A risk is acceptable to a specific organization if it has been reduced to a level that it can tolerate given its obligations and its basic purpose.
An audit is a systematic evidence gathering process. Audits must be independent and evidence must be evaluated objectively to determine how well audit criteria are being met. There are three types of audits: first-party, second-party, and third-party. First-party audits are internal audits while second-party and third-party audits are external audits.

Organizations use first-party audits to audit themselves. First-party audits are used to provide input for management review and for other internal purposes. They're also used to declare that an organization meets specified requirements (this is called a self-declaration).

Second-party audits are external audits. They're usually done by customers or by others on their behalf. However, they can also be done by regulators or any other external party that has an interest in an organization. Third-party audits are external audits as well. However, they're performed by independent organizations such as registrars (certification bodies) or regulators.

ISO also distinguishes between combined audits and joint audits. When two or more management systems of different disciplines are audited together at the same time, it's called a combined audit; when two or more auditing organizations cooperate to audit a single auditee organization, it's called a joint audit.
Competence means being able to apply knowledge and skill to achieve intended results. Being competent means having the knowledge and skill that you need and knowing how to apply it. Being competent means that you're qualified to do the job.

Conformity is the "fulfillment of a requirement". To conform means to meet or comply with requirements, and a requirement is a need, expectation, or obligation. There are many types of requirements, including management requirements, product requirements, service requirements, contractual requirements, statutory requirements, and regulatory requirements.
When organizations engage in consultation, it means that they seek and receive the views and opinions of others before making decisions. In the context of OH&S, organizations often consult workers, health and safety committees, and workers' representatives before they make decisions that could affect the health and safety of workers. Consultation is not the same as participation. Consultation means receiving the views and opinions of others before decisions are made; participation means getting people involved in the actual decision making process itself.
An organization's context is its business environment. It includes all of the internal and external factors and conditions that affect its products and services, have an influence on its OHSMS, and are relevant to its purpose and strategic direction. An organization's external context includes all of the needs and expectations of interested parties, as well as its social, cultural, legal, technological, regulatory, and competitive environment. An organization's internal context includes its values, culture, knowledge, and performance.
Continual improvement is a set of recurring activities that are carried out in order to enhance OH&S performance. Continual improvement can be achieved by carrying out internal audits and management reviews. Continual improvements can also be achieved by collecting data, analyzing information, and setting objectives.

A contractor is an organization that provides services to another organization in accordance with an agreed set of terms and conditions.

Corrective actions are steps that are taken to eliminate the causes of existing nonconformities in order to prevent recurrence. The corrective action process tries to make sure that existing nonconformities and incidents don't happen again.
The term documented information refers to information that must be controlled and maintained by an organization, together with its supporting medium. Documented information can be in any format and on any medium and can come from any source. Documented information includes information about the management system and related processes. It also includes all the information that organizations need to operate and all the information that they use to document the results that they achieve (aka records).

Effectiveness refers to the degree to which a planned effect is achieved. Planned activities are effective if these activities are actually carried out, and planned results are effective if these results are actually achieved.
A hazard is any situation, substance, activity, or event that could potentially cause human injury or ill health.

Hazardous situations can cause injury or ill health. Examples of potentially hazardous situations include uneven walking surfaces, cramped working conditions, poorly ventilated areas, high altitudes, noisy locations, and confined spaces.

Hazardous substances can cause injury or ill health. Examples of potentially hazardous substances include toxic chemicals, flammable and explosive materials, gases and liquids, radioactive substances, particulates, bacteria, and viruses.

Hazardous activities can cause injury or ill health. Examples of potentially hazardous activities include unnatural movements and postures, heavy lifting, interpersonal conflicts, bullying, and intimidation.

Hazardous events can cause injury or ill health. Examples of potentially hazardous events include explosions, implosions, collisions, vibrations, fires, leaks, releases, reactions, electric shocks, falling objects, loud noises, breakdowns, software failures, and equipment malfunctions.

Hazards can also be classified as follows:
- Chemical hazards
- Biological hazards
- Thermal hazards
- Electrical hazards
- Structural hazards
- Acoustical hazards
- Mechanical hazards
- Radiological hazards
- Psychological hazards
Hazard identification is a process that involves recognizing that an OH&S hazard exists and then describing its characteristics.

An injury or ill health is an adverse effect on someone's physical, mental, or cognitive condition. Adverse effects include disease, illness, and death.

An incident is a work-related occurrence or event during which injury, ill health, or fatality actually occurs, or during which injury, ill health, or fatality could have occurred.

An accident is a type of incident. It is a work-related event during which injury, ill health, or fatality actually occurs.

A close call, near miss, or near hit is also a type of incident. It is a work-related event during which injury, ill health, or fatality could have occurred, but didn't actually occur.

An interested party is anyone who can affect, be affected by, or believe that they are affected by a decision or activity. An interested party is a person, group, or organization that has an interest or a stake in a decision or activity.

In the context of this ISO 45001 2018 standard, a requirement is an OHSMS need, expectation, or obligation. It can be stated or implied by an organization, its customers, or other interested parties. Legal requirements are compulsory. Organizations must comply with them. Other requirements may be compulsory or voluntary: organizations may be forced to comply with them or they may choose to comply with them.
A management system is a set of interrelated or interacting elements that organizations use to formulate policies and objectives and to establish the processes that are needed to ensure that policies are followed and objectives are achieved. These elements include structures, programs, procedures, practices, plans, rules, roles, responsibilities, relationships, contracts, agreements, documents, records, methods, tools, techniques, technologies, and resources.

There are many types of management systems. Some of these include quality management systems, financial management systems, information security management systems, disaster management systems, food safety management systems, risk management systems, and, of course, occupational health and safety management systems.

The scope or focus of a management system could be restricted to a specific function or section of an organization or it could cover the entire organization. It could even include a function that spans several organizations.

Measurement is a process that is used to determine a value. In most cases this value will be a quantity.

To monitor means to determine the status of an activity, process, or system at different stages or at different times. In order to determine status, you need to supervise and to continually check and observe the activity, process, or system that is being monitored.

Nonconformity is a nonfulfillment or failure to meet a requirement. A requirement is a need, expectation, or obligation. It can be stated or implied by an organization or interested parties.

An objective is a result you intend to achieve. Objectives can be strategic, tactical, or operational and can apply to an organization as a whole or to a system, process, project, product, or service. Objectives may also be referred to as targets, aims, goals, or intended outcomes.
OH&S objectives are generally based on or derived from an organization's OH&S policy and must be consistent with it.

An OHSMS is either a standalone management system or one part of a larger management system. It is a set of interrelated or interacting elements that organizations use to implement their OH&S policies, to achieve their OH&S objectives, and to manage their OH&S processes. These elements include structures, programs, plans, rules, roles, regulations, responsibilities, agreements, documents, records, methods, tools, techniques, technologies, and resources.

OH&S objectives are specific OH&S results that organizations set for themselves and wish to achieve. Your organization's OH&S objectives should be both measurable and consistent with its OH&S policy.

An OH&S opportunity is a circumstance or a set of circumstances that could lead to the improvement of OH&S performance.

OH&S performance is all about results. When organizations prevent injury and ill health and provide safe workplaces, they are achieving good results and performing well.

An occupational health and safety (OH&S) policy statement should express top management's commitment to the prevention of injury and ill health and to the provision of a safe and healthy workplace. It should also make a commitment to the implementation and improvement of the occupational health and safety management system (OHSMS). And it should allow workers to set OH&S objectives and it should encourage action.
ISO 45001 defines OH&S risk as the "combination of the likelihood of occurrence of a work-related hazardous event(s) or exposure(s) and the severity of injury or ill health that can be caused by the event(s) or exposure(s)". ISO 45001 accepts the more traditional definition of risk and rejects the newer ISO 31000 definition (discussed below) when it defines OH&S risk. The more traditional definition of risk combines three elements: it starts with a potential event and then combines its probability with its potential severity. A high risk event would have a high likelihood of occurring and would have a severe impact if it actually occurred.

An organization can be a single person or a group that achieves its objectives by using its own functions, responsibilities, authorities, and relationships. It can be a company, corporation, partnership, charity, association, or institution and can be incorporated or unincorporated and be either privately or publicly owned. It can also be an operating unit that is part of a larger organization.

When an organization makes an arrangement with an outside organization to perform part of a function or process, it is referred to as outsourcing. To outsource means to ask an external organization to perform part of a function or process normally done by the organization itself. While an outsourced organization is beyond the scope of your QMS, the outsourced process or function itself falls within your scope.
When people are involved in decision making, it's called participation. Workers, workers' representatives, and health and safety committees are often asked to participate in organizational decision making. Participation is not the same as consultation. While consultation means receiving the views and opinions of others before decisions are made, participation means getting people involved in the actual decision making process itself.

According to ISO, the term performance refers to a measurable result. It refers to the measurable results that activities, processes, products, services, systems, and organizations are able to achieve. Whenever they perform well, it means that acceptable results are being achieved, and whenever they perform poorly, unacceptable results are being achieved.

A policy is a general commitment, direction, or intention and is formally stated by top management. A quality policy should express top management's commitment to the implementation and improvement of its quality management system and should allow managers to set quality objectives.

A procedure is a way of carrying out a process or an activity. Procedures may or may not be documented.

A process is a set of activities that are interrelated or that interact with one another. Processes use resources to transform inputs into outputs. Processes are interconnected because the output from one process often becomes the input for another process. While processes usually transform inputs into outputs, this is not always the case. Sometimes inputs become outputs without being transformed. Processes should be planned and carried out under controlled conditions. An effective process is one that realizes planned activities and achieves planned results.

A requirement is a need, expectation, or obligation. It can be stated or implied by an organization, its customers, or other interested parties. A specified requirement is one that has been stated (in a document, for example), whereas an implied requirement is a need, expectation, or obligation that is common practice or customary. There are many types of requirements. Some of these include quality management requirements, product requirements, service requirements, contractual requirements, statutory requirements, and regulatory requirements.
According to ISO 45001, "risk is the effect of uncertainty". This cryptic definition is based on a similar definition of risk found in the ISO 31000 risk management standard. According to ISO 31000, risk is the "effect of uncertainty on objectives", and an effect is a positive or negative deviation from what is expected. Both definitions are essentially the same. The following will explain what this definition means.

ISO 31000 recognizes that all of us operate in an uncertain world. Whenever we try to achieve an objective, there's always the chance that things will not go according to plan. Every step has an element of risk that needs to be managed, and every outcome is uncertain. Whenever we try to achieve an objective, we don't always get the results we expect. Sometimes we get positive results, sometimes we get negative results, and occasionally we get both.

The traditional definition of risk combines three elements: it starts with a potential event and then combines its probability with its potential severity. A high risk event would have a high likelihood of occurring and a severe impact if it actually occurred.

While ISO 31000 defines risk in a new and unusual way, the old and the new definitions are largely compatible. Both definitions describe the same phenomena but from two different perspectives. ISO 31000 thinks of risk in goal-oriented terms while the traditional definition thinks of risk in event-oriented terms. These two definitions can and do co-exist. They're two different ways of talking about the same thing. ISO provides a conceptual definition of risk while the traditional formulation operationalizes this general definition: it tries to quantify risk. It argues that the amount or level of risk can be calculated by combining probability and severity.

ISO 45001 actually rejects this ISO 31000 definition of risk when it defines OH&S risk. Instead of accepting the ISO 31000 definition, ISO 45001 defines OH&S risk as the "combination of the likelihood of occurrence of a work-related hazardous event(s) or exposure(s) and the severity of injury or ill health that can be caused by the event(s) or exposure(s)".
Risk assessment is a process that is made up of three separate processes: risk identification, risk analysis, and risk evaluation. Risk identification is a process that is used to find, recognize, and describe the risks that could affect the achievement of objectives. Risk analysis is a process that is used to understand the nature, sources, and causes of the risks that you have identified and to estimate the level of risk. It is also used to study impacts and consequences and to examine the controls that exist. Risk evaluation is a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable.

Risk criteria are terms of reference and are used to evaluate the significance or importance of your organization's risks. They are used to determine whether a specified level of risk is acceptable or tolerable. Risk criteria should reflect your organization's policies and objectives, should be based on its external and internal context, should consider the views of stakeholders, and should be derived from standards, laws, policies, and other requirements.

The term top management normally refers to the people at the top of an organization. It refers to the people who provide resources and delegate authority and who coordinate, direct, and control organizations. However, if the scope of a management system covers only part of an organization, then the term top management refers to the people who direct and control that part of the organization.

The term worker is defined as anyone who performs work or work-related activities that are under an organization's control. Workers include both managers and nonmanagers and include both employees and non-employees (i.e., contractors, agency workers, and external product and service providers). They could be permanent or part-time, regular or temporary, and paid or unpaid; all of these people are defined as workers.

A workplace is a place where an organization's work is performed. A place is an organization's workplace only if it is under the organization's control, at least to some extent. How much responsibility an organization has for OH&S depends on how much control it has over its workplace.