Management system guidance

6.1 Address Risks and Opportunities

ISO Navigator Pro™ is a free tool that provides practical, expert guidance for businesses wishing to interpret and better implement the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018.

Our range of templates covers the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018, and offers an easy way to implement your next management system.

6.1.3 Legal and other requirements

Legal requirements can give rise to risks and opportunities for the organization. They may stem from mandatory requirements such as applicable laws and regulations; from voluntary commitments such as organizational and industry standards, contractual relationships and principles of good governance; and from community and ethical standards. Maintain documented information on legal and other requirements. The introduction of new legislation and changes to current legislation can be monitored through the following sources:

  1. NETRegs service www.netregs.gov.uk
  2. Environment and Health & Safety www.cedrec.com/home/index.htm
  3. Health & Safety www.croner.co.uk
  4. Health & Safety www.hse.gov.uk/guidance/index.htm
  5. Relevant publications and professional bodies.

Using your Legal and Other Requirements Register, determine the compliance obligations related to your environmental aspects and the legal requirements associated with OH&S hazards. These may arise from mandatory requirements (applicable laws and regulations), from voluntary commitments (organizational and industry standards, contractual relationships, principles of good governance) and from community and ethical standards. Non-mandatory needs and expectations of interested parties become obligatory requirements for the organization only if it chooses to adopt them.

Identifying legal requirements

Form a review team comprising the relevant Department Managers to actively identify relevant mandatory and voluntary legal and other requirements, and to determine how the impacts associated with non-compliance should be mitigated. The Health and Safety Manager should employ several techniques to track, identify and evaluate applicable safety-related legal and other requirements, including:

  1. Listing all the hazardous chemicals, with the maximum quantities stored and used at any given time;
  2. Listing the properties of all the hazardous chemicals from their respective MSDS/SDS and COSHH assessments;
  3. Listing the characteristics of all activities, operations and process inputs, based on available and measured data or on information provided by suppliers;
  4. Conducting detailed risk assessments and determining the risk level; all risk-control methods must take the relevant legal requirements into account;
  5. Taking into account arrangements for the preventive maintenance of plant and equipment, which may also be covered by legal requirements;
  6. Determining whether a piece of legislation is ‘relevant’ or ‘irrelevant’;
  7. Identifying and maintaining safety-related legal and other requirements received from interested parties;
  8. Identifying statutory inspections needed to fulfil legal requirements, e.g. under LOLER/PUWER;
  9. Determining whether your organization is compliant with the legislation:
    • Describe how the legal requirements apply;
    • Describe what controls are in place to manage the requirement;
    • Describe what controls are in place to mitigate the related health and safety hazard.
  10. Determining the applicable controls defined in the respective assessments, and applying recognised legal and industry principles to determine and demonstrate that all identified risks and hazards are reduced to a level that is as low as reasonably practicable (ALARP);
  11. Preparing a list of applicable requirements from all the applicable legislation and linking them to the identified health and safety risks;
  12. Defining the criteria for operational controls as specified in the rules or taken from other sources (manufacturer’s manual, industry best-practice manual, historical data, information in the public domain, guidelines or expert advice);
  13. Determining the level of compliance with all the identified requirements from all the applicable legislation as they apply to:
    • Procedural requirements;
    • Operational requirements;
    • Monitoring requirements.
  14. Assigning responsibilities across the organization for compliance and reporting;
  15. Subscribing to an external agency for regular legislation updates;
  16. Repeating the above steps whenever a legal requirement is introduced or changed.

Document all applicable health and safety legal requirements and other requirements that apply to your organization’s processes using the Legal and Other Requirements Register. The introduction of new legislation, changes to existing legislation, or new government agendas, charters or policies should be considered by Top management; where they are judged to be of particular relevance to identified health and safety hazards, they should be assessed and cascaded to the relevant process owners as quickly as practicable.

Evaluating legal requirements

The Health and Safety Manager must assess all relevant occupational health and safety legal requirements, regulations and Approved Codes of Practice (ACoPs), using http://www.legislation.gov.uk, to ensure that all identified occupational health and safety hazards are evaluated and understood in terms of current legislation, including as appropriate:

  1. Health and Safety at Work Act 1974;
  2. The Regulatory Reform (Fire Safety) Order 2005;
  3. Workplace (Health, Safety and Welfare) Regulations 1992;
  4. Management of Health and Safety at Work Regulations 1999;
  5. Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) 2013;
  6. Control of Substances Hazardous to Health Regulations (COSHH) 2002;
  7. Safety Representatives and Safety Committees Regulations 1977;
  8. Health and Safety (Consultation with Employees) Regulations 1996;
  9. Building Regulations 2000;
  10. Lifting Operations and Lifting Equipment Regulations (LOLER) 1998;
  11. Provision and Use of Work Equipment Regulations (PUWER) 1998;
  12. Health and Safety (First Aid) Regulations 1981.

The Health and Safety Manager is usually responsible for keeping this information up to date, for communicating relevant information on compliance with legal and other requirements to relevant stakeholders or interested parties, and for reporting it to management review.

Determining other requirements

Other requirements include the requirements of interested parties and workers, national and international standards, contract requirements, business codes, guidance notes, codes of practice, and other technical memoranda and practice notes produced by government agencies and professional institutions. Typical means of identifying them include:

  1. Subscription to publisher legal update newsletters;
  2. Membership of trade associations;
  3. Research via reputable government websites;
  4. Use of competent consultants;
  5. Competent employee membership of occupational health and safety institutes;
  6. Employee attendance of occupational health and safety training courses.

The evaluation of other requirements should be documented within the Legal and Other Requirements Register in order to identify and demonstrate applicability.

Documenting legal requirements

Your organization should maintain an indexed list of relevant legal requirements, and of other requirements such as standards and procedures, in connection with identified safety-critical tasks and their associated hazards. Do this by referencing the minimum acceptable legal requirements, industry standards and technical specifications against the associated equipment and operating routines at your facility. The information recorded in the register for each requirement includes, but is not limited to:

  1. Title and description of the legal and other requirement;
  2. Description of how the requirement applies and whether relevant licenses or approvals are required;
  3. Title and description of supporting documents that demonstrate compliance;
  4. How compliance is verified.

The Legal and Other Requirements Register must be reviewed and updated for adequacy, both for new regulations and updated regulations, and communicated to relevant staff whose responsibilities or actions can affect compliance.

Updating legal requirements

Departmental Managers should inform a member of the Health and Safety Committee of any changes to the requirements relevant to their functions or departments, so that up-to-date copies of the legal and other requirements relevant to each department remain accessible.

Legal and other requirements should be reviewed for applicability on a regular basis, assisted by the automatic e-mail notifications received whenever legislation is updated or newly published. Legislative requirements are kept up to date through membership of the principal professional bodies and subscription to legislative updating services. Sources of legal information are also gathered in many other ways, including:

  1. Information from trade associations;
  2. The internet and email lists;
  3. Outside consultants;
  4. Direct communication with regional, national, and local agencies;
  5. Networking with industry peers;
  6. Industry trade shows;
  7. Industry publications;
  8. Participation in professional organizations;
  9. Training courses on health and safety laws.

Where the introduction of new legislation, changes to existing legislation, or new government agendas, charters or policies are of particular relevance and importance to your organization, they should be cascaded to the relevant employees as quickly as practicable. Review the Legal and Other Requirements Register specifically to:

  1. Determine whether a piece of amended or new legislation is ‘relevant’ or ‘irrelevant’;
  2. Determine whether your organization is compliant with the legislation, describing how the requirements apply and what controls are in place to manage the requirement and mitigate the related health and safety hazards;
  3. Undertake a periodic review of legal requirements, and of other standards and codes of practice, whenever changes are planned, to ensure continued compliance;
  4. Determine which other requirements are relevant to your organization and which it has voluntarily adopted, describing how they apply and what controls exist to remain compliant.

Each update received should be reviewed for relevance and a record of the review retained. The Legal and Other Requirements Register should be amended and the changes communicated, where necessary, within one calendar month. Findings are reported during management review meetings.

Monitoring compliance status

The compliance audit frequency may be reduced when repeat compliance audits find zero non-compliances. Where additional legal requirements are identified when the compliance auditor reviews the list of legal requirements, these are reviewed and considered by Top management. Nonconformities arising from legal compliance audits must be recorded, actioned and tracked in accordance with your nonconformity and corrective action process.

More information on PDCA

Planning

ISO 9001:2015 | ISO 14001:2015 | ISO 45001:2018
4.1 Organizational Context | 4.1 Organizational Context | 4.1 Organizational Context
4.2 Relevant Interested Parties | 4.2 Relevant Interested Parties | 4.2 Relevant Interested Parties
4.3 Management System Scope | 4.3 Management System Scope | 4.3 Management System Scope
4.4 QMS Processes | 4.4 EMS Processes | 4.4 OH&S Management System
 
ISO 9001:2015 | ISO 14001:2015 | ISO 45001:2018
5.1 Leadership & Commitment | 5.1 Leadership & Commitment | 5.1 Leadership & Commitment
5.2 Quality Policy | 5.2 Environmental Policy | 5.2 OH&S Policy
5.3 Roles, Responsibilities/Authorities | 5.3 Roles, Responsibilities/Authorities | 5.3 Roles, Responsibilities/Authorities
 | | 5.4 Consultation & Participation
 
ISO 9001:2015 | ISO 14001:2015 | ISO 45001:2018
6.1.1 Address Risks & Opportunities | 6.1.1 Address Risks & Opportunities | 6.1.1 Address Risks & Opportunities
6.2.1 Quality Objectives | 6.1.2 Environmental Aspects | 6.1.2 Hazard Identification
6.2.2 Planning to Achieve Objectives | 6.1.3 Compliance Obligations | 6.1.3 Legal & Other Requirements
6.3 Planning for Change | 6.1.4 Planning Action | 6.1.4 Planning Action
 | 6.2.1 Environmental Objectives | 6.2.1 OH&S Objectives
 | 6.2.2 Planning to Achieve Objectives | 6.2.2 Planning to Achieve Objectives
 

Doing

ISO 9001:2015 | ISO 14001:2015 | ISO 45001:2018
7.1.1 Resources - General | 7.1 Resources | 7.1 Resources
7.1.2 People | 7.2 Competence | 7.2 Competence
7.1.3 Infrastructure | 7.3 Awareness | 7.3 Awareness
7.1.4 Operational Environment | 7.4.1 Communication - General | 7.4.1 Communication - General
7.1.5 Monitoring & Measuring | 7.4.2 Internal Communication | 7.4.2 Internal Communication
7.1.6 Organizational Knowledge | 7.4.3 External Communication | 7.4.3 External Communication
7.2 Competence | 7.5 Documented Information | 7.5 Documented Information
7.3 Awareness | |
7.4 Communication | |
7.5 Documented Information | |
 
ISO 9001:2015 | ISO 14001:2015 | ISO 45001:2018
8.1 Operational Planning & Control | 8.1 Operational Planning & Control | 8.1.1 General
8.2.1 Customer Communication | 8.2 Emergency Preparedness | 8.1.2 Eliminating Hazards
8.2.2 Determining Requirements | | 8.1.3 Management of Change
8.2.3 Reviewing Requirements | | 8.1.4 Outsourcing
8.2.4 Changes in Requirements | | 8.2 Emergency Preparedness
8.3.1 Design Development - General | |
8.3.2 Design Development - Planning | |
8.3.3 Design Development - Inputs | |
8.3.4 Design Development - Controls | |
8.3.5 Design Development - Outputs | |
8.3.6 Design Development - Changes | |
8.4.1 External Processes - General | |
8.4.2 Purchasing Controls | |
8.4.3 Purchasing Information | |
8.5.1 Production & Service Provision | |
8.5.2 Identification & Traceability | |
8.5.3 3rd Party Property | |
8.5.4 Preservation | |
8.5.5 Post-delivery Activities | |
8.5.6 Control of Changes | |
8.6 Release of Products & Services | |
8.7 Nonconforming Outputs | |
 

Checking

ISO 9001:2015 | ISO 14001:2015 | ISO 45001:2018
9.1.1 Performance Evaluation | 9.1.1 Performance Evaluation | 9.1.1 Performance Evaluation
9.1.2 Customer Satisfaction | 9.1.2 Evaluation of Compliance | 9.1.2 Evaluation of Compliance
9.1.3 Analysis & Evaluation | 9.2 Internal Audit | 9.2 Internal Audit
9.2 Internal Audit | 9.3 Management Review | 9.3 Management Review
9.3 Management Review | |
 

Acting

ISO 9001:2015 | ISO 14001:2015 | ISO 45001:2018
10.1 Improvement - General | 10.1 Improvement - General | 10.1 Improvement - General
10.2 Nonconformity & Corrective Action | 10.2 Nonconformity & Corrective Action | 10.2 Incident, Nonconformity & Corrective Action
10.3 Continual Improvement | 10.3 Continual Improvement | 10.3 Continual Improvement
 

Free internal audit checklists

Check out our free internal audit checklists. The audit checklist template is just one of the many tools which are available from the auditor’s toolbox that help ensure your audits address the necessary requirements.

Client list

Over 8,000 companies and globally recognized brands have relied on our templates to provide a path to improve, collaborate and enhance their operations to achieve certification. Please see our client list for more information.