For organisations in Australia pursuing ISO 45001 certification, Clause 9.1.2, “Evaluation of compliance,” is a critical component. This clause moves beyond merely identifying legal and other requirements (Clause 6.1.3); it demands a systematic process for actively evaluating these requirements, to “check” whether your organisation is operating in a legally compliant manner.
This is not only beneficial for organisations in Australia pursuing ISO 45001 certification; it is also just good business, as operating in a legally compliant manner, aligned to local acts, regulations, codes of practice etc., is not an “optional” choice for businesses – it is mandatory!
Government organisations like WorkSafe have been consistently issuing large fines (i.e. hundreds of thousands of dollars) to organisations in Australia that are caught not operating in a legally compliant manner. This often comes to light after a serious incident, by which time it is too late. A proactive approach is the only way to go!
At S & J Auditing & Consulting, we have a strong reputation in the market for really homing in on this clause for our clients. Our process to address this clause is simple, but effective:
1. Identify and Maintain an Understanding of OH&S Legislation
This occurs through consultation with relevant stakeholders to identify which OH&S legislation is applicable and which is not. For example, a welding workshop does have OH&S legislation it is obliged to comply with, such as regulations related to first aid facilities, the provision of personal protective equipment, signage etc., although regulations related to diving work may not apply. Hence, it is vital to consult with relevant stakeholders to identify which OH&S legislation is applicable and which is not.
Maintaining an understanding of applicable OH&S legislation may include processes such as:
- Signing up to automated emails and newsletters provided by OH&S regulators;
- Attending conferences or information sessions related to OH&S legislation, and
- Having regular communication with specialists related to OH&S legislation etc.
It is also a good idea for organisations to maintain a list of the OH&S legislation applicable to their processes, often known as a “legal register” or “legal and other requirements register”.
2. Identify Hazards and Risks, and Conduct Risk Assessments
Identifying hazards and risks, and assessing them is a critical step in ensuring a safe place of work, and legal compliance. Our process involves systematically examining the environment, tasks, and equipment to pinpoint potential sources of harm, such as physical, chemical, biological, or ergonomic hazards.
Our consultants at S & J Auditing & Consulting work with relevant stakeholders, who are potentially exposed to these hazards and risks, to determine the likelihood and consequence of each risk allowing a Risk Register (or similar) to be developed. Controls are discussed and documented, then consultation with workers occurs, to ensure all hazards and risks are identified and controlled.
Once controls have been documented, a cross check against applicable OH&S legislation is conducted, to ensure that all controls cover legal requirements for each hazard and risk. Controls can include changes to processes, guarding on machines, issued and worn PPE etc.
3. Create a Risk-based Internal Audit Schedule/Plan
Once all hazards and risks are identified and risk assessed, and documented controls are captured, a clear picture of risk control priorities can be established. This is the time to create an internal audit plan or internal audit schedule. This process ensures that higher risks, which pose a more likely threat of injury or ill health, can be targeted to be “checked/audited” more often. For example, if an organisation’s manual handling processes are risk assessed as “high-risk”, then the controls for these processes can be scheduled to be “audited more often”. This is what is often referred to as a “risk-based” internal audit plan or internal audit schedule.
4. Develop Custom-made OH&S Internal Audit Tools
Now that we have identified applicable OH&S legal requirements, conducted risk assessments and control allocations for hazards, and developed an internal audit plan/schedule, we have arrived at the point where custom-made OH&S internal audit tools can be developed. This involves revisiting the OH&S legislation we looked at in step 1, identifying “what the law” requires for hazard controls, and documenting this in a custom-made OH&S internal audit tool. For example, if the local WH&S Regulations (or other applicable legal standard) state in Regulation 42 that a PCBU (Person Conducting a Business or Undertaking) must provide sufficient first aid equipment, then we can create a question in our custom-made OH&S internal audit tool that asks this, whilst also capturing the reference to the legal requirement. See the example below of what this may look like:

Once the custom-made OH&S internal audit tool has captured applicable OH&S legal requirements, we can also add in any other applicable controls which the organisation may deem necessary for its processes. For example, maybe a first aid kit is required in the workers’ lunch room.

The idea is, the custom-made OH&S internal audit tool is capturing:
- Questions to ensure we are checking directly against the legal requirements for that topic/hazard, and
- Questions to ensure we are checking directly against any other internal requirement the organisation has deemed as necessary to be in place.
5. Conduct OH&S Internal Audits
Now we have developed custom-made OH&S internal audit tools, we can go back to our internal audit plan/schedule we talked about in step 3, and plan to start conducting these OH&S internal audits. This involves visually assessing the workplace, and controls that are in place for specific topics/hazards.
As we conduct these OH&S internal audits, we can allocate the findings for each question as follows:
- OK – Meets requirements
- OFI – Opportunity for Improvement identified
- NC – Nonconformance identified
- NA – Not Applicable
It is also recommended to write a short sentence describing the evidence sighted, and also use pictures as evidence where possible:

6. Log OH&S Internal Audit Findings
Now that we have conducted the OH&S internal audit, it is time to log all the findings (i.e. nonconformances, opportunities for improvement etc.) at the end of the OH&S internal audit report. This can include areas that clearly breach OH&S legislation or internal requirements, or just an error we deem an “opportunity for improvement”. See the below examples:

This process of logging all the findings is how we can “evaluate compliance” with relevant OH&S legislation or internal requirements, and improve it by addressing these findings. As you will see above, this example found that the forklift had not been serviced in the last 12 months, raising a nonconformance in this OH&S internal audit. After raising this issue, a responsible person can be allocated to ensure that the forklift is serviced, thus closing this issue out and raising the compliance level of the organisation.
This approach achieves multiple benefits for organisations:
- It ensures they meet the requirements of ISO 45001 certification, Clause 9.1.2, Evaluation of compliance;
- It allows business owners to have confidence they are providing a safe place of work, which is legally compliant, and
- It provides valuable records for tender submissions, which bring confidence to current and potential new clients.
Our consultants at S & J Auditing & Consulting are specialists in supporting organisations in this process, so reach out to us, to find out more!
