Safety Management System Risk Management ISO 45001 Compliance

How to Build a Safety Management System (Step by Step)

RiskSight Team

A safety management system isn’t a folder of policies collecting dust on a shared drive. It’s the operating system for how your organisation identifies, manages, and monitors risk. When it works, people go home safe. When it doesn’t, you find out the hard way.

The problem is that most safety management systems are built backwards. They start with documentation instead of understanding. Organisations buy a template, fill in the blanks, and wonder why nothing changes on the ground. The paperwork says risks are managed. The reality says otherwise.

This guide walks through how to build a safety management system that actually works, step by step. Whether you’re starting from scratch or rebuilding something that’s lost its way, the approach is the same: start with your risks, build systems around them, and create feedback loops that tell you when things are drifting.

What Is a Safety Management System?

A safety management system (SMS) is a structured framework for managing workplace health and safety risks. It includes the policies, procedures, processes, and tools an organisation uses to identify hazards, assess risks, implement controls, and monitor performance.

The key word is “system.” Individual risk assessments, incident reports, and safety procedures are components. A safety management system ties them all together into something coherent, where each piece connects to the others and nothing falls through the cracks.

Most modern safety management systems align with one of two standards:

  • ISO 45001 — the international standard for occupational health and safety management systems
  • AS/NZS 4801 (now largely superseded by ISO 45001) — the Australian and New Zealand standard

Both follow a Plan-Do-Check-Act (PDCA) cycle. Both require leadership commitment, worker participation, hazard identification, risk assessment, control implementation, monitoring, and continual improvement. The specific clauses differ, but the logic is the same.

If you operate in mining, you’ll also need to meet requirements from your state regulator (like the Resources Safety & Health Queensland or the NSW Resources Regulator), which often mandate specific SMS elements like principal hazard management plans and critical control management.

Why Most Safety Management Systems Fail

Before building anything, it’s worth understanding why so many existing systems don’t work. The failure modes are predictable:

1. Too much documentation, not enough action. The SMS becomes a library of procedures nobody reads. Thousands of pages that satisfy an auditor but don’t change behaviour. If your frontline workers can’t describe how the SMS affects their daily work, you have a documentation system, not a safety management system.

2. Disconnected components. The risk register lives in one spreadsheet. Incident reports live in another. Training records are in a third system. Corrective actions sit in someone’s email. Nothing links together, so nobody can see the full picture. This is the spreadsheet risk register problem at organisational scale.

3. No feedback loops. Risks are assessed once and never revisited. Controls are recorded as “in place” with no mechanism to check if they’re actually working. The system captures a point-in-time snapshot and then goes stale. By the time someone notices, conditions have changed and the risk profile is wrong.

4. Leadership treats it as a compliance exercise. If the executive team sees the SMS as something the safety department does for the regulator, it’s already failing. A safety management system only works when operational decisions, resource allocation, and accountability flow from the top.

5. Workers aren’t involved. The people closest to the hazards have the best information about what’s actually happening. If your SMS was designed in a boardroom without input from the people doing the work, it will miss things. Important things.

Step 1: Define Your Scope and Context

Every safety management system starts with understanding your organisation and its operating environment. This isn’t just an ISO 45001 formality. It’s the foundation everything else is built on.

Ask these questions:

  • What activities do you perform? Mining, construction, manufacturing, maintenance, transport? Each has different hazard profiles.
  • Where do you operate? Single site or multiple? Remote locations? Different jurisdictions with different regulations?
  • Who are your workers? Direct employees, contractors, subcontractors, visitors? Each group has different risk exposures and different levels of control.
  • What legislation applies? WHS Acts, mining regulations, major hazard facility requirements, environmental regulations?
  • Who are your stakeholders? Regulators, insurers, clients, communities, unions?

Document this clearly. It defines the boundaries of your SMS: what’s in scope, what’s out, and what external factors you need to account for.

This is also where you establish your organisation’s risk appetite. Not every risk gets treated the same way. Your leadership team needs to define what level of risk is acceptable, what requires escalation, and what’s intolerable. Without this, every risk assessment becomes a subjective guessing game.

Step 2: Secure Leadership Commitment

This isn’t a checkbox. It’s the single biggest predictor of whether your SMS will succeed or fail.

Leadership commitment means:

  • Resources. Budget for tools, training, and people. A safety management system run on goodwill and overtime doesn’t survive.
  • Accountability. Leaders own the SMS outcomes, not just the safety manager. Operational leaders are accountable for the risks in their area.
  • Visibility. Leaders participate in safety activities: risk reviews, incident investigations, site walks. Not as observers. As participants.
  • Decision-making. When a safety risk conflicts with production pressure, how does leadership respond? That’s where commitment is tested.

Put this in writing. A safety policy signed by the CEO that commits the organisation to specific principles: eliminating hazards where practicable, consulting workers, complying with legislation, and continually improving. Then back it up with actions.

Step 3: Identify Your Hazards

You can’t manage risks you haven’t identified. Hazard identification is the engine of your SMS, and it needs to run continuously, not just during annual reviews.

Use multiple inputs:

  • Structured risk assessments. Methods like HAZOP, FMEA, SWIFT, and WRAC give you systematic ways to identify hazards. Different methods suit different situations. HAZOP works well for process-based operations. WRAC is common in mining. SWIFT is useful for simpler operations or early-stage projects.
  • Incident and near-miss data. Every incident tells you something about your hazard profile. Near misses are even more valuable because they reveal hazards before someone gets hurt.
  • Workplace inspections. Regular, structured inspections by people who know what to look for.
  • Worker consultation. Toolbox talks, safety committees, hazard reporting systems. Your frontline workers see things that risk assessments miss.
  • Industry data. Regulator reports, industry benchmarking, published incident investigations from similar operations.
  • Change management. Any change to equipment, processes, people, or environment can introduce new hazards. Your SMS needs a trigger that kicks off hazard identification whenever something changes.

The output is a comprehensive hazard register that feeds into your risk assessment process. Don’t try to get this perfect on day one. Start with the major hazards and build from there. The system should capture new hazards continuously as they’re identified.

Step 4: Assess Your Risks

Once you’ve identified hazards, you need to understand how significant they are. Risk assessment translates hazards into a prioritised list that tells you where to focus.

The fundamental question is: for each hazard, what’s the likelihood of something going wrong, and what’s the consequence if it does?

There are several approaches:

  • Qualitative risk assessment using a risk matrix — fast, widely understood, good for initial screening. But watch out for the known limitations of risk matrices (anchoring bias, ambiguous categories, false precision).
  • Semi-quantitative methods that assign numerical values to likelihood and consequence, giving you a risk score you can rank and compare.
  • Bowtie analysis that maps the causes (threats) and consequences of a hazard event, with preventive and mitigating controls as barriers. Bowtie analysis is particularly powerful because it shows the relationship between risks and controls visually, making gaps obvious.

The best approach uses multiple methods. A risk matrix for initial screening. Bowtie analysis for your critical risks. Detailed quantitative assessment where the stakes are highest.

Whatever method you use, document your assessments in a risk register that follows ISO 31000 principles. Each risk should have a clear description, an assessment of inherent risk (before controls), the controls that are in place, and an assessment of residual risk (after controls).

Step 5: Implement Controls Using the Hierarchy

For every risk that exceeds your organisation’s tolerance, you need controls. And not just any controls. The right controls, applied in the right order.

The hierarchy of controls is your guide:

  1. Elimination — Can you remove the hazard entirely?
  2. Substitution — Can you replace it with something less hazardous?
  3. Engineering controls — Can you physically isolate people from the hazard?
  4. Administrative controls — Can you change work practices, procedures, or training?
  5. PPE — As a last resort, can you protect the individual?

Always start at the top and work down. Most organisations over-rely on administrative controls and PPE because they’re cheaper and easier to implement. But they’re also the least reliable. A procedure only works if people follow it. PPE only works if people wear it correctly.

For your critical risks, you should have multiple layers of controls across different levels of the hierarchy. This defence-in-depth approach means that if one control fails, others are still in place.

Each control needs:

  • An owner — someone accountable for making sure it works
  • A verification method — how you’ll check that the control is effective
  • A review schedule — when you’ll reassess whether the control is still adequate
  • Documentation — what the control is, why it was chosen, and what it’s managing

Step 6: Build Your Incident Investigation Process

Things will go wrong. People will get hurt, near misses will happen, and equipment will fail. Your SMS needs a robust process for investigating these events and feeding the lessons back into your risk management.

Good incident investigation methods include:

  • ICAM (Incident Cause Analysis Method) — widely used in Australian mining and heavy industry. Examines individual actions, task/environmental conditions, and organisational factors.
  • 5 Whys — simple but effective for less complex incidents. Keep asking “why” until you reach root causes.
  • TapRooT — a structured investigation system with a comprehensive root cause tree.
  • Bowtie analysis — use your existing bowties to map where barriers failed and why.

The critical thing is that investigations don’t stop at “human error.” They dig into the organisational and systemic factors that made the error possible. A worker didn’t follow a procedure? Why not? Was the procedure unclear? Were they under time pressure? Were they trained? Was the procedure even practicable?

Investigation findings must flow back into your hazard identification and risk assessment process. If an incident reveals a hazard you hadn’t identified, add it. If it shows a control isn’t working, fix it. If it reveals an organisational factor (like production pressure overriding safety), escalate it.

Step 7: Establish Monitoring and Measurement

A safety management system without monitoring is a snapshot that’s already out of date. You need both leading and lagging indicators to understand how your system is performing.

Lagging indicators tell you what happened:

  • Lost time injury frequency rate (LTIFR)
  • Total recordable injury frequency rate (TRIFR)
  • Number of incidents and near misses
  • Workers’ compensation claims

Leading indicators tell you what’s about to happen:

  • Percentage of scheduled inspections completed
  • Percentage of corrective actions closed on time
  • Training completion rates
  • Critical control verification results
  • Management safety activity participation
  • Hazard reports submitted per month

Leading indicators are more valuable because they let you intervene before something goes wrong. But they’re also harder to define and track.

For your critical risks, you need specific monitoring of control effectiveness. This is where many safety management systems fall apart. They record that a control exists, but they don’t systematically check whether it’s working. A guard rail is an engineering control. But if it’s corroded and hasn’t been inspected in two years, it’s not a reliable control anymore.

Set up scheduled reviews for your highest risks. Check that controls are in place, functioning, and adequate for the current conditions. When controls degrade, your system should flag it and trigger action.

Step 8: Create a Management Review Process

At least once a year (more often for high-risk operations), your leadership team should formally review the safety management system. This isn’t a rubber-stamp meeting. It’s where strategic decisions about safety resourcing and direction get made.

The management review should cover:

  • Performance data. How are your leading and lagging indicators trending?
  • Incident and investigation findings. What are the systemic lessons?
  • Audit results. What did internal and external audits find?
  • Risk profile changes. Have new risks emerged? Have existing risks changed?
  • Resource adequacy. Does the SMS have the people, tools, and budget it needs?
  • Opportunities for improvement. What’s working well that you should do more of? What’s not working that needs to change?

The output is a set of decisions and actions. Assign them to people, set deadlines, and track them. If management reviews produce a nice set of minutes that nobody acts on, they’re worthless.

Step 9: Drive Continual Improvement

An SMS isn’t a project with an end date. It’s a living system that should get better over time. The PDCA cycle is the mechanism:

  • Plan — identify what needs to improve, set objectives
  • Do — implement the changes
  • Check — monitor whether the changes worked
  • Act — standardise what works, adjust what doesn’t

Continual improvement happens at every level:

  • Operational level: corrective actions from incidents and inspections make specific processes safer
  • System level: management reviews and audits identify weaknesses in the SMS itself
  • Strategic level: changing industry standards, new technology, and evolving risk profiles drive fundamental changes

Set specific, measurable safety objectives each year. Not just “reduce injuries” (which is vague), but “reduce LTIFR from 4.2 to 3.0 by implementing critical control verification for our top 10 risks” (which is specific and actionable).

Common Mistakes to Avoid

Buying a template and calling it done. A template gives you structure. It doesn’t give you a safety management system. You still need to fill it with your actual hazards, your actual controls, and your actual monitoring data.

Treating the SMS as the safety department’s job. Safety is an operational function. The safety team provides expertise and governance. Line managers own the risks in their area. Workers participate in hazard identification and control implementation. Everyone has a role.

Ignoring contractor risk. If contractors perform work on your sites, their risks are your risks. Your SMS needs to cover how you select, manage, and monitor contractors.

Over-engineering the system. Start simple and build complexity where it’s needed. A 500-page SMS manual that nobody reads is worse than a 50-page one that everyone follows. Focus on your critical risks first and expand from there.

Not investing in tools. Trying to run a safety management system in spreadsheets and shared drives is a recipe for the exact problems this guide describes: disconnected data, no visibility, no feedback loops. At some point, you need purpose-built software.

How RiskSight Supports Your Safety Management System

Building a safety management system is one thing. Keeping it alive is another. That’s where the right tooling makes the difference.

RiskSight is built specifically for operational risk management in mining, construction, and heavy industry. It gives you:

  • ISO 31000-aligned risk registers that link hazards to controls, with owners, review dates, and effectiveness tracking
  • Bowtie analysis that visually maps your critical risks, threats, consequences, and barrier controls in one place
  • Structured risk assessments using HAZOP, FMEA, SWIFT, WRAC, and other methodologies with guided wizards that walk your team through the process
  • Control effectiveness monitoring with degradation alerts that tell you when a barrier is weakening before it fails
  • Incident investigation workflows that feed findings back into your risk register automatically
  • Dashboards and reports that give leadership the visibility they need without manual data wrangling

Instead of managing your SMS across disconnected spreadsheets, email threads, and shared drives, you get a single system where everything connects. A hazard links to a risk, which links to controls, which link to verification activities, which link to incidents. Full traceability, full visibility.

Start Building Your SMS the Right Way

A safety management system doesn’t have to be complicated. But it does have to be connected. Every component, from hazard identification to incident investigation to management review, needs to feed into the others. That’s what makes it a system instead of a collection of documents.

Start with your risks. Build controls around them. Monitor whether those controls work. Learn from what goes wrong. Improve continuously. That’s the cycle.

Start a free 30-day trial of RiskSight — no credit card required, demo data included — and see how purpose-built risk management software helps you build and maintain a safety management system that actually works. From risk registers to bowtie analysis to control monitoring, everything your SMS needs in one place.

Ready to modernise your risk management?

Start your 30-day free trial. No credit card required.

Start free trial