Management system guidance

6.1 Address Risks and Opportunities

ISO Navigator Pro™ is a free tool that provides practical, expert guidance for businesses wishing to interpret and better implement the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018.

6.1.3 Occupational Hazards

N.B. This page is being updated to include content for ISO 45001. Until then, the guidance on this page is broadly still relevant to the new requirements.

ISO 45001:2018 defines hazards as those things which have the potential to cause harm, and risks as those things which relate to the potential for harm to actually arise. A simple example might be to consider the electrical supply in a building.

Hazard identification and risk assessment form the core of the management system’s drive for control and improvement. What is important at this stage is to understand the terms hazard and risk; these terms are commonly used interchangeably in everyday conversation.

Electricity itself represents a hazard and, provided the supply is live, the risk of electric shock remains. These hazards and risks are best identified by understanding your business processes, identifying the tasks and activities where they arise and listing the inputs and outputs from each activity. The key features of this clause are:

  1. A procedure for identifying occupational hazards appropriate to a task;
  2. Evaluating the consequent risks and deciding which are significant;
  3. Identifying a level of risk which the organization considers to be tolerable;
  4. Using this as a basis for setting objectives for improvement;
  5. Keeping the risk assessments and any improvement objectives up to date.

These can represent a wide range of issues, but it is essential they are all considered because your whole management system will be focused on the output of this identification process and ranking for significance.

Auditors will test the process and its outputs for content, repeatability, accuracy, records, and later on, for the use of its outputs in focusing the direction and delivery of the management system.

  1. Look for hazards;
  2. Decide who might be harmed and how;
  3. Evaluate the risks and decide whether current controls are adequate;
  4. Record your findings;
  5. Review risk assessments and revise if necessary.

Review and revise the risk assessment when there is any significant change (e.g. new hazards arise due to new machines, substances and processes). Regularly review the risk assessment to check that the precautions for each hazard still adequately control the risk and, if necessary, reassess the risk.

Having identified all hazards and associated risks which could impact on occupational health and safety, the process of rating the risks for significance can be carried out. This crucial process, together with a thorough knowledge of legal and other similar requirements, provides the foundations of the management system.

This assessment process is vital in determining the need for controls aimed at either reducing risk to levels deemed to be tolerable, or meeting the requirements of legislation. The significance level (or risk rating) should then be used to prioritise actions.

Remember that the importance of this process cannot be overestimated. If you get this process wrong, the whole system will be suspect.

Regular reviews are essential to ensure that hazards and risks are being appropriately managed, and that the relevant data about them remains accurate and reliable. Your organization should repeat the hazard and risk assessment process every 2 years or when site conditions change, when new tasks are added or when new workers join the crew, in order to prevent the development of unsafe working conditions. Objective evidence could take the following forms:

  1. Risk assessments;
  2. Training records;
  3. Briefing records;
  4. COSHH assessments;
  5. Planning, analysis and evaluation activities;
  6. Corrective actions;
  7. Non-conformance reports.
