Management Systems: Doin’ the Do
Posted by Mike Stevens – Client Service Director
I think the most confusing thing about ISO management standards is where to start. To many people, H&S is something they were already doing, and doing with a reasonable degree of competence well before 45001, 18001 or BS 8800 came along. It might make sense to start with a Plan, but what about the existing day to day operations? Do you factor them in or plan to do things differently? They must have some influence on the success or otherwise of the plans you make. Shouldn’t the plans be initiated by some sort of management review first? And surely a great many organisations are already measuring performance and so that should be what’s really informing the planning stage. So where really DO you start? I think the problem lies in the fact that the standard is linear, but the thing it is describing is circular. Any child will tell you, you can start drawing a circle from any position. And ISO 45001 has several circular references.
If you read the previous newsletter you’ll know we started looking at the plan stage and starting there seemed logical. We explored the idea that the Plan:Do:Check:Act cycle of ISO 45001:2018 is applicable to a business/tax year (and many businesses will have started a new one). But a plan developed from that perspective is entirely aspirational in nature and it needs grounding.
All management standards post Annex SL have 10 Clauses and arguably the first seven clauses are preparation for Clause 8 because that’s the operational bit and the planning bit is over. Some quite prominent consultancies and management system training providers would confidently start their discussion of the DO phase with Clause 8. But you will quickly note that Clause 8 is about controlling the risks you’ve already identified.
The standard has a diagram suggesting Clause 7 is part of DOING. Clause 7 requires things like getting together resources and establishing competence that are preparatory in nature. Maybe they should be part of planning? A golden rule of management is that if someone comes to you with a plan you don’t like, it is most easily dismissed with the words “yes, but you haven’t said how we are going to pay for it”. In other words getting resources together is something that you do before plans are implemented.
Clause 7 is entitled “Support” and lays out five specific requirements for supporting an existing management system:
Resources, Competence, Awareness, Communication and Documented Information
The devil is in the detail. In order to meet the requirement of the standard that “Workers shall be made aware of hazards and risks” for instance, you need to have first assessed those risks. That’s Clause 6. In fact, it’s Clause 6.1. It comes before Planning in the standard. Planning is 6.2. Annoying right?
For this reason I think our discussion of the Plan phase is clearly not over, just because you’ve set the objectives and targets. Those plans, policies, targets and objectives are necessarily informed by the risks that are present in the organisation. We need to do some risk assessment.
The standard says in 6.1.4 “The organization should ensure specific plans are in place for the elimination of hazards and reduction of OH&S risks”. This is often taken to imply that an exhaustive register of all the hazards in the organisation has been compiled. Dwight D. Eisenhower said: “In preparing for battle I have always found that plans are useless, but planning is indispensable.” It’s the discipline and the exercise of thinking about risk and opportunity – rather than the comprehensive document with the word PLAN written on the front – that actually matters at this stage. The reason is that, as we’ve already said, day-to-day H&S management of some kind is already going on. There’s a good chance you already have some good risk assessments; perhaps even ones you’d be comfortable rolling out if you were ever asked by an enforcement authority to see them. No, this is about “Focussing on Major Risks”, at a high level; a broad brush painting of your organisation in profile, highlighting the obvious bits that stick out, the ones that you could catch yourself on.
The HSE definition of a risk assessment is:
simply a careful examination of what, in the workplace, could cause harm to people, so that a decision can be made as to whether the precautions taken are satisfactory or whether more should be done to prevent harm
There is something subtle, I think, that has been missed in the general appreciation of the requirement to carry out risk assessments, and it’s there too in Regulation 3 of the MHSWR 99. It says:
Every employer shall make a suitable and sufficient assessment of…the risks to the health and safety of his employees to which they are exposed whilst they are at work.
The funny thing about this is the tense. The “risks to which they are exposed” are the current risks. The assessment comes after the risks, not before them. But if someone is already undertaking the task, what makes us think – until we carry out this paper exercise required by legislation – that no risk assessment has taken place? It almost certainly has. It’s the quality of it that is at issue, not that act.
In the HSE definition the “examination” is that which is predictive of future consequences. The risk is already being taken, and the precautions are already being taken, and we are only now evaluating them. In both cases, someone has made a decision to carry out the work, and it isn’t always the case that they are ignorant of the risk. In fact, if they have been doing the job for any length of time, they may well be, and most probably are, more familiar with it than anyone. Our job is essentially to capture the risks already being taken, examine them, and improve upon them. To change existing risk calculations for the better. Thus the concept of improvement is embedded in health and safety in general and in risk assessment. Good risk assessment is refinement, maybe even a craft. The concept of Compliance, such as it is, is really a distraction.
And changing existing risk calculations for the better absolutely entails two-way communication, up and down the organisation. Risk assessments prepared without the involvement of the people taking the risk are potentially useless. Strategising about avoiding risk without meeting the people who manage it for you is almost reckless.
IOSH and the Institute of Directors have collaborated in putting together a package of training called Leading Safely. It’s aimed at board level involvement in H&S. The surprising thing about the course (and this is often reflected in feedback from participants) is that it doesn’t include very much about how “Directors can be personally liable”. It doesn’t focus on personal risks. No one is put in the metaphorical dock and given the shock treatment. There are no looming “Inspector Calls” style cautionary tales of whopping great fines or time spent by beleaguered CEOs incarcerated at Her Majesty’s pleasure. If you want that sort of thing, there are other places to get it. In IOSH LS, there’s a distinct lack of stick and a lot of juicy carrots. The focus is predominantly on demonstrable leadership skills, cost-benefit, reputation, stakeholders, enabling, empowerment, employee engagement, sustainability, resilience. And discussion of risk is in a predominantly organisational and operational context; as something you manage, not something that happens to you whilst you’re busy trying to make money.
Directors are expected and required to understand risk and opportunity and apply strategies to mitigate one and enhance the other. That’s literally their job. The trick with IOSH LS is getting them to realise they need to upskill to meet the challenges of a changing workplace; that no one is born with the skills, knowledge and mind-set to steer a business through the future; that you have to be fighting fit to lead. Facilitating this course involves encouraging participants to confront some quite deeply held assumptions about health and safety and realise those beliefs were holding them back. It’s not giving the game away too much to share some of these with you in summary (they’ll be familiar to anyone who has studied some of the trends in marketed H&S such as the “Bradley Curve” or “Safety Differently”):
If you can turn your cliché alarm off and take my word for it, many of these ideas come as a profound surprise to Senior Execs. Some have even described the experience as “refreshing” (no higher praise for an H&S training course).
Focus on major risks. That’s the one that causes consternation. You can usually preface their discussion by saying something provocative like: “organisations that attain true risk-maturity have far fewer risk assessments than embryonic and compliance-led organisations”. Someone in the room will be quite proud of the 600-plus catalogue of taxonomized risk assessments and will understandably bridle. Envisage an Inspector Gadget practitioner who can flip out a finely tooled risk assessment for almost any conceivable occasion. But, honestly, at a strategic level, too much detail is actually confusing and unhelpful. You need to PRIORITISE.
In 1772 Joseph Priestley wrote to Benjamin Franklin for advice because he couldn’t decide between his calling as a clergyman and a lucrative job as a tutor to Lord Shelburne’s children. Franklin responded that he should follow his method, which he called a kind of ‘moral algebra’. It involved dividing a piece of paper in two and writing the advantages and disadvantages on either side. “He would then think carefully about each one and assign them a number based on importance”. If something on one side equalled something on the other, he would cross them both off the list. ‘Thus proceeding I find at length where the balance lies; and if, after a day or two of farther consideration, nothing new that is of importance occurs on either side, I come to a determination accordingly’. It’s the earliest example I’ve read of a list of pros and cons.
Ask yourself the following three questions and you’ll have a grasp of strategic, objective oriented risk assessment:
They might seem like funny questions to ask and insufficiently jargon-laden given the preceding information. But actually when you ask anyone to prioritise, you are asking them to rank things in order of importance and then do something about the first things first. If you’re struggling, just figure out your top 5 risks and commit to making a dent in each one.
The culmination of the IOSH LS course is a written commitment to outcome, process and performance goals for improving health and safety. At no time is it necessary to consult accurate performance data about the state of H&S within the organisation they are leading. Instinctively, leaders will grasp that there are things that matter to them. One of the commonest personal commitments they offer up is to “spend more time getting to know their people on the front line” of the high risk activities in their business.
Here’s what I’d recommend: open conversations about risk that involve people right throughout the organisation. Not tool box talks; you’re the one doing the most listening, not them. We’re going to ask the very dangerous question, “what do you need to really make a reduction in harm related to your work?” and we’re going to consider carefully how we can give them what they need. I’m putting it perhaps more bluntly than the HSE might but their guidance on management systems says that as soon as you have grasped what the risks are and prioritised them you then:
And it’s all very well to consult, of course, because it doesn’t actually commit one to doing anything about the things one has heard. But I would caution against consultation without action. One of the big reasons why the number of near misses and unsafe conditions in real life never quite matches up to the numbers in Bird’s famous triangle is because people get demoralised speaking truth to power and getting no response. They stop bothering. I can’t count the number of times in my career I’ve asked someone why they didn’t report a defect or a risk and been told, “what’s the point? No one ever does anything about it”.
Here’s a radical idea: once you’ve consulted, summarise what you’ve heard and publish it. Link the ambitions and plans you have with the risks you’ve prioritised, with what you know about the strategic and financial situation, with the people you have, and with the things you’ve heard from your colleagues about what needs fixing, and put them all together. What you’ve got now is an Action Plan. This is different from your initial Plan, because this has flesh on those bones. Studies have shown that we consider more points of view when we believe that we will need to explain our thinking to others. Your Action Plan should be plain English and everyone should be able to read it.
Your Action Plan can also consider organisation and arrangements, procedures, processes and controls, monitoring and measurements that will be needed to manage each of the risk priorities you’ve identified. If you do that, you should find that you know exactly what your management system is going to look like and you can easily identify exactly where it started.
 This anecdote comes courtesy of a brilliant book by David Robson called “The Intelligence Trap: Revolutionise your Thinking and Make Wiser Decisions”. Hodder & Stoughton.
 This sounds like a bit of jargon, I know, but think of them like this: If an outcome goal was to “Finish a marathon”, a performance goal would be “run four miles in 60 minutes” and then “run five miles in 60 minutes” and so on. Performance goals are milestones. A process goal would be to lose “two pounds in weight” and “cut out crisps and beer”. Process goals are helpful to the end result and valuable for their own sake.
 Samuelson, P.L. and Church, I.M. (2015), ‘When Cognition Turns Vicious: Heuristics and Biases in Light of Virtue Epistemology’, Philosophical Psychology, 28(8), 1095–1113.