5. Health and safety management systems – Act

Audit and review

Organisations need to monitor their performance to assess how well they are controlling risks. A low accident rate is not necessarily a sign that all risks are being managed, and so measures of performance need to be more wide ranging.


Audit is a formalised method of investigating a system’s performance. According to HSG65, it is “the structured process of collecting independent information on the efficiency, effectiveness and reliability of the total health and safety management system and drawing up plans for corrective action.”

There are two main types of audit. A ‘systems audit’ checks that necessary systems are in place, comply with legislation, guidance and good practice and are generally appropriate for the level of risk. A ‘compliance audit’ checks that the systems are being used and result in appropriate workplace precautions.

An audit cannot look at every element of a system, and so sampling is important. Some elements need to be checked more often than others, and it is bad practice simply to do the same audit every time. A useful concept is the idea of ‘vertical’ and ‘horizontal’ audits. A vertical audit takes a subject and sees how it fits into all elements of the health and safety management system from top to bottom (i.e. how it is covered by policy, organisation, arrangements, measurement, audit and review), whilst a horizontal audit selects one part of the system and considers how different items are addressed.

Any auditor should be able to act independently, so it is not normal for someone to audit their own system or compliance. However, internal audits can be carried out, typically by people from a different department from that being audited. These audits can be particularly useful for sharing best practice and learning throughout an organisation, and the auditors usually have the benefit of knowing the systems very well, including known weaknesses (i.e. they know where to look for problems).

To ensure an audit system remains relevant it is usually necessary to carry out some degree of external auditing. This is a requirement for achieving defined standards (e.g. OHSAS 18001), and has the advantage of the auditors being fully independent. However, there is the obvious cost of external audits and the possibility that the auditor does not understand the industry and its risks, or the organisation’s systems.

Auditing is not always as successful as it should be, and there have been some high-profile examples of companies having major incidents shortly after apparently successful audits. Part of the problem is that organisations get to know what they are going to be audited on, and make changes to do well in the audit. This can be at the expense of other items that are more critical but not covered by the audit. For this reason it is essential that all auditors use their schedule as a guide, whilst taking every opportunity to fully explore all aspects of the system that they feel may be critical.

Driving improvement

Of course it is no good collecting information if nothing is done with it to correct deficiencies. Organisations need to review the information they have from all sources and act on it.

Setting targets

As with most things in life, setting health and safety performance targets can help improve performance by giving people something tangible to aim for and because they show that the organisation is serious about the issue. However, setting targets can be fraught with problems. The obvious outcome we want from health and safety is that no one is harmed at work, but given that hazards always exist, risk management can only reduce the likelihood rather than eliminate it altogether. But setting what may be considered a more realistic target (i.e. something above zero) can give the impression that accidents are acceptable or that the organisation is willing to compromise on safety.

It is possible to set reactive targets (e.g. accident, incident and ill health rates; claims, enforcement and complaints) but their use may be limited. It is probably much better to set targets for positive outcomes. Examples may be:

  • Completing inspections and audits as per schedule;
  • Implementing recommendations within a specified time scale;
  • People completing training;
  • People achieving competency standards;
  • Achieving a recognised standard (OHSAS 18001, trade association award).
