ISO 45001:2018 is the international standard for occupational health and safety (OH&S) management systems. It replaced OHSAS 18001 and provides a framework for organizations of all sizes to proactively manage workplace safety. The standard emphasizes leadership commitment, worker participation and a systematic, risk-based approach to prevent injuries and illnesses. By requiring organizations to identify hazards and assess OH&S risks (and opportunities) in all operations, ISO 45001 helps ensure that potential safety issues are addressed before incidents occur. In practice, certification to ISO 45001 demonstrates that an organization has an effective safety management system focused on continual improvement of worker well-being.
ISO 45001 is structured on the “Plan-Do-Check-Act” cycle. Hazard identification and risk assessment (HIRA) fall under the “Plan” phase. Clause 6.1.2 of the standard mandates an ongoing process to identify hazards and evaluate the corresponding risks in every work activity. The results of HIRA feed into planning (setting OH&S objectives and controls) and drive the implementation of safety measures and monitoring. In short, HIRA is the foundation of the ISO 45001 management system: it supplies the data needed to prioritize controls and to track safety performance over time.
Hazard Identification and Risk Assessment (HIRA) is the combined process of finding potential sources of harm (hazards) and evaluating the likelihood and severity of injury or illness that they could cause. In ISO 45001, organizations must establish and maintain an ongoing, proactive hazard identification process (Clause 6.1.2.1) and a corresponding risk assessment process (Clause 6.1.2.2). Hazards encompass any condition, substance, activity or human factor with the potential to cause harm. Risks are the estimated severity of harm multiplied by the probability that harm will occur. Together, HIRA produces a prioritized list of safety risks that the organization must manage.
The ISO standard requires that hazard identification be comprehensive and continuous. Organizations must consider all aspects of their work, including routine operations, maintenance and non-routine activities (such as cleaning, repairs or emergencies). The process should cover: the work environment (equipment, materials, infrastructure, climate); the design and arrangement of processes; how tasks are performed; and human factors (workload, shift patterns, competence, supervision, culture). It also explicitly includes all people at or affected by the workplace – workers, contractors, visitors, commuters near the site, and even employees working off-site. Any changes to processes, new equipment or substances, and external conditions (e.g. regulatory changes or industry guidance) must trigger fresh hazard reviews.
Risk assessment follows hazard identification. For each hazard identified, the organization estimates: (a) the likelihood of an incident (e.g. frequency of exposure, number of people exposed, effectiveness of current controls) and (b) the severity of potential consequences (e.g. minor injury versus fatality or chronic illness). These factors are then combined, often using a risk matrix or scoring system, to produce an overall risk rating (for example: low, medium, high). Critically, ISO 45001 requires that existing control measures be taken into account during this assessment: an effective guard, procedure or PPE reduces the calculated risk level.
The organization defines its own risk acceptance criteria (based on its context, legal obligations and risk appetite), which guides which risks must be reduced. High-priority risks are then treated through the hierarchy of controls (elimination, substitution, engineering and administrative controls, PPE) until residual risk is as low as reasonably practicable (ALARP). The entire HIRA process – methods, criteria and results – must be documented and kept up to date as part of the OH&S management system (ISO 45001 Clause 7.5 and 6.1.2 requirements).
ISO 45001 mandates that all relevant types of hazards be identified in the workplace. Common hazard categories include:
Each hazard type should be considered in the context of all workplace activities – administration, design, production, maintenance, etc. For example, office work has ergonomic and psychosocial hazards, while manufacturing has many physical and chemical hazards. Effective HIRA programs categorize hazards systematically to ensure none (especially subtle ones like psychosocial factors) are overlooked.
Hazard identification employs multiple methods and tools. No single approach suffices; together they ensure a thorough scan of the workplace. Common techniques include:
Combining these tools makes hazard identification robust. For example, an organization might review SDS and processes to list chemical hazards, then conduct a walkthrough using a checklist, and follow up with JHAs for critical tasks. OSHA guidance specifically recommends collecting existing information, conducting inspections, analyzing nonroutine tasks and emergency scenarios, and consulting workers to identify hazards. All identified hazards should be recorded (e.g. in a hazard log or register) for assessment.
Once hazards are identified, the organization analyzes OH&S risks. Risk assessment is systematic: for each hazard, estimate (i) Likelihood of a harmful event (frequency/chance of occurrence) and (ii) Consequence/Severity of the outcome if it occurs. Likelihood may be rated on a scale from “Rare” to “Almost Certain” and Severity from “Insignificant” to “Catastrophic”. These scales should be clearly defined in the risk procedure for consistency. Existing controls (guards, procedures, training) must be factored in: they reduce the effective likelihood and/or severity.
The most common risk assessment tool in ISO 45001 contexts is a Risk Matrix. In a risk matrix, likelihood and severity scores are combined (often by multiplication or lookup table) to yield a risk level (e.g. Low/Medium/High or a numeric score). For example, a “Possible” (3) likelihood and “Major” (4) severity might give a risk score of 12, which could be categorized as “High” risk depending on the matrix thresholds. Organizations tailor their matrix criteria to their industry and risk appetite. The risk assessment methodology (matrix format, scoring rules and categories) must be documented and applied systematically to all hazards.
In addition to qualitative matrices, some organizations use semi-quantitative methods (e.g. assigning numerical values to likelihood/frequency and consequence or calculating exposure times and dose). However, the underlying concept remains: high-probability and high-consequence hazards are ranked highest. Once risks are assessed, hazards are prioritized so that controls can be applied to the most significant ones first. ISO 45001 requires that risk assessment be proactive: risks should be identified and treated before an incident occurs, rather than waiting for accidents to prompt action.
The risk assessment must also account for legal and regulatory context. Many jurisdictions mandate hazard assessment, specific risk controls, and maintenance of risk assessment records. For example, workplace safety laws often require written risk assessments for chemical exposures or hazardous processes. ISO 45001 expects organizations to stay current with legal requirements (Clause 6.1.3) and to factor those obligations into risk evaluation. If regulations set exposure limits or prohibit certain practices, the risk assessment must treat compliance failure as an unacceptable risk. Some companies adopt concepts like “As Low As Reasonably Practicable” (ALARP) to ensure they go beyond mere legal compliance if necessary.
Finally, after scoring, risk treatment plans are developed. High and medium risks get controls applied (hierarchy of controls), and residual risk is re-evaluated. Documentation of the risk assessment should include: the hazard description, likelihood, severity, risk score, existing controls, and recommended additional controls. All risk assessment results become part of the organization’s OH&S records. ISO 45001 calls for maintaining documented information on risk assessment methodology and results.
An essential requirement of ISO 45001 is worker participation and consultation in all aspects of the OHS management system, especially HIRA. Those closest to the work often know where hazards hide. Involving workers in hazard identification and risk assessment improves accuracy and acceptance of safety measures. Consultation mechanisms can include safety committees, joint hazard review teams, toolbox meetings, surveys and suggestion programs. For example, involving machine operators in a JSA can reveal operational nuances that might be missed by outside consultants.
In practice, effective worker involvement means: giving employees channels to report hazards or near-misses without fear; involving them in inspections and incident investigations; and consulting them whenever changes are planned (new equipment, processes, organizational restructuring). ISO 45001 (Clause 5.4) actually requires organizations to ensure that worker representatives participate in decision-making on safety. This participation should be meaningful: organizations should train workers on hazard recognition and encourage open dialogue.
The benefits are clear: workers who help identify hazards are more likely to follow controls, and diverse input can surface issues that managerial staff may overlook. Involving employees also fosters a positive safety culture. For instance, many companies tie hazard reporting to recognition programs or corrective action meetings, making safety a shared responsibility. Lack of participation is a common reason HIRA fails to capture psychosocial or process-related hazards. Thus, structured consultation (through committees or designated safety representatives) is a best practice under ISO 45001.
Hazard identification and risk assessment should not be a stand-alone activity; it must be woven into every element of the OHS management system. In the planning phase (Clause 6), HIRA outputs inform the setting of OH&S objectives and targets – for example, reducing the highest-rated risks by a certain percentage. In the “Do” phase, operational controls are derived directly from HIRA: work procedures, safe operating instructions, and training programs are designed around identified hazards and required risk controls. For instance, if a risk assessment finds a high risk from welding fumes, the organization might implement improved ventilation and include fume handling in SOPs and training.
Moreover, HIRA is tied to Management of Change. Whenever a process, substance or organizational change is planned, the change management process should require a hazard/risk re-evaluation before approval. This ensures that new hazards do not slip into production unassessed. This is explicitly required by ISO 45001 Clause 6.1.2.1(7), which calls for considering proposed changes in hazard identification.
In terms of the broader OHSMS, the hazard/risk assessment procedure itself should be documented in the safety manual or quality system (Clause 7.5). The organization should define responsibilities (e.g. who leads HIRA, who participates) and the timing (periodic, or triggered by events). HIRA findings become inputs to performance evaluation: leading indicators (e.g. number of hazards identified or risk controls implemented) and lagging indicators (incident rates) are tracked to evaluate if risk management is effective. Internal audits (Clause 9.2) must check that hazard identification and risk assessment processes are in place and being followed. Management review meetings (Clause 9.3) should examine the current risk profile and progress on risk mitigation as part of strategic oversight.
Integrating HIRA also means linking with other systems. For example, many organizations integrate OH&S risk assessment with environmental (ISO 14001) and quality (ISO 9001) risk registers, especially if risks overlap (e.g. a chemical spill is both safety and environmental). All risk-related documentation (hazard registers, assessment reports, corrective action logs) should be controlled and updated as part of the OH&S documentation system. In effect, HIRA forms the core of the “Plan” phase in PDCA, and its outputs cascade throughout the OHSMS to ensure a systematic approach to safety.
ISO 45001 requires that the results of HIRA be documented and kept current. This means maintaining a hazard/risk register or equivalent records where each identified hazard, risk rating and associated controls are logged. These documents are subject to the same controls as other official records (per Clause 7.5): they must be reviewed and retained appropriately. The standard also mandates keeping documented information on the methodology and criteria used for risk assessment.
Review of HIRA is an ongoing process. Hazard identifications and risk assessments should be reviewed periodically (e.g. annually or semi-annually) and whenever there is a change in operations, a significant incident, or new information (such as changes in law or technology). Many organizations incorporate HIRA into their incident investigation and management review actions: after an accident, the root-cause hazard is added or reassessed in the register. Internal audits of the OH&S system typically include reviewing a sample of risk assessments for completeness and accuracy.
Effective practice is to create a feedback loop: controls implemented are monitored (through inspections or health surveillance), and if controls fail or near-misses occur, risk levels are updated. Continual improvement is emphasized – the organization should refine its hazard identification techniques (perhaps adding new checklists or data sources) and risk criteria over time. Some use software-based risk management tools to ensure version control and ease of updating assessments. Ultimately, the documentation and review process ensures that HIRA does not become stale: it remains a living part of the management system that adapts with the workplace.
By combining a structured approach with engaged people and continual refinement, organizations can overcome challenges and make HIRA an effective, integrated part of their OH&S management system. ISO 45001’s emphasis on documented processes and worker involvement provides a roadmap: when followed rigorously, it leads to better hazard awareness, lower risks, and a safer workplace.