What to include in risk management methodology according to ISO 45001:2018

The ISO 45001:2018 standard includes requirements to address risks in the Occupational Health & Safety Management System (OHSMS), but how does this affect your company? To make things more complex, there are two types of risks to consider in the standard, so what is the best risk management methodology to address this?

This assessment of hazards, and the risks that are associated with them, is not new to the OHSMS. For more information on hazards in the OHSMS, see the article Hazards vs. risks – What is the difference according to DIS/ISO 45001? (This information has not changed since the draft international standard (DIS) was released.)

Below you will find out about the two types of risk and a methodology to plan to address them.

Type 1 – Hazard identification

Clause 6.1.2, hazard identification and assessment of risks and opportunities, talks about two different types of risk that need to be considered in the OHSMS. The first clause, 6.1.2.1 Hazard identification, requires you to consider the hazards and risks that are present in the processes of your organization. This includes consideration not only of regular conditions, but also potential emergencies and other factors such as changes in the OHSMS.

Type 2 – Assessment of OH&S risks

The second type of risk is in clause 6.1.2.2, Assessment of OH&S risks and other risks to the OH&S management system, and talks about not only risks from the hazards, but also other risks related to the OHSMS. These other risks are new to the OHSMS and could come from the internal and external issues identified earlier in the standard, from changes in legal requirements, or from the needs of interested parties.

The assessment of both types of risks is required to be defined, proactive rather than reactive, used systematically, and documented.

For a more thorough understanding of the new risk requirements in the standard, see the article What are the new requirements for risks and opportunities according to ISO 45001?


What is the methodology to manage risk according to ISO 45001?

Once both types of risks are assessed, there is a common requirement in the standard to plan actions to address the risk (clause 6.1.4 Planning actions). During the assessment of each risk above, there is a decision on the necessity to take action to reduce or eliminate the risk and, if action is needed, there are certain planning requirements for these actions.

Some parts of the methodology for planning actions that need to take place include:

Plan actions. If you have determined that you need to do something about the risks to reduce or eliminate them, then you will need to plan the actions. What are you going to do? What steps will be taken? Who will do them, and when?

Prepare for emergencies. If you cannot eliminate a risk by changing what you are doing (such as eliminating a risky process from your company or removing a hazardous chemical from your process), then having plans in place to deal with the situations that can arise is necessary. What emergency plans do you need to create? What training do employees need to respond to the potential emergencies in your organization? Who will report the emergencies?

Integrate the actions into your processes. When you determine the controls needed as part of your plan, you will need to integrate these controls into your processes. Controls are not effective if they are an afterthought for employees, rather than being an integral part of the process they are doing; any process worth doing is worth doing safely.

These integrated controls should follow this hierarchy of controls:

  1) it is best to eliminate a hazard;
  2) the next best is to substitute less hazardous processes;
  3) then, try to put in engineering controls;
  4) followed by administrative controls and training;
  5) and finally, employ the use of personal protective equipment (PPE).

For more details on how these five levels of control work, see the article 5 levels of hazard controls in ISO 45001 and how they should be applied.

Make risk management work for you

The most important part of risk management is ensuring that you are controlling the right risks in the right way. Taking excessive steps to eliminate a very small risk, while only applying personal protective equipment controls to a much greater hazard, is not only a poor utilization of resources but will also not reduce the overall hazard level of your company. The reason we assess the risks is to determine the logical thing to apply resources to in order to improve the occupational health & safety within the company.

Having a process in place that ensures that the proper resources are applied to the highest-risk areas is not only good for health & safety within your organization, but it is also good for business. Managing risk well is one of the best improvements you can make towards the betterment of occupational health & safety within your workplace. After all, improved OH&S performance is the reason for implementing an Occupational Health & Safety Management System in the first place.

To better understand the requirements of ISO 45001:2018, see this white paper: Clause-by-clause explanation of ISO 45001:2018.

Author
Mark Hammar
Mark Hammar is a Certified Manager of Quality / Organizational Excellence through the American Society for Quality and has been a Quality Professional since 1994. Mark has experience in auditing, improving processes, and writing procedures for Quality, Environmental, and Occupational Health & Safety Management Systems, and is certified as a Lead Auditor for ISO 9001, AS9100, and ISO 14001.