the organization has achieved a level of competence among its workers and systems sufficient to drive the outcomes of the OH&S plan. The clause also covers the need to establish awareness of the OH&S policy, to communicate information about the OH&S management system and define with whom that information should be shared, and to manage documented information, including tracking of updates, controlling the information, and ensuring its accessibility and accuracy. Essentially, Clause 7 describes how the organization must support the OH&S management system. Successfully managing an Occupational Health and Safety Management System relies heavily on having the necessary resources for each task. This includes having competent staff with the appropriate training, support services, and effective information and communication means. The organization will determine what documented information is necessary for the success of the system. Documented information is a new term in the standard; it means that the information can be in any format or media and from any source. Moreover, internal and external information must be communicated throughout the organization and must be gathered, disseminated, and understood by those receiving it. The decisions that need to be made are:
On/about what to inform?
When to inform?
Who to inform?
How to inform?
How to receive and maintain documented information and how to respond to relevant incoming communications?
Accordingly, the separate terms 'document' and 'record' are no longer used in the new standard, which uses the single term 'documented information' for both, so that information can be held and shared with confidence in any medium.
7.1 Resources
The organization must determine and provide the resources needed for the establishment, implementation, maintenance, and continual improvement of the OH&S management system.
Annex A of ISO 45001:2018 (guidance on the use of the standard) explains further:
Examples of resources include human, natural, infrastructure, technology, and financial. Examples of infrastructure include the organization’s buildings, plant, equipment, utilities, information technology, and communications systems, and emergency containment systems.
The organization must initially determine and provide the resources necessary to establish, implement, maintain and continually improve its OH&S management system. The identification, procurement, and provision of resources are the prerogative of senior management, and their absence or diminution can be a limitation on the effectiveness of the OH&SMS. Examples of resources include:
Human;
Natural;
Infrastructure;
Technology;
Financial.
Examples of infrastructure include:
Buildings;
Plant;
Equipment;
Utilities;
Information technology;
Communications systems;
Emergency containment systems.
Resources should be provided in a timely and efficient manner. Resource allocations should consider the organization’s current and future needs. Resources will be required to fulfill the requirements identified during the planning stages of the system to maintain continuous improvement. These include human, natural, infrastructure (buildings, plant, equipment, utilities, emergency containment systems) technological, and financial resources. It is essential that the allocation of resources has full support from Top Management, under the requirements of Clause 5, to drive the maintenance of a safe and healthy work environment. As part of identifying resources, the organization needs to look at the information produced in Section 6 to acknowledge the risk, opportunities, and resulting objectives. They then need to allocate sufficient resources to mitigate or manage them. Simply put, the standard advises the organization that the resources required to achieve the stated objectives and show continual improvement must be made available.
7.2 Competence
The organization must determine the necessary competence of workers that affects or can affect its OH&S performance. It must ensure that workers are competent, including in the ability to identify hazards, on the basis of appropriate education, training, or experience and, where applicable, take actions to acquire and maintain the necessary competence and evaluate the effectiveness of the actions taken. It must retain appropriate documented information as evidence of competence. Applicable actions can include, for example, the provision of training to, the mentoring of, or the reassignment of currently employed persons, or the hiring or contracting of competent persons.
Annex A of ISO 45001:2018 (guidance on the use of the standard) explains further:
The competence of workers should include the knowledge and skills needed to appropriately identify the hazards and deal with the OH&S risks associated with their work and workplace. In determining the competence for each role, the organization should take into account things such as: a) the education, training, qualification, and experience necessary to undertake the role and the re-training necessary to maintain competence; b) the work environment; c) the preventive and control measures resulting from the risk assessment process(es); d) the requirements applicable to the OH&S management system; e) legal requirements and other requirements; f) the OH&S policy; g) the potential consequences of compliance and noncompliance, including the impact on the worker’s health and safety; h) the value of the participation of workers in the OH&S management system based on their knowledge and skill; i) the duties and responsibilities associated with the roles; j) individual capabilities, including experience, language skills, literacy, and diversity; k) the relevant updating of the competence made necessary by context or work changes. Workers can assist the organization in determining the competence needed for roles. Workers should have the necessary competence to remove themselves from situations of imminent and serious danger. For this purpose, it is important that workers are provided with sufficient training on hazards and risks associated with their work. As appropriate, workers should receive the training required to enable them to carry out their representative functions for occupational health and safety effectively. In many countries, it is a legal requirement to provide training at no cost to workers.
The organization must determine the competency requirements for those workers that affect, or could affect its OH&S performance. This requirement also pertains to workers operating under the control of the organization such as contractors, agency workers, etc. Once these competency requirements have been determined the organization must then ensure that those workers possess the necessary competence, including the ability to identify hazards, on the basis of appropriate education, training, or experience. It is imperative that all workers have the knowledge and skills required to identify the hazards and manage the OH&S risks associated with their work and workplace. If workers are deemed not to be competent, the organization is required to take action (e.g. refresher/remedial training, recruitment of additional personnel, or hiring/contracting of external expertise) in order to acquire the necessary competence. The actions taken to raise competence to the required level need to be evaluated for effectiveness by means of the following mechanisms:
Questioning workers on their understanding of their competence to perform the relevant tasks following the prescribed training;
Assessment of competence of the workers by observing them undertake the relevant tasks following the prescribed training;
Peer review or supervision following the required training.
The organization must determine competence requirements for individual tasks and should consider the following factors in its deliberations:
The education, training and experience required to undertake the role and the re-training necessary to maintain competence;
The work environment;
The preventive and control measures arising from the risk assessment process;
The requirements applicable to the OH&S management system;
The potential consequences of compliance and non-compliance, including the impact on the worker’s health and safety;
The duties and responsibilities associated with the roles;
The complexity and requirements of operating procedures and work instructions;
The results from incident investigations;
Legal and other requirements;
The necessary updating of the competence made necessary by context or work changes;
Individual capabilities, including experience, language skills, literacy, and diversity.
The organization should pay particular attention to the competency requirements attached to personnel performing the following tasks:
Identifying hazards and conducting risk assessments;
Conducting audits;
Performing occupational exposure or noise assessments;
Carrying out incident investigations;
Performing tasks associated with significant hazards and high risks.
When competence is acquired through training, the organization’s training process should include:
Identification of training needs;
Preparation of a training plan or programme to address identified training needs;
Delivery of the training;
Evaluation of the effectiveness of the training;
Documentation, monitoring, and review of the training received.
Workers should be encouraged to assist the organization in ascertaining the competence needed for their respective roles. The organization is required to retain appropriate documented information as evidence of its employees’ competence such as training records.
Employee competence must meet the terms of the ISO 45001:2018 standard by ensuring that the people given responsibility for OH&S Management System tasks are capable and confident. Related to this, it stands to reason that the experience, training, and/or education of the individual must be of the required standard, and that any necessary training is identified and delivered, with measurable actions taken externally or internally to ensure that this level of competence exists. Predictably, this process and its outputs need to be recorded as documented information for the OH&S Management System. An organization working effectively and efficiently must have competent workers. In terms of OH&S, it is essential that workers have access to information and have been suitably trained to prevent accidents or ill health to themselves and others. Competence can include consideration for:
Capability to fulfil the task based on defined job roles and a clear understanding of the required OH&S aspects
Defined methods of recruitment with consideration for temporary or agency workers
Awareness of hazards associated with the environment and processes
Legal requirements
Individual capabilities including experience, language skills, literacy and diversity
The diversity of activities within the organization will determine the level of training required to fulfill competence. Training gaps are usually identified with the development of new processes, for example the introduction of new machinery, or in achieving compliance with regulatory requirements. No matter how big or small the organization is, training records are essential as reference and as evidence of the fulfillment of competence. Consider an overview training matrix identifying training gaps, how they were filled, and refresher training dates. In addition, consider individual training records with signatory evidence from the worker to acknowledge completion and understanding of training, including hazard awareness. The organization must also consider the competence of external providers, including contractors procured to conduct tasks on site. The organization's procurement process may provide the structure for management of external providers, including evidence of capability and competence; on site, this may be supported with site induction training. Whether competence is developed internally or sourced externally, the organization's Top Management must be confident that mechanisms are in place to provide workers with suitable and sufficient competency-based OH&S training. The organization must train all workers to be competent in hazard identification. It is core to being able to participate in applying the hierarchy of control and to understanding when to exercise their right to cease unsafe work.
7.3 Awareness
Workers should be aware of the OH&S policy and OH&S objectives. Workers should be aware of how they can contribute to the effectiveness of the OH&S management system, including the benefits of improved OH&S performance. They must be aware of the implications and potential consequences of not conforming to the OH&S management system requirements. They must be aware of the incidents and the outcomes of investigations that are relevant to them. They must be aware of the hazards, OH&S risks, and actions determined that are relevant to them. They must be aware of their ability to remove themselves from work situations that they consider present an imminent and serious danger to their life or health, as well as the arrangements for protecting them from undue consequences for doing so.
Annex A of ISO 45001:2018 (guidance on the use of the standard) explains further:
In addition to workers (especially temporary workers), contractors, visitors and any other parties should be aware of the OH&S risks to which they are exposed.
Awareness is closely related to competence in the standard. Employees must be made aware of the Occupational Health & Safety policy and its contents, any current and future impacts that may affect their tasks, what their personal performance means to the OH&S Management System and its objectives (including the positive effect of improved performance), and what the implications of poor performance may be for the OH&S Management System. Additionally, the standard demands that workers be aware that they can remove themselves from work situations that they consider to be a danger to their life or health. Awareness of the requirements of the OH&S system is critical for both internal and external workers. There must be a clear understanding of the organization's H&S Policy, including the requirement for individuals to protect themselves and others from exposure to hazards. Awareness training starts before work commences for both internal and external workers and may include:
OH&S Policy and requirements
Hazards associated with the environment and processes
Means to report incidents and receive information following the investigation
Means to report near misses or safety-critical defects
Structure of supervision
Provision of information including Safe Systems of Work or Work Instructions
A clear understanding that there are no recriminations for reporting hazards or precautionary removal of individuals from exposure to harm which is life-threatening. This must be actively encouraged as part of a positive safety culture. It is recommended there is evidence of awareness training.
The right to cease unsafe work without reprisals or victimization is set out in ISO 45001, which requires the organization to make its workers aware of their ability to cease work where they consider a serious and imminent hazard to their health or life exists. Clause 7.3 also requires the organization to make workers aware of the arrangements in the health and safety management system that protect them from undue consequences for exercising this basic right at work. If the application of the hazard identification and elimination processes leaves workers still considering themselves in imminent and serious danger, then ceasing unsafe work is the only option. Likewise, if a new hazard suddenly arises that presents an imminent and serious danger, then ceasing unsafe work is the only option. This does not mean walking off the job entirely; in fact, an essential part of ceasing unsafe work is reporting the hazard to management and quickly negotiating a resolution to the reasonable concern. This can include an interim measure, pending a permanent resolution. This clause also requires that workers are made aware of the organization's:
Outcomes of relevant incidents and their investigations,
Outcomes of the application of the risk management processes in clause 6 & 8, for hazards, health and safety risks and determining control measures.
7.4 Communication
7.4.1 General
The organization must establish, implement and maintain the process(es) needed for the internal and external communications relevant to the OH&S management system. This includes determining what it will communicate, when to communicate, with whom to communicate (internally among the various levels and functions of the organization, with contractors and visitors to the workplace, and with other interested parties), and how to communicate. In communicating, the organization must take into account diversity aspects such as gender, language, culture, literacy, and disability. It must ensure that the views of external interested parties are considered in establishing its communication processes, and it must take into account its legal requirements and other requirements. The organization must ensure that OH&S information to be communicated is consistent with information generated within the OH&S management system, and is reliable. It must respond to relevant communications on its OH&S management system, and it must retain documented information as evidence of its communications, as appropriate.
7.4.2 Internal communication
The organization must internally communicate as appropriate information relevant to the OH&S management system among the various levels and functions of the organization, including changes to the OH&S management system. It must ensure its communication process enables workers to contribute to continual improvement.
7.4.3 External communication
The organization must externally communicate information relevant to the OH&S management system, as established by the organization’s communication processes, and taking into account its legal requirements and other requirements.
Annex A of ISO 45001:2018 (guidance on the use of the standard) explains further:
The communication process(es) established by the organization should provide for the gathering, updating, and dissemination of information. It should ensure that relevant information is provided, received, and is understandable to all relevant workers and interested parties.
The organization must establish, implement and maintain a process or processes for internal and external communications relevant to the OH&S management system, which provides for the gathering, updating, and dissemination of information and which encompasses the following:
What topics to communicate on;
When to communicate;
With whom to communicate (e.g. internally within the organization and/or externally with contractors, visitors, and other interested parties);
How to communicate.
Communications should be appropriate, comprehensible, and intelligible for the audience at which they are aimed, and should take into account diversity aspects such as gender, language, culture, literacy, and disability. The organization should also take into account legal and other requirements and ensure that the information to be communicated is consistent with information generated within the OH&S management system and is reliable. Information transmitted by internal or external communications that is of interest to relevant interested parties must be available when required.
It is critically important to effectively communicate information about OH&S risks and the OH&S management system, including changes to the OH&SMS, at various levels and between various functions of the organization. This should include information relating to:
Management’s commitment to the OH&S management system;
The identification of hazards and risks;
OH&S objectives and programmes to achieve them;
Incident investigation;
Progress in eliminating hazards and associated OH&S risks;
Operational changes that might impact the OH&S management system;
Progress with consultation and participation of workers;
The organization should have a process in place for receiving, documenting, and responding to relevant communications from external interested parties, where appropriate. Paramount to this is the development and maintenance of a process for communicating with contractors and other visitors to the workplace. The extent of this communication should be related to the OH&S risks faced by these parties and will be further considered in clause 8.1.4.2 of the standard. Service level agreements (SLAs), contracts, and pre-project OH&S planning meetings are often used to communicate OH&S issues to external providers such as contractors, but the organization should also use methods such as on-site induction to raise OH&S awareness amongst contractors’ workers. In addition to communicating about specific OH&S requirements relating to on-site and off-site activities, the following should also be taken into account when communicating with external providers, particularly contractors:
Information about a contractor’s OH&S management system;
Legal and other requirements that impact on the method or extent of communication;
Previous OH&S performance and history of notifiable incidents;
The use of multiple contractors at the workplace;
Emergency response;
The need for alignment of the contractor’s OH&S practices with those of the organization and other contractors at the workplace;
The need for additional consultation and/or contractual provisions relating to high-risk tasks;
Reporting of OH&S performance, incidents, nonconformities, and corrective actions;
Arrangements for regular communications.
For visitors such as delivery companies, clients, members of the general public and service providers specific OH&S information needs to be communicated as follows:
OH&S requirements relevant to their visit;
Evacuation procedures and responses to alarms;
Traffic controls;
Access controls and escort function;
Details relating to the wearing of personal protective equipment (PPE).
External communication processes often include the identification of a designated contact person from within the organization. This allows for appropriate information to be communicated in a timely and consistent manner. This can be especially important in emergency situations where regular updates are required to be delivered in a clear and unambiguous manner.
Processes for internal and external communication need to be established and recorded as documented information within the OH&S Management System. The key elements that need to be decided, actioned, and recorded are what needs to be communicated, how it should be done, who needs to receive the communication, and at what intervals it should be done. It should be noted here that any communication outputs should be consistent with related information and content generated by the OH&S Management System for the sake of consistency. The standard advises the organization that information should be communicated at various levels and with various frequencies as deemed suitable and that the organization must ensure that the nature and frequency of communication allow continual improvement to result from the communication process itself. Once again, the organization is advised by the standard to ensure that communication relevant to the OH&S Management System takes place as per the established process, with the goal of ensuring that compliance obligations and objectives are met.
Defined channels of communication are key to the success of the OH&S management system. It is recommended that there is a clear policy on communication endorsed by Top Management identifying the process of communication. The organization will need to determine:
Question: What will be communicated?
Answer: OH&S Policy, site rules including personal responsibilities, hazards, risk assessments, Work Instructions, minutes from committee meetings, investigation results, organizational structure, performance.
Question: When will communication occur?
Answer: On recruitment (permanent or temporary), at induction (internal and external), at morning briefings, at safety committee meetings, and when legal requirements are pending.
Question: To whom will information be communicated?
Answer: Workers including agency workers, contractors, external providers, product end-users, and other interested parties.
7.5 Documented information
7.5.1 General
The organization must have documented information (documents and records) as required by ISO 45001:2018, and also that determined by the organization as being necessary for the effectiveness of the OH&S management system. The extent of documented information for an OH&S management system can differ from one organization to another due to the size of the organization and its type of activities, processes, products, and services; the need to demonstrate fulfillment of legal requirements and other requirements; the complexity of processes and their interactions; and the competence of workers.
7.5.2 Creating and updating
When creating and updating documented information, the organization must ensure appropriate identification and description (e.g. a title, date, author, or reference number), format (e.g. language, software version, graphics) and media (e.g. paper, electronic). It must also ensure appropriate review and approval for suitability and adequacy.
7.5.3 Control of documented information
Documented information required by the OH&S management system must be controlled to ensure that it is available and suitable for use, where and when it is needed. It must be adequately protected from loss of confidentiality, improper use, or loss of integrity. For the control of documented information, the organization shall address the following activities:
distribution, access, retrieval, and use;
storage and preservation, including preservation of legibility;
control of changes (e.g. version control);
retention and disposition.
Documented information of external origin determined by the organization to be necessary for the planning and operation of the OH&S management system should be identified, as appropriate, and controlled. Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information. Access to relevant documented information includes access by workers, and, where they exist, workers’ representatives.
Annex A (Guidance on the use of ISO 45001:2018) of the standard further explains:
It is important to keep the complexity of the documented information at the minimum level possible to ensure effectiveness, efficiency, and simplicity at the same time. This should include documented information regarding planning to address legal requirements and other requirements and on evaluations of the effectiveness of these actions. The actions described in 7.5.3 are particularly aimed at preventing the unintended use of obsolete documented information. Examples of confidential information include personal and medical information.
“Documented information” refers to the documents and records that are necessary for the OH&S Management System. The requirements are designed to allow each organization to shape documented information to its own requirements in general, with the exception of the mandatory components mentioned specifically in the standard and, therefore, in this guide. The ISO 45001:2018 standard advises that the OH&S Management System should include all documented information that the standard declares mandatory, and anything viewed as critical to the OH&S Management System and its operation. It should also be noted that the amount of documented information an organization requires will differ according to the size, operating sector, and complexity of compliance obligations faced by the business. The standard advises that documentation created by the OH&S Management System needs to include appropriate identification, description, and format so that it can be easily understood what the documented information is for. There is also a need to review and approve the documented information for suitability and accuracy before release. The standard advises that documentation created by the OH&S Management System should be available and fit for purpose where and when needed, reasonably protected against damage or loss of integrity and identity, and that the processes of distribution, retention, access, retrieval, preservation and storage, control, and disposition are adequately provided for. Documented information from external sources should be similarly controlled and handled, and viewing and editing access levels should be carefully considered and controlled.
It is important for top management to ensure that the OHSMS processes are carried out as planned and the desired results are achieved. Capturing key pieces of information in documented form can assist in this effort. Documenting how the system works helps personnel responsible for its implementation understand what they need to do and how to do it. Where a number of people are performing a process, documenting the steps can ensure consistency in the results. Documenting decisions made, OHSMS activities performed and the resulting outcomes provides evidence to demonstrate conformity to requirements and the effective implementation of the OH&S management system. Mandatory documents include the documented information required by ISO 45001 and additional information identified by the organization as necessary for the effective operation of its OH&S management system. The extent of documented information for an OH&S management system can differ from one organization to another due to:
The size of the organization and the type of activities, processes, products or services it is engaged in.
The need to demonstrate fulfilment of legal and other requirements.
The complexity of the organization’s processes and how they interact.
The competence of workers.
ISO 45001 has moved from prescriptive requirements for specific ‘documents’ and ‘records’ towards the more inclusive term ‘documented information’. This allows the organization to customize its occupational health and safety documentation to better reflect its particular circumstances. There are now basically two types of documented information: “living” documents that describe how things are done within the OHSMS, and “static” records that reflect the results of some activity at a particular point in time. Whether in electronic or paper format, the correct and current versions of living documents, be they procedures, work instructions, process maps, plans, or programs, need to be available to those who use them. This requires the organization to have a process to create these documents and control their revision. Records of results need to be created, reviewed, and retained for a period of time. The organization should attempt to keep the complexity of the documented information at the minimum level necessary to ensure effectiveness, efficiency, and simplicity. It should be noted that an Occupational Health and Safety Manual is no longer required by ISO 45001, but most organizations are likely to persevere with it as an integral part of their OH&S management system.
When creating and updating documented information, the organization must ensure appropriate:
Identification and description (e.g. a title, date, author or reference number);
Format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
Review and approval for suitability, adequacy, and effectiveness.
The organization is required to control documented information in order to ensure that it is available where needed and that it is suitable for use. It must also be adequately protected against improper use, loss of integrity, and loss of confidentiality. With reference to documented information, the organization must make decisions on its:
Distribution, access, retrieval, and use;
Storage and preservation;
Control of any changes;
Retention and disposal.
The organization is also required to identify any documented information of external origin that is considered essential for the planning and operation of its OH&S management system and ensure that it is controlled. All of the controls described are primarily aimed at preventing unintended use of obsolete documented information. As with all management systems, the extent of documented information will vary depending on the size, scope, and complexity of processes within the organization. A practical approach to the development and control of documented information will assist in business protection as well as providing sources of information for workers relating to hazard identification. Consider a risk-based approach to the level of documented information required including consideration for literacy and language. Documented information is not restricted to hard copy and will appear in a variety of media including electronic format, emails, and web-based. Below is a selection of the variety of documented information:
Source (Type): Use
External (Regulatory): Government website instructions and leaflets, codes of practice
External (Information): External provider material safety data sheets, certificates of conformity
External (Information): External provider machinery installation instructions and technical specifications
External (Information): Risk assessments and method statements
External (Certificate): Fire system and fixed wiring service records, liability insurance documents
External (Training): Certificates of competence (Fork Lift Truck, OH&S awareness)
Internal (Training): Induction presentations, toolbox talks
Internal (Training): Individual training records
Internal (Work): Safe Systems of Work, Work Instructions
Internal (Inspections): Evidence of maintenance and routine inspections
It’s essential to have a robust but simple system of control for documented information. This will ensure workers are always aware of the latest requirements relating to OH&S. In support of the latest revision of documented information, there must be the means to communicate the latest policies, practices, and work instructions. As previously indicated documented information will come from internal and external sources. Below are suggested means of controlling both internal and external documented information:
Internal
Develop a document reference system within the header or footer, e.g. Maintenance Procedure No. 1 – MP01, Maintenance Form 01 – MF01, etc.
Identify the revision status, revision date and author within the document footer
Use the same document control methodology for electronic documents and data
Develop a spreadsheet identifying the reasons why previous revisions have been updated
Determine the method of issue for documented information, with consideration for recovery of pre-modified documented information and for communication of the change
Archive in electronic format previous revisions of documents based on risk ensuring there is a means of backing up and recovering data
Determine and identify in the spreadsheet the intended document retention timescale. This may be based on legal requirements such as insurance documentation
External
Determine what should be communicated and retained based on risk.
Consider scanning to reduce reliance on paper
Maintain the integrity of archived documentation
Remember to create a simple system that everyone can understand and access. Consider supporting the chosen method with an instructional procedure and applicable training.
List of documents required by ISO 45001:2018
The ISO 45001 standard provides us with some insight into what documents are required. Compared to OHSAS 18001, there are not too many changes, but the documentation requirements are easier to manage, following the logic of the new versions of other ISO standards. Of course, the standard does not explicitly mention documents and records, but uses the term “documented information.” The following represents a list of documents that you need to maintain in order to comply with ISO 45001:
Clause: Required documented information
4.3: The scope of the OH&S management system, available as documented information
5.2: The OH&S policy, available as documented information
5.3: The responsibilities, accountabilities, and authorities for relevant roles, maintained as documented information
6.1.1: The OH&S risks and OH&S opportunities, and the processes needed to address risks and opportunities, maintained as documented information
6.1.2.2: The methodologies and criteria for assessing OH&S risks, defined, maintained and retained as documented information
6.1.3: Information on applicable legal and other requirements, maintained, retained, and updated as documented information
6.2.2: The OH&S objectives and plans to achieve them, maintained and retained as documented information
7.2: Documented information retained as evidence of the competence of workers
7.4: Relevant OH&S communications received, maintained as documented information
8.1.1: Documented information kept to provide confidence that processes have been carried out as planned, including a determination of where the absence of documented information could lead to deviations from the OH&S policy and the OH&S objectives
8.6: Information on the process and on the plans for responding to potential emergency situations, maintained and retained as documented information
9.1.1: Evidence of the monitoring, measurement, analysis and evaluation results, retained as documented information
9.1.2: Results of the compliance evaluation, retained as documented information
9.2.2: Evidence of the implementation of the audit program and the audit results, retained as documented information
9.3: Evidence of the results of management reviews, retained as documented information
10.1: Evidence of the nature of incidents or nonconformities and actions taken, with the results and effectiveness of corrections, retained as documented information and communicated to relevant workers and other relevant interested parties
10.2.2: Evidence of the results of continual improvement efforts, retained as documented information
Other supporting documents
Apart from the abovementioned list of documents, there are additional supporting documents that can be used to facilitate the operation of a management system. Thus, the following documents are commonly used:
Procedure for determining the context of the organization and interested parties (clauses 4.1 and 4.2)
Procedure for identification and evaluation of OH&S management system risks and opportunities (clauses 6.1.1 and 6.1.2)
Procedure for competence, training, and awareness (clauses 7.2 and 7.3)
Procedure for communication (clause 7.4)
Procedure for document and record control (clause 7.5)
Procedure for internal audit (clause 9.2)
Procedure for management review (clause 9.3)
The standard also emphasizes that it is important to demonstrate the effectiveness of the OH&S Management System, rather than to simply draft endless theoretical procedures.
Clause 6 describes the actions necessary to address risk and opportunity. Activity planning must take place within the context of the organization. The planning process must ensure that the OH&S management system is designed to achieve its intended outcomes and continually improve. Worker participation is cited as being a critical component in the planning phase. Additional considerations include operational risk, legal requirements, and other opportunities to improve the OH&S management system. This section outlines the need for hazard identification by the organization for both routine and non-routine activities, emergency situations, people and behavior, work area design, work environment under the control of the organization, and situations not under organizational control. Additional points of assessment include changes to process and operations, past incidents and their causes, and social/economic factors. The major sub-sections in Clause 6 include:
Hazard Identification
Assessment of OH&S Risks
Identification of OH&S Opportunities
Determination of Legal Requirements
Planning to Take Action
The setting of OH&S Objectives
Planning to Achieve Objectives
The planning phase is a comprehensive part of the ISO 45001 standard, requiring a detailed understanding of operations. By following this section, the organization can create a very deliberate and effective set-up to sustain the OH&S management system and ensure it continually improves. This is one of the most critical clauses since it is related to the establishment of strategic objectives and guiding principles for the Occupational Health and Safety Management System as a whole. The OH&S objectives, which can be integrated with other business functions, are the expression of the intent of the organization to treat the risks identified. When determining the risks and opportunities that need to be addressed, the organization shall take into account:
OH&S hazards and their associated risks, and opportunities for improvement;
Applicable legal requirements and other requirements;
Risks and opportunities related to the operation of the OH&S Management System that can affect the achievement of the intended outcomes.
6 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
When planning for the OH&S management system, the organization must consider the relevant internal and external issues (4.1), the needs and expectations of workers and other interested parties (4.2), and the scope of its OH&S management system (4.3), and determine the risks and opportunities. The organization must give assurance that the OH&S management system can achieve its intended outcomes, prevent or reduce undesired effects, and achieve continual improvement. When determining the risks and opportunities to the OH&S management system and its intended outcomes that need to be addressed, the organization shall take into account its hazards; its OH&S risks and other risks; its OH&S opportunities and other opportunities; and its legal requirements and other requirements. In its planning process, the organization must determine and assess the risks and opportunities that are relevant to the intended outcomes of the OH&S management system and that are associated with changes in the organization, its processes, or the OH&S management system. In the case of planned changes, permanent or temporary, this assessment must be undertaken before the change is implemented. The organization must record its risks and opportunities, and the processes and actions needed to determine and address them, to the extent necessary to have confidence that they are carried out as planned.
Annex A (Guidance on the use of ISO 45001:2018) of the standard further explains:
Planning is not a single event but an ongoing process, anticipating changing circumstances and continually determining risks and opportunities, both for the workers and for the OH&S management system. Undesired effects can include work-related injury and ill health, noncompliance with legal requirements and other requirements, or damage to reputation. Planning considers the relationships and interactions between the activities and requirements for the management system as a whole. OH&S opportunities address the identification of hazards, how they are communicated, and the analysis and mitigation of known hazards. Other opportunities address system improvement strategies.
Examples of OH&S opportunities to improve OH&S performance:
a) inspection and auditing functions;
b) job hazard analysis (job safety analysis) and task-related assessments;
c) improving OH&S performance by alleviating monotonous work or work at a potentially hazardous pre-determined work rate;
d) permit to work and other recognition and control methods;
e) incident or nonconformity investigations and corrective actions;
f) ergonomic and other injury prevention-related assessments.
Examples of other opportunities to improve OH&S performance:
integrating occupational health and safety requirements at the earliest stage in the life cycle of facilities, equipment or process planning.
integrating occupational health and safety requirements at the earliest stage of planning for facilities relocation, process re-design or replacement of machinery and plant.
using new technologies to improve OH&S performance.
improving the occupational health and safety culture, such as by extending competence related to occupational health and safety beyond requirements or encouraging workers to report incidents in a timely manner.
improving the visibility of top management’s support for the OH&S management system.
enhancing the incident investigation process(es).
improving the process(es) for worker consultation and participation.
benchmarking, including consideration of both the organization’s own past performance and that of other organizations.
collaborating in forums that focus on topics dealing with occupational health and safety.
The current standard states that the organization should establish, implement, and maintain the processes needed to address the requirements of the whole planning section. When planning the OH&S Management System, consideration needs to be given to the context of the organization (section 4.1) and the needs and expectations of interested parties (section 4.2), as well as the scope of the OH&S Management System. Risk and opportunity must be considered with respect to these elements, as well as legal and regulatory issues and the organization’s occupational health & safety hazards themselves. The outcome of planning needs to ensure that the OH&S Management System can meet its intended outcomes and objectives, that undesired effects are prevented or reduced, and that continual improvement can be achieved. In terms of emergency situations, the organization is required to determine any potential emergency situations that could result in occupational health & safety risks. Again, it is vital that documented information is retained concerning the risks and opportunities considered and addressed in the planning phase in order to satisfy the terms of the clause.
Planning is an integral part of all elements of an OH&S management system. Effective planning is concerned with prevention by identifying, eliminating, and controlling hazards and risks. This is particularly important when dealing with health risks, which might only become apparent after a long gestation period. Planning should be a collaborative effort involving personnel throughout the organization. This co-operation is eminently suitable for demonstrating and gaining commitment to continual improvement and promoting a positive health and safety culture throughout the organization. Planning for the OH&S management system is an ongoing process and is undertaken in order:
To determine the risks that can affect the OH&S performance of the organization;
To manage these risks;
To identify opportunities to improve OH&S performance and the OH&S management system.
When planning for the OH&S management system, the organization should take into account the following:
The organization and its context;
The needs and expectations of workers and other interested parties;
The scope of the OH&S management system.
Planning should be proportionate to the level of risk identified. While the organization should consider all potential risks to its OH&S performance it should focus on those hazards which are most likely to occur and/or have the greatest impact. The company should concentrate on those opportunities that can realistically be acted upon, with priority given to those that are most likely to improve performance. Examples of opportunities to improve OH&S performance include the following:
Identification of hazards, how they are communicated, analyzed and controlled;
Enhancing the inspection and auditing functions;
Introduction of job safety analysis and task-related assessments;
Modification of working processes including the alleviation of monotonous and repetitive work;
Implementation of permit-to-work processes;
Incident or nonconformity investigations and corrective actions;
Implementation of ergonomic and other injury prevention-related assessments;
Integration of occupational health and safety considerations at the earliest stage in the design life cycle of plant and equipment;
Integration of occupational health and safety considerations at the earliest stage in planning for facilities relocation, and/or process redesign;
Introduction of new technology;
Improvement of the occupational health and safety culture of the organization;
Enhancing the visibility of top management’s support for the OH&S management system;
Enhancing the incident investigation process;
Improving worker consultation and participation;
Benchmarking of the organization’s OH&S performance against that of other organizations;
Collaborating in forums that review issues relating to occupational health and safety.
The organization must maintain documented information on:
Risks and opportunities;
The process and actions needed to determine and address its risks and opportunities to the extent necessary to have confidence that they are carried out as planned.
6.1.2 Hazard identification and assessment of risks and opportunities
6.1.2.1 Hazard identification
The organization must establish, implement and maintain processes for hazard identification that are ongoing and proactive. These processes must take into account how work is organized, and social factors including workload, work hours, victimization, harassment, bullying, leadership, and the culture in the organization. They must also cover routine and non-routine activities and situations, including hazards arising from infrastructure, equipment, materials, substances, and the physical conditions of the workplace; product and service design, research, development, testing, production, assembly, construction, service delivery, maintenance, and disposal; human factors; and how the work is performed. The organization must consider past relevant incidents, internal or external to the organization, including emergencies, and their causes, as well as potential emergency situations. It must also consider the following people:
with access to the workplace and their activities, including workers, contractors, visitors, and other persons;
in the vicinity of the workplace who can be affected by the activities of the organization;
workers at a location not under the direct control of the organization.
Other issues to consider include the design of work areas, processes, installations, machinery/equipment, operating procedures, and work organization, including their adaptation to the needs and capabilities of the workers involved; situations occurring in the vicinity of the workplace caused by work-related activities under the control of the organization; and situations not controlled by the organization, occurring in the vicinity of the workplace, that can cause injury and ill health to persons in the workplace. The process must also cover actual or proposed changes in the organization, its operations, processes, activities, and OH&S management system, as well as changes in knowledge of, and information about, hazards.
Annex A (Guidance on the use of ISO 45001:2018) of the standard further explains:
The ongoing proactive identification of hazards begins at the conceptual design stage of any new workplace, facility, product, or organization. It should continue as the design is detailed and then comes into operation, as well as being ongoing during its full life cycle to reflect current, changing, and future activities. While this document does not address product safety (i.e. safety to end-users of products), hazards to workers occurring during manufacture, construction, assembly, or testing of products should be considered. Hazard identification helps the organization recognize and understand the hazards in the workplace and to workers, in order to assess, prioritize and eliminate hazards or reduce OH&S risks. Hazards can be physical, chemical, biological, psychosocial, mechanical, electrical, or based on movement and energy. The list of hazards given in 6.1.2.1 is not exhaustive.
NOTE: The numbering of the following list items a) to f) does not correspond exactly to the numbering of the list items given in 6.1.2.1.
The organization’s hazard identification process(es) should consider:
a) routine and non-routine activities and situations:
routine activities and situations create hazards through day-to-day operations and normal work activities;
non-routine activities and situations are occasional or unplanned;
short-term or long-term activities can create different hazards;
b) human factors:
relate to human capabilities, limitations and other characteristics;
information should be applied to tools, machines, systems, activities, and environment for safe, comfortable human use;
should address three aspects: the activity, the worker and the organization, and how these interact with an impact on occupational health and safety;
c) new or changed hazards:
can arise when work processes are deteriorated, modified, adapted or evolved as a result of familiarity or changing circumstances;
understanding how work is actually performed (e.g. observing and discussing hazards with workers) can identify if OH&S risks are increased or reduced;
d) potential emergency situations:
unplanned or unscheduled situations that require an immediate response (e.g. a machine catching fire in the workplace, or a natural disaster in the vicinity of the workplace or at another location where workers are performing work-related activities);
include situations such as civil unrest at a location at which workers are performing work-related activities which requires their urgent evacuation;
e) people:
those in the vicinity of the workplace who could be affected by the activities of the organization (e.g. passers-by, contractors or immediate neighbors);
workers at a location not under the direct control of the organization, such as mobile workers or workers who travel to perform work-related activities at another location (e.g. postal workers, bus drivers, service personnel traveling to and working at a customer’s site);
home-based workers, or those who work alone;
f) changes in knowledge of, and information about, hazards:
sources of knowledge, information and new understanding about hazards can include published literature, research and development, feedback from workers, and review of the organization’s own operational experience;
these sources can provide new information about the hazards and OH&S risks.
ISO 45001:2018 asks organizations to consider, in a proactive manner, all occupational health & safety hazards within the organization’s control. Changes or planned future changes to services also have to be taken into account, as do any abnormal situations that may arise that are reasonable for the organization to predict, for example if you are about to launch a new product that needs radically new production processes or materials. Again, the organization needs to maintain documented information on this clause and its elements, and communication to the appropriate levels with effective frequency needs to be planned and undertaken. In terms of documented information, if you ensure that all actual and associated risks, the criteria you use to define them, and your significant occupational health & safety risks are documented, then you will satisfy the terms of this clause. The overall purpose of the risk assessment process is to evaluate the hazards that arise or might arise in the course of the organization’s activities, and to ensure that the risks to people arising from these hazards are assessed, prioritized, and controlled to eliminate hazards or reduce risks to acceptable levels.
Hazards have the potential to cause injury or ill-health. They need to be identified before the risks associated with these hazards can be assessed and, if no controls exist or existing controls are inadequate, effective controls should be implemented according to the hierarchy of controls. Hazard identification should aim to determine proactively all sources, situations, or acts (or a combination of these), arising from an organization’s activities, with a potential for harm in terms of injury or ill health. Examples include:
Sources (e.g. moving machinery, radiation or energy sources);
Situations (e.g. working in confined spaces, working at height);
Acts (e.g. manual handling, wearing PPE).
Hazard identification should consider the different types of hazards in the workplace, including:
Physical (e.g. slips, trips, and falls, entanglement, noise, vibration, harmful energy sources);
Chemical (e.g. inhalation, contact with or ingestion of chemicals);
Biological (e.g. contact with allergens or pathogens such as bacteria or viruses);
Psychosocial (e.g. threat of physical violence, bullying or intimidation);
The organization’s hazard identification process should take account of the following:
Routine and non-routine activities such as plant cleaning and maintenance, extreme weather conditions, refurbishment, and plant start-ups/shut-downs;
Activities of all persons having access to the workplace including contractors, visitors, and home-based workers;
Human behavior, capabilities, and other human factors;
Identified hazards originating outside the workplace capable of adversely affecting the health and safety of a person under the control of the organization within the workplace;
Hazards created in the vicinity of the workplace by work-related activities under the control of the organization;
Infrastructure, equipment, and materials at the workplace, whether provided by the organization or others;
Changes or proposed changes in the organization or its activities;
Modifications to the OH&S management system, including temporary changes, and their impact on operations, processes, and activities;
Any applicable legal obligations relating to risk assessment and the implementation of necessary controls;
The design of work areas, processes, installations, machinery/equipment, operating procedures, and work organization, including their adaptation to human capabilities;
Potential emergency situations;
Changes in knowledge of, and information about, hazards;
New or changed hazards.
Examples of items for inclusion in a hazard identification checklist:
1 Physical hazard
Slippery or uneven ground
Working at height
Objects falling from height
Inadequate space to work
Poor ergonomics (e.g. workplace design that does not take account of human factors)
Manual handling
Repetitive work
Trapping, entanglement, burns and other hazards arising from equipment
Transport hazards, either on the road or on-premises/sites, while travelling or as a pedestrian (linked to the speed and external features of vehicles and the road environment)
Fire and explosion (linked to the amount and nature of flammable material)
Harmful energy sources such as electricity, radiation, noise or vibration (linked to the amount of energy involved)
Stored energy, which can be released quickly and cause physical harm to the body (linked to the amount of energy)
Frequently repeated tasks, which can lead to upper limb disorders (linked to the duration of the tasks)
Unsuitable thermal environment, which can lead to hypothermia or heat stress
Violence to staff, leading to physical harm (linked to the nature of the perpetrators)
Ionizing radiation (from x- or gamma-ray machines or radioactive substances)
2 Chemical hazards
Substances hazardous to health or safety due to:
Inhalation of vapours, gases, or particles
Contact with, or absorption through, the body
Ingestion
The storage, incompatibility, or degradation of materials
3 Biological hazards
Biological agents, allergens, or pathogens (such as bacteria or viruses), that might be:
Inhaled
Transmitted via contact, including by bodily fluids (e.g. needlestick injuries), insect bites, etc.
Ingested (e.g. via contaminated food products)
4 Psychosocial hazards
Situations that can lead to negative psychosocial (including psychological) conditions, such as stress (including post-traumatic stress), anxiety, fatigue or depression, e.g.:
Excessive workload
Lack of communication or management control
Workplace physical environment
Physical violence
Bullying or intimidation
Psychosocial hazards can arise from issues external to the workplace and can impact the OH&S of individuals or their colleagues.
Typical operation controls could include:
Clarifying health and safety responsibilities and ensuring that the activities of everyone are well coordinated
Ensuring everyone with responsibilities understands clearly what they have to do to discharge their responsibilities and ensure they have the time and resources to discharge them effectively
Setting standards to judge the performance of those with responsibilities and ensure they meet them. It is important to reward good performance as well as to take action to improve poor performance
Ensuring adequate and appropriate supervision, particularly for those who are learning and who are new to a job
Elimination (modify a design, etc.)
Substitution (use a less hazardous material or reduce system energy, etc.)
Personal Protective Equipment (PPE) (safety glasses, harnesses, respirators, gloves, etc.)
Take account of:
Use of a hierarchy of controls;
Combination of controls;
Adapting work to the individual;
Using measures that protect everyone, in preference to PPE;
Typical basic types of human behaviour (lapses, etc.);
Planned maintenance;
Lack of familiarity.
Examples of areas in which OH&S risks typically arise, and examples of their associated control measures, include (general control measures):
Regular maintenance and repair of facilities, machinery and equipment to prevent unsafe conditions from developing
Housekeeping and maintenance of clear walkways
Traffic management (e.g. the management of the separation of vehicle and pedestrian movements)
Provision and maintenance of workstations
Maintenance of the thermal environment (temperature, air quality)
Maintenance of the ventilation systems and electrical safety systems
Maintenance of emergency plans
Policy related to travel, bullying, sexual harassment, drug, and alcohol abuse, etc.
Training and awareness programmes relating to the use of particular controls (e.g. permit-to-work systems)
Access controls
Occupational health:
Health surveillance
Pre-employment medical screening
Post-employment medicals
Worker support
Absence monitoring
Health promotion
EXAMPLE OF HAZARDS/RISKS ANALYSIS REGISTER

| Process / Activity | Hazard | Likely Hazardous Incident/Situation | Risk Involved | Current Risk Control System | Risk Level (High, Medium, Low) | Is Risk Tolerable? | If No, Proposed Risk Control System |
|---|---|---|---|---|---|---|---|
| Lifting by overhead crane manually | Electricity | Exposure to fire | Fire hazards | Fire extinguishers, electricity tripping systems | High | No | Fire alarm system |
| Lifting by overhead crane manually | Electricity | Exposure to live current | Electric shock | Coated electric cables provided, covering for connections | High | No | First aid training, electric tripping system |
| Lifting by overhead crane manually | Brake failure of the crane | Falling of materials on the body | Injury to body | No control | High | No | Effective preventive maintenance, helmet, training of the operator on capacity and maintenance, crane alarm system |
| Lifting by overhead crane manually | Breaking of hook | Falling of materials on the body | Injury to body | No control | High | No | Effective preventive maintenance, helmet, training of the operator on capacity and maintenance, crane alarm system |
| Lifting by overhead crane manually | Falling of jobs due to overfilling of the tote box | Falling of materials on the body | Injury to body | No control | High | No | Effective preventive maintenance, helmet, training of the operator on capacity and maintenance, crane alarm system |
| Lifting by overhead crane manually | Failure of the structure of the beam | Falling of structure on the body | Injury to body/death | Testing of cranes by a third-party inspector | High | No | Effective preventive maintenance, helmet, crane alarm system |
| Lifting by overhead crane manually | Breaking of lifting chain / slipping of the chain due to improper clamping | Falling of materials on the body | Injury to body | No control | High | No | Replacement of chain by continuous chain, effective preventive maintenance, training of the operator, crane alarm system |
Internal OH&S risk and hazard assessment guidelines
The term risk assessment appears in many different sets of Regulations: Control of Substances Hazardous to Health, Management of Health & Safety at Work, Manual Handling, Display Screen Equipment, Fire Safety, Noise, Vibration, etc. The process referred to in all of these pieces of legislation is identical. The aim of any risk assessment is to prevent accidents and injury. It requires all employers to examine their processes, equipment, workplaces, and work practices to highlight where the potential for accidents exists. Once the hazards (anything which has the potential to cause harm) are identified, the risk assessment requires the employer to evaluate the risk. This involves looking at the hazard and considering how likely it is that it will cause injury as well as the possible severity of the injuries which could be caused. This is by no means an exact science, but by completing an assessment risks can be identified as high, medium, and low, which will allow priorities to be set for improvements.
Identify the hazards – in relation to processes or the workplace.
Identify who is at risk – consider employees and others.
Identify any existing controls – have people been trained?
Evaluate the risk – consider possible likelihood and severity.
Take action to reduce the risk of accidents – consider long and short term action.
Record all findings.
Review – if there are any changes.
Monitor – have improvements been implemented? If yes, have they worked?
The process is always the same. However, the actual specific items examined will differ depending on the type of risk assessment being completed. Management of Health & Safety at Work requires a general risk assessment of all work operations. From this, more specialist risk assessments will flow.
The organization must strive to carry out suitable and sufficient assessments of the OH&S risks to the health and safety of our employees. The significant findings of the assessments have to be recorded along with details of any groups of employees identified as being especially at risk. The contents of the assessments will be reviewed:
If there is a reason to suspect that they are no longer valid.
If there has been a significant change in the matters to which they relate
Every three years if no review has occurred in the interim
The organization is required to provide information to employees on the results of the risk assessments. The information has to be comprehensible and relevant to:
The risks to their health and safety identified by the assessments.
The preventative and protective measures being taken by management to reduce or eliminate these risks.
The identity of the competent persons nominated to implement H&S procedures and any other procedures to be followed in the event of serious and imminent danger.
1. Identifying Hazards
When seeking out and identifying hazards, adequate information is necessary and reference should be made to relevant sources such as:
Legislation and approved codes of practice
Guidance from health and safety regulators (e.g. DOSH)
Product information – manufacturer guidance
Personal knowledge of managers, colleagues, and safety representatives
Accident records
Expert advice
In the simplest cases, hazards can be spotted by observation and questioning. They may be identified by individual activities, people, or work areas depending on the nature of the areas being assessed. Some tasks may be undertaken by several people in the same department, so an assessment covering the task or activities would be more appropriate than one covering each individual. Individual characteristics of the people will still need to be taken into account, i.e. one person may be 5 feet tall and the other 6 feet 2 inches, so further risks may apply to one employee rather than the other.
2. Identify Those At Risk
In most cases, the person at risk will be the person actually involved in the work. It is, however, important to remember third parties including members of the public who could be affected by the hazard.
3. Are There Any Existing Controls?
Are there any existing controls which are already helping to reduce the risk of injury?
e.g. Have employees been trained? Is PPE worn? Are warning signs displayed?
Remember to include only those existing controls which are working effectively. If you know that face masks are available, but they are not worn or are not suitable, then this is not an existing control measure.
4. Evaluating the Risk
Evaluating the risk involves judging the likelihood and the severity of the harm that may arise as a result of the hazard. Some risks will be insignificant either because the likelihood is very low, or because the severity of the injury is very low, or both.
Risk = Hazard Severity × Likelihood of Occurrence
A scoring system will be used to help in this process and is an essential part of a risk assessment.
5. Decide On Measures
The measures, which will be required to minimize or remove risk, need to be considered by applying a hierarchy of risk control measures. This is the important part of every risk assessment; as it is here where we are required to take action to reduce the risk of injury.
Eliminate the Risk i.e. Is it possible to stop using the chemical or piece of equipment?
Personal Protective Equipment (PPE) — Effective if not costly
Discipline
Substitute i.e. Can we use a less hazardous substance?
Engineering Controls at Source i.e. Guards and safety devices
Re-design the workplace or task
Safe Systems Of Work i.e. Staff Operating Procedures which are communicated
Training & Supervision — even if employees are trained, supervision will be needed to ensure the training is followed
Warning Signs – these do not eliminate the risk but do raise awareness
Maintenance of equipment – to prevent accidents from using defective equipment
Good Housekeeping – having clear routes, safe storage
This is by no means an exhaustive list as certain specific controls will be needed to suit certain work areas.
6. Record the Assessment
In many countries it is a legal requirement for employers with over five employees to record their assessments. Blank forms can be found in the QESH management system document set.
7. Review / 8. Monitor
The risk assessments will need to be monitored regularly. This will be completed by the Managing Director on at least an annual basis.
Risk Evaluation – Scoring system to be used
Severity (Worst Outcome)
Likelihood
6.1.2.2 Assessment of OH&S risks and other risks to the OH&S management system
The organization shall establish, implement and maintain a process to assess OH&S risks from the identified hazards while taking into account the effectiveness of existing controls. The organization must determine and assess the other risks related to the establishment, implementation, operation, and maintenance of the OH&S management system. The organization’s methodologies and criteria for the assessment of OH&S risks shall be defined with respect to their scope, nature, and timing to ensure they are proactive rather than reactive and are used in a systematic way. Documented information shall be maintained and retained on the methodologies and criteria.
Annex A (Guidance on the use of ISO 45001:2018) of the standard further explains:
An organization can use different methods to assess OH&S risks as part of its overall strategy for addressing different hazards or activities. The method and complexity of assessment do not depend on the size of the organization but on the hazards associated with the activities of the organization. Other risks to the OH&S management system should also be assessed using appropriate methods. Processes for the assessment of risk to the OH&S management system should consider day-to-day operations and decisions (e.g. peaks in workflow, restructuring) as well as external issues (e.g. economic change). Methodologies can include ongoing consultation of workers affected by day-to-day activities (e.g. changes in workload), monitoring and communication of new legal requirements and other requirements (e.g. regulatory reform, revisions to collective agreements regarding occupational health and safety), and ensuring resources meet existing and changing needs (e.g. training on, or procurement of, new improved equipment or supplies).
The organization must establish, implement and maintain a process to:
Assess OH&S risks from the identified hazards, whilst taking into account the effectiveness of existing controls;
Determine and assess the other risks related to the establishment, implementation, and maintenance of the OH&S management system.
An organization needs to apply the process of hazard identification and risk assessment to determine the controls that are necessary to reduce the risks of injury and/or ill health. The purpose of risk assessment is to address the hazards that might arise in the course of the organization’s activities and ensure that the risks to people arising from these hazards are assessed, prioritized and controlled.
This is achieved by:
Developing a methodology for hazard identification and risk assessment;
Identifying hazards;
Estimating the associated risk levels, taking into account the adequacy of existing controls, based on an assessment of the likelihood of the occurrence of a hazardous event or exposure and the severity of the injury or ill health that can be caused by the event or exposure;
Determining whether these risks are acceptable in relation to the organization’s legal obligations and its OH&S objectives;
Determining the appropriate risk controls, where these are found to be necessary;
Documenting the results of the risk assessment;
Reviewing the hazard identification and risk assessment process on an ongoing basis.
The outputs from the risk assessment process should be used in the implementation and development of other parts of the OH&S management system such as competence, operational planning and control, and monitoring, measurement, analysis, and performance evaluation.
There is no single methodology for hazard identification and risk assessment that is suitable for all organizations. Hazard identification and risk assessment methodologies vary greatly across industries, ranging from simple assessments to complex numerical methods with extensive documentation. Individual hazards might require that different methods be used, e.g. an assessment of long-term exposure to hazardous substances might need a different method from that taken for equipment safety or for assessing an office workstation. Each organization should choose the method that is appropriate to its scope, nature, and size. The chosen approach should result in a comprehensive methodology for the ongoing evaluation of the organization’s risks. Where the organization’s risk assessment uses descriptive categories for assessing severity or likelihood of harm, these should be clearly defined, e.g. clear definitions of terms such as “likely” and “unlikely” are needed to ensure that different individuals interpret them consistently.
The organization should consider risks to sensitive populations (e.g. pregnant employees) and vulnerable groups (e.g. young workers) as well as any particular susceptibilities of the individuals involved in performing particular tasks (e.g. the ability of an individual to read instructions). The risk assessment should involve consultation with, and participation by, workers and take into account legal and other requirements. Risk assessment should be conducted by personnel with competence in risk assessment methodologies and techniques and appropriate knowledge of the organization’s work activities. The organization should also consider risks that are not directly related to the health and safety of people, but which affect the OH&S management system itself and can have an impact on its intended outcomes.
Risks to the OH&S management system include:
Failure to understand the context of the organization;
Failure to address the needs and expectations of relevant interested parties;
Inadequate consultation and participation of workers;
Inadequate planning or allocation of resources;
An ineffectual audit programme;
An incomplete management review;
Poor succession planning for key roles;
Poor engagement by top management.
6.1.2.3 Assessment of OH&S opportunities and other opportunities to the OH&S management system
The organization shall establish, implement and maintain processes to assess OH&S opportunities to enhance OH&S performance, while taking into account planned changes to the organization, its policies, processes or activities, and opportunities to adapt work, work organization and the work environment to workers. It shall also assess the opportunities to eliminate hazards and reduce OH&S risks, and other opportunities for improving the OH&S management system. OH&S risks and OH&S opportunities can result in other risks and other opportunities for the organization.
Annex A (Guidance on the use of ISO 45001:2018) of the standard further explains:
The process for assessment should consider the OH&S opportunities and other opportunities determined, their benefits and potential to improve OH&S performance.
The organization must establish, implement and maintain a process to assess:
OH&S opportunities to enhance OH&S performance, while considering planned changes to the organization, its policies, processes or activities;
Other opportunities for improving the OH&S management system.
Opportunities to improve OH&S performance can include:
Consideration of hazards and risks when planning and designing facilities, processes, plant and equipment, and materials;
Modification of working processes including the alleviation of monotonous and repetitive work;
Introduction of new technology to ameliorate high-risk activities;
Collaborating in forums that focus on issues relating to occupational health and safety;
Introduction of job safety analysis and task-related assessments;
Implementation of permit-to-work processes;
Implementation of ergonomic and other injury prevention-related assessments;
Improvement of the occupational health and safety culture of the organization;
Opportunities to improve the OH&S management system include:
Enhancing the visibility of top management’s support for the OH&S management system;
Improving worker consultation and participation in OH&S decision making;
Enhancing the incident investigation process;
Improving two-way communication on OH&S issues and promoting OH&S in the workplace;
Expediting corrective actions to address OH&S nonconformities;
Implementing OH&S objectives with the same passion as other business objectives;
Improving competency in identifying hazards, dealing with OH&S risks and implementing appropriate controls;
Adopting a risk assessment approach to conducting OH&S audits;
Viewing workers at all levels as a key resource of the organization;
Ensuring that the management review promotes a strategic and critical evaluation of the OH&S management system.
Risk / Opportunity of Internal Issues (Examples)

| Sr. No | Issues (Internal) | Expected Result | Uncertainty | Risks (-ve) Effect | Opportunity (+ve) Effect |
|---|---|---|---|---|---|
| 1 | Social customs around PPE; responsibility for OH&S; the willingness to be involved in consultation and participation | Use of PPE; top management takes overall responsibility and accountability for the protection of workers; processes for consultation/participation; establish OH&S committees | Social custom is for workers to provide their own PPE and be solely responsible for their OH&S. Also, the willingness to be involved in consultation and participation in a work setting is traditionally very poor | Workers ignore the organization’s OH&S processes, and OH&S performance does not improve | Opportunity to be known in the sector as a caring and forward-thinking employer, attracting good quality human resources and inward investment from clients (including overseas clients) concerned with reputational impacts and good social responsibility/governance |
| 2 | Is the organizational structure capable of ensuring adequate control for OH&S, especially when outsourcing and with the use of contractors? | Outsourced processes are controlled; contractor controls for communicating hazards, evaluation and OH&S risks | The structure is very flat, with most of the workers being of low education, or the work is outsourced. Uncertainty around adequate supervision and OH&S control | Poor OH&S performance affecting the OH&S of workers and others, reputational damage, fines, loss of customers | |

(Not every issue will have an opportunity associated with it. Please do not mix up risk treatment with an opportunity.)
Risk / Opportunity of External Issues (Examples)

| Sr | Issues (External) | Expected Result | Uncertainty | Risks (-ve) Effect | Opportunity (+ve) Effect |
|---|---|---|---|---|---|
| 1 | Cultural – risk-taking (contractors/outsourcing) | Top management promoting a culture that supports the OH&S MS; awareness of the benefits of improved OH&S performance and of workers’ contribution to it; awareness of the implications of not conforming; implementing control of the processes in accordance with the criteria; commitments in the policy to provide a safe and healthy workplace | Risk-taking might be considered part of the culture and seen as normal practice. Expansion into other regions will require research into the culture affecting OH&S | OH&S MS is not effective and does not achieve its intended outcomes; workers continue to adopt peer-pressure norms to get the work done; workers are injured, suffer ill health or fatal consequences; investment cost of the OH&S MS is lost; contracts helped by having an OH&S MS may be lost due to non-adherence; other MSs could be affected, e.g. quality | |

(Not every issue will have an opportunity associated with it. Please do not mix up risk treatment with an opportunity.)
Risk / Opportunity of Workers’ Requirements (Examples)

| Sr | (Relevant) Requirements of Workers | Expected Result | Uncertainty | Risks (-ve) Effect | Opportunity (+ve) Effect |
|---|---|---|---|---|---|
| 1 | Opportunities for dialogue, improvement, and consultation when changes occur | Processes for consultation/participation; establish OH&S committees; the policy commitment to consultation/participation; ensure the participation of workers | Managers and workers traditionally do not consult or participate in OH&S matters; time to consult/participate and logistical arrangements; culture with respect to the importance of OH&S | OH&S culture does not improve; OH&S performance is affected; hazards/risks are not identified; OH&S loss to workers | |

(Not every issue will have an opportunity associated with it. Please do not mix up risk treatment with an opportunity.)
Risk / Opportunity of Other Interested Parties’ Requirements (Examples)

| (Relevant) Requirements of Other Interested Parties | Expected Result | Uncertainty | Risks (-ve) Effect | Opportunity (+ve) Effect |
|---|---|---|---|---|
| Contractors/suppliers/outsourcing – clear statement of OH&S requirements in tenders/contracts | Controls for procuring goods/services conform to OH&S MS requirements | OH&S requirements are not clearly defined in our contracts and are demoted to a contract annex | Poor OH&S performance, and OH&S loss to workers | Improving the OH&S culture by extending competence related to OH&S beyond requirements (OH&S opportunity to improve OH&S) |
6.1.3 Determination of legal requirements and other requirements
The organization shall establish, implement and maintain processes to determine and have access to up-to-date legal requirements and other requirements that are applicable to its hazards, OH&S risks and OH&S management system. The organization must determine how these legal requirements and other requirements apply to the organization and what needs to be communicated. It must take these legal requirements and other requirements into account when establishing, implementing, maintaining and continually improving its OH&S management system. The organization shall maintain and retain documented information on its legal requirements and other requirements and shall ensure that it is updated to reflect any changes. Legal requirements and other requirements can result in risks and opportunities for the organization.
Annex A (Guidance on the use of ISO 45001:2018) of the standard further explains:
a) Legal requirements can include:
legislation (national, regional or international), including statutes and regulations;
decrees and directives;
orders issued by regulators;
permits, licenses or other forms of authorization;
judgments of courts or administrative tribunals;
treaties, conventions, protocols;
collective bargaining agreements.
b) Other requirements can include:
the organization’s requirements;
contractual conditions;
employment agreements;
agreements with interested parties;
agreements with health authorities;
non-regulatory standards, consensus standards, and guidelines;
voluntary principles, codes of practice, technical specifications, charters;
public commitments of the organization or its parent organization.
The organization should have a process to determine and have access to health and safety legal requirements and other requirements applicable to its OHSMS and to determine how these requirements apply to the OHSMS. The organization needs to be confident that during the risk assessment process it is adhering to the latest applicable legal and other requirements. The legal and other requirements process of assessment will vary depending on the complexity of the business. Sources of information may be gathered in many ways including:
Subscription to publishers’ legal update newsletters
Membership of trade associations
Research via reputable government websites
Use of competent consultants
Competent employee membership of occupational health and safety institutes
Employee attendance at occupational health and safety training courses
Following the initial assessment of compliance obligations, the organization may consider placing the relevant information in a document. A spreadsheet may be useful for this purpose. A live document may include the following information and be referenced within individual risk assessments:
Name and reference number of regulation/requirement.
Revision status
The date the regulation was last reviewed
The competent person responsible for reviewing the requirement
Area of the organization the requirement impacts including a short description of the activity and associated documented information
A hyperlink or description of the source of information
Name and customer / external provider contact details if relevant to ‘other requirement’
Next review date
The process should cover:
What are the organization’s legal and other requirements and how are they determined, accessed and kept up-to-date;
How these legal and other requirements apply to the organization’s activities, processes, plant & equipment, workforce, hazard profile & associated OH&S risks, the overall OH&S MS, and its OH&S performance;
How these legal and other requirements are taken into account when establishing, implementing, maintaining and continually improving the organization’s OH&S management system.
Legal requirements could include:
Acts and statutory instruments such as the Safety, Health, and Welfare at Work Act 2005 and the Safety, Health and Welfare at Work (Chemical Agents) Regulations 2001;
Licenses, permits and other forms of authorization such as the EPA Office of Radiological Protection license or Seveso establishment notification;
Improvement or prohibition notices issued by HSA/HSE;
EU Directives or Regulations.
Other requirements could include:
Parent company protocols or policies;
Collective bargaining agreements;
Voluntary adherence to sector or trade body guidance documents;
Contractual conditions;
Employment agreements;
Voluntary principles, codes of practice, technical specifications, charters;
Public commitments of the organization or its parent company.
The organization must ensure that relevant workers know how to access information on legal and other requirements that are applicable to them. The organization is required to maintain and retain documented information on this process. This will ensure that the information is updated to reflect any changes to the organization’s health and safety profile. The organization must decide what legal and other requirements relate to its occupational health & safety hazards and how best to access them, decide how they apply to the organization, and take them into consideration when establishing, operating, and delivering continual improvement through the OH&S Management System. Documented evidence of these obligations also needs to be recorded.
6.1.4 Planning action
The organization shall plan actions to address these risks and opportunities, and its legal requirements and other requirements. It must prepare for and respond to emergency situations. It must also plan how to integrate and implement these actions into its OH&S management system processes or other business processes, and how to evaluate their effectiveness. When planning to take action, the organization shall take into account the hierarchy of controls and the outputs from the OH&S management system, and shall consider best practices, technological options, and financial, operational, and business requirements.
Annex A (Guidance on the use of ISO 45001:2018) of the ISO 45001:2018 standard further explains:
The actions planned should primarily be managed through the OH&S management system and should involve integration with other business processes, such as those established for the management of the environment, quality, business continuity, risk, financial or human resources. The implementation of the actions taken is expected to achieve the intended outcomes of the OH&S management system. When the assessment of OH&S risks and other risks has identified the need for controls, the planning activity determines how these are implemented in operation (see Clause 8); for example, determining whether to incorporate these controls into work instructions or into actions to improve competence. Other controls can take the form of measuring or monitoring (see Clause 9). Actions to address risks and opportunities should also be considered under the management of change (see 8.1.3) to ensure there are no resulting unintended consequences.
The organization should ensure that specific plans are in place to:
Address risks and opportunities that have been assessed as requiring further action;
Address legal and other requirements;
Prepare for and respond to emergency situations.
In this clause, the standard states that the organization shall plan to take actions to address its occupational health & safety hazards, risks, and opportunities, and its compliance obligations, all of which we have discussed above. These actions also need to be implemented into the organization’s OH&S Management System and associated business processes. The task of evaluating the effectiveness of these actions also must be considered, with technological, financial, and operational considerations all taken into account. The actions planned should primarily be managed through the OH&S management system and, where appropriate, should involve integration with other business processes and/or management systems such as quality, environment, business continuity, risk management, and financial or human resource management. When planning to take action, the organization should take into account the hierarchy of controls common to risk management, which is detailed in section 8.1.2 of the standard, and the outputs from the OH&S management system. The actions planned can include establishing objectives (reference section 6.2 of the standard) or incorporating the action into other OH&S MS processes such as documented procedures or improved competence. Actions to address risks and opportunities should also be considered under clause 8.1.3 (management of change) to ensure that there are no unintended consequences arising from the actions taken. Finally, the organization needs to evaluate the effectiveness of these actions.
Category: Address risks and opportunities
Identified need: OH&S MS: the willingness to be involved in consultation and participation in a work setting is traditionally very poor. Workers might ignore the organization’s OH&S processes, and OH&S performance does not improve.
Actions required: Top management is to demonstrate their commitment to the OH&S MS and to those involved with it. Monthly OH&S committees are to be set up with top management involvement. All workers will be invited to select their representatives at the committees. Meeting minutes will be published with actions to improve OH&S performance. All suggested improvements will be considered before a decision is made. All OH&S MS decisions that need to be made will involve consultation with the workers before the decision is made. All decisions in the OH&S MS will be transparent. Time, training and resources will be made available for consultation and participation.
How to: Integrate: business processes will be updated to include the actions stated. Implement into the OH&S MS or other processes: the Production Director is tasked to implement these actions within 3 months (from the last management review). Evaluate effectiveness: this will be through the first OH&S committee, scheduled in two months’ time. Other considerations: operational and business requirements and constraints.
6.2 OH&S objectives and planning to achieve them
6.2.1 OH&S objectives
The organization shall establish OH&S objectives at relevant functions and levels in order to maintain and continually improve the OH&S management system and OH&S performance. The OH&S objectives must be consistent with the OH&S policy. The objectives must be measurable (if practicable) or capable of performance evaluation. The objectives must take into account:
applicable requirements;
the results of the assessment of risks and opportunities;
the results of consultation with workers, and, where they exist, workers’ representatives;
The objectives must be monitored, communicated and be updated as appropriate.
Annex A (Guidance on the use of ISO 45001:2018) of the ISO 45001:2018 standard further explains:
Objectives are established to maintain and improve OH&S performance. The objectives should be linked to risks and opportunities and performance criteria that the organization has identified as being necessary for the achievement of the intended outcomes of the OH&S management system. OH&S objectives can be integrated with other business objectives and should be set at relevant functions and levels. Objectives can be strategic, tactical, or operational: a) strategic objectives can be set to improve the overall performance of the OH&S management system (e.g. to eliminate noise exposure); b) tactical objectives can be set at facility, project, or process level (e.g. to reduce noise at source); c) operational objectives can be set at the activity level (e.g. the enclosure of individual machines to reduce noise).
The measurement of OH&S objectives can be qualitative or quantitative. Qualitative measures can be approximations, such as those obtained from surveys, interviews, and observations. The organization is not required to establish OH&S objectives for every risk and opportunity it determines.
The organization should establish objectives in order to maintain and improve the OH&S management system and to achieve continual improvement in its OH&S performance.
When determining its OH&S objectives the organization must take into account:
The results of the assessments of risk and opportunities;
Applicable legal and other requirements;
The results of consultation with workers and where applicable, their representatives.
OH&S objectives can be integrated with other business objectives such as quality or environment and should be set at relevant functions and levels as defined and decided upon by the organization.
The OH&S objectives should address both broad corporate OH&S issues and OH&S issues that are specific to individual functions and levels within the organization. It is a requirement of the standard to set achievable OH&S objectives with the means to periodically measure progress, demonstrating continuous improvement. Often objectives are set and reviewed at management review or locally at departmental or committee meetings. Once set, there must be a means to communicate objectives throughout the organization to support and generate a positive OH&S culture. If many requirements have been identified, the organization may consider developing a documented Occupational Health and Safety Strategic Plan. The plan should be agreed on by senior leadership and include risk-rated tasks in order of priority, each aligned with the member of senior leadership responsible for overseeing it.
The standard advises that occupational health & safety objectives should be established at appropriate levels and intervals, having considered the identified occupational health & safety hazards, risks and opportunities, and compliance obligations. The characteristics of the set objectives are important: they need to be consistent with the organization’s Occupational Health & Safety policy, measurable where possible, able to be monitored, communicated effectively, and such that they can be updated when circumstances require. Once more, it is mandatory that documented information is kept outlining this process and its outputs. Because the term “maintain and improve its OH&S management system” is used in this clause, the organization can set some objectives in order to maintain a certain level of performance and other objectives for the purpose of achieving an improvement in its OH&S performance. This means that in the case of the former, once a level of performance has been achieved and no further opportunity for improvement can be identified, the organization can set an objective that maintains that level of performance until such time as new opportunities are identified. The OH&S objectives should be consistent with the OH&S policy and, if practicable, be measurable or capable of performance evaluation. Ideally, the objectives should be specific, measurable, achievable, realistic, and time-oriented (SMART).
Typical examples of OH&S objectives include the following:
Objectives to increase or reduce a numerical value, such as reducing manual handling incidents by 10% or increasing VDU risk assessments by 20%;
Objectives to introduce controls or eliminate hazards such as the introduction of LEV in a particular process or elimination of a particular hazardous substance from a process;
Objectives to introduce less hazardous materials in specific products;
Objectives to increase levels of worker satisfaction in relation to OH&S such as a reduction of workplace stress or an increase in worker participation in and consultation on OH&S issues;
Objectives to increase awareness or competence in performing work tasks safely;
Objectives to meet legal requirements prior to their enactment.
The objectives should be monitored, communicated, and be updated as appropriate. The organization is not required to establish OH&S objectives for every risk and opportunity it determines.
6.2.2 Planning to achieve OH&S objectives
When planning how to achieve its OH&S objectives, the organization must determine:
what will be done;
what resources will be required;
who will be responsible;
when it will be completed;
how the results will be evaluated, including indicators for monitoring;
how the actions to achieve OH&S objectives will be integrated into the organization’s business processes.
The organization must maintain and retain documented information on the OH&S objectives and plans to achieve them.
Annex A (Guidance on the use of ISO 45001:2018) of the ISO 45001:2018 standard further explains:
The organization can plan to achieve objectives individually or collectively. Plans can be developed for multiple objectives where necessary. The organization should examine the resources required (e.g. financial, human, equipment, infrastructure) to achieve its objectives. When practicable, each objective should be associated with an indicator that can be strategic, tactical or operational.
The standard advises on the elements that need to be determined to ensure that objectives can be achieved. This can be thought of in terms of what needs to be done, when it needs to be done, what resources are required to achieve it, who is responsible for the objectives being achieved, how results are to be measured and progress ensured, and how these objectives can be implemented within existing business systems. In order to achieve the objectives, a programme or programmes should be established. A programme is an action plan for achieving one or all of the OH&S objectives. The programme, at a minimum, should address the following:
What is to be done;
What resources (e.g. financial, human, equipment & infrastructure) will be required;
Who will be responsible;
When it will be completed;
How the results will be evaluated, including indicators for monitoring.
The programme should be reviewed at planned intervals, and adjusted as necessary, to ensure that the objectives are achieved. This review can be part of the management review process. The organization must maintain and retain documented information on the OH&S objectives and plans to achieve them.
A strategic OH&S plan is a live document and should be reviewed periodically to monitor progress toward achieving objectives and continuous improvement. The document may include:
Strategic prioritized topic
Action (for example, conducting assessments required by compliance obligations, such as a noise assessment)
The method by which the action can be achieved
Resources required to achieve the action, for example human, equipment, financial and external provider expertise
The key performance indicator to demonstrate achievement of the action
General responsibility
Top Management responsibility
Timescale
Risk rating (order of priority)
Examples for Objectives
OH&S Policy/Risk Area: Prevention of injury and ill health
OH&S objectives, targets and time-frames:
Number of non-reportable accidents per year: ≤10 (1 year)
Number of reportable accidents per year: ≤2 (1 year)
Incident Frequency Rate: ≤20 (1 year)
Legal and other requirements:
Health and Safety at Work Act
Management of Health and Safety at Work Regulations
Reporting of Injuries, Diseases and Dangerous Occurrences Regulations
Control of Substances Hazardous to Health (Amendment) Regulations
Electricity at Work Regulations
Health and Safety (Safety Signs and Signals) Regulations
Manual Handling Operations Regulations
Programmes and other responsibilities:
Incidents to be monitored quarterly. Action: Production Supervisor (PS)
Any increases in incident rates to be investigated and action taken. Action: ALL Managers
Reduction in incident levels to be targeted through training & monitoring programmes. Action: ALL Managers
Example of Derivation of Objectives from Risk and Opportunity
Contractors/suppliers/outsourcing: clear statement of OH&S requirements in tenders/contracts
Controls for procuring goods/ services conform to OH&S MS requirements
OH&S requirements are not clearly defined in our contracts and demoted to a contract Annex
Poor OH&S performance, and OH&S loss to workers
Improving the OH&S culture by extending competence related to OH&S beyond requirements (OH&S opportunity to improve OH&S)
OH&S objective – OHS/Contractor (Sept 15th 20xx): To include a clear statement of OHS requirements in tenders/contracts. To be included by the end of Dec XX.
(What will be done)
Workers’ Representative, Purchasing Supervisor, H&S Manager: To draft a statement of OH&S requirements to be included in tenders/contracts. (Before the end of September 20xx)
Production Manager: To review/revise in consultation with the above. (Before Oct 15th 20xx)
Company Secretary: To forward agreed requirements to company legal advisor for inclusion into the contract, or amendment as legally required/advised. (Before Oct end 20xx)
Purchasing Manager: To include the agreed OH&S requirements in new tenders/contracts. (Before Nov end 20xx)
Purchasing Manager: To start negotiating changes to existing contracts to include the above OH&S requirements. (On-going, but expected completion of all existing contracts by April 20xx)
Production Manager: To communicate new requirements for all company workers who may be involved with contractors. (Before Nov)
Purchasing Manager: To monitor the response from the contractor’s top management on the new requirements in tenders/contracts. (From Nov 20xx onwards)
(What resources will be required)
Workers Representative
Purchasing Manager
Purchasing Supervisor
H&S Manager
Company Secretary
Company legal Advisor
Time and cost for legal advice (KWD 500)
(Who will be responsible) Purchasing Manager and Production Manager.
(When it will be completed) Over the next four months (April 20xx+1).
(How it will be measured through indicators (if practicable) and monitored, including frequency) Through the dates and responsibilities identified above, reported through the monthly OH&S committee meetings.
(How the results will be evaluated) Through the Purchasing Manager checking whether OH&S requirements are now clear in contracts (by sampling contractors’ management), and thereafter through the Purchasing Supervisor monitoring conformance against contract OH&S requirements (number of contract OH&S breaches per month).
(How the actions to achieve OH&S objectives will be integrated into the organization’s business processes) Actions will be integrated into each responsible person’s personal appraisal for the year and reviewed as part of their personal development and achievement.
End of Examples
I’m excited to share the book I have authored:
Standard for Integrated Management System for Quality, Environment & Health & Safety
ISBN: 978-8199763272 Published by Brown Books Publications
This book provides a practical, risk-based framework to integrate Quality, Environmental, and Occupational Health & Safety systems into one streamlined management system — helping organizations eliminate duplication, improve efficiency, and drive continual improvement.