BSI Standards Publication
45002‑2:2019
The BSI copyright notice displayed in this document indicates when the document was last issued.
ISBN 978 0 580 98865 3
Contents
Foreword
0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
5 Leadership and worker participation
6 Planning
7 Support
8 Operation
9 Performance evaluation
10 Improvement
Bibliography
Foreword
Publishing information
This British Standard is published by BSI Standards Limited, under licence from The British
Standards Institution, and came into effect on 28 February 2019. It was prepared by Technical
Committee HS/1, Occupational health and safety management. A list of organizations represented on
this committee can be obtained on request to its secretary.
Presentational conventions
The guidance in this standard is presented in roman (i.e. upright) type. Any recommendations are
expressed in sentences in which the principal auxiliary verb is “should”.
Commentary, explanation and general informative material is presented in smaller italic type, and does
not constitute a normative element.
0 Introduction
Understanding risks and opportunities is vital to improving how well an organization manages
health and safety.
Managing health and safety is not simply looking at what the organization does and identifying risks
from, for example, working on a roof or handling chemicals. An effective occupational health and
safety (OH&S) management system uses risk-based thinking at every stage.
Risk-based thinking is not complex. A person automatically makes risk-based decisions.
a) When making a hot drink, we automatically hold the kettle by its handle to avoid burning
ourselves and choose a cup suitable for containing boiling water.
b) When crossing the road, we look for a gap in traffic or decide to use a crossing.
There are different types of risks and opportunities to consider, including:
1) OH&S risks to workers (what can hurt a worker?; what can make them ill?);
2) risks to the management system (what might stop the system from working well?, e.g. systems
not working together, technical breakdowns, lack of trained staff);
3) opportunities to improve OH&S performance (what can make your workplace safer or your
working practices healthier?, e.g. getting rid of faulty equipment or making sure workers take
regular breaks during their working day); and
4) opportunities to improve the management system (what can make all of the parts of the
organization’s system work better together?, e.g. better communication about what to do and
how to do it or what has changed, sharing knowledge and getting all workers involved).
1 Scope
This British Standard provides guidance on the identification and management of risks and
opportunities in an OH&S management system.
This British Standard can assist organizations in meeting the relevant requirements of BS ISO 45001,
Occupational health and safety management systems. It does not add to, subtract from, or in any
way modify the requirements of BS ISO 45001, nor does it prescribe mandatory approaches to
implementation.
The British Standard is suitable for use by any organization regardless of type, size or maturity.
2 Normative references
There are no normative references in this document.
NOTE Organizations can use this document without direct reference to BS ISO 45001; however, organizations
that wish to claim conformity to BS ISO 45001 need to refer directly to BS ISO 45001 when using this document.
Organization can also be used to describe one part of a business, e.g. one department or one site – if
that is the extent of the OH&S management system. Similarly, the term “top management” refers to
whoever directs or controls the organization – the top level decision maker(s). In practical terms, top
management can mean a small business owner, the executive board or, in a non-hierarchical structure,
everyone involved in taking high level decisions.
The definition of “worker” is also worth noting. In BS ISO 45001 worker is all-inclusive and refers to
everyone working under the control of the organization, including business owners, executive boards,
senior managers, interns, volunteers, all employees and contractors.
All of the terms and definitions within BS ISO 45001 can be found on the ISO Online Browsing Platform:
http://iso.org/obp [Last viewed 18 February 2019].
3.1 hazard
source with a potential to cause injury and ill health
[SOURCE: ISO 45001:2018, modified]
NOTE Hazards can also include sources with the potential to cause harm or hazardous situations, or
circumstances with the potential for exposure leading to injury and ill health.
3.2 risk
effect of uncertainty
NOTE 1 An effect is a deviation from the expected, positive or negative.
NOTE 2 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge
of, an event, its consequence, or likelihood.
The organization should always consider what its interested parties need and expect, as well as any
associated risks and opportunities.
For example:
a) Regulators: there are risks to the organization’s workers if it doesn’t comply with health and
safety law and there are also risks to the organization itself if law-breaking leads to prosecution
or closing the business.
b) Supply chain: the organization’s OH&S management system is at risk if contracted workers
are unaware and fail to follow health and safety rules. A contractor expects its workers to be
protected, but the contractor might also bring additional risks to the workplace because of the
activities being carried out, lack of health and safety training or lack of understanding of how
they are affecting other workers. On the other hand, there is also opportunity to share good
practice and knowledge.
c) Shareholders: there are risks if shareholders or the organization’s owners do not support
the management system by investing enough money or leading by example. Alternatively, if
shareholders or the owners invest time and effort, there are opportunities to improve both
health and safety and the management system.
6 Planning
6.1 Actions to address risks and opportunities
It is important to think widely about the types of risks and opportunities that can affect the
organization’s OH&S management system and take the time to understand them.
These include:
a) hazards to workers (anything with the potential to cause injury or ill health) and the related
OH&S risks (likelihood of being affected by the hazard and the potential severity of the impact);
b) OH&S opportunities (things that can lead to improving OH&S performance); and
c) risks to the OH&S management system itself and opportunities to improve it.
Not all risks and opportunities are equally important: prioritize and focus efforts on those that have
the greatest impact.
The starting point should be to think about what can harm people. This means both safety and health.
There can be many things in a workplace that have the potential to harm people – these are the
hazards. The hazard becomes a big risk if it is:
1) likely to happen; and
2) the harm to a person (or people) could be serious.
These are the hazards and risks that need the most attention.
It’s worth noting that safety risks typically involve distinct events (incidents), whereas the effects of
health risks can be instant or emerge over time, following exposure to a hazard.
Hazards depend on what an organization does and how it does it and can range from slips, trips and
falls, to life-threatening health conditions.
To identify hazards, take a logical, step-by-step approach – don’t forget to think about occasional
activities, such as cleaning or maintenance, planned or unplanned change (permanent or
temporary) or possible emergency situations (fire, explosions, attacks) which can lead to different
hazards and risks.
It can be useful to think about the different types of hazard, such as:
• physical (e.g. working at height, or in small spaces or extreme temperatures, fatigue);
• chemical (e.g. exposure to things like harmful liquids or fumes);
• biological (e.g. organic hazards like viruses, insects, bacteria);
• psychological (e.g. stress, harassment, overwork);
• mechanical (e.g. sharp objects, moving parts, machinery and tools);
• electrical (e.g. faulty electrical equipment, contact with an electrical conductor); and
• natural (e.g. floods, heatwaves, storms, earthquakes).
Identifying and understanding the hazards can be helped by, for example:
a) looking around the workplace;
b) talking to workers;
c) reading information from suppliers; and
d) considering past incidents and ill-health records.
Once hazards have been identified and understood, the risks need to be assessed and prioritized.
The risk is higher if it:
1) is likely to happen; and/or
2) can have a serious effect.
How high the risk is will be influenced by what controls an organization already has in place
(e.g. machine guards, good ventilation and lighting, whistleblowing processes, training, regular
health checks).
The organization should try to eliminate hazards where it can or otherwise reduce risks as far as
possible, but within reason (this is often referred to as “as low as reasonably practicable” or ALARP).
This is usually done using a process called “the hierarchy of controls” (see Clause 8).
As well as assessing risks, an organization should think about opportunities such as making changes
to the work environment, working conditions and how work is organized. When planning for
opportunities, an organization should consider what can make the biggest impact and when might
be a good time to act. One of the most important opportunities is when change is happening in the
organization or its activities and there is a chance to build OH&S considerations into that change,
rather than dealing with issues that arise after the change has been made.
An organization should also consider risks and opportunities which are not directly associated with
harm to people, but instead affect the effectiveness of the OH&S management system itself.
For example:
• an organization might need to coordinate plans with its neighbours; delays or difficulties in
working with neighbours can affect the OH&S management system;
• a transient, frequently changing workforce, with variable levels of experience can mean that
training and communications need to be adjusted to make sure people are still competent; and
• an organization introducing new products, services or activities might lack the knowledge and
competence to address the possible hazards and risks which in turn affects how well the OH&S
management system works.
Another vital part of risk management is being aware of and meeting legal, regulatory and other
requirements (such as those from a parent company or contract). There are different legal
requirements for different types and sizes of business, so it is important that top management stays
up to date with any changes and communicates these requirements to workers, as necessary.
NOTE The HSE provides further information on hazard identification, risk assessment and legal requirements, see
http://www.hse.gov.uk/risk/identify-the-hazards.htm [Last viewed 18 February 2019].
7 Support
To manage OH&S risk effectively the organization needs to have enough time, money, people and,
when necessary, equipment.
The OH&S management system is at risk if a lack of funding means that the protective measures
identified or changes to ways of working can’t be put in place. However, it is not necessary to spend
days discussing how to reduce the number of paper cuts or spend a fortune on a complex health
monitoring system if an organization’s business is low risk and exposure to serious hazards is rare.
Workers are typically the most important resource when it comes to managing risks and
opportunities for both people and the management system. Giving workers time to think about and
act on risks and opportunities is a good starting point in managing OH&S risk.
It is also essential that competence is addressed. There are different types of competence to consider,
such as competence to:
a) perform specific duties safely and without putting others at risk;
b) identify hazards, understand their risks and manage those risks effectively; and
c) plan for, respond to and manage emergency situations.
Competence requirements don’t stay the same, nor do individual or organizational competence. It’s
important to make sure these are reviewed regularly and actions taken to address any gaps.
It is important to avoid over-complicating paperwork and producing too many written processes
and procedures. The organization should only document what is needed to make sure the OH&S
management system works, and its legal requirements and other requirements are met.
The way the organization communicates to its workers and other people should be appropriate to
who needs to be informed, otherwise there is a risk that people who are affected might not be aware
of potential changes. For example, a software development company might find that using an online
platform to communicate is most appropriate, whilst mechanics might find conversation and a
summary on the noticeboard is more effective.
8 Operation
8.1 Operational planning and control
Once risks have been identified and prioritized, the organization needs to control them as well as
it can. To do this a system has been developed called the “hierarchy of controls”: the idea is that the
top action is the best, but if this is not possible, the ones that follow should be used. Sometimes using
more than one is the most effective and practical solution.
The hierarchy of controls is:
a) elimination (remove the hazard completely);
b) substitution (use something less dangerous, e.g. using scaffolding instead of ladders);
c) engineering controls (practical changes to reduce the risk, e.g. machine guards or reorganizing
how work is done);
d) administrative controls (raise awareness and knowledge, e.g. signs, instructions, training); and
e) personal protective equipment (wear protection to limit exposure, e.g. masks, ear defenders).
The most appropriate controls for the organization’s risks might change over time, e.g. as new
materials or technology become available.
9 Performance evaluation
9.1 Monitoring, measurement, analysis and performance evaluation
Performance evaluation is about answering two questions:
a) is the management system (and its processes) working properly?
b) are the controls you’ve put in place preventing injury and ill-health?
Risk is an important factor in answering both questions. Considering risks can help the organization
decide what needs to be measured and what needs to be monitored. There are lots of things
that could be measured within a management system, therefore it is important to focus on what
matters, such as:
1) are legal requirements being met, including any that have recently changed?
2) are other requirements being met, such as those agreed with your supply chain or
parent company?
3) is OH&S performance getting better, or getting worse?
4) are OH&S objectives being met?
The organization should ensure that controls to prevent injury and ill health are monitored and are
working effectively.
The organization should prioritize its largest OH&S risks. For example, if the organization has
activities controlled by formal permit to work systems or specific procedures, it is important to check
that these are being correctly applied. Similarly, fire risk controls can be measured by making sure
there is periodic inspection of emergency escape routes to check they are clear and accessible, and
measuring how long it takes to leave the building during fire drills.
In regard to OH&S risks and opportunities, internal audits provide the opportunity to test whether:
a) risk assessments are up to date and periodically reviewed;
b) workers carrying out an activity understand how the risk is assessed and are using the
right controls;
c) workers have the necessary competence;
d) assessment of changing risks is taking place; and
e) opportunities to eliminate hazards and reduce risks are being identified and acted upon.
It is important that top management evaluates the overall performance of the OH&S management
system, rather than concentrating on specific parts of it. The various measuring, monitoring and audit
activities should help determine if:
1) the organization understands its OH&S risks, and has put appropriate controls in place;
2) workers understand the risks that can affect them and are applying the agreed controls;
3) any risk controls need to change, or if there is an opportunity to eliminate a hazard or reduce
risk even more; and
4) the organization is complying with its legal requirements and other requirements in the way it
manages OH&S.
10 Improvement
Ways to improve the organization’s OH&S performance, or the OH&S management system, should
become clear through evaluating how well the system is working. Although some improvements can
involve complex planning and take time to implement, quick and simple changes in the way work is
carried out can also make a positive difference.
Improvements can include:
a) assessing risks more often;
b) sharing best practice by joining professional bodies or attending networking events;
c) improving organizational and individual knowledge; and
d) changing the way something is done (for example, making sure more than one person checks
that safety measures are in place before an activity).
Bibliography
Standards publications
For dated references, only the edition cited applies. For undated references, the latest edition of the
referenced document (including any amendments) applies.
BS ISO 45001:2018, Occupational health and safety management systems – Requirements with
guidance for use
Further reading
BS 45002‑0, Occupational health and safety management systems – General guidelines for the
application of ISO 45001