The incorporation of Annex SL into the ISO 45001 standard is a key driver towards the 'risk-based approach'.

If ISO 45001 follows in the same vein as the 9001 and 14001 standards, which is likely, then it'll be necessary to determine the risks and opportunities, plan actions to address them, implement the actions in occupational health and safety management system processes and evaluate the effectiveness of these actions.

Taking a risk-based approach ensures your organisation is proactive rather than reactive, preventing potentially damaging events and promoting improvement. Once a management system is risk-based, preventive action is automatic.

While risk is commonly understood to be negative, risk-based thinking allows for opportunities to be found – this is the positive side of risk. Analysing risks can often bring forth opportunities for improvement and enable businesses to make strategic decisions. Applying a robust management system can also be considered an important aspect of risks and opportunities.

Determining risks and opportunities

Many professionals approach Qualsys for advice on how to determine risks and opportunities and the appropriate level of action to take to address them.

When planning for your occupational health and safety (OH&S) management system, you should identify the risks and opportunities you must address to:

1. Ensure that your management system can achieve its intended result(s)
2. Reduce any undesired effects as far as possible
3. Achieve continual improvement.

Put simply, to determine risks and opportunities, you must first determine your organisation's objectives before you can identify potential events that may prevent you from achieving those aims.

Analyse and prioritise

ISO 9001:2015 and ISO 14001:2015 define a risk as "the effect of uncertainty on an expected result". It's highly likely that this definition will again be applied to ISO 45001. If this is the case, then it follows that:

• an effect is a deviation from the expected – positive or negative

• risks are about what could happen and what the effect of this happening might be

• risk also considers the likelihood of an event occurring.

There are various methods to approaching ISO 45001 risk-based thinking; which method is appropriate is determined by the nature of your organisation.

In smaller organisations, it may be sufficient to simply provide appropriate records of risk-based thinking and to ensure control of business processes (e.g. regular reviews of documentation, clear sight of training and competencies, sufficient data for analysis and continual improvement).

In contrast, many busy teams in larger organisations use risk registers as a framework for assessing, evaluating and prioritising risks. Risk management software such as EQMS Risk Manager enables you to identify and assess risks looking at 'likelihood' and 'impact'. EQMS Risk Manager's workflow means you can assign responsibilities and set deadlines to ensure risks are dealt with rapidly and efficiently. EQMS triggers escalation to guarantee critical actions never go ignored.

Planning and implementing actions to address risk

Planning actions to address risks and opportunities can include:

• avoiding risk

• eliminating the risk source

• changing the likelihood or consequences (likelihood and impact)

• sharing the risk

• retaining risk by informed decision

• even taking risk in order to pursue an opportunity.

When doing your own planning, it's again imperative that you consider the context of your organisation. For example, the process of planning actions to mitigate a potential fault with a nuclear reactor at a power plant will be much more thorough and meticulous than planning actions to mitigate the risk of paper cuts.

Similar to this, the risk presented by polluted air in a country with whom an organisation has little trade or links is minor in comparison to the country in which it mainly trades and operates. It's essential to understand your organisation and its strategic direction as this will enable you to determine and address the associated risks.

Many organisations use risk management software such as EQMS Risk Manager to implement actions to address risks. EQMS Risk Manager enables you to create automated workflows for addressing risks, highlighting responsibilities and sending email notifications of various tasks to the relevant individuals. This ensures actions to address risks are completed via a closed-loop process.    

Check the effectiveness of the actions – do they work?

In simple terms, to check the effectiveness of your actions to address risk, you need to ask, "Do they work?". There are various methods you can employ to do this, including:

• Audits and internal reviews

• KPI analyses

• Project evaluations

One important aspect of this checking involves having the right data available to make informed decisions. By improving how you aggregate risk data, you can strengthen your capability in making judgements about risk. This leads to gains in efficiency, reduces the chances of loss events occurring, and enhances your strategic decision-making.

Many organisations are now employing KPI dashboards such as EQMS Dashboard to provide instant access to real-time management information. With an overarching view of key performance indicators that are determined by management, organisations can track performance in critical areas and make informed decisions.

Instant access to risk assessments, audit reports, customer complaints, non-conformance and CAPA statuses and document notifications give you the ability to 'take the temperature' of your organisation, carry out trend analysis and demonstrate that you are operating a 'culture of compliance'.

Moving forward

The ISO 45001 standard will likely encourage organisations to build risk management into their entire management system.

With risk-based thinking, you're able to adopt a risk-based approach to improve customer confidence and satisfaction, and to establish a proactive culture of prevention and improvement.  With such explicit benefits, this can only be seen as an opportunity and a step in the right direction.

What you should do now

Download the EQMS Datasheet Pack to learn more how EQMS Risk Manager can improve your approach to risk management.