In this article, I’m going to cover ISO 45001 clause 6.1.2.2 Assessment of OH&S risks and other risks to the OH&S management system which falls under the overarching clause 6 Planning. I’m going to break this clause down and turn it into something you can all understand. You’ll then be able to apply this to your own organization's system and understand what the requirements will look like for you. No more guessing!
Before I move on too much further though, I do want to point out that the title of this clause refers to OH&S risks AND other risks to the OH&S management system. It’s pretty clear that the OH&S risks come from the hazard identification process covered in clause 6.1.2.1 (be sure to check that video out on ATOL.tv) but what are the other risks to the OH&S management system?
The other risks would more than likely have been identified earlier on in the standard, when working through Clause 4.1 Understanding the organization and its context and Clause 4.2 Understanding the needs and expectations of workers and interested parties.
Other sections in the standard where other risks are identified would be Clause 6.1.3 Determination of legal requirements and other requirements and even possibly Clause 8.1 Operational planning and control. The point to take away here is that this assessment requirement is NOT just a result of hazards identified. It is a holistic assessment approach for all risks associated with the OH&S management system.
Ok, let’s get started with the nitty gritty of the clause requirements! I’m actually going to work backward for this clause and start off with the final paragraph as I think this will help us to understand points a) and b) a lot better.
So, the final paragraph of this clause states:
The organization’s methodology(ies) and criteria for the assessment of OH&S risks shall be defined with respect to their scope, nature and timing to ensure they are proactive rather than reactive and are used in a systematic way. Documented information shall be maintained and retained on the methodology(ies) and criteria.
First off when I read the words methodology and criteria I think of a risk matrix.
A risk matrix is a standard method I see out there when I’m auditing. Criteria can be aligned to the Likelihood and Consequence. The different levels in these parameters will differ based on each organization's hazards. Setting criteria for each will help to achieve ‘some sort of’ consistency. It will never be perfect and can still be subjective, however, it’s certainly a start.
So, to me, a methodology is to use a risk matrix that includes the criteria set by the organization. ISO 45001 guidance also states that methodologies can include ongoing consultation of workers (refer to our video on clause 5.4 for a refresher on this clause), and other methodologies including monitoring and communication of changed or new legal requirements as well as other requirements (refer to our video on Clause 6.1.3 to learn more about this clause). So it’s not only a ‘tool’ such as a risk matrix, it's also activities that you conduct within your OH&S management system.
And don’t forget that this methodology and criteria are required to be maintained and retained. So, we are looking for a procedure that tells us HOW we assess OH&S risks and what methodology and criteria are used. THEN we are also required to retain evidence of its use. This means we should expect to see an output such as a risk or hazard register – you can call it what you like really! It’s more about demonstrating that you have:
- Identified hazards or other OH&S risks
- Used the documented methodology and criteria to assess the risks
- Documented what the risk rating is (which is essentially a demonstration of the assessment).
Now that we understand what methodology, criteria and documented information are required, let’s go back to the beginning and see what the requirements are.
This clause kicks off by stating that:
The organization shall establish, implement and maintain a process(es) to:
a) assess OH&S risks from the identified hazards, while taking into account the effectiveness of existing controls. AND
b) determine and assess the other risks related to the establishment, implementation, operation and maintenance of the OH&S management system.
Ok – so point a) we’ve already really covered – assess the OH&S risks from the hazards identified – and then it wants us to consider what controls are already in place when we do assess the risk. When we use our risk matrix, for example, our assessment of the Likelihood and Consequence should take into consideration any controls that are already in place.
So, say we’ve identified the hazard of power tools, and when the power tools are used the existing controls include:
- a risk assessment on the tool itself
- training and competence sign off
- PPE
The risk assessment needs to consider how these existing controls will influence the Likelihood and Consequence of an incident or injury occurring. Make sense?
And then point b) is exactly what I explained way at the beginning of this video, it’s not just about assessing risks as a result of hazards identified. Assessment of risks is also required for all of the OH&S management system commencing with establishing the system, then implementing, the operational aspects, and of course ongoing maintenance. Assessment isn’t something we do once, it is an ongoing activity to ensure that the OH&S management system remains current and relevant to all activities.
Now that you have a better understanding of these requirements, it's time to take action and implement them in your own organization and ISO 45001 OH&S management systems.