Key Changes in ISO 45001-2018 Auditing

Training Document ISO 45001-2018 Auditing Common Mistake Auditors do for ISO 45001-2018 Audit

Introduction As ISO 45001 is released in 2018, and requirement are changed, but some auditor have been found that they audit ISO 45001 which is similar to OHSAS 18001 and missing some important point of the new MSS. Companies must migrate to the new standard by March 2021. If you are auditing ISO 45001, you need to understand the different and each thin line which must be verified during the audit.

Key changes in ISO 45001 Business Context: Chapter 4.1, external and internal issues, introduces new clauses for systematic determination and monitoring of the business context. Workers and other interested parties: Chapter 4.2 introduces enhanced focus on needs and expectations for workers and other interested parties and worker involvement. This to systematically identify and understand factors that need to be managed through the management system.

Key changes in ISO 45001 (Cont..) Risk and opportunity management: Described in chapters 6.1.1, 6.1.2.3, 6.1.4, companies are to determine, consider and, where necessary, take action to address any risks or opportunities that may impact (either positively or negatively) the ability of the management system to deliver its intended results, including enhanced health and safety at the workplace. Leadership and management commitment: Stated in chapter 5.1, ISO 45001 has stronger emphasis on top management to actively engage and take accountability for the effectiveness of the management system.

Key changes in ISO 45001 (Cont..) Objectives and Performance: Strengthened focus on objectives as drivers for improvements (chapters 6.2.1,6.2.2) and performance evaluation (chapter 9.1.1). Extended requirements related to: Participation, consultation and participation of workers (5.4) Communication (7.4): More prescriptive in respect of the mechanics of communication, including determination of what, when and how to communicate. Procurement, including outsourced processes, and contractors (8.1.4)

7 Key changes in ISO 45001 ISO 45001 follows the same structure like other ISO standards. The Annex SL Structure is #2: Organisational Context The new standard has introduced two clauses related to the context of the organisation. The new clauses require the organisation to determine issues and requirements that may impact on the planning of the OH&S Management system and can serve as input for the development of the management system. The context of the organisation refers to the business environment it is operating. Identifying both external and internal issues helps the business to understand the environment and its impact on the management system. External issues can be related to technological, economic, market, competition, culture, legal and other social factors. Internal issues can be related to culture, knowledge, values and performance. Understanding the issues (both external and internal) will facilitate the organisation to achieve its intended results for the OH&S Management system. #1: New Annex SL Structure is implemented

#3 Understanding needs of interested parties This new clause requires the organisation to understand the needs and expectation of stakeholders appropriate to the business. This requirement includes not only the direct customers but also the end-users, suppliers, distributors, retailers and others involved in the supply chain, regulators and any other relevant interested party. The purpose is also to predict current and future needs because it could lead to the compliance against requirements and improve overall performance of OH&S Management system. The organisation is required to monitor and review the information about these interested parties and their relevant requirements.

#4 Leadership This clause requires more commitment and involvement from the top management in identifying work-related health & safety risks and integrating OH&S requirements into its business processes. Top-level engagement and empowerment of senior management have been raised up by the new standard, which means that the responsibility will not lie on one person (previously given to OH&S representative ). The OH&S policy must include a commitment to improving all relevant aspects of the OH&S management system, not just its effectiveness, and it must provide a framework (that is, a process) for setting the objectives. Significant changes related to this clause are Top management to establish, implement and maintain OH&S policy Appropriate to the purpose and context of the organisation Available to relevant interested parties, as appropriate Commitment to improving the OH&S management system Communicated, understood and applied within the organisation Maintained as documented information

#5 Hazards Identification Risk Management The standard strongly emphasis is on the planning of actions to address OH&S related risks within the organisation. Risk management process should consider OH&S risks related to its hazards and OH&S opportunities, applicable legal and other requirements and risks and opportunities related to the operation of the OH&S management system

#6 Documented information The standard requires all documented information (both documents & records), which includes electronic and process information, to be controlled and managed.

#7 Outsourcing, Procurement & Contractors Management The organization needs to ensure that all outsourced processes that has the potential to impact OH&S Management system are controlled and management. The standard requires the business to have adequate and effective controls with regards to procurements of products (e.g raw materials, equipment, services) to ensure that procured items meet the OH&S requirements of the organisation. The OH&S Management should expand beyond just workers and include contractors are engaged by the organisation to perform various business activities. The OH&S risks that arises in contractor engagement should be maintained and controlled.

#7 Outsourcing, Procurement & Contractors Management The organization needs to ensure that all outsourced processes that has the potential to impact OH&S Management system are controlled and management. The standard requires the business to have adequate and effective controls with regards to procurements of products (e.g raw materials, equipment, services) to ensure that procured items meet the OH&S requirements of the organisation. The OH&S Management should expand beyond just workers and include contractors are engaged by the organisation to perform various business activities. The OH&S risks that arises in contractor engagement should be maintained and controlled.

#7 Continual Improvement (Cont.) #7 Continual Improvement Unlike other international standard, ISO 45001 doesn t require the organisation to implement preventive action. However, the standard requires the business to change take proactive measures as part of the continual improvement and risk management.

FAQ for ISO 45001 What changes do the new definition of WORKER that includes top- level management persons bring to the management system and the certification audit? Worker is an all inclusive phrase which would include workers of all levels within the organization, and those who are not directly employed such as contractors and outsourced service/product suppliers. As all organizations are unique, then this would need to be considered and demonstrated as appropriate for the system and audit.

FAQ When the organization understands the needs and expectations of interested parties and strategic corporate requirements, it can then use the knowledge to assess any risks and opportunities that may be present and then take action to address them.

FAQ Legislation Registers / Aspects and Impacts Registers: Is there a minimum requirement for what they must contain? No the contents are based on the business activity, geographical location and local /national enforcement requirements. Each organization is unique.

If a company were to meet all the requirements of ISO 45001, would they also meet the requirements of OHSAS 18001:2007? If a company were to meet all the requirements of ISO 45001, would they also meet the requirements of OHSAS 18001:2007? ISO 45001 expands and builds on the foundations of OHSAS 18001. Therefore meeting the requirements of 45001 are overall in place, but the way 18001 is written is different, and requires documented procedures and other subtle changes.

What are the benefits of ISO 45001 over OHSAS 18001? As stated earlier - ISO 45001 builds and expands on the foundation of OHSAS 18001 and is designed to integrate with other revised ISO management standards eg; ISO 14001 and ISO 9001. When effectively implemented it will integrate OHS in to the operations and should be considered as part of the business management system and not a bolt-on. ISO 45001 is flexible and capable of meeting the needs of the business whilst protecting workers and delivering improvement.

How to address risks that for Local Authorities require within our emergency plan, such as Earthquakes and Tornado's? If these are requirements of enforcement agencies / interested parties then they will need to be considered and planned for. However these plans may also be part of other emergency considerations and responses in place - such as business continuity plans and responses. Review what you already have in place, and work from there.

Just a few of the differences between the OHSAS & OHSMS OHSAS 18001 British Standard Reactive planning Hazard control Procedures are prepared Safety management personnel play leadership role ISO 45001 International Organization of Standardization Standard Proactive planning Risk evaluation, reduction and prevention Documented results are required Top management plays leadership role Company leadership takes leading role to ensure it fits within the overall organization s processes. Company management reviews the process after development Safety and health is the responsibility of leadership and the overall management system of the organization. External and internal issues related to the safety management system should be addressed by leadership. Workers and interested parties needs should be addressed and incorporated into the plan. Safety and health is the responsibility of safety management personnel

Just a few of the differences between the OHSAS & OHSMS Everyone, including leadership, is responsible for safety. Workers should be provided education to help identify risks and everyone should participate. Internal audits and risk assessments should be shared with all employees and non-managers should participate in internal audits, risk assessments and incident investigation. Employee participation consultation Information and communication documentation is required including who, what, when, the objective of the communication and was it effective? Information and communication procedures are prepared Additional Elements Outsourced processes, procurement and contractors are addressed. Hierarchy of controls are to be used. Procurement of goods are to be considered. Contractor controls and communication requirements for their workers, your workers and any other affected parties are required.

The End