What Is an OHSMS?
An OHSMS, or Occupational Health and Safety Management System, is a structured framework that an organisation uses to manage risks to the health, safety, and wellbeing of its workers. You will also see it written as OHS management system or simply referred to as a safety management system in some contexts.
At its core, an OHSMS gives an organisation a systematic way to identify hazards, assess risks, implement controls, and continually improve safety performance. Rather than reacting to incidents after they occur, a well designed OHSMS helps organisations stay ahead of the risks that cause harm in the first place.
In Australia, the term OHSMS is widely used across industries including construction, mining, manufacturing, healthcare, and transport. It is the backbone of any serious safety program, and it is the framework that ISO 45001:2018 is built around.
Why Organisations Build an OHSMS
The reasons organisations invest in an OHSMS go well beyond regulatory compliance. Yes, Australian work health and safety legislation imposes duties on employers to provide safe workplaces, but the OHSMS is the mechanism that makes those duties operational. It turns legal obligations into documented processes, assigned responsibilities, and measurable outcomes.
There are several practical reasons organisations choose to formalise their safety management:
- Reducing incidents and injuries: A systematic approach to hazard identification and risk control consistently outperforms ad hoc safety practices. Workers go home safely, and organisations avoid the human and financial cost of workplace injuries.
- Meeting legal obligations: The Work Health and Safety Act and its regulations across Australian jurisdictions require PCBUs (persons conducting a business or undertaking) to eliminate or minimise risks so far as is reasonably practicable. An OHSMS provides the documented evidence that these duties are being met.
- Winning contracts: Many government tenders and large private sector procurement processes require contractors to demonstrate a functioning OHSMS. ISO 45001 certification is increasingly a minimum expectation in sectors like construction, mining services, and civil works.
- Reducing insurance costs: Insurers look favourably on organisations with certified or demonstrably effective safety management systems.
- Building safety culture: An OHSMS is not just paperwork. When implemented well, it engages workers in identifying hazards and participating in decisions that affect their safety.
The Key Components of an OHSMS
Whether your OHSMS is built around ISO 45001 or another framework, the core components are broadly consistent. Understanding these components helps you see how the system hangs together as a whole rather than as a collection of disconnected documents.
Leadership and Commitment
An OHSMS cannot function without genuine commitment from top management. This means more than signing a policy. It means allocating resources, setting safety objectives, actively participating in safety reviews, and visibly demonstrating that safety is a priority. In ISO 45001, this is captured in Clause 5.1, which places specific obligations on top management rather than allowing safety to be delegated entirely to a safety officer.
The OH&S Policy
The OH&S policy is the organisation's formal statement of intent. It commits the organisation to preventing work related injury and ill health, complying with applicable legal requirements, and continually improving safety performance. The policy must be communicated to workers and available to interested parties. It is a living document, not a framed statement on the wall that nobody reads.
Hazard Identification and Risk Assessment
This is the engine room of any OHSMS. The organisation must identify all hazards associated with its activities, assess the risks those hazards present, and determine appropriate controls. In ISO 45001, this sits within Clause 6.1.2 and requires the process to be proactive and ongoing, not a one time exercise conducted during system implementation.
Hazards might include physical risks like working at heights or operating plant, chemical hazards, biological risks, ergonomic factors, and psychosocial hazards such as fatigue, workload, and workplace violence. A credible hazard identification process considers all of these categories.
Legal and Other Requirements
The OHSMS must include a process for identifying and keeping current with applicable WHS legislation, regulations, codes of practice, and other requirements the organisation has committed to. This is sometimes called the legal register or compliance obligations register. Auditors check this register carefully because outdated or incomplete legal registers are a common nonconformity.
OH&S Objectives
Objectives give the OHSMS direction. They should be measurable, consistent with the OH&S policy, and focused on continual improvement. Examples might include reducing the lost time injury frequency rate by a specific percentage, completing a certain number of hazard inspections per month, or achieving a target for near miss reporting. Vague objectives like "improve safety culture" without any measure attached will not satisfy ISO 45001 requirements.
Operational Controls
Once hazards are identified and risks assessed, the organisation must implement controls. ISO 45001 requires controls to be applied in the order of the hierarchy of controls: elimination first, then substitution, engineering controls, administrative controls, and finally personal protective equipment as the last resort. Documented procedures, safe work method statements, permits to work, and toolbox talks are all examples of operational controls in practice.
Worker Participation and Consultation
One of the defining features of ISO 45001 compared to its predecessor OHSAS 18001 is the emphasis on worker participation. The standard requires organisations not just to consult workers but to actively involve them in hazard identification, risk assessment, incident investigation, and decisions about controls. This is not a box ticking exercise. Auditors look for genuine mechanisms through which workers can raise safety concerns and see those concerns acted upon.
Incident Investigation
When incidents, near misses, or dangerous occurrences happen, the OHSMS must have a process for investigating them, identifying root causes, and implementing corrective actions to prevent recurrence. Organisations that only investigate lost time injuries and ignore near misses are missing the majority of their learning opportunities. A mature OHSMS treats near miss reporting as a leading indicator of safety performance.
Monitoring, Measurement, and Evaluation
The OHSMS must include processes for monitoring and measuring safety performance. This includes both leading indicators (hazard inspections completed, toolbox talks held, training completed) and lagging indicators (injury rates, days lost, workers compensation claims). Regular compliance evaluations check whether the organisation is meeting its legal obligations.
Internal Audit
Internal audits are a mandatory element of any ISO management system, including an OHSMS built on ISO 45001. The internal audit programme must cover all elements of the system at planned intervals, with frequency based on risk. Internal auditors must be competent and independent from the areas they audit. The purpose is to verify that the OHSMS is conforming to requirements and is being effectively implemented.
If you want to understand what auditors actually look for when they examine an OHSMS, the article on auditing occupational health and safety under ISO 45001 covers this in practical detail.
Management Review
Top management must periodically review the OHSMS to ensure it remains suitable, adequate, and effective. The management review considers inputs like audit results, incident data, legal compliance status, achievement of objectives, and stakeholder feedback. Outputs must include decisions about continual improvement, resource needs, and any changes required to the system.
Continual Improvement
An OHSMS is not a static document set. It must improve over time. Nonconformities identified through audits or incidents must be addressed through corrective action, and the organisation must look for opportunities to improve safety performance beyond simply fixing problems as they arise.
OHSMS vs ISO 45001: What Is the Relationship?
ISO 45001:2018 is the international standard that specifies requirements for an OHSMS. It provides the framework, the structure, and the specific requirements that an organisation must meet if it wants third party certification. But an OHSMS does not have to be certified to ISO 45001 to be valid or effective.
Many organisations operate an OHSMS that is not formally certified. They may follow the ISO 45001 framework without seeking external certification, or they may have built their system around industry specific guidelines or their own internal requirements. Certification to ISO 45001 simply means that an accredited certification body has independently verified that the OHSMS meets the requirements of the standard.
In Australia, ISO 45001 replaced the previous Australian standard AS/NZS 4801 as the preferred framework for OHS management systems. Organisations that were certified to AS/NZS 4801 were expected to transition to ISO 45001. The two standards share similar intent but ISO 45001 is more demanding in several areas, particularly around worker participation, leadership commitment, and the integration of the OHSMS into the broader business strategy.
How the OHSMS Fits with ISO 9001 and ISO 14001
ISO 45001, ISO 9001 (quality management), and ISO 14001 (environmental management) all share the same High Level Structure. This means they follow the same clause numbering and use consistent terminology. The practical benefit is that organisations can integrate all three into a single Integrated Management System (IMS) rather than running three separate systems with duplicated documentation and separate audit programmes.
When auditing an integrated system, the auditor looks at how the three standards reinforce each other. A risk assessment under ISO 45001 may identify environmental risks that are relevant to ISO 14001. A management review under ISO 9001 may incorporate safety performance data from the OHSMS. The process approach that underpins ISO 9001 applies equally to the OHSMS.
Understanding the differences and overlaps between these three standards is essential for anyone working in quality, safety, or environmental management. The comparison article on ISO 9001 vs ISO 14001 vs ISO 45001 is a useful reference if you are working across more than one standard.
Who Is Responsible for the OHSMS?
Responsibility for the OHSMS sits with the organisation as a whole, not with a single person. Top management owns the system and is accountable for its performance. The WHS Manager or Safety Manager typically coordinates the day to day operation of the system, including maintaining the hazard register, organising training, managing incident investigations, and preparing for audits.
However, ISO 45001 is explicit that safety is not the sole responsibility of the safety team. Every manager and supervisor has responsibilities within the OHSMS, and workers themselves have a duty to participate in safety processes and report hazards. The OHSMS assigns these responsibilities clearly and ensures people have the competence to carry them out.
In larger organisations, the OHSMS may be supported by a dedicated safety team with specialists in areas like industrial hygiene, ergonomics, or emergency management. In smaller organisations, the WHS Manager may be the only dedicated safety resource, and the OHSMS must be designed to be practical and manageable at that scale.
Common Weaknesses Auditors Find in an OHSMS
After hundreds of external audits across construction, mining, manufacturing, and services, certain patterns emerge in where OHSMS implementations fall short. These are the areas that consistently attract nonconformities:
- Hazard registers that are not kept current: The hazard register is created during system implementation and then never updated when new activities, equipment, or work arrangements are introduced.
- Legal registers that are out of date: WHS legislation changes, and organisations fail to review their legal register to reflect current obligations.
- Worker participation that is tokenistic: Consultation processes exist on paper but workers have no genuine avenue to raise safety concerns or influence decisions.
- Objectives without measures: Safety objectives are stated in the system but have no targets, no timelines, and no monitoring process.
- Incident investigations that identify symptoms rather than root causes: The investigation concludes that the worker was not following the procedure, without asking why the procedure was not followed or whether the procedure was adequate.
- Internal audits that are not independent: People audit their own work areas, which compromises the objectivity of the audit findings.
- Management review that is a compliance exercise: The review meeting happens because ISO 45001 requires it, but the outputs do not drive any real decisions or improvements.
Building or Improving Your OHSMS
If you are starting from scratch or looking to strengthen an existing system, the most practical approach is to begin with a gap analysis. Compare your current arrangements against the requirements of ISO 45001 clause by clause and identify where the gaps are. This gives you a prioritised list of actions rather than an overwhelming list of everything that needs to be done.
From there, focus first on the foundations: a genuine hazard identification process, a current legal register, clear responsibilities, and a functioning incident reporting system. These are the elements that have the most direct impact on safety outcomes and are also the first things an auditor will look for.
Documentation should support the system, not drive it. Many organisations make the mistake of creating elaborate documented procedures before they have sorted out the underlying processes. Start with the processes, then document them in a way that is useful to the people doing the work.
If you are preparing to have your OHSMS audited, whether internally or by a certification body, understanding what auditors look for under each clause of ISO 45001 is invaluable. The article on understanding the ISO 45001 hazard identification audit trail gives a detailed look at one of the most scrutinised areas of the standard.
Training for OHSMS Auditors
Whether you are an internal auditor responsible for auditing your organisation's OHSMS, or a quality and safety professional looking to move into external auditing, formal training is the most efficient way to build the skills you need.
An ISO 45001 internal auditor course will teach you how to plan and conduct audits against the standard, gather and evaluate evidence, write nonconformity reports, and communicate findings to management. A lead auditor course goes further, covering audit programme management, team leadership, and the skills required to conduct third party certification audits.
At Audit Workshop, our ISO 45001 auditor training is delivered by a certified lead auditor with over 14 years of hands on compliance experience and more than 500 external ISO certification audits completed across Australia and internationally. The training is practical, grounded in real audit scenarios, and available in both live virtual and self paced formats to suit your schedule.
If you are deciding between training levels, the guide on ISO Lead Auditor vs Internal Auditor: which course you need will help you choose the right starting point for your goals.








