4.1 Conformity Assessment
Conformity assessment refers to the activities associated with determining (formally and informally) whether an implemented management system conforms to a formal OHSMS standard, such as ISO 45001, or to a protocol unique and internal to an organization. A common definition of conformity assessment is “the determination of whether a product or process conforms to particular standards or specifications. Activities associated with conformity assessment include testing, certification, and quality assurance” (29). Conformity assessment deals with the activities associated with determining how well a given system approach has been implemented in an organization; this primarily includes auditing and certification activities.
It is important to understand and consider conformity assessment issues and how they relate to MS, as they are central to strategic considerations regarding the rationale for implementing and auditing a management system. A common misconception about MS is that third‐party certification must be pursued. This is not the case. While many organizations do pursue certification, many do not.
Conformity assessment frameworks typically have three levels.
Primary level – assessment
Secondary level – accreditation
Tertiary level – recognition
The primary level represents measurement activities, including auditing. Workplace air sampling or safety surveys are examples of assessment activities, as are management system audits. The secondary level addresses the formal qualifications of the entities performing primary level activities and the bodies that provide confirmation of those qualifications. Examples are Certified Safety Professionals (CSP) and Certified Industrial Hygienists (CIH) who perform workplace assessments. The CSP and CIH designations are given respectively by the Board of Certified Safety Professionals (BCSP) and the American Board of Industrial Hygiene (ABIH). The certification function performed by the BCSP and ABIH represents a secondary level activity.
With management system certification, registrars perform audits, a primary level activity, and accreditation agencies accredit the registrars to perform the registration audits. Finally, an example of tertiary level recognition is found in OSHA regulations that require certain activities to be performed by CSPs or CIHs (30). With MS, recognition is given by regulatory agencies that may grant organizations with a certified OHSMS some form of regulatory relief, as with the OSHA VPP.
4.2 Risk‐Based Thinking
Identifying, controlling, and, when possible, eliminating risk has been a central OH&S activity from the field's earliest days. The term “risk‐based thinking” began to appear in ISO MSS activities, both as a concept and in actual use in some standards, as the high‐level MSS was applied to specific areas, such as quality (ISO 9001) and environment (ISO 14001) (31, 32).
ISO 14001:2015 uses the term “risk‐based thinking” in the introduction, embedded in §0.5, where it is stated that “this International Standard does not include requirements specific to other MS, such as those for quality, OH&S, energy, or financial management. However, this International Standard enables an organization to use a common approach and risk‐based thinking to integrate its EMS with the requirements of other management systems” (32). ISO 9001:2015 states in its introduction (§0.3.3), “risk‐based thinking (see Clause A.4) is essential for achieving an effective quality management system. The concept of risk‐based thinking has been implicit in previous editions of this International Standard including, for example, carrying out preventive action to eliminate potential nonconformities, analyzing any nonconformities that do occur, and taking action to prevent recurrence that is appropriate for the effects of the nonconformity” (33).
While the term “risk‐based thinking” is not used in ISO 45001:2018, the concept is implicit throughout the standard, in much greater detail than in earlier OHSMS standards (e.g. OHSAS 18001:2007). For instance, risk management and analysis are key elements throughout the standard, with the main requirements outlined in clause 6.1 – Actions to address risks and opportunities. This clause addresses the requirement that an effective OHSMS must assess not only issues that may present risks, which the standard defines as the effects of uncertainty, but also opportunities, defined as circumstances that can lead to improvement. OH&S risk is further defined as a combination of the likelihood of occurrence and the potential severity of the event. These risks are often represented by a matrix (Figure 3).
The concept of risk management has a long history that likely began with early humans' understanding that some events had consequences and that preventing those events provided a safer environment. It has even been suggested that an understanding of risk is the true dividing line between ancient and modern times (34). As monetary systems developed, this concept evolved into predictive models, some suggest first used by gamblers, aimed at determining the likelihood of given events.
Risk management as an element of business gained importance as a tool used by insurers to establish rates. As a planning tool, risk management gained attention after World War II and focused on operational risks (35). In the 1960s, tools were developed to minimize risk in response to increasing insurance costs. Similar financial risk management schemes gained momentum in the 1980s and took on increased importance as a series of financial scandals led to the introduction of the Sarbanes‐Oxley Act in the United States in 2002. In 2009 ISO published ISO 31000 Risk management – Code of practice, which established the significance of, and a framework for, the subject in subsequent ISO standards. Neither ISO 31000 nor ISO 9001:2015 required a formal risk assessment or a specific single document. ISO 45001:2018 and ISO 14001:2015 go a bit further, requiring documentation of the analysis and consideration of changing environments the organization may encounter.
Some controversy exists with these risk assessments, given that they are largely qualitative and subject to the knowledge of those performing them. The concept of “risk‐based thinking” is subjective, and its application is somewhat based on the assumptions of those attempting to apply it. See the chapter “Decision Making in Managing Risk” in this edition of Patty's for more on this topic.
4.3 Risk and Opportunity
A relatively new distinction in MS approaches is the notion of opportunity, or opportunities, as a parallel consideration to risk. Early approaches focused only on risk identification, assessment, control, mitigation, etc. (if not by name, then by idea or context); requirements to consider opportunities for improvement were not explicitly addressed. Consideration of opportunities is mandated in ISO's high‐level MSS, and as such it is found in ISO 45001:2018 as “OH&S opportunities.” ISO's risk management activities (ISO 31000:2009) supported an expanded view in considering opportunities, as it states (§5.4.2) that “it is important to identify the risks associated with not pursuing an opportunity.”
ISO 45001:2018 defines OH&S opportunity (3.22) as a “circumstance or set of circumstances that can lead to improvement of OH&S performance” (36), and in its Annex (A.6.1.1) gives a robust bundle of examples of opportunities