Category: Risk Management

What is Hierarchy of Controls?

I recently had the following question e-mailed to me – “What is the ‘Hierarchy of Controls’ [referenced in section 4.3.1 of OHSAS 18001:2007] and how do I address it in the hazard control & risk assessment procedure?”
The “hierarchy of controls” is a protocol that you use when deciding what kind of control measures you are going to use to address a particular OH&S hazard.  The rationale underlying the “hierarchy of controls” is that an organization should use more reliable control measures rather than measures that are more likely to fail. 

March 23, 2009

Thinking Outside the Bus…No, I Mean Box

One of the requirements of OHSAS 18001 is to identify all of your workplace hazards, including those that may cause “ill health”.  This includes illnesses that are made worse by a work activity.  This analysis also needs to be extended to individuals beyond the borders of the traditional workplace. 

ABC News reported on just such a situation last night.  It included a segment on the health implications of driving a school bus and the steps Broward County, Florida has taken to address them.

What did the Broward County School Board do?

March 5, 2009

Developing an OHSMS Risk Management Strategy

In a previous post, I discussed that there is no single, fill-in-the-blank process for conducting an OHS hazard identification and risk assessment.  Instead, what is needed is an assembly of individual processes that, when taken together, result in a comprehensive OHSMS risk management strategy.

It is equivalent to assembling a meal from an a la carte menu.

So what are your a la carte choices?

They are numerous and varied and include –

  • Checklists and questionnaires
  • Consequence / likelihood matrices
  • Failure modes and effects analysis (FMEA)
  • Hazard and operability studies (HAZOP)
  • Exposure assessment strategies
  • Bayesian analysis
  • Ergonomic evaluations
  • Computer modeling programs

Just as the key to healthy eating is making wise menu choices, the key to a sound OH&S risk management strategy is choosing the hazard identification and risk assessment tools that are appropriate for your organization.

© ENLAR® Compliance Services, Inc. (2008)

November 6, 2008

OH&S Risk Assessment is NOT a Single Process

One of the requests I commonly get from organizations seeking to integrate occupational health and safety into an existing environmental management system is –

“Can you provide a generic risk assessment process I can just plug into my aspect/impact procedure?”

The short answer to this request is “No.”

This is the fundamental difference between the OHSAS 18001 and the ISO 14001 standards.  To conform to ISO 14001, many organizations have a single aspect/impact evaluation process.  It may be complex and involve several factors and complicated calculations but it is typically one process.  This is not the case for OHSAS 18001 hazard identification and risk assessment.

To quote from the OHSAS 18002 guidance –

Hazard identification and risk assessment methodologies vary greatly across industries, ranging from simple assessment to complex quantitative analyses with extensive documentation.  Individual hazards may require that different methods be used, e.g. an assessment of long term exposure to chemicals may need a different method than that taken for equipment safety or for assessing an office workstation.  Each organization should choose approaches that are appropriate to its scope, nature and size, and which meet its needs in terms of detail, complexity, time, cost and availability of reliable data.  Taken together, the chosen approaches should result in a comprehensive methodology for the ongoing evaluation of the organization’s risk.

In other words – there is no simplistic answer or cookie-cutter methodology.  It is not one process but several that, when taken together, make up a comprehensive risk management strategy.

August 29, 2008

OHSAS 18001 & ISO’s Risk Management Standards

As discussed in previous posts, OHSAS 18001:2007 has a foundation based on risk management principles.

To meet the OHSAS 18001 requirements, an organization must:

  • Identify its OH&S hazards
  • Assess the risks associated with the OH&S hazards that are identified
  • Determine the controls that are necessary to reduce OH&S risks to an acceptable level

Identification of OH&S hazards and assessment of the associated risks is one of the primary inputs for setting objectives for continual improvement, identifying training needs and establishing operational controls.

The risk management foundation of OHSAS 18001 is not explicitly found in either ISO 9001 or ISO 14001.   ISO 9001 focuses on identifying customer requirements and achieving customer satisfaction; ISO 14001 focuses on identifying environmental aspects and prevention of pollution.  Although risk management is important to quality and environmental management, neither ISO management system standard explicitly addresses this.

Interestingly, ISO is currently in the process of developing several risk management standards.  According to ISO, these standards are intended to provide guidance to assist organizations in managing risk – including safety and environmental risk.  In addition, according to its Scope statement, ISO 31000 is intended to “harmonize risk management processes and definitions in existing and future standards.”

The ISO risk management standards currently under development include the following:

  • Substantial changes to the definition of risk in Guide 73 – Risk management – Vocabulary – Guidelines for use in standards
  • Drafting of a new “strategic-level” risk management standard – ISO 31000 – Risk management – Principles and guidelines on implementation
  • Adoption of an IEC standard outlining risk assessment methods as an ISO standard – ISO 31010 – Risk Management – Risk Assessment Techniques
  • Drafting of a new standard on risk assessment of structures – ISO 13824 – General principles on risk assessment of systems involving structures

This ISO standard-setting activity raises a couple of interesting questions —

  1. Will future revisions of ISO 9001 and ISO 14001 include a risk management focus as well?
  2. Might risk management become the unifying foundation for an integrated management system standard?

June 19, 2008

Three HSE Strategies

I attended the annual American Industrial Hygiene Association conference (AIHce) last week in Minneapolis, Minnesota.

There were many excellent sessions covering a wide range of topics important to the practice of industrial hygiene.  In particular, the Tuesday morning general session focused on demonstrating the value of the industrial hygiene profession and included a presentation by Jeffrey P. Pino, President of Sikorsky Aircraft Corporation.

In his presentation, Mr. Pino stated that there are three strategies important to a successful HSE (health, safety and environmental) program:

  • Leadership Commitment
  • Employee Engagement
  • Risk Management

These three strategies are also critical to the implementation of an occupational safety and health management system based on OHSAS 18001:2007.

June 11, 2008

What is “Management of Change?”

Although it is often used as a term of art in the safety field, “management of change” is not a defined term in OHSAS 18001:2007.  It is, however, vital to an effective OH&S management system.

Explicit requirements for management of change were added into section 4.3.1 of OHSAS 18001 in the 2007 revision of the standard.  This addition was an explicit request of the American Industrial Hygiene Association for purposes of aligning OHSAS 18001 with the U.S. Occupational Health and Safety Management System standard — ANSI/AIHA Z10-2005.  In addition, management of change is also an explicit requirement for safety management systems implemented to comply with the Seveso II Directive (see Annex III of EU Council Directive 96/82/EC).

The following requirements related to management of change were added in section 4.3.1:

The procedures for hazard identification and risk assessment shall take into account:

  g) changes or proposed changes in the organization, its activities or materials;
  h) modifications to the OH&S management system, including temporary changes, and their impacts on operations, processes and activities;….

For the management of change, the organization shall identify the OH&S hazards and risks associated with changes in the organization, the OH&S management system or its activities, prior to the introduction of such changes.

In addition, reference to Management of Change was also included in section 4.4.6:

The organization shall determine those operations and activities that are associated with the identified hazard(s) where the implementation of controls is necessary to manage the OH&S risk(s). This shall include the management of change (see 4.3.1).

These new requirements cover four important concepts:

  • Identification of the hazards associated with “change”
  • Assessment of the risks associated with “change”
  • Consideration of OH&S hazards and risks prior to the introduction of the “change”
  • Implementation of the controls needed to address the hazards and risks associated with the “change”

For purposes of management of change within an OH&S management system, the changes that need to be addressed include:

  • Organizational changes (e.g. personnel or staffing changes)
  • Activity changes (e.g. changes to processes, equipment, infrastructure, software)
  • Material changes (e.g. new chemicals, packaging)
  • Changes to the OH&S management system (e.g. procedures)

Why is management of change so important?

Ineffective management of change is one of the leading causes of serious incidents.  To quote the U.S. Chemical Safety and Hazard Investigation Board (CSB), “In industry, as elsewhere, change often brings progress.  But it can also increase risks that, if not properly managed, create conditions that may lead to injuries, property damage or even death.” (from CSB press release announcing its 8/28/2001 Safety Bulletin concerning “Management of Change”)  Ineffective management of change is one of the major contributing factors in many of the incident investigations conducted by the CSB.  To check it out, go to the CSB web site and enter “management of change” as your search term at the link “Search this Site.”

© ENLAR® Compliance Services, Inc. (2007)

July 18, 2007