
Identifying Occupational Health And Safety (OHS) Hazards and Managing Risks

How do workplace accidents or illnesses affect your company? If an employee gets hurt or falls sick, what kind of chaos does it bring? Does it slow down your output? How does it influence the rest of your team, whether through extra tasks or effects on their mental state and overall wellness?

Your employees are the backbone of your company. That is why handling workplace safety and wellness properly is key to thriving. If you don’t address dangers to their physical and mental health, it can weaken your business’s goals, limit its growth, and threaten its staying power. This makes it vital to recognize risks, create plans to lower them, and foster an environment that keeps your team safe and supported.

Implementing a robust Occupational Health and Safety Management System (ISO 45001) is a proven way to prevent accidents and ill health, and protect your organization’s long-term viability through its most valuable asset – its people.

What is an OHS Hazard?

An OHS hazard is anything that could hurt someone at work. It is not the injury itself, but the thing that could cause it. Think of a wet floor in a kitchen, a noisy machine in a factory, or even stress from tight deadlines. Hazards are everywhere and spotting them is the first step to keeping people safe.

Types of hazards

Physical Hazards: Things you can see or touch that might cause harm. Example: A delivery worker trips over boxes left in a walkway, twisting an ankle.
Chemical Hazards: Dangerous substances that can make people sick. Example: A cleaner breathes in strong bleach fumes without proper ventilation.
Biological Hazards: Germs or living things that spread illness. Example: A nurse catches a virus from a patient because gloves were not available.
Ergonomic Hazards: Problems from how people work with their bodies. Example: A typist gets back pain from using a bad chair and keyboard setup for hours.
Psychological Hazards: Stress or mental strain from work. Example: A call centre worker feels overwhelmed by constant angry customers and no breaks.

Ignoring hazards is not cheap. When someone gets hurt or sick because of work, it hits your business hard. There is the obvious stuff: medical bills, lost workdays, or replacing broken equipment.

For example, if a construction worker falls off a shaky ladder, you are paying for their recovery and maybe a new ladder. But it goes deeper—productivity drops when people are out, morale sinks if workers feel unsafe, and you could face fines or lawsuits. The real cost? It is not just money—it is people.

How to Reduce OHS Risks

Spot the Hazards: Walk around your workplace and look for trouble spots. Ask your team what worries them. That wet floor? Someone is bound to slip if it is not mopped up.
Plan Ahead: Decide what is most dangerous and fix it first. For example, put up a “Wet Floor” sign or repair that leaky pipe before someone falls.
Use the Right Tools: Give workers what they need to stay safe. A factory worker handling chemicals should have gloves and a mask—no excuses.
Train Everyone: Show your team how to avoid trouble. Teach a warehouse worker how to lift heavy boxes without hurting their back.
Check Regularly: Keep an eye on things. If that noisy machine gets louder, fix it before it damages someone’s hearing.

How Your Business Will Benefit

Managing hazards is not just about avoiding trouble—it makes your business better. When workers feel safe, they are happier and stick around longer. That means less time hiring and training new people. Productivity goes up because no one’s out injured—a delivery company cut delays by 20% after fixing slippery truck ramps. Plus, customers and partners notice when you care about safety. It builds trust. And if regulators come knocking, you are covered—no fines, no stress.

How to Identify Information Security Risks in ISO 27001:2022

What is an information security risk?

Information security risk is the potential for a threat to exploit vulnerabilities in an information asset, thereby causing harm to the organization. A risk can also be described as the potential for an information security event to impact the confidentiality, integrity and availability of information, thereby affecting the organization’s objectives.

What the standard states about risk identification

Clause 6.1.1 of ISO 27001:2022 states that an organization shall determine risks and opportunities that need to be addressed to prevent or reduce undesired effects. This ensures that the organization can effectively plan actions to address the identified risks and integrate these actions into the information security management system.

These risks should be derived from the internal and external issues that can affect the information security management system. Furthermore, organizations should identify risks cognizant of the needs and expectations of interested parties.

The process of risk identification

The Assets, Threats and Vulnerabilities (ATV) methodology is a popular approach to identifying risks.

It involves systematically listing the organization’s assets, identifying potential threats and then uncovering any vulnerabilities that these threats could exploit.

Additionally, this approach ensures that an organization identifies the risks that are specific to its assets and not generic or industry-wide threats.

1. Identification of Assets

An asset is anything that has value to the organization and which, therefore, requires protection. Assets encompass hardware, software, information assets, people assets and intangible assets like brand reputation.

2. Identification of Threats

A threat is something that can exploit a vulnerability in an asset. It is important to note that for a threat to materialize, a vulnerability must exist.
Examples of threats are:

Physical threats: Fire, floods and natural disasters
Human threats: Theft and insider threat
Technical threats: Malware, phishing

3. Identification of Vulnerabilities

A vulnerability is a weakness in an information system, security procedures, internal controls, or implementation that could be exploited by a threat to cause harm. Therefore, risk isn’t automatically caused by a vulnerability; a threat must also exist to take advantage of the vulnerability. Examples of vulnerabilities are:

Physical vulnerabilities: Lack of surveillance, lack of secure entry systems
Human vulnerabilities: Weak passwords, insufficient security awareness
Software vulnerabilities: Outdated software, weak encryption

4. Identification of Consequences

The consequences that losses of confidentiality, integrity and availability may have on the assets should be identified.

Using the information above, a comprehensive risk identification can be conducted. This is shown in the table below.

| Asset | Threat | Vulnerability | Consequences |
| --- | --- | --- | --- |
| Data Center | Power Outage | Lack of backup power generators | Loss of data, downtime, financial loss and damage to reputation |
| Employee Laptops | Theft | Inadequate physical security measures | Data exposure and operational inefficiency |
| Financial records | Insider threat | Lack of segregation of duties | Financial fraud and loss of financial integrity |

From this table, a clearer definition of risk can be uncovered: a risk is potential harm (consequence) to an asset if a threat exploits a vulnerability. Here are the three risks that we can derive from the table:

- The risk that the data center loses electricity, potentially causing all systems to shut down or data to be lost.
- The risk that a thief steals laptops, thereby compromising the data stored on them if not properly secured.
- The risk that someone within the organization (an insider) could misuse access to financial records for fraud or theft.
Conclusion

Risk identification is a cornerstone of risk management as it sets the stage for subsequent steps in this process. It demands proactiveness to adapt to new threats, vulnerabilities and technological advancements that may disrupt the organization’s information security posture.

Organizations should invest in thorough, accurate, and ongoing risk identification to safeguard their information assets, ensure business continuity, and maintain a competitive edge in an increasingly threat-laden digital landscape.
