In this blog we identify all the recurrent events that an organisation needs to perform under ISO 45001. As an outcome, you should be able to ensure those activities are scheduled and actively planned and put your organisation in a great position for your external audit.
If you pick up ISO 45001 and look through the introduction, the model you see in the video is basically a model of a management system. It’s exactly the same model as under all of ISO’s management system standards (such as quality and food safety).
The exact answer as to what recurrent events might be generated by your safety management system will vary slightly across different organisations.
Let’s start under the context of the organisation. The standard talks about identifying the context, and particularly those internal and external issues that could affect our safety performance (that’s 4.1).
4.2 states that we need to identify the needs and expectations of interested parties. So both of those become a recurrent event.
They’re not something we do once, and park it. They’re something we need to come back to and revisit. Those internal and external issues change. Expectations of interested parties change.
In section 9 (under the management review requirement), the inputs to the review state that you must review those two things (4.1 and 4.2) during the management review anyway.
Moving forward to the leadership section in the standard: 5.1.1 identifies a range of accountabilities for top management. An example of this could be looking at ways to integrate the safety management system into the strategic direction of the business, or into standard business processes where possible.
Again, they are not really one off. They’re things where, across a year, certainly an external auditor who comes back would expect to see you’ve taken ongoing action. So that is something we are going to need to facilitate with our leadership team.
Also under the leadership requirements, it says we’ve got to set an OHS policy. This is similar to any of the OHS documentation that we need to create under ISO 45001, or we choose to create to support the system.
Yes, we need to review documents periodically anyway, but certainly also if there have been operational or organisational changes whereby the documentation no longer reflects our current practices. So that is definitely a recurrent event.
Roles, responsibilities and accountabilities is a clause under section 5 as well. Again, something that should be reviewed periodically, and certainly reviewed if there is organisational or operational change.
5.4 Consultation and participation absolutely triggers a range of recurrent events. Depending on how your organisation does it, if we’re going to consult through things like OHS committees, toolbox meetings, whatever the approach is… we need to plan and schedule these things.
At a senior management level too, there needs to be some oversight that senior management are reviewing the effectiveness of those consultation and participation mechanisms.
Moving on to the planning part of the standard – 6.1 states that we need to identify then take action on risks and opportunities. Again, that is something that does become a recurrent event under your ISO 45001 management system. Those risks and opportunities can often change.
You need to make sure you are progressively taking action on (and hopefully mitigate) the risks, and facilitate the opportunities. That is something that the management review process mandates that you review as well.
A really critical one is 6.2 – hazards and risks. Looking across our operational processes (plant, equipment, materials), we use this to identify, hazard by hazard, how people could be injured or harmed, or how ill-health could be created.
That absolutely needs to be reviewed quite regularly at a certain period, but most definitely if there’s a change in our operations and the way we work, well we’re going to need to review it again.
Legal and other requirements is something we are required to identify initially under section 6. Of course, the legal and other requirements change from time to time. Governments release new laws, modify regulations, things like that. A recurrent event is to come back and review that, and make sure we’re up to date in identifying legal and other requirements that apply to our organisation.
The last part of planning, this is the part of the standard where we set some objectives and supporting actions to achieve our objectives. Again, even the management review process mandates that we review progress against objectives. As a management team, at some point we’ve got to come back and say “are those actions allowing us to progress towards objectives, or do we need to look at additional actions to achieve what we want?”
Moving on to the support part of the standard. We might allocate resources; that’s something management review says you need to revise and review regularly anyway. This is because the initial resource allocation (dollars, people, time) for an effective management system can change over time.
As we grow in staff numbers, or inherit new sites within our business, whatever the changes might be, you need to check if the resources are still adequate to allow us to achieve the safety performance that we are looking for.
Also under section 7, it talks about competence and awareness. That’s most definitely an area where there are some recurrent events. We don’t just do the initial awareness sessions; we may need to do some refreshers from time to time, particularly for new personnel who join the business. The skill-sets, competences or licenses people need to work safely need to be current. We need to make sure nothing is expired or outdated.
Also in section 7 – we’ve already talked about our documentation. It needs to be reviewed periodically, or when change occurs.
Section 8 – looking at our operations. We need to review processes that support our occupational health and safety management system.
The standard says we need to identify the control measures for hazards and risks. We need to think about the hierarchy of control.
It’s incredibly important to come back from time to time and evaluate whether those control measures are working as effectively as we had initially hoped they would when we identified them, and that they’re still, in an operational sense, working effectively. They haven’t failed in any sort of way.
That’s absolutely critical. Fundamental in risk management as well. If a control measure has failed, then it’s not providing the level of protection we assume it is.
I would extend that too: under operations, the standard talks about emergency preparedness and response. So, if we have emergency control equipment, that creates recurrent events. It’s got to be maintained, serviced, tested and checked. Perhaps even calibrated periodically as well, so that the equipment is fit for purpose and ready to use in an emergency event, whether that be fire hoses, alarms or fire extinguishers. It just depends on what type of emergency equipment you have.
The last two, your operational equipment and your emergency equipment is where there will be variations between organisations listening in. We need to understand what that is in our business and plan and schedule for the maintenance or testing.
Additionally, under emergency response, it talks about needing to test evacuation processes. There are regulatory requirements there as well, so it’s clearly a recurrent event, as well as our emergency response processes.
Moving on to section 9.1 – monitoring. Requirements for monitoring are a lot of those things we’ve already talked about...
The control measures – are they working effectively?
Monitoring whether we’re complying with our legal and other obligations.
If you look at 9.1, it does itemise some things that you MUST monitor, or go out and check from a safety perspective.
So evaluation of compliance actually gets its own clause in there. Yes, that is a recurrent event.
We need to come back and evaluate “are we actually complying with those legal and other obligations we identified back here?” No surprises here too, yes we must plan and schedule periodic internal audits.
Under section 10, we’ve had incidents reported, and we’ve got corrective action underway to try and address why they occurred. As an organisation, at a management level, we should be reviewing any trends (what kind of incidents are we getting), and also the status of the corrective action. This will ensure that nothing has fallen through the cracks, and not been actioned. As well as under section 10, review our overall progress on our objectives.
ISO says you must do these things recurrently; it never nominates a specific time frame, though.
So for a management review: “how often do we do that?”
For audits, “how often do we review our documents?”
That’s really up to your organisation; there’s no minimum or maximum time frame.
It has to be within a reasonable time frame to allow you to achieve the safety performance you’re seeking to achieve through the system.
In our next blog, we’re going to start to have a look at internal auditing and why that’s really valuable in our business.
See you next week.