OSH Risk Assessment Methodologies
Introduction
To effectively relate the concept of Occupational Safety and Health (OSH) Management System with OSH Risk Assessment Methodologies, it is essential to integrate the organizational context, relevant issues, interested parties, and the actions taken to address risks and opportunities as part of a structured approach aligned with ISO 45001:2018. This explanation is designed for OSH Management System Lead Auditor Training, providing a comprehensive link between top-level management system requirements and practical risk assessment execution.
1. Understanding the Organization and Its Context
Clause 4.1 of ISO 45001 emphasizes that an organization shall determine external and internal issues that are relevant to its purpose and affect its ability to achieve the intended outcomes of the OH&S management system.
Relevance to OSH Risk Assessment:
- Internal and external issues such as workforce skill levels, availability of resources, regulatory changes, climate conditions, and technological advancements directly influence the nature and severity of workplace hazards.
- For example, an organization operating in a high-heat environment must factor heat stress as a contextual issue in risk assessments.
- Risk methodologies must be dynamic and reflect the evolving context in which the organization operates.
Auditor Insight:
Auditors must assess whether the organization has:
- Identified contextual factors that influence OSH risks.
- Regularly reviewed these factors as part of risk assessment updates.
2. Understanding the Needs and Expectations of Workers and Other Interested Parties
Clause 4.2 requires identifying workers and other interested parties (e.g. contractors, regulators, suppliers, local communities) and their relevant needs/expectations.
Relevance to OSH Risk Assessment:
- Interested parties influence risk acceptance criteria, control implementation, and legal compliance.
- Workers may express concerns over manual handling tasks, triggering ergonomic risk assessments.
- Contractors may require specific hazard communication protocols that must be incorporated into the risk assessment framework.
Auditor Insight:
- Ensure the risk assessment process includes consultation and participation of workers.
- Evaluate how the organization has converted stakeholder needs into measurable risk control actions.
3. Hazard Identification and Assessment of Risks and Opportunities
Clause 6.1.2 outlines a methodical approach to identify hazards, assess risks, and identify opportunities to enhance OH&S performance.
Integration with Risk Assessment Methodologies:
A comprehensive risk assessment must consider:
- Routine and non-routine activities
- Emergency situations
- People with access to the workplace (contractors, visitors)
- Human factors and organizational culture
- Changes in knowledge or legislation
Risk Assessment Tools Commonly Used:
- HIRARC (Hazard Identification, Risk Assessment and Risk Control) – Malaysia’s preferred method.
- JSA (Job Safety Analysis)
- FMEA (Failure Mode and Effects Analysis)
- Bowtie Analysis
Auditor Insight:
- Verify that hazard identification aligns with legal, operational, and behavioral aspects.
- Confirm that risk matrices or ranking methods are consistent and relevant to actual work conditions.
4. Actions to Address Risks and Opportunities
Once hazards are identified and assessed, Clause 6.1 requires the organization to determine actions to address risks and opportunities—with the goal of:
- Ensuring the OH&S system achieves its intended outcomes.
- Preventing or reducing undesired effects.
- Continual improvement of OH&S performance.
Link to OSH Management System:
- This is where risk assessment results translate into operational controls, training, PPE provision, work redesign, emergency planning, etc.
- Opportunities may include new safety technologies, automation, or behavioral safety programs.
Auditor Insight:
- Confirm linkage between risk register → control actions → monitoring & review → continual improvement.
- Evaluate whether the actions taken are proportionate to the level of risk.
Integration of Clauses:
| Element | Audit Focus | Risk Assessment Integration |
| --- | --- | --- |
| Context of the Organization | Review internal/external factor register | Assess if risk assessments address changing context |
| Interested Parties | Stakeholder mapping and expectations log | Check if risk evaluations incorporate stakeholder inputs |
| Hazard Identification | Process walkthroughs, HIRARC reviews | Verify coverage of routine/non-routine/emergencies |
| Addressing Risks & Opportunities | Action plans, control implementation records | Link controls directly to assessed risk priority |
Summary for OSH Lead Auditors:
- Auditors must evaluate both the process and substance of risk assessment practices.
- Risk methodologies must not be generic—they must be context-driven, worker-informed, and strategically aligned with OH&S objectives.
- The integration of Clause 4 and Clause 6 of ISO 45001 into risk assessment ensures a living system that evolves with organizational dynamics.
Hazard Identification & Risk Control Measures
This section integrates the requirements of ISO 45001:2018 with practical methodologies used in Malaysia, such as HIRARC, while also aligning with the upcoming ICOP on OSH Risk Management 202X (DRAFT). This ensures comprehensive alignment between compliance, risk control practices, and effective auditing.
1. The Core of Hazard Identification and Risk Control
Definition:
Hazard Identification is the process of recognizing sources, situations, or acts with a potential to cause harm in terms of injury or ill health. Risk Control Measures are actions taken to eliminate hazards or reduce the risk to an acceptable level.
2. Integration into the OSH Management System (ISO 45001:2018)
Clause 6.1 – Actions to Address Risks and Opportunities
ISO 45001 emphasizes a proactive, process-based approach to managing hazards through:
- Understanding hazards from both routine and non-routine activities
- Assessing risk severity and likelihood
- Establishing controls within the hierarchy (elimination to PPE)
- Identifying opportunities for OSH improvements
Key Auditing Insight:
Ensure hazard identification is not limited to physical hazards. It should include human factors, organizational culture, ergonomics, psychosocial risks, and potential emergencies.
3. Malaysia’s Application: HIRARC as Primary Risk Assessment Tool
References:
- Risk Assessment Concept in Malaysia
- NIOSH HIRARC Journal
✅ HIRARC Breakdown:
- Hazard Identification: Visual observation, walkthroughs, SOP review
- Risk Assessment:
  - Likelihood (L) x Severity (S) = Risk Rating (R)
  - Categorization: Low, Medium, High
- Risk Control: Apply Hierarchy of Control:
  - Elimination
  - Substitution
  - Engineering controls
  - Administrative controls
  - PPE
Enhanced Learning (NIOSH 2023 Journal):
Encourages worker participation and knowledge retention via collaborative hazard identification.
Supports ISO 45001 Clause 5.4 on worker participation.
Tips:
Check whether HIRARC documentation is activity-specific, regularly updated, and whether controls applied follow the correct hierarchy and justification.
4. New Developments: ICOP on OSH Risk Management 202X (DRAFT)
DOSH Draft ICOP
This forthcoming Industry Code of Practice (ICOP) will reinforce risk assessment governance:
- Introduces the requirement for registered competent persons to conduct HIRARC.
- Reinforces the legal status of risk control prioritization.
- Clarifies sectoral requirements, including for SMEs, construction, and services.
Auditor Consideration:
- Evaluate whether the organization is preparing to comply with ICOP 202X.
- Check if their HIRARC complies with upcoming legal expectations (e.g., registered risk assessors).
5. Applying Hazard Identification & Risk Control Techniques
| Technique | Use Case | Aligned Clause (ISO 45001) |
| --- | --- | --- |
| Walkthrough Surveys | Physical hazard identification | 6.1.2.1(a) |
| Job Safety Analysis (JSA) | Task-based analysis | 6.1.2.1(b) |
| Checklist & Audits | Routine compliance | 9.2 |
| HAZOP / Bowtie Analysis | High-risk processes | 8.1.2 |
| Incident Investigations | Historical hazard mapping | 10.2 |
Auditors should assess whether the control measures implemented are:
- Risk-prioritized
- Supported by corrective actions
- Monitored for effectiveness under Clause 9.1
6. From Risk Rating to Control Decision-Making
Example Table from HIRARC
| Hazard | Risk | L | S | R = L x S | Control |
| --- | --- | --- | --- | --- | --- |
| Falling object | Injury to head | 4 | 4 | 16 (High) | Install guard, PPE (helmet), warning sign |
| Manual lifting | Back strain | 3 | 3 | 9 (Medium) | Redesign task, training |
Auditor Questioning Technique:
- “Can you justify why substitution was not chosen before applying PPE?”
- “Is this risk reassessed after an incident or operational change?”
7. Linking Control Measures with Continual Improvement
As Per Clause 10.3 (Continual Improvement):
- Risk control effectiveness must be monitored, evaluated, and improved.
- Organizations must demonstrate that lessons learned from near-misses, audits, and worker feedback are reintegrated into risk control planning.
Summary for OSH Management System Lead Auditor Perspective
| Element | What to Check as Lead Auditor |
| --- | --- |
| Hazard Identification | Full coverage (physical, psychological, routine/non-routine) |
| Risk Assessment | Appropriate method (HIRARC/JSA), documented, justified |
| Control Measures | Aligned with the Hierarchy of Control, risk-prioritized |
| Monitoring & Review | Evidence of review, update after incidents/changes |
| Legal Alignment | Preparedness for ICOP 202X, compliance with OSHA 1994 and ISO 45001 |