ISO 45001:2018 is the global standard for managing health and safety. The internationally agreed framework outlines the elements of best practice an organisation should employ. Its purpose is to:
a) help businesses to build a strong health & safety management system
b) create a benchmark against which the performance of companies can be judged
c) prevent work-related illness and ill health to workers and provide safe & healthy workplaces
There are a number of benefits to having a well implemented ISO 45001 Occupational Health & Safety Management System (OH&S):
It strengthens your image and credibility, helping you to win projects
Without a doubt, the ability to show clients that you have a certified OH&S management system in your business is one of the most powerful arguments for achieving certification. Having an independent third party verify your organisations health & safety processes sends a strong message to clients and prospective clients that you place safety at the centre of what you do.
It creates a safer & healthier working environment
Although all businesses will be concerned with creating a safe and healthy working environment, employing the ISO 45001 framework will in most businesses create a more comprehensive and consistent approach to health & safety.
It lowers business risk
There is wide ranging health & safety legislation with which organisations must comply. Failing to meet these legal requirements can result in enforcement actions, fines, reputational damage and in the most serious circumstances prison sentences if there is significant negligence by the organisation. By applying a structured approach to health & safety, organisations are able to identify hazards and mitigate the risks they pose. Systematic and proactive risk mitigation reduces accidents, safeguards life, saves money, preserves reputation and prevents lost time incidents.
It increases moral
Good health and safety controls improve moral. It is a right for all workers to come to work and return home safely. Creating a safe working environment and displaying a strong commitment to health & safety from senior leadership downwards, provides workers with the physical and psychological safety they are entitled to.
When you first look at the standard, the layout and terminology can be confusing. However, as you understand further how the ISO 45001 standard is structured the logic starts to appear.
The 10 Clauses
The ISO 45001:2018 standard is written around 10 clauses. Of the ten clauses, it is clauses 4-10 that are audited. Clause 1-3 are used to set the scene of the standard but are less important when it comes to your ISO 45001 implementation.
Clause 4 - Context of the Organisation
Your organisation must identify, monitor and review external and internal issues that are relevant to your health & safety performance. This could be issues ranging from the nature of the activities undertaken and the way work is organised, through to cultural perceptions of health & safety and the legislative environment. You should document your findings and review them regularly. This clause also asks you to document all the interested parties who have needs and expectations of your business. Finally, this is the clause that requires you to have documented health & safety procedures, e.g. for how you undertake risk assessments, manage fire arrangements and investigate incidents.
Clause 5 - Leadership & Worker Participation
Leadership involvement is a critical component in making an OH&S management system work, and for this reason the standard makes it a requirement. Leadership are required to create your Health & Safety Policy, set objectives, be present in health & safety reviews and communicate the importance of safety throughout the organisation. Some of the ways leaders are involved will be tangible, e.g. the writing of the Health & Safety Policy, but in other ways their involvement will be intangible, e.g. by acting in a way that positively promotes a safety culture.
Clause 5 also requires organisations to proactively involve staff through consultation and participation. Organisations need to establish a framework that allows them to genuinely harness non-managerial worker involvement in planning and implementing H&S arrangements.
Clause 6 - Planning
In Clause 6 you need to demonstrate that you have a robust planning procedure in place for your health & safety arrangements. The standard asks you to document the major risks facing your organisation and any health & safety opportunities you believe that you have. These risks & opportunities should be linked to the contextual issues and expectations of your interested parties (Clause 4). This clause also requires you to set and document health & safety objectives, and to have a way to plan for changes in your business that may impact the safety of workers and other parties.
You must establish a robust process for hazard identification and treatment, which will generally involve risk assessments of work activities and the work environment. You will also need to produce a health & safety legal register in which you recognise all the health & safety related regulations which are applicable to your work and how you ensure that you are meeting these requirements.
Clause 7 - Support
This section of the standard is about all the pieces of a management system that act like the oil, allowing everything to run smoothly. We are talking about making sure you have competently trained staff, a high level of awareness of health & safety arrangements, established procedures for communicating internally and externally about health & safety issues, and control over the documentation in your management system.
Clause 8 - Operations
In Clause 8 you will need to demonstrate that your planned arrangements for health & safety are consistently implemented in practice. This can include processes for; consultation and participation of workers; hazard identification and risk assessment; compliance with legal requirements; communication; management of change; emergency preparedness and response; monitoring; ensuring competence; and procuring goods and services. You will need to demonstrate that you are applying the hierarchy of controls to eliminate hazards or control risks. Evidencing this clause to an assessor is usually by a walk through of your workspace, observation of a job from end-to-end and interviews with staff.
Clause 9 - Performance evaluation
There are four main components of performance evaluation. Firstly you will need to demonstrate that you are monitoring your health & safety performance, be it through site inspections, incident investigations or accident statistics as examples. Secondly is a periodic evaluation of compliance in which you need to confirm you are working in line with all the legislation that applies to your business. Thirdly is the important business of internal auditing - you will need to demonstrate that you regularly audit all the key components of the management system to review performance. Lastly, you will need to hold periodic 'management reviews' in which the person responsible for the daily running of the management system reports back to the leadership team against a set agenda.
Clause 10 - Improvement
The key mechanism for continual improvement is a 'nonconformance process'. Although this sounds a bit foreboding, it is actually a constructive way to review your systems when something goes wrong and address the root cause of the issue. It is not about finding fault with individuals, rather the focus is on understanding why a process has broken down or incident has occurred. The other half of improvement is the general way in which your business continually improves how it operates, either through small incremental changes or larger step changes.
Gain confidence that you will deliver products and services with high levels of control around safety
Streamline their own due diligence & tender process if you are certified
Have assurance that your controls will help others who are working collaboratively to remain safe
Streamlined tendering processes and point of competitive advantage
Structured approach to mitigating risk to your employees, visitors, the public and your business
Sense of pride that you run your business to international best practice
An analysis of the internal and external issues that can impact your business
A well utilised risk management process
Documented and communicated H&S processes
A well deployed process for training staff and measuring competency
Utilisation of well chosen indicators (KPIs) to monitor H&S performance
A process for managing the relationship with suppliers
A process for addressing incidents, accidents and unexpected circumstances
Regular consultation and participation of workers
Internal audits to check H&S arrangements are implemented as intended
Documented management meetings to review H&S arrangements
ISO 45001 is based upon a 'Plan-Do-Check-Act' Cycle to drive continual H&S improvements
Here are what we consider to be the key ingredients to make a really strong health & safety management system. It is also important to recognise that ISO is a journey and no company will have a perfect system in the first few years.
Senior manager involvement
Senior management must be involved to give legitimacy to the H&S management system, ensure the team buy in & provide the resources needed
Engagement of staff
Staff should be consulted on H&S arrangements, actively participating in making suggestions for improvements
Thirst for continual improvement
Ideally the whole organisation, or at least a number of influential members must have a real desire to push the business to continually improve, learning from mistakes and seeking suggestions from all team members for improvements
Consistency & discipline
An OH&S management system should not be a once a year consideration just before the auditors come in - instead work should be carried out on the management system little and often (e.g. spreading the internal audits throughout the year; or arranging regular H&S meetings)
Collaboration with suppliers & subcontractors
The role suppliers & subcontractors play in your success shouldn't be underestimated - the best companies develop strong mutually beneficial relationships with suppliers & subcontractors and help each other make health & safety improvements
The certification process can be confusing when you first research it.
Here, we will throw light on how the process works.
Firstly, you will need to have implemented or be in the process of implementing the Occupational Health & Safety Management System. You don’t need to have fully implemented the system before contacting the certification bodies, however having made a start or knowing how far you have to go can help set a date to aim for.
The next step is to contact one or more certification bodies to ask for quotes. You will be required to provide information about your business (i.e. nature of your work, number of employees and the roles they do, number of sites) so the certification body can make a good approximation about how many days it will take an assessor to audit your business.
We recommend contacting at least two certification bodies since the price and number of days they expect the audit to take can vary.
Based upon the quotes received, you will need to decide the most appropriate body to certify your business and set a fixed date for your Stage 1 and Stage 2 audits.
Before the external audits you must fully implement your management system. This includes organising processes, creating policies, conducting internal audits, holding a management review and putting in place other mechanisms. A good consultant can help you put in place a management system with maximum efficiency.
On the agreed dates, you will receive two rounds of audits, a Stage 1 and Stage 2 audit, usually 4 - 6 weeks apart. On successful completion of these audits, you will receive the certificate
The Stage 1 Audit
A Stage 1 audit is an initial visit from the assessor in which they aim to; get a feeling for your business and the processes involved; check your readiness for the full Stage 2 audit; and see if there are any major gaps that need to be filled before Stage 2
This is an important step as if anything is missing it can be resolved before the full audit. You cannot ‘fail’ a Stage 1 audit however you should have your management system as fully implemented as possible. If your system is particularly weak at Stage 1, the Stage 2 audit may be postponed and you may need another Stage 1 audit to determine readiness at a later date. A good consultancy like 2SB will help you be ready for your Stage 1 so nothing major is missing from your system and that you can move on smoothly to the Stage 2 audit.
The Stage 2 Audit
At Stage 2 the assessor will take a much deeper look into your business processes. They will be walking around, speaking to staff in the organisation, looking at whether your own processes are well implemented, and checking to see if the systems meet the requirements of the ISO standard. The auditor will typically take a job, project or process and look at it from start to finish to understand how you build health & safety into your operations.
The Stage 2 audit will give one of three results:
i. Your system is well implemented and meets the requirements of the standard. There may be some recommendations for improvements but there are no nonconformances. You will receive your certificate.
ii. There have been minor nonconformances observed, and these need to resolved. You will receive a report giving you details of the minor nonconformance(s) and a timeframe to address them within. Once you have submitted proof that the nonconformance(s) has been addressed you will receive your certificate.
iii. There is a major nonconformance observed. In this case it is likely you will have to resolve the issue and undergo another audit to confirm it has been addressed. Generally, major nonconformances will be prevented by the Stage 1 audit which should highlight any major gaps in the system.
Once gained, the certificate is valid for three years, with the UKAS requirement that surveillance audits carried out annually and re-certification audits every third year.
What are surveillance audits?
Once you have gained your initial certification, you will be required to have annual surveillance audits to ensure that your system is still functioning as intended.
Surveillance audits are ‘lighter’ audits than the initial certification audit and will generally focus on higher risk/more critical business functions and on areas that nonconformances have been previously observed. If a minor nonconformance is raised during a surveillance audit, you will be required to address this before the next annual audit. If a major nonconformance is raised, this will need to be addressed and proof submitted or further audits carried out to ensure the system has been repaired.
What is a re-certification audit?
The re-certification audit forms the final part of the certification cycle. It is more in depth than the surveillance audits and successfully passing it will give a renewed certificate for a further three year cycle (with annual surveillance audits).
The role of the Management Representative is to manage your ISO certified system, to ensure that it is effectively implemented and to prepare it for the annual surveillance visits.
The most recent versions of the standards no longer require a Management Representative, with these responsibilities now transfered to the "top management", this is to ensure that they are fully aware that they are responsible for the effectiveness of the organisation's management system. Thry may also oversee internal audits to ensure the ISO management system is performing as required.
2SB's recommendation is that the "top management" delegate these responsibilities for the management system to a committed member of staff with "top management" still actively involved.