As well, ISO 45001:2018 requires that the OH&S policy is “available as documented information; communicated within the organization; available to interested parties as, appropriate; and relevant and appropriate” (53).
5.4.4 Organizational Roles, Responsibilities, and Authorities
Requirements to define OH&S roles, responsibilities, and authorities are contained in ISO 45001:2018 as well as with earlier OHSMS approaches. This section (§5.3) requires that “top management shall ensure that the responsibilities and authorities for relevant roles within the OH&S management system are assigned and communicated at all levels within the organization… [and that] workers at each level of the organization shall assume responsibility for those aspects of the [OHSMS] over with they have control” (53). Requirement for assigning responsibility and authority include OHSMS conformance with ISO 45001, and reporting on the OHSMS's performance to top management.
5.5 Planning (§6)
ISO 45001:2018's planning section (§6) contains requirements that are familiar to industrial hygienists and OH&S professions, and have been bedrock in OH&S management for decades. These include: hazard identification and assessment of risks and opportunities (§6.1.2); determination of legal requirements and other requirements (§6.1.3); and generating OH&S objectives and planning to achieve them (§6.2).
The standard requires that (§6.1.1):
“…when planning for the OH&S management system, the organization shall consider the issues referred to in §4.1 (context), the requirements referred to in §4.2 (interested parties) and §4.3 (the scope of its OH&S management system) and determine the risks and opportunities that need to be addressed to: give assurance that the OH&S management system can achieve its intended outcome(s); prevent, or reduce, undesired effects; and achieve continual improvement” (56).
Management of change (MOC) is addressed in §8.1.3, however, §6.1.1 (Actions to address risks and opportunities, general) implies that proactive MOC thinking is needed during the planning process, where it states:
“…the organization, in its planning process(es), shall determine and assess the risks and opportunities that are relevant to the intended outcomes of the OH&S management system associated with changes in the organization, its processes or the OH&S management system. In the case of planned changes, permanent or temporary, this assessment shall be undertaken before the change is implemented” (57).
5.5.1 Actions to Address Risks and Opportunities
While all of this section's (§6) requirements are important, perhaps most significant are the requirements related to “actions to address risks and opportunities.” Central to the IH/OH&S profession is the identification of hazards, and assessing and prioritizing associated risks. ISO 45001:2018, as have other OHSMSs, provides robust guidance on this process, a process that then establishes a foundation for a number of actions, such as establishing objectives and determining controls, to name a few. As already mentioned, the inclusion of the term “opportunities” here is relatively new in the historical development of OHSMS approaches. An example of when an “opportunity” might occur is when an organization is updating a process. The organization can choose the one with the greatest OH&S improvement even though it may be more difficult or costly to implement.
Robust requirements are included related to hazard identification (6.1.2.1), “the organization shall establish, implement, and maintain a process(es) for hazard identification that is ongoing and proactive” (58). From an audit perspective, consideration needs to be given to what constitutes “ongoing” and how to demonstrate this. In well‐functioning OHSMSs, this issue points to establishing feedback channels for hazard identification‐related data that arises from any number of activities, such as audits, accident reports, or worker complaints. The requirement to be proactive, while not absent in intent in early OHSMS approaches, is clearly stated here.
Of particular interest related to hazards is the requirement that the process for hazard identification (§6.1.2.1.a) also take into account “how work is organized, social factors (including workload, work hours, victimization, harassment, and bullying), leadership, and the culture in the organization.” Language in this section makes clear that hazard identification extends in to “locations not under the direct control of the organization” that has an impact on the organization's workers and workplaces. (§6.1.2.1.e.3). This includes multiemployer work locations and “situations not controlled by the organization and occurring in the vicinity of the workplace that can cause injury and ill health to persons in the workplace” (58).
A distinction is made between OH&S risks and “other risks to the OH&S management system” (§6.1.2.2). OH&S risks refers to what could be considered tradition risks, such as a chemical exposure, slips, trips, falls, etc. Risks to the OH&S management system refers to things that can affect OH&S performance, such as day‐to‐day operations and decision‐making, regulatory changes, the organizational culture, changes in resources, to name a few. A methodology for assessing OH&S risks is required, this needs to “be defined with respect to their scope, nature, and timing to ensure they are proactive rather than reactive” (58).
5.5.2 Legal and Other Requirements
Determination of legal and other requirements is a common element of OHSMS approaches. These requirements include governmental regulations, applicable nongovernmental consensus standards, and internal company standards, to name a few. 45001's Annex (A.6.1.3) suggests “requirements” to consider. From an audit perspective, it is valuable to demonstrate what “requirements” have been considered, and then, which ones are selected for inclusion in the OHSMS's planning. As well, it is valuable to define how knowledge/requirements will be updated, and how often.
5.5.3 Planning Action
While familiar, and somewhat pro forma, the standard requires that actions are planned to “address these risks and opportunities (§6.1.2.2 and §6.1.2.3), legal requirements and other requirements (6.1.3), [and] prepare for and respond to emergency situations (§8.2)” (§6.1.4.a). As well, It is required that the organization plan “how to integrate and implement the actions into its OH&S management system processes or other business processes, [and] evaluate the effectiveness of these actions” (59). The explicit requirement of integration with business processes is a significant evolution from earlier OHSMS approaches, and provides a valuable concept and tool for industrial hygienists and OH&S professionals.
5.5.4 Objectives
Requirements for OH&S objectives have been integral to OHSMSs since the earliest approaches. In ISO 45001:2018, the term objective is defined as “result to be achieved” (50). Several “notes” associated with this definition indicate that objectives can be strategic, tactical, or operational; and can relate to different levels or parts of an organization.