OHSAS 18001 & ISO’s Risk Management Standards

June 19, 2008

As discussed in previous posts, OHSAS 18001:2007 has a foundation based on risk management principles.

To meet the OHSAS 18001 requirements, an organization must:

  • Identify its OH&S hazards
  • Assess the risks associated with the OH&S hazards that are identified
  • Determine the controls that are necessary to reduce OH&S risks to an acceptable level

Identification of OH&S hazards and assessment of the associated risks is one of the primary inputs for setting objectives for continual improvement, identifying training needs and establishing operational controls.

The risk management foundation of OHSAS 18001 is not explicitly found in either ISO 9001 or ISO 14001.   ISO 9001 focuses on identifying customer requirements and achieving customer satisfaction; ISO 14001 focuses on identifying environmental aspects and prevention of pollution.  Although risk management is important to quality and environmental management, neither ISO management system standard explicitly addresses this.

Interestingly, ISO is currently in the process of developing several risk management standards.  According to ISO, these standards are intended to provide guidance to assist organizations in managing risk – including safety and environmental risk.  In addition, according to its Scope statement, ISO 31000 is intended to “harmonize risk management processes and definitions in existing and future standards.”

The ISO risk management standards currently under development include the following:

  • Substantial changes to the definition of risk in Guide 73 – Risk management – Vocabulary – Guidelines for use in standards
  • Drafting of a new “strategic-level” risk management standard – ISO 31000 – Risk management – Principles and guidelines on implementation
  • Adoption of an IEC standard outlining risk assessment methods as an ISO standard – ISO 31010 – Risk Management – Risk Assessment Techniques
  • Drafting of a new standard on risk assessment of structures – ISO 13824 – General principles on risk assessment of systems involving structures

This ISO standard-setting activity raises a couple of interesting questions —

  1. Will future revisions of ISO 9001 and ISO 14001 include a risk management focus as well?
  2. Might risk management become the unifying foundation for an integrated management system standard?

© ENLAR® Compliance Services, Inc. (2008)

Category: Risk Management, Standards & Certification

Comments (4)


  1. Waqas says:


    I have been doing risk assessments under the OHS-18001 system, and the method of calculating risk is L (likelihood) multiplied by (A, Assets + Health, H). My question is: now, considering the new standard 18001:2007 that cancels out property (assets), which equation is best to calculate the risk?

    Please respond, thanks

  2. Henry says:

    I surely hope this is the case. Why otherwise would we want to ensure that Processes are controlled to reduce the potential for nonconforming product and a potential dissatisfied customer?


  3. Matt says:

    Interesting questions. I have another one… (which also relates to the post: ‘OH&S Risk Assessment is NOT a Single Process’ ):
    As mentioned, to meet the OHSAS 18001 requirements, an organization must:
    - Identify its OH&S hazards
    - Assess the risks associated with the OH&S hazards that are identified
    - Determine the controls that are necessary to reduce OH&S risks to an acceptable level

    Knowing that in the latest versions of the standards (9001:2000, 14001:2004 and OHSAS 18001), an effort has been made to ensure that MS were efficient and oriented on the performance of the organization, my question is:


    I’m wondering how efficient it would be for an industrial site (a plant) to establish such an inventory?
    Realistically, by the time this is done (several months, years(?)), wouldn’t that end up being a long list, most likely to constantly be outdated and incredibly inefficient; a heavy burden to manage, with no (or very little) added value in itself?

    Could a combination of various evaluations and activities (and taking initiatives to address main issues) be enough, such as:
    - analysis of leading (near misses) & lagging indicators (incidents & accidents);
    - prejob risk assessment;
    - (establish site but also departments’ objectives);
    To first identify minor vs major risks (ASSESS) with some well known risk factors (electricity, heights, confined spaces, mobile equipment, moving parts…) and only follow-up (EVALUATE) on major ones? Or am I not properly understanding the definition of ‘Assess’ ?

    The idea of course being to decentralize and make people at all levels accountable and ensure that maintaining the OHSMSystem will not only be the business of one or two, but definitely everybody’s role.

    WHAT WOULD BE ENOUGH Risk assessment wise?

    I’d like to get opinions on that matter.

  4. Thea says:

    You are correct in the difficulty in creating an “inventory” of all OH&S hazards and evaluating the risk associated with each one – parallel to the approach often taken in identifying environmental aspects and impacts for ISO 14001. This is not an OHSAS 18001 requirement.

    The intent is for an organization to use approaches that are appropriate to it. To quote the OHSAS 18002 guidance – “Each organization should choose approaches that are appropriate to its scope, nature and size, and meet its needs in terms of detail, complexity, time, cost, and availability of reliable data.” The choice of methodology to be used for the hazard identification and risk assessment is up to the organization (taking into account any applicable legal requirements that may limit the approaches that can be used).

    What is enough? That the approaches chosen, taken together, are comprehensive, i.e. they cover the OH&S hazards within the defined scope of the OH&S management system.