Category: FAQ

Implementing an OHSMS – 7 Steps to Take First

steps1Are you thinking about implementing an occupational health and safety management system?

There are 7 Steps you should take FIRST. 

Want to know what they are?

Sign-up below for my mini-course (delivered to you in 7 e-mail installments) – The 7 Steps to Take Before You Implement an OHSMS.


May 23, 2013 | 0 Comments More

Validity of Certification

I recently got the following question about a blog post I did back in 2009 – OHSAS 18001 “Governing Body”.

The question was –

My company is an Environmental Laboratory in India.  It holds an unaccredited certificate issued by an Indian company.  Can you clarify how far this certificate is valid.

My response –

I can’t answer your question since the answer is specific to your organization, the clients you conduct work for and the laws of your jurisdiction.  For example, in the United States, there are laws that require testing laboratories to be accredited – including those doing certain environmental tests.

As I mentioned in the blog post you referenced, management system standards are used for a variety of different purposes.

One of those purposes is to set out the requirements upon which certification programs are based.  Some of these certifications are reputable and legitimate, whether they are accredited or not.  Others are only sham certifications.  They are issued primarily to deceive or encourage reliance on the part of third parties that is not justified based on the level of investigation actually being performed by the individual or organization providing the certification.

The issue is not so much accreditation or not.  The issue is the credibility of the certification based on the level of due diligence that supports the determination being made.

I posted this question and response because of the increased interest and reliance on OHSMS certification that is being driven by an increase in public sustainability reporting.  It is important to understand that certification alone does not represent due diligence unless it is clear exactly what assessment activities were done to support the certification.

© ENLAR Compliance Services, Inc. (2013)
March 20, 2013 | 0 Comments More

Identifying Applicable Legal Requirements

Last week, I received the following question from a reader about the OHSAS 18001 requirements related to the identification of applicable legal and other requirements  –

We are an OHSAS 18001 certified company…. Our Hazard Identification and Risk assessment (HIRA) first page tells about the legal requirement clause and the legal statements for complying with the HIRA.  Our external auditor (certifying body) insists we insert a column in the HIRA chart to identify what legal requirement clause comes against the control of each identified risk.

1.     Is my auditor correct?

2.     Does the OHSAS 18001 Standards say that?

 My answer –

That is NOT an OHSAS 18001 requirement. I believe your external auditor is confusing the ISO 14001 and OHSAS 18001 requirements. 

Section 4.3.2 of ISO 14001 requires that an organization determine how its applicable environmental legal and other requirements apply to its environmental aspects.  This is often done as your external auditor suggests, although it does NOT have to be done that way.  You can use whatever method is appropriate for your organization.

Section 4.3.2 of OHSAS 18001 does NOT have the same requirement as ISO 14001. It requires that an organization “take into account” its applicable legal other requirements in its OHSMS.  No column, chart, matrix is required.  Nor does it require identifying requirements by individual risk.  This requirement was specifically rejected when OHSAS 18001 was revised in 2007.

© ENLAR® Compliance Services, Inc. (2011)
June 7, 2011 | 1 Comment More

OH&S Risk Assessment is NOT a Single Process

One of the requests I commonly get from organizations seeking to integrate occupational health and safety into an existing environmental management system is –

“Can you provide a generic risk assessment process I can just plug into my aspect/impact procedure?”

The short answer to this request is “No.”

This is the fundamental difference between the OHSAS 18001 and the ISO 14001 standards.  To conform to ISO 14001, many organizations have a single aspect/impact evaluation process.  It may be complex and involve several factors and complicated calculations but it is typically one process.  This is not the case for OHSAS 18001 hazard identification and risk assessment.

To quote from the OHSAS 18002 guidance –

Hazard identification and risk assessment methodologies vary greatly across industries, ranging from simple assessment to complex quantitative analyses with extensive documentation.  Individual hazards may require that different methods be used, e.g. an assessment of long term exposure to chemicals may need a different method than that taken for equipment safety or for assessing an office workstation.  Each organization should choose approaches that are appropriate to its scope, nature and size, and which meet its needs in terms of detail, complexity, time, cost and availability of reliable data.  Taken together, the chosen approaches should result in a comprehensive methodology for the ongoing evaluation of the organization’s risk.

In other words – there is no simplistic answer or cookie-cutter methodology.  It is not one process but several that, when taken together, make up a comprehensive risk management strategy.

© ENLAR® Compliance Services, Inc. (2008)

August 29, 2008 More

Maintaining Your OH&S Management System

Last week, a reader e-mailed me the following question –“What are the most important areas to concentrate on in maintaining an OHSAS 18001 management system that is already in place?”

This is an excellent question.  Sometimes organizations put so much effort into developing and implementing an occupational health and safety management system, they run out of energy when it comes to its on-going maintenance.

There are two areas that are particularly important for maintaining your OHSMS —

  • On-Going Management of Change
  • An Effective Internal Audit Program

To quote the Greek philosopher Heraclitus – Nothing endures but change.

Since change is a constant in all organizations (in activities, products, people, responsibilities, etc.), addressing the occupational health and safety impacts of those changes is a major challenge.  That is why OHSAS 18001:2007 added explicit management of change requirements (check out my previous blog — “What is Management of Change?” – for information on what these requirements are).

An effective internal audit program is also important for maintaining your management system.  It lets you know whether your efforts have been successful or if changes are needed.  It is also the primary means for top management to fulfill its management review responsibilities — to determine whether the OH&S management system continues to be suitable, adequate and effective.

© ENLAR® Compliance Services, Inc. (2007)

August 13, 2007 More

What is Accountability?

In the 2007 revision of OHSAS 18001, a requirement was added for allocating, documenting and communicating accountabilities — as well as responsibilities. While accountability is not defined in OHSAS 18001, it is an important concept in a management system.  The dictionary definition is “the state of being accountable, liable or answerable.”  According to wikipedia, the word “accountability” is an extension of the terminology used in money lending systems that first developed in Ancient Greece.  One would borrow money from a money lender and would then be held responsible for their account to that party.

It is worthwhile, in this context, to explore the differences between authority, responsibility and accountability in an organization:

  • Authority is the right to make a decision or take an action
  • Responsibility is the obligation to ensure that an action is taken
  • Accountability is to be answerable for a particular activity or action to a particular entity

Although clearly related, these terms are not synonymous.  One may have the authority to take a certain action — for example, to spend money on behalf of the organization — but not be obligated to take that action.  Similarly, an individual may have an obligation to do something — for example, to ensure the organization complies with a particular legal requirement — but not be accountable.  The organization may lack a mechanism to hold that individual responsible (answerable) even if compliance is lacking.  Similarly,  an individual may be held accountable — e.g. fired for a particular action — even if he or she did not have the authority or the responsibility to accomplish the activity in question.

There are five key elements of an effective accountability system:

  1. Clearly specified standards for authority and responsibility
  2. Adequate resources to meet the assigned responsibilities
  3. Monitoring and assessment of individual performance
  4. Appropriate consequences for taking or failing to take action
  5. Consistent and unbiased application of accountability standards


 It should be noted that accountability is not necessarily the same as blame.  Often, organizations seek to assign accountability only when they are looking for someone to blame.

How can you distinguish the difference?

In most organizations, much of what is done requires a group effort where no one person is completely responsible for a particular action or decision.  In addition, accountability goes hand-in-hand with authority and responsibility.  This means that, generally, those with the greatest accountability will be highest up in the organization.  Therefore, if you are truly attempting to identify who is accountable, the result will be a list of people that includes individuals at the top, as well as the bottom, of the org chart.  If you are seeking to assign blame, usually finding a single “fall guy” will be sufficient.


Top managers need to keep in mind the sign President Truman kept on his desk to remind him who was accountable.  It read:  “The BUCK STOPS here!”


© ENLAR® Compliance Services, Inc. (2007)

July 27, 2007 More

What is a Management System? — Part 2

Using a different approach, one can seek to determine what a management system is by examining the definitions penned by the individuals who drafted the ISO management system standards.

The ISO Definition of a “Management System”

ANSI/ISO/ASQ ISO Q9000-2000 defines a “management system” as follows — a system (separately defined as a set of interrelated or interacting elements) to establish policy and objectives and to achieve those objectives.  A “quality management system” is then defined as a management system to direct and control an organization with regard to quality.

ISO 14001:2004 defines a “management system” as a set of interrelated elements used to establish policy and objectives and to achieve those objectives and an “environmental management system” as follows — part of an organization’s management system used to develop and implement its environmental policy and manage its environmental aspects.

What is interesting about these ISO definitions is their explicit focus on defining a management system in terms of the task of “establishing policy and objectives”  (ISO 9000) or “developing and implementing a policy” (ISO 14001).  This focus on establishing and implementing policy is not part of any of the dictionary definitions for management.

The OHSAS 18001 Definition

OHSAS 18001:1999 defines an “OH&S management system” as follows — part of the overall management system that facilitates the management of the OH&S risks associated with the business of the organization.  With the 2007 revision of OHSAS 18001, the definition of an OH&S management system will be aligned with the ISO 9001 and ISO 14001 definitions to focus on developing and implementing policy.

Is the primary purpose of a management system to develop and implement policy?  What do you think?

May 9, 2007 More

What is a Management System? — Part 1

Since OHSAS 18001 is intended to set a framework for an OH&S management system — like ISO 14001 sets a framework for an environmental management system and ISO 9001 sets a framework for a quality management system — it is probably worthwhile to explore just what a “management system” is.


To enjoy standard-setting is to enjoy defining terms.


There are a variety of ways you can go about deciding what something is.  You can ask an expert, you can ask several experts, you can take an opinion survey or you can look it up in a dictionary.  Part 1 of this series takes the approach of looking it up in the dictionary (or more accurately — a dictionary of dictionaries —


A Dictionary Definition

If one approaches this as a tautological exercise, one can break the term “management system” into its component parts of “management” and “system,” define each and then combine the two definitions back together again into a single definition for a “management system.”


Using this approach, one can define the word “management” as the act or manner of managing; handling, direction, or control and the word “system” as a group of interacting, interrelated, or interdependent elements forming a complex whole.  Combining these definitions, one gets the following definition for a “management system” — the act of managing a group of interacting, interrelated or interdependent elements forming a complex whole.  This is a traditional, and predictable, definition.



On the other hand, by combining a different set of definitions for “management” and “system”, one can get the following, entirely different, definition — a social, economic or political organizational form used by corporate power elites who are distinguished primarily by their distance from actual productive work and their chronic failure to manage. For those who appreciate Dilbert cartoons, this may represent a more “real world” definition of a “management system.”


Given the variety of choices set out at, which dictionary definition do you prefer?

May 8, 2007 More

Let’s Start With The Basics — What Is OHSAS 18001?

OHSAS 18001 is a specification document (standard) that sets out requirements for establishing and implementing an occupational health and safety management system.


It was originally developed in 1999 by an independent group of national standards organizations and certification bodies.  Although it is not an ISO standard, OHSAS 18001 is structured the same way as ISO 14001, the environmental management system standard, and has essentially the same elements.  It was developed specifically for use in third-party certification.


OHSAS 18001 was developed to replace a number of registrar-specific OH&S specification documents and to serve as a model for developing an international standard.  Its development was initially driven by the lack of consensus for moving ahead in developing an international standard through the ISO standard-setting process.



More information about OHSAS 18001 can be found on ENLAR’s web site at

May 7, 2007 More