ISO 45001, the first international safety and health management systems standard, was finally issued on 12 March, five years after it was proposed. The standard will replace BS OHSAS 18001 over the next three years. It differs from that standard in that it is a globally-agreed model for an OSH management system and because it shares elements with the other ISO management systems standards for environmental and quality management.
We brought together four specialists from BSI, the British safety Council, EEF and NQA in London to explore what auditors will be looking for, including evidence of committed leadership, employee involvement and awareness of organisational context.
LOUIS WUSTEMANN (LW): If an organisation is already certified to BS OHSAS 18001, what will be the main changes it has to make to be certified to ISO 45001?
MIKE DENISON (MD): It depends on where the company is at the moment. If they are switched on and have 18001 for the right reason, to use it to drive performance, it's not going to make a huge difference; they have already got leadership buy-in. The companies that have 18001 because it's a contractual requirement [from their customers] may have some challenges, particularly in getting away from a single management representative and bringing the whole leadership on board and involving their workers more.
TERRY FISHER (TF): I think "context of the organisation" is the other issue that a lot of clients will initially struggle with. The standard is written in audit language and people ask: "What do they mean by context?" So we need to break it down into bite-sized chunks and look at what an organisation is and what it does. You have to unwrap it, really.
Mike Denison, health, safety, climate and environment consultant, EEF
Mike Denison represents the EEF and UK manufacturing on the BSI committee responsible for the preparation, publication, review and revision of ISO 45001. He is an experienced safety and health professional and has worked in a range of industries, including manufacturing, construction, utilities and property management. Mike has experience of OSH issues from a client, consultant and contractor perspective and has worked with organisations from the shopfloor to executive levels. He has implemented and managed a wide range of management systems.
They need to not rush it. There's a three-year transitional period if you are already certified to 18001 so you don't have to rush to be the first to do it.
SALLY SWINGEWOOD (SS): Building on 18001 is about shifting the mindset slightly. You can already do this, you are already demonstrating it, you just have to provide the evidence. You also have to ensure it is a cultural thing. It's not for experts or one department; everybody is involved in health and safety management.
DAVID PARR (DP): Although organisations with mature safety management systems won't find it as hard as organisations coming to adopt it from scratch, I feel we shouldn't underplay that there are significant changes in the leadership area. The new standard is much more strategic and about integrating safety management systems and the culture into the whole organisation where 18001 doesn't demand that.
LW: If you were aiming for certification to 45001 in a year's time, what would you do first?
SS: A basic gap analysis initially, but if you have 18001 and are embracing its intent you are well on your way. Your gaps aren't going to be that large and you'll distinguish fairly easily where you need to start.
TF: Yes, you know your organisation best and where the gaps are. An external agency can't come in and know that better. It's about integrating the requirements of the standard into the everyday business practice of the organisation. You may be going for the standard for various reasons, including commercial ones, but it's about getting the benefit of the management system overall.
MD: Coming back to worker participation, if we are going to talk about that being throughout, from policy writing down, you need the workforce onside as early as possible and start to engage them on why the company is doing this. You have to be clear with the workforce what you are doing and what you need from them, trying to build their commitment.
Terry Fisher, occupational health and safety principal assessor, NQA Certification
Terry Fisher is an experienced safety and health professional and auditor who specialises in OSH. He has extensive experience working across a variety of public and private organisations and industries, including the automotive sector, heavy engineering, medical manufacturing, general manufacturing, transport and logistics. Terry is an IOSH member and a recognised OHSAS 18001 trainer for new third-party assessment auditors who deliver safety-related auditor training courses. He has spent most of his career in safety operations and management efficiency. Terry's wealth of knowledge has led him to a principal assessor role at NQA.
Continual improvement can be anything: training, gym memberships, health and wellbeing campaigns
LW: If you start new arrangements for worker participation shortly before certification, are auditors going to discount that?
MD: I think so. Most organisations have a traditional safety committee looking at accidents and so on. But how involved are they in policy and procedures and proactive things? Auditors will see if it's dropped in at the last minute for their benefit.
LW: So that would be something to improve as early as possible.
DP: The standard is based on the plan-do-check-act principle. That combines systems and behaviours, so you can have the systems in place but it's demonstrating the behaviours and the implementation of the system that will perhaps be more challenging. So if processes are relatively new, especially in [worker] participation, it may be hard to show implementation.
LW: We've already touched on leadership as an important requirement of the standard. Can you add some detail on what auditors will be looking for?
TF: One of the biggest issues traditionally has been the appointment of a safety manager in an organisation. That's allowed it to be sidelined [as in] "You get on with the safety management and we'll get on with running the business". Those things need to be integrated for 45001.
MD: A lot of companies have done it already. Organisations who have [quality management standard] ISO 9001 have tried to integrate it into what they do -- customer satisfaction and product quality. They have tried to build responsibility for those into everybody's job. They can do the same for safety. Make sure everyone understands their responsibilities and what's expected of them. Participation comes into that again.
DP: A lot of the verification and assessment of the levels of leadership in an organisation go back to the plan-do-check-act model. One of the explicit requirements of 45001 is top management "developing, leading and promoting a safety culture" throughout the business. That's a little more difficult for an auditor to assess. I think you can only do that through access to top management. For 18001 audits senior management haven't always made themselves available. There will be no getting away from that with 45001. The auditor will have to talk to the top management and see their genuine commitment and how they can demonstrate it. It goes deeper than signing a safety policy and attending safety committee meetings: they are going to have to prove to the auditor they are providing adequate resources, supporting managers at all levels. Have senior managers got personal health and safety key performance indicators [KPIs]?
Sally Swingewood, lead programme manager, British Standards Institution (BSI)
Sally Swingewood is a lead programme manager in the UK national standards body's governance and resilience sector. She is responsible for building relationships with national and international experts and developing standards in quality management, OSH management and auditing management systems. She has in-depth knowledge of management systems both through industry experience and standards development work. Passionate about providing excellent service, fairness and equality, she is exploring new tools to help small and micro businesses. She has more than 20 years' experience of publishing and management.
You don't need to provide extensive documentation about context. When you are having those conversations with the auditor you just have to show you are self-aware
LW: When you say top management, does that mean the auditor might conduct interviews with several directors?
SS: It could do.
LW: How would health and safety practitioners help them prepare for that kind of interview?
SS: You shouldn't have to prepare them. You should be working so that top management know what's going on and are committed. And not just safety but health. Top management can help to prove that commitment by promoting a culture that looks after the people who work for them in the wider sense. Do you have stressed workers? You shouldn't have to prepare the top managers; they are accountable. They always have been but now they are explicitly so.
TF: An assessor may well verify leadership from the ground up. These discussions or interviews with senior management may be carried out after they have sampled the various activities so they have a feel for the culture and the resources and the environment.
DP: We can't get away from the fact that it has to be driven from the top because, like it or not, top management dictates an organisation's culture. These are explicit requirements on top management.
SS: I think it's going to force them out of their ivory towers, out of the boardrooms. I think it will force them to walk the shopfloor a bit more and get to know their operations at a practical level more than they have before. So it's not just about being briefed, it's about seeing with their own eyes.
DP: All the things we've just said, if you were a senior manager why would you not want to do them?
LW: Will auditors be monitoring the quality of leadership by talking to people other than the leaders themselves?
MD: I hear a lot from senior management teams that safety is number one on the agenda at their board meetings. [My response is] So what? What did you do on the back of that? It has to be important rather than just be seen to be important.
David Parr, head of audit and technical, British Safety Council
David Parr joined the British Safety Council in 2005 and has been instrumental in the development, ongoing management and delivery of its audit and consultancy services and products, including the remodelling of its Five Star best practice audit. He is a member of the British Standards Institution's (BSI) HS1 committee and is also on the development panel for the forthcoming BSI guidance on the new ISO 45001 safety management standard. He provides technical management for safety and health consultancy projects for clients in the UK and internationally. Parr acts as the British Safety Council's internal health and safety adviser and has ensured its safety management system has been independently certificated to the BS OHSAS 18001 standard for the past three years.
If processes are relatively new, especially in worker participation, it may be hard to show implementation
DP: When you are auditing there is a common response from senior management: "Safety is our number one priority". But they get a bit stumped when you ask why. It goes quiet. The answer should be that it's part and parcel of everything we do, part of good management.
SS: And I think we are moving towards that. We have had these silos in the past for health and safety, quality and environment and they are all very important and not talking to each other. A successful organisation looks after all of its parts all of the time. It's a holistic vision. You can't do it with some people saying, "Safety is our number one concern" and the finance director [FD] saying, "No, money is our number one concern". It's got to be integrated.
LW: So OSH practitioners will have to make a case to FDs for the financial benefits of good safety and health, so the FDs can talk about that to an auditor.
SS: If you are looking after your workers' health as well as their safety you are going to have fewer lost days, higher production.
MD: And better staff retention and all the benefits of a happy, healthy workforce who want to do a good day's work.
TF: Organisations need to remember that people are their biggest asset and their biggest financial contributors. They need to get good value from them and to look after them. The standard has to be seen as much as a business management tool as a health and safety management tool. They also shouldn't look at the management system with a clause-by-clause approach. It's not "Leadership: tick the box, we've done that, let's move on to operational control"; it's a management system and all the parts interrelate.
LW: Moving on to worker participation. It's a major element, as David says, and was strengthened in the standard's redrafts. What do the components of good participation look like?
MD: It needs to be more than just your quarterly safety committee. We've mentioned KPIs for managers. I've worked in an organisation where every worker had a KPI for safety. So it's not a bolt-on; it's part of everyday activity for everyone, whether it's risk assessments or inspections or audits or whatever. So training is needed, then talking to the workforce and listening to them.
LW: How much will auditors be looking at employee input into OSH procedures?
TF: I think they will ask if there has been participation in risk assessments, hazard reporting, all the operational stuff. [The workers] know the hazards.
SS: Everyone from top management down to a volunteer who comes in on a Saturday is a worker. So everybody needs to know they are part of that conversation and their input is valid. It's not us and them; it has to be a collaboration.
MD: Homeworkers, mobile workers as well, how do we show they are engaged? It's going to be awkward for the auditors to check and awkward for companies to prove as well.
SS: For those workers who are travelling a lot or work from home or are part-time you are going to have to have different ways of communicating with them and ensuring they participate.
LW: So part of your initial gap analysis might be to check whether any group of workers isn't covered by your participation arrangements?
TF: That links to clause 4 [context of the organisation], which talks about needs and expectations of different groups inside and outside the organisation.
DP: Participating is actively being able to demonstrate that all the workers are involved in the decision-making process and in continual improvement. We encourage our auditors to ask people at all levels, "Do you feel empowered to intervene if there's a health and safety issue?" and, "Do you feel the culture is right?". If the culture is such that people can do that, it shows there is strong leadership as well; it's all linked.
SS: This is working together for the good of us all. I think 45001 is an enabling, empowering tool. It says you have to prove you are working like that. You can't be stuck in the past where you just tell people what to do.
DP: Most organisations in the UK will have consultation forums but do they contribute to decision-making or are they just sounding boards where quarterly they will raise issues like the lightbulbs being out in the men's toilet? Often, that's all it is. Often, decisions are taken before the consultation.
LW: Can we look at the requirement to understand the "context of the organisation"?
MD: It's where you fit in with your supply chain and customers, what the standard calls "interested parties". Where does the business sit and what are its goals and objectives? That needs to be clear.
TF: You just ask: "Why do we do that? What are we trying to achieve with that?"
SS: It's not hard. It's self-awareness isn't it? As individuals, until we look at ourselves and ask ourselves questions, we might not understand our motivation and how we are affecting other people. But we do know the answers and it's the same with a business. You do know who your interested parties are. You do know how big your organisation is and what activities it does. It's how they interlink and how the jigsaw works.
MD: It's the senior management team sitting down and talking those issues through.
DP: It's thinking outside the box a little. Most organisations are focused on their activities but actually they need to think about what factors can impact on the success of the health and safety management system. A bit of lateral thinking. What about neighbouring properties, for example? Environmentalists have been thinking about that for a long time.
SS: Do it pragmatically. Sitting in the middle of London you probably don't need to worry much about volcanoes, for example, but there are other factors. Is there a flood risk? What would we do in a terrorist situation? If you are in rural Wales there would be a different set of health and safety considerations for the context. And you don't need to provide extensive documentation about context. When you are having those conversations with the auditor you just have to show you are self-aware.
DP: Local authorities, for example, are directly affected by political change, by funding changes from government and that is bound to have an effect on the safety management system in terms of resources. So risk-profiling at an organisational and operational level is key to clause 4.
SS: In that example, if there are political changes I can't control that in an organisation, but I have to mitigate the risk. This brings us to the thorny area of outsourcing, contractors and supply chain. They are part of your risk and are affected by your activities. You need to talk to them.
LW: How far down its supply chain does an organisation have to look?
MD: As far as the organisation thinks is important, I guess. How much impact is that supplier going to have on them if something goes wrong? Some of our member companies in the automotive sector work on a just-in-time basis for their deliveries. Their suppliers work in the same way. If there is an accident at the bottom of the chain, it affects everybody and will have a big impact on them.
LW: Safety and health has always lagged environmental management in influencing supply chain behaviour. Do you think the standard will promote more of that influencing?
MD: They will need to evidence that for an auditor coming in. The clause is there about outsourcing.
TF: It's directly linked to the procurement process, isn't it? It can't be just, "Oh well, it was a very risky process so we outsourced it to Fred Bloggs down the road". It's about how you manage that to reduce or control the risks to the level of your influence. And it's also about reputation, which is also a commercial consideration.
DP: I think clause 8 in the new standard on procurement, outsourcing, appointment and management of contractors is a massive step forward from 18001. Auditing in the UK and internationally, it never ceases to amaze me how an organisation can be really mature and have a really good safety management system but will allow contractors on the premises who are a million miles away from their standards. On satellite sites you have the local electrician who has been coming to the site since time immemorial and there the management of contractors is loose.
LW: Will auditors be going to talk to suppliers?
SS: It depends on the context. There will be times when they have to talk to suppliers and contractors if the organisation has enough influence on their safety performance or the other way round. In some organisations a paper review will be enough and in others it won't.
TF: On the day of the assessment there will often be external contractors on the site, so they can chat to the contractors about their experiences.
LW: Management systems certification has sometimes been criticised as being just a paper exercise. It doesn't sound like that's possible with 45001.
DP: As I said earlier it's based on plan-do-check-act, so it's about if and how it's being implemented and whether that's effective. [An auditor] can't do that just by looking at a process. You have to go out and watch it taking place and talk to people, including the contractors and suppliers. I can't see how you can audit this standard to an effective level without engaging with those groups.
SS: I think the organisation has the right to demand a proper audit. If you have someone who wants to sit in an office and do a paper review, sack your auditor. Get somebody who will do the job properly because you want the benefit of this, which is to save lives and protect people. You want somebody to point out where there are opportunities for improvement.
Improvement as standard
LW: The standard requires those who are certified to demonstrate continual improvement. Will auditors be looking for anything different in improvement from the similar requirement under BS OHSAS 18001?
MD: In safety a lot of companies have done the lagging indicators, the accidents and the sickness absence. But do they analyse whether the sickness absence is work- or home-related and whether they can do anything to influence it and be more positive? But they need to look at the leading indicators as well.
TF: It's not different from the requirement in 18001 but it has the potential to be more diverse. People have very fixed views about how they demonstrate continual improvement, whereas it can be anything: training, gym memberships, health and wellbeing campaigns. There's a whole range of things.
MD: You do a risk assessment and introduce some controls. That's an improvement you are doing all year round without thinking about it.
SS: And you can improve your management system, make it more effective. You can demonstrate that or better processes for worker participation. That is improvement.
DP: Your top management reviews and so on. The outputs from those are continual improvement.
TF: That's why objectives are integrated into the management system. That's a way for you to identify the key areas you want to improve in a particular time frame or circumstance.
MD: Again, you don't need a mass of documentation to prove it. It will come out in the audit discussions.
LW: From everything you are saying it is clearly better to set up the system, then go for the certification once you feel it deserves it rather than setting up a system to go for the ISO 45001 badge.
SS: The certificate won't make you a better organisation; embracing the standard will. There is a huge opportunity for top management here to look good, focusing on how they make their organisation a better place to work.
TF: It will deliver benefit; it's a proven management model. It's very contemporary, it's very flexible, it's very organisation-focused. It says you will meet the requirements based on your own needs and requirements. What more can they say? It will deliver benefit to the extent that you embrace the model.
SS: If you just say here's a bit of evidence for requirement one and here's a bit for requirement two, you'll get very limited benefit from that. It's got to be a whole-organisation approach.
MD: With that word "enthusiasm" throughout.
LW: Is there any final advice you'd like to offer readers?
MD: They need not rush it. There's a three-year transitional period if you are already certified to 18001 so you don't have to rush to be the first to do it. Better to do it meaningfully. On the other hand please don't leave it three years and then think, "Oh, we had better do it now". Talk to your certification body and work with them.
TF: I'd say embrace it. There's nothing to be afraid of.
SS: Don't see it as a burden; see it as an opportunity to improve. Take it step by step at a steady pace that can be maintained. Every little bit that you improve on and change will bring a benefit.
DP: All of the above. It can only bring benefits to the organisation. Embrace it.
SS: And remember that it's yours, it's your management system. Make it work for you. Do what feels right for your organisation.