Workplace Hazard Identification and Risk Assessment Under ISO 45001

ISO 45001 Clause 6.1.2

Identify hazards proactively across routine and non-routine work, then assess and control the resulting risks.

ISO 45001 Clause 6.1.2 - Hazard Identification and Assessment of Risks and Opportunities

ISO 45001:2018 Clause 6.1.2 is the operational heart of the standard. The clause requires the organisation to establish, implement and maintain processes for ongoing and proactive hazard identification, the assessment of OH&S risks and other risks, and the assessment of OH&S opportunities and other opportunities.

The clause is divided into three sub-clauses: 6.1.2.1 Hazard identification, 6.1.2.2 Assessment of OH&S risks and other risks, and 6.1.2.3 Assessment of OH&S opportunities and other opportunities.

Clause 6.1.2.1 - Hazard Identification

The hazard identification process must be ongoing and proactive. The standard sets out specific things the process must take into account: how work is organised, including social factors such as workload, working hours, victimisation, harassment and bullying; routine and non-routine activities, including hazards arising from infrastructure, equipment, materials, substances and physical conditions; product and service design, research, development, testing, production, assembly, construction, service delivery, maintenance and disposal; human factors and how the work is performed; past incidents that are relevant, internal or external to the organisation; potential emergency situations; people with access to the workplace including workers, contractors and visitors, and people in the vicinity affected by the activities; and workers at locations not under the direct control of the organisation.

The breadth of this list is deliberate. ISO 45001 expects the organisation to think about hazards from many angles - not just physical hazards in the immediate workplace but social factors like bullying, hazards affecting contractors and visitors, hazards arising from changes in technology or design, and hazards that emerge when workers operate at client sites.

Clause 6.1.2.2 - Assessment of OH&S Risks and Other Risks

Once hazards have been identified, the organisation assesses the OH&S risks arising from them, taking into account the effectiveness of any existing controls. The methodology is not prescribed - qualitative scoring, quantitative analysis or a hybrid approach are all acceptable. The risk assessment must be appropriate to the nature of the hazard and proportionate to the level of risk.

The assessment must consider risks under both routine and non-routine conditions. A printing line operating normally has different risks from the same line during a paper jam clearance or a maintenance shut-down. Both conditions need to be considered.

Clause 6.1.2.3 - Assessment of OH&S Opportunities and Other Opportunities

Opportunities are the flip side of risks. The clause requires the organisation to assess opportunities to enhance OH&S performance - for example by introducing new technology, redesigning a process, or extending consultation arrangements. It also covers opportunities to improve the OH&S management system itself.

The Hierarchy of Controls

The hierarchy of controls is the foundation of how OH&S risks should be controlled under ISO 45001. The clause requires the organisation to apply controls in the following order: eliminate the hazard, substitute with less hazardous processes, use engineering controls and reorganise the work, use administrative controls including training, and use personal protective equipment as the last line of defence. PPE is always the last resort, never the first.

The hierarchy is not a menu to choose from - it is a sequence to work through. Where elimination is reasonably practicable, eliminate. Where elimination is not reasonably practicable, substitute. And so on down the hierarchy until the level of residual risk is acceptable.

Hazard identification has to be proactive, not reactive. The standard is clear about this. It is not enough to wait for an accident and then identify the hazard that caused it. The process needs to find hazards before they cause harm.

For most organisations the practical approach is a combination of risk assessments for the planned activities, daily and weekly inspections to spot new hazards, near miss reporting to capture hazards that have not yet caused harm, and regular reviews when activities change. The list at 6.1.2.1 is the prompt - if any of those topics have not been considered, add them.

The hierarchy of controls is the rule that catches people out. Many organisations jump straight to PPE. The standard says PPE is the last resort, not the first. If the hazard can be eliminated by changing the equipment or substance, do that. If it cannot, look at engineering controls before administrative ones.

The other thing the standard pushes is non-routine activities. Most workplaces are safe when running normally. The accidents happen during start-up, shut-down, maintenance, breakdown clearance and emergency response. Cover those.

I sample risk assessments and ask how they were derived. I check that the hazards identified cover the spread the standard asks for - including the social factors that organisations sometimes miss. I also check that the controls applied follow the hierarchy. If a risk assessment lists PPE as the only control with no consideration of elimination or substitution, I will challenge it.

Practical Compliance Guidance

The IMS1 Manual sets out the hazard identification and risk assessment process. Section 6.1.2 covers the methodology, the inputs from the standard, and the application of the hierarchy of controls.

The following alphaZ documents support compliance with ISO 45001:2018 Clause 6.1.2.

| alphaZ document | How to use it |
| --- | --- |
| ISO 45001 Toolkit | The full set of documents for ISO 45001 compliance, including the hazard register and risk assessment templates. |
| ER14 Hazard Risk Assessment Register | Records the hazards identified across the organisation alongside the risk assessments completed for each. |
| ER18 Accident Statistics | Captures past incidents and near misses that feed back into proactive hazard identification. |

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

It means looking for hazards before they cause harm, not waiting for incidents to highlight them. Inspections, risk assessments before new activities start, near miss reporting, regular safety walks and consultation with workers are all proactive sources. Reactive sources such as accident investigation are still valuable but should not be the main way hazards are identified.
Because the standard takes a broad view of OH&S that includes psychosocial hazards. Workload pressure, working hours, harassment, bullying and victimisation can all cause physical and mental harm to workers. Including them at Clause 6.1.2.1 makes clear that they sit alongside physical hazards in the hazard identification process.
Yes. Clause 8.1.2 requires the organisation to apply the hierarchy of controls when establishing controls for OH&S risks. The order is fixed: eliminate, substitute, engineering controls, administrative controls, PPE. The organisation works down the hierarchy and uses controls from a lower level only when higher levels are not reasonably practicable.
Yes. The standard explicitly requires the organisation to consider workers at locations not under its direct control. For service-based businesses where staff work at client sites, the process must include those locations - typically through pre-visit risk assessments and reliance on client risk information.

UK Legislation

The following UK legislation underpins hazard identification and risk assessment for organisations operating in the UK. Organisations outside the UK should identify equivalent legislation in their jurisdiction.
