Home/ Blog/ ISO 45001 Clause 6.1.2 Explained

ISO 45001 Clause 6.1.2 Explained: Hazard Identification and Risk Assessment

Clause 6.1.2 sits at the heart of ISO 45001. If clause 5 is about leadership and clause 8 is about doing the work, 6.1.2 is where the standard asks: do you actually know what could hurt people, and have you dealt with it? Auditors spend real time here, because a weak hazard identification process undermines everything downstream.

This article explains what the clause requires in plain language, what evidence demonstrates conformity, and the gaps that most commonly trigger findings.

The short version. Clause 6.1.2 requires you to establish, implement and maintain processes for (6.1.2.1) identifying hazards on an ongoing basis, (6.1.2.2) assessing OH&S risks and other risks to the management system, and (6.1.2.3) assessing OH&S opportunities. The words "ongoing" and "proactive" do a lot of work — a once-a-year exercise is not enough.

6.1.2.1 — Hazard identification

The standard requires a process to identify hazards that is ongoing and proactive. Crucially, it lists the sources you must take into account. Your process needs to consider, among others:

  • How work is organised, social factors, leadership, and culture
  • Routine and non-routine activities and situations
  • Past relevant incidents, internal or external, including emergencies, and their causes
  • Potential emergency situations
  • People: those with access to the workplace (workers, contractors, visitors) and those in the vicinity affected by your activities
  • Human factors: how tasks are actually performed, human limitations, and the way people behave under real conditions
  • Changes in knowledge, and changes to processes, activities, or the management system

The word auditors probe is "ongoing." A hazard identification that only happens at annual review misses the hazards introduced by daily changes — new equipment, a modified procedure, a contractor's method statement. Your process should show hazards being captured continuously: from inspections, near misses, change management, and pre-task analysis.

6.1.2.2 — Assessment of OH&S risks and other risks

Once hazards are identified, you must assess the OH&S risk arising from them, taking into account the effectiveness of existing controls. You also have to assess other risks related to establishing, implementing, operating, and maintaining the management system itself.

The standard requires that your methodology and criteria for assessing risk be:

  • Defined with respect to scope, nature, and timing — decided in advance, not improvised
  • Applied and maintained to give results that are consistent, repeatable, and can be validated
ISO 45001 does not mandate a risk matrix. A 5×5 severity-by-likelihood matrix is common and perfectly acceptable, but it is not required. What matters is that your method is defined in advance, applied consistently, and proportionate to the risk. If you use a matrix, be ready to explain your severity and likelihood scales and why the resulting scores drive the actions they do.

6.1.2.3 — Assessment of OH&S opportunities

Often overlooked. The clause also asks you to identify opportunities — to improve OH&S performance, to adapt work and the working environment to workers, and to eliminate hazards and reduce risk. In practice this means your process shouldn't only be about controlling what's bad; it should also surface ways to make the work inherently safer (redesigning a task, automating a hazardous step, improving ergonomics).

What auditors look for as evidence

Conformity is demonstrated through documented information and, more importantly, through consistency between what your process says and what actually happens. Expect an auditor to check:

They ask…They want to see…
How do you identify hazards?A defined, documented process — plus live evidence it runs continuously, not annually
Show me your risk methodologyPre-defined criteria and scales, applied the same way across different assessments
How did this incident feed back in?A traceable line from an incident/near miss to an updated hazard or control
Were workers involved?Records of consultation and participation (links to clause 5.4)
What about that new equipment?Hazard identification triggered by change (links to clause 8.1.3, management of change)
Are controls effective?Evidence controls were assessed for effectiveness, following the hierarchy of controls (clause 8.1.2)

How 6.1.2 connects to the rest of the standard

Clause 6.1.2 is not an island. Findings often arise where it fails to connect to neighbouring clauses:

  • 5.4 Consultation and participation — workers must be involved in hazard identification and risk assessment.
  • 6.1.3 Legal and other requirements — hazards tie to the legal obligations that apply to them.
  • 8.1.2 Eliminating hazards and reducing risks — the hierarchy of controls is applied here.
  • 8.1.3 Management of change — changes trigger re-assessment.
  • 10.2 Incident, nonconformity and corrective actionincidents feed back into hazard identification.

The most common findings

  • "Ongoing" isn't demonstrated. Risk assessments all dated to one annual exercise, with nothing capturing hazards in between.
  • Methodology undefined. A matrix is used, but nobody can explain the scales or show they're applied consistently across assessments.
  • Non-routine activities missing. Maintenance, breakdowns, start-up/shut-down, and emergencies aren't covered.
  • Human factors ignored. Assessments assume procedures are followed perfectly and never account for how work is really done.
  • No feedback loop. Incidents and near misses don't visibly update the hazard register or controls.
  • Opportunities absent. 6.1.2.3 is quietly skipped.

Turn ISO 45001 clauses into tracked evidence

ENSURE's Legal Register breaks a standard like ISO 45001 into its clauses and tracks per-clause compliance with linked evidence — so when the auditor asks about 6.1.2, you show the trail instead of hunting for it.

Book a demo See the Legal Register
Disclaimer This article is a general explainer, not certification advice. Always work from the current text of ISO 45001:2018 and your certification body's guidance. Clause references follow the 2018 edition.

Keep reading

How to Write a Job Hazard Analysis (JHA): A Step-by-Step Guide → 5 Whys vs Fishbone: Choosing the Right Root Cause Analysis Method →