The organization must establish a system that involves the monitoring, measurement, analysis, and evaluation of its OH&S performance. It should decide what to measure and how, for instance, accidents or worker competence. Moreover, internal audits must be established along with regular management reviews, in order to see the progress made towards the achievement of OH&S objectives and the fulfillment of ISO 45001 requirements. Performance evaluation is a constructive process that aims to improve an organization’s operation and is crucial to the ‘Plan, Do, Check and Act’ model prescribed by ISO 45001. These processes should help achieve and support organizational strategy and goals. Clause 9, Performance Evaluation, provides an in-depth discussion regarding the criteria for evaluating the overall performance of the OH&S management system. The primary themes of this section focus on the means of process evaluation and documentation of evaluations. The importance of documentation (and how records and data are retained), as well as document dissemination, are performance themes both in ISO 45001 in general and in this section in particular. This section tends to be more specific than some of the others and includes a detailed discussion of documentation requirements, internal audit protocols, and relevancy and applicability of measurements within the organization. The key attributes of this section include:
1. Ensuring that applicable legal requirements and documentation requirements are followed
2. Measuring operational risks and hazards
3. Evaluating the effectiveness of operational controls
4. Establishing the timeline for conducting the measures
5. Planning for analysis, evaluation, and communication of the results
6. Calibrating and verifying the accuracy of all equipment
7. Retaining documentation of all measures
8. Auditing the OH&S Management System, the OH&S Policy, OH&S Objectives, and the 45001 requirements
9. Establishing the frequency of audits and accounting for significant changes to the organization, performance improvements, risks, and opportunities
10. Ensuring the competence of auditors
11. Communicating findings to management, workers, and worker representatives
12. Taking action to address identified nonconformities
13. Retaining audit results as evidence of the completion of the audit
14. Reviewing audit findings and corrective actions by top management
15. Ascertaining that corrective actions, worker engagement, and opportunities for continual improvement are in place
The most important objectives of the Performance Evaluation section are ensuring the adequacy of the current OH&S management system and measuring that OH&S objectives are met. These are, essentially, the only measures of success.
9.1 Monitoring, measurement, analysis and performance evaluation
The organization must establish, implement and maintain processes for monitoring, measurement, analysis and performance evaluation. The organization has to determine what needs to be monitored and measured. The organization must determine to what extent the legal requirements and other requirements are fulfilled. The organization must monitor and measure its activities and operations related to identified hazards, risks, and opportunities, its progress towards achievement of the organization’s OH&S objectives and the effectiveness of operational and other controls. The organization must determine the methods for monitoring, measurement, analysis and performance evaluation, as applicable, to ensure valid results. It must also determine the criteria against which the organization will evaluate its OH&S performance and when the monitoring and measuring shall be performed. It must also determine when the results from monitoring and measurement shall be analyzed, evaluated and communicated. The organization must evaluate the OH&S performance and determine the effectiveness of the OH&S management system. The organization must ensure that monitoring and measuring equipment is calibrated or verified as applicable, and is used and maintained as appropriate. There can be legal requirements or other requirements (e.g. national or international standards) concerning the calibration or verification of monitoring and measuring equipment. The organization must retain appropriate documented information as evidence of the results of monitoring, measurement, analysis and performance evaluation and of the maintenance, calibration or verification of measuring equipment.
Annex A (Guidance on the use of ISO 45001:2018 standard) of the ISO 45001:2018 standard further explains:
In order to achieve the intended outcomes of the OH&S management system, the processes should be monitored, measured and analyzed.
- Examples of what could be monitored and measured can include, but are not limited to:
  - occupational health complaints, the health of workers (through surveillance) and work environment;
  - work-related incidents, injuries and ill health, and complaints, including trends;
  - the effectiveness of operational controls and emergency exercises, or the need to modify or introduce new controls;
- Examples of what could be monitored and measured to evaluate the fulfillment of legal requirements can include, but are not limited to:
  - identified legal requirements (e.g. whether all legal requirements have been determined, and whether the organization’s documented information of them is kept up-to-date);
  - collective agreements (when legally binding);
  - the status of identified gaps in compliance.
- Examples of what could be monitored and measured to evaluate the fulfillment of other requirements can include, but are not limited to:
  - collective agreements (when not legally binding);
  - standards and codes;
  - corporate and other policies, rules and regulations;
  - insurance requirements.
- Criteria are what the organization can use to compare its performance against. Examples are benchmarks against:
  - other organizations;
  - standards and codes;
  - the organization’s own codes and objectives;
  - OH&S statistics.
- To measure criteria, indicators are typically used; for example:
  - if the criterion is a comparison of incidents, the organization may choose to look at frequency, type, severity or number of incidents; then the indicator could be the determined rate within each one of these criteria.
  - if the criterion is a comparison of completion of corrective actions, then the indicator could be the percentage completed on time.
Monitoring can involve continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected. Monitoring can be applied to the OH&S management system, to processes or to controls. Examples include the use of interviews, reviews of documented information and observations of work being performed. Measurement generally involves the assignment of numbers to objects or events. It is the basis for quantitative data and is generally associated with the performance evaluation of safety programmes and health surveillance. Examples include the use of calibrated or verified equipment to measure exposure to a hazardous substance or the calculation of the safe distance from a hazard. Analysis is the process of examining data to reveal relationships, patterns, and trends. This can mean the use of statistical operations, including information from other similar organizations, to help draw conclusions from the data. This process is most often associated with measurement activities. Performance evaluation is an activity undertaken to determine the suitability, adequacy, and effectiveness of the subject matter to achieve the established objectives of the OH&S management system.
The organization not only has to measure occupational health & safety progress, but it should also consider its significant hazards, compliance obligations, and operational controls when tackling this clause. The methods established should ensure that the monitoring and measuring periods are aligned with the OH&S Management System’s needs for data and results, that the results are accurate, consistent and reproducible, and that the results can be used to identify trends. It should also be noted that the results should be reported to the personnel with the authority and responsibility to initiate action on the basis of those results. The organization should have a systematic approach for measuring and monitoring its OH&S performance on a regular basis, as an integral part of its management system. The organization needs to monitor and measure the following in order to determine the performance of the OHSMS and evaluate its effectiveness:
- The extent to which legal and other requirements are fulfilled including, where applicable, all applicable OH&S legislation, collective agreements, standards, and codes and insurance requirements;
- Characteristics of activities and operations related to the identified hazards, risks, and opportunities;
- Progress in the achievement of the organization’s OH&S objectives;
- Effectiveness of operational and other controls.
This includes the determination of the criteria against which the organization’s OH&S performance will be evaluated, including appropriate indicators. Criteria are what the organization uses to compare its performance against (e.g. benchmarking its OH&S performance against other organizations, standards or codes, etc.). To measure criteria, indicators are used. For example, if the criterion is a comparison of incidents, the organization could choose to look at frequency, type, severity or number of incidents; the indicator could be the determined rate within each one of these criteria. The organization must select appropriate methods for monitoring, measurement, analysis and performance evaluation in order to ensure valid results, decide when the monitoring and measurement will be performed and when the results from monitoring and measurement will be analyzed, evaluated and communicated.
The organization must ensure that monitoring and measurement equipment, such as sampling pumps, noise monitors and toxic gas detection equipment, is calibrated or verified and that it is correctly used and maintained. Insofar as measuring and monitoring are concerned, the organization should use both reactive and proactive measures of performance but should mainly focus on proactive measures in order to drive OH&S performance improvement. Examples of proactive measures include:
- Assessment of compliance with legal and other requirements;
- Evaluation of the effectiveness of OH&S training;
- Use of worker surveys to evaluate OH&S culture and related worker satisfaction;
- Completion of statutory and other inspection schedules;
- The extent to which programmes have been implemented;
- The effectiveness of the worker consultation and participation process;
- Use of health screening.
Examples of reactive measures include:
- Occurrence and rates of notifiable accidents and dangerous occurrences;
- Lost time incident rates;
- Monitoring of ill health;
- Actions required following assessments by regulatory bodies such as the HSA/HSE.
The organization must retain appropriate documented information as evidence of the results of monitoring, measurement, analysis, and evaluation and of the maintenance, calibration or verification of measuring instruments. An organization should check, review, inspect and observe its planned activities to ensure they are occurring as intended. An organization must make sure it has determined the appropriate processes so it can evaluate how well it is performing based on risks and opportunities. Monitoring generally indicates processes that can check whether something is occurring as intended or planned. The tables below provide examples of monitoring and specific control measures:
| Event | Local Exhaust Ventilation System (LEV) |
|---|---|
| Monitoring | An appointed person inspects the airflow of an LEV system weekly to ensure it safely removes fumes from a process. |
| Measurement | Use of a calibrated meter to check the airflow at two inspection locations of the system according to a specified Work Instruction. (The employee is trained and competent to use the equipment.) |
| Analysis | Review of recorded data to determine the airflow efficiency of the system and ensure workers are safe. This may include trends. Results are checked against the manufacturer’s specifications and regulatory requirements. |
| Evaluation | The trend analysis indicates a reduction in airflow; therefore, maintenance is triggered to isolate and inspect the LEV system. |

| Event | Safe Walking Routes |
|---|---|
| Monitoring | Daily site inspection by an appointed person of safe walking routes to ensure they are in a condition to prevent slips, trips, and falls. |
| Measurement | Visual inspection to ensure there are no obstructions outside of defined safe walking routes. (Usually, measurement is associated with measurement equipment to obtain data.) |
| Analysis | Examination of results from inspections. In this case, there may be a trend of equipment repeatedly left in the same location as a Safe Walking Route. |
| Evaluation | Determination of the root cause of why equipment is repeatedly left in the safe walking route, resulting in the allocation of a designated safe place for equipment away from the safe walking route. |
Any equipment used to determine the measurement ‘indicator’ should be calibrated and maintained so that a high degree of confidence is gained in the credibility of data. The standard also requires the organization to implement a process to evaluate legal and other compliance including:
- The frequency and method of evaluation
- The process by which any needed action will be evaluated and implemented
- Maintaining knowledge and understanding of its compliance status
- Retaining documented information to support the evaluation of legal and other requirements
9.1.2 Evaluation of compliance
The organization must establish, implement and maintain the processes for evaluating compliance with legal requirements and other requirements. The organization must determine the frequency and methods for the evaluation of compliance and must evaluate compliance and take action if needed. It must maintain knowledge and understanding of its compliance status with legal requirements and other requirements. It must retain documented information on the compliance evaluation results.
Annex A (Guidance on the use of ISO 45001:2018 standard) of the ISO 45001:2018 standard further explains:
The frequency and timing of compliance evaluations can vary depending on the importance of the requirement, variations in operating conditions, changes in legal requirements and other requirements and the organization’s past performance. An organization can use a variety of methods to maintain its knowledge and understanding of its compliance status.
There is an ever-increasing amount of legislation intended by the government to ensure that we manage issues such as health and safety in the workplace and our impacts on the environment in order to protect human health and the environment from harm. There is also a range of legislation designed to give some security of personal information, intellectual property and organizational records to both public and private sector businesses whose information and networks are important business assets. The standard recognizes that evaluation requirements will vary from organization to organization based on factors such as size, compliance obligations, sector worked in, past history and performance, and so on, but suggests that regular evaluation is always required. If the result of a compliance evaluation reveals that a legal requirement is unfulfilled, the organization needs to assess what action is appropriate, possibly up to contacting a regulatory body and agreeing on a course of action for repair. This agreement will then see this obligation become a legal requirement. Where a non-compliance is identified by the OH&S Management System and corrected, it does not automatically become a non-conformity. But exactly what legislation is there that applies to your organization, how does it apply and why do you need to evaluate it?
Firstly, it is worth looking at compliance in more detail. Compliance is not an option. If we don’t comply then we could be operating outside of the law. Not only can this lead to penalties and fines, but poor compliance can also lead to:
- Increased health and safety incidents, environmental accidents and pollution.
- Increased downtime, clean up costs and fines
- Increased insurance premiums and regulatory inspections
- Workforce concerns and industrial relations issues
- Reduced ability to meet customer requirements
- Damage to reputation and possible lost business
- Individual prosecution and corporate manslaughter and/or dismissal
The legislation provides regulators with specific duties and powers and enables them to take enforcement action, with consequences including site closures and the suspension or revocation of permits. For example, in 2005/2006 the HSE issued 6400 enforcement notices and prosecuted in over 1010 cases. Magistrates and courts are coming under increasing pressure to impose ever more stringent penalties. With this in mind, there is increasing pressure on organizations from various sources to improve and ensure compliance. In practice, you may consider putting a list of compliance obligations within a spreadsheet as outlined under clause 6 of this document. Periodically this process should be audited within the internal audit programme to ensure all compliance obligations have been fulfilled. Audit results, including compliance status, should be communicated to senior leadership within the organization. Any outstanding or pending requirements can be actioned by the leadership team. This will ensure compliance with obligations and a reduction in risk, including the risk of potential prosecution. So how can you evaluate compliance? There are essentially three approaches:
1. The Passive Approach
The passive approach means an organization sits back and waits for things to happen. It relies solely upon feedback from regulators, employees, and members of the public. Typically few resources are allocated and compliance efforts are minimized and tend to be focused on current areas of concern. The drawback of this approach is that it may well be unrepresentative of the true level of compliance, the outcome of which is an increased likelihood of a non-compliant event which could lead to unforeseen prosecutions.
2. The Reactive Approach
The reactive approach is taken when an organization acts only when a situation of non-compliance is brought to light. There may be some internal and external evaluation and auditing but this usually relies on a sampling basis. It is similar to the passive approach in that typically few resources are allocated. The drawback of this approach is that it may not be sufficiently comprehensive. It tends to only pick up problems after the event. Although actions are taken to manage compliance, these are typically only implemented after the event once the non-compliance has been identified. Therefore an organization following the reactive approach may incur increased costs, both financial and time, in addressing the non-compliance as opposed to preventing it from occurring.
3. The Proactive Approach
An organization following the proactive approach will seek to actively identify the compliance position and establish processes to ensure on-going compliance status is maintained. The proactive approach is typically system based and integrates compliance into everyday business practices. The management system may be one of three types:
- Internal bespoke Compliance Management System
- Management System based on a recognized standard such as ISO 14001, OHSAS 18001, ISO 9001 and ISO 27001
- Third party certified Management Systems such as ISO 14001, OHSAS 18001, ISO 9001 and ISO 27001 (certification to which can only be awarded based on a legally compliant system)
Management systems provide the mechanisms to identify upfront compliance requirements and ensure appropriate controls are in place to positively manage compliance status. They cannot guarantee against a non-compliance occurring but should ensure that the system in place quickly identifies the non-compliance status and corrects it. Following the proactive system-based approach will enable an organization to:
- Make a commitment to compliance
- Identify current legal and other requirements specific to the organization and be aware of pending legislation and its impact on the organization well in advance.
- Understand the full implications of all applicable legislation and incorporate the requirements into business practices.
- Keep information up-to-date.
- Identify compliance criteria.
- Establish a framework to address and control the identified compliance requirements.
- Provide a mechanism for the on-going review, evaluation, and reporting of compliance performance
One area of particular importance is the reference to the control mechanism employed within the organization to manage that element of the legal requirements. By including this in your system for compliance management it immediately increases the transparency of the legal management system and ensures that there is an effective control mechanism in place for each of the key requirements. Controls will not always be procedures but may include site inspections, monitoring equipment or designating responsibilities. Typically through a management system, there will be a number of different steps to the management of compliance:
Step 1 – Commitment to Legal Compliance Evaluation
Essentially this requires the agreement from top management that this is required and their commitment to providing the necessary resources, including staff, finance and IT support, to carry out the evaluation and to take action to resolve areas of non-compliance.
Step 2 – Identification of Legal Requirements
Having secured top management commitment to evaluating compliance, the next step is to identify the legal requirements such as codes of practice and guidance notes. Legal requirements can take many forms including:
- Legislation, regulations, and statutes
- Permits, licenses or other forms of authorization, and Orders issued by regulatory bodies.
- Judgments of courts or administrative tribunals
- Treaties, conventions, and protocols
There are many different ways an organization can go about identifying legal requirements. These are all valuable sources. However, the most important thing is what you do with the information you identify. Typically the identification of legal requirements leads to the production of a legal register. A typical legal register would include:
However, this format will not be sufficient to enable effective evaluation of compliance within the management system.
Step 3 – Identification of Compliance Criteria
To ensure the use of a legal register is effective, consideration should be given to also using the document as a mechanism to:
- Evaluate the legislation to determine which components are applicable, e.g. discharge of trade effluent from the effluent plant.
- Establish the relevance of the legislation to the organization – identify which activities completed on site fall within the scope of the legislation, e.g. a license is required for the discharge of trade effluent
The above is referred to as the compliance criteria and without a good understanding of what these criteria are for your organization, it will be very difficult to undertake an effective evaluation of compliance. The legal register should be a ‘live’ document and be useful to the organization. It may also identify:
- Installation Activity
- Description of Regulation
- Relevance to the organization — compliance criteria
- Responsible Persons
- Reference to other parts of the management system e.g. environmental aspects, health and safety hazards, objectives and targets
- Reference to the license, permit, authorization or notification
- Further information (e.g. codes of practice)
- Operational Controls
Additional columns might be as follows:
This type of register can provide a clear understanding of the relationship between legislation and an organization’s activities, products, and services. It can also be used as an awareness-raising tool, but more importantly it provides a clear audit trail for the internal audit function to undertake their evaluation of legal compliance.
Step 4 – Compliance Performance Evaluation
Having identified relevant legislation, the compliance criteria, and related operational controls, the next step is to develop a process for checking legal compliance. Use the information from the register to review current practices against the identified legal requirements applicable to your organization. You might want to consider developing a checklist for each item of legislation that the organization has identified. Objective evidence will need to be gathered in order to evaluate compliance. Compliance performance evaluation can be carried out by:
- Monitoring against performance indicators – trend analysis to predict and prevent non-compliance, e.g. the amount of mercury discharged on a monthly basis versus the early figure specified within the discharge consent, or noise emission limits.
- Reviewing risk assessments.
- Undertaking physical inspections, e.g. of the status of an oil storage facility or of the wearing of relevant personal protective equipment (PPE)
- Undertaking Management Systems audits.
- Compliance verification against procedural and legal requirements.
- Independent verification (e.g. in the case of compliance with a GHG permit)
Conducting a compliance performance evaluation will help you to:
- Identify any regulatory non-compliances
- Determine whether existing controls are adequate to help prevent regulatory non-compliance, including those related to abnormal and emergency situations.
- Identify areas where further information is required to track or confirm compliance, and any opportunities for improvement
- Proactively manage an organization’s compliance status
There has been much discussion about what constitutes an ‘Evaluation of compliance’. What is clear is that there is no one method or definitive answer but more of a suite of tools that can be used when completing the evaluation. Therefore it is important that the outcomes of the evaluations are brought together to enable trend analysis and the overall compliance status to be determined.
Step 5 – Compliance and Review Reporting
A compliance review is more than just monitoring. Routine monitoring may not check compliance with all requirements and limits of a permit or consent. Monitoring of an indicator to demonstrate improvement (such as the quantity of monthly hazardous waste arisings) will not check compliance with all applicable waste legislation (such as whether hazardous waste documentation identifies waste streams correctly). However, the results of monitoring can be input into the evaluation process. Likewise, a true evaluation of compliance is more than just systems auditing, as systems audits tend to have broad scopes, are not specifically focused on legal compliance, assess too small a sample of data and are too infrequent to demonstrate system effectiveness. However, results of audits can be input into the evaluation process and are still a valuable tool.
Step 6 – Compliance Verification
So, compliance verifications are also necessary. Compliance verifications use compliance detail from the legal register and legal documents, such as permits, to create comprehensive checklists. Compliance verifications can be targeted, topic specific, more frequent and risk-based. Compliance verification will:
- Identify compliance tasks and their frequency
- Ensure availability of sufficient competent resources
- Allocate time and resources on a risk basis
Regardless of which methods are used, it is essential that appropriate records are held of the outcome of the evaluation process.
Step 7 – Compliance Reporting
So what do you do with the results of the evaluation? Compliance reporting is a systematic activity using information from monitoring, system auditing, verification and feedback from interested parties (such as regulators). Using this data enables you to confidently, and accurately, report on your compliance status to top management (policy and decision makers) for the identification of future legislative trends, areas of strengths and weaknesses, and opportunities for improvement. Reporting should be undertaken at a frequency appropriate to the risks and should seek to answer the questions, posed by top management, ‘how compliant have we been, are we now, and will we be, with legal and other requirements?’
Step 8 – Define an Action Plan
Define an action plan for addressing the issues identified in the gap analysis. The action plan might include the:
- Allocation of specific, clear roles and responsibilities for compliance.
- Communication of the relevance of the requirements at all levels.
- Revision of procedures to include operational criteria
- Provision of relevant training
Step 9 – Repeat the process
In order to maintain legal compliance, this evaluation process needs to be repeated on a regular basis. This provides the opportunities for continuous improvement and enables you to keep up to date with, if not ahead of, regulatory developments. There is no right or wrong way to the evaluation of compliance. There are different methods for evaluating compliance. Choose the approach that best suits your business based on size, type, and complexity. We would, however, recommend using a system-based approach to identify legal requirements and establish appropriate controls. A legal register can be an effective tool to help evaluate and verify compliance. Determine the measures needed to develop a compliance framework, including frequency and resources; the frequency of review and reporting should be systematic and risk-based. Provide comprehensive reports to top management for decisions on future policy and objectives, and for corporate assurance. Evaluation of compliance is a key component of an effective system to deliver continued legal compliance. A management system will not guarantee compliance as it cannot predict the future! It will, however, provide the framework for an organization to manage its compliance status and improve its capability to deliver regulatory compliance.
9.2 Internal audit
The organization must conduct internal audits at planned intervals. This will provide information on whether the OH&S management system is conforming to the organization’s own requirements for its OH&S management system, including the OH&S policy and OH&S objectives and also to the requirements of ISO 45001:2018. It also provides information if the OH&S management system is effectively implemented and maintained.
9.2.2 Internal audit programme
The organization must plan, establish, implement and maintain audit programmes including the frequency, methods, responsibilities, consultation, planning requirements, and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits. It must define the audit criteria and scope for each audit. It must select auditors and conduct audits to ensure objectivity and the impartiality of the audit process. It must ensure that the results of the audits are reported to relevant managers, and ensure that relevant audit results are reported to workers and, where they exist, workers’ representatives, and other relevant interested parties. It must take action to address nonconformities and continually improve its OH&S performance. It must retain documented information as evidence of the implementation of the audit programme and the audit results.
Annex A (Guidance on the use of ISO 45001:2018 standard) of the ISO 45001:2018 standard further explains:
The extent of the audit programme should be based on the complexity and level of maturity of the OH&S management system. An organization can establish objectivity and impartiality of the internal audit by creating processes that separate auditors’ roles as internal auditors from their normal assigned duties or the organization can also use external people for this function.
An internal audit is a systematic method to check organizational processes and requirements, as well as those detailed in the ISO 45001 standard. This will ensure the processes in place are effective and the procedures are being adhered to. An internal audit in ISO 45001 not only serves as a function to meet the terms of the standard, as explained above, but is also a real opportunity to improve your OH&SMS (Occupational Health and Safety Management System), and therefore reduce the risk of accidents in your workplace while improving employee wellbeing. Internal audits and auditors should be independent and have no conflict of interest over the audit subject, the standard reminds us, and it should be noted that non-conformities should be subject to corrective action. When considering the results of previous audits, the results of previous internal and external audits and any previous non-conformities and the resulting actions to repair them should be taken into account. The ISO 45001:2018 standard refers us to ISO 19011 for the internal audit programme, but when you are establishing your programme there are several rules you can subscribe to in order to ensure that it is effective. Base your internal audit frequency on what is reasonable for your organization in terms of size, the sector you operate in, compliance obligations, and risk to the health and safety of workers. Decide what is reasonable for you, whether that is bi-annually, quarterly, or whatever you deem suitable. Keep in mind that this schedule can be changed, preferably through management review and leadership guidance, in the event of changes that necessitate extra internal audit activity. The internal audit programme will aid the organization in achieving its OH&S objectives and targets. It helps:
- Monitor compliance with policy and objectives.
- Provide evidence that all necessary checks are carried out.
- Ensure all current legislative and other requirements are met.
- Assess the effectiveness of risk management.
- Encourage worker engagement, leading to a positive safety culture.
- Identify improvement using ‘fresh eyes’ to review a process.
- Aid continual improvement.
The organization must conduct internal audits at planned intervals to provide information on whether the OH&S management system conforms to the organization’s own requirements for its OH&S management system, including the OH&S policy and OH&S objectives and the requirements of ISO 45001. In addition, the audit allows the organization to determine if its OH&S management system is effectively implemented and maintained. The extent of the audit programme should be based on the complexity and level of maturity of the OH&S management system. The organization must plan, establish, implement and maintain an audit programme, which contains information on:
- The frequency that audits are conducted;
- The methodology/protocol used (this should be in general conformance with the requirements of ISO 19011:2011, Guidelines for auditing management systems);
- Who is responsible for managing and conducting audits;
- What consultation takes place with auditees and the general workforce;
- How the audits are planned and implemented;
- The format for reporting audits.
The planning of the internal audit programme must recognize the importance of the processes concerned and the results of previous audits. This would be reflected in the audit programme being based on the results of the risk assessments of the organization’s activities and the results of previous audits, which in turn would guide the organization in determining the frequency of audits of particular activities, areas or functions and which parts of the OH&S management system should be given attention. The OH&S management system audits should cover areas and activities within the scope of the OHSMS as defined by clause 4.3 of the standard and also assess conformity to ISO 45001. The organization must define the audit scope and audit criteria for each audit. Audit evidence should be evaluated against the audit criteria to generate the audit findings and conclusions. Audit evidence should be verifiable. Prior to conducting the audit, the auditors should review appropriate OH&S management system documented information and the results of prior audits. This information should be used by the organization in planning for the audit.
The organization must select auditors and conduct audits to ensure objectivity and the impartiality of the audit process. It can establish objectivity and impartiality of the internal audit process by creating a process that separates auditors’ roles as internal auditors from their normal assigned duties. Alternatively, it can utilize the services of external companies to conduct its internal audit programme. After the audit is complete, the auditors must ensure that the results of the audits are reported to relevant managers. In addition, relevant audit results must be reported to workers and, where they exist, to workers’ representatives and to other relevant interested parties. The organization must take action to address nonconformities in a timely and efficient manner and continually improve its OH&S performance. The audit report should be clear, precise and comprehensive. The organization must retain documented information as evidence of the implementation of the audit programme and the audit results.
The standard also points out how previous audit results and outputs from risk assessment can provide inputs for the internal audit itself. Given that you have a date for your internal audit – whether this is being carried out by an internal or external auditor – what should you bear in mind to prepare? Firstly, you must consider how you prepare for your internal audit. Does your organization have an adequately trained auditor? Internal audits must be conducted by competent staff with a degree of impartiality to the area being audited. A risk-based approach can be applied to the areas being audited, with an increased focus on higher-risk activities. Internal audits must be planned with the expectation that each process is audited at regular intervals. In addition to planned audits, unplanned audits may be conducted in reaction to problematic areas, near-miss reports or incident data, with a focus on accident prevention. It is beneficial to communicate audit results to applicable interested parties, including workers, and to set realistic completion timescales for identified ‘opportunities for improvement’ or ‘nonconformities’. Top management must be aware of deficiencies within the system to ensure the necessary resources can be allocated to mitigate the findings. Audit results will be reviewed as part of the management review process. ISO 45001, like most other ISO standards, contains a clause that outlines how organizations should perform internal audits. Internal audits should follow the planned arrangements of the OHSMS, and the audit outputs should be made available. You should establish and plan your internal audit schedule based on the results of previous audits and risk assessments. Although it is a sensible and standard clause, like the other clauses in ISO 45001, the internal audit should be approached with more care than, for instance, the comparable clauses in ISO 9001 (Quality Management) or ISO 14001 (Environmental Management).
This is because an ineffective OHSMS audit could endanger the welfare of your employees. The organization should plan its internal audits at regular intervals. It should, however, be noted that accidents, incidents, risk assessments or stakeholder input can all be used to initiate internal audits beyond the regular schedule. This would be the case if the organization feels it would be beneficial to overall health and safety performance. Let’s look at when, by whom, how, and why the ISO 45001 system internal audit should be performed.
When: Internal audit should be done at planned intervals, or whenever it is deemed required, or beneficial to your ISO 45001 system.
Who: The standard requires that the internal auditor must be impartial and objective. Auditor selection is critical. The auditor must be experienced and, if possible, formally trained. The auditor must also be aware of the company’s OHSMS Policy, objectives, and performance. As the internal audit process is so critical, many organizations use external advice from an expert for internal audit purposes.
How: All relevant information in terms of “input” to the process should be available to the internal auditor. The auditor will also need OH&S performance outputs, risk assessment information and results, desired OHSMS objectives and stakeholder input.
Why: A logical question to ask at this stage would be “Why?” Apart from being a requirement of the ISO 45001 standard, internal audits should be seen as key drivers in the continual improvement cycle. It is also critically important as a preventive measure for health and safety in the workplace. Anyone interacting with the auditor should therefore always provide truthful and accurate information during the audit. An accurate assessment creates an opportunity for suggestions for improvement based on past and current data.
The ISO 45001 standard requires that management has access to the results of any internal audits. This enables the top management team to make decisions on actions that need to be taken based on the results of the internal audit. In terms of continual improvement, it is also helpful if the auditor makes suggestions based on the audit itself, as they have had direct experience of and interaction with the procedures and processes during the audit. This will give the management team a more balanced view of the audit’s effectiveness and the validity of the results, and a better chance of continual improvement and of outputs that could potentially prevent incidents and accidents. It is obviously necessary that the process is documented, including findings, outcomes, and actions, as the internal audit takes its place in the improvement cycle. Make sure that internal audits are always thorough, honest, and accurate. Use the “plan, do, check, act” methodology to ensure that the proposed actions are implemented, effective, and maintained. Once you have done this, you can be sure that the results of the internal audit are truly effective. The principles of ISO 19011, which addresses management system auditing, can also help you structure your audit. So, what other elements do we need to consider when undertaking the internal audit? Let us consider:
- Remember, the internal audit will show your ability to meet the requirements of the standard itself (or some of it, depending on the scope of the audit). Ensure you and your organization have met all requirements of the standard, including management review, risk assessment, and emergency response. Bear in mind that any non-conformities will be reported, and you should consider using your corrective action process to rectify any identified non-conformities. Concentrate on hazard and risk identification. Though closely related, hazard and risk are not the same thing. ISO 45001 defines a hazard as a “source or situation with a potential to cause injury and ill health”. In other words, what features of your processes have the ability to harm individuals? This could be a hazardous chemical you need to use in a process, or a machine that has a pinch point that needs to be guarded to protect the people who use it. It could also be an office position that requires certain actions that over time could lead to repetitive strain injuries. An OH&S risk is defined as the “combination of the likelihood of occurrence of a work-related hazardous event or exposure and the severity of the injury and ill health that can be caused by the event or exposures”. So, the hazard is the feature of the process that can harm an individual, and the risk is the likelihood that it will happen along with how severe the consequences will be. This should be a key element of most internal audit examinations, and the identification of both, as well as the mitigation of risk, are key to maintaining an effective OH&SMS.
- Ensure your corrective action process is effective. When considering the steps to take once corrective action is initiated in your OH&SMS, the step-by-step process should ensure that the root causes of problems are correctly identified and eradicated. While prevention is preferable to cure in any OH&SMS, an effective system must have an effective corrective action process. It is likely that this will be examined closely in most internal audits.
- Ensure your team is ready. Ensuring your team has satisfied these clauses can be vital to your internal audit. Keep in mind that no OH&SMS can flourish without employee knowledge, commitment and buy-in. Ensure that your team is involved in the preparation for, and execution of, the internal audit. This can help your OH&SMS flourish and make your internal audit successful.
- Rehearse for your external audit. Remember that your internal audit is an opportunity to prepare and rehearse for your external certification audit. There are several ways you can do this; the information in the article “What questions should you expect from the ISO 45001 auditor?” should help you prepare your OH&SMS and your own team for both the internal and the likely forthcoming external audit.
- Ensure your OH&SMS benefits. As stated, the internal audit is not only a dry run for your external certification audit in terms of the conformance of your OH&SMS. It is also a huge opportunity for improvement. Use the information in “How to create an internal audit checklist for your Health & Safety management system” to ensure you cover all the elements required in the standard itself. Record your results, and clearly outline any corrective action or improvements made. This will serve as evidence and ensure you have a record of action and improvement for your next audit, whether internal or external. Treat your internal audit as a measure of conformity, an opportunity to improve and a rehearsal for your external audit. Doing this will ensure that real value can be derived from this mandatory part of ISO 45001.
What evidence will the auditor require?
As stated above, the auditor’s main function is to ensure that your documentation, processes, and actions comply with the ISO 45001 standard, and that evidence can be produced to prove this. So, if we think from that point of view there are some questions he/she is almost certain to ask:
- Are all the clauses in the standard met? From the moment the auditor enters your organization’s premises, this will be what he/she is tasked to find out. It is normal that the auditor will break the clauses and requirements down an element at a time, but the final requirement will be to ensure that compliance versus the standard is there. For example, can you ensure that all of your mandatory documentation is covered? Ensure that you have a copy of the standard, know it well, and have carefully worked through it to be sure your organization complies.
- Have you held a management review? This is the critical starting point for your OH&SMS in terms of ensuring that there is top management input and that objectives are established correctly, as well as having the ability to ensure that the cycle of review and improvement exists when your OH&SMS is running.
- Have you recorded incidents, accidents, and near misses? And, if so, do you have evidence to show that you have undertaken the correct processes after an accident, and have a process whereby action is taken to prevent near misses from being repeated and becoming accidents in the future?
- Are your processes consistent? You will need to prove that your processes – whether documented or not – are consistent internally in the way they are used and that they meet the terms of the standard. This also leads to the question regarding whether the effectiveness of processes has been reviewed, which will encourage continual improvement – the element that underpins the standard itself.
- Have you completed the critical functions of the OH&SMS? Have you assessed risks and hazards correctly? Have you performed corrective action in the cases where something has gone wrong? Have you completed internal audits with satisfactory outcomes and actions to guarantee improvement to your OH&SMS? Have you documented these accurately as evidence? These elements are all central to running a successful OH&SMS; you can be sure the auditor will focus on these to a large extent, so it is wise to prepare. Also, remember that while these elements are critical, they only make up part of the clauses you will be audited against!
- Can you demonstrate competence, awareness, and evidence of training? Especially in matters of health and safety, it is critical that your team can demonstrate that they are aware of processes, communications that may have taken place, and are generally aware enough to operate safely within your organization. Ensure that your employees realize that it is very likely that the auditor will come and speak to them, and instruct them on how to react. There is no need to be nervous, but being articulate, truthful, and honest will help greatly.
- Can you demonstrate improvement? As stated previously, this is necessary to demonstrate your organization’s compliance with ISO 45001. It is therefore certain that the auditor will ask a member of the team about how this is obtained and evidenced. Be prepared for this.
- How you can make the audit smoother for your organization and people. It is wise to remember that the auditor is trying to help you pass, not trying to make you fail. Anticipating the questions he will ask will undoubtedly help you to prepare your employees and ensure that they are less nervous, as well as helping you to ensure that you have all your respective boxes ticked in terms of meeting the clauses of the standard. Remember that the auditor is trying to help you make sure your organization remains a safe place to work, not trying to trip you up. Lastly, should the auditor have any observations or recommendations during the audit, be sure that you take them on board and use them to help you improve your OH&SMS.
9.3 Management review
Top management must review the organization’s OH&S management system at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. The management review must consider the status of actions from previous management reviews, and changes in external and internal issues that are relevant to the OH&S management system, including the needs and expectations of interested parties, legal requirements and other requirements, and risks and opportunities. It must consider the extent to which the OH&S policy and the OH&S objectives have been met. It must also consider information on OH&S performance, such as trends in:
- incidents, nonconformities, corrective actions, and continual improvement;
- monitoring and measurement results;
- results of the evaluation of compliance with legal requirements and other requirements;
- audit results;
- consultation and participation of workers;
- risks and opportunities.
The input to management review must also consider the adequacy of resources for maintaining an effective OH&S management system, relevant communications with interested parties and opportunities for continual improvement. The outputs of the management review must include decisions related to the continuing suitability, adequacy and effectiveness of the OH&S management system in achieving its intended outcomes, and continual improvement opportunities. They must include the need for any changes to the OH&S management system, the resources, and any action needed. They must also consider the opportunities to improve integration of the OH&S management system with other business processes and any implications for the strategic direction of the organization. Top management must communicate the relevant outputs of management reviews to workers and, where they exist, to workers’ representatives. The organization shall retain documented information as evidence of the results of management reviews.
The terms used in relation to management review should be understood as:
- “suitability” refers to how the OH&S management system fits the organization, its operation, its culture, and business systems.
- “adequacy” refers to whether the OH&S management system is implemented appropriately;
- “effectiveness” refers to whether the OH&S management system is achieving the intended outcome.
The management review topics listed in 9.3 need not be addressed all at once; the organization should determine when and how the management review topics are addressed.
This clause requires reviews of the suitability, adequacy, and effectiveness of the OHSMS to be undertaken by top management at planned intervals. It should be noted that, contrary to popular belief, the management review does not have to be done all at once; it can be a series of high-level or board meetings with topics tackled individually, although it should be at a strategic, top management level. Complaints from interested parties should be reviewed by top management, with the resulting improvement opportunities identified. It should be remembered that the management review is generally the one function that must be carried out accurately and diligently to ensure that the OH&S Management System and all resulting elements can follow suit. It goes without saying that all details and data from the management review must be documented and recorded to ensure that the OH&S Management System can follow the specific requirements and general strategic direction for the organization detailed there. Management reviews are the opportunity for senior management to critically evaluate the performance of the OH&S management system to ascertain if it continues to be:
Suitable: does the management system fit the organization, its operation, its culture and business systems;
Adequate: is the management system implemented appropriately;
Effective: has the management system achieved its intended outcomes.
The management review should consider the following:
- The status of actions from previous management reviews;
- Changes in internal and external issues that can impact on the OH&S management system such as risks and opportunities, the needs and expectations of relevant interested parties and legal and other requirements;
- The adequacy of resources for maintaining an effective OH&S management system;
- Relevant communications with internal and external interested parties;
- Opportunities for continual improvement.
The reviews should also include information on the organization’s OH&S performance including trends in:
- The achievement of OH&S objectives;
- Incidents, nonconformities, and corrective actions;
- Monitoring and measurement;
- The evaluation of compliance with legal and other requirements;
- Internal and external audits;
- Consultation and participation of workers;
- Risks and opportunities.
The management reviews should be carried out on a regular basis (e.g. quarterly, semi-annually, or annually). Partial management reviews of the performance of the OHSMS can be held at more frequent intervals, if appropriate. Different reviews can address different elements of the overall management review. The management review process should not just evaluate historical trends but should aspire to improve the OH&S performance of the organization through the initiation of improvement actions. The conclusions drawn at the end of the management review process should relate to:
- The continuing suitability, adequacy, and effectiveness of the OH&S management system in achieving its intended outcomes;
- Opportunities for continual improvement;
- Any need for changes to the OH&S management system;
- Additional resources needed;
- Any actions needed;
- Opportunities to improve the integration of the OH&S management system with other business processes such as environment, quality, business continuity, etc.;
- Any implications for the strategic direction of the organization.
Top management must communicate relevant outputs from the management reviews to workers and, where they exist, workers’ representatives.
The organization must retain documented information as evidence of the results of the management reviews. Management review is an essential element of the Occupational Health and Safety Management System. The aim of the review is for top management to assess the performance of the management system to ensure it has been effective and suitable for the needs of the business, ultimately preventing injury or harm to workers. The management review is also a planned activity to review objectives, including compliance, and to set new objectives. Usually, management review meetings are conducted annually; however, many organizations conduct management reviews every six months or quarterly to track the performance of the system. If more frequent meetings are conducted, the meeting agenda is often reduced, with the full agenda occurring annually. The table below provides an overview of the prescribed management review agenda requirements:
| Clause reference point | Summary of the requirement for the Management Review agenda |
|---|---|
| a) | Provide a summary of the status of actions from the output of the previous management review. This will include completed or incomplete tasks and justifications for their status. This information can be pre-prepared for the meeting. |
| b1) | Explain any changes to internal and external issues relevant to the context of the organization to ensure the needs and expectations of interested parties, including workers, are fulfilled. |
| b2) | In addition to b1), note any changes or pending changes to legal and other requirements and the actions taken to address compliance obligations. |
| b3) | If there are any differences or changes to organizational risks and opportunities, they should be noted, explained and discussed in the section below. |
| c) | Review whether compliance with the OH&S policy and objectives has been achieved. It is good practice to place objectives within a table, align key performance indicators to achieve them, and comment on whether they have or have not been achieved. This will also indicate the status of continual improvement. |
| d1) | Discuss any incidents or non-conformities which have occurred since the last review period, including trends. Are there any trends, and what actions have been taken to prevent recurrence? |
| d2) | Determine if monitoring and measuring have been effective in meeting expectations within the organization. If evidence suggests it has not been effective, top management can influence improvement. |
| d3) | Discuss the status of compliance with legal and other requirements. This may include evidence to support compliance, including the methods of determination and sources of information. Discuss any pending legal and other requirements. |
| d4) | Discuss the results of internal audits and the actions that have been taken to resolve any non-conformities. Discuss areas for improvement and areas which are performing well. |
| d5) | Overview of consultation of workers. This may be feedback from safety committee meetings and actions to address risks and opportunities, plus other processes to ensure workers are safe, including contractor arrangements. |
| d6) | Discuss risks and opportunities, including the performance of hazard identification and opportunities to mitigate harm to workers. The organization may wish to review significant findings of risk assessments. |
| e) | With consideration of the information discussed in the previous sections, are there enough resources to maintain and continually improve the management system? These could be human or financial. Top management is key to influencing improvement in this area. |
| f) | Discuss communications with interested parties; this may include regulatory authorities or external providers who are supplying materials which have an impact on safety. |
| g) | General discussion, with the provision of information on how the OH&S management system is performing and how it can continually improve in the future. |
On completion of the management review meeting, the organization must decide, with senior leadership and support, what is needed to continually improve OH&S and satisfy the standard. The following points outline the management review meeting output requirements:
- Provide a wide-ranging conclusion on the continuing suitability, adequacy, and effectiveness of the OH&S management system in achieving its intended outcomes
- Identify continuous improvement opportunities
- Identify any required changes to the OH&S management system
- Identify required resources
- Identify any actions needed
- Identify any integration improvements with other business processes. This may be further harmonization with ISO 9001 or ISO 14001 management systems
- Any implications to the strategic direction of the business. This is a broad scope requirement to capture any topic to improve the OH&S management system
The organization is required to record the meeting minutes as documented information. This information must be communicated to the relevant interested parties and, where applicable, workers’ representatives. It is good practice to transfer management review objectives into a separate document with identified key performance indicators, expected completion timescales and delegated responsibilities. These objectives may be communicated via the organization’s email or placed on notice boards.