If there is one clause in ISO 45001 that separates organizations with a genuinely effective occupational health and safety (OH&S) management system from those that are merely going through the motions, it is Clause 6.1 — Planning. In my eight-plus years consulting with over 200 organizations through ISO 45001 certification, I've seen more audit nonconformities traced back to a weak Clause 6.1 implementation than any other section of the standard. That's not a coincidence — it's a structural problem.
Clause 6.1 is where strategy meets execution. It's where you look outward at your context, inward at your capabilities, and ask: What could go wrong? What could go right? And what are we legally obligated to do? Getting this right is not just an audit requirement — it's the foundation on which every other element of your OH&S system is built.
This article is your definitive guide to understanding, implementing, and maintaining ISO 45001 Clause 6.1 in a way that actually protects workers and survives scrutiny.
What Is ISO 45001 Clause 6.1 and Why Does It Matter?
Clause 6.1, formally titled "Actions to Address Risks and Opportunities," spans four sub-clauses: 6.1.1 (General), 6.1.2 (Hazard Identification and Assessment of Risks and Opportunities), 6.1.3 (Determination of Legal Requirements and Other Requirements), and 6.1.4 (Planning Action). Together, they form the "Plan" phase of the Plan-Do-Check-Act (PDCA) cycle that underpins the entire standard.
According to the International Labour Organization (ILO), approximately 2.3 million workers die from work-related accidents and diseases every year, with an additional 374 million non-fatal injuries and illnesses annually. A properly executed Clause 6.1 process is the systematic mechanism designed to interrupt these statistics at the organizational level.
The clause draws its inputs directly from Clause 4 (Context of the Organization) and Clause 5 (Leadership), meaning that the quality of your risk and opportunity identification is only as good as the organizational understanding feeding it. Weak context analysis upstream = weak risk register downstream.
Clause 6.1.1: The General Planning Framework
Clause 6.1.1 sets the stage by requiring the organization to consider the results of its context analysis (Clause 4.1), the needs and expectations of interested parties (Clause 4.2), and the scope of its OH&S management system (Clause 4.3). The planning process must address:
- Risks and opportunities related to the OH&S management system itself (not just operational hazards)
- Hazards and OH&S risks to workers
- Legal and other requirements
- Opportunities for improvement — both in OH&S performance and in the management system
A critical distinction that many organizations miss: Clause 6.1 addresses two distinct layers of risk. The first is operational — hazards that could harm workers. The second is systemic — risks and opportunities that could affect the OH&S management system's ability to deliver its intended outcomes. Conflating these two or addressing only the operational layer is a common audit finding.
The standard requires that planned actions be:
1. Integrated into OH&S management system processes
2. Evaluated for effectiveness
This is not a "document it and forget it" requirement. Auditors will probe whether the actions identified in your risk register have actually been implemented and whether you have evidence of evaluating whether they worked.
Clause 6.1.2: Hazard Identification and Risk Assessment
This is the operational core of Clause 6.1 and typically the most documented — though not always the most rigorously executed.
What Must Your Hazard Identification Process Cover?
ISO 45001 clause 6.1.2 is unusually prescriptive about the scope of hazard identification. The process must take into account:
- Routine and non-routine activities (including maintenance, shutdowns, and emergencies)
- Human factors — ergonomics, fatigue, workload, stress
- Infrastructure, equipment, and materials
- Changes in the organization, including temporary changes
- Work organization — including remote work, lone working, and working hours
- Social factors — harassment, workplace violence, and bullying (explicitly referenced since the 2018 version)
- Hazards originating outside the workplace affecting workers
- Hazards created by persons not under the organization's control (contractors, visitors)
These last two points deserve emphasis. Your hazard identification scope must extend beyond your own employees and beyond your physical premises. An organization that only documents hazards in its own facility for its own permanent workforce has an incomplete Clause 6.1.2 process — full stop.
OH&S Risk Assessment: Methodology Matters
Once hazards are identified, the organization must assess the associated OH&S risks. The standard does not prescribe a specific methodology, but whatever methodology you choose must be:
- Documented (Clause 6.1.2 is one of the few areas where documented information is explicitly required)
- Consistent across the organization
- Reproducible — different assessors evaluating the same hazard should reach similar conclusions
- Proportionate to the nature of the hazard
Common methodologies include risk matrices (likelihood × severity), Job Hazard Analysis (JHA), Failure Mode and Effects Analysis (FMEA), and HAZOP studies. For most small-to-medium organizations, a well-constructed risk matrix is sufficient. For high-hazard industries — chemical processing, construction, mining — more rigorous quantitative approaches are expected.
Citation hook: ISO 45001 clause 6.1.2 explicitly requires hazard identification to include social factors such as harassment and workplace violence, extending the scope of OH&S risk assessment beyond traditional physical and chemical hazards.
OH&S Opportunities: The Underused Half of 6.1.2
If risks represent the downside potential, opportunities represent upside potential — and they are just as mandatory to identify under Clause 6.1.2. The standard specifically identifies opportunities to:
- Eliminate hazards or reduce OH&S risks
- Adapt work, work organization, and work environment to workers
- Replace dangerous processes, operations, materials with less dangerous ones
- Use technology to improve OH&S performance
- Improve the OH&S management system
In my consulting practice at Certify Consulting, I find that organizations spend 90% of their Clause 6.1.2 effort on risks and treat opportunities as a checkbox. That's a strategic mistake. Opportunities are where your management system generates proactive value, and auditors increasingly probe this area for evidence of genuine continual improvement thinking.
Clause 6.1.3: Legal Requirements and Other Requirements
Clause 6.1.3 requires the organization to determine and have access to the legal requirements and other requirements applicable to its hazards, OH&S risks, and OH&S management system. This is a deceptively demanding requirement.
What Counts as a "Legal Requirement"?
Legal requirements include any binding obligations imposed by legislation, regulation, or legal authority, such as:
- National occupational health and safety legislation (e.g., OSHA standards in the US, the Health and Safety at Work Act in the UK)
- Regional/state regulations
- Permits, licenses, and consents
- Regulatory orders and guidance with legal standing
- Court or tribunal judgments applicable to the organization
What Are "Other Requirements"?
Other requirements are obligations the organization has voluntarily accepted or that arise from non-legislative sources, including:
- Collective bargaining agreements
- Industry codes of practice
- Contractual requirements with customers or clients
- Requirements from corporate headquarters (for subsidiaries)
- Standards adopted by the organization (including ISO 45001 itself)
Citation hook: Under ISO 45001 clause 6.1.3, organizations must not only identify applicable legal and other requirements but maintain a process to ensure they have ongoing access to up-to-date versions — a dynamic, living obligation, not a one-time compliance review.
The Legal Register: Best Practice Structure
Maintaining a legal register (sometimes called a compliance obligations register) is the industry-standard approach to meeting Clause 6.1.3. A well-structured legal register should include, at minimum:
| Column | Description |
|---|---|
| Requirement Reference | Specific act, regulation, or standard (e.g., "29 CFR 1910.119") |
| Requirement Summary | Plain-language description of the obligation |
| Applicability Basis | Why it applies (industry, location, activity, etc.) |
| Associated Hazards/Risks | Linked hazards from the risk register |
| Compliance Status | Compliant / Partial / Non-compliant |
| Evidence of Compliance | Where evidence is held (document reference) |
| Review Frequency | How often the entry is reviewed for currency |
| Owner | Person responsible for maintaining compliance |
| Last Reviewed | Date of most recent review |
A static legal register is a liability, not an asset. Regulations change — sometimes frequently. Your Clause 6.1.3 process must include a mechanism for monitoring legal and regulatory updates. In the United States alone, OSHA issues hundreds of regulatory updates and enforcement guidance documents annually.
Clause 6.1.4: Planning Action
Clause 6.1.4 is the integrative sub-clause that brings everything together. Having identified hazards, assessed risks, identified opportunities, and determined legal requirements, the organization must now plan how to address them.
The standard requires planning to:
- Implement the hierarchy of controls (referenced in Clause 8.1.2) for OH&S risks
- Assess OH&S risks before implementing changes
- Determine how requirements will be integrated into OH&S management system processes
- Evaluate the effectiveness of actions taken
Critically, Clause 6.1.4 requires that when planning actions, the organization must consider how the actions can be integrated into its OH&S management system processes — not just added as standalone procedures. This reflects the ISO 45001 philosophy of embedding OH&S into business operations, not bolting it on as a compliance exercise.
Linking 6.1.4 to Objectives and Programs
The outputs of Clause 6.1.4 planning feed directly into Clause 6.2 (OH&S Objectives). Significant risks that cannot be fully controlled through existing measures should generate formal OH&S objectives and programs. This is the logical chain auditors follow: risk register → control gaps → objectives → programs → evidence of implementation.
Citation hook: ISO 45001 clause 6.1.4 mandates that planned actions address risks, opportunities, and legal requirements in an integrated manner, with explicit consideration of how they will be embedded into operational processes and evaluated for effectiveness.
Common Clause 6.1 Nonconformities and How to Avoid Them
Based on my work with 200+ clients achieving first-time certification, here are the most frequent Clause 6.1 nonconformities I encounter:
| Nonconformity | Root Cause | Corrective Action |
|---|---|---|
| Hazard ID limited to permanent employees on-site | Scope misunderstanding | Expand process to include contractors, visitors, remote workers, and non-routine activities |
| Risk register not updated after organizational changes | No change management trigger | Link hazard ID process to Management of Change (MOC) procedure |
| Legal register is static / outdated | No monitoring process | Subscribe to regulatory update services; assign review ownership |
| Opportunities section absent or generic | Compliance-only mindset | Conduct dedicated opportunity identification workshops; document specific opportunities |
| Actions not evaluated for effectiveness | Weak PDCA culture | Build effectiveness evaluation into corrective action closure process |
| OH&S risks assessed without worker input | Top-down implementation | Establish formal worker participation mechanisms per Clause 5.4 |
| Management system risks not separated from operational risks | Structural misunderstanding of 6.1.1 | Create two-tier risk register: operational (hazards) and systemic (management system) |
Integrating Clause 6.1 with the Rest of ISO 45001
Clause 6.1 does not operate in isolation. Its connections to other clauses are explicit and significant:
- ← Clause 4.1 / 4.2: Context and interested party needs feed the identification of risks and opportunities
- ← Clause 5.4: Worker participation must be part of hazard identification and risk assessment
- → Clause 6.2: Significant risks and opportunities drive OH&S objectives
- → Clause 7: Resource, competence, awareness, and communication needs arise from risk assessment outputs
- → Clause 8: Operational planning and control implements the hierarchy of controls identified in 6.1.2
- → Clause 9.1: Monitoring, measurement, analysis, and evaluation tracks the effectiveness of 6.1.4 actions
- → Clause 10: Nonconformities and incidents feed back into the risk assessment process
Understanding this interconnection is essential for building a management system that actually works rather than one that passes an audit and then collects dust.
Clause 6.1 Documentation Requirements
ISO 45001 requires the organization to maintain and/or retain documented information for Clause 6.1 as follows:
| Document | Type | Clause Reference |
|---|---|---|
| Hazard identification and risk assessment methodology | Maintain (procedure) | 6.1.2 |
| Hazard identification results and OH&S risk assessments | Retain (records) | 6.1.2 |
| OH&S risk register | Maintain (living document) | 6.1.2 |
| OH&S opportunities register | Maintain (living document) | 6.1.2 |
| Legal and other requirements register | Maintain (living document) | 6.1.3 |
| Actions planned to address risks, opportunities, and requirements | Retain (records) | 6.1.4 |
The standard distinguishes between maintaining documented information (keeping procedures current) and retaining it (preserving records as evidence). Both are auditable, and the absence of either type is a nonconformity.
A Practical Implementation Roadmap for Clause 6.1
For organizations building or overhauling their Clause 6.1 process, here is the sequenced approach I use at Certify Consulting:
Step 1 — Establish Scope and Context Inputs
Pull the outputs of your Clause 4.1 (context) and Clause 4.2 (interested parties) analyses. These are the raw materials for identifying what risks and opportunities are even relevant to consider.
Step 2 — Map Activities, Processes, and Worker Groups
Create a comprehensive activity inventory covering all work activities (routine and non-routine), all locations, all worker categories (employees, contractors, visitors), and all shift patterns and working conditions.
Step 3 — Conduct Structured Hazard Identification
Facilitate participatory hazard identification workshops with workers from each work area. Use structured prompts covering physical, chemical, biological, ergonomic, psychosocial, and organizational hazard categories.
Step 4 — Assess Risks and Assign Controls
Apply your selected risk methodology. Document current controls. Calculate residual risk after controls. Flag risks requiring additional action.
Step 5 — Identify OH&S Opportunities
Run a separate (or integrated) opportunity identification exercise. Look for technology upgrades, process substitutions, behavioral programs, and management system improvements.
Step 6 — Build the Legal Register
Conduct a legal mapping exercise using your activity inventory and location data. Populate the legal register and assign ownership. Subscribe to a regulatory monitoring service.
Step 7 — Develop Action Plans (Clause 6.1.4)
For all significant risks, identified opportunities, and compliance gaps, develop specific, resourced, and time-bound action plans. Link material items to OH&S objectives under Clause 6.2.
Step 8 — Integrate and Communicate
Ensure actions are embedded in operational procedures (Clause 8), communicated to relevant workers (Clause 7.4), and included in management review inputs (Clause 9.3).
Step 9 — Monitor and Review
Establish a schedule for reviewing and updating the risk register, opportunities register, and legal register. Trigger reviews on organizational changes, incidents, audit findings, and regulatory updates.
For deeper guidance on how Clause 6.1 connects to your operational controls, see our guide on ISO 45001 Clause 8: Operational Planning and Control. And for understanding how risk assessment outputs translate into measurable goals, explore our article on ISO 45001 Objectives and Programs.
How Certify Consulting Approaches Clause 6.1
At Certify Consulting, we've guided over 200 organizations through ISO 45001 certification with a 100% first-time audit pass rate — and Clause 6.1 is always where we invest the most upfront effort. The reason is simple: a robust Clause 6.1 process makes every other clause easier to implement, because it defines what needs to be controlled and why.
Our approach combines structured facilitation (to ensure worker participation under Clause 5.4), legal expertise (to ensure regulatory completeness), and systems thinking (to ensure management system risks receive the same rigor as operational hazards). If you're building, certifying, or re-energizing your ISO 45001 program, Clause 6.1 is the place to start.
Visit certify.consulting to learn more about how we support organizations at every stage of their ISO 45001 journey.
Frequently Asked Questions: ISO 45001 Clause 6.1
What is the difference between OH&S risks and management system risks in Clause 6.1?
OH&S risks (addressed in Clause 6.1.2) relate to hazards that could harm workers — physical, chemical, ergonomic, and psychosocial hazards in the workplace. Management system risks (addressed in Clause 6.1.1) relate to factors that could affect the OH&S management system's ability to achieve its intended outcomes — for example, loss of leadership commitment, inadequate resources, or organizational change. Both must be identified and addressed.
Does ISO 45001 require a specific risk assessment methodology?
No. ISO 45001 clause 6.1.2 does not prescribe a specific risk assessment methodology. The organization is free to use any methodology — risk matrix, JHA, FMEA, bow-tie analysis, etc. — provided the method is documented, consistently applied, and proportionate to the nature and complexity of the hazards involved.
How often should the legal register be reviewed?
ISO 45001 clause 6.1.3 does not specify a review frequency, but best practice is to review the legal register at least annually, with triggered reviews whenever there is a significant regulatory change, organizational change, or expansion of operations into new jurisdictions or activities. Many organizations subscribe to regulatory monitoring services to ensure timely updates.
Does Clause 6.1 require worker participation in hazard identification?
Yes — indirectly but definitively. Clause 5.4 (Worker Participation and Consultation) requires workers to be consulted on hazard identification, risk assessment, and determination of controls. Because Clause 6.1.2 outputs directly feed Clause 8 operational controls, auditors treat worker participation in hazard identification as an implicit requirement of Clause 6.1.2, not just Clause 5.4.
What happens if a significant risk is identified but cannot be fully controlled?
If a risk cannot be reduced to an acceptable level through existing controls, it should generate a formal OH&S objective under Clause 6.2, with a documented program specifying what actions will be taken, by whom, by when, and how success will be measured. This creates a traceable chain from risk identification through to controlled improvement activity.
Last updated: 2026-03-23
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.