
How to perform risk assessment in ISO 45001

One of the most important components of any ISO 45001:2018 system is hazard identification and risk assessment. This process has a direct bearing on the overall performance and effectiveness of the OHSMS, and on the welfare of your staff through the reduction of workplace accidents and incidents, so it needs to be taken seriously. The risk assessment process must therefore be proactive rather than reactive: mitigating or removing a risk only after an incident or accident suggests that your system is failing. There are many factors to consider in the risk assessment process, from identification through mitigation and removal to ensuring the continual improvement that the standard requires. So, where do we start?

Risk Assessment – The inputs

In this article we are talking about risk assessment associated with the identified hazards. An organization that has an effective risk management process is halfway to having an effective OHSMS. The ISO 45001 standard suggests the factors that should be taken into account for risk management, such as the activities of all people in your workplace, routine and non-routine activities, equipment factors, hazard identification, machinery, and legal obligations and compliance. It is also advisable to consult all stakeholders, especially your own employees, when deciding on your inputs and subjects for risk assessment. Nobody will be more aware of the inherent risks in the workplace than your employees themselves and the contractors who may come to your workplace. Contractors normally work in different workplaces and have multi-site experience, so garnering input from a contractor can often prove invaluable and provide supplementary information to that collected from your static workforce. Having an employee health and safety forum, or regular meetings with staff, can also ensure that any concerns, topics, or subjects can be raised and identified, so that you have the maximum information to provide input to your risk assessment process. It is also important to consider the results of past risk assessments, internal audits, and actions taken against incidents and accidents. So, we are happy that we have the inputs, but what now?

For more information on other risks to be assessed in the OHSMS, along with those associated with hazards, see the article: What are the new requirements for risks and opportunities according to ISO 45001?

Risk Assessment – Process and outputs

In the previous article Why you should perform effective internal audits in ISO 45001, we looked at the internal audit process. It is wise to remember that your risk assessment and internal audit processes are very closely linked in ISO 45001, as the results of one may provide subject matter for the other – particularly if your risk assessment process is not effective. Therefore, you have several reasons to ensure that the outputs from your process are effective, employee safety and compliance with legislation being foremost. Most organizations use a “scoring system” for risk assessment, rating whether a hazard or risk is acceptable or unacceptable and identifying the action, time, and responsibility to remove or mitigate the risk. Whatever your chosen methodology, the most important factor is that you can have a positive effect on the risk that you have identified. Again, some organizations choose to use senior managers to execute this process, but I feel it is important to have stakeholder input when reviewing results of the outputs and assessing whether a risk has been positively affected. So, how is this to be achieved?

Risk Assessment – Measurement, review, and continual improvement

You will have read above why consulting your employees and contractors is vital when assessing risk in your workplace. Likewise, when you review the results of your risk assessment and action, it is vital that you consult the same stakeholders again. Remember, you may believe that a risk has been mitigated or removed, and another person may not; therefore, consultation is vital in this instance. If the employees agree that health and safety are being taken seriously, risks are correctly and democratically identified, and the actions taken against them are effective, then your OHSMS has a much better chance of being effective. It is also wise, as part of your risk assessment process, that your documentation give a period in the future when that risk factor is to be revisited, and assurance sought that the risk remains mitigated or removed. Having requisite boxes on your risk assessment template to ensure all interested parties can sign off on this event is recommended, and helps provide evidence under audit conditions that you are approaching risk assessment seriously and diligently. With your internal audit process supporting the hazard identification and risk assessment process, and the channel for communication between your employees, stakeholders, and management team now established, the process is now in place to ensure action, measurement, review, and continual improvement. In an OHSMS, continual improvement equals a reduction in accidents and incidents, ensuring a healthy and protected workforce.

To learn more about the risks and other requirements of ISO 45001, download this free white paper: Clause-by-clause explanation of ISO 45001:2018.

John Nolan
John Nolan is a Fellow of the Institute of Leaders and Managers in the United Kingdom, and Prince 2 accredited with a background in Engineering and Electronics and Data Storage and Transfer. Having studied and qualified as both a Mechanical and Electronic Engineer, he has spent the last 15 years designing and delivering Quality Systems and projects across many sectors in the UK, including both national and local government.