ISO 45001 will celebrate its first birthday this spring. In the run-up to its publication, businesses were assured that, though the emphasis differed, the new standard built on its predecessor OHSAS 18001 and certification would not be too onerous, especially for those familiar with the long-standing quality (ISO 9001) and environmental (ISO 14001) standards.
For a snapshot of early adopters' experiences, IOSH Magazine spoke to representatives from four registrants: CBRE Global Workplace Solutions (CBRE GWS), which specialises in facilities and project management; building science centre BRE Group; geoscience specialist the British Geological Survey (BGS); and Affinity for Business, a water provider to business.
The organisations, all of which had different starting points, agreed that implementation was a positive process. They also agreed that a thorough reading and understanding of the new standard was essential to success and that it was critical not to fall into the trap of trying to make the business fit the standard.
None of the organisations found it particularly challenging to deal with the differences between 18001 and 45001, such as the greater emphasis on leadership and worker participation and consultation. Instead, they felt the new standard was to some degree "catching up" with existing good practice. However, some found the new structure and terminology a stumbling block.
Systematic and regimented
ISO 45001 differs from its non-ISO predecessor in that, rather than focusing narrowly on OSH procedures, it looks at the interaction between an organisation and its business environment.
The standard requires safety and health aspects to be part of an overall business management system, with a greater focus on risk and opportunities and more integration into wider business strategy. To meet the requirements, organisations must look beyond immediate OSH issues, taking into account what wider society -- contractors, suppliers and neighbours -- expects of them (see Lexicon, I is for interested person, IOSH Magazine, December 2018 bit.ly/2SdVu0u).
If you had a reasonable manual for BS OHSAS 18001, convert it
BGS had previously been working to achieve 18001 but switched when it became clear that 45001's publication was imminent. James Corbett, BGS's senior health and safety adviser, found the differences between the old and new standards greater than expected. "18001 is a very operational standard," he says. "This is much more strategic. It talks about scope, context, engaging with different levels of the business. And so it really made us step back and quantify what we do in that terminology."
Rosemary Brown, who worked with Affinity for Business to achieve all three standards (9001, 14001, and 45001) as part of an integrated management system (IMS), reinforces this point: "I think anyone just doing 45001 after having 18001 will find it slightly complicated if they haven't also done 9001 and 14001. It's a very different approach -- much more systematic and regimented."
For Ray Jeffery, health, safety and environment manager at BRE Group, the challenge was less about meeting the core requirements -- which his organisation was well placed to do, having recently migrated to the revised 9001 and 14001 -- and more about appreciating the extent of the alterations in the sequence and structure of the new standard.
"This was quite a surprise when we initially did a gap analysis to tally the numbers up," he says. "We had heard that it hadn't really changed very much. In some ways it hadn't, but it has really reshuffled the sections and clauses, as well as altered the terminology."
All the practitioners emphasised the importance of reading the standard thoroughly. This might seem obvious but "the devil's in the detail", warns Brown. One of the trickier aspects for her was the extent of the requirement to define external issues and interested parties.
"This was a much wider remit than we'd understood previously," she says. Affinity's office is on the second floor of a shared block. "Although we'd considered our immediate neighbours underneath, "we hadn't looked at the owners of the block of flats under construction behind and their service road, and how that impacted on us in terms of road safety and drainage."
Brown also stresses the need to note common factors that are not relevant to your business. "If you don't do something, put it in the policy that you haven't done it because you don't have it in your business."
BGS's stage one audit was in March 2018. "We'd acquired the final standard just two days before, on the day of publication," says Corbett. "In effect, we used stage one to do a desktop exercise with the auditors and go through the whole thing on paper. We went through every single line and talked about what it meant, and what we had to do to prove we met the requirement. That was incredibly useful."
He recommends reading the standard, re-reading it, and then giving it a week before reading it again. "Every time you'll see something different and understand it in a different way," he says.
Corbett admits the standard's phrasing was a challenge for his team and for the rest of the staff, mostly research scientists.
"It is phrased in business-speak, not health and safety-- or science-speak, and translation is difficult," he says. "We had to interpret what 45001 means to an organisation that doesn't use that kind of terminology."
In particular, understanding context and scope was daunting at first.
"We sat with the auditor, and when we got to that we fell silent," says Corbett.
"Our business has been functioning for more than 100 years and we know what we are and what we do, but we had never written it down or identified it in this way, so we had no resource material to call on."
Once the team understood the requirements, however, the process of defining context and scope was relatively straightforward, as well as useful.
"The standard made us look more closely at our place in the environment and local community," says Corbett, "and our commitment to internal and external stakeholders and interested parties."
Jeffery's view is that, although context was not an explicit requirement of 18001, it is fundamental to any management system. "One of the first questions we had [for the auditor] was: 'Are we covering the context and interested parties requirements correctly?' He replied that any business that doesn't understand its context wouldn't be in business for long. If you don't know what you're doing, how are you doing it?"
Jeffery reiterates the importance of staying focused and not being fazed by the new terminology. "You know what your organisation does: look at that -- your vision and mission -- and use it to reflect on what you are doing with health, safety and wellbeing."
Another feature of the new standard is a requirement to identify not just risks, but also opportunities. This was a cause of trepidation for some.
"We looked at the word opportunity and asked what that meant to us," says Corbett. "Then we realised we get opportunities all the time; we just don't see them as opportunities. For example, the auditor noticed some racking in a storeroom that had not been inspected, so there was an immediate opportunity to look at that and improve our processes."
CBRE GWS was already certified to 14001, 9001 and 18001 within an IMS, so was ahead of the game here. "We did have to think about risk and opportunity," says Richard White, quality, health, safety and environment director.
"But we were already doing it as part of our wider risk management framework, so we could easily demonstrate both the risks we're managing and the opportunities to improve management of risk."
Controls to manual
One selling point for ISO 45001 is that it shares ISO's high-level structure (Annex SL), in common with revisions to ISO 9001 and 14001. This makes it easier to incorporate in an IMS, an advantage welcomed by the four organisations we spoke to.
Jeffery's top tip for colleagues embarking on the 45001 process is to continue to use a manual to document and record how the management system operates. "Looking from the outside, 45001 does not indicate that you need a formal manual any longer," he says. "But it's quite a beast and I would say that you are never going to manage it without one. If you had a reasonable manual for 18001, convert it and pick up the new terminology within it. If you're starting off cold, build a manual to answer all the questions and follow it through."
At BGS, Corbett also found this critical: "We needed a document that sat between our policy and the operational stuff people do on the ground. We produced a set of ten very short documents under the overarching safety management system heading. But what is important is that there was nothing in these documents that we didn't already do; the problem was we had not laid it out in evidence format.
"We approached it as smartly as we could. The longest document -- at eight pages -- is the arrangements, which goes through the plan, do, check, act methodology, and the shortest is two pieces of paper talking about the scope."
For the auditors (BSI for CBRE and BGS, LRQA for BRE, and NQA for Affinity for Business), 45001 is also new territory. "With the new aspects of the standard, we explored it together," says Corbett. "BSI was asking these questions for the first time itself too, albeit with a lot of previous experience of 9001, 14001 and 18001. And I think the auditors found the process very useful. We helped each other out."
White describes his company's relationship, also with BSI, as "challenging but supportive", which he believes is crucial for success. "You don't want it too cosy and comfortable," he argues. "Be prepared to have robust conversations."
He points to a particular exchange over management review.
"The auditors were maybe expecting to see a piece of paper and for us to say 'here's our record of management review'," he says. "But we argued we've got numerous levels of review across the business: board reviews, regional reviews, contract/account reviews on every account every month. This for us is management review, rather than an annual process designed specifically to meet a clause in the standard. Our process is continual and applied across all parts of the business."
Submitting evidence of that to the auditor convinced him that this aspect was covered.
"We do it but not simply to meet the standard; we do it as part of our business process," says White. "That's a recurring theme we were at pains to point out during the whole audit. Here's what we do as a business: here's how it meets the standard -- do you agree? You will never see a specific process written to meet a specific clause requirement: we do it because it's right for the business."
White's team found it did not have to make big changes to existing practice to attain the standard.
"We refocused and slightly adjusted a couple of processes, including around hierarchy of control," he says. "Obviously that's nothing new but, unlike 18001, the new standard includes it as a specific requirement, so we did have to think about whether we were sufficiently explicit."
Top down, bottom up
Perhaps the most publicised differences between 45001 and 18001 are those relating to leadership and worker participation. But for businesses already operating good practice, these present few challenges.
"It's got to be driven from above," says Jeffery. "We have a very active CEO. The CEO is a key player. If they don't help, you will be struggling to get it embedded."
White adds: "Our CEO and president of operations are fully behind the importance of management systems and standards. Our president of operations was actively involved, to the extent that he joined the audit with BSI to explain what he does, and his active leadership of QHSE in the business."
White holds similar views on the worker consultation requirements. "This comes back to the point about the standard catching up with business practice. Why wouldn't you involve them in this? They know the risks, the job, and the short cuts that might be taken to complete a task, so they must be actively involved in the drive for continual improvement."
Though CBRE's arrangements for participation and involvement were robust, White says the standard "did help to focus our thoughts in terms of how we ensure our workers are engaged and how effective our communication is in practice". And the auditors tested the words they had heard in the field at account level by talking directly to employees.
The auditor also focused in on these "new" requirements at Affinity for Business. "We'd implemented a health and safety group for staff and a group for the senior management team, so that was all documented," says Brown. The audit included conversations with individual workers and examining meeting minutes.
"That part was not so different from 18001 audits I've been involved in," Brown says. "What was different was the auditor's long session with the firm's managing director this time."
Time to reflect
All the practitioners, even those familiar with ISO standards, felt one of the biggest benefits of implementation was the chance to gain a new perspective.
"It's not necessary even to go for certification," says Brown, "but it will help to develop procedures and discipline. That's what 45001 is, a discipline to make sure you think about what you need to do to carry out your business safely."
Corbett agrees: "It made us examine ourselves in a way we had never done before. It allowed us to look at things in a more structured and strategic way and has been very reassuring to our board and executive."
The standard also proved a useful strategic planning tool. "By identifying areas where we are weaker, it gives us the opportunity to plan for where we can improve," says Corbett, "which brings us back to the concept of risks and opportunities. You could, of course, do it in a different, very technical, prescriptive way by focusing on achieving the right things to pass. But I think your business would suffer; it's not sustainable."