Why Hazard Identification and Risk Assessment Is the Core of ISO 45001
If you are working towards ISO 45001 certification, or trying to maintain it, the hazard identification and risk assessment process is not just a box to tick. It is the foundation that everything else in your occupational health and safety management system sits on. Get this right, and the rest of the standard becomes much easier to implement. Get it wrong, and no amount of polished documentation will save you when an auditor starts asking questions.
ISO 45001 requires organisations to proactively identify hazards, assess the associated risks, and put controls in place before incidents happen. This is a significant shift from older approaches that were largely reactive. The standard, published by the International Organization for Standardization, is built around preventing harm rather than just responding to it.
This guide walks you through the entire process in practical terms, from identifying what could go wrong to documenting your findings in a way that satisfies an auditor. Whether you are a safety manager, a business owner, or someone who has just been handed the responsibility of building your organisation's OHS system, this is where to start.
Understanding What the Standard Actually Requires
Before jumping into the how, it helps to understand the what. ISO 45001 addresses hazard identification and risk assessment primarily under Clause 6.1, which covers planning for the OH&S management system. Specifically, Clause 6.1.2 requires organisations to establish, implement, and maintain a process for hazard identification on an ongoing basis.
The standard is deliberate about the word “ongoing.” This is not a one-time exercise you do before certification and then file away. It needs to happen when you introduce new equipment, change work processes, hire new workers, respond to incidents, or when workers themselves raise concerns.
Clause 6.1.2.2 then requires you to assess the OH&S risks associated with the identified hazards. You need to evaluate these risks taking into account existing controls, and then determine whether further action is needed. The output of this process feeds directly into your planning for control measures under Clause 6.1.4.
If you are new to the standard, the ISO 45001 beginner's guide on CertBetter provides a solid overview of the full structure before you dig into the specifics here.
Step 1: Define the Scope of Your Hazard Identification Process
The first practical step is deciding what you are looking at. Your hazard identification process needs to cover all activities, locations, workers, and situations within the scope of your OH&S management system. That includes office workers, field workers, contractors, visitors, and anyone else who could be affected by your operations.
What to include in your scope
- Routine tasks that happen every day, such as operating machinery, driving vehicles, or handling chemicals
- Non-routine tasks such as maintenance, shutdowns, emergency responses, or infrequent procedures
- Remote or lone working situations
- Tasks performed by contractors or labour hire workers on your premises
- Psychological and psychosocial hazards, which are increasingly expected under modern OHS frameworks and are specifically addressed in ISO 45003
- Hazards arising from the physical work environment, including noise, heat, lighting, and ergonomics
A common mistake is limiting hazard identification to the most obvious physical risks and ignoring things like fatigue, workplace violence, or the psychological impact of high-pressure work environments. Auditors are increasingly focused on these areas, and the standard explicitly expects you to consider them.
Step 2: Choose Your Hazard Identification Methods
There is no single prescribed method in ISO 45001 for identifying hazards. The standard gives you flexibility, but it expects you to use a systematic approach that is appropriate for your industry and the nature of your work.
Common methods used in practice
Job Safety Analysis (JSA) or Job Hazard Analysis (JHA): You break down a task into individual steps and identify the hazards associated with each step. This works well for high-risk tasks and is particularly useful in construction, manufacturing, and field operations.
Workplace inspections: Regular physical walk-throughs of your work areas with a structured checklist. These are practical and visible to workers, which also helps with engagement.
Incident and near-miss analysis: Reviewing past incidents, near misses, and first aid records to identify recurring hazard patterns. If something has nearly gone wrong before, it is a hazard worth documenting.
Worker consultation: Talking directly to the people doing the work. Workers often know about hazards that management never sees. ISO 45001 places significant weight on worker participation, and this is one of the most practical ways to fulfil that requirement.
Equipment and material reviews: Reviewing safety data sheets, equipment manuals, and manufacturer guidelines to identify hazards associated with specific substances or machinery.
For most organisations, a combination of these methods gives the most complete picture. A manufacturing business might use JSA for high-risk tasks, monthly workplace inspections, and quarterly worker consultation sessions. A professional services firm might rely more on ergonomic assessments, psychosocial risk surveys, and incident reporting.
Step 3: Document Your Hazards in a Hazard Register
Once you have identified hazards, you need to record them somewhere. This is typically called a hazard register, a risk register, or a hazard and risk register. The format matters less than the content, but your register needs to be accessible, kept up to date, and actually used.
What to capture for each hazard
- A clear description of the hazard
- The task, activity, or location where the hazard exists
- Who could be harmed and how
- Existing controls already in place
- The risk rating after considering existing controls
- Any additional controls required
- Who is responsible for implementing additional controls
- Target completion date for any outstanding actions
Keep the descriptions specific. “Working at heights” is a hazard category, not a hazard. “Worker falling from an unsecured scaffold during facade installation at heights above 3 metres” is a hazard. The more specific you are, the more useful the register becomes as a working document rather than just a compliance artefact.
Step 4: Assess the Risk Associated With Each Hazard
Risk assessment is where you evaluate how serious each identified hazard is. The standard does not prescribe a specific risk assessment methodology, but most organisations use a likelihood and consequence matrix, often called a risk matrix.
Using a risk matrix
A risk matrix plots the likelihood of a hazard causing harm against the severity of the potential consequence. You assign a score to each dimension and multiply or combine them to get an overall risk rating. Common scales run from 1 to 5 for both likelihood and consequence, giving you a risk score that falls into categories such as low, medium, high, or extreme.
For example, a chemical spill hazard in a storage area might be assessed as follows. Likelihood: it could realistically happen a few times per year without controls, so a score of 3. Consequence: exposure could cause serious injury requiring hospitalisation, so a score of 4. Combined risk score: 12, which falls in the high category. That rating tells you this hazard needs significant controls and should be a priority.
Considering existing controls
An important nuance here is that your initial risk rating should reflect the risk with existing controls in place, not the inherent risk with no controls at all. Some organisations rate the inherent risk first, then the residual risk after controls, which gives you a fuller picture of how much your current controls are reducing risk. Either approach is acceptable as long as you are consistent and your auditor understands what you have documented.
If you want to understand how risk assessment principles apply more broadly across management systems, the ISO 31000 guide on CertBetter is worth reading alongside this process.
Step 5: Apply the Hierarchy of Controls
Once you have assessed the risk level of each hazard, you need to determine what controls are appropriate. ISO 45001 expects you to apply the hierarchy of controls, which is a structured approach to selecting the most effective risk reduction measures.
The hierarchy from most to least effective
- Elimination: Remove the hazard entirely. If you can redesign a process so the hazard no longer exists, this is always the preferred option. For example, replacing a solvent-based cleaning process with a water-based one eliminates the chemical exposure hazard.
- Substitution: Replace the hazard with something less dangerous. Using a less toxic chemical, a lighter tool, or a lower-voltage piece of equipment are all substitution controls.
- Engineering controls: Physical changes to the work environment or equipment that reduce exposure to the hazard. Guards on machinery, ventilation systems, noise enclosures, and automated lifting equipment all fall here.
- Administrative controls: Changes to how work is organised or performed. Job rotation to reduce repetitive strain exposure, permit-to-work systems for high-risk tasks, and safe work procedures are all administrative controls.
- Personal protective equipment (PPE): The last line of defence. Hard hats, safety glasses, hearing protection, and respirators reduce the impact of a hazard on the individual but do nothing to reduce the hazard itself.
A common mistake is jumping straight to PPE because it is cheap and easy to implement. Auditors know this, and they will look for evidence that you have genuinely considered higher-order controls before defaulting to “provide PPE and train workers.” Your risk register and control selection rationale should show that you have worked through the hierarchy.
Step 6: Involve Your Workers in the Process
Worker participation is not optional under ISO 45001. Clause 5.4 requires organisations to consult and involve workers in the development, planning, implementation, and evaluation of the OH&S management system. That includes the hazard identification and risk assessment process.
In practice, this means more than sending out a survey. It means genuinely involving workers in hazard identification walk-throughs, getting their input on risk ratings, and making sure they have a real say in what controls are selected. Workers who feel their input is valued are also far more likely to follow safe work procedures and report new hazards when they arise.
Document your consultation activities. Keep records of toolbox talks where hazards were discussed, meeting minutes from safety committee meetings, and any formal consultation processes. This documentation becomes important evidence during your certification audit.
For more on how to build genuine worker engagement into your ISO 45001 implementation, see the CertBetter article on how to get worker participation in ISO 45001 implementation.
Step 7: Review and Update Your Hazard Register Regularly
Your hazard register is not a document you create once and forget about. ISO 45001 requires your hazard identification and risk assessment process to be ongoing. There are specific triggers that should prompt a review.
When to review your hazard register
- Before introducing new equipment, substances, or work processes
- After any workplace incident, near miss, or dangerous occurrence
- When workers raise new hazard concerns
- When there are changes to legislation or regulatory requirements
- When your organisation changes structure, location, or the nature of its work
- At scheduled intervals, typically annually at a minimum
The scheduled review is a minimum, not a maximum. In high-risk industries like construction, mining, or manufacturing, hazard registers may need to be reviewed much more frequently, sometimes before each new work phase or project stage.
What Auditors Look for During Certification
When your certification auditor reviews your hazard identification and risk assessment process, they are looking for evidence of a few key things. Understanding what they want to see helps you prepare more effectively.
First, they want to see that your process is systematic and documented, not ad hoc. A well-structured hazard register with clear ratings, controls, and ownership is strong evidence of a functioning system.
Second, they will look for evidence that workers have been genuinely consulted, not just informed after the fact. Meeting records, toolbox talk sign-in sheets, and documented feedback from workers all support this.
Third, they will check that your control measures follow the hierarchy of controls and that higher-order controls have been genuinely considered. If every hazard in your register has “provide PPE” as the only control, expect a nonconformance.
Fourth, they will look for evidence that the process is ongoing. If your hazard register was last updated two years ago and there have been changes to your operations since then, that is a problem. Dated review records and version control on your documents help demonstrate currency.
If you are preparing for your audit and want to understand what the broader audit process involves, the article on 10 things to do before an ISO Stage 2 certification audit covers the preparation process in detail.
Common Mistakes to Avoid
Across the many OHS management systems reviewed over the years, the same mistakes come up repeatedly. Here are the ones most likely to cause problems during your certification audit.
- Generic hazard descriptions: Vague entries like “manual handling” or “slips and trips” without specific context are not useful and do not demonstrate a thorough assessment.
- Ignoring psychosocial hazards: Fatigue, bullying, work-related stress, and excessive workload are legitimate OHS hazards. Leaving them out of your register is increasingly likely to attract auditor scrutiny.
- Treating the register as a one-off document: If your register has not been reviewed since you first created it, it is not serving its purpose and will not satisfy the ongoing requirement in the standard.
- No evidence of worker consultation: Claiming you consulted workers without any records to back it up will not hold up under audit.
- Controls that do not match the risk level: High-risk hazards with only low-level administrative controls suggest the hierarchy of controls has not been properly applied.
Getting Help With ISO 45001 Implementation
Implementing a thorough hazard identification and risk assessment process takes time and expertise, particularly if your organisation is doing it for the first time. Many businesses find it worthwhile to work with an experienced ISO 45001 consultant who can guide the process, review your hazard register, and help prepare your team for the certification audit.
If you are looking for qualified consultants who specialise in ISO 45001, CertBetter makes it straightforward. You submit one form and receive up to three competing quotes from vetted ISO consultants and accredited certification bodies. The service is completely free for businesses seeking certification help, and it saves considerable time compared to searching for providers independently.




