Last reviewed 7 March 2016
The occupational health and safety management systems standard is due to publish in the autumn. Mike Sopp highlights those elements for which organisations can start preparing.
Autumn 2016 will likely see the publication of ISO 45001 Occupational Health and Safety Management Systems. Requirements with Guidance for Use from the International Organization for Standardization (ISO).
Prepared using the ISO “high-level structure” provided in Annex SL of the ISO/IEC Directives, Consolidated ISO Supplement, the standard will be aligned with other recently revised standards such as ISO 14001:2015 and ISO 9001:2015.
Although taking into account current standards such as BS OHSAS 18001:2007 Occupational Health and Safety Management Systems. Requirements and the International Labour Organization’s OSH Guidelines, and following the Plan-Do-Check-Act cycle, the new standard will contain some noticeable differences for which organisations wishing to transpose to the new standard need to be prepared.
Organisational context and understanding
Clause 4 of the draft consultation version of ISO 45001 relates to the “context of the organisation” and contains a number of subclauses.
The first, “understanding the organisation and its context”, requires the organisation to “determine external and internal issues that are relevant to its purpose and objectives and that affect its ability to achieve the intended outcome(s) of its OH&S management system”.
To fulfil this clause the organisation will need a clear idea as to its objectives and the intended outcomes of the system. Minimum outcomes will clearly be legislative compliance but thought will need to be given as to whether the organisation wishes to “go beyond compliance” and what other outcomes may be met, eg those relating to corporate social responsibility.
In essence, a high-level understanding of the important internal and external issues that can significantly impact on the organisation’s occupational health and safety management system will be required.
However, like many risk management functions, health and safety tends to be rather isolated and disconnected from the bigger picture issues, which have the potential to influence both positively and negatively the ongoing effectiveness of the system.
Therefore, determining context can be challenging and it is not anticipated that any guidance will be forthcoming on how to meet the clause.
One method that can be adopted is the completion of a “context review” using an organisational cross-cutting workshop approach utilising various tools including interviews, questionnaires, surveys and research.
This can also include the completion of a PESTLE workshop so as to get a better understanding of the internal and external context (PESTLE being the political, economic, social, technological, legal and environment themes that impact on an organisation).
The second subclause of Clause 4 requires the organisation to determine the:
interested parties that are relevant to the system
relevant requirements of these interested parties.
The draft standard defines interested parties as a “person or organisation that can affect, be affected by, or perceive itself to be affected by a decision or activity related to the OH&S management system”.
One method of determining these stakeholders is to initially describe the relationship with the organisation and then the various interested parties within this heading. For example, the relationship can be based upon “responsibility”, which would include stakeholders with whom the organisation has some legal, financial or operational responsibilities. Interested parties may include investors, parent companies or business partners. Other groups could relate to:
dependency: those dependent upon the organisation such as employees, customers and suppliers
representation: representing others such as regulatory agencies, trade unions, trade associations, etc.
Having developed a detailed list of interested parties, the next stage is to identify the requirements. Such requirements can consist of what the stakeholder needs or what they want.
As an example, those under the responsibility relationship may need assurance as to the management of risk or want clear reporting on performance and adherence to corporate policy.
Similarly, those with dependency will want a safe and healthy working environment and need management to develop an appropriate culture to achieve this. Stakeholders in the representation group may want assurance as to compliance with regulations and will need accurate reporting on risk performance.
Again, the method of meeting this clause can be achieved by the workshop, organisational cross-cutting approach with representation from all relevant departments and specific disciplines.
The level of detail required to fulfil this subclause will vary in each organisation depending on size, complexity, risk profile and current management system maturity and can range from broad brushstrokes down to named individuals.
The final element of this clause is to identify what stakeholder requirements “become applicable legal and other requirements”. Legal obligations should be identified first followed by the other requirements the organisation wishes to meet (eg those beyond compliance needs but required for best practice, etc).
This process should enable the organisation to focus and coordinate on what are the most important issues, rather than managing them ad hoc.
OHSAS 18001 currently requires top management to demonstrate its commitment by ensuring resources are available to establish, maintain and review the system and to ensure roles, responsibilities, authorities and accountabilities are delegated.
Clause 5 of the draft ISO 45001 is devoted to “leadership and commitment” and contains a comprehensive list of requirements to be met by top management. This includes but is not limited to:
taking health and safety performance into account in strategic planning
integrating the OH&S management system requirements into the organisation’s business processes
ensuring that the appropriate financial, human and organisational resources needed are available
communicating the importance of effective management and of conforming to the management system requirements
promoting and leading organisational culture with regard to the management system.
In some aspects, this clause reflects the recommendations already contained in INDG417 Leading Health and Safety at Work, as it suggests, for example, that the “board should integrate health and safety into the main governance structures” and ensure that “health and safety arrangements are adequately resourced”.
Similarly, BS 18004:2008 Guide to Achieving Effective Occupational Health and Safety Performance details certain elements of leadership and contains a list of leadership attitudes and behaviours that promote a positive occupational health and safety culture.
It can be argued that the requirements contained in the draft management standard will require a more “robust” and proactive approach from top management in terms of leadership, particularly when the full list of accountabilities in the standard are reviewed.
Although delegating such key elements to other persons within the organisation is permissible, accountability will remain with the top management. This can be perceived as being an opportunity to engage with top management and obtain their buy-in to health and safety.
Interestingly, prior to the introduction of the revised ISO 14001 a survey found that 42% of top managers had little or no involvement in their organisation’s environmental management systems.
It can be suggested that similar numbers will apply for health and safety and, as such, unless the appropriate approach is taken when engaging — that is, making it relevant to the top managers and overall organisational objectives — there is the potential for this to become another tick-box exercise.
Certainly health and safety practitioners may have to revise any engagement strategies and even reflect on their own interpersonal skills to ensure that clause is effectively implemented.
A good starting point would be to utilise the data obtained from the process of understanding the organisational context and the influences of stakeholders as these will certainly be linked to the bigger picture issues the top management team have to consider on a daily basis.
ISO/DIS 45001, British Standards Institution (BSI)
ISO 45001, International Organization for Standardization (ISO)
Changes to ISO 18001 and Implications for Management Systems, Institution of Occupational Safety and Health (IOSH)