In September next year, ISO 45001 will become the new international standard for OSH, with an emphasis on flexibility, leadership and integration.
With the eyes of OSH professionals firmly on the management of the COVID-19 crisis, it would be easy to overlook the fact that OHSAS 18001 – for 21 years the hallmark of an organisation’s commitment to safe and healthy working – has entered its twilight months. On 11 September 2021, OHSAS 18001 will be withdrawn, three years after the launch of ISO 45001, the new international standard for OSH (the IAF has extended the original deadline from 12 March due to the pandemic). For those organisations yet to transition, the looming demise of the old standard will focus minds.
ISO 45001 was five years in development. Objective-setting, strategic, flexible and SME-friendly, it focuses on risk – not simply on compliance – and aligns with ISO 9001 (the quality management standard) and ISO 14001 (environmental management).
For organisations moving from the old standard to the new, one of the most notable changes is the emphasis on leadership: senior managers are expected to be personally knowledgeable about the management of OSH in their organisations.
Stakeholder engagement is another key feature of ISO 45001, with a requirement for organisations to involve ‘interested parties’, both internal and external, in their decision-making. This puts worker participation front and centre; it also requires companies to consider a wider range of external stakeholders – from the supply chain to
In a bid to lighten the bureaucratic load for smaller firms, documentation requirements are more flexible under the new standard, with a range of evidence now acceptable as ‘documented information’, for example digital photographs and audio clips.
But what hasn’t changed are the moral, legal and business cases for undergoing assessment, audit and accreditation. Evidence suggests an effective OSH management system can increase productivity and morale while reducing incident and absence rates. For some organisations, working towards accreditation is a decision based on the knowledge that it will help protect workers’ health and safety while improving business performance. For others, client and customer pressure in the supply chain – accreditation may be a contractual specification – provide the motivation. An accreditation such as ISO 45001 carries weight across continents.
At the end of 2019, an estimated 100,000 organisations had achieved ISO 45001 certification. Overleaf, two OSH professionals discuss their organisations’ accreditation journeys.
Get certified: Make it stick
Robin Maunder-Cockram, who has helped a variety of clients approach ISO 45001 certification in his role as senior adviser at EY CertifyPoint, offers seven key points for organisations to consider as they embark on certification.
- Know what you want out of it. Do you want to have a certificate for market qualification only or do you want your organisation to be challenged? Defining this upfront will help you find a matching certification partner.
- Don’t do it for the sake of compliance. Pursuit of compliance alone will most likely end in compliance, not effectiveness or meaningful results. Look at the standard as a source for inspiration and have an experienced adviser help you translate it for your organisation.
- Understand the audit process. Have your team complete lead auditor training so they know what auditors are looking for and why. The insight is invaluable throughout the certification cycle and can be spread internally.
- Think big, start small. Fulfilling all standard requirements may take a lot of effort. Phase your efforts and fit them into your overall programme. Overburdening people will result in a superficial implementation.
- Timing is everything. Let the dust settle before you certify. Changes made to fulfil standard requirements need time to become business as usual. It’s about people and their routines; fallbacks and inertia are a given.
- Make it stick! Make sure all stakeholders are involved from initiation to handover when moving towards a certified management system. This will facilitate the design and implementation process greatly.
- Do at least one dry run. Have a certification body perform dry-run audits to make your colleagues feel comfortable being interviewed. Coach key individuals and identify any gaps before certification audits start.
Lee McArdle GradIOSH
Compliance manager Shine Food Machinery
As soon as we had the final draft of ISO 45001, I said: ‘Right, let’s do it.’ I wasn’t interested in dragging our feet and taking three years to achieve accreditation: I wanted to know exactly where we were and to get it.
There weren’t really any surprises in the new standard. In my role, I’m responsible for ISO 9001, ISO 14001 and ISO 45001, and they all follow the same high-level structure.
To start with I did a gap analysis between OHSAS 18001 – which we were already certified to – and ISO 45001. I had created an IMS [integrated management system] for ISO 9001 and ISO 14001, so I ran OHSAS 18001 through it and then it was a question of filling in the gaps.
At the earliest opportunity we invited the BSI auditors in to check for any non-conformities and we were closer than I’d thought. We dealt with the minor non-conformities raised, and we were accredited within six months.
The major difference between OHSAS 18001 and ISO 45001 is communication: it’s a massive element of the latter. It’s not enough to tell people you’ve changed a policy or working practice; you must have evidence to demonstrate that you’ve told people and that they’ve understood. But there’s a great deal of flexibility in how you record. I had carte blanche from the directors, so I switched from paper to electronic systems, and created apps and online toolbox talks so people can sign on screen to confirm their understanding. It’s far easier and has made a big difference in terms of time and resources.
You can improve your business by adopting. The process is not difficult, and it will give you structure
The emphasis on communication has improved our practices. A policy isn’t worth the paper it’s written on if people don’t understand it, so now we issue the policy, then we talk about it: we hold sessions to explain what we’re doing and why and to get feedback.
Prior to ISO 45001, installation managers, project managers and factory managers would contact me to tell me ‘This needs fixing’, but I never felt I was getting actual questions and queries from the ground. When we moved to 45001, I created a health and safety committee which we publicised on noticeboards and in emails. I gave the time of the meeting and said everyone was welcome. A couple of people turned up to the first one. I told them there were no managers; it was a place they could have the confidence to speak up and say what they wanted. Two weeks later, we had 10 people and it’s grown from there. We’ve dropped ‘health and safety’ from the name now, so people can raise environment and quality issues too.
We work with lots of tier one contractors. When we first achieved ISO 45001 and had to fill in their pre-qualification questionnaires, we used to cross through OHSAS 18001 and write 45001 when we were asked for our accreditations – it was so new it wasn’t on there!
I would absolutely recommend working towards ISO 45001. Lots of companies are stuck in their ways and I get that: policies and procedures are in place. But ultimately an ISO is a management system and will make your operations far easier. You can improve your business by adopting it. The process is not difficult, and it will give you structure. No management system is perfect, but transitioning to ISO 45001 has massive benefits.
Health and safety manager CrossReach
We’re a service-based care provider, and until now we’ve been using a customer service excellence system. We don’t have any manufacturing or process-based operations, so a customer service system has been an ideal vehicle for us in terms of quality improvement and in-house assessment.
We picked ISO 45001 because we were looking for a way to benchmark and refresh our health and safety system – but it doesn’t sit snugly with our existing systems.
Our current system includes key performance indicators for health and safety, but it doesn’t have the same breadth as ISO 45001. In short, ISO 45001 requires lots more scrutiny.
We are in the early days of exploring whether full accreditation is the most appropriate route for us, but in any event it will take us further along our improvement journey. We had customised our question-sets and were about to apply these when the COVID-19 crisis put everything on hold.
Getting buy-in was easy at director level: they understood that ISO 45001 would give us a way of taking the temperature of the organisation in health and safety terms. We looked at the Health and Safety Laboratory’s Safety Climate Tool, but we felt that ISO 45001 went further, and the directors recognised the credentials of an ISO.
We knew at the outset we would also need to get managers on board, so they understand why we’re doing it and don’t just see it as an audit. We have 54 services across Scotland, and we’d planned – prior to COVID-19 – to begin working with regional managers so they could then introduce the question-sets to service managers. I would then go in and offer support as necessary.
As a care organisation, we’re already heavily scrutinised so consideration of ‘interested parties’, as specified in ISO 45001, is already built in to what we do. In fact, one of the potential barriers to pursuing the standard was that managers would see it as yet another yardstick, so we’ve had delicate conversations around the benefits of inviting additional scrutiny.
Internally, I think ISO 45001 will make a real difference in terms of participation in health and safety. All of our service managers are working at full capacity and they’re busy with what’s in front of them at any moment; they’re red-hot on the protection of residents and service users. Hopefully, ISO 45001 will serve as a useful reminder about OSH and make us more strategic. It can be a standard to rally around; something that will bring more engagement in health and safety.
We operate in a competitive environment, bidding for tenders, so external verification of our management systems will help. It’s difficult to benchmark in this sector: providers don’t release figures on such things as medication errors or falls, and incident frequency is only part of the picture. Obviously we’re aiming for zero, but ISO 45001 will hopefully enable us to benchmark more easily and judge whether our policies and procedures are exemplary. For example, we introduced a driving for work policy recently, but we don’t just want to ‘fire and forget’. We want to review its implementation and success, and ISO 45001 can help here.
At the moment, we have our own safety management system and I produce the management information I think we need. But ISO 45001 will give us a better idea of where to focus activity, and allow us to have conversations with other accredited providers about where we go next.
What’s new in ISO 45001
- ISO encourages risk-based thinking rather than controlling hazards.
- Senior management are expected to take more responsibility and a stronger top-down leadership role.
- OSH operations can no longer be delegated to a representative.
- Organisations should consider how suppliers and contractors are managing their risks too.
- The overall intent to create a framework for managing the prevention of employee injuries, illnesses and fatalities remains the same for both standards.