An OHS management system is not a folder of policies sitting on a shelf. It is a structured, integrated approach to identifying workplace hazards, controlling risks, and protecting the people who show up to work every day. If you are responsible for setting one up, or you are auditing one for the first time, understanding what the system actually consists of and how the pieces connect is the most practical place to start.
On this page
This article walks through the core components of an OHS management system, how they fit together under ISO 45001:2018, and what a sensible setup process looks like in practice. Whether you are building from scratch or reviewing an existing system, the same fundamentals apply.
What an OHS Management System Actually Is
An OHS management system is a framework an organisation uses to manage its occupational health and safety risks in a systematic way. The goal is not certification for its own sake. The goal is to prevent injury, illness, and death at work, and to create an environment where workers can raise concerns, participate in decisions, and trust that hazards are taken seriously.
In Australia, the most widely recognised international standard for OHS management systems is ISO 45001:2018. It replaced the earlier OHSAS 18001 standard and brought OHS management into the High Level Structure used by ISO 9001 and ISO 14001. That alignment makes it easier to integrate safety with quality and environmental management, which is increasingly common in Australian organisations operating under a single integrated management system.
If you want a broader overview of what an OHSMS involves before diving into components, the article What Is an OHSMS covers the fundamentals in plain language.
The Core Components of an OHS Management System
ISO 45001 organises its requirements across ten clauses that follow the Plan, Do, Check, Act cycle. Each clause represents a component of the system. Here is what each one involves and why it matters in practice.
Context and Scope
Before you can build a system, you need to understand what you are building it for. Clause 4 of ISO 45001 asks you to examine the internal and external factors that affect your organisation, identify the workers and other interested parties who have a stake in your OHS performance, and define the boundaries of your system.
In practice, this means asking questions like: What are the legal requirements that apply to our operations? Who are our workers, including contractors and labour hire? What are the conditions, activities, and locations covered by this system? Getting the scope right matters because a scope that is too narrow leaves workers unprotected, and a scope that is too broad creates obligations you cannot realistically meet.
Leadership and Worker Participation
Clause 5 is where many OHS management systems either succeed or fail. The standard is explicit that top management must demonstrate leadership and commitment, not just sign off on a policy. This means being visible on safety, allocating resources, removing barriers, and making sure OHS is integrated into business decisions rather than treated as a compliance function that runs separately.
The OHS policy sits within this clause. It needs to include a commitment to providing safe and healthy working conditions, to eliminating hazards and reducing risks, to meeting legal requirements, to consulting and involving workers, and to continual improvement. A policy that is vague or generic will not satisfy an auditor, and more importantly, it will not drive the behaviours the system depends on.
Worker participation and consultation is one of the most distinctive features of ISO 45001. Clause 5.4 requires organisations to consult workers on hazard identification, risk assessment, incident investigation, and changes that affect their safety. This is not a suggestion. It is a requirement, and auditors will look for evidence that it is genuine rather than tokenistic.
Planning
Clause 6 is where the system gets its teeth. Planning under ISO 45001 covers three main areas: risks and opportunities, hazard identification and risk assessment, and OHS objectives.
Risks and opportunities under clause 6.1.1 go beyond hazards. They include factors like changes in legislation, new technologies, workforce changes, and opportunities to improve safety performance. Organisations need to determine which risks and opportunities are significant and plan actions to address them.
Hazard identification under clause 6.1.2 is the most operationally intensive part of the planning requirement. It needs to be systematic, ongoing, and cover all activities, locations, and people, including routine tasks, non-routine tasks, emergencies, and changes to work. The hazard identification process should consider human factors, organisational factors, and the physical work environment, not just obvious physical hazards.
OHS objectives under clause 6.2 need to be measurable, monitored, communicated, and updated. They should reflect the significant risks the organisation has identified and drive real improvement rather than just tracking lagging indicators like lost time injury frequency rates.
Support
Clause 7 covers the resources, competence, awareness, communication, and documented information that the system needs to function. These are often underestimated in setup but are consistently the source of nonconformities in audits.
Competence means workers doing safety-critical tasks need to be capable of doing them safely. Training records, licences, and competency assessments are the evidence an auditor will look for. Awareness means workers understand the OHS policy, their contribution to the system, and what happens if they do not follow procedures. Communication means the organisation has determined what needs to be communicated, to whom, when, and how, both internally and externally.
Documented information under ISO 45001 does not prescribe a long list of mandatory documents. The standard requires what is necessary to support operations and provide confidence that the system is working. In practice, most organisations will maintain a hazard register, risk assessments, legal register, training records, inspection records, incident reports, and audit records as a minimum.
Operation
Clause 8 is where the system meets the workplace. It covers operational planning and control, including the hierarchy of controls, management of change, procurement, contractor management, and emergency preparedness and response.
The hierarchy of controls is fundamental to ISO 45001. The standard requires organisations to work through the hierarchy in order: eliminate the hazard first, then substitute, then use engineering controls, then administrative controls, and use personal protective equipment only as a last resort. An OHS management system that relies heavily on PPE as its primary control is a system that has not followed the hierarchy properly.
Management of change is a frequent source of nonconformities. When processes, equipment, personnel, or legal requirements change, the hazard identification and risk assessment process needs to be revisited before the change is implemented, not after an incident occurs.
Contractor management under clause 8.1.4.2 requires the organisation to coordinate with contractors to identify hazards and manage risks where work interfaces exist. This is particularly relevant in construction, mining, and facilities management, where multiple contractors work alongside each other and the host organisation's workers.
Performance Evaluation
Clause 9 covers monitoring, measurement, analysis, evaluation, internal audits, and management review. These are the mechanisms that tell you whether the system is actually working.
Monitoring and measurement under clause 9.1.1 should include both proactive measures, such as hazard inspections, near miss reporting rates, and training completion, and reactive measures, such as injury rates and incident frequency. Relying only on lagging indicators means you are measuring failures after they happen rather than identifying conditions that lead to them.
The compliance evaluation requirement under clause 9.1.2 means the organisation must periodically assess whether it is meeting its legal obligations and other requirements. This is not the same as having a legal register. It requires an active assessment of actual compliance, not just awareness of what the laws say.
Internal audits need to be planned based on risk, conducted by competent and impartial auditors, and used to generate findings that drive improvement. Management review brings together the outputs of monitoring, audits, incident investigations, and other information to make decisions about the system at the leadership level.
Improvement
Clause 10 covers incident investigation, nonconformity and corrective action, and continual improvement. Incident investigation under ISO 45001 is not just about recording what happened. It requires determining root causes, identifying contributing factors, and implementing corrective actions that address those causes rather than just the immediate symptoms.
Continual improvement under clause 10.3 means the system should be getting better over time, not just maintaining compliance. This requires a genuine commitment from leadership and a culture where workers feel safe to report hazards and near misses without fear of blame.
How to Set Up an OHS Management System
Setting up an OHS management system is a project that requires planning, resources, and genuine commitment from leadership. Here is a practical sequence that works in most organisational contexts.
Start With a Gap Analysis
Before you build anything, assess where you currently stand against the requirements of ISO 45001. A gap analysis will identify what you already have that can be formalised, what needs to be developed from scratch, and where the most significant risks lie. This gives you a realistic picture of the effort involved and helps you prioritise.
Define the Scope
Determine which locations, activities, and workers are covered by the system. The scope needs to be realistic. If you are a contractor working across multiple client sites, your scope needs to reflect that. If you have remote workers or workers employed through labour hire arrangements, they need to be included.
Establish the Context
Document the internal and external factors that affect your OHS performance. This includes legal requirements, industry context, organisational culture, and the needs and expectations of workers and other interested parties. This is not a one-time exercise. It should be reviewed whenever significant changes occur.
Develop the Policy and Objectives
Write an OHS policy that is specific to your organisation and signed by the most senior person in the scope. Then develop OHS objectives that are measurable and linked to your significant risks. Objectives that say nothing more than “reduce injuries” without a baseline, a target, and a plan are not objectives. They are wishes.
Build the Hazard Identification and Risk Assessment Process
This is the engine of the system. Develop a process for identifying hazards across all activities, assess the risks associated with each hazard, and determine appropriate controls using the hierarchy. Document the results in a hazard register or risk register that is maintained and reviewed regularly, not just created once and filed away.
For a practical breakdown of how auditors assess this process, the article Auditing Occupational Health and Safety Under ISO 45001 is worth reading alongside this one.
Develop Your Documented Information
Create the procedures, work instructions, forms, and records that the system needs. Focus on what is genuinely useful rather than creating documents to tick boxes. Every document should have a purpose, an owner, and a review cycle. Documents that are out of date or never used are worse than no documents at all because they create a false impression of control.
Train and Communicate
Workers need to understand the system, their role in it, and how to report hazards and incidents. Induction training is a starting point, but ongoing communication and engagement are what keep the system alive. Toolbox talks, safety alerts, and regular team discussions are more effective than annual training sessions that workers sit through and forget.
Implement Operational Controls
Put the controls you have identified into practice. This includes physical controls, safe work method statements, permit-to-work systems, inspection regimes, and contractor management processes. Make sure the controls are actually used, not just documented. An auditor will check both.
Monitor, Audit, and Review
Once the system is operating, measure its performance, conduct internal audits, investigate incidents, and review the system at the management level. Use what you find to make improvements. A system that is never reviewed is a system that has stopped working.
Common Setup Mistakes to Avoid
Having been involved in hundreds of audits across Australia and internationally, certain patterns come up repeatedly in organisations that struggle with their OHS management systems.
The first is building a paper system rather than a working system. Documents that describe a process that nobody follows are worse than useless because they suggest compliance where none exists. Build the system around how work actually happens, not how you wish it happened.
The second is treating worker participation as a formality. Clause 5.4 exists because worker involvement genuinely improves safety outcomes. Workers know the hazards in their work better than anyone. If consultation is reduced to signing off on documents they have not read, the system is missing one of its most valuable inputs.
The third is failing to maintain the system after initial certification. Many organisations put significant effort into achieving certification and then allow the system to drift. Surveillance audits exist precisely to check that the system remains active and effective, not just that it was active at the time of certification.
If you are planning to audit an OHS management system or want to understand what auditors look for in practice, the article Understanding the ISO 45001 Hazard Identification Audit Trail provides a detailed look at how auditors trace the hazard identification process through the system.
Getting Trained to Build or Audit an OHS Management System
Understanding the components of an OHS management system at a conceptual level is one thing. Being able to implement one, audit one, or advise an organisation on one requires practical knowledge and structured training.
Audit Workshop offers ISO 45001 auditor training at Foundation, Internal Auditor, and Lead Auditor levels, delivered live online and as self-paced courses. The training is built around real audit practice, not just clause-by-clause theory. Founder Dilawar Laghari has conducted over 500 external certification audits across Australia, the Middle East, and South Asia, and that experience shapes every course.
Whether you are a WHS manager looking to formalise your system knowledge, an internal auditor preparing to audit your organisation's OHSMS, or a professional pursuing Lead Auditor credentials, there is a course level that fits where you are and where you want to go.
