ISO 45001:2018 Clause 6.1: Actions to Address Risks & Opportunities

Introduction

Many organizations treat Clause 6.1 as a documentation checkbox — fill out a risk register, file it away, and move on. That approach produces a system that looks compliant on paper but fails when it matters most: during an incident, a regulatory inspection, or a certification audit.

Clause 6.1 is the planning engine of the entire OH&S management system. Without it, nothing downstream (objectives, operational controls, training programs) is grounded in actual workplace reality.

According to the Bureau of Labor Statistics, there were 5,070 fatal work injuries in the U.S. in 2024. That number is the cost of treating hazard identification and risk planning as a formality.

This article breaks down what Clause 6.1 actually requires — and what it takes to make it work in practice, not just on paper.

TL;DR

  • Clause 6.1 covers hazard identification, risk/opportunity assessment, legal requirements, and action planning — ongoing, not a one-time task
  • Planning draws from four inputs: organizational context, interested party needs, scope, and applicable legal requirements
  • OH&S risks, OH&S opportunities, and management system opportunities are each distinct categories requiring separate treatment
  • Pre-change risk assessments are mandatory under Clauses 6.1.4 and 8.1.3 before any operational change
  • Auditors check worker participation, context linkage, live risk registers, and legal compliance traceability

What Is ISO 45001:2018 Clause 6.1 and What Does It Require?

Clause 6.1 is the overarching planning clause within Section 6 of ISO 45001. It encompasses four sub-clauses:

Sub-Clause Title
6.1.1 General
6.1.2 Hazard identification and assessment of risks and opportunities
6.1.3 Determination of legal requirements and other requirements
6.1.4 Planning action

Together, these establish what needs to be addressed before the organization sets OH&S objectives and programs.

The Three Core Purposes

The standard states that Clause 6.1 planning exists to:

  1. Give assurance that the OH&S management system can achieve its intended outcomes, meaning the system is designed around real hazards, not theoretical ones
  2. Prevent or reduce undesired effects, controlling what can go wrong before it does
  3. Achieve continual improvement, using identified opportunities to advance OH&S performance over time

Planning Is Not a One-Time Event

This is where many organizations go wrong. Clause 6.1 is not a project with a completion date. The standard explicitly requires that as circumstances change — new processes, new equipment, new regulations, workforce changes — the organization must reassess risks and opportunities. The planning process repeats as the organization and its hazard landscape evolve.

The Four Key Inputs That Shape Clause 6.1 Planning

The quality of Clause 6.1 planning depends entirely on the quality of its inputs. There are four.

Organizational Context (Clause 4.1)

Internal factors — organizational culture, available resources, existing processes — and external factors — the regulatory environment, economic conditions, industry-specific hazard profiles — all determine which risks and opportunities are relevant. A chemical processor faces a markedly different risk landscape than a software firm, and Clause 6.1 planning should reflect that difference clearly.

Needs and Expectations of Interested Parties (Clause 4.2)

Workers, contractors, regulators, customers, and community neighbors all have OH&S-related expectations. Failing to address them represents a risk. Exceeding them can be an opportunity. Worker input carries particular weight here. Clause 5.4 requires worker consultation and participation in hazard identification, and auditors will specifically check for evidence of this.

Scope of the OH&S Management System (Clause 4.3)

The scope determines which sites, activities, and functions fall within the system — and therefore which hazards must be addressed. Hazards at locations or activities outside scope are not automatically irrelevant; they must be explicitly excluded and that exclusion should be defensible.

Legal Requirements and Other Requirements (Clause 6.1.3)

The organization must identify applicable OH&S laws, regulations, and industry standards, determine how they apply, and carry that understanding throughout planning. Non-compliance with legal requirements is itself a significant OH&S risk — and a reliable source of nonconformities in certification audits.

In practice, treat these four inputs as a connected checklist before moving into hazard identification. Auditors reviewing Clause 6.1 will trace your planning decisions back to each one — gaps here surface as gaps everywhere downstream.

Identifying and Assessing OH&S Risks and Opportunities

Hazard Identification: The Starting Point

The standard defines a hazard as a source with the potential to cause injury or ill health. Risk is the effect of uncertainty — specifically, the likelihood that harm actually arises from that hazard combined with the severity of that harm.

A straightforward example: a wet floor is a hazard. The risk is that someone slips, falls, and is injured. NSC data shows falls, slips, and trips accounted for 479,480 days-away-from-work cases over 2023–2024 — making this not just a textbook example but one of the most consequential hazard categories in practice.

Clause 6.1.2.1 requires hazard identification to cover:

  • Routine activities (day-to-day operations) and non-routine activities (occasional, infrequent, or unplanned work)
  • Human factors — fatigue, skill level, time pressure
  • New or changed hazards, including those from planned changes
  • Potential emergency situations
  • All people who may be affected — employees, contractors, visitors, and neighbors
  • Changes in knowledge or technology

Worker participation in this process is not optional. It is a clause requirement.

Assessing OH&S Risks

Once hazards are identified, each is assessed for likelihood of occurrence and severity of potential harm to produce a risk level. A likelihood × severity grid is the most widely used practical tool — the ILO's risk assessment guidance confirms this as the standard approach. ISO 45001 does not mandate a specific format, so organizations can use a 3×3, 4×4, or 5×5 matrix depending on what suits their operations.

Once you have a risk level, the question becomes: what do you do with it? The 4Ts framework provides a practical decision structure:

  • Tolerate — low-priority risks that can be monitored without immediate action
  • Terminate — eliminate the hazard or risk entirely where possible
  • Treat — reduce likelihood or severity through engineering controls, administrative controls, or PPE
  • Transfer — outsource or insure, noting that legal liability remains with the organization regardless

4Ts risk response framework tolerate terminate treat transfer decision flow

Recognizing OH&S Opportunities

The standard distinguishes between two types of opportunities (a distinction that frequently surfaces as a point of confusion in audits).

OH&S performance opportunities improve actual safety outcomes:

  • Automating high-risk manual tasks
  • Redesigning hazardous processes
  • Safety requirements built into new equipment procurement specifications
  • Implementing job safety analyses for high-risk activities

Management system opportunities improve how the OH&S system itself operates:

  • Strengthening hazard reporting culture
  • A more rigorous legal register maintenance process
  • Increasing top management visibility in safety activities
  • Enhancing incident investigation processes

Knowing which type you're documenting matters — auditors will ask.

Planning Actions and Managing Change Under Clause 6.1

Building Action Plans

Once risks and opportunities are assessed, Clause 6.1.4 requires action plans. A strong action plan includes:

  • Description of the action
  • Responsible person or team
  • Timeline for completion
  • Required resources
  • How effectiveness will be evaluated

These are typically tracked in a risk and opportunity register — which, for most organizations, becomes the practical heart of Clause 6.1 documented information.

The Pre-Change Assessment Requirement

This is one of the most commonly missed requirements. For any planned change — permanent or temporary — a risk and opportunity assessment must be completed before the change is implemented. Clause 8.1.3 (Management of Change) reinforces this directly.

A manufacturer introducing new production machinery must assess the OH&S risks from that equipment before it goes into service, not after the first incident. The U.S. Chemical Safety Board has documented cases where inadequate pre-change assessment contributed to serious outcomes — which is precisely why the standard makes this a hard requirement.

Integration Into the Broader System

Not every identified risk requires a formal action plan. The organization determines which risks and opportunities need to be addressed based on significance — higher-priority items get the most attention and resources.

Action plans developed under Clause 6.1 are not standalone documents. They must feed into:

  • Clause 6.2 — OH&S objectives and programs
  • Clause 7.2 — training and competence requirements
  • Clause 8.1 — operational planning and controls
  • Clause 9.3 — management reviews

Clause 6.1 action plan integration into ISO 45001 downstream clauses diagram

When that integration exists, risk management becomes built into daily operations. When it doesn't, you have a parallel paperwork system that passes audits but doesn't prevent incidents.

Documented Information Requirements Under Clause 6.1

Clause 6.1.1 explicitly requires documented information on two things: the risks and opportunities themselves, and the processes and actions used to determine and address them — to the extent necessary to confirm they are carried out as planned.

In practice, this means maintaining:

  • Risk and opportunity assessment records
  • The methodology or criteria used for assessment
  • Action plans with assigned responsibilities and timelines
  • Monitoring and review records
  • Evidence that pre-change assessments were conducted

The standard does not prescribe a specific format. Organizations have flexibility to use tools that fit their operations — a spreadsheet, a purpose-built register, or a cloud-based management system all satisfy the requirement if the content is there.

That flexibility, however, can work against organizations that don't have a clear starting point. First-time implementers frequently underestimate how much Clause 6.1 documentation is actually required once hazard identification, risk assessment, legal obligations, and change management records are all accounted for. Synergistic Systems addresses this directly through their structured, modular implementation methodology — building compliant documented information collaboratively with the client team rather than handing over a template and walking away. Their cloud-based ISO management intranet consolidates hazard logs, risk registers, action plans, and audit records in a single controlled environment, making it practical to maintain and audit over time.

How Auditors Evaluate Clause 6.1 Compliance

What Auditors Check

IAF MD 22:2023 is the mandatory document for certification bodies auditing OH&S management systems. Under it, auditors must review key hazards and OH&S risks, hazardous materials, applicable legal obligations, and must interview workers — including both permanent and temporary employees.

In a Clause 6.1 review, expect auditors to examine:

  • Whether a formal, repeatable hazard identification process exists
  • Whether workers were involved in identifying hazards and assessing risks
  • Whether context (4.1) and interested party needs (4.2) visibly fed into the assessments
  • Whether legal requirements are current, identified, and linked to operational controls
  • Whether the risk register reflects recent changes and planned activities

Common Nonconformities

The most frequent Clause 6.1 findings include:

  • Risk register not updated when changes occur — missing pre-change assessment evidence
  • Disconnected inputs — risks and opportunities not traceable back to context and interested party analyses
  • Vague methodology documentation — assessment criteria too generic to demonstrate systematic application
  • No worker participation evidence — hazard identification completed by management only, with no documented worker input

Four common ISO 45001 Clause 6.1 audit nonconformities with descriptions

Preparing for a Clause 6.1 Audit

Each nonconformity above maps directly to a preparation gap. Address them before the auditor arrives:

  1. Maintain the audit trail from Clause 4.1 context analysis through to action plans — the connection between context, risks, and controls must be visible end to end.
  2. Keep the risk register current, reflecting recent operational changes, new equipment, or workforce shifts. Auditors look for evidence of pre-change assessment.
  3. Link legal requirements to specific controls — be ready to show which regulation connects to which operational procedure.
  4. Document worker consultation with meeting notes, sign-in sheets, or hazard report submissions. Verbal participation without records will not satisfy an auditor.

Frequently Asked Questions

What are the 'actions to address risks and opportunities' in ISO 45001:2018 Clause 6.1?

Clause 6.1 requires organizations to identify hazards, assess OH&S risks and opportunities, determine legal and other requirements, and plan actions to address them. The goal is to ensure the OH&S management system achieves its intended outcomes, prevents undesired effects, and drives continual improvement — not to generate documentation for its own sake.

How do you audit risks and opportunities under ISO 45001:2018?

Auditors verify the existence of a formal, documented hazard identification and risk assessment process, check that it links to context and interested party analyses, confirm worker participation is evidenced, and review whether action plans have been implemented and evaluated for effectiveness.

What is the difference between OH&S risks and OH&S opportunities in ISO 45001?

OH&S risks are the potential for harm arising from identified hazards. OH&S opportunities are possibilities to improve safety performance — through safer technology or redesigned processes — or to strengthen the management system itself through better worker participation or enhanced incident investigation practices.

What documented information does Clause 6.1 require?

Organizations must maintain documented information on their identified risks and opportunities and on the processes used to determine and address them. In practice, this means a risk and opportunity register, assessment methodology documentation, action plans, and pre-change assessment records.

How does Clause 6.1 connect to Clauses 4.1 and 4.2?

The internal and external issues identified in Clause 4.1 and the needs of interested parties in Clause 4.2 are direct inputs into Clause 6.1 planning. Risks and opportunities should flow from those analyses, creating a traceable connection from organizational context all the way through to action plans.

Does ISO 45001 Clause 6.1 require organizations to address all identified risks?

No. The standard states organizations shall "determine the risks and opportunities that need to be addressed." The organization decides based on significance, likelihood, and severity — typically prioritizing higher-risk items for immediate action while monitoring lower-risk items over time.