
It’s been over a year now since ISO 45001 was first published, and many companies have achieved certification. If your company is one of them, congratulations on an important milestone in your safety journey! For companies that haven’t earned certification yet, ISO 45001 can still provide an invaluable tool to help you improve your workplace safety management system.

Let’s take a look at some of the key areas addressed by ISO 45001, with an eye toward how the standard’s guidance can improve our own EHS management.

Hazard Assessment & Risk Analysis

It’s good to start with a little background here, because many people use the terms “hazards” and “risks” interchangeably. For many EHS professionals, as well as the authors of the ISO 45001 standard, these terms have related, yet distinct meanings.

ISO 45001 defines a “hazard” as a “source with a potential to cause injury and ill health.” In the notes accompanying the definition, the standard clarifies that hazards can “include sources with the potential to cause harm or hazardous situations, or circumstances with the potential for exposure leading to injury and ill health.”

The standard defines a risk, quite briefly, as the “effect of uncertainty.” The notes for the definition further explain that “risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated ‘likelihood’ of occurrence.”

When we put those ideas together, we can see the relationship between these concepts, and why it’s important to distinguish between the two. Hazards are conditions that have the potential to create risks. Hazards can be physical, observable conditions like wet floors which might create such risks as slips or electrical shocks, or they might be conditions that are not directly observable, such as poor safety awareness or training effectiveness which may also create the risk for various workplace accidents.

There’s one more important definition to know: “opportunity.” The standard defines an “opportunity” as the “circumstances or a set of circumstances that can lead to improvement of occupational health and safety (OHS) performance.” The standard states that the organization needs to take opportunities into account along with hazards and risks, highlighting the fact that an effective safety management system needs to be proactive.

The authors of the standard recognize that the best way to boost safety performance is to eliminate hazards, reduce the associated risks, and adopt a mindset of continual improvement. This means putting all of your operations, your training, and your programs and policies under the microscope on a regular basis, always looking for ways to strengthen safety awareness and reduce the potential for accidents. When you can integrate this continual improvement mindset into your business philosophy and make it part of your culture, you’ll be well on the way toward better safety performance.

Incident Investigations/Root Cause Analysis

Of course, even with an excellent safety management system, unplanned events happen. When they do, you learn the hard way about hazards and risks you didn’t previously know you had, and with that knowledge comes the responsibility to fix them.

Most people do at least some of what they should be doing in this regard. They know that if someone gets injured, they’d better do an incident investigation and identify the real underlying reasons, or root causes. Hopefully, they may also realize that they need to do this investigation not because regulations say they do (although many do), but to identify and eliminate the hazards, make the workplace safer, and prevent similar incidents from happening in the future.

In reality, however, this process often gets derailed. For example, we don’t always apply root cause analysis to “near hits” (aka “close calls,” or “near misses” in the US). We might think of them as “almost incidents” rather than as types of incidents in themselves, and therefore, don’t see them as passing our own significance test of when root cause analysis should be performed.

ISO 45001 can help us improve our awareness here. The standard defines an “incident” as “an occurrence arising out of, or in the course of, work that could or does result in injury and ill health.” The “could or does” in that statement establishes that there doesn’t need to be an actual injury or illness for the event to count as an “incident” that must be investigated and managed. To make the message even more clear, the notes to the definition say “an incident where no injury and ill health occurs, but has the potential to do so, may be referred to as a ‘near-miss,’ ‘near-hit,’ or ‘close call.’” Since all of these count as “incidents,” we should not compartmentalize our approach to investigating them.

Not only does “near-hit” investigation provide a golden opportunity to find and reduce both hazards and risks without actually suffering a workplace injury or illness, but a strong emphasis on “near-hits” has benefits for your EHS culture, as well. Establishing a good culture is, in large part, about changing behaviors. If you simply wait until someone becomes injured or sick, you miss out on the chance to respond to clues that unsafe conditions exist, and to change related behaviors before something more serious happens. You also send your employees a message that you only will respond to workplace safety incidents when they’re so serious that you are forced to. This can erode employee confidence in your EHS programs and jeopardize your workplace culture.

Management of Change (MOC)

One of the most common scenarios in which unsafe conditions get overlooked is when those conditions arise due to changes to the workplace. Some of the worst industrial disasters in history, such as the Seveso chemical disaster in Italy in 1976, occurred because a normal process was interrupted or altered, and those doing so did not understand the risks involved.

This situation may happen even more frequently when the planned changes are considered “temporary.” The Seveso disaster happened in large part because the plant operators interrupted a batch process prior to completion of the final step, which triggered a rapid runaway reaction resulting in release of the highly toxic 2,3,7,8-tetrachlorodibenzo-p-dioxin (TCDD). Many other disasters have occurred because of one-time bypasses of normal processes that never reverted to normal, and therefore became permanent by default, along with their unrecognized risks.

The economist Milton Friedman once quipped that “there’s nothing so permanent as a temporary government program.” His observation applies to safety as well, where numerous accidents can testify to its painful truth.

The creators of ISO 45001 recognize this reality, which is why section 8.1.3 of the standard prompts the organization to “establish a process(es) for the implementation and control of planned temporary and permanent changes that impact OH&S performance.” This process should address not only changes to operations, but also changes to workplace conditions, personnel and the organization itself, to the degree that such changes can impact safety. For example, if planned staff cuts will reduce the number of workers available to perform a certain process, that can introduce risks and management would need to understand and try to control those risks during the planning stages.

Of course, many facilities need to have an MOC process in place due to applicable regulations such as the Seveso III directive, Control of Major Accident Hazards (COMAH), or Process Safety Management (PSM) standard. However, ISO 45001 reminds us that MOC should not be a tool for the select few. Any organization can introduce unintended risks through planned changes and a robust, widely implemented MOC process is the best defense.


How do we ensure that workers will follow our procedures, including those for risk analysis, incident investigation and MOC? By giving them the proper training and verifying that the training was effective, of course! Sounds simple, right? Unfortunately, many organizations struggle with the effectiveness of their training programs. For example, I’ve encountered many companies that send employees out to do incident investigations who’ve had no training on how to do one. What is the likelihood that an untrained employee will be able to talk to the right people, document the right details, and analyze the collected data to identify true root causes?

The “Competence” (7.2), “Awareness” (7.3) and “Communication” (7.4) sections of ISO 45001 address training management. Notably, the standard specifically states that employers must ensure worker competence, including the ability to identify hazards, and that employees must be made aware of the OH&S policy and its objectives. They must also understand the hazards associated with their job tasks, and their own roles in the safety management system.

It’s worth noting here how ISO 45001 defines a “worker.” Section 3.2 states that a worker is a “person performing work or work-related activities that are under the control of the organization.” Notes associated with this definition elaborate that the organization needs to include “workers employed by the organization, workers of external providers, contractors, individuals, agency workers, and by other persons to the extent the organization shares control over their work or work-related activities.”

This definition reflects the realities of the modern workplace, where multiple employers may have their employees working at the same time, and workers on the regular payroll work alongside contractors and temporary workers. The standard’s perspective is also similar to that expressed by OSHA in its Temporary Worker Initiative, which maintains that employers present at multi-employer worksites share responsibility for worker safety, with each employer being responsible for addressing the aspects of safety under their control. For instance, the host employer would need to make all employees, including temp and contracted labor, aware of the specific hazards of chemicals in their workplace and ways of reducing exposure. It’s a good idea to maintain open lines of communication between all employers represented in the workplace to make sure that each understands their role, and that no communication gaps exist.

Corrective Actions

All of the EHS activities we’ve talked about so far can generate corrective actions. That means at any given time, an organization is likely to be managing numerous concurrent action items, and EHS management programs can succeed or fail based on how efficiently and effectively we address those actions. Therefore, having a system that captures and funnels all of your different actions into one place can dramatically simplify management and follow-up. A modern corrective actions software solution can be a big help here.

ISO 45001 lays out its expectations in Section 10.2 on “Incident, nonconformity and corrective action.” The standard states that organizations need a process for reacting in a timely manner whenever there is an incident or nonconformity. Remember that “incidents” include close calls and near misses, as well. A “nonconformity” is essentially any instance when the company fails to do what its own management system policies and procedures require.

The standard also states that management needs to “evaluate, with the participation of workers and the involvement of other interested parties, the need for corrective action to eliminate the root cause(s) of the incident or nonconformity.” This highlights a key feature of ISO 45001, which is its strong emphasis on employee participation. In explanatory notes, the standard also clarifies that non-managerial employees need to be involved in the process.

According to the standard, an organization also can’t simply complete the action(s) related to a particular incident or nonconformity and call it a day. ISO 45001 directs them to determine if similar incidents have occurred, or could potentially occur. It also states that organizations need to document the results of actions taken and evaluate their effectiveness. This helps ensure that management is looking wider and deeper than the immediate problem at hand, and is actually making the effort to validate the effectiveness of actions.

The standard’s emphasis on promptness, scope and applicability of actions, and employee participation all serve to mutually reinforce management system performance. Prompt completion of actions demonstrates management’s commitment to reducing risks, while focusing our attention beyond immediate incidents increases the likelihood of identifying other relevant risks. Worker involvement improves the odds that actions will be effective, since workers know more about their job tasks and associated safety risks than anyone else. The more frequently we can document that actions are effectively managed and completed through employee involvement, the more likely it is that workers will buy into our EHS culture, which makes every facet of our management system that much better.

Employee Engagement

As we’ve already seen, ISO 45001 requires organizations to consult and participate with workers or their representatives. There’s a good reason for that. In the past, management systems have often been the domain of a select few, with program documents existing on only a few computers within corporate EHS.

Section 5.4 in ISO 45001 attempts to fix that by specifically requiring the consultation of non-managerial workers in various aspects of OHS to ensure that all employees are included. Organizations must also identify and remove barriers to participation. A common historical reason safety management systems failed in this regard has been that they existed in a separate universe from all of the organization’s production activities, which caused compartmentalized thinking and a lack of true engagement. Section 5.1 of 45001 states that OHS management must be an integral part of an organization’s identity.

The take-away here is that any organization seeking certification to ISO 45001, or looking to pattern their safety management system on it, will need to have a healthy and engaged EHS culture. Make sure to involve your entire workforce, including temporary and contracted workers, in all levels of your OHS management system. This includes incident investigations, development and tracking of corrective actions, and planned changes to operations.

Safety meetings are a great tool to solicit employee feedback and report on the organization’s progress in addressing issues. However, safety meetings can also be challenging to schedule and manage. Consider using a good cloud-based safety meetings software solution to take the stress out of managing your meetings.


Let VelocityEHS Help!

Thinking of trying to certify to 45001, or at least using it to reshape your safety management system? Your ability to align with 45001 will largely depend on the maturity of your management system.

Our Audit & Inspection software can help you create and deploy checklists for conducting internal audits across multiple locations so you can quickly and more accurately evaluate compliance with your OHS management system policies and procedures, as well as applicable regulatory standards. It also makes it easier to instantly generate and assign corrective actions for individual checklist items when nonconformances are identified, and to be able to verify completion of actions during audit follow-ups.

To maintain an effective management system, you’ll need to effectively train your employees on your policies and procedures. The VelocityEHS Training Management and On-Demand Training solutions help standardize safety training across your entire organization, while improving the visibility of training performance and driving employee engagement. You can easily define individual or role-based training profiles and requirements, quickly deploy flexible and interactive training content, and improve accountability for training completion and performance, all from a single cloud-based platform.

Our Compliance Management solution helps you simplify scheduling and tracking of all tasks needed to build and maintain a certified management system. You can easily assign tasks to the individual employees, track critical dates including certification and recertification dates, and establish recurring or non-recurring actions — giving you the visibility of non-conformities you need to keep your system running smoothly.

With the right tools in place, you’ll be better prepared to align with ISO 45001 and able to maintain a world-class EHS culture that protects your employees and your business.