ISO 45001:2018 Clause 9

Performance Evaluation
The organization must establish a system that involves the monitoring,
measurement, analysis, and evaluation of its OH&S performance. It
should decide what to measure and how, for instance, accidents or
worker competence. Moreover, internal audits must be established
along with regular management reviews, in order to see the progress
made towards the achievement of OH&S objectives and the fulfillment
of ISO 45001 requirements. Performance evaluation is a constructive
process that aims to improve an organization’s operation and is crucial
to the ‘Plan, Do, Check and Act’ model prescribed by ISO 45001. These
processes should help achieve and support organizational strategy and
goals. Clause 9, Performance Evaluation, provides an in-depth
discussion regarding the criteria for evaluating the overall performance
of the OH&S management system. The primary themes of this section
focus on the means of process evaluation and documentation of
evaluations. The importance of documentation (and how records and
data are retained), as well as document dissemination, are performance
themes both in ISO 45001 in general and in this section in particular.
This section tends to be more specific than some of the others and
includes a detailed discussion of documentation requirements, internal
audit protocols, and relevancy and applicability of measurements
within the organization. The key attributes of this section include:
1. Following applicable legal requirements and documentation are
followed
2. Measuring operational risks and hazards
3. Evaluating the effectiveness of operational controls
4. Establishing the timeline for conducting the measures
5. Planning for analysis, evaluation, and communication of the results
6. Calibrating and verifying the accuracy of all equipment
7. Retaining documentation of all measures
8. Auditing the OH&S Management System, the OH&S Policy, OH&S
Objectives, and the 45001 requirements
9. Establishing the frequency of audits and account for significant
changes to the organization, performance improvements, risks, and
opportunities

1
10. Ensuring the competence of auditors
11. Communicating findings to management, workers, and worker
representatives
12. Taking action to address identified nonconformities
13. Retaining audit results as evidence of the completion of the audit
14. Reviewing audit findings and corrective actions by top
management
15. Ascertaining that corrective actions, worker engagement, and
opportunities for continual improvement are in place
The most important objectives of the Performance Evaluation section
are ensuring the adequacy of the current OH&S management system
and measuring that OH&S objectives are met. These are, essentially, the
only measures of success.

9.1 Monitoring, measurement, analysis

and performance evaluation
9.1.1 General
The organization must establish, implement and maintain
processes for monitoring, measurement, analysis and
performance evaluation. The organization has to determine
what needs to be monitored and measured. The organization
must determine up to what extent the legal requirements and
other requirements are fulfilled. The organization must
monitor and measure its activities and operations related to
identified hazards, risks, and opportunities, its progress
towards achievement of the organization’s OH&S objectives
and the effectiveness of operational and other controls. The
organization must determine the methods for monitoring,
measurement, analysis and performance evaluation, as
applicable, to ensure valid results. It must also determine the
criteria against which the organization will evaluate its OH&S
performance and when the monitoring and measuring shall
be performed. It must also determine when the results from
monitoring and measurement shall be analyzed, evaluated
and communicated. The organization must evaluate the
OH&S performance and determine the effectiveness of the
OH&S management system. The organization must ensure
that monitoring and measuring equipment is calibrated or
2
verified as applicable, and is used and maintained as
appropriate. There can be legal requirements or other
requirements (e.g. national or international standards)
concerning the calibration or verification of monitoring and
measuring equipment. The organization must retain
appropriate documented information as evidence of the
results of monitoring, measurement, analysis and
performance evaluation and on the maintenance, calibration
or verification of measuring equipment.

As per Annex A (Guidance on the use of ISO 45001:2018

standard) of ISO 45001:2018 standard it further explains:

In order to achieve the intended outcomes of the OH&S management

system, the processes should be monitored, measured and analyzed.
1. Examples of what could be monitored and measured can include,
but are not limited to:
1. occupational health complaints, the health of workers
(through surveillance) and work environment;
2. work-related incidents, injuries and ill health, and complaints,
including trends;
3. the effectiveness of operational controls and emergency
exercises, or the need to modify or introduce new controls;
4. competence.
2. Examples of what could be monitored and measured to evaluate
the fulfillment of legal requirements can include, but are not
limited to:
identified legal requirements (e.g. whether all legal requirements
have been determined, and whether the organization’s
documented information of them is kept up-to-date);
collective agreements (when legally binding);
the status of identified gaps in compliance.
3. Examples of what could be monitored and measured to evaluate
the fulfillment of other requirements can include, but are not
limited to:
1. collective agreements (when not legally binding);
2. standards and codes;
3. corporate and other policies, rules and regulations;

3
 4. insurance requirements.
4. Criteria are what the organization can use to compare its
performance against.
1. Examples are benchmarks against:
 other organizations;

 standards and codes;

 the organization’s own codes and objectives;

 OH&S statistics.

2. To measure criteria, indicators are typically used; for

example:
 if the criterion is a comparison of incidents, the
organization may choose to look at frequency, type,
severity or number of incidents; then the indicator could be
the determined rate within each one of these criteria.
 if the criterion is a comparison of completion of corrective
actions, then the indicator could be the percentage
completed on time.

Monitoring can involve continual checking, supervising, critically

observing or determining the status in order to identify change from
the performance level required or expected. Monitoring can be applied
to the OH&S management system, to processes or controls. Examples
include the use of interviews, reviews of documented information and
observations of work being performed. Measurement generally
involves the assignment of numbers to objects or events. It is the basis
for quantitative data and is generally associated with the
performance evaluation of safety programmes and health
surveillance. Examples include the use of calibrated or verified
equipment to measure exposure to a hazardous substance or the
calculation of the safe distance from a hazard. The analysis is the
process of examining data to reveal relationships, patterns, and
trends. This can mean the use of statistical operations, including
information from other similar organizations, to help draw
conclusions from the data. This process is most often associated with
measurement activities. Performance evaluation is an activity
undertaken to determine the suitability, adequacy, and effectiveness
of the subject matter to achieve the established objectives of the OH&S
management system.

4
The organization not only has to measure occupational health & safety
progress, but it should also consider its significant hazards, compliance
obligations, and operational controls when tackling this clause. The
methods established should have considerations to ensure that the
monitoring and measuring periods are aligned with the needs of the
OH&SManagement System for data and results, that the results are
accurate, consistent, and can be reproduced and that the results can be
used to identify trends. It should also be noted that the results should
be reported to the personnel with the authority and responsibility to
initiate action on the basis of the outputs themselves. The organization
should have a systematic approach for measuring and monitoring its
OH&S performance on a regular basis, as an integral part of its
management system. The organization needs to monitor and measure
the following in order to determine the performance of the OHSMS and
evaluate its effectiveness:
 The extent to which legal and other requirements are fulfilled
including, where applicable, all applicable OH&S legislation,
collective agreements, standards, and codes and insurance
requirements;
 Characteristics of activities and operations related to the identified
hazards, risks, and opportunities;
 Progress in the achievement of the organization’s OH&S objectives;
 Effectiveness of operational and other controls.

This includes the determination of the criteria against which the

organization’s OH&S performance will be evaluated, including
appropriate indicators. Criteria are what the organization uses to
compare its performance against (e.g. benchmarking its OH&S
performance against other organizations, standards or codes, etc.). To
measure criteria, indicators are used. For example, if the criterion is a
comparison of incidents, the organization could choose to look at
frequency, type, severity or number of incidents; the indicator could be
the determining rate within each one of these criteria. The organization
must select appropriate methods for monitoring, measurement,
analysis and performance evaluation in order to ensure valid results,
decide when the monitoring and measurement will be performed and
when the results from monitoring and measurement will be analyzed,
evaluated and communicated.

The organization must ensure that monitoring and measurement

equipment such as sampling pumps, noise monitors, toxic gas detection
5
equipment, is calibrated or verified and that it is correctly used and
maintained. Insofar as measuring and monitoring are concerned, the
organization should use both reactive and proactive measures of
performance but should mainly focus on proactive measures in order to
drive OH&S performance improvement. Examples of proactive
measures include:
 Assessment of compliance with legal and other requirements;
 Evaluation of the effectiveness of OH&S training;
 Use of worker surveys to evaluate OH&S culture and related worker
satisfaction;
 Completion of statutory and other inspection schedules;
 The extent to which programmes have been implemented;
 The effectiveness of the worker consultation and participation
process;
 Use of health screening.

Examples of reactive measures include:

 Occurrence and rates of notifiable accidents and dangerous
occurrences;
 Lost time incident rates;
 Monitoring of ill health;
 Actions required following assessments by regulatory bodies such
as the HSA/HSE.

The organization must retain appropriate documented information as

evidence of the results of monitoring, measurement, analysis, and
evaluation and of the maintenance, calibration or verification of
measuring instruments. An organization should check, review, inspect
and observe its planned activities to ensure they are occurring as
intended. An organization must make sure they have determined the
appropriate processes so they can evaluate how well they are
performing based on risk and opportunities. Monitoring generally
indicates processes that can check whether something is occurring as
intended or planned. The tables below provide examples of monitoring
and specific control measures:

6
 Event Local Exhaust Ventilation System (LEV)

An appointed person to weekly inspect airflow of an LEV system

Monitoring
to safely remove fumes from a process.

Use of a calibrated meter to check the airflow at two inspection

Measurement locations of the system according to a specified Work Instruction.
(Employee is trained and competent to use the equipment).

Review of recorded data determining the airflow efficiency of the

system to ensure workers are safe. This may include trends. This
Analysis
would be in compliance with manufacturers specifications and
regulatory requirements.

The trend analysis indicates a reduction in airflow, therefore,

Evaluation
maintenance is triggered to isolate and inspect the LEV system.

Event Safe Walking Routes

Appointed person daily site inspection of safe walking routes to

Monitoring
ensure they are in a condition to prevent slips, trips, and falls.

Visual inspection to ensure there are no obstructions outside of

Measurement defined safe walking routes. (Usually, measurement is associated
with measurement equipment to obtain data).

Examination of results from inspections. In this case, there may be

Analysis a trend of equipment repeatedly left in the same location as a Safe
Walking Route.

Determination of root cause of why equipment is repeatedly left in

Evaluation the safe walking route. Resulting in the allocation of a designated
safe place for equipment away from the safe walking route.

Any equipment used to determine the measurement ‘indicator’ should

be calibrated and maintained so that a high degree of confidence is
gained in the credibility of data. The standard also requires the
organization to implement a process to evaluate legal and other
compliance including:
 The frequency and method of evaluation
 If action is needed, the process in which it will be evaluated and
implemented
 Maintain knowledge and understanding of its compliance status
 Retain documented information to support the evaluation of legal
and other requirements

7
9.1.2 Evaluation of compliance
The organization must establish, implement and maintain
the processes for evaluating compliance with legal
requirements and other requirements. The organization
must determine the frequency and methods for the
evaluation of compliance and must evaluate compliance and
take action if needed. It must maintain knowledge and
understanding of its compliance status with legal
requirements and other requirements. It must retain
documented information on the compliance evaluation
results.

As per Annex A (Guidance on the use of ISO 45001:2018

standard) of ISO 45001:2018 standard it further explains:

The frequency and timing of compliance evaluations can vary

depending on the importance of the requirement, variations in
operating conditions, changes in legal requirements and other
requirements and the organization’s past performance. An
organization can use a variety of methods to maintain its knowledge
and understanding of its compliance status.

There is an ever-increasing amount of legislation intended by the

government to ensure that we manage issues such as health and safety
in the workplace and our impacts on the environment in order to
protect human health and the environment from harm. There is also a
range of legislation designed to give some security of personal
information, intellectual property and organizational records to both
public and private sector businesses whose information and networks
are important business assets. The standard recognizes that evaluation
requirements will vary from organization to organization based on
factors such as size, compliance obligations, sector worked in, past
history and performance, and so on, but suggests that regular
evaluation is always required. If the result of a compliance evaluation
reveals that a legal requirement is unfulfilled, the organization needs to
assess what action is appropriate, possibly up to contacting a regulatory
body and agreeing on a course of action for repair. This agreement will
now see this obligation become a legal requirement. Where a non-
compliance is identified by the OH&SManagement System and
corrected, it does not automatically become a non-conformity. But

8
exactly what legislation is there that applies to your organization, how
does it apply and why do you need to evaluate it.

Firstly it is worth looking at compliance in more detail. Compliance is

not an option. If we don’t comply then we could be operating outside of
the law. Not only can this lead to penalties and fines, but poor
compliance can also lead to:
 Increased health and safety incidents, environmental accidents and
pollution.
 Increased downtime, clean up costs and fines
 Increased insurance premiums and regulatory inspections
 Workforce concerns and industrial relations issues
 Reduced ability to meet customer requirements
 Damage to reputation and possible lost business
 Individual prosecution and corporate manslaughter and/or
dismissal

The legislation provides regulators with specific duties and powers and
enables the regulators to take enforcement action to mitigate the
consequence of site closures and suspension or revocation of permits.
For example, in 2005/2006 the HSE issued 6400 enforcement notices
and prosecuted in over 1010 cases. Magistrates and courts are coming
under increasing pressure to impose ever more stringent penalties.
With this in mind, there is increasing pressure on organizations from
various sources to improve and ensure compliance. In practice, you
may consider putting a list of compliance obligations within a
spreadsheet as outlined under clause 6 of this document. Periodically
this process should be audited within the internal audit programme to
ensure all compliance obligations have been fulfilled. Audit results
including compliance status should be communicated to senior
leadership within the organization. Any outstanding or pending
requirements can be actioned by the leadership team. This will ensure
compliance to obligations and reduction in risk including potential
prosecution. So how can you evaluate compliance? There are essentially
three approaches:

1. The Passive Approach

The passive approach means an organization sits back and waits for
things to happen. It relies solely on upon feedback from regulators,

9
employees, and members of the public. Typically few resources are
allocated and compliance efforts are minimized and tend to be focused
on current areas of concern. The drawback of this approach is that it
may well be unrepresentative of the true level of compliance, the
outcome of which being the increased likelihood of a non-compliant
event which could lead to unforeseen prosecutions.

2. The Reactive Approach

The reactive approach is taken when an organization acts only when a

situation of non-compliance is brought to light. There may be some
internal and external evaluation and auditing but this usually relies on
a sampling basis. It is similar to the passive approach in that typically
few resources are allocated. The drawback of this approach is that it
may not be sufficiently comprehensive. It tends to only pick up
problems after the event. Although actions are taken to manage
compliance these are typically only implemented after the event once
the non-compliance has been identified. Therefore an organization
following the reactive approach may incur increased costs, both
financial and time, in addressing the non-compliance as opposed to
preventing it occurring.

3 The Proactive Approach

An organization following the proactive approach will seek to actively

identify the compliance position and establish processes to ensure on-
going compliance status is maintained. The proactive approach is
typically system based and integrates compliance into everyday
business practices. The management system may be one of three types:
 Internal bespoke Compliance Management System
 Management System based on a recognized standard such as ISO
14001, OHSAS 18001, ISO 9001 and ISO 27001
 Third party certified Management Systems such as ISO 14001,
OHSAS 18001, ISO 9001 and ISO 27001 (certification to which can
only be awarded based on a legal complaint system)

Management systems provide the mechanisms to identify upfront

compliance requirements and ensure appropriate controls are in place
to positively manage compliance status. They cannot guarantee against
a non-compliance occurring but should ensure that the system in place

10
quickly identifies the non-compliance status and corrects it. Following
the proactive system-based approach will enable an organization to:
 Make a commitment to compliance
 Identify current legal and other requirements specific to the
organization and be aware of pending legislation and its impact on
the organization well in advance.
 Understand the full implications of all applicable legislation and
incorporate the requirements into business practices.
 Keep information up-to-date.
 Identify compliance criteria.
 Establish a framework to address and control the identified
compliance requirements.
 Provide a mechanism for the on-going review, evaluation, and
reporting of compliance performance

One area of particular importance is the reference to the control

mechanism employed within the organization to manage that element
of the legal requirements. By including this in your system for
compliance management it immediately increases the transparency of
the legal management system and ensures that there is an effective
control mechanism in place for each of the key requirements. Controls
will not always be procedures but may include site inspections,
monitoring equipment or designating responsibilities. Typically
through a management system, there will be a number of different steps
to the management of compliance:

Step 1 – Commitment to Legal Compliance

Evaluation Essentially this requires the agreement from top

management that this is required and their commitment to providing
the necessary resources including staff, finance and IT support to carry
out the evaluation and to take action to resolve areas of non-
compliance.

Step 2 – Identification of Legal Requirements

Having secured top management commitment to evaluating

compliance, the next step is to identify the legal requirements such as
codes of practice and guidance notes. Legal requirements can take
many forms including:

11
 Legislation, regulations, and statutes
 Directives
 Permits, licenses or other forms of authorization as Orders issued
by regulatory bodies.
 Judgments of courts or administrative tribunals
 Treaties, conventions, and protocols

There are many different ways an organization can go about identifying

legal requirements. These are all valuable sources. However, the most
important thing is what you do with the information you identify.
Typically the identification of legal requirements leads to the
production of a legal register. A typical legal register would include:

However, this format will not be sufficient to enable effective evaluation

of compliance within the management system.

Step 3 – Identification of Compliance Criteria

To ensure the use of a legal register is effective, consideration should be

given to also using the document as a mechanism to:
 Evaluate the legislation to determine which components are
applicable, e.g. discharge of trade effluent from the effluent plant.
 Establish the relevance of the legislation to the organization –
identify which activities are completed on site that falls within the
scope of the legislation e.g. a license is required for the discharge of
trade effluent

The above is referred to as the compliance criteria and without a good

understanding of what these criteria are for your organization, it will be
very difficult to undertake an effective evaluation of compliance. The
legal register should be a ‘live’ document and be useful to the
organization. It may also identify:
 Installation Activity
 Regulation

12
  Regulator
 Description of Regulation
 Relevance to the organization — compliance criteria
 Responsible Persons
 Reference to other parts of the management system e.g.
environmental aspects, health and safety hazards, objectives and
targets
 Reference to the license, permit, authorization or notification
 Further information (e.g. codes of practice)
 Operational Controls

Additional columns might be as follows:

This type of register can provide a clear understanding of the

relationship between legislation and organizations activities, products,
and services. Also, it can be used as an awareness-raising tool, but more
importantly, it provides a clear audit trail for the internal audit function
to undertake their evaluation of legal compliance.

Step 4 – Compliance Performance Evaluation

Having identified relevant legislation, the compliance criteria, and

related operational controls, the next step is to develop a process for
checking legal compliance. Use the information from the register to
review current practices against the identified legal requirements
applicable to your organization. You might want to consider developing
a checklist for each item of legislation that the organization has
identified. Objective evidence will need to be gathered in order to
evaluate compliance. Compliance performance evaluation can be
carried out by:
 Monitoring against performance indicators – trend analysis to
predict and prevent non-compliance e.g. amount of mercury
discharged on a monthly basis versus the early figure specified
within the discharge consent or noise emissions limits.
 Reviewing risk assessments.
13
 Undertaking physical inspections e.g. of the status of oil storage
facility or of wearing of relevant personal protective equipment
(PPE)
 Undertaking Management Systems audits.
 Compliance verification against procedural and legal requirements.
 Independent verification (e.g. in the case of compliance to a GHG
permit)

Conducting a compliance performance evaluation will help you to:

 Identify any regulatory non- compliances
 Determine whether existing controls are adequate to help prevent
regulatory non-compliance including those related to abnormal and
emergency situations.
 Identify areas where further information is required to track or
confirm compliance, any opportunities for improvement
 Proactively manage an organization’s compliance status

There has been much discussion about what constitutes an ‘Evaluation

of compliance’. What is clear is that there is no one method or definitive
answer but more of a suite of tools that can be used when completing
the evaluation. Therefore it is important that the outcomes of the
evaluations are brought together to enable trend analysis and the
overall compliance status to be determined.

Step 5 – Compliance and Review Reporting

A compliance review is more than just monitoring. Routine monitoring

may not check compliance with all requirements and limits of a permit
or consent. Monitoring of an indicator to demonstrate improvement
(such as the quantity of monthly hazardous waste arising’s) will not
check compliance with all applicable waste legislation (such as whether
hazardous waste documentation identifies waste streams correctly).
However, the results of monitoring can be input into the evaluation
process. Likewise, a true evaluation of compliance is more than just
systems auditing as systems audits tend to have broad scopes, are not
specifically focused on legal compliance, assess too small a sample of
data and are too infrequent to demonstrate system effectiveness.
However, results of audits can be input into the evaluation process and
are still a valuable tool.

14
Step 6 – Compliance Verification

So, compliance verifications are also necessary. Compliance

verifications use compliance detail from the legal register and legal
documents, such as permits, to create comprehensive checklists.
Compliance verifications can be targeted, topic specific, more frequent
and risk-based. Compliance verification will:
 Identify compliance tasks and their frequency
 Ensure availability of sufficient
 competent resource
 Allocate time and resources on a risk basis

Regardless of which methods are used – it is essential that

appropriate records are held of the outcome of the evaluation process.

Step 7 – Compliance Reporting

So what do you do with the results of the evaluation? Compliance

reporting is a systematic activity using information from monitoring,
system auditing, verification and feedback from interested parties (such
as regulators). Using this data enables you to confidently, and
accurately, report on your compliance status to top management (policy
and decision-makers) for the identification of future legislative trends,
areas of strengths and weaknesses, and opportunities for improvement.
Reporting should be undertaken at a frequency appropriate to the risks
and should seek to answer the questions, posed by top management,
‘how compliant have we been, are we now, and will we be, with legal
and other requirements?’

Step 8 – Define an Action Plan

Define an action plan for addressing the issues identified in the gap
analysis. The action plan might include the:
 Allocation of specific clear roles and responsibilities for compliance.
 Communication or. the relevance of the requirements at all levels.
 Revision of procedures include operational criteria
 Provision of relevant training

15
Step 9 – Repeat the process

In order to maintain legal compliance, this evaluation process needs to

be repeated on a regular basis. This provides the opportunities for
continuous improvements and enables you to keep up to date, if not
ahead of, regulatory developments. There is no right or wrong way to
the evaluation of compliance. There are different methods for
evaluating compliance. Choose the approach that best suits your
business based on size, type, and complexity. We would, however,
recommend using a system-based approach to identify legal
requirements and establish appropriate controls. A legal Register can
be an effective tool to help evaluate and verify compliance. Determine
the measures needed to develop a compliance framework, including
frequency and resources and the frequency of review and reporting
should be systematic and risk-based. Provide comprehensive reports to
top management for decisions on future policy and objectives, and for
corporate assurance. Evaluation of compliance is a key component of
an effective system to deliver continued legal compliance. A
management system will not guarantee compliance as it can not predict
the future! It will, however, provide the framework for an organization
to manage its compliance status and improve its capability to deliver
regulatory compliance.

9.2 Internal audit

9.2.1 General
The organization must conduct internal audits at planned
intervals. This will provide information on whether the
OH&S management system is conforming to the
organization’s own requirements for its OH&S management
system, including the OH&S policy and OH&S objectives and
also to the requirements of ISO 45001:2018. It also provides
information if the OH&S management system is effectively
implemented and maintained.

9.2.2 Internal audit programme

The organization, must plan, establish, implement and
maintain audit programmes including the frequency,
methods, responsibilities, consultation, planning
requirements, and reporting, which shall take into
16
consideration the importance of the processes concerned
and the results of previous audits. It must define the audit
criteria and scope for each audit. It must select auditors and
conduct audits to ensure objectivity and the impartiality of
the audit process. It must ensure that the results of the audits
are reported to relevant managers; ensure that relevant audit
results are reported to workers, and, where they exist,
workers’ representatives, and other relevant interested
parties. It must take action to address nonconformities and
continually improve its OH&S performance. It must retain
documented information as evidence of the implementation
of the audit programme and the audit results.

As per Annex A (Guidance on the use of ISO 45001:2018

standard) of ISO 45001:2018 standard it further explains:

The extent of the audit programme should be based on the complexity

and level of maturity of the OH&S management system. An
organization can establish objectivity and impartiality of the internal
audit by creating processes that separate auditors’ roles as internal
auditors from their normal assigned duties or the organization can
also use external people for this function.

An internal audit is a systematic method to check organizational

processes and requirements, as well as those detailed in the ISO 45001
standard. This will ensure the processes in place are effective and the
procedures are being adhered to. An internal audit in ISO 45001 not
only serves as a function to meet the terms of the standard, as explained
above, but also a real opportunity to improve your OH&SMS
(Operational Health and Safety Management System), and therefore
reduce risk of accidents in your workplace while improving employee
wellbeing. Internal audits and auditors should be independent and
have no conflict of interest over the audit subject, the standard reminds
us, and it should be noted that non-conformities should be subject to
corrective action. When considering the results of previous audits, the
results of previous internal and external audits and any previous non-
conformities and resulting actions to repair them should be taken into
account. The 45001:2018standard refers us to ISO 19011for the internal
audit program, but when you are establishing your program there are
several rules you can subscribe to in order to ensure that your program
is effective. Base your internal audit frequency on what is reasonable
for your organization in terms of size, the sector you operate in,

17
compliance obligations, and risk to the health and safety of workers.
Decide what is reasonable for you, whether that is bi-annually,
quarterly, or whatever you deem suitable. Keep in mind that this
schedule can be changed, preferably through management review and
leadership guidance, in the event of changes that necessitate extra
internal audit activity. The internal audit programme will aid the
organization to achieve the OH&S objectives and targets. It helps:
 Monitor compliance with policy and objectives.
 Provide evidence that all necessary checks are carried out.
 Ensure all current legislative and other requirements are met.
 Assess the effectiveness of risk management.
 Worker engagement leading to a positive safety culture.
 Identify improvement using ‘fresh eyes’ to review a process.
 Aid continual improvement.

The organization must conduct internal audits at planned intervals to

provide information on whether the OH&S management system
conforms to the organization’s own requirements for its OH&S
management system, including the OH&S policy and OH&S objectives
and the requirements of ISO 45001. In addition, the audit allows the
organization to determine if its OH&S management system is
effectively implemented and maintained. The extent of the audit
programme should be based on the complexity and level of maturity of
the OH&S management system. The organization must plan, establish,
implement and maintain an audit programme, which contains
information on:
 The frequency that audits are conducted;
 The methodology/protocol used (should be in general
conformance with the requirements of ISO 19011:2011 Guidelines
for auditing management systems;
 Who is responsible for managing and conducting audits;
 What consultation takes place with auditees and the general
workforce;
 How the audits are planned and implemented;
 The format for reporting audits.

18
The planning of the internal audit programme must recognize the
importance of the processes concerned and the results of previous
audits. This would be reflected in the audit programme being based on
the results of the risk assessments of the organisation’s activities and
the results of previous audits, which in turn would guide the
organisation in determining the frequency of audits of particular
activities, areas or functions and what parts of the OH&S management
system should be given attention. The OH&S management system
audits should cover areas and activities within the scope of the OHSMS
as defined by clause 4.3 of the standard and also assess conformity to
ISO 45001. The organization must define the audit scope and audit
criteria for each audit. Audit evidence should be evaluated against the
audit criteria to generate the audit findings and conclusions. Audit
evidence should be verifiable. Prior to conducting the audit, the
auditors should review appropriate OH&S management system
documented information, and the results of prior audits. This
information should be used by the organization in planning for the
audit.

The organization must select auditors and conduct audits to ensure

objectivity and the impartiality of the audit process. It can establish
objectivity and impartiality of the internal audit process by creating a
process that separates auditors’ roles as internal auditors from their
normal assigned duties. Alternatively, it can utilize the services of
external companies to conduct their internal audit programme. After
the audit is complete the auditors must ensure that the results of the
audits are reported to relevant managers. In addition, relevant audit
results must be reported to workers; where they exist, to workers’
representatives and to other relevant interested parties. The
organization must take action to address nonconformities in a timely
and efficient manner and continually improve its OH&S performance.
The audit report should be clear, precise and comprehensive. The
organization must retain documented information as evidence of the
implementation of the audit programme and the audit results.

It also points out how previous audit results and outputs from risk
assessment can provide inputs for the internal audit itself. Given that
you have a date for your internal audit – whether this is being carried
out by an internal or external auditor – what should you bear in mind
to prepare? Firstly, you must consider how you prepare for your
internal audit. Does your organization have an adequately trained
auditor? Internal audits must be conducted by competent staff with a

19
degree of impartiality to the area being audited. A risk-based approach
can be applied to areas being audited with an increased focus on higher
risk activities. Internal audits must be planned with an expectation of
each process being audited at regular intervals. In addition to planned
audits, unplanned audits may be conducted in reaction to problematic
areas, near-miss reports or incident data with a focus on accident
prevention. It is beneficial to communicate audit results to applicable
interested parties including workers and set realistic completion
timescales for identified ‘opportunities for improvement’ or
‘nonconformities’. Top Management must be aware of deficiencies
within the system to ensure the necessary resources can be allocated to
mitigate the findings. Audit results will be reviewed as part of the
management review process. ISO 45001, like most other ISO standards,
contains a clause that outlines how organizations should perform
internal audits. Internal audits should meet the planned measures of
the OHSMS System and the audit outputs should be made available.
You should establish and plan your internal audit schedule, based on
the results of previous audits and risk assessments. Although it is
sensible and standard, as are other clauses in ISO 45001, the internal
audit should be approached with more care than, for instance, the
comparable clauses in ISO 9001 (Quality Management) or ISO 14001
(Environmental Management). This is because an ineffective OHSMS
audit could endanger the welfare of your employees. The organization
should plan their internal audits at regular intervals. It should,
however, be noted that accidents, incidents, risk assessments or
stakeholder input can all be used to initiate internal audits beyond the
regular schedule. This would be the case if the organization feels it
would be beneficial to the overall health and safety performance. Let’s
look at when who, and how the ISO 45001 system internal audit should
be performed.

When: Internal audit should be done at planned intervals, or

whenever it is deemed required, or beneficial to your ISO 45001 system.
Who: The standard requires that the internal auditor must be
impartial and objective. Auditor selection is critical. The auditor must
be experienced and, if possible, formally trained. The auditor must also
be aware of the company’s OHSMS Policy, objectives, and performance.
As the internal audit process is so critical, many organizations use
external advice from an expert for internal audit purposes.
How: All relevant information in terms of “input” to the process should
be available to the internal auditor. The auditor will also need OHSAS

20
performance outputs, risk assessment information and results, desired
OHSMS objectives and stakeholder input.

Why: A logical question to ask at this stage would be “Why?” Apart

from being a requirement of the ISO 45001 standard, internal audits
should be seen as key drivers in the continual improvement cycle. It is
also critically important as a preventive measure for health and safety
in the workplace. Anyone interacting with the auditor should therefore
always provide truthful and accurate information during the audit. An
accurate assessment creates an opportunity for suggestions for
improvement based on past and current data.

The ISO 45001 standard requires that management should have access
to the results of any internal audits. This enables the top management
team to make decisions on actions that need to be taken based on the
results from the internal audit. In terms of continual improvement, it is
however also helpful if the auditor makes suggestions based on the
audit itself, as they have had direct experience and interactions with the
procedures and processes during the audit. This will give the
management team a more balanced view of the audit’s effectiveness and
the validity of the results. This will create a bigger chance of continual
improvement and output that could potentially prevent incidents and
accidents. It is obviously necessary that the process is documented,
including findings, outcomes, and actions, as the internal audit takes its
place in the improvement cycle. Make sure that internal audits are
always thorough, honest, and accurate. Use the “plan, do, check, act”
methodology to ensure that the proposed actions are implemented,
effective, and maintained. Once you have done this, you can be sure that
the results of the internal audit are truly effective. The principles of ISO
19011 which addresses system auditing can also help you with regard to
structuring your audit. So, what other elements do we need to consider
when undertaking the internal audit? Let us consider:
 Remember, the internal audit will show your ability to meet the
requirements of the standard itself (or some of it, depending on the
scope of the audit). Ensure you and your organization have met all
requirements of the standards, including management review, risk
assessment, and emergency response. Bear in mind that any non-
conformities will be reported and you should consider using your
corrective action process to rectify any identified non-conformities.
Concentrate on hazard and risk identification. Though closely
related, hazard and risk are not the same things. ISO 45001 defines
a hazard as a “source or situation with a potential to cause injury
21
 and ill health”. In other words, what features of your processes have
the ability to harm individuals? This could be a hazardous chemical
you need to use in a process or a machine that has a pinch point that
needs to be guarded to protect the people who need to use it. It could
also be an office position that requires certain actions that over time
could lead to repetitive strain injuries. An OH&S risk is defined as
the “combination of the likelihood of occurrence of a work-related
hazardous event or exposure and the severity of the injury and ill
health that can be caused by the event or exposures”. So, the hazard
is the feature of the process that can harm an individual, and the
risk is the likelihood that it will happen along with how to sever the
consequences will be. This should be a key element of most internal
audit examinations, and the identification of both, as well as
mitigation of risk, are key to maintaining an effective OH&SMS.
 Ensure your corrective action process is effective. The steps to take
once corrective action is initiated in your OH&SMS, we looked at
the step by step process for ensuring corrective action with respect
to ensuring that root causes of problems were correctly identified
and eradicated. While prevention is preferable to cure in any
OH&SMS, an effective system must have an effective corrective
action process. It is likely that this will be examined closely in most
internal audits.
 Ensure your team is ready. Ensuring your team has satisfied these
clauses can be vital to your internal audit. Keep in mind that no
OH&SMS can flourish without employee knowledge, commitment
and buy-in. Ensure that your team is involved in the preparation
for, and execution of the internal audit. This can help your
OH&SMS flourish and your internal audit is successful.
 Rehearse for your external audit. Remember that your internal
audit is an opportunity to prepare and rehearse for your external
certification audit. There are several ways you can do this, using the
information in the article What questions should you expect from
the ISO 45001 auditor? should help you prepare your OH&SMS and
your own team for both the internal and likely forthcoming external
audit.
 Ensuring your OH&SMS benefits. As stated, the internal audit is not
only a dry run for your external certification audit in terms of the
conformance of your OH&SMS. It is also a huge opportunity for
improvement. Use the information in How to create an internal
audit checklist for your Health & Safety management system to
ensure you cover all the elements required in the standard itself.
22
 Record your results, and clearly outline any corrective action or
improvements made. This will serve as evidence and ensure you
have a record of action and improvement for your next audit,
whether internal or external. Treat your internal audit as a measure
of conformity, an opportunity to improve and a rehearsal for your
external audit. Doing this will ensure that real value can be derived
from this mandatory part of ISO 45001.

What evidence will the auditor require?

As stated above, the auditor’s main function is to ensure that your

documentation, processes, and actions comply with the ISO 45001
standard, and that evidence can be produced to prove this. So, if we
think from that point of view there are some questions he/she is almost
certain to ask:
 Are all the clauses in the standard met? From the moment the
auditor enters your organization’s premises, this will be what
he/she is tasked to find out. It is normal that the auditor will break
the clauses and requirements down an element at a time, but the
final requirement will be to ensure that compliance versus the
standard is there. For example, can you ensure that all of your
mandatory documentation is covered? Ensure that you have a copy
of the standard, know it well, and have carefully worked through it
to be sure your organization complies.
 Have you held a management review? This is the critical starting
point for your OH&SMS in terms of ensuring that there is top
management input and that objectives are established correctly, as
well as having the ability to ensure that the cycle of review and
improvement exists when your OH&SMS is running.
 Have you recorded incidents, accidents, and near misses? And, if
so, do you have evidence to show that you have undertaken the
correct processes after an accident, and have a process whereby
action is taken to prevent near misses from being repeated and
becoming accidents in the future?
 Are your processes consistent? You will need to prove that your
processes – whether documented or not – are consistent internally
in the way they are used and that they meet the terms of the
standard. This also leads to the question regarding whether the
effectiveness of processes has been reviewed, which will encourage

23
 continual improvement – the element that underpins the standard
itself.
 Have you completed the critical functions of the OH&SMS? Have
you assessed risks and hazards correctly? Have you performed
corrective action in the cases where something has gone wrong?
Have you completed internal audits with satisfactory outcomes and
actions to guarantee improvement to your OH&SMS? Have you
documented these accurately as evidence? These elements are all
central to running a successful OH&SMS, you can be sure the
auditor will focus on these to a large extent; therefore, it is wise to
prepare. Also, be sure to remember that while these elements are
critical, they only make up part of the clauses you will be audited
against!
 Can you demonstrate competence, awareness, and evidence of
training? Especially in matters of health and safety, it is critical that
your team can demonstrate that they are aware of processes,
communications that may have taken place, and are generally
aware enough to operate safely within your organization. Ensure
that your employees realize that it is very likely that the auditor will
come and speak to them, and instruct them on how to react. There
is no need to be nervous, but being articulate, truthful, and honest
will help greatly.
 Can you demonstrate improvement? As stated previously, this is
necessary to demonstrate your organization’s compliance with ISO
45001. It is therefore certain that the auditor will ask a member of
the team about how this is obtained and evidenced. Be prepared for
this.
 How you can make the audit smoother for your organization and
people. It is wise to remember that the auditor is trying to help you
pass, not trying to make you fail. Anticipating the questions he will
ask will undoubtedly help you to prepare your employees and
ensure that they are less nervous, as well as helping you to ensure
that you have all your respective boxes ticked in terms of meeting
the clauses of the standard. Remember that the auditor is trying to
help you make sure your organization remains a safe place to work,
not trying to trip you up. Lastly, should the auditor have any
observations or recommendations during the audit, be sure that you
take them on board and use them to help you improve your
OH&SMS.

24
9.3 Management review
Top management must review the organization’s OH&S
management system, at planned intervals, to ensure its
continuing suitability, adequacy, and effectiveness. The
management review must consider the status of actions from
previous management reviews. The changes in external and
internal issues that are relevant to the OH&S management
system including the needs and expectations of interested
parties, legal requirements, and other requirements and
risks and opportunities. It must consider the extent to which
the OH&S policy and the OH&S objectives have been met. It
must also consider the information on the OH&S
performance such as trends in:
1. incidents, nonconformities, corrective actions, and
continual improvement;
2. monitoring and measurement results;
3. results of the evaluation of compliance with legal
requirements and other requirements;
4. audit results;
5. consultation and participation of workers;
6. risks and opportunities;

The input to Management Review must also consider the

adequacy of resources for maintaining an effective OH&S
management system, relevant communications with
interested parties and opportunities for continual
improvement. The outputs of the management review must
include decisions related to the continuing suitability,
adequacy and effectiveness of the OH&S management system
in achieving its intended outcomes and continual
improvement opportunities. It must include the need for any
changes to the OH&S management system, the resources,
and y action needed. It must also consider the opportunities
to improve integration of the OH&S management system with
other business processes and any implications for the
strategic direction of the organization. Top management
must communicate the relevant outputs of management
reviews to workers, and to workers representative where

25
they exist. The organization shall retain documented
information as evidence of the results of management
reviews.

As per Annex A (Guidance on the use of ISO 45001:2018

standard) of ISO 45001:2018 standard it further explains:

The terms used in relation to management review should be

understood as:
1. “suitability” refers to how the OH&S management system fits the
organization, its operation, its culture, and business systems.
2. “adequacy” refers to whether the OH&S management system is
implemented appropriately’
3. “effectiveness” refers to whether the OH&S management system is
achieving the intended outcome.

The management review topics listed in 9.3 need not be addressed all
at once; the organization should determine when and how the
management review topics are addressed.

This clause requires reviews of the suitability, adequacy, and

effectiveness of the OHSMS to be undertaken by top management at
planned intervals. It should be noted that, contrary to popular belief,
the management review does not have to be done all at once; it can be
a series of high-level or board meetings with topics tackled individually,
although it should be on a strategic and top management level.
Complaints from interested parties should be reviewed by top
management, with resultant improvement opportunities identified. It
should be remembered that the management review generally is the
one function that must be carried out accurately and diligently to
ensure that the function of the OH&SManagement System and all
resulting elements can follow suit. It goes without saying that all details
and data from the management review must be documented and
recorded to ensure that the OH&SManagement System can follow the
specific requirements and general strategic direction for the
organization detailed there. Management reviews are the opportunity
for senior management to critically evaluate the performance of the
OH&S management system to ascertain if it continues to be:

Suitable: does the management system fit the organization, its

operation, its culture and business systems;

26
Adequate: is the management system implemented appropriately;
Effective: has the management system achieved its intended
outcomes.

The management review should consider the following:

 The status of actions from previous management reviews;
 Changes in internal and external issues that can impact on the
OH&S management system such as risks and opportunities, the
needs and expectations of relevant interested parties and legal and
other requirements;
 The adequacy of resources for maintaining an effective OH&S
management system;
 Relevant communications with internal and external interested
parties;
 Opportunities for continual improvement.

The reviews should also include information on the organization’s

OH&S performance including trends in:
 The achievement of OH&S objectives;
 Incidents, nonconformities, and corrective actions;
 Monitoring and measurement;
 The evaluation of compliance with legal and other requirements;
 Internal and external audits;
 Consultation and participation of workers;
 Risks and opportunities.

The management reviews should be carried out on a regular basis (e.g.

quarterly, semi-annually, or annually). Partial management reviews of
the performance of the OHSMS can be held at more frequent intervals,
if appropriate. Different reviews can address different elements of the
overall management review. The management review process should
not just evaluate historical trends but should aspire to improve the
OH&S performance of the organization through the initiation of
improvement actions. Conclusions that should be drawn at the end of
the management review process related to:
 The continuing suitability, adequacy, and effectiveness of the OH&S
management system in achieving its intended outcomes;

27
 Opportunities for continual improvement;
 Any need for changes to the OH&S management system;
 Additional resources needed;
 Any actions needed;
 Opportunities to improve the integration of the OH&S management
system with other business processes such as environment, quality,
business continuity, etc.
 Any implications for the strategic direction of the organization.
 Top management must communicate relevant outputs from the
management reviews to workers, and where they exist, workers’
representatives.

The organization must retain documented information as evidence of

the results of the management reviews. Management Review is an
essential element of the Occupational Health and Safety Management
System. The aim of the review is for Top Management to assess the
performance of the management system to ensure it has been effective
and suitable for the needs of the business, ultimately preventing injury
or harm to workers. The management review is also a planned activity
to review objectives including compliance and to set new objectives.
Usually, management review meetings are conducted annually,
however many organizations conduct management reviews every six
months or quarterly to track the performance of the
system. If more frequent meetings are conducted, often the meeting
agenda is reduced with the full agenda occurring annually. The table on
the following page provides an overview of prescribed management
review agenda requirements:

9.3
Summary of the requirement for Management Review
Standard
agenda/clause reference point
reference

Provide a summary of the status of actions from the output of the

previous management review. This will include completed or
a)
incomplete tasks and justifications for their status. This information can
be pre-prepared for the meeting.

Explain any changes to internal and external issues relevant to the

b1) context of the organization to ensure the needs and expectations of
interested parties including workers are fulfilled.

28
 In addition to B1 note any changes or pending changes to legal and
b2)
other requirements and actions to address compliance obligations.

If there are any differences or changes to organizational risk and

b3) opportunities, they should be noted and explained and discussed in the
section below.

Review whether compliance with OH&S policy and objectives have

been achieved. It is good practice to place objectives within a table, align
c) key performance indicators to achieve them and comments if they have
or have not been achieved. This will also indicate the compliance status
of continual improvement.

Discuss any incidents or non-conformities which have occurred since

d1) the last review period including trends. Are there any trends and what
actions have been taken to prevent re-occurrence?

Determine if monitoring and measuring have been effective in meeting

d2) expectations within the organization. If evidence suggests it has not
been effective Top Management can influence improvement.

Discuss the status of compliance with legal and other requirements.

This may include evidence to support compliance including the methods
d3)
of determination and sources of information. Discuss any pending legal
and other requirements.

Discuss the results of internal audits and actions that have been taken
d4) to resolve any non-conformities. Discuss areas of improvement and
areas which are performing well.

Overview of consultation of workers. This may be feedback from safety

d5) committee meetings and actions to address risk and opportunities. Other
processes to ensure workers are safe including contractor arrangements.

Discuss risk and opportunities including the performance of hazard

identification and opportunities to mitigate harm to workers. The
d6)
organization may wish to review significant findings of risk
assessments.

With consideration of the information discussed in previous sections

are there enough resources to maintain and continuously improve the
e)
management system? This could be human or financial. Top
Management is key to influence improvement in this area.

Discuss communications with interested parties, this may include

f) regulatory authorities or external providers who are providing materials
which have an impact on safety.

29
 General discussion with the provision of information on how the OH&S
g). management system is performing and how can it continually improve
in the future

On completion of the management review meeting, the organization

must decide with senior leadership and support, what is needed to
continuously improve OH&S and satisfy the standard. The following
points outline the Management Review Meeting output requirements:
 Provide a wide-ranging conclusion to the continuing stability,
adequacy, and effectiveness in achieving its intended outcomes
 Identify continuous improvement opportunities
 Identify any required changes to the OH&S management system
 Identify required resources
 Identify any actions needed
 Identify any integration improvements with other business
processes. This may be further harmonization with ISO 9001 or ISO
14001 management systems
 Any implications to the strategic direction of the business. This is a
broad scope requirement to capture any topic to improve the OH&S
management system

The organization is required to record the meeting minutes within

documented information. This information must be communicated to
the relevant interested parties and where applicable worker
representatives. It is good practice to transfer management review
objectives into a separate document with identified key performance
indicators, expected completed timescales and delegated
responsibilities. These objectives may be communicated via the
organization’s email or placed on notice boards.

30