Clause 6.1.2 sits at the heart of ISO 45001. If clause 5 is about leadership and clause 8 is about doing the work, 6.1.2 is where the standard asks: do you actually know what could hurt people, and have you dealt with it? Auditors spend real time here, because a weak hazard identification process undermines everything downstream.
This article explains what the clause requires in plain language, what evidence demonstrates conformity, and the gaps that most commonly trigger findings.
6.1.2.1 — Hazard identification
The standard requires a process to identify hazards that is ongoing and proactive. Crucially, it lists the sources you must take into account. Your process needs to consider, among others:
- How work is organised, social factors, leadership, and culture
- Routine and non-routine activities and situations
- Past relevant incidents, internal or external, including emergencies, and their causes
- Potential emergency situations
- People: those with access to the workplace (workers, contractors, visitors) and those in the vicinity affected by your activities
- Human factors: how tasks are actually performed, human limitations, and the way people behave under real conditions
- Changes in knowledge, and changes to processes, activities, or the management system
The word auditors probe is "ongoing." A hazard identification that only happens at annual review misses the hazards introduced by daily changes — new equipment, a modified procedure, a contractor's method statement. Your process should show hazards being captured continuously: from inspections, near misses, change management, and pre-task analysis.
6.1.2.2 — Assessment of OH&S risks and other risks
Once hazards are identified, you must assess the OH&S risk arising from them, taking into account the effectiveness of existing controls. You also have to assess other risks related to establishing, implementing, operating, and maintaining the management system itself.
The standard requires that your methodology and criteria for assessing risk be:
- Defined with respect to scope, nature, and timing — decided in advance, not improvised
- Applied and maintained to give results that are consistent, repeatable, and can be validated
6.1.2.3 — Assessment of OH&S opportunities
Often overlooked. The clause also asks you to identify opportunities — to improve OH&S performance, to adapt work and the working environment to workers, and to eliminate hazards and reduce risk. In practice this means your process shouldn't only be about controlling what's bad; it should also surface ways to make the work inherently safer (redesigning a task, automating a hazardous step, improving ergonomics).
What auditors look for as evidence
Conformity is demonstrated through documented information and, more importantly, through consistency between what your process says and what actually happens. Expect an auditor to check:
| They ask… | They want to see… |
|---|---|
| How do you identify hazards? | A defined, documented process — plus live evidence it runs continuously, not annually |
| Show me your risk methodology | Pre-defined criteria and scales, applied the same way across different assessments |
| How did this incident feed back in? | A traceable line from an incident/near miss to an updated hazard or control |
| Were workers involved? | Records of consultation and participation (links to clause 5.4) |
| What about that new equipment? | Hazard identification triggered by change (links to clause 8.1.3, management of change) |
| Are controls effective? | Evidence controls were assessed for effectiveness, following the hierarchy of controls (clause 8.1.2) |
How 6.1.2 connects to the rest of the standard
Clause 6.1.2 is not an island. Findings often arise where it fails to connect to neighbouring clauses:
- 5.4 Consultation and participation — workers must be involved in hazard identification and risk assessment.
- 6.1.3 Legal and other requirements — hazards tie to the legal obligations that apply to them.
- 8.1.2 Eliminating hazards and reducing risks — the hierarchy of controls is applied here.
- 8.1.3 Management of change — changes trigger re-assessment.
- 10.2 Incident, nonconformity and corrective action — incidents feed back into hazard identification.
The most common findings
- "Ongoing" isn't demonstrated. Risk assessments all dated to one annual exercise, with nothing capturing hazards in between.
- Methodology undefined. A matrix is used, but nobody can explain the scales or show they're applied consistently across assessments.
- Non-routine activities missing. Maintenance, breakdowns, start-up/shut-down, and emergencies aren't covered.
- Human factors ignored. Assessments assume procedures are followed perfectly and never account for how work is really done.
- No feedback loop. Incidents and near misses don't visibly update the hazard register or controls.
- Opportunities absent. 6.1.2.3 is quietly skipped.
Turn ISO 45001 clauses into tracked evidence
ENSURE's Legal Register breaks a standard like ISO 45001 into its clauses and tracks per-clause compliance with linked evidence — so when the auditor asks about 6.1.2, you show the trail instead of hunting for it.