New Requirements for Risk Assessment

| July 14, 2007

Section 4.3.1 of OHSAS 18001 (Hazard Assessment, Risk Assessment & Determining Controls) was completely changed during the revision process.  Overall, these changes align OHSAS 18001 more closely with other OH&S management system standards such as ANSI/AIHA Z10:2005.

This section now sets out additional details on both the inputs to be considered and the methodology to be used for the hazard identification and risk assessment process.  In addition, specific requirements have been added related to “management of change” and for determining appropriate controls to reduce the OH&S risks that are identified.

The standard now clearly links the requirements in 4.3.1 with those set out in 4.4.6 (operational control) so it is clear that the controls identified during the OH&S planning process need to be implemented and maintained as an integral part of operational control.

Overall, the process can be visualized as set out below:

Risk Assessment Management

In addition to these substantive changes to the standard, the definitions of hazard, risk and risk assessment have changed.  Hazard is now defined as a “source, situation or act with a potential for harm in terms of human injury or ill health, or a combination of these.”  Risk is defined as the “combination of the likelihood of an occurrence of a hazard event or exposure and the severity of injury or ill health that may be caused by the event or exposure.”  Risk assessment is defined as the “process of evaluating the risks arising from a hazard, taking into account the adequacy of any existing controls, and deciding whether or not the risk is acceptable.”

It should be noted that other standards and guidance documents may define “risk assessment” to include the entire process of hazard identification, risk analysis and selection of measures for risk reduction (i.e. “determining controls”).  OHSAS 18001 refers to each of these processes separately and uses the term risk assessment to refer to the risk analysis process only.

There are many different ways and approaches for conducting hazard identification and risk assessment.  Therefore, no one approach will suit every organization.  An organization with limited hazards is not required to implement complex risk assessment procedures.  In addition, different types of hazards may require different risk assessment strategies.  For example, the methodologies for evaluating the risks associated with employee exposure to noise may be distinctly different from the ones used for evaluating equipment safety.  The methodologies selected need to be appropriate for the hazards identified. 

© ENLAR® Compliance Services, Inc. (2007)

Category: OHSAS 18001:2007 Revisions, Standards & Certification

Comments (4)

Trackback URL | Comments RSS Feed

  1. Steve says:

    I enjoyed your July 14,2007 information.
    What is “Management of Change”?

  2. Thea says:

    Good question. I have answered in today’s blog – What is “Management of Change”?

  3. RDT says:

    Examples of how to perform risk assessment that have been successful to others?

  4. Henry says:


    What is the opinion regarding measuring the risk reduction based on Controls? Specifically with respect to the Hirachy of Control. (I.e. If the “Hazard” is eliminated then you have completely eliminated the risk of injury or whatever.) I note that a lot of people refer to reducing either the Probability or the Consequence. Is this not very subjective/