Table talk: ISO 45001

Watch the recording, split into two parts, here

NICK WARBURTON (NW): How do you feel organisations have found working with the standard over the past year?

GERALD HIGGINS (GH): Early starters have had a positive experience. Where they have already certified to OHSAS 18001, they have found the transition quite reasonable and, provided they [have identified] the gaps between the two standards, they've managed to implement it successfully.

TERRY FISHER (TF): The biggest issue that we've identified is the terminology. But once people understand what that's trying to achieve, it's a straightforward process. It's not a barrier. It's that initial interpretation because it's not common commercial language.

MARTIN COTTAM (MC): It's a different journey for different companies. Those that are familiar with ISO 9001 and ISO 14001 are already familiar with the terminology and the high-level structure. They've found those new concepts like "context" relatively straightforward. Organisations that perhaps only worked with OHSAS 18001 or perhaps didn't have a formal OHS management system have to grapple with the language and the structure at the same time. For those organisations, it's been things around worker participation, consultation and participation that have been a harder challenge.

NW: Should organisations try to make the business fit the standard?

MC: No. You need to have a management system that speaks to your own people, in their own language, and you can structure that any way you like. What you do need in the background, for ease of auditing, is to have that mapping so that you can readily demonstrate to yourselves and to others the connection between your management system and the standard's requirements.

KATE FIELD (KF): Management systems are tools to enable business, and as a tool it's up to the organisation to find the best way of using that. Particularly for small businesses, the framework and the language can often be daunting, but it is designed to be accessible. If you don't like the phrases around consultation on participation and you want to use engagement or something like that, then do so. It's your standard.

GH: Context is key. There's a huge difference between a small, office-based company and a large manufacturer. You have to adapt the standards to meet the requirements or the particular circumstances that the company has to meet. But don't lose sight of the fact that you still have to cover all the standard's requirements as well.

TF: It's got to be understood that it's a part of a business management system and it's there to support the business and meet its needs, and that's what it's trying to deliver. Although all the clauses are there and the various structures [are] built into the standard requirements, they've got to connect to each other and work as an effective management system. That's the key message.

NW: How have companies coped with the differences between OHSAS and the new standard?

MC: It depends on the starting point because we tend to default to the assumption that companies have built a previous management system around a previous standard. Although some have, one of the dangers of downward pressure and supply chains is that people rather reluctantly engage with the idea that they have to have a certified system and build it very much to, "Here are the requirements, we'd better do it". But a lot of organisations don't approach it that way. They're doing it because they believe in it and they're looking beyond the pure requirements of the standard.

KF: My advice is read the standard once, twice, and then three times-¦ it is only an upgrade from 18001. There aren't many significant differences, but the devil is in the detail. If they're using 18001 and they're based in the UK, they'll be following the legislation that has those systems in place, but there are specific elements that have to be covered, either in participation or consultation, so it's really about focusing on that detail.

GH: We found difficulty on the contractor management side. That is definitely more defined, more comprehensive than was the case with OHSAS. It's a fine line between almost over-managing the contractors and ensuring they have a proper management system that protects their own workers.

NW: Does anyone want to pick up on the contractor management point?

KF: One of the biggest questions we've seen is about what outsourcing means and how far the client organisation then has to oversee any outsourcing arrangements. The solution is there in the standard [which says] you define it. It doesn't suddenly mean that you've got to be going out and auditing all your suppliers, which was the initial fear.

MC: It's about having first thought through the entire OHS landscape and the kind of relationship that you have with suppliers. Outsourcing is one of the areas of the high-level structure that is likely to be fine-tuned at the next revision. It's recognised that the language isn't as clear as it could be and that's where guidance standards have a part to play, the international ones, or the ones published in the UK by BSI in the past 12 months.

TF: It's about how the management system works for that organisation. I've never been in an organisation where there's a lack of information once they understand the requirement [of the standard]. It's a matter of making that subtle distinction between what you're trying to achieve and why you're trying to achieve it, rather than the various clauses.

KF: One of our clients went through the standard clause by clause and asked: "What does that mean? What have we got? What do we need to do?" They captured it in simple language because, when they were having conversations with their wider workforce, they had something that was meaningful to them. It's easy to click into auditor speak and talk about clause or context or participation or outsourcing. That's the language of the standard and it doesn't necessarily translate into the language of the business.

NW: For those looking to certify to the standard, what should they be looking to prioritise?

KF: Doing a gap audit is an important starting point because it benchmarks where you are and then it can help to prioritise where you need to go to. The other area worth considering early is how you're going to manage culture and how you're going to demonstrate how you measure it and then demonstrate continual improvement because that's a key theme in 45001, which is different from any existing international management standard.

TF: Clients should do a gap analysis on what they're trying to achieve and where they are at that moment.

A lot of organisations do understand what they're there for as a commercial entity but when you ask them, "How do you communicate? How do you engage?", that's a totally different question. We are going into a more in-depth assessment of the effectiveness of the process. That's a challenge to both the clients and assessors because it's a different approach. The way the standards are written, they shouldn't need lots of fine-tuning year on year or lots of revision. They're written quite well, so they should stand the test of time.

MC: When doing the gap analysis, don't start at section 4 of the standard, which is very common. Section 3, the definitions, is important because there has been a big shift in terminology in the high-level structure. Look closely at the definitions and at the text. You probably need to go through it two or three times to absorb it. Then it's that question: "Okay, that's what it's saying but what does it mean in the context of my organisation?" It's easy to read these standards as having been written and more applicable to larger organisations. The high-level structure uses a terminology that speaks a little bit about larger organisations. It's not intended to mean that the standards and principles don't apply to smaller organisations. If you're a large multinational, you do have quite a job to think about how to communicate across time zones and cultures. If you're a small organisation with a few people co-located in one place, that communication is a natural process.

NW: Should companies continue to use a manual to record and document the management system?

KF: 45001 moves away from having documented procedures to having documented information. In the standard's annex it talks about any documented information that you do need, and there are elements that are required to be documented information, but they are proportionate. It talks about making sure that you're moving away from a bureaucratic system to something that is easier, manageable, and using technology to record information. It's not necessarily about the written word, but pictures or videos or animations. There's much more flexibility for being more innovative.

MC: My advice would be to start from thinking about, "What are the essentials? What is the minimum?". Don't over-elaborate it. HSE colleagues who participated in the UK mirror committee and the development of 45001 were passionate about the word "proportionate" and keen to make sure that message came through loud and clear. Lloyd's Register is delivering some of its management system information to technical colleagues in the field on a mobile phone app. It has improved accessibility. Sometimes it's not about what the documentation is; it's the form and accessibility.

GH: We don't encourage companies to undergo metamorphosis when they go from the old to the new standard. Try to rationalise documents that are obsolete or redundant. We find that the manual is a very good signposting document. We encourage companies to go for an integrated management system manual.

TF: The use of a manual is dependent on the organisation. You're there to meet the needs of that organisation. Traditionally, a lot is carried over or is a comfort blanket for the older versions of the various standards. I would say: "What benefit is that manual delivering to you now? Is it something you dust off the shelf two days before the assessor arrives and therefore what value is it adding to the business?" It should be a live activity integrated into the normal operation of the business.

GH: But do you not feel that, if you're going to a company for the first time and they have a concise manual, it's the easiest way of understanding how they structure their own management system or systems?

TF: If it works for them, manuals are great. That's the message from the standard. It should be perceived as a far more flexible document than it ever has been. The Annex SL Framework has brought in management system flexibility that needs to be applied to a particular organisation. If a manual works, great. If it doesn't, maybe it's time to review, reduce or eliminate it over time. Development. Continual improvement.

NW: What challenges have early registrants found around "context"?

KF: If organisations aren't familiar with the high-level structure, context does seem a bit daunting. Start by identifying what can have an impact on your organisation, internally or externally. That might be regulation externally; it might be insurance requirements. Brainstorm them.

GH: We'd recommended a SWOT analysis which will pick up the internal and external issues. Notwithstanding that the standard doesn't require documented information for clause 4.1, companies should document their context. The strengths and weaknesses are identified as the internal issues and the opportunities and threats are picked up from the external issues.

MC: It is that structured analysis. It's a reminder for organisations that the management system is there as a risk-management tool for the organisation, and so this context section, mysterious though it sounds, is the opportunity to think, "What are we trying to achieve? In what environment and landscape are we trying to achieve it, and what's our internal situation? Are we an organisation that values and works systematically to procedures or are we an organisation that likes a lighter touch and is more dynamic and flexible?"

TF: It's that initial interpretation of the language. Once you get past that, context is understood. Most organisations do this without even thinking. One of the difficulties of using Annex SL across various disciplines is that, because they understand context in, say, a quality scenario, then it's not necessarily an easy transition to say, "But in occupational health and safety it changes the dynamic". It's getting into their roots of why that was perceived in that particular way, or why is it an opportunity not a risk, or is it a bit of both?

KF: One of the early learnings that our clients found, particularly with that clause, was that, if they had ISO 9001 or ISO 14001, and therefore they had context within one or both of those management systems, they assumed that they could carry that across almost wholesale into 45001. Although a lot of it is there, and you can carry a lot of it across, you do need to consider what is different for each of those elements from a health and safety point of view. It is important to really look at the detail because, for instance, it talks about workers of interested parties in 45001 rather than just interested parties in, say, 9001 and 14001. That was something that some of our clients missed to begin with.

GH: Companies should have a single context document that reflects whatever management system standards they are complying with, rather than separate contexts. In "Early doors" [see IOSH Magazine, January 2019], one of the early registrants said that if a company didn't understand its context it wouldn't be in business for very long. That also applies to the management system side as well.

NW: One explicit requirement of the standard is that management has to demonstrate leading and managing safety culture. What should they be doing?

KF: Being visible, being on site, understanding and demonstrating that they are committed to looking after their workforce and making the workplace healthy. One thing that a lot of organisations often fail to clearly show is they're getting more involvement from the workforce and implementing workforce suggestions. It shows that the commitment is there. 45001 does require leadership to protect workers from reprisals. [It] is going to raise standards on occupational health and safety around the world because it's going to ask organisations to do things that aren't necessarily part of their legislative framework.

NW: What particular challenges do you see for companies that operate in other parts of the world?

GH: The absence or the disregard of legislation. It's difficult to build a management system around a culture that isn't conscious of protecting workers or, indeed, protecting the environment.

MC: Where the natural culture is top-down and controlling, those requirements for worker participation and consultation are much harder to get going. Another thing is the cultural difference between places where health and safety defaults to safety. I'm not sure that this standard has gone as far as it was originally planned in trying to emphasise health. It's one of the things that is good now about the fact that BSI has published a specific guidance standard on the health side of health and safety. It's not the words that are wrong in the standard. It mentions health and safety very equitably. The problem is often with us as the people who apply the standard because health issues are often less visible, less immediate. In organisations where the OHS function is led by medical practitioners, you see the health side coming through in a very powerful way.

TF: We've talked about the cultural and legislative framework. A lot of cultures aren't really driven by the legislative framework. We should be arguing the point on grounds other than the legal requirement. It's about looking after people.

NW: Has anyone seen any innovations in health?

MC: One of the first deliverables for the new technical committee which owns 45001 will be a guidance standard on psychological risk in the workplace. We already have UK guidance material on that topic, but that was seen as one of the early priorities for the ISO committee: that there should be something international, specifically around psychological risk.

KF: The emphasis is there and also when it's asking organisations to look at hazard identification, it starts with psychosocial risk: work hours, bullying, harassment. In case anybody has missed it, it also does talk about the fact that leadership and culture are hazards.

NW: Organisations need to define external issues and interested parties. This could be a much wider remit than they had anticipated.

GH: Companies should go through the iterations 4.1, 4.2 and then into 6.1 so that they understand the context and the needs and expectations of interested parties before they undertake a risk assessment.

KF: When you start looking at this there's a temptation, particularly for maybe smaller organisations who aren't familiar with the language or what's being required, to think they've got to chase a rabbit down a warren. That it is never-ending in terms of interested parties. But take a moment, step back, pause and be sensible and proportionate about it. Think about who's going to be impacted and that's generally your group. You might have what seems a long list of interested parties, but it doesn't mean that you've got to do something with them all. It's a logical step: "Who are they? What might their interests be? Do we need to do anything or don't we?"

TF: It's quite an empowering opportunity because that context is a very dynamic element and could change on a daily basis. It's having the mechanisms to connect that to the rest of the organisation and that it works in an effective way. So, if it isn't right, you can change it. It's having that flexibility.

MC: It is an opportunity to look forward slightly, which doesn't always happen. We tend to default to the way things are today. Having that look-ahead can be an early opportunity to start tuning the management system in anticipation.

KF: Coming back to leadership, 45001 does ask that the top management looks at the strategic objectives of the organisation and it is forward-thinking. The feedback we've received is that, because the management review is more detailed, clients are seeing much more engagement from leadership about those conversations.

NW: What are the good components of worker participation and have you seen any good examples?

TF: Communication is the key. Both transparent communication and a culture whereby it's encouraged. If somebody feels confident to stop the chief exec when he's doing his site walkover and say, "You're not doing that" or, "You don't need to be there", that cultural indicator is a barometer of how effective worker engagement is. Does it happen at two o'clock in the morning or does it change? After five o'clock in the afternoon, does the culture change to such an extent that the organisation doesn't operate in the same way?

GH: Look at the clause and how prescriptive it is in terms of participation. Based on that, we would expect worker involvement in risk assessments, in incident investigations, in conducting audits and walkabouts and inspections -- that they're actively involved in the health and safety management system rather than standing back and looking at other people getting involved. We've seen companies that didn't have a strong worker participation now realising that it's in their interest.

MC: Previous standards have alluded to the value of worker participation but then been selective in specifying what it should be. This represents a step forward. It says workers should be involved in the whole plan-do-check-act cycle, and it comes through clearly that, if you're involved in the planning, you're probably more committed to the delivery. The benefits of having workers involved in all those conversations around that whole cycle will spin off way beyond occupational health and safety. The signs we're getting is that it does have that ripple effect.

KF: We started this conversation saying you don't need to change your terminology -- but I know one organisation that has changed its toolbox talks to "participation briefings". They made that decision because they felt it was an easier way to explain to their workforce how they were demonstrating conformance to 45001. Another company is using QR (quick response) codes, so each site has an individual code linked to a reporting app. If a worker sees an issue or good practice, which is important because 45001 talks about opportunities, they can scan the code. There are just a few questions on the app. It then gets sent through into a central database where the information is held and analysed to look for trends. If an individual was concerned about reporting something, they could do it anonymously.

TF: It's interesting that technology is playing a vital role in this communication process. We talk about apps. The traditional methods are to some extent falling to the wayside. It's more dynamic, it's more responsive. The communication process in organisations is changing to reflect society.

GH: I'd have concerns about the use of some of the software that's used for different elements of management systems, audits, risk assessments. It works well if the company has a robust system in place before they try to implement it electronically, but I found a lot going through the motions with some of the software.

NW: We've looked at continual improvement. Do you have any good examples?

MC: The word continual has been the source of some discussion and it continues to be in the way the standards are written in the future. That tends to lead us to think in terms of these small incremental, year-on-year improvements that we can make to our systems to enhance performance. But we also need to link it to the word in the standard -- "opportunity". That opens up a whole issue of those more transformational but perhaps more occasional changes that can be made in the life of the organisation where a particular set of circumstances come together and enable something more dramatic to be done with an OHS benefit. That's about asking the question: "Are there decisions being made about the future of the organisation in which the OHS function isn't represented and isn't contributing, and hence are we in danger of missing an opportunity because things roll along without that OHS input at that critical time?" That's probably where the greater gain is for many organisations that are already attuned to continual improvement.

GH: The opportunities for continual improvement are quite evident from a reading of the standard. Companies should take the opportunity to give feedback to workers or workers' representatives about where continual improvement is occurring. That feedback can come via the management review clause or the audit feedback, for example. They should communicate where continual improvement has been achieved.

NW: One area we should touch on is how it could help to raise the standards across the supply chain.

MC: It's an issue of concern to ISO technical committee 283 because we're very conscious that one of the few metrics we have around the penetration of the standard relates to certification. If you look at global OHS performance, it's the performance of smaller organisations that is probably the greatest concern. That's the landscape in which the world of standards has least impact and least penetration, and it's also the world in which certification is probably least relevant. One of the technical committee's objectives is to try to improve the uptake and use of the principles embedded in these standards among smaller organisations because that's where we'll hopefully see the greatest potential improvement in global OHS performance. That's the challenge. How do you access that SME sector?

The danger is that you get OHS management pushed down supply chains and sometimes certification pushed down supply chains. There are two issues with that. When things are imposed, it becomes something of a grudged purchase and people tend to take a tick-box approach. But perhaps the bigger concern is that organisations tend to expect their suppliers to have management systems like their own. If we understand anything about the context section of the standard, the one thing it's telling us is the management system ought to look pretty different because it's a different organisation. If we rely on the supply chain to be our vehicle for communicating and influencing smaller organisations, we need to remind people to look for something appropriate to their supplier's context.

TF: From a certification body and assessment organisation, one of the key messages and benefits that we want to deliver to our clients is that the registration is to some extent a secondary consideration to the process. It shouldn't be the primary driver. If you embrace the intention and the requirements of the OHS management system, to make it effective in your organisation, continual improvement based on action will be a natural output anyway because of the way it's structured. We should be selling and banging the drum for the benefits, that "protecting workers" is the right and good thing to do. That's the primary goal of the management system.

KF: We are seeing it cascade down the supply chain. There are no two ways about it, but in some circumstances that's for very good reasons. We're seeing it in automotive so, for suppliers within the sector, the [International Automotive Task Force] does recognise that 45001 has value and can be a good way of demonstrating health and safety management for an organisation. For our global organisations, there's much more focus on the sustainability or the corporate responsibility agenda. For larger organisations they recognise that they are in a position to help and encourage smaller organisations to do that. But, if it's mandated as a must-have and it's got to look a certain way, then the system is broken and it is not going to work.

GH: We have found the implementation of that particular element of the standard to be the most problematic in that larger companies aren't quite sure what level of control they need to impose on their supply chain. Companies should adopt a more nuanced approach, particularly with the smaller contractors. By all means, encourage them to implement management systems or to implement or improve their health and safety performance, but do it in a way that allows them to implement it subject to limited financial or human resources within the smaller company.

NW: Are there any key areas that we've missed?

KF: It's worth highlighting that 18001 has a limited lifespan and will be withdrawn in March 2021. Organisations that wish to maintain their health and safety management system will need to migrate to 45001. There are different ways organisations can do that. They can do it in a single go or they can do it over a period of time. There's quite a lot of flexibility but organisations do need to start thinking about what that journey is going to look like so that they don't find themselves in February 2021 with a couple of weeks to go and lots of work to do.

MC: It's about planning and planning with your certification body because they too have to plan to have the resources available when you need them. If everybody wants to be certified in the last three months, not everybody is going to get what they want.

GH: Companies should look at their documented information and not necessarily transfer all of their documents to the new system. They should take the opportunity to rationalise some of their documentation.

TF: Perform some form of strategic gap analysis. "Why do you need the standard? What's driving you for that requirement?" Don't see it as an intimidating barrier. It's an enabling management system. Don't be intimidated by the terminology or the clause numbers. It's about practical, effective operational control.