ISO 45001 Clause 6 – Planning: Hazards, Risks & Opportunities
ISO 45001 Clause 6 – Planning: Hazards, Risks & Opportunities
Last Updated on December 24, 2025 by Melissa Lazaro
Understanding ISO 45001 Clause 6 Planning Requirements
Here’s what I’ve noticed over the years:
Most ISO 45001 systems don’t fail because people ignore safety. They fail because planning is weak.
Clause 6 is where good intentions either turn into effective controls—or stay as paperwork.
This is the clause clients struggle with the most.
They ask:
- What’s the difference between hazards and risks?
- How detailed does a risk assessment really need to be?
- What are “opportunities” in an OH&S system?
Clause 6 answers all of that, but only if you apply it practically.
In this section, I’ll break down Clause 6 in plain language and show you how auditors expect planning to work in real life—not in theory.
ISO 45001 Clause 6.1 – Actions to Address Risks & Opportunities
Clause 6.1 sets the direction for OH&S planning.
At its core, it asks one question:
What could go wrong, what could improve, and what are you going to do about it?
Risks aren’t just accidents waiting to happen.
They include anything that could prevent your OH&S system from working effectively.
Opportunities, on the other hand, are chances to improve safety performance—not business opportunities.
Clause 6.1 requires you to plan actions that:
- Reduce OH&S risks
- Prevent undesired effects
- Achieve continual improvement
Pro tip:
If your risks and opportunities don’t influence actions, auditors will question the whole process.
Common mistake:
Treating risks and opportunities as a checklist exercise. Generic entries with no follow-up rarely survive audit scrutiny.
In my experience, strong planning is visible because it drives decisions—not because it fills templates.
ISO 45001 Clause 6.1.1 – Hazard Identification Process
This is where planning becomes very real.
ISO 45001 expects you to identify hazards related to:
- Routine and non-routine activities
- Emergency situations
- Human factors
- Infrastructure, equipment, and materials
- Changes in processes or organization
Hazard identification should reflect how work is actually done—not how procedures say it’s done.
Pro tip:
Workers are your best source of hazard information. If they aren’t involved, hazards get missed.
Common mistake:
Using copied hazard lists that don’t reflect site conditions. Auditors usually spot this within minutes of a site tour.
I’ve seen audits go well simply because the hazard register matched what was happening on the floor. That consistency builds confidence fast.
ISO 45001 Clause 6.1.2 – OH&S Risk Assessment & Opportunities
Once hazards are identified, risk assessment determines priorities.
Risk assessment means evaluating:
- Likelihood of harm
- Severity of consequences
- Existing controls
It doesn’t require complex math.
It requires consistency and logic.
Opportunities at this stage might include:
- Safer equipment
- Improved training
- Better supervision
- Process redesign
Pro tip:
Simple risk scoring is usually more defensible than complicated matrices nobody understands.
Common mistake:
Over-engineering risk assessments. When people don’t understand the system, they stop using it.
Auditors often test risk assessments by asking workers about controls. If answers don’t match documents, planning credibility drops quickly.
ISO 45001 Clause 6.1.3 – Legal Requirements & Other Requirements
Clause 6.1.3 connects planning to compliance.
You’re expected to:
- Identify applicable OH&S laws and regulations
- Identify other requirements (contracts, codes, internal rules)
- Consider these requirements when planning controls
The key isn’t having a legal register.
It’s using it.
Pro tip:
Link legal requirements directly to hazards and controls. That makes compliance easier to demonstrate.
Common mistake:
Maintaining a legal register that never influences operations. Auditors often ask how legal requirements affect daily work.
In real audits, compliance gaps often appear where legal requirements weren’t considered during risk planning.
ISO 45001 Clause 6.1.4 – Planning Actions to Control Risks & Opportunities
This clause is about turning planning into action.
Controls must be selected using the hierarchy of controls:
- Elimination
- Substitution
- Engineering controls
- Administrative controls
- PPE
The higher up the hierarchy, the better.
Actions must be:
- Proportionate to risk
- Integrated into operations
- Assigned and tracked
Pro tip:
Auditors don’t expect zero risk. They expect logical, well-implemented controls.
Common mistake:
Listing controls without evidence they’re actually in place. Documentation alone doesn’t prove effectiveness.
In strong systems, controls are obvious on site. You don’t need to explain them—they’re visible.
ISO 45001 Clause 6.2 – OH&S Objectives & Planning to Achieve Them
Clause 6.2 ensures planning doesn’t stop at risk registers.
OH&S objectives must:
- Be measurable where possible
- Align with risks and opportunities
- Include actions, responsibilities, and timelines
Objectives should drive improvement—not just satisfy auditors.
Pro tip:
Good objectives focus on risk reduction, not just activity completion.
Common mistake:
Objectives like “conduct training” or “do inspections” with no link to risk outcomes.
Auditors often ask why objectives were chosen. If they aren’t clearly linked to planning inputs, findings become likely.
Linking Clause 6 Planning to Operational Control & Performance
Clause 6 only works if it feeds into daily operations.
That means:
- Risk assessments influence procedures
- Controls are reflected in work practices
- Objectives drive monitoring and improvement
Planning must also be reviewed when changes occur—new equipment, incidents, or organizational shifts.
Pro tip:
Near misses are planning gold. Use them to update hazards and risks.
Common mistake:
Treating planning as an annual exercise. Static planning quickly becomes irrelevant.
In effective systems, planning evolves with the organization. Auditors can see that immediately.
FAQs – ISO 45001 Clause 6 Hazards, Risks & Opportunities
Is hazard identification the same as risk assessment?
No. Hazard identification finds what could cause harm. Risk assessment evaluates how serious that harm could be and how likely it is.
How detailed does an ISO 45001 risk assessment need to be?
It depends on risk level and complexity. Higher risk activities need more detail. Simpler tasks need simpler assessments.
Can poor planning lead to major nonconformities?
Yes. I’ve seen major findings raised when risks were clearly known but not properly planned or controlled.
Conclusion – Planning OH&S Risks the Right Way Under ISO 45001
Clause 6 is the engine of your OH&S management system.
When planning is practical:
- Hazards are identified early
- Controls make sense
- Objectives drive improvement
- Audits feel structured and fair
When planning is weak, problems surface later—usually after incidents or during audits.
If there’s one thing to remember, it’s this:
Good planning isn’t about predicting everything. It’s about being prepared for what matters most.
Next step:
Review your hazard identification and risk assessments. Ask whether they genuinely influence controls and objectives. If they don’t, that’s where improvement starts.
Melissa Lavaro is a seasoned ISO consultant and an enthusiastic advocate for quality management standards. With a rich experience in conducting audits and providing consultancy services, Melissa specializes in helping organizations implement and adapt to ISO standards. Her passion for quality management is evident in her hands-on approach and deep understanding of the regulatory frameworks. Melissa’s expertise and energetic commitment make her a sought-after consultant, dedicated to elevating organizational compliance and performance through practical, insightful guidance.
Related Posts
