What does ISO 45001 mean for H&S management in 2018?
The ISO 45001 standard was published in March 2018. An overwhelming 93% of member bodies voted in favour of publishing the final draft international standard at the end of January. The new standard is set to be a 'game changer' for health & safety management globally.
“ISO 45001 is one of the most significant developments in workplace safety over the past 50 years, presenting an opportunity to move the needle on reducing occupational safety and health risks” - American Society of Safety Engineers
The ISO 45001 standard is built around the High-Level Structure (also known as Annex SL) that all ISO management system standards are now required to use. The HLS is essentially a set of 10 clauses whose purpose is to give all management system standards the same look and feel and to enable greater integration between ISO 9001, ISO 14001, ISO 45001 and other risk management systems. The HLS uses core text that appears in every management system standard as well as contextualised text that is specific to the H&S discipline. The HLS is integrated into the PDCA cycle, which is also known as the Deming cycle.
The first thing to take note of is that in the new standard there is a stronger focus on the “organization’s context”. With ISO 45001, organizations will have to look beyond their own health and safety issues and consider what the society expects from them, in regard to health and safety issues.
The 'context' of an organization (or its 'business environment') refers to the combination of internal and external factors and conditions that can affect its approach to health and safety management. This aids the integration of the H&S system within existing business practice, rather than being looked upon as a separate function.
Internal and external issues can be positive or negative and include characteristics or changing circumstances that can affect the health and safety management system. So for example external issues can include the competitive landscape or key trends relevant to the industry that have an impact on the organisation. Internal issues can include the organisational culture, the structure, the types of products or services that the organisation creates as well as the existing standards and guidelines that have been adopted by the organisation.
Once the organisation has understood the context the next step is to:
- Identify the stakeholders or parties who have an interest in the organisation’s H&S management system. Stakeholders include both internal people such as staff, management and the board as well as external parties such as customers, contractors, suppliers, neighbours and the general public.
- Engage with these stakeholders to understand their needs and expectations relating to the H&S system.
- The requirements should then be assessed against the current and future legal requirements.
- Taking into account the context and the stakeholder issues, the scope of the H&S management system needs to be defined. The scope is essentially the sphere of activities, products and services that are within the organisation’s responsibility and control that are covered by the H&S management system.
- The organisation then needs to develop, implement and maintain a H&S system with all the required processes and interactions.
Leadership and Worker Participation
Leadership and worker participation are central to an effective health & safety management system. ISO 45001 recognises that without these key elements, health and safety systems can be very compliance focused. For those of you joining the webinar from New Zealand and Australia - these concepts aren’t new as they are two central elements of the requirements of the H&S at Work Act.
Top management are now required to demonstrate a greater direct involvement in the organization's H&S management system through direct participation and taking H&S performance into account in strategic planning. ISO 45001 makes health and safety an organization-wide concern. It changes several requirements for management participation and engagement to a more general leadership provision — a subtle distinction designed to empower all staff to make safety a priority.
The absence of the need for a specific 'Management Representative' from ISO 45001 is an attempt to ensure that 'ownership' of an organization's management system is not simply focused on one individual. Interesting points to note are:
- Top management is responsible for ensuring that the H&S management system is compatible with the overall business strategy and that the system is integrated into the day-to-day business processes.
- Top management is responsible for supporting other relevant management roles to demonstrate their leadership as it applies to their area of responsibility.
- Top management is responsible for protecting workers from reprisals when reporting H&S incidents, hazards, risks and opportunities.
- As part of the commitment of the organisation to H&S, top management is responsible for the development, documentation and dissemination of the policy. The policy needs to include a commitment to safe and healthy working conditions by preventing work-related injury and ill health, not just accidents!
Top management of the organisation needs to ensure that responsibilities and authorities for relevant levels of the organisation are assigned and communicated. So while responsibility and authority can be assigned, ultimately, top management is still accountable for the functioning of the OH&S management system. Top management needs to assign responsibility for maintaining the H&S management system in alignment with the ISO 45001 standard as well as communicating the performance of the system to top management.
The standard is quite explicit in its requirements around worker participation and consultation. It alludes to the removal of barriers to engagement, such as failure to respond to ideas and suggestions, as well as eliminating language and literacy barriers. This is very relevant for those organisations in industries where many staff have English as a second language or haven’t finished school.
Effectively, workers, which include both operational staff and managers, need to have the opportunity to be consulted and participate in all aspects of the H&S management system, from the development of the policy, to hazard identification and assessment of risks, to the determination of applicable controls for outsourcing, procurement and contractors. Organizations will need to set aside adequate resources for worker participation and training on things such as incident reporting, investigations, risk assessment and other tasks that were the exclusive domain of management under the old standards.
I’m personally really excited about the emphasis on this aspect, as I’m sure we’ve all seen over the years that siloed management systems are a key challenge for effective H&S management. By being explicit about the areas of the H&S management system that workers need to be engaged in, the likelihood of this happening and being effective will be significantly increased.
By now we’re all familiar with the concept of risk and the need to assess risk relating to the identified hazards that have the potential to cause harm. The methodology for assessing the risks needs to be documented and take into account legal requirements, be proactive rather than reactive and be used in a systematic way.
A vital part of the planning and implementation of a H&S management system is the requirement to identify the risks and opportunities that can potentially impact its operation and performance and the corresponding 'proportionate' actions to address them. Therefore, in addition to risks associated with health and safety hazards, the ISO 45001 standard introduces the need to identify and assess the risks related to the establishment, implementation, operation and maintenance of the H&S management system. In other words, this means identifying and putting in place actions to mitigate the risk of the H&S system not performing effectively.
Similarly, the organisation needs to identify opportunities to improve H&S performance by eliminating hazards and reducing risks. Additionally, the organisation needs to identify opportunities to improve the H&S management system.
When setting health and safety objectives, the ISO 45001 standard requires organizations to consider the available resources and identify the responsible staff, timelines and associated metrics for gauging success. These changes require additional documentation, formalizing organizational goals and priorities to a greater extent than OHSAS 18001 did.
Support and Operation
The ‘Doing’ element includes the Support and Operation clauses of the HLS. A key aspect of this is that resources need to be provided to support the management system, including providing competent people, appropriately maintained infrastructure, information technology and financial resources. Additionally, the knowledge necessary for the effective management of H&S needs to be determined and made available.
The terms documented procedure and records management from 18001 have been replaced with documented information in ISO 45001, where the organization determines what documentation is necessary and the most appropriate medium for that documentation. However, it is up to each organization to determine the level and type of documentation necessary to control its H&S management system, whether that be paper folders, Excel spreadsheets and Word docs or a modern H&S software system. The appendix of ISO 45001 makes specific mention of keeping the complexity of the documented information at the minimum level possible to ensure effectiveness, efficiency and simplicity. This is recognition of the challenges associated with the traditional folders-on-the-shelf type of management systems that aren’t usually read or understood by workers.
Regarding awareness, there is an explicit focus on contractors, visitors and temporary workers being aware of the H&S risks they will be exposed to. ISO 45001 mandates that communication objectives be defined and measured for their effectiveness. The standard is more prescriptive in respect of the “mechanics” of communication, including determination of what, when and how to communicate. Importantly, the communication processes need to facilitate two-way communication flows to ensure the ability for workers to contribute to the continual improvement of the H&S management system.
As part of operational planning a key point of note is that organisations aligning with the standard are required to address H&S requirements in their procurement processes by ensuring that products and services they purchase are aligned with their H&S system. Similarly any outsourced processes need to be controlled in line with the system.
In regards to contractors - organisations need to ensure that processes are in place for ensuring that contractors can identify, assess and control risks. Additionally the standard requires organisations to define and apply H&S criteria in the selection of contractors.
ISO 45001 strengthens, expands or modifies many of the outgoing standard’s requirements for evaluation. Performance and monitoring results must now be documented information. As part of the new emphasis on organizational context, these benchmarks should consider additional factors such as legal requirements, risks, opportunities and objectives.
ISO 45001 also includes more detailed requirements for regulatory compliance and internal and external auditing. These changes are designed to actively engage workers organization-wide — relevant workers are required to know the organization's current compliance status, while management must inform workers and relevant interested parties of audit results. The new standard also expands the scope of management review to include risks and opportunities, among other factors.
Continual improvement is one of the core tenets of every ISO system. ISO 45001 further refines this. In it, occupational health and safety management systems must identify and respond to nonconformity with action. The new standard abandons the idea of preventive action as a distinct concept. Instead, prevention becomes a fundamental requirement of the system in its entirety.
For example, following an incident, compliant organizations must complete a root cause analysis and make the appropriate changes to ensure similar incidents don’t recur. The system is no longer merely reactive — instead, incidents of nonconformity help drive the continual improvement cycle.
Globally, around 2.78 million people die from work-related causes. This is an unacceptable number and a key reason why health & safety professionals dedicate their careers to this area.
The new ISO 45001 standard aims to support any organisation to develop an effective workplace health and safety management system that reduces risk and improves performance. ISO 45001 aligns with other international risk management system standards such as ISO 14001 (environmental) and ISO 9001 (quality). Key considerations in the new standard are a focus on setting the organisational context, increasing top management accountability, worker engagement, communication and risk management.
I'm hopeful that the new standard will encourage organisations to move beyond compliance and box ticking of their system for the purpose of certification and instead integrate the system into the operations to keep people safe at work.