Risk Management Maturity Model rm3 PDF

3
RM 2019
The
Risk Management
Maturity Model
Amended 2020
RM3 2019
The Risk Management
Maturity Model
First published 2011 (as the Railway Management Maturity Model)
Second edition 2017
Third edition 2019 (amended 2020)
For more information contact us at rm3@orr.gov.uk

or visit our website: orr.gov.uk
© Crown Copyright 2020

Foreword
ORR developed the Risk Management Maturity Model (RM3), in collaboration with the rail industry,
as a tool for assessing an organisation’s ability to successfully manage health and safety risks, to
help identify areas for improvement and provide a benchmark for year-on-year comparison.
RM3 has provided guidance to the industry on excellence in health and safety risk management.
Best performing organisations are those which have fully integrated health and safety practices
into their culture.
RM3 sets out criteria for key elements of a health and safety risk management system. RM3
identifies the steps to evaluate an organisation’s progress through the five levels of maturity, from
ad-hoc to excellent health and safety management capability.
It defines what excellent health and safety management looks like, including:
• Leaders inspiring confidence and commitment, safely leading their teams through periods
of change;
• Making full use of employees’ potential and actively involving them, to develop shared
values and a culture of trust, openness and empowerment and;
• The health and safety strategy is used by the organisation to challenge itself to achieve
health and safety performance which is in-line with the best-performing organisations.
ORR, through the cross-rail industry collaborative RM3 Governance Board, has continued to
develop RM3 to support wider industry achievement of excellence in health and safety risk
management.
We want to ensure that RM3 matures and continues to reflect best practice in risk management.
We have drawn on standards, including BS ISO 45001:2018 (Occupational Health and Safety
Management Systems) and our experience from the rail industry, and beyond. We have
reflected on recommendations from investigations into accidents, incidents and other failures of
management systems.
3
This edition of RM , written for and with the support of the rail industry, embraces the
developments in risk control which have taken place since we first published the model in 2011. It
reinforces the importance of organisational culture in successful health and safety management.
Users will find the additional examples of typical evidence make it easier to determine maturity
levels, but will also find that some of the criteria, particularly at higher levels of maturity, are more
stretching, compared with previous editions.
As industry health and safety capability
develops, it is right that RM3 itself
matures to support greater stretch and
improvement. We have embraced the
improvements made by the industry to
develop this new edition.
We want excellent organisations to embed
collaboration and innovation into their
systems. We see these as key enablers in
continuously improving towards excellence
in health and safety risk management, Ian Prosser
where reasonably practicable. Director of Rail Safety
Office of Rail and Road
1
Contents
Foreword 1
Introduction 4
Excellence in health and safety management systems 6

(SMS)
Health and safety policy, leadership and board governance 9
Organising for control and communication 9
Securing co-operation, competence and development of employees at all levels 9
Planning and implementing risk controls through co-ordinated management arrangements 9
Monitoring, auditing and review 9
Criteria development 10
The generic maturity descriptors 10
Collaboration 11
Using the criteria 12
The Risk Management Maturity Model (RM3) criteria 15

(see panel opposite)
Glossary 81
Annex 1 82
The role of independent confidential reporting
2
The Risk Management Maturity Model (RM3) criteria
Health and safety policy, SP1 Leadership

SP1 Leadership
leadership and SP2 Health and safety policy
board governance
SP
SP3 Board governance
SP4 Written safety management system
Organising for control OC3 Organisational structure

and communication OC4 Internal communication arrangements
OC5 System
OC5 S ystem safety and interface
OC
arrangements
OC1 Allocation of responsibilities
OC6 Organisational culture
OC2 Management and supervisory
accountability OC7 Record keeping, document control
and knowledge management
Securing co-operation, OP1 Worker involvement and internal
competence and co-operation
development of employees OP2 Competence management system
OP
at all levels
Planning and implementing risk RCS1 Safe systems of work (including safety
PI & RCS
critical work)
controls through co-ordinated RCS2 Management of assets
management arrangements RCS3 Change management (operational, process,
PI1 Risk assessment and management organisational and engineering)
PI2 Objective / target setting RCS4 Control of contractors and suppliers
PI3 Workload planning RCS5 Emergency Planning
Monitoring, audit and review MRA1 Proactive monitoring arrangements

MRA2 Audit
MRA3 Incident investigation MRA
MRA4 Management review
MRA5 Corrective action
3
Introduction
What is the purpose of the Risk Management Maturity Model (RM3)?
As the independent economic and safety regulator for Britain’s railways, the Office of Rail and
Road (ORR) has a key role in securing sustained improvement in the health, safety, efficiency
and performance of the rail industry. Our role, is to make sure that the health and safety (H&S) of
everyone associated with the rail industry is controlled. We achieve this by encouraging railway
organisations to achieve excellent H&S management, and ensuring that they identify and assess
risks properly, control them effectively, and comply with the law.
This will be enabled through the rail industry achieving excellence in:
• Culture;
• Health, safety and asset management, and;
• Risk control.
As a minimum, this includes properly identifying, assessing and controlling risks and compliance
with relevant legal provisions, including:
• The Health and Safety at Work etc. Act 1974 (HSWA 1974) and the Regulations made
under it that cover how certain risks should be controlled, including the Management of
Health and Safety at Work Regulations 1999 (MHSWR 1999);
• The relevant European law that arises from the Railway Safety Directive 2004/09,
implemented under UK law through the Railway and Other Guided Transport Systems
(Safety) Regulations 2006 (ROGS);
• EU Common Safety Method (CSM) for risk evaluation and assessment; and
• EU CSM for monitoring.
In order to achieve and sustain this excellence in H&S culture and risk control, we believe that
duty holders must have in place excellent health and safety management systems (SMS).
The RM3 provides criteria for measuring management capability against five maturity levels
across 26 criteria, which we have identified as being essential areas of a SMS. It is used by ORR,
and increasingly by duty holders, to understand the management capability of the rail industry in
a number of business critical areas.
3
Why have we revised RM ?
Our vision for RM3 2019 is that it is more easily accessible to those just starting out with RM3, as
well as pushing the boundaries of excellence for experienced users.
3
Since publishing the first edition of RM in 2011, we have gained considerable experience in
using the model to assess the organisations we regulate and holding structured and meaningful
3
discussions, to identify strengths and improvements in their SMSs. In producing RM 2019, we
have worked closely with duty holders to ensure that it has matured and adapted to embrace the
developments in risk control over the last eight years, since it was launched.
4
Who has been involved?
In 2015, we created the RM3 Governance Board, to oversee the development of the model and
supporting materials, advice and training. We have invited further members to the Governance
Board, representing duty holders and other organisations who are key to driving forward
continuous improvement in risk management. This is to ensure that the model itself continuously
improves and remains relevant and accessible to the whole of the rail industry.
3
The Governance Board members have collaborated extensively in the development of RM ,
and so the typical evidence reflected in the five maturity levels represents the vast operational
experience of its members in developing, using and assessing SMSs.
As well as ORR policy and inspector colleagues, the following organisations have been key to the
3
development of RM 2019:
• Rail Safety Standards Board (RSSB);
• Transport for London (TfL);
• Network Rail (NR);
• London North Eastern Railway (LNER);
• CrossCountry;
• Amey and;
• Rail Delivery Group (RDG)
• UK Tram;
• The Heritage Railway Association (HRA);
• National Freight Safety Group (NFSG) and;
• Institution of Occupational Safety and Health (IOSH).
What has changed in the new edition of RM3?
We have strengthened the model by recalibrating the evidence from the previous edition and
expanded the range of evidence in each of the criteria, filling in missing gaps and ensuring
evidence builds through maturity levels.
'Organisational culture' is a key enabler to successful health and safety management. In this
edition, typical evidence of actions, beliefs and behaviours held by emloyees, at all levels,
reflecting the culture of the organisation, are included for every level of maturity in all criteria. We
have retained the criterion OC6 (Organisational Culture). It is now used to capture these culture
assessments; providing a richer detail than the more limited evidence available under OC6 in the
previous edition. It is easier to determine what could be done to address organisational culture
issues in each area of the SMS, enabling progress to higher levels of maturity.
The Governance Board expect that, in updating the model, users will see that some assessments
3
of maturity determined from previous editions of RM will change. This is a positive action by the
Governance Board, to ensure that RM supports greater stretch and improvement. RM3 is not an
3
audit or compliance tool. It is a model to structure discussions about evidence and where to go
next, either internally in organisations or between inspectors and the organisations we regulate.
3
Any changes in maturity levels associated with using this new RM 2019 edition, will need to be
factored into these discussions.
5
Excellence in health and safety
management systems (SMSs)
Excellence is not a theory, it relates to an organisation and what it does and how it does it. The
results it gets and the confidence that these results will continue into the future. An excellent
organisation not only meets its legal obligations, but goes beyond these in its pursuit of
excellence.
3
RM has adopted the framework set out in the Health and Safety Executive’s (HSE) publication
‘Successful Health and Safety Management’ (HSG 65), shown in Figure 1, which is the most
widely adopted model of successful health and safety management within the UK .
3
The RM framework incorporates the key features of good practice in Health and Safety
Management System's (SMSs) and also draws in knowledge from incident reviews, from both the
safety and commercial risk areas. Examples of which include:
• The Baker Report into the Texas City explosion;
• The Haddon-Cave Nimrod Review;
• The Walker report into Governance within the UK Finance sector;
• The UK Government report into the collapse of Carillion;
• The Aircraft Accident Report 1/2017 Hawker Hunter T7 G/BXFI on 22 August 2015 and
• Emerging findings from the Grenfell inquiry and RAIB investigation reports.
Risk
Planning profiling
Organising
Policy
Plan Do
Implementing
your plan
Learning
Act Check Measuring
lessons performance
Investigating
Reviewing accidents,
performance incidents &
near misses
Figure 1 The Plan-Do-Check-Act cycle (HSG 65 2013)
6
Use of this approach, allows organisations to manage their operations via the application of a
systems process, that is in-line with other management systems standards, such as ISO 9001:
2015 (Quality) and ISO 14001: 2015 (Environmental). These promote the use of the Plan-Do-
Check-Act (PDCA) process model. The move towards the PDCA approach, achieves a balance
between the systems and behavioural / cultural aspects of management.
Correcti
action
SP1
SP2
Man ew
revi
O
r
ve
age
3
SP
Inc vest
y
in
Polic th & safet

men
ga
ide iga
re
Leadership
ce
4
nt tion
ltu
an
ni
SP
t
Au
sa
MRA5
cu
ver
dit
y
MRA
go
tio
Heal
S
al
ard
M
na
nS
MR
Pro
ion
SP
4
Bo
mon active MR ritt
e OC
A3
l cu
arra itorin A2 H&S policy, o f
isat
MRA W tion bilities

nge g leadership c a i
men Allo pons ry
lture
ts MR Monitoring, rviso C2
Organ
A1 and board r e s u p e
Emerge &s O
plannin ncy
audit and governance a n age’t bility
g review M unta
RCS5 acco
OC
Organisational
Control of contractors/ Organising for structure OC3
suppliers RCS4 PI & RCS Control and
Planning Internal
C S 3 Communication arrange communicatio
g e R and ments n
Chan gement Sys O C 4
m a n a
t of RCS2 implementing OP g inte tem s
rfac afe
e n n
Securi tion e a ty a
a g em 1 e r a Or rran nd
n
Ma ets C S co-op d ga g’ts
R a n nis
ass ms petenc
e ati OC
Re tro
5
PI3
t e c o m on
co
s
co l & m
s y al
n
PI2
Work internal
rd k ’m
fe ork cu
and peration
a
PI1
co-o
Competence
ltu
ke no ent
management
system
S w
of re
ep wl
er in
OC
nn oad
ing ed OC
6
and m ssessment
, d ge 7
ment
ing
pla orkl
volve
g
oc
ettin
et s /
W
Targjective
.
anage
men OP1
e
Ob
ur
t
Risk a
lt
cu
OP2
al
tion
Organisa
Figure 2 Overview of the Risk Management Maturity Model (RM3) themes and criteria
3
The 26 criteria of RM
RM3 describes what excellent management capability looks like by means of a five-point maturity
scale, ranging from ad-hoc through managed, standardised, predictable and up to excellence
(Figure 3). The model contains 26 criteria, 25 of these constitute best practice in relation to SMSs
and defined assessment criteria are set out.
3
These criteria enable those carrying out an RM evaluation, to gain a good understanding of an
organisation and whether an organisation’s SMS can deliver excellence in risk control, across all
activities.
7
Proactive / continual improvement
ce
Excellen
Delivery can be predicted by the
e d i c t a bl e management system
P r Variation and change is controlled
Good practice synthesised into
n d a r d i s ed standard processes
S ta
Local groups are organised to
d
Manage
ensure repeatable performance
BUT
each work group performs similar
tasks differently
Ad-hoc and unco-ordinated

Ad-hoc
Figure 3 RM3 maturity levels
Organisational Culture
We have taken the opportunity in RM3 2019 to strengthen the model and identify organisational
culture perceptions, expectations and typical behaviours at each maturity level for 25 of the
criteria. This will help assessors determine, and organisations improve their maturity. The final
criterion (OC6), is now used to collate the indicators of organisational culture identified in the
other 25 criteria.
3
The limited scope of OC6 in previous editions of RM , meant that it was seldom used in
assessments. The experience of the Governance Board members was that this change was
3
important, as the whole RM model is an indicator of organisational culture. This approach will
greatly enhance the model and reinforce the importance of organisational culture in achieving
excellence in risk control.
Five themes for excellence in health and safety management systems (SMS)
The following descriptions of excellence have been set for each of the main areas of an effective
SMS:
8
Health and safety policy, leadership and board governance
• The organisation’s policies are visionary, based on solid evidence of what the organisation
can achieve, and promote a consistent approach to health and safety at all levels of the
organisation.
• Leaders of the organisation set and communicate clear direction that reinforces a consistent
approach to health and safety and shapes the day-to-day activities, as well as striving to
continuously improve risk control.
• Leaders at all levels of the organisation, act in a consistent way that reinforces the values,
ethics and culture, needed to meet their organisation’s objectives.
• The leadership style throughout the organisation is transformational, as opposed to
transactional.
Organising for control and communication.
• The organisation is structured to help put it’s policies into practice, as efficiently as possible.
• There is a clear understanding of how each person’s role affects the organisation’s ability to
achieve specific goals and the overall objectives.
• The organisation provides the framework for using people, plant and processes
successfully.
• Communications up, down and across the organisation, are highly effective.
• Communications from management should be appropriate for the target audience. The
right message should be received at the right time, by the right people, and through the
appropriate channels.
Securing co-operation, competence and development of employees at all
levels
• Competences (knowledge, skills, experience and abilities) needed to work effectively,
efficiently and safely, are understood by the organisation, with the right number of people, in
the right place, at the right time, with the right competence.
• Recruitment, selection, training and continued development focus on meeting the
organisation’s objectives.
• Employees are actively involved in developing processes and making the business
successful and safe.
• Trade unions and employee representatives are recognised as an essential means of
employee involvement.
Planning and implementation of risk controls through co-ordinated
management arrangements
• Organisations systematically implement processes to make sure that the plant, people
and processes are fully used, continually improving effectiveness, efficiency and safety to
achieve the organisation’s objectives.
Monitoring, reviewing and auditing to provide effective governance,
management and supervision
• Monitoring is an important part of the organisation’s management arrangements at all
levels.
• Performance measures and audit programmes, are used to continually encourage everyone
to achieve the organisation’s objectives and reduce risk to the business.
• Variations from expected outcomes, are reviewed to understand where the organisation is
failing and what corrective action is necessary, to restore and improve performance.
• The organisation actively seeks opportunities to identify best practice from both within the
organisation and from others across the rail industry.
9
Criteria development
The generic maturity descriptors

Each RM3 maturity descriptor for the criteria shown in Figure 3 are based on the Capability
Maturity Model (CMM)1 generic descriptors which originate in the software industry. These are
shown below.
Excellence
It is characteristic of processes at this level that the focus is on continually

improving process performance through both incremental and innovative
technological changes / improvements.
It is characteristic of processes at this level that, using process metrics,

Predictable
management can effectively control the AS-IS process (An “as is” business
process defines the current state of the business process in an organisation).
In particular, management can identify ways to adjust and adapt the process
to particular projects, without measurable losses of quality or deviations from
specifications. Process capability is established from this level.
Standardised
It is a characteristic of processes at this level that there are sets of defined

and documented standard processes established and subject to some
degree of improvement over time. These standard processes are in place
(i.e. they are the AS-IS processes) and used to establish consistency of
process performance across the organisation.
It is characteristic of processes at this level that some processes are

Managed
repeatable, possibly with consistent results. Process discipline is unlikely to

be rigorous, but where it exists it may help to ensure that existing processes
are maintained during times of stress.
It is characteristic of processes at this level that they are (typically)

Ad-hoc
undocumented and in a state of dynamic change, tending to be driven in an

ad-hoc, uncontrolled and reactive manner by users or events. This provides
a chaotic or unstable environment for the processes.
Table 1 Generic maturity descriptors
1 The Capability Maturity Model (CMM) was developed by US Department of Defense

Software Engineering Institute (SEI)
10
Developing the criteria for RM3 2019
RM3 has become the health and safety maturity model of choice by Britain's rail industry.
The RM3 Governance Board, with representatives from across Britain's rail industry, were
key in providing the evidence and direction for RM3 2019. Throughout 2018, we have worked
collaboratively to develop the revised set of criteria in this edition.
Our aim is that:

• Evidence in criteria is relevant and meaningful;
• Evidence is mapped to the most appropriate maturity level;
• There is a clear build on lower maturity levels; and
• It is clear what further action needs to be done to continuously improve.
We have gone back to basics with all of the criteria and, systematically, for each maturity level
looked at:
• What happens in practice;
• What processes are in place;
• The impact of these processes;
• How standards are applied; and
• The beliefs and behaviours which indicate the organisational culture.
and we tested our findings against the generic maturity descriptors for consistency.
A major milestone in improving health and safety risk management, has been the development
and publication of BS ISO 45001:2018 - Occupational health and safety management systems.
Governance Board members have been involved in the development of this standard and we
3
validated the revised RM 2019 criteria against it.
Collaboration
In May 2017, The Rail Delivery Group (RDG) and Rail Safety and Standards Board (RSSB)
published ‘Leading Health and Safety on Britain’s Railway - A strategy for working together’
which set out the importance of collaborative working, as an enabler to achieving excellence in
health and safety risk management.
3
The RM Governance Board also recognised the importance of collaborative working to achieve
higher levels of maturity and evidence of collaboration, is now tested throughout RM3 2019.
Will existing assessed levels change with the application of RM3 2019?
In RM3 2019 we have introduced new expected evidence, as well as the evidence from
previous editions. All of the evidence has been calibrated against the generic maturity
descriptors and this has caused some evidence to lead to a change in assessed levels.
Some evidence previously found in higher levels of maturity, has dropped down a level and
some in lower levels has moved up. This will mean that assessors may find that some maturity
determinations made using the revised criteria included in this document, are different to
assessments made using previous editions.
We know that this change will make it challenging to track progress between assessments
3
using the previous edition and this one, but the real value of RM is in facilitating robust
conversations. The changes arising from using this edition will be an important part of these
discussions.
11
Using the criteria
RM3 supports the evaluation of an organisation’s health and safety management system (SMS).
The purpose of these assessments, is to identify whether the management arrangements provide
and maintain risk-control systems, that protect the safety of people affected by the organisation’s
activities. The model provides a consistent way of evaluating the management arrangements
required by MHSWR1 and ROGS2.
Assessors should adopt an evidence-based approach to evaluating the management of risk.

Several sources of data, information and knowledge can be used to measure an organisation's
current level of risk management maturity.
Information on the performance of

Reactive organisations can be gathered in a variety
Assessment of ways: through interviewing individuals
at various levels, through inspecting and
Proactive reviewing documentary evidence and
Assessment through direct or indirect observation of
conditions found at site level.
Figure 4 illustrates the type of information

and the collection methods available
Audit to assessors in determining an
organisation's maturity levels.
Collect and
analyse
Use RM³ to refine
evidence Reactive assessment includes:
future activities • Workplace violations and errors
• Incidents
• Failures to deliver performance
objectives
Determine • Complaints
maturity Improvement
Plans
Proactive assessment includes:
using RM³ • Risk control system review
• Safety verification activity
• Safety certification/authorisation
assessment
Discussions Audit includes:
• Top down SMS reviews
Targets and
• Corrective action monitoring
indicators • Internal and external
Figure 4 Information sources and collection methods
1 The Management of Health and Safety at Work Regulations 1999 (MHSWR)

2 The Railways and Other Guided Transport Systems (Safety) Regulations 2006 (ROGS)
12
SMS assessments may focus on a limited number of risk controls and track them up through the
levels of the organisation.
They may also start at senior management level and track the relevant risk controls down through
the organisation. However, to form a reliable opinion, the assessor would need to make sure that
3
the whole SMS is assessed against all of the elements set out in RM ; and that the size, structure
and nature of the organisation are also taken into account.
Evidence of the capability (or otherwise) of the organisation will be built-up during assessment
activities. The evidence gathered will only be based on a sample of the information available and
so will not be conclusive. It is possible that the evidence collected could fall across a range of
maturity levels.
Assessors should use the evidence gathered to inform their opinion of the organisation’s
3
management arrangements against the RM criteria. As the volume of evidence increases, there
should be greater clarity over where an organisation’s maturity lies. Assessors should use their
judgement when deciding which criteria and evidence to use. The following issues should be
considered:
• Consistency of the evidence - if evidence from a
number of sources suggests a similar level of maturity,
this would indicate that the findings of the assessment
Consistency Quantity are accurate;
• Quantity of the evidence - whether there is enough
evidence to provide an informed opinion on the
organisation as a whole. For example, if evidence on
document control for a small depot revealed an ‘ad-
hoc’ level of achievement, is that sufficient to form an
Currency
Quality opinion on the document control system for thirty other,
much larger depots?;
• Quality of the evidence - whether the evidence is
based on a limited observation from one site or is
consistent across a number of sites and;
• Currency of the information - when the evidence was
Figure 5 Evidence factors initially gathered and whether there are likely to have
been any significant changes since then.
Collating findings
When collating findings, assessors should critically review their evidence against the evidence
factors and should look at identifying maturity levels, based on the modal average for each criteria.
Evidence collected during assessments and investigations should be compared against the
descriptions of each level and a judgement made of the health and safety management capability
of the organisation. This will enable the organisation to understand their strengths and target areas
for improvement. Evidence could be grouped for a work section, a department, directorate, site, an
organisation or a group of companies.
Organisations should never try to roll all maturity assessments together to arrive at an overall
3
maturity level. The value of RM is in the discussions to be had around the findings for each of the
26 criteria. Determining how the SMS works in practice is, in terms of risk management, generally
more important, than how it appears on paper. The assessment should focus also on the day-to-
day application of the SMS.
13
A method for collating organisational culture assessments is included in Criterion OC6, see page
41.
3
Using the RM model, it is possible to identify the gap between the ‘work as imagined’ of the
written health and safety management system (SMS) and the ‘work as done’ actions taken at the
sharp end; the ‘here and now’ of task performance.
This approach enables assessors to interpret information to:

• identify and address the progress of the organisation towards excellence in SMSs;
• identify what activities are in place to support the development of an excellent health and
safety culture;
• identify deficiencies in management systems that may impact on issues wider than safety,
such as efficiency and performance, especially in relation to asset management;
• provide a roadmap to forming an action plan to assist an organisation’s progress towards
excellence;
• build on the existing safety validation process;
• inform future regulatory activity within the rail industry, or with particular organisations; and
• provide assurance that system safety is being managed by all the interdependent
organisations in the railway industry.
Key principles to remember when undertaking an assessment using RM3 are that:
• Both health and safety are most effectively managed when they are integrated with other
management activities and managed in the same way.
• Any unsafe act, unsafe condition, near miss or accident is a symptom of a possible failure
of a part of the management system.
• SMSs should focus on making sure that the physical, managerial, procedural, behavioural
and cultural and elements of the organisation are managed.
• The SMS should take account of, and be shaped by, the culture of the board and the
organisation as a whole.
• There is no one right way to achieve excellence in H&S management in an organisation.
However, there are some common characteristics that are seen in organisations that
manage H&S risks well.
14
The Risk Management Model (RM3)
Criteria
SP
OC
OP
PI & RCS
MRA
15
This page is intentionally left blank for you to add your notes.
16
Health and safety policy,
SP leadership and board governance
Purpose:
SP
• To make sure that the organisation is effectively governed and led.
• To make sure that each policy clearly expresses the top-level management expectation,
accurately defining what the organisation wants to achieve, how it will achieve it (through
effective leadership) and how management will know when that expectation has been met.
• To make sure that the organisation (specifically the board) effectively challenges whether a
policy and its associated activity is correct, in place and effective.
Introductory notes
The organisation’s policies are forward-thinking and based on solid evidence of what it can
achieve. Together with effective leadership, the policies promote a consistent approach to health
and safety (H&S) at all levels of the organisation.
• Leaders of the organisation set and communicate a clear direction for the organisation that
reinforces a consistent approach to H&S.
• Leaders at all levels of the organisation act in a consistent way to reinforce the values,
ethics and culture needed to meet the organisation’s objectives.
• The governance arrangements make sure that the organisation remains accountable for the
H&S of its workers, passengers and members of the public affected by their work.
Poor leadership has caused many high-profile H&S failures. A failure to consider H&S risks when
the board makes decisions can have catastrophic results.
An organisation’s approach to H&S inevitably reflects the attitudes of those who make business
decisions, and it leads the opinions and attitudes of the staff who work within the organisation.
The criteria in this section include:

• SP1 - Leadership from the top which provides consistent example and inspiration for
leaders at all levels of the organisation;
• SP2 - Health and safety policy and arrangements that capture the top management view
of how H&S contributes to business success and sets a framework for making balanced
business decisions at all levels;
• SP3 - Board governance - effective at providing clear direction, leadership and oversight
for H&S – setting 'the tone from the top' and;
• SP4 - A written safety management system (SMS) designed to control all H&S risks
which arise as a consequence of the business activities.
17
SP 1 Leadership
Leadership from the top, provides a consistent example and inspiration for leaders at all levels of
the organisation. Good leadership in health and safety (H&S) management involves:
SP 1
• The attitudes and decisions of senior managers aligning with the H&S policy and culture;
• Identifying and promoting the styles of leadership and management practices at all levels,
which best support a positive H&S culture;
• Promoting effective collaboration and engagement of all workers and business partners to
achieve continuous improvement on H&S;
• Aligning the leaders in operational management, organisational functions and operational
and support units in pursuit of the common H&S purpose, strategies and goals;
• Assessing H&S leadership and management behaviour to motivate and reward success, in
improving the control of risk and;
• Adjusting the performance-management and reward systems, so they help the organisation
achieve its goals and strategies for improving health, safety and performance.
• Leaders at all levels of the organisation
demonstrate shared values which strive Culture
towards continuous improvement. Leaders recognise they have an obligation
• Leaders search within and outside to foster the kind of organisational climate
the organisation for opportunities to where people find it easy to speak up and
improve risk control in their area of the share when they have made mistakes
organisation, to ensure it is as effective rather than covering up errors.
Excellence
and efficient as possible.

• Leaders always consider how they • Leaders encourage people and enable
influence others, recognising that good them to join forces and to participate as
leadership is compelling, not coercive. responsible individuals in a collaborative
• They pro-actively promote a institutional enterprise.
positive culture and encourage H&S • Non-technical management skills
improvements in all areas of organisation development is recognised as world-class.
• Leaders recognise that better H&S • Leadership demonstrates and reinforces
results are achieved through exercising the values and culture of the organisation
power with, rather than control over, and ensure these lead to engagement and
employees. empowerment across all levels.
• Leadership activities are consistent with
and reinforce the organisation’s H&S Culture
policies. Leaders take responsibility for developing,
Predictable
• Leaders at all levels of the organisation leading and promoting a positive culture
are credible and open to ideas for in the organisation that supports effective
improvement. H&S risk management.
• Leaders take responsibility to ensure that
the SMS achieves its intended outcome.
• Leaders inspire others within the • Non-technical management skills are
organisation to work to deliver against the recognised and developed within the
H&S vision of the organisation. organisation.
18
Standardised • The organisation is built around a
command and control structure with Culture
some feedback. Leadership is still largely viewed as a senior
• There is a rule book-based approach management role.
to H&S management, this can result in
SP 1
unwavering adherence to standards with
little innovation or flexibility.
• Non-technical skills are specified and
employees receive appropriate training.
• Collaboration occurs as specified in ‘the
rules’.
• There may be managers with health
and safety leadership skills, but these Culture
are not proactively developed by the Leadership is viewed solely as a senior
organisation. management role.
• Managers demonstrate leadership
Managed
skills, but these are not recognised by • There is no consistency over how
everyone or used consistently within the non-technical management skills are
organisation. developed in the organisation.
• The organisation’s goals and priorities
are not understood by all leaders in the
organisation.
• Some collaboration occurs, but often
by chance rather than planned, and
depends on the individuals involved
rather than being systematic.
• There is no evidence of positive
H&S leadership at any level in the Culture
organisation. Employees consider there is little effective
• H&S leadership is not considered to be leadership in H&S at any level of the
important in staff development. organisation.
Ad-hoc
• No effective application of H&S

leadership standards in the organisation.
• Leaders do not collaborate internally or • H&S leadership skills and other non-
externally. technical management skills are not
recognised or developed within the
organisation.
Guidance and further reading:

• INDG 277 ‘Leadership in the Major Hazard Industries’: Health and Safety Executive (HSE)
• INDG 417 ‘Leading Health and Safety at Work’: HSE
19
SP 2 Health and safety policy
The health and safety (H&S) policy should capture what the top management view is of how H&S
contributes to an organisation's success and sets a framework for making balanced business
SP 2
decisions at all levels.

The H&S policy and arrangements should:
• Represent the collective view of the ‘controlling mind’ of the board, following suitable
discussion, challenge and agreement;
• Explain the business benefit of the policy in context of company purpose, activity, business
model, vision, strategy and culture etc..;
• Explain the relative significance of H&S risks within the range of business risks and how
important H&S is to the organisation;
• Explain how the necessary empowerment and collaboration in the ‘entrepreneurial
leadership’ of the organisation is balanced with the ‘prudent control’ of H&S risk to avoid
goal-conflict in the delegation of roles, responsibilities and accountabilities;
• How the hazard / risk profile of the business determines the amount of resource time and
effort put into H&S and how a reasonably practicable (proportionate) approach informs:
• How the board and management spend time and attention in directing and overseeing
implementation of H&S policy and performance;
• The scope and complexity of the SMS and risk assessments;
• How the financial resourcing of H&S will form part of the business planning and
budgetary control and matched to the hazard / risk profile;
• Human resource policies (including values, recruitment, development, competence,
motivation, leadership style, culture, continuous improvement, corporate memory,
involvement and consultation) and;
• Technical support functions and policies such as design, planning and asset
management.
• The H&S policy is used to challenge
the organisation to achieve business Culture
performance that is in-line with the best- The H&S policy as implemented
performing organisations. demonstrates that managing H&S risks
• The H&S policy of the organisation is not a separate function but an integral
includes a realised active commitment to part of a productive, competitive, profitable
collaborate throughout the management organisation, which strives for continual
Excellence
chain and with external parties to achieve improvement.

the H&S policy objectives.
• The H&S policy forms part of the • The H&S policy leads to a realised
supplier accreditation process and continual improvement of risk
the organisation ensures that all new management.
suppliers meet the intent of the policy • The H&S policy explains how H&S
requirements. is integral to operational activity and
• The H&S policy explains how the risk the relevant responsibilities follow
profile of the organisation determines the management hierarchies with H&S
amount of resource time and effort put specialists acting as advisers and / or
into H&S. challengers.
20
• The organisation recognises the
importance of reviewing the policy, Culture
proactively with change. The actions of everyone acting in the
• The H&S policy includes a commitment management chain are consistent with the
Predictable
to consultation and participation of H&S policy.
SP 2
workers, and where they exist, worker
representatives. • The H&S policy includes a commitment
• All the organisations policies are: to maintain or improve risk management
standards, even through periods of
• Consistent with each other; change.
• Reviewed and revised to drive • The H&S policy forms part of the supplier
improvements and; accreditation process and the organisation
• Interpreted in the same way by all ensures that all new suppliers meet the
parts of the organisation that apply intent of the H&S policy requirements.
them.
• The H&S policy and any other associated
policies, are used as a focus for Culture
managers, which results in them being The H&S policy and any other associated
consistently interpreted by all employees. policies are used as a focus for managers,
Standardised
• Employees across the organisation which results in them being responded to in

are actively involved in reviewing and the same way by all employees.
revising the H&S policy and how it is
applied. • The H&S policy includes a commitment to
• The H&S policy and any other associated eliminate hazards and reduce H&S risks
policies are used as a focus for relevant to the organisation.
managers, which results in them being • The H&S policy is relevant and
implemented consistently throughout the appropriate, documented, communicated
organisation. within the organisation and to interested
parties as appropriate.
• The H&S policy is up-to-date and is
communicated within the organisation, Culture
but local managers and supervisors The purpose and content of the H&S policy
have inconsistent approaches or is not understood or applied consistently by
Managed
interpretations. This results in the policy everyone in the organisation at all levels.
being applied in different ways across the
organisation.
• The H&S policy has been formally • The H&S policy includes a commitment to
consulted with senior trades union fulfil legal and other requirements.
representatives in the organisation. • Some managers communicate policy on
• The H&S policy is not consistently used H&S to contractors etc., but there is no
to achieve successful risk management. systematic approach.
• The H&S policy statement is out of date
or has not been communicated within the Culture
organisation. Employees are not aware of the H&S policy
Ad-hoc
• There is no evidence of employees being or why it is relevant.

consulted.
• The H&S policy statement is unrealistic
for the risks of the organisation.
• No communication of H&S policy to
outside parties, even close collaborators.
21
SP 3 Board governance
An effective board provides clear direction, leadership and oversight for health and safety (H&S)
– 'the tone from the top'. From a H&S perspective, this involves:
SP 3
• Setting direction by defining H&S policies, vision, strategies, goals, values and culture
which are aligned with the organisation's purpose and strategic direction;
• Defining the arrangements to manage risk and ensure H&S risks are considered when
identifying the organisation’s business risks;
• Ensuring appropriate resources for controlling H&S risk are provided;
• Leading by example to promote a leadership style which supports an appropriate culture for
H&S;
• Delegating to management through organisational structures and a health and safety
management system (SMS) which promotes collaboration and engagement with employees
and other business partners;
• Developing human resource policies and reward systems which align with H&S objectives,
minimising conflict with other business goals and explaining how conflicts should be
resolved;
• Defining measures of the organisation’s business goals, and performance measures for the
activities to achieve the business goals;
• Providing oversight and challenge to guide management in learning how to pursue
improved control of H&S risk and improve the effectiveness of the SMS and:
• The board reviewing their approach and effectiveness of the direction, leadership and the
oversight they provide for H&S.
• All members of the board show a
commitment to identifying areas for Culture
improvement and effectively encourage The board promotes a culture of continuous
continuous improvement in risk improvement, challenging the executive
management through collaboration and function to improve, supporting that with
innovation, including providing necessary examples of good practice from outside the
resources. organisation that have the capability to be
• Board members are ready, able and implemented in a way that adds value to
encouraged to test strategies put forward the business.
Excellence
to reduce exposure to risk from whatever

source. • The board are prepared to endorse
excellence from within the organisation by
• The organisation actively measures
sharing examples and experiences and to
its activities against recognised good
learn from other organisations / industries.
practice in H&S risk management and
corporate governance. • The board secures effective engagement
with its work force and other stakeholders.
• The board carries out a formal and
extensive evaluation of its own
performance against H&S objectives.
This process takes account of the
context, complexity and hazard / risk
profile of the organisation in question,
including procedures which safeguard
effective decision-making.
22
• H&S risk is recognised as an essential
part of the overall risk to the organisation. Culture
• The corporate risk register is updated The board seeks balanced indicators of
Predictable
following changes to organisational safety assurance and has mechanisms

structure, risk profile or new operations in place to demonstrate the integrity of
SP 3
added to undertakings. the organisation’s assurance regime. The
• Where appointed, non-executive board demonstrates a systematic approach
directors (NEDs) have a strong and to understanding risk and sets clear
independent role in challenging H&S tolerances and expectations.
issues. • The board provides regular updates
to stakeholders, including information
following changes within the organisation.
• The board and executive show a clear, .
wide-ranging understanding of the Culture
organisation as a system, including H&S The role of the board and the executive
Standardised
management. in managing H&S is understood. A

• H&S has a champion on the board with clear expectation of risk tolerance is
H&S training. communicated.
• The corporate risk register is complete • The board ensures that stakeholders
and maintained, so the board is able to receive sufficient and relevant information
use it to direct strategy and define the to allow them to challenge the board on
organisational risk appetite. H&S issues as appropriate and makes
• The board is aware of and complies with provision for such challenge.
the UK Corporate Governance Code.
• The board considers H&S risk
management, but not in a consistent Culture
manner. Some, but not all parts of the organisation
• H&S performance is considered at board believe that the board are interested in
Managed
meetings, but there is no systematic H&S.

review of risk management performance.
• A corporate risk register is in place • If requested, the board communicates on
and this covers the H&S risk within the H&S matters to stakeholders, but does not
organisation, but lacks sufficient detail for welcome challenge.
the organisation to be able to sufficiently
direct strategy in a way that maximises
safety.
• The board shows little or no
consideration of H&S issues. Culture
• Throughout the organisation, individuals
Ad-hoc
Board meetings do not include reviews of

H&S performance measures. do not believe the board and executive are
• The corporate risk register does not interested in H&S.
cover H&S issues.
• The board are focused to prevent • There is no communication from the board
reputation damage from litigation. to stakeholders regarding H&S.
Guidance and further reading: • The UK Government report into the

• Leading Health and Safety on Britains Railway collapse of Carillion
• Baker Report into the Texas City explosion • The Aircraft accident report 1/2017
• Haddon-Cave Nimrod Review Hawker Hunter T7 G/BXFI on 22 August
2015
• UK Corporate Governance Code
23
Written health & safety management system
system
SP 4 (SMS)
A written health and safety management system (SMS) is designed to control all health and
safety (H&S) risks which arise as a consequence of the organisation's activities.
SP 4
The SMS should:

• Set out the arrangements for the control of H&S risk describing the Roles, Responsibilities,
Authorities and Accountabilities, (R2A2) of those at all levels of the organisation and how
these are integrated into business operation;
• Identify:
• Those who ‘own’ H&S risks in each part of the organisation, (individuals or business
functions) and implement risk controls;
• The process owners responsible for creating and maintaining systems of risk control;
• The contribution of H&S and professional advisers to decision-making; and
• Those who provide audit (internal or external) of the SMS;
• Identify proportionate and appropriate hazard identification, risk assessment methods, and
the design of risk controls which:
• Consider personnel as well as process / system risks;
• Are based on the reality of the way work is done and engage employees, volunteers and
/ or their representatives;
• Recognise the impact of ageing assets;
• Recognise the impact of interfaces and shared risk and involve business partners;
• Apply human factors knowledge about behaviour and consider both H&S risks; and
• Consider both the risks of performing work and the impact of work on other risk controls;
• Identify the mechanisms for engaging all employees at all levels, in learning from
experience.
• The SMS demonstrates how the

organisation will identify opportunities to Culture
improve, not only against its own targets The SMS demonstrates a commitment to
but against other organisations’ targets measuring and improving organisational
which have been identified as being culture.
excellent.
Excellence
• The SMS clearly demonstrates how • The SMS is an integral part of the
the organisation is kept aware of good organisation's overall management
practice in the rail and other industries, system.
so that continuous improvement can be • Stakeholders are consulted on and
maintained. informed of best practice, to continually
• The SMS is adaptable and responsive improve collaborative relationships and
to change, to accommodate emerging shared risk reduction.
issues / risks and reasonably foreseeable
developments in legislation, technology,
social, environmental and political
influences, whilst maintaining assurance.
24
• The SMS presents a clear approach to
managing health and safety. It shows Culture
how the organisation proactively controls There is a collaborative approach across
risk, through continual improvement of its the organisation in implementation and
internal arrangements, including through reviews of the SMS.
Predictable
periods of change.
SP 4
• Everyone in the organisation can explain
their role or how they might be involved in • The SMS remains accurate and the
the SMS and know where to find things. relevant parts subject to change, through
• Standards are reviewed to ensure that a formal change management system as
the SMS uses and delivers the up-to-date and when necessary.
standards. • Stakeholders are regularly informed of
• The SMS is proportionate to the any changes to the SMS.
organisation’s hazard / risk profile and
features appropriate risk assessment
methods.
• The SMS meets the elements laid down
in relevant standards and regulations. Culture
Standardised
• Each document contained within the There is a clear understanding at all levels
SMS has its own author / owner and it is and across the organisation of how the
approved and authorised as being fit for SMS sets out to control risks and to what
its intended purpose. standard.
• The SMS reflects clearly the systems in
place to manage risk effectively. • The SMS is communicated to
• The SMS clearly indicates the standards stakeholders.
on which it is based and those it is
intended to achieve.
• The SMS presents a systematic
approach to controlling risk, with Culture
appropriate checks and balances, and SMS is understood by most employees as
all aspects of health and safety are an important part of how risk is managed.
considered. It reflects the PLAN-DO-
Managed
CHECK- ACT model.

• There is inconsistent application of
• There is a process in place within the standards in the implementation of the
organisation to produce and maintain SMS.
a legally compliant SMS, but once
produced, the SMS is not consistently
• The SMS is communicated internally and
to regulators, but not to collaborators and
applied in all parts of the organisation.
those with shared risks.
• Both H&S receive proportionate
consideration in the SMS to the levels of
risk they present.
• There is no written SMS, or if there is

one it is poor and does not reflect the Culture
business activities, operations and risks. The SMS is seen as unimportant and poorly
•
Ad-hoc
The SMS is based on a template or understood.

copied from another organisation. It
does not reflect the business's activities, • It is not clear what standards the
operations and risks. organisation is using.
• The SMS does not address all the • Employees who should be aware and
H&S risks within the organisation e.g. involved in the SMS are not.
occupational health.
25
RSSB products relevant to
health and safety policy, leadership and board governance:
• Leading Health and Safety on Britain’s Railway (LHSBR): Looks at 12 priority risk areas,
a framework for the collaborative improvement of health and safety risk.
•
SP
LHSBR Quarterly Monitoring Report: a summary of implementation actions in the LHSBR

priority areas.
• Measuring Safety Performance Guidance: to help you identify the best safety
performance indicators to monitor for your key risks.
• Safety Assurance Guidance: for Heads of Safety, explains how to meet the requirements
of CSM monitoring and improve the implementation of your safety management system.
• Safety Management System Principles – Moving Beyond Compliance: for those
who want to take their existing safety management systems beyond minimum legal
requirements.
• Safety Culture Toolkit: one-stop-shop for safety culture assessment, improvement and
good practice exchange.
RSSB Disclaimer and Intellectual Property Statement

The Risk Management Maturity Model (RM3) has been developed by ORR in collaboration with
the rail industry. RM3 is freely available for readers to access and use, however, to ensure the
Model is fully understood, the Rail Standards and Safety Board (“RSSB”) has granted readers
access to relevant Standards, that would normally be restricted to member-only viewing.
Access to RSSB’s Standards is for informational purposes only. RSSB assumes no responsibility
for any errors or omissions in these materials. All Standards and the information contained within
them are protected by copyright laws, and may not be reproduced, republished, distributed,
transmitted, displayed, broadcast or otherwise exploited in any manner without the express prior
written permission of RSSB. You may download material (one copy per page) from this Website
for your personal and non-commercial use only, without altering or removing any trademark,
copyright or other notice from such material.
26
Organising for control and
OC communication
Purpose
• To set out responsibilities for meeting the organisations health and safety (H&S) objectives.
• To make sure that important information is available to those making decisions.
• The organisation’s arrangements and actions promote a culture that makes excellence in
risk control possible.
• Organisations have controls in place so that risks are identified and adequately controlled.
Introductory notes
OC
H&S policies set the direction for H&S, but organisations need to create a strong framework for
management activities, setting out the roles, responsibilities, authorities and accountabilities that
will improve performance. Two important issues are control and communication.
Control is the foundation of a positive health and safety culture.
• Maintaining control is central to all management functions. Control of H&S is achieved by
allocating and carrying out responsibilities which relate to H&S objectives.
• Organisations rely on the empowerment and engagement of employees and the
organisation has to balance giving the necessary freedom and flexibility with the need for
good control of risk. The boundaries of discretion need to be clearly drawn – it should be
clear when strict adherence to health and safety procedures is essential. In many cases
learning from trial and error and experience is too costly for those involved.
• H&S and employee representatives make an important contribution. Employees /
volunteers should be focused on developing and maintaining systems of control before
events happen – not on blaming people for failures after events.
Communication is often a challenge to organisations.
• It is important that the messages which senior managers want people to understand are the
ones the people actually hear.
• Effective, proactive and reactive communication about H&S relies on accurate and clear
information coming into the organisation, flowing within it, and going out from it.
Organising for Control and Communication ensures:
• OC1 Allocation of responsibilities - the organisation is structured to put the organisation’s
policies, strategies and plans into practice as efficiently as possible, as part of its operation.
• OC2 Management and supervisory accountability - those with H&S responsibilities are
motivated and held accountable for performance, in-line with systems and methods used
for other parts of the organisation.
• OC3 Organisational structure - organisational structures facilitate flexibility and
collaborative working.
• OC4 Internal communication arrangements - communication throughout the organisation
is sufficient and suitable to ensure those making decisions which impact on H&S are
appropriately informed with up-to-date relevant information.
• OC5 System safety and interface arrangements - there is effective collaboration on H&S
risk across system and organisational boundaries.
• OC6 Organisational culture - the significant ways of thinking and doing which underpin a
positive H&S culture suited to the organisation, are identified and applied.
• OC7 Record keeping, document control and knowledge management- suitable
information is collected, stored and is readily retrievable, to support H&S decision-making
and, effective and reliable control of risk at all levels.
27
OC 1 Allocation of responsibilities
The organisation is structured to implement it’s policies, strategies and plans into practice as
efficiently as possible, as part of its operation.
This means:
• Clear delegation of roles, responsibilities, authorities and accountabilities for health and
safety (H&S) are aligned and integrated into the operation of the organisation;
• The roles of risk owners and advisers are clear;
• Allocating people and teams roles, tasks and objectives which secure effective collaboration
in meeting the organisation’s H&S objectives;
OC 1
• The potential for conflict between H&S and other business objectives is acknowledged and
minimised and there is a process for resolving conflicts and;
• Having the right people, doing the right thing, at the right time.
• The organisation looks externally for
factors which offer opportunities for Culture
continuous improvement of risk control Employees seek to improve organisational
and allocates roles and responsibilities to performance by taking on additional tasks
support this. and responsibilities especially those relating
Excellence
• Individuals at all levels across the to H&S.

organisation take responsibility to seek
improvement in risk control from within • Roles and responsibilities are reviewed
and outside the organisation. to ensure they remain in-line with
• Individuals with H&S roles and standards in recognised high performing
responsibilities routinely look at how they organisations.
might develop themselves and processes • Individuals from collaborating
to continuously improve risk control. organisations recognise and undertake
roles and responsibilities allocated during
collaborative activities.
• Responsibilities are systematically
identified with clear links between the Culture
organisation's objectives and individual's There is a culture of employees at all levels
responsibility, and are adaptable to taking responsibility for H&S within a strong
Predictable
changes in circumstances. management framework.

• H&S activities and decision-making
activities are given to the people who are • H&S responsibilities are allocated with
best placed to carry them out. the same consideration as other business
• Individuals involved in commercial and responsibilities. This makes sure that the
other decision-making roles know what is right resources are available and used.
expected of them, in relation to their H&S • The responsibilities allocated include
responsibilities and demonstrate they those for ensuring risk control in
contribute to effective risk control. collaborative situations.
28
• Responsibilities are systematically
identified and given in writing to teams or Culture
individuals, who accept them in order to Employees at all levels know what is
meet H&S objectives. expected of them in relation to their H&S
• Senior management ensure that the responsibilities with a belief that the right
Standardised
responsibilities set out in the H&S people are doing the right thing at the right
management system (SMS) are assigned time.
and communicated at all levels within
the organisation and maintained as • Responsibilities and authorities are
documented information. assigned for ensuring that the SMS
• Operational staff at each level across conforms to relevant standards and
the organisation assume responsibility reporting on the performance of the SMS
for those aspects of the SMS over which to senior management.
OC 1
they have control. • The system for setting performance
standards is integrated into the contractor
management system.
• H&S roles are allocated mainly to those
dedicated to H&S functions, e.g. H&S Culture
team or individuals who control site Employees recognise when performance
safety. standards exist and use them if available.
Managed
• H&S responsibilities appear in job Most employees, but not all, know what is
descriptions or objectives, though not expected of them in relation to their H&S
consistently. responsibilities.
• There is no overall policy on, or evidence
of, responsibility being allocated in a • Some performance standards exist
consistent and systematic way. for collaborative situations, but no
consistency in their application.
• Inconsistent application of performance
standards in the organisation.
• H&S roles, tasks and objectives are not
defined. Culture
• Responsibilities relating to H&S are not Employees do what is necessary to get
Ad-hoc
allocated to individuals and teams. the job done, if it is done safely then all the
better.
• There is no process for identifying
performance standards relating to H&S
responsibilities, so no standards are
identified or applied.
• Areas of collaboration are not identified.
29
OC 2 Management and supervisory accountability
Those with responsibilities for health and safety (H&S) are motivated and held accountable for
performance in-line with systems and methods used for other parts of the business.
All those with roles, responsibilities, authorities and accountabilities, tasks and objectives relating
to H&S are:
• Motivated and rewarded in-line with the organisation’s reward systems with an emphasis on
positive rewards for good work in risk control and;
• Held accountable for meeting those expectations.
Adequate supervision is provided. Spans of control and supervisory ratios are appropriate and
realistic, taking into account the nature of the work, the dispersion of staff and human factors
OC 2
considerations.
• The organisation actively shares best
practice whilst learning and implementing Culture
improvements from wider industry The organisation understands the
groups. wider-industry culture and takes active
• The processes allow the organisation participation to improve H&S risk control.
Excellence
to actively participate in sharing good

management practice from other industry • The organisation uses the mechanisms
groups. in place to instigate change and have the
• The organisation proactively takes confidence to use them.
ownership to influence improvements to • The organisation seeks out wider
H&S risk control. opportunities across the sector’s key
• Good supervision and effective stakeholders and beyond, to learn
supervisory roles are embedded within from and share best practice with other
the organisation’s corporate structure and industries.
operational delivery.
• Individuals can adapt and manage
change in accountability to influence Culture
improvements in standards and risk Individuals recognise the risks and are
management. proactive in informing others and forming
• The processes provide individuals groups that support a culture of risk
with the confidence to challenge minimisation.
Predictable
organisational norms and proactively and

independently seek out improvements to • The individuals understand the
the risk management systems. mechanisms in place to instigate change
• Managers and supervisors fully and have the confidence to use them.
understand how taking accountability • Individuals actively seek additional roles
lends itself to risk reduction methodology. and accountabilities to achieve the
• Individuals pro-actively take ownership organisation’s strategic risk management
to influence improvements to H&S risk aims.
control. • Changes in supervisory arrangements
and accountabilities are planned as part of
any change.
30
• Teams and individuals responsible for
controlling significant risks, know and Culture
understand their responsibilities and There is recognition and acceptance
apply them in the correct manner. between individuals in the organisation
• There are processes in place to allow over roles and responsibilities and mutual
Standardised
managers to manage appraisal systems involvement to achieve business objectives.

to reward and correct behaviours and
• Collaboration is effective and individuals
outcomes, but also to make sure there
are given and accept additional
are no unintended consequences of
responsibilities.
these appraisals.
• Supervision and supervisory roles are
• Individuals are clear on their roles and
adequate.
responsibilities and effectively deploy
and actively engage to improve H&S risk • Supervisory arrangements are
OC 2
controls. proportionate and adaptable to control
risks associated with those new to a job,
• There are effective procedures and
learning new processes, carrying out
processes in place for all significant risks.
infrequent high risk work and remote /
lone working.
• Some managers and supervisors hold
their employees accountable, but there is Culture
no consistency of application. Individuals know their responsibilities,
• Some processes for controlling but there is no consistent evidence of
Managed
responsibilities exist, through procedures ownership across the organisation.

or performance reviews, but not for all
significant risks.
• Individuals are unclear on some roles • There is some definition of collaborative
and responsibilities relating to control of arrangements, but with minimal impact on
H&S risks. collaboration.
• There are some procedures and
processes in place, but not for all
significant risks.
• Managers and supervisors rarely, if ever,
hold their employees to account for their Culture
H&S duties. There is a culture of non-acceptance and
• There is inconsistency between lack of understanding of responsibilities.
Ad-hoc
accountability for H&S and accountability

for other business activities.
• Supervision and supervisory roles are not
• Individuals are unclear on their roles and clearly defined or consistently applied.
responsibilities relating to control of H&S
risks.
• Collaboration arrangements are undefined
and there is no proactive inclusion
• There is a lack of procedures and of employees involved (a failure of
processes to ensure accountability for organisational structure).
H&S. (e.g. in job descriptions).
31
OC 3 Organisational Structure
Disaggregated organisations, such as railway and tram companies, are complex operations
requiring flexible and collaborative working, both within the organisation and through interfaces
with other business partners.
The clarity of roles for health and safety (H&S) between front-line operations, support staff and
technical experts, needs careful thought, to ensure that H&S roles, responsibilities, authorities
and accountabilities, fit sensibly into management structures and to ensure there are no gaps in
responsibilities. Layers of management structure complicate reporting lines and accountabilities.
Maintaining an effective organisation structure is a continual challenge, as operational conditions
and demands change.
OC 3
• The organisational structure is designed

to be flexible to respond to internal Culture
and external changes, whilst still Individuals believe that the organisational
delivering H&S objectives and continual structure is evolving to drive continuous
Excellence
improvement. improvement in risk management.

• The board and senior managers look
to learn from the structure of other • The organisation actively seeks new or
organisations, who are effectively improved standards to drive continuous
managing H&S, and identify improvement.
improvements for their own organisation. • Pre and post-collaborative project
• The organisational structure evolves to reviews are carried out, to learn and drive
continuously improve performance in risk continuous improvement.
management.
• The organisational structure is designed
in-line with the H&S policy and Culture
objectives. Individuals believe that structures are
• Responsibilities for risk control are sufficiently flexible to ensure effective risk
allocated from the top to the bottom of management even in periods of change.
Predictable
the organisation, not just at working

levels. • Organisational structures are sufficiently
• There is systematic alignment of the H&S flexible to continue to effect risk
policy and objectives with organisational management during periods of change.
structure. • Organisational structures for collaborative
• The organisation remains structured to projects are sufficiently flexible to continue
deliver objectives stated in H&S policies to effect risk management during periods
and procedures, even after changes to of change.
structure or operations are undertaken by
the organisation.
32
• The structure of the organisation means
that all of the H&S risks are managed Culture
by the people or teams carrying out the Individuals believe that the organisation’s
work, and there is effective control of structure is planned to achieve effective risk
Standardised
risks, which are shared between teams. management.

• Responsibility for risk control systems
is in-line with responsibility for other • Overall policies and strategies are
business objectives. This provides consistent with those of the relevant
clarity and consistency between similar business units.
activities and business units. • There is a systematic approach used to
• Standards are identified and used to implement collaborative management
ensure that organisational structures structures, well-suited to deliver effective
are best able to deliver effective risk risk management.
OC 3
management.
• The structure of the organisation means
that most risks are managed by the Culture
people or teams carrying out the work, Some individuals understand the link
but some risks are shared between between structure and effective risk
teams, so that responsibilities could still
Managed
management but there is no system in

be confused, missed or duplicated. place to ensure it happens.
• There is little consistency between the
activities of a business unit and the wider • There is conflict between H&S and other
aims of a strategy or policy. objectives.
• Some collaborative ventures have • There is inconsistent use of standards.
management structures developed to
allow effective risk management, but no
systematic approach.
• The organisation’s management
structure is not aligned with its H&S Culture
objectives. Employee responsibilities There is little or no understanding of the
and accountabilities are easily confused, need for organisational structures to enable
missed or duplicated. effective risk management.
Ad-hoc
• The organisational structure is not linked

to the SMS or risk management systems. • There is ineffective use of any standards.
Organisational structure is as it is for • The structure of departments involved in
historical reasons, rather than being collaboration are not considered in terms
tailored to needs. of risk management.
• The objectives of the SMS are not
achieved, because key roles are not in
place.
33
Internal communication
OC 4 arrangements
Communication throughout the organisation is sufficient and suitable to ensure those making
decisions, which impact on health and safety (H&S), are appropriately informed with up-to-date
relevant information. Arrangements make sure that all those making a decision or performing a
task, which impact on H&S, have the right information, in the right form and by the right method,
including things such as:
• Corporate messages;
• Procedures and standards;
• Factual data, (plans, diagrams, records) and intelligence; and
• Instructions and reports.
OC 4
• Employees are able to communicate

any concerns and issues or identify Culture
improvements to information, There is a culture throughout the
instructions, standards and procedures. organisation of open communication
This is acted upon by managers and
Excellence
which is effective and supports continuous

feedback is given promptly. improvement.
• The organisation looks at how other
organisations communicate H&S • There are active attempts to continuously
information and implements best improve the two-way exchange of
practice. risk management information with
• There is active pursuit of continuous collaborators.
improvement in communication within the • Effective risk management is based on
organisation. the provision of adequate information.
• Users are involved in regular reviews of

information, instructions, standards and Culture
procedures to ensure they remain current There is a culture of employees reporting
Predictable
and relevant. their performance / experiences and these

• The right information is available to are routinely acted on by the organisation.
support the making of correct decisions.
• Effective procedures for gathering • Communication of changes to task
feedback, ensure that communications instructions, systems of work etc.. with
are understood and there is effective two- collaborators (including contractors and
way communication. suppliers) is an integral part of ensuring
successful change.
34
• Information, instructions, standards and
procedures for controlling significant risks Culture
Standardised
are in formats optimised for users. The Factual information is used to share
information is readily available. experiences and guide future performance
• Employees routinely look towards the and decisions among the various levels and
relevant instructions and procedures functions of the organisation. For example
before performing tasks or making through safety bulletins.
decisions and understand the reasons
why the information should be followed.
• Managers give instructions which
reinforce H&S procedures.
• Some procedures and standards relating
to risk controls are available to staff. Culture
OC 4
• Most employees recognise importance, Decisions are made on the basis of what
Managed
of instructions, standards and procedures information is available, even if this is

and use these to make decisions or guide incomplete.
them in performing a task.
• Managers give instructions and receive • Some information is shared, but this is
reports relating to controlling risks, but inconsistent and depends on individuals,
there is a lack of consistency. rather than a systematic approach.
• Some information is used to guide
decisions.
• Employees making decisions or
performing tasks make little or no attempt Culture
to find relevant procedures. There is a culture of employees making
• There is no formalised system to ensure decisions on their own judgement without
Ad-hoc
knowledge is imparted to those who need reference to documents or other personnel.

to use it.
• Managers do not talk to employees, • No intelligence is collected or shared to
or talk ineffectively, so that the right demonstrate the effectiveness of the risk
risk control actions are not followed. control information.
Employees are not alerted to the • Little or no information is shared as part of
presence of new or changed procedures. collaborative enterprises.
35
OC 5 System safety and interface arrangements
There is effective collaboration on health and safety (H&S) risk control across system and
organisational boundaries. Risk Management (PI1) deals with the identification of interfaces and
the associated risk controls.
Effective teamwork and co-operation are needed to implement these controls and make sure
systems across the organisation and between organisations are safe.
Organisations need to collaborate to agree a common understanding of interface / shared
hazards and risks and the development, and the implementation of compatible means of risk
control, in pursuit of common goals and priorities.
Safety management system methods and requirements are aligned to facilitate common working.
OC 5
• The organisation looks to other sectors

and countries to identify system- Culture
safety issues and controls and there is There is a culture that people are
evidence that this has led to continuous empowered and encouraged to understand
improvement. and share information beyond their own
• The procedures and standards drive organisation to continually improve the
Excellence
the organisation to strive for continuous control of shared, common and emerging
improvement and look for best practice risks.
from other industries in the UK and
internationally.
• Best practice is drawn from, implemented
and shared with other organisations in
the UK and internationally.
• There are arrangements for sharing
information between organisations
with shared H&S risks, in order to
promote effective reviews and continual
improvement.
• There is effective use of industry
knowledge and collaboration across Culture
direct and indirect interfaces leading to There is an organisational culture which
clear understanding and control of shared enables proactive management of
Predictable
and common risks. emerging risks across direct and indirect

• The procedures and standards are interfaces.
effective and consistently used to control
both shared and common risks, including • All system safety interface risks are
emerging risks. reviewed within specified timescales.
• There are regular discussions These reviews ensure awareness is given
with other organisations to agree to changes at any level.
objectives, standards, processes and
arrangements.
36
• Organisational arrangements are in place
to ensure direct interfaces are identified Culture
and there is effective collaboration and There is an organisational culture which
implementation of shared risk controls. enables effective understanding, sharing
• Procedures and standards are in place and risk control across direct interfaces.
Standardised
and consistently used to control shared

risks. • Organisational oversight results in the
• Communications outside the organisation procedures and standards for shared risks
make sure that anyone making a being owned, reviewed and effectively
decision relating to risk controls with implemented.
cross-organisational boundaries is in
possession of the right information in
the form of procedures and standards,
OC 5
factual data and intelligence, and
instructions and reports.
• Procedures identify interfaces between

business units at a working level. There Culture
is liaison with other organisations over There is a culture of sharing information
procedures and standards implemented. generally only at working levels.
•
Managed
Procedures are used by employees for

some shared risk controls. • There is a culture of sharing information
• There is co-ordination of practical issues generally only at working levels.
at working level between individuals of
organisations, but there is no overall
organisational oversight, resulting in
inconsistent planning and execution.
• The organisation makes little attempt to

identify or collaborate on work with other Culture
organisations in respect of shared risk
Ad-hoc
People work in isolation with little

controls. understanding or concern of how their
• Procedures to identify and manage activities may influence and affect others.
shared risk control do not exist or are
weak.
• No information is collected or shared.
37
OC 6 Organisational culture
The significant ways of thinking and doing, which underpin a positive health and safety (H&S)
culture suited to the organisation, are identified and applied.
Culture is a lever, which can assist the board and senior managers to improve company and
safety performance. Setting out a culture strategy for H&S as part of a health and safety
management system (SMS) is a necessity for excellence.
Culture consists of the shared of ways of thinking and doing in respect of the most significant
risks of the organisation, which underpin the approach to devising and implementing the SMS.
Current thinking suggests there are 'seven attributes of an integrated H&S culture', these are
OC 6
shown opposite.
Different positive cultural characteristics may be more relevant to some parts of the business. For
example, a just and fair reporting culture, may be more pertinent to enhance learning in front-line
work, whereas a process safety culture of doubt, and a challenge culture of questioning, may be
more relevant to those in engineering functions concerned with the high hazard systemic risks of
the infrastructure.
Testing organisational culture and RM3

There are different ways of finding out about an organisation's H&S culture:
1. By routinely gathering informal information about the H&S culture during monitoring,
inspections, investigations and other dealings with employees / volunteers, interfacing
organisations and the supply chain. For instance, workers on site during a routine
preventive inspection may comment that performance pressures sometimes take priority
over risk controls. In this case, as well as investigating the allegation, the background
should be recorded to build-up a picture of the organisation’s H&S culture.
2. Organisations can conduct H&S culture or safety climate assessments, using techniques
and toolkits, such as the RSSB's Safety Culture toolkit. These assessments can provide
useful information on the current safety culture, and provide information and views about
leadership, communications, learning culture, employee involvement and attitudes to
blame.
3. RM3 is not intended to be a substitute for other safety culture assessment tools, but in this
version there are highlighted 'culture call-outs' against every level of maturity in all criteria.
Assessors using these 'call-outs" will see elements of the 'seven attributes' throughout
3
the RM criteria. The 'call-outs' suggest typical actions, beliefs and behaviours held by
employees, at all levels, suggesting the culture of the organisation.
An explanation of how to collate and use the culture indications from the 'call-outs' is provided on
pages 40 and 41.
38
Seven attributes of an integrated health and safety culture1
• Shared awareness of the most significant risks, anticipate risks beyond what the most
frequent accidents reveal:
• Indicators other than incident rate;
• Explain the content of the safety case / certificate and;
• Fight against fatalism.
• Questioning attitude, share the conviction that risks are never fully controlled:
• Culture of doubt;
• Culture of sensitivity to operations;
• Shared vigilance;
• Search for the root causes of events and;
OC 6
• Learning culture.
• Integrated culture everyone is mobilised, acknowledging that no single person has all
the knowledge necessary to ensure safety:
• Senior management, managers, employees / volunteers;
• Support departments;
• Interface management;
• Employee representative bodies and;
• Contractor companies.
• Right balance between rule-based and managed safety, anticipate as best as possible
and deal with the unexpected:
• Preparation for crises and unexpected events;
• Developing resilience and;
• Flexible culture.
• Constant attention to the three pillars:
• Human and organisation factors;
• Health and safety management system; and
• Technical safety.
• Management leadership and employee involvement, encourage safe compliance and
proactiveness:
• Importance given to safety decision-making;
• Participative directive leadership;
• Dialogue;
• Role of work groups and;
• Debates between professionals.
• Culture of transparency, anticipate as best as possible and deal with the unexpected:
• Just culture;
• Information flow;
• Consistency between words and actions and;
• Truthful external communication.
1 'Attributes to an integrated safety culture' model from 'The essentials of safety culture'; ICS 2017
39
How to use the culture ‘call-outs’:
For each criteria maturity-level there is a culture ‘call-out- box’ this identifies the typical values,
and behaviours associated with the maturity level.
For all criteria except OC6.
• Use the culture ‘call-out’, in the same way as the other bullets, to determine a maturity
level for the criteria. Apply the same evidence factors of Quality, Quantity, Currency and
Consistency.
• The culture maturity level may be different to the assessed level you determine (which
should be based on the modal average). If the culture maturity level is the same or
higher than your assessed level, this will probably mean that there is an understanding,
commitment and willingness, which will support continuous improvement. Where the
OC 6
culture level is lower, than the assessed level you determine, progression to higher levels
of maturity may be more challenging.
For this criterion, OC6.
• You could use the template opposite to capture an indicated level of maturity for your
organisations culture. This is available on our website at orr.gov.uk.
• The template includes other commonly used maturity level descriptors, as well as the
familiar descriptors used throughout RM3.
40
Organisation Name:
Fenrail Limited
Team/Area/Division assessed:
Whole Organisation
RM3 assessment by: Alison Jones Date: 23/11/18
SP OC OP PI & RCS MRA Row totals
Continually
Excellence
improving
OC 6
SP1
Cooperating
Predictable
SP4 PI1
RCS4 MRA5 6
RCS5
Standardised
SP2 OP2 PI2 MRA3

Involving
SP3 OC3
OC4 RCS1 MRA4 10
RCS2
OC1 OP1 MRA1

Managing
Managed
OC2 RCS3 MRA2 7

OC5
Emerging
Ad-hoc
PI3 1
assessed
Not
OC7 1
Organisational culture maturity

indicated level Standardardised/Involving
Figure 6 Organisational culture template
41
Record-keeping, document control and
OC 7 knowledge management
Suitable information is collected, stored and is readily retrievable to support health and safety
(H&S) decision-making and effective and reliable control of risk at all levels.
Preserving ‘corporate memory’ on H&S within the health and safety management system (SMS)
is essential for learning and continuous improvement. Learning what does and does not work, is
the basis of repeating good performance and avoiding repeating mistakes.
This includes information, such as:
• Records of assets, design parameters and calculations, diagrams and drawings;
• Processes and procedures;
OC 7
• Hazard studies and risk assessments;

• Progress with strategies and plans, monitoring, audit and review; and
• Records of important decisions.
The SMS needs to identify key information and processes for updating the information and
storage and retrieval systems, to enable ready access by those who need to know, so they can
make informed decisions.
Knowledge management processes capture the experience and learning of those who are
leaving the organisation.
• Records, decisions and information from

outside the industry are available to users Culture
and decision-makers who use them to The importance of maintaining and growing
continuously improve risk controls. corporate knowledge to deliver continuous
Excellence
• Records and documents are improvement is embedded in all levels of

comprehensive in scope and include all the organisation’s culture.
relevant features to assist in managing
H&S risks, or they are readily available • Records are effectively used to drive
from third-parties through transparent continuous improvement in risk control.
communication.
• The procedures and standards facilitate
learning lessons and sharing information
beyond the industry enabling continuous
improvement.
• Comprehensive records, including
shared industry records, of risk-related Culture
processes and standards, decisions There is a culture of making decisions
and information are available to users
Predictable
based on corporate knowledge.

and decision-makers, who use them
effectively to develop and review risk
controls. • All records have periods of retention
• The organisation’s records and decision- assigned to them.
making are shared with industry and the • Systems are in place for capturing and
organisation uses industry data in its own retaining corporate knowledge.
decision-making and reviews, and this
is effective in developing cross-industry
best practice.
42
• Records of risk-related processes and
standards, decisions and information are Culture
readily available and utilised consistently All employees understand why corporate
by decision-makers. knowledge is important and work with the
• The procedures and standards look organisational processes to develop and
Standardised
beyond internal records to support and maintain it.

draw on shared industry knowledge in
decision-making. • Record keeping includes sharing relevant
• The organisation’s records and decision records during collaborative working.
making are shared with industry and the • Records are kept of important information
organisation uses industry data in its own and decisions that are likely to be valuable
decision-making and reviews, and this in the future.
is effective in developing cross-industry
OC 7
best practice.
• Documented information contains
appropriate identification and description,
format, status, review and approval.
• There are some records of information
on important risk controls, but the records Culture
are inconsistent and not used effectively There are pockets of information retention
by decision-makers. by individuals or parts of the organisation,
• Procedures are used for managing but the importance of developing and
some record keeping, document retaining corporate knowledge is not widely
Managed
control and knowledge management, understood or valued.

but are inconsistent in use across the
organisation.
• There are records of processes and
standards for main risks which are
used to inform decisions, but are used
inconsistently across the organisation.
• Records are created, maintained and
updated by appropriate competent
individuals.
• There are few or no written records.
• Procedures to identify and manage Culture
record keeping, document and There is no evidence of corporate
knowledge management do not exist or knowledge, only individual's memory.
are weak.
Ad-hoc
• Any decisions made are frequently only

based on an individual's knowledge.
• The organisation is unable to use records
to demonstrate that risk management
was considered in decision-making.
• There is no sharing of information on
decision-making.
43
organising for control and communication:
• Annual Safety Performance Report: a review of safety trends for passengers, workforce
and the public.
• LHSBR Quarterly Monitoring Report: a summary of implementation actions in the LHSBR
priority areas.
• RED programme: a series of briefing tools on a range of safety issues for the workforce.
Some include dramatic reconstructions of incidents.
• Right Track: a newspaper for front line rail industry workers with news and guidance on
OC
safety issues. Published three times a year.

44
Securing co-operation, competence and
OP development of employees at
all levels
Purpose
• To find out whether the organisation has employees (including volunteers) with the
competencies (knowledge, skills, experience and abilities) needed to perform effectively,
efficiently and safely.
• To see if the organisation’s recruitment, selection, training and development policies focus,
as far as possible, on meeting the organisation’s health and safety (H&S) objectives.
• To prove how much the organisation consults its employees at all levels to make sure that
knowledge and experience are shared, and H&S becomes ‘everybody’s business’.
Introductory notes
Employee (including volunteer) involvement and engagement supports risk control by:
• Drawing on their experience and learning so that the health and safety management system
(SMS), risk assessments and risk controls are practical and reality-based and;
• Encouraging ‘ownership’ of H&S policies and procedures.
OP
It makes sure the organisation as a whole, and people working in it, benefit from good H&S
performance. Sharing knowledge and experience means that H&S becomes ‘everybody’s
business’.
Organisations need an effective system for managing competence to help make sure that their
employees and volunteers have the appropriate skills. Making sure that workers, supervisors,
managers and directors have and keep, the appropriate skills, helps assure those members of
staff make safe decisions and carry out their work safely, reducing the risks to themselves and to
other people.
Securing co-operation and competence ensures:
• OP1 Worker involvement and internal co-operation - employees / volunteers, trade
unions and their representatives are actively consulted and engaged in making the
business safe and healthy; and
• OP2 Competence management system - the organisation is capable of effectively
managing OHS by having sufficient employees with the requisite competences at all levels.
45
OP 1 Worker involvement and internal co-operation
By law, all employees in Great Britain must be consulted on, not just told about, health and safety
(H&S) issues in the workplace that affect them. There are two sets of general regulations under
which a duty holder must consult the workforce about H&S:
• The Safety Representatives and Safety Committees Regulations 1977 and;
• The Health and Safety (Consultation with Employees) Regulations 1996.
These regulations build on sections 2(6) and 2(7) of the Health and Safety at Work etc. Act 1974
and encourage employers and employees to work together to:
• Develop, maintain and promote measures for protecting H&S at work and;
• Check the effectiveness of those measures.
Successful organisations often go further than the law specifies and actively encourages and
supports consultation done in different ways. Effective organisations will actively involve the
workforce and their trade unions to encourage them to use their knowledge and experience and
build commitment to achieving shared objectives.
• The organisation makes full use of

OP 1
its employees’ potential and actively Culture

involves them to develop. There is a culture of shared values trust,
• The organisation involves employees openness and empowerment.
at all levels, to gather ideas for
Excellence
improvement, puts these into practice • Collaborative working is recognised as

and provides feedback. an important way for the organisation
to obtain and share ways of continually
• Employees feel empowered to use their improving management of risk.
knowledge and experience to propose
or champion ideas which support • Employees are motivated to deliver the
continuous improvement. organisation's objectives and demonstrate
a consistent understanding of how this is
• Employees show a commitment to achieved.
exceeding those goals by following
existing processes and indicating where
they can be improved.
• The organisation regularly consults its
workforce in a range of ways, such as Culture
through surveys, workshops, meetings Employees believe their views will be
with managers and safety tours. listened to and acted upon during times of
change.
• The organisation has a process of
Predictable
seeking to involve employees at all • Employees understand the need for

levels of the organisation, and there is change and confirm that they are
a clear structure through which it can consulted on how changes are introduced.
communicate this. • Leaders take responsibility for supporting
• Employees show that they understand the establishment and functioning of H&S
how they contribute to achieving committees.
the organisation’s goals. That • There is consultation during periods of
understanding is consistent with the change and employees believe they can
organisation’s relevant policies and vision have a say in the way the organisation
of the senior team. develops, through collaborative projects.
46
• The organisation has a way of making
sure that employees are consulted on Culture
H&S matters. Employees share the organisation's goals
• The organisation has established, and vision, there are effective arrangements
Standardised
implemented and maintained processes for consulting and participating; and their
for employee consultation and views will be listened to and acted upon.
participation at all levels in H&S matters.
• Employees understand how they
contribute to the H&S of the organisation. • The same systematic approach to
• Employees feel able to make decisions involvement and consultation is applied
within a goal-setting framework. The during collaborative and organisation-only
organisation provides the mechanisms, working.
time, training and resources necessary
for consultation and participation.
• There is some consultation on H&S

matters, but it is not carried out in a Culture
systematic way, or it does not involve all Employees feel that some managers will
employees and is only done broadly to listen and act on their views, but there is
comply with legislation. no consistency in the organisation. The
• There is a process for involving staff organisations goals and vision are generally
OP 1
Managed
and consulting but it is not adopted known about, but not widely understood
consistently, frequently it is only with and respected.
limited sectors of the workforce. Non-
members of trades unions may not be • Employees understand that they are
included. responsible for their own H&S and that
• People in similar roles apply standards in of colleagues, but this is not consistent
the same way. across the organisation.
• Involvement of individuals in collaborative
project decision-making is inconsistent
and depends on the individuals involved.
• There is little or no consultation.
Culture
• There is no process for involving Employees feel that senior managers have
employee in H&S matters. no interest in their ideas and they do not
Ad-hoc
• Employees do not understand how they share a commitment to the organisations

contribute to their own H&S and to the goals.
safety of the people that they work with.
• There is little or no involvement of • No standards are defined, so none are
workers from collaborative organisations implemented.
in decision-making during projects.
47
OP 2 Competence management system (CMS)
The organisation is capable of managing health and safety (H&S) effectively by having sufficient
employees (including volunteers) with the appropriate competences at all levels.
An organisation needs to maintain an adequate organisational capability for H&S, including:
• Having the right number of people, in the right place, at the right time with the right
competence;
• Ensuring recruitment, training and development systems are able to anticipate and cater
for retirements and resignations, especially when there is an ageing workforce and / or a
potential skills shortages and;
• Understanding the minimum human resource needs to maintain safe operation and
particularly to ensure effective risk control during times of organisational change.
A CMS should secure the competence of all those who have roles, responsibilities, authority
and accountabilities, within the organisation’s health and safety management system (SMS),
at all levels of the organisation. This includes directors, senior, middle and junior managers,
supervisors and front-line workers and volunteers.
Regulation 13 of the Management of Health and Safety at Work Regulations 1999 (MHSWR)
requires consideration of people's capabilities as regards H&S when appointing them. Regulation
OP 2
24 of The Railways and Other Guided Transport Systems (Safety) Regulations 2006 (ROGS)
requires companies to have a system in place for ensuring that staff who carry out safety-critical
work are competent and fit to do so.
• The organisation looks to improve and
test its employee competence by using Culture
innovative and technological solutions. The organisation makes full use of its
• The organisation considers innovative employees’ potential and actively involves
technological solutions, addressing them through shared values and a culture
human factors issues, to continuously of trust, openness and empowerment.
Excellence
improve risk control and resilience.

• The right people are always in the right • The CMS clearly considers operational
place at the right time and there is in- competences related to safety-critical
built resilience with some employees work, referencing relevant legislation
competent in both current and next roles. where necessary (e.g. ROGS).
• The CMS is subject to regular monitor, • There is a clear and well defined link
audit and review to ensure that risk between the CMS and the need to
controls are continuously improving. maintain necessary organisational
• The organisation uses employee capability.
involvement to gather ideas for
improvement and puts them into practice.

• RSP1 - Developing and maintaining staff competence: ORR 2016
48
• There is a comprehensive CMS based on
thorough risk assessments of tasks and Culture
includes policies on recruitment, selection Employees believe they have a role to play
and training in-line with identified in the CMS and routinely act to support and
objectives. develop themselves and colleagues.
Predictable
• There are a range of processes in place

to manage organisational competence
including succession and resilience • Changes in the risk profile routinely trigger
planning. Changes to roles are planned. a review of the CMS.
• Employees have required competencies • The CMS is proactive and predictive in
to ensure effective risk control when identifying emerging operational risks
undertaking safety-critical tasks, including associated with safety critical employees
when their role may change. and activities.
• Appropriate priority is given to managing
competence by sharing resources.
• The organisation has an effective CMS
in place. This covers the competencies Culture
needed to meet the business's objectives The value of the CMS is understood by all
and manage risks; and includes both employees and there is a consistent belief
Standardised
technical and non-technical skills. that it will provide them with the necessary
• There is a process which consistently competencies to undertake tasks safely
OP 2
ensures that the appropriate skills, and manage risks competently. Employees
knowledge and experience are included accept ownership of their own competence
in the CMS and this leads to effective and its development.
control of identified and emerging risks.
• Risk controls repeatedly identify the skills,
• The organisation provides individuals knowledge and experience needed by
with the skills, knowledge and experience individuals to manage the risk.
required and makes full use of the
competencies of its employees.
• There is a CMS, which is linked to the
risk profile, but it is inconsistently applied Culture
and does not apply to all staff. Employees believe that the competence
• There are policies on recruitment, management system is important for H&S,
Managed
selection and training, but they do not but effectiveness varies depending on the
always link to the risk profile, or are not in managers implementing it.
-line with the business objectives.
• Training is provided as and when training
needs are identified locally. The right • Risk controls identify the skills, knowledge
people, may not be in the right place, at and experience needed by individuals
the right time, to manage the risks. to manage the risk, but not consistently
across the organisation.
• There is no evidence of any clear
approach to managing competence or Culture
the system is inappropriate for the risks
Ad-hoc
Employees do not believe they are provided

to be controlled by people. with the necessary information, instruction
• Employees may have the competencies and training to undertake their roles,
they need, but there are no arrangements which may result in them deviating from
to check this. procedures and ineffective risk control.
49
securing co-operation, competence and development of employees
at all levels:
• Taking Safe Decisions: the industry-agreed framework for safety decision making on our
railways. How to account for safety and the principles to apply.

OP
50
Planning and implementing risk controls
PI & RCS through co-ordinated management
arrangements
Purpose
To make sure that the organisation has risk controls, that enable it to operate safely.
Introductory notes
Safe operation is based on the adequate control of risk. The health and safety management
system (SMS) needs to set out how decisions are made for the control of risks to ensure legal
compliance is achieved in a structured, efficient and effective way. This includes strategy-making,
planning and processes for the control of risk.

• Pl1 Risk assessment and management - there are adequate, appropriate and
proportionate methods for identifying hazards and assessing risks as a basis of effective
control of health and safety (H&S) risk in the organisation.
• Pl2 Objective / target setting - suitable objectives and targets support the motivation of
employees in the pursuit of H&S strategies, plans and the implementation of risk controls.
• Pl3 Workload planning - effective workload planning ensures that the right resources with
the right skills are in place at the right time to deliver safe and healthy operation.
• RCS1 Safe systems of work (including safety-critical work) - appropriate safe systems
of work (SSOW) are developed and implemented for high hazard, safety-critical work to
safeguard both those carrying out the work, the integrity of the assets involved and others
H&S.
• RCS2 Management of assets - assets are managed to ensure that they remain in good
PI & RCS
condition, and can continue to operate reliably within their design parameters.
• RCS3 Change management, (operational, process, organisational and engineering)
- effective change management ensures that the quantity, frequency and nature of change,
(to assets, process or organisation), does not adversely affect H&S management and risk
control.
• RCS4 Control of contractors and suppliers - selection and control of contractors secures
risk control compatible with organisational standards and expectations.
• RCS5 Emergency planning - effective emergency planning ensures the mitigation of risk
and consequences in foreseeable emergency scenarios.
51
PI1 Risk assessment and management
There are adequate, appropriate and proportionate methods for identifying hazards and
assessing risks as a basis of effective control of health and safety (H&S) risk in the organisation.
Proportionate, appropriate hazard identification, risk assessment methods, and the design of risk
controls are a necessary basis for effective risk management. This includes arrangements which:
• Consider personal as well as process / system risks;

• Are based on the reality of the way work is done and engage employees, (or volunteers)
and / or their representatives;
• Recognise the impact of ageing, stretched and fragile assets;
• Recognise the impact of interfaces, shared risks and involve business partners;
• Apply human factors knowledge about behaviour and consider both H&S risks; and
• Consider both the risks of performing work and the impact of that work on other risk
controls.
• Risk assessment is used to drive

continual improvement in the risk profile Culture
of the organisation. Employees at all levels seek to learn from
• The organisation strives for continuous others and readily share their knowledge
improvement in risk assessment and experience, knowing that this will lead
processes looking at alternative to improved risk control, within their own
Excellence
techniques, which challenge the organisation and collaborating partners.

effectiveness of risk controls, by working
with other organisations in their own and • The organisation is recognised as an
other industry sectors. industry-leader in risk management.
PI 1
• The organisation maintains an external • The organisation leads cross-industry risk

view to identify effective risk controls from reduction programmes.
other organisations and other industry • Appropriate risk assessment processes
sectors. are used to make strategic choices related
• The organisation’s adoption of new and to the totality of the rail infrastructure.
novel techniques in risk management has
led to significant risk reductions.
• Risk assessments are integrated
throughout the organisation to make sure Culture
there is a systematic approach to risk Risk assessments, including removing risk
Predictable
control, even during periods of change. at its source, are part of the culture of the
• The approach to risk management is organisation; “Risk assessment is how we
embedded and applied consistently do things round here”.
throughout the organisation and enables
effective collaboration with stakeholders. • Removing risk at its source is part of a
• The risk assessment review cycle is consistent approach and is reflected in the
prioritised on a risk-basis. organisation’s policies.
• Risk management principles are • There is evidence of participation in cross-
intelligently applied at all levels. industry risk reduction programmes.

• EU Common Safety Method for risk evaluation and assessment; Guidance
on the application of Commission Regulation (EU) 402/2013: ORR
52
• The organisation has clear policies
on using risk assessments. The Culture
organisation's risk profile has been Employees understand the purpose of risk
established. There is clear understanding assessment, they are actively involved
of what risks will be tolerated. and see the value of risk assessment in
• Risk management of system / process controlling hazards and ensuring their H&S.
Standardised
risks, as well as individual risk, is used

in a consistent way in different parts of
the organisation using quantitative and • The organisation makes effective use
qualitative techniques proportionate to of the risk control hierarchy (General
the risk profile. principles of prevention from MHSWR
• Control measures in place are those that 1999, Schedule 1) and there is evidence
have been identified by risk assessment. that some risks have been eliminated at
• The effectiveness of control measures source.
for both H&S risks are evaluated and • There is evidence of collaboration with
proportionate corrective action is taken. other organisations, where the control of
a risk requires action by more than one
party.
• Risk assessments are completed, but
there is a lack of consistency on how risk Culture
assessments are conducted, with some Managers recognise that risk assessment
managers doing better than others. is their responsibility, but they frequently
• There is a process for risk assessment, use risk assessment to demonstrate that
but it is not applied consistently across controls already in place are adequate, or
the organisation. to justify not doing more.
• There is some coordination of risk
Managed
There is some involvement of employees

control, but focus is on operational risks
in the risk assessment process and some
and not the complete risk profile.
understanding by employees as to why it is
• The organisation uses a range of risk
PI 1
important.
assessment techniques, but not always
appropriately to the risk profile. • There is evidence that the organisation
• Control measures within an activity co-operates with other organisations to
do not always include the measures identify and control shared risks, but not
identified by the risk assessment. consistently.
• Health risk controls rely on lower level
controls from the hierarchy such as
personal protective equipment (PPE) and
training.
• Risk assessments are not completed or
used to develop effective risk controls Culture
relevant to the hazards associated with There is widespread evidence that the
the organisation's operations. risk control hierarchy is not understood
• There is no process to identify the risk by employees at many levels in the
profile associated with the organisation, organisation. Managers / supervisors
Ad-hoc
or to develop and review risk controls. think it is someone else’s job to carry out
• Risk assessments are inappropriate for risk assessments. Employees see risk
their intended use. assessment as a bureaucratic process
getting in the way of them doing their job.
• Health risks are not considered by the
organisation. • No evidence of collaboration over the
• The hierarchy of risk control is poorly improved control of shared risks.
used and there is over-reliance on use of
information, instruction and training.
53
PI2 Objective / target setting
Suitable objectives and targets support the motivation of employees in the pursuit of health and
safety (H&S) strategies, plans and the implementation of risk controls.
H&S objectives need to be ‘specific, measurable, and agreed with those who deliver them,
realistic and to a suitable timescale’ (SMART). Both short and long-term objectives should be set
and prioritised alongside wider organisation objectives.
Objectives at different levels or parts of an organisation, should be aligned so they support the
overall objectives of the organisation’s H&S policy. Personal targets can also be agreed with
individuals to help ensure the objectives are met.
Objectives and targets are a means of providing motivation and incentives and a basis of
rewarding success for good risk control. They should be set carefully to avoid:
• Conflicts with other business objectives and;
• Perverse behaviours leading to unintended consequences such as under reporting of
incidents, or activity to control one risk to the detriment of another.
An objective is defined as the desired end point.
A target is a measurable step taken towards achievement of an objective.
• The management of performance is
measured against that of others, within Culture
and outside the rail industry, to drive Organisations can demonstrate a coherent
continual improvement. cascade of objectives against delivery
•
Excellence
There is a commitment to continuous of continual improvement, in a balanced

improvement backed by performance suite of performance objectives, such that
targets for managers and board they create an evident culture of continual
members. improvement through the use of process,
PI 2
• Achievement or non-achievement is plant and people development.

recorded and used to help with continual
• Mutual performance standards are set
improvement.
for collaborative relationships and these
• Performance objectives are challenging are recognised to drive continuous
and reviewed to demonstrate continuous improvement.
improvement in H&S achievements.
• Objectives are SMART, prioritised and in
line with each other to support the overall Culture
policy. The organisation incentivises the delivery
• The health and safety management of objectives, but does not fully understand
Predictable
system (SMS) makes sure that targets if the objectives have made a substantial
are set and achievement is measured. change to the capability of the organisation
• The organisation plans to achieve H&S to deliver sustained H&S control.
objectives and these plans determine;
what will be done; what resources are • The importance of performance targets
required; who is responsible, when it for H&S is recognised and achievements
will be completed; how the results will rewarded.
be evaluated and how actions will be • Systems are in place to follow up on
completed. non-achievement.
54
• H&S performance targets and objectives
are set. Culture
Standardised
• Attempts are made to achieve SMART Individuals expect to be held accountable to
objectives and to prioritise objectives and fair, clear and achievable objectives.
targets and bring them in-line with each
other. • Objectives include performance
• Systems are in place to follow up on standards for collaboration internally
achievement. and with external organisations, such as
• Achievement of objectives is not well contractors, etc..
aligned to the review process.
• There are objectives. Some may be
SMART and prioritised, but team and Culture
individual objectives within different parts The organisation does not have a
of the organisation are not aligned and do consistent approach to the setting of
not always support the objectives of the objectives. This results in an incoherent
Managed
organisation’s overall policies. cross organisation approach with conflicting

• Personal targets are not related to the priorities.
objectives of the organisation’s overall
policies. • The organisation does not have a
• Failure to meet targets or objectives is consistent approach to the setting of
tolerated. objectives for collaborative situations.
• No consistent application of standards of This results in an incoherent inter-
any performance standards that do exist. organisational approach with conflicting
priorities.
• There are few or no H&S targets set for
the organisation. Culture
• Any targets which do exist are not The assumption is that individuals must
SMART or prioritised or aligned to the be delivering if the organisation is still
risk profile. operating but there is no evidence to back
PI 2
Ad-hoc
• No clear idea of performance of this up.

individuals involved in the SMS.
• No effective application of standards for
setting performance targets.
• No performance targets set for
collaborative ventures or joint-risk
management with contractors, other
operators, etc..
55
PI3 Workload planning
Effective workload planning ensures that the right resources, with the right skills (with the right
equipment) are in place, at the right time, to deliver safe and healthy operation.
Good planning will significantly improve the way an organisation manages health and safety
(H&S) by making sure there are the right resources to carry out tasks. This will lead to effective
risk control and efficient working.
Planning should be realistic drawing on human factors, to ensure that work demands do not
exceed human capabilities.
• The organisation looks beyond its
organisational boundaries for factors Culture
which may impact on its workload Employees at all levels feel they are able to
planning. influence their own work plan, have active
• The organisation collaborates with others involvement in planning additional work and
Excellence
to achieve continuous improvement in that there is a healthy balance between

planning systems of all collaborating their needs and those of the organisation.
parties.
• The workload planning system supports • Active pursuit of best practice which is
a healthy lifestyle for the individual implemented even when planning the
balanced against delivering the workloads of collaborative teams.
organisation’s objectives, efficiently.
• The organisation actively seeks out best
practice in managing workloads and
implements ideas that enable continuous
improvement in risk management.
• The planning system includes regular
PI 3
reviews of workload and resources, both Culture

within the organisation and the supply Employees actively support managers
chain. over workload planning and resource
• When major projects and changes management and feel that their ideas and
Predictable
occur, the workload planning system concerns are valued and will be acted
is designed to ensure that nobody is upon.
overloaded with work.
• The fatigue management system is part • Standards reviewed following changes to
of a comprehensive health and safety workloads or tasks.
management system (SMS) and applied • Effective workload planning system
to all staff at all levels of the organisation. includes changes to workloads, or task
• Even when there is extra work or content, including collaborative project
changes, nobody becomes overloaded teams.
with work.
56
• A planning system is in place to make
sure that tasks are given to the correct Culture
person and can be completed on time. Employees feel that resources and
• The organisation determines; what will workload are aligned and reasonable. They
be done; what resources are required; are comfortable to challenge managers
who is responsible and when it will be about additional tasks, particularly
completed. when related to safety critical activities.
Standardised
• The resource management system Employees accurately record the hours

captures work and travel hours to be they work including travelling for work.
recorded to identify / monitor excessive
hours worked. • Standards identified and used effectively.
• The fatigue management system • Effective use of systematic workload
considers activity, workload, environment planning, leading to effective risk
and travel, but is principally focused on management, including collaborative work
operational employees. teams.
• The organisation determines and
provides the resources needed for
the establishment, maintenance and
continual improvement of the SMS.
• Workloads vary, but some thought has

been given to allocating tasks in a way Culture
that aims to reduce overloading. Employees recognise the importance
• There is a process to identify and of safety-critical tasks. There is some
prioritise safety-critical tasks, but challenge of managers by employees
workloads are not reviewed to manage where there is inadequate resource.
Managed
areas of overloading. Managers accept that working excessive

• There is a simple process of looking hours is just part of the job and will tend to
at hours and shift patterns to manage under report the hours they work.
PI 3
workload-related health issues.
• Safety-critical tasks are mostly completed • Standards to reduce fatigue identified, but
effectively. used inconsistently.
• There is some monitoring of workloads, • Inconsistent application of workload
but people still become overloaded, planning to collaborative projects
leading to failures in risk control. dependent on individuals not systems.
• There is little or no control of workloads.
• There is no effective process for Culture
managing workloads. There is a culture of accepting tasks that
• There is evidence that poor performance are allocated, without challenging, even
Ad-hoc
in carrying out tasks is due to not enough if this results in becoming overloaded
time being given and tasks which are and non-completion of tasks. Managers
critical to safety not being prioritised think it is acceptable to employee to work
properly. excessive hours.
• Some people are overloaded, while
others are lightly loaded. • No effective workload planning for
• No standards identified and used. collaborative work.
57
Safe systems of work (SSOW)
RCS 1 including safety critical work
Appropriate safe systems of work (SSOW) are developed and implemented for high hazard,
safety-critical work, to safeguard both those carrying out the work, or affected by it, and the
integrity of the assets involved.
The focus of this element is to evaluate an organisation’s ability to identify risks relating to
specific tasks and put appropriate controls in place to protect the health and safety (H&S) of
those carrying out and affected by those tasks.
• There is a commitment to continually
improve SSOW by, for example, Culture
benchmarking within and outside of the The culture is one where everyone across
rail industry.
Excellence
the organisation is actively seeking

• The SSOW have the best possible blend improvement, identifying, deploying and
of processes, plant and people to achieve sharing best practice from all relevant
excellent results, delivered efficiently and sources.
safely.
• The SSOW are shared with industry and • Consistent use and continual
are recognised as excellent by outside improvement of shared SSOW and active
organisations. sharing of good practice, for example at
conferences.
• The SSOW are used to both implement

risk controls and get feedback on how Culture
adequate they are. The culture involves a mature and
Predictable
• Changes to the SSOW are checked integrated approach, with a carefully

carefully and are well-managed. They managed library of SSOW based on robust
produce the result that was predicted risk assessments.
RCS 1
and planned for, before the change was

made. • Extensive consultation is carried out with
• Standards are maintained even after those using and those affected by the
changes to SSOW. Consistency is clearly SSOW. Shared SSOW are subjected to
evident across departments and projects. the same processes as the organisation's
own ones.
• There is a clear, consistent approach to
developing and putting in place SSOW Culture
that use effective risk management. The culture of risk management is mature,
Standardised
• The tasks, including ones critical to effectively using and improving existing
H&S, are clearly understood and can be safe SSOW.
repeated across sites and shifts.
• Standards are applied consistently
across the organisation in the
management of SSOW.
• Collaborating parties consistently use
shared SSOW.
58
• SSOW are in place, but there are clear
differences in how they are applied Culture
across the organisation. The culture is to use what is available for
• The SSOW are sometimes less than a specific task or area, but in isolation, not
Managed
adequate because the procedures cause learning from elsewhere or sharing good
mistakes, or are not effective in achieving practice.
the intended result.
• There is inconsistent compliance with
standards across departments and areas
of work.
• SSOW are not used consistently between
collaborating parties.
• The SSOW actually used are not the
same as the written procedures. Culture
• The SSOW do not take account of risk, The culture is reactive, using SSOW
and tasks that are critical to H&S are not
Ad-hoc
inconsistently and not communicating the

always identified and prioritised. requirements using a systematic approach.
• No or only weak evidence of application
of standards.
• SSOW are not co-ordinated with those of
collaborators.
RCS 1
59
RCS 2 Management of assets
Assets are managed to ensure that they remain in good condition and can continue to operate
reliably within design parameters.
Successful management of assets involves:
• Identifying the assets the organisation owns and manages and;
• Having systems in place to make sure that assets remain in a good condition and capable
of operating reliably within design parameters.
Suitable predictive maintenance techniques should be employed where appropriate. The
condition and life expectancy of assets should be factored into maintenance and renewal
decisions. Asset condition and life expectancy should be factored into enhancement project
thinking to ensure that a balance is struck between safety, performance and efficiency in
investment decisions.
• Information on work history type and
cost, condition and performance are Culture
recorded at asset component level. There is a demonstrable alignment between
•
Excellence
Systematic and fully optimised data asset management objectives, systems and
collection programme is in place with individual responsibilities at all levels and
supporting metadata. across the organisation.
• There is evidence of an effective pro-
active and predictive maintenance regime • There is clear evidence of searching for
across the organisation. best practice in asset management and
• Enterprise-level guidelines and condition monitoring as part of the drive to
standards are in place with best practices continuous improvement.
incorporated from other industries.
RCS 2
• A reliable register of physical, financial

and risk attributes are recorded in a Culture
system with data analysis and reporting The organisation is structured to support
functionality. effective asset management and the
• Systemic and documented data collection importance of this is understood by
Predictable
processes are in place. everyone. There is a consistent approach to

• The organisation has successfully asset management across the organisation.
implemented a condition-based,
preventative maintenance regime that is • Changes to frequencies or content of
effective. examinations are communicated to
• There is a governance plan in place collaborator organisations to ensure that
which is continuously reviewed and joint assets are correctly maintained.
updated to incorporate learning from • Audit is used by all parties in collaborative
the organisation’s asset management activities, individually and jointly.
activities.
60
• The data held by the organisation is
sufficient to support prioritisation of asset Culture
management programmes (criticality). The organisation’s leadership own and
Standardised
• Asset hierarchy, identification and visibly support the asset management

attribute systems are documented and programme. There is an awareness at all
appropriate metadata is held. levels of the organisation of the importance
• Maintenance is conducted against a of asset management in managing system
periodic maintenance plan, which is in safety.
the most part achieved.
• There are standards in place for each
asset type.
• Joint assets are part of the asset
management system.
• Asset management is inconsistent across
the organisation. Culture
• Basic physical information for assets is Asset management functions are carried
held in a spreadsheet or other simple out by small groups. Roles reflect asset
system, but is typically based on broad management requirements. Understanding
Managed
assumptions, or it is incomplete. of the importance of asset management

• There is evidence of a generally reactive is typically limited to individuals directly
approach to maintenance across the involved.
organisation. Where maintenance is
planned, there is widespread evidence of • Some joint assets are included in the
backlog. asset management system, but no
• The standards in place in the consistency.
organisation are generally those defined
by the original equipment manufacturer
(OEM) / asset vendors.
RCS 2
• There is a general awareness of the
need to manage assets to maintain their Culture
integrity and to hold an asset register. There is little recognition that asset
•
Ad-hoc
Asset information is held in multiple management is important.

formats.
• Equipment is repaired when it fails. There • Shared assets are not maintained
is little evidence of planned preventative proactively.
maintenance (PPM).
• There are no defined standards for asset
management.
61
Change Management (Operational, Process,
RCS 3 Organisational and Engineering)
Effective change management is proactive and secures the quantity, frequency and nature of
change, (to assets, operation, process or organisation), does not adversely affect health and
safety (H&S) management and risk control.
All individual changes need to be managed to prevent adverse impact on the SMS) and control
of risk. This includes risk arising from the process of change itself, as well as the new end-state.
Appropriate methods of risk assessment should be employed where appropriate.
The total amount and pace of change should be managed to ensure the collective impact does
not adversely affect safety performance.
• There is an understanding that
change can affect other aspects of Culture
an organisation’s business or other Employees feel that all changes which are
organisations with shared accountabilities implemented have an overall positive effect
this leads to business risk being linked upon themselves and the organisation.
with H&S risk during and as a result of
Excellence
any change. • The organisation actively seeks

• All employees are fully conversant with improvements to standards of change
the change management process and management to drive continuous
there is no need for a dedicated change improvement.
management team, changes lead • The organisation actively seeks
towards continuous improvement. collaborators to assist in driving
• Changes which are implemented, continuous improvement in management
only ever reduce the organisation’s of change.
overall risk profile and seek continuous • There is a clear review process in place
improvement. that analyses the effectiveness of changes
RCS 3
as and when they take place.

• The change process requires a review
to be carried out after a change, which Culture
is structured to consider the wider The importance of involving employees in
implications of the change including the the change process is recognised to bring
effect the change has had on the culture benefits and those employees are actively
Predictable
of the organisation. involved, because they understand the

• There is an efficient and effective change importance of managing change and the
management process, which considers role they play in that organisation.
the wider impact of change including the
impact on other organisations. • Effective control of change extends to
• All changes are well managed and their cross-organisational change involving
risks well controlled. collaborators and includes effective
• Organisational standards for information transfer post-change on H&S
management of change exist and are performance.
uniformly applied.
62
• There is an efficient approach to
managing any process, technical, Culture
operational or organisational changes, Employees recognise the importance of
engaging staff in the process. effective change management, but still feel
Standardised
• There is a structured approach to that changes are often implemented without

change, involving a number of steps and proper consideration of the impact on their
a defined process in the management safety and/or health.
system.
• There is a consistent approach to risk • Standards include clear processes for
assessment and risk control after a managing changes involving collaborators
change is made. and these are applied.
• Organisational standards for • Risk assessments consider human
management of change exist and are performance.
uniformly applied.
• The importance of change management
is understood and there is some degree Culture
of control over all types of change or Some employees recognise the importance
inconsistent types of control over different of a systematic approach to change, but
types of change (technical, operational, this is inconsistent and depends on the
organisational). individual’s experience.
Managed
• There is a process for managing change,

but it is either not used consistently, or • Inconsistent involvement of collaborator
it is not effective at managing the risks organisations in the management of
following a change. changes, depending on individuals
• Some changes are made without their involved not systematic process.
risks being controlled.
• Some departments have standards for
change management, but not all, and
RCS 3
even those that exist are inconsistently
applied.
• There is little or no control of change
and changes are made without effective Culture
consideration of their risks or their wider Employees feel that the effect of change on
impacts. their safety and/or health is not considered.
• There is no process or system for
Ad-hoc
making changes, which leads to risks not • There is little or no involvement of

being identified or controlled following a collaborator organisations in managing
change. change, even to shared processes or
• The risks associated with a change are risks.
not identified and so are not controlled.
• No organisational standards for
managing change exist, so none are
applied.
63
RCS 4 Control of contractors and suppliers
Organisations need to effectively manage the health and safety (H&S) of their contractors and
suppliers and those affected by their activities, wherever those activities are carried out.
Maintaining a sound intelligent customer capability is essential, to ensure the organisation
retains understanding and knowledge of the products or services being supplied by the range of
contractors.
Some key features of effective contractor / supplier control are:
• Selection (including resources, equipment, knowledge and experience);
• Co-ordination between clients, contractors and sub-contractors (i.e. who does what, when
and how);
• Induction to site rules, procedures, hazards and emergency arrangements;
• Supervision (by whom - including on-the-job and checks of completed work);
• Competence of contractors (e.g. consider the role of the client and the contractor’s
management);
• Assessment of new hazards introduced by the activities of contractors – which could be
direct (e.g. in the case of asbestos removal), or indirect (e.g. caused by undetected, latent
faults left behind when a contractor completes work) and;
• Review of the contractor selection and management system.
• The contractor supply chain seamlessly
delivers all of the organisation’s Culture
objectives. A culture of openness and mutual trust
• Effective processes exists for pre- and respect exists in which the boundary
qualification, selection, induction, between contractor and organisation is
management and post-contract review of seamless, and values and objectives are
RCS 4
Excellence
contractors. These processes are under shared.

continual review and improvement.
• The contractor’s / supplier’s main • The contractor / supplier collaborates
H&S activities are in line with the seamlessly with the organisation and
organisation’s. customer, all parties operate inter-
• The process is consistently applied dependently for mutual benefit. Evidence
and measured for effectiveness. There of transparent and effective two-way
is evidence of formal audit, and of communication.
measurable continuous improvement • The organisation maintains an intelligent
delivering tangible benefits. customer capability for contractor
selection, control and management.
64
• There is a systematic approach to
contractor / supplier control. Culture
• Effective pre-qualification arrangements A culture exists in which communication is
take a balanced approach, considering open and honest. The integration between
Predictable
H&S performance. Effective processes contractor / supplier and the organisation

exist for the ongoing management is strengthened through collaboration and
of contractors at all stages of the sharing of objectives.
relationship.
• Performance measures and post-contract
• There is a clear understanding of reviews help guide decisions on the
responsibility at all stages of the contract. choice of contractors for further work.
Good working relationships between
client and all contractors, are delivered
• The contractor / supplier collaborates
effectively with the organisation. Evidence
through effective interface arrangements.
of effective two-way communication.
• The importance of contractor control
is recognised and this is reflected Culture
in the organisation’s relevant policy A culture exists in which communication
and process, but measurement of the is open and honest. The contractor and
Standardised
effectiveness of the process may be organisation are still distinct, but there is
lacking. some evidence of collaboration and sharing
• There is robust evidence of induction and of objectives.
communication with contractors.
• Contractors are closely aligned with the • Comprehensive processes exists to
customers expectations. ensure that contractors are chosen on
their ability to complete work safely and
• The contractor’s performance is
to a satisfactory standard, and managed
monitored during the contract, and
effectively following appointment.
appropriate performance measures are
used effectively to track achievement.
•
RCS 4
Some elements of a risk control system
are in place for contractor control, but Culture
there is no systematic process from A ‘contractual’ culture exists in which
selection through to post-contract review. communication is open and honest but the
Managed
• There is some evidence of induction of contractor / supplier and organisation are

and communication with contractors. clearly separated.
• Contractors are broadly aligned with the • The key elements of the contractor
customers expectations. relationship are managed through formal
• There is some evidence of a managed processes.
process in the initial selection, • The contractor is loosely managed by the
monitoring, and post-contract review, but organisation, but operates mostly as an
application may be inconsistent. independent entity.
• Contractors and suppliers are appointed
when needed, but when selected there Culture
are few considerations other than cost. An ‘us and them’ culture exists. The
• There is no formal process for managing contractor / supplier is blamed for
Ad-hoc
contractors / suppliers, monitoring their operational failings. The organisation is

performance or review of the completed blamed by the contractor / supplier for lack
contract. of information / management.
• There is little evidence of integration
• There is little consideration of the
of contractors / suppliers with the
responsibilities for risk control when
organisation, and consequently a lack of
deciding how to do the work.
shared objectives and values.
65
RCS 5 Emergency planning
Effective emergency planning ensures the mitigation of risk and consequences in foreseeable
emergency scenarios.
The overall aim of emergency planning is to make sure that appropriate measures will be used
when and where necessary to prevent or reduce the harmful effects of major accidents.
• The organisation proactively looks

outward when planning emergency Culture
response to identify and use good Culture of striving for continual
practice in a spirit of continuous improvement in response to all
improvement. emergencies.
Excellence
• Emergency response arrangements are

in place and reflect good practice from • Information sharing is fully collaborative
both within and outside the rail industry. both with direct collaborating
• Lessons from published reports are organisations and others with relevant
included in procedure reviews and information and / or experience.
incorporated into revised emergency
procedures.
• The organisation actively seeks to find
and share more effective ways of dealing
with emergencies.
• Emergency responses are developed
and reviewed in response to developing Culture
risks and emergency scenarios. Culture of making the best possible
• Feedback from exercise 'wash-ups' is response if an emergency occurs.
RCS 5
taken into account when procedures

Predictable
are reviewed to make sure emergency

• Changes to the emergency response
responses remain up to date and
procedures are based on evidence from
effective.
experience and demonstrably lead to
• The full suite of emergency arrangements improvements.
have been assessed so that appropriate
• Collaborative organisations are fully
risk reduction strategies are evident
involved in wash-up sessions including
should they be realised. Feedback from
reviews of procedures.
exercise 'wash-ups' is taken into account
when procedures are reviewed to make
sure emergency responses remain up to
date and effective.
66
• Potential emergencies arising from tasks
are identified as part of risk assessments. Culture
• Control measures, including training The culture is to recognise and plan for
Standardised
and resources, are in place to deal with effective emergency responses.

emergencies.
• The organisation determines and • Joint emergency response exercises take
provides the resources needed to support place with other organisations involved in
the emergency planning arrangements. a task. Roles in emergency response are
• The organisation recognises that clear and understood.
emergency planning is a critical part
of the business and is applying the
appropriate standards.
• The organisation realises that emergency
responses are an important part of a risk Culture
control system. Emergency responses are developed
• Major emergencies that could arise are locally and owned by individual
Managed
identified and there are some plans in departments or sites, rather than being
place to deal with them. jointly developed and co-ordinated.
• Emergency responses are the
responsibility of departments or divisions • Emergency procedures requiring multi-
of the organisation. agency response are recognised,
• The organisation applies basic but there is no structured planning of
requirements to the plans for major responses required.
emergencies that could arise.
• There is no organised identification
of possible emergencies and how to Culture
respond if they arise. The culture is that there is a recognition
• The organisation relies on the emergency that major emergencies could occur, but no
RCS 5
services to deal with all aspects of an planning is undertaken to deal with specific
Ad-hoc
emergency. ones; a generic emergency response is

• The organisation does not consider the thought to be enough.
risks or the consequences of possible
emergencies on the business or its • There is no consideration of the need
workforce. for co-ordinated responses with other
• The organisation does not apply organisations in the event of major
standards to support emergency planning incidents requiring joint responses.
or arrangements.
67
planning and implementing risk controls through co-ordinated
management arrangements:
and the public.
• Close Call: to record and manage conditions and behaviours that, under different
circumstances, could have led to injury or harm.
• The Safety Risk Model: access to a network-wide risk profile. Use the outputs to
understand your own risk profile, make risk assessments and investment decisions.
• Safety Risk Model Profile Tool
• Measuring Safety Performance Guidance: to help you identify the best safety
performance indicators to monitor for your key risks.
• Leading Health and Safety on Britain’s Railway (LHSBR): Looks at 12 priority risk areas,
a framework for the collaborative improvement of health and safety risk management.
• LHSBR Quarterly Monitoring Report: a summary of implementation actions in the LHSBR
priority areas.
• Taking Safe Decisions: the industry-agreed framework for safety decision making on our
railways. How to account for safety and the principles to apply.
• Common Safety Method for Risk Assessment and Evaluation: Six CSM RA Rail
Industry Guidance Notes (including GEGN8646).
• Rail Industry Supplier Qualification Scheme: single point of entry for buyers of products
and services for the rail industry.
• Safety Management Intelligence System: for the collection, sharing and analysis of safety
incident data.
PI / RCS

68
MRA Monitoring, audit and review
Purpose
The aim is to make sure that risk controls are in place, working correctly and achieving the
organisation’s objectives.
Introductory notes
Organisations need to measure, audit and review the implementation and effectiveness of all
parts of the SMS. This is the basis of feedback, learning and continuous improvement.
Monitoring - organisations need to measure the effectiveness of risk controls to make sure that
risk controls are identified and work in practice. Safe systems of work (SSOW) must be monitored
to make sure they are appropriate and are actually being followed. Systems for monitoring,
auditing and reviewing performance should be in place to make sure that the health and safety
management system (SMS) is working correctly.
Audit - an audit checks that the organisation is doing what it says it will do. It should be
supported by regular reviews to make sure that the organisation’s business objectives are
correct.
Review - the review should also check that the arrangements put in place to meet the business
objectives are working as intended.
Monitoring, audit and review form a feedback loop within the overall SMS, and are an essential
part of programmes for continual improvement and achieving excellence.
• MRA1 - Proactive monitoring arrangements - proportionate, targeted monitoring before
an accident or incident to provide feedback on the implementation of strategies and plans,
and the effectiveness of the SMS arrangements essential to motivate and reward success
in risk control.
• MRA2 - Audit - Independent, systematic audits check that risk-control systems and
management arrangements within the SMS are effective.
• MRA3 - Incident investigation – proportionate investigation of accidents, incidents and
near misses is essential to learn from adverse events.
• MRA4 - Management review - review at appropriate levels to ensure that policies, MRA
strategies and plans remain appropriate and effective in the face of feedback from
monitoring, investigations and audit findings.
• MRA5 - Corrective action - Corrective action through change management programmes
secure the proportionate, prioritised close out of actions arising from monitoring,
investigations, audits and reviews.
69
MRA 1 Proactive monitoring arrangements
Proportionate, targeted monitoring before an accident or incident to provide feedback on

the implementation of strategies and plans, and the effectiveness of the health and safety
management system (SMS) arrangements essential to motivate and reward success in risk
control.
Monitoring provides managers with confidence that risk control measures identified in risk
assessment are in place and working as intended to control risk before something goes wrong.
This includes hardware controls, work systems and practices controlling risks. For example, train
dispatch arrangements at the platform train interface (PTI), or maintenance procedures for relief
valves in process industries.
Monitoring should be proportionate to the hazards / risk and include:
• Critical systems (those relied upon to prevent a serious risk outcome being realised);
• Vulnerabilities - those systems with a tendency to degrade over time, (such as controls
with a large human input, for example train dispatch and valve maintenance, and those for
which current performance is not being implemented well and;
• Sampling cultural characteristics.
and a mixture of:
• Activity / process measures (doing something, e.g. number of valves maintained); and
• Outcome measures result (for example number of valves passing examination).
Suitable analysis of the results of monitoring assists in identifying common underlying issues and
systemic problems. Choosing the correct monitors is important; “measure what is important, don’t
make important what you can measure” 1.
• Active steps are taken to identify,
evaluate and utilise novel ways of Culture
monitoring to achieve continuous Monitoring is understood to be a key part
improvement in risk control. of assurance and component of continuous
• Managers actively participate in improvement.
industry-wide and cross-industry groups
to improve risk control monitoring • The organisation is known for mature
Excellence
techniques e.g. remote condition relationships with collaborators who

monitoring. strive to work again with the organisation
MRA 1
• The organisation is an early adopter of as they are assured that risks will be
new standards relating to monitoring controlled.
and recognised as an 'early complier' • Across the organisation monitoring
organisation. activities are recognised as vital in
• The organisation has closely linked improving risk control.
outcome and activity indicators which • The monitoring arrangement address
demonstrate risk controls are optimised. proportionately and appropriately all the
processes and systems within the SMS
to ensure their implementation, adequacy
and effectiveness.

• HSG 254 ‘Setting Performance Measures in the Process Industries’
• RSSB guidance ‘Measuring Safety Performance’.
• EU Common Safety Method for monitoring,
70 1 Robert McNamara, U.S. Defence Secretary at the time of Operation Rolling Thunder.
• Change processes ensure that risk-
based monitoring is in place following a Culture
change. Monitoring of risk controls is part of the way
Predictable
• Managers and supervisors are well- risk is managed, including during periods of
trained and have the necessary change.
resources, and there is evidence of
challenge of SSOW (see RCS1). • The outcomes of monitoring are shared
• Monitoring remains key to understanding with collaborators to ensure mutual
risk control, even in times of change. assurance of the effectiveness of risk
controls.
• Monitoring is reviewed to ensure
continuing compliance with standards.
• There is a systematic approach to
monitoring, based on published Culture
guidance. The importance of monitoring risk controls
• Monitoring flows from the risk is understood and the right things are
assessment, and all risk controls are measured, giving assurance of the
Standardised
monitored in a systematic way across the effectiveness of risk controls. Monitoring

organisation. provides feedback and positive motivation /
• The organisation has established, reward.
implemented and maintained processes
for monitoring, measurement, analysis
• Management receive information from
and performance evaluation. Including,
monitoring activities that allows them to
the extent to which legal and other
have assurance that key risk controls are
requirements are fulfilled, progress
in place and working as intended.
towards achievement of H&S objectives,
the effectiveness of operational and • Monitoring is compliant with the
other controls. These systems apply to requirements of CSM for Monitoring or
collaborative working too. ISO 45001:2018.
• Some risk controls are monitored, but
there is no systematic approach to Culture
monitoring. Some monitoring is undertaken, but it is
• Monitoring is not a systematic process, not risk-based and any assurance obtained
Managed
records of monitoring activities are not from it is purely by chance.

co-ordinated and there is evidence that
adverse outcomes are not actioned. • Most people in the organisation
• There are inconsistencies between understand the need to monitor risk
different areas of the business in the controls. MRA 1
way monitoring is done and the action • Some risk controls for collaborative
taken in response to the outcomes of working are monitored but there is no
monitoring. systematic approach to monitoring.
• There is little or no monitoring, so little
understanding of whether risk controls Culture
are in place or are working effectively. There is little or no evidence of
Ad-hoc
• There is no evidence that risk controls understanding why risk controls must be
are monitored. monitored.
• There is little or no data analysis done to
inform the organisation that monitoring is • Little or no monitoring of risk controls
needed to ensure that risk controls are in needed for collaborative working.
place and effective.
71
MRA 2 Audit
Independent, systematic audits check that risk-control systems and management arrangements
within the health and safety management system (SMS) are effective.
An audit is an independent, systematic check of risk-control systems and management
arrangements to make sure that business objectives are being met. An audit can be an internal
audit (first party, conducted by the organisation) or an external audit (second or third party,
conducted on behalf of the organisation).
Auditing is recognised as a key part of SMS in ISO45001:2018.
Audit processes are described in more detail in BS EN ISO19011; 'Guidelines For Auditing
Management Systems'. Auditing relies on a number of principles that are set out in the guidance.
A proportionate, targeted audit programme should be devised and implemented to provide the
board with adequate assurance about the 'health' of the SMS and the sustainability of safety
performance.
• Audit actions identify ways to
continuously improve management of Culture
risk in the organisation by referring to The organisation strives to identify best
examples of excellence in the rail or other practice in business risk management to
sectors. inform the audit programme.
Excellence
• Identification of innovative solutions that

improve risk management is encouraged • Peer-to-peer reviews with other
in audit reporting and actions. comparable organisations are routinely
• Audit and completion of actions arising is included in the audit approach.
understood to be a driver of continuous • The audit process provides a high level of
improvement. assurance across the organisation.
• Auditors are competent to make effective
challenge and encouraged to identify and
deliver findings which drive continuous
improvement.
• Post-change audits are carried out as
part of the verification of change process. Culture
• The audit programme includes Audit is understood to be an essential
MRA 2
consideration of new processes and part of development of processes and

Predictable
procedures. procedures contributing to improvement in

• Audit of processes that have been risk management.
changed is understood to be an important
part of the change process. • Auditors keep their competencies up-
• Audit is used by all parties in to-date through practice and Continuing
collaborative activities Individually and Professional Development (CPD)
jointly. activities.
• Audit findings are recognised as
important indicators of successful
changes.
72
• There is evidence of a co-ordinated,
effective and up to date audit programme. Culture
Standardised
• The organisation can show that audits The value of audit is understood at all levels
are completed by competent auditors. in the organisation and there is a culture
• Audit is understood as an essential part that the challenges and recommendations
of the risk management process and staff are positive influences.
readily engage with the audit programme.
• Audit results are accepted, acted upon • Collaborative activities are included in the
and tracked through to completion. audit programme.
• Audit programmes are adequately
resourced.
• There is some auditing, but there is no
coordinated audit plan. The audit plan is Culture
not proportionate to the risk profile of the The value of audit is inconsistently
organisation or implemented consistently. understood and challenges are often taken
• Some departments / processes are personally, resulting in conflict between
Managed
audited, but not all. auditors and auditees.

• The role of audit is not understood
consistently in the organisation. Audit is • Some collaborative activities are subject
perceived defensively and negatively. to audit, but there is no consistency.
• Some findings are acted upon dependent
on the individuals involved. There are
some competent auditors, but no system
in place to ensure that they carry out the
audits.
• There is little or no evidence of any audits
being carried out. Culture
• Audits that are carried out are not There is little or no understanding of the
planned or prioritised and the findings are value of auditing, which is seen as a chore.
Ad-hoc
not acted upon.

• The value of audit is not understood, or • There is no oversight of audit to ensure
audits are only completed to satisfy a corrective actions and recommendations
requirement. are acted on. There is little or no evidence
• There is no auditing of collaborative / joint that the organisation can demonstrate
working. that persons undertaking audits are
MRA 2
competent.
73
MRA 3 Incident investigation
Proportionate investigation of accidents, incidents and near misses is essential to learn from
adverse events
Accidents, incidents and near misses provide stark learning opportunities. It is important events
from all sources are reported. An open and just culture is necessary to support an effective
system.
It is not usually feasible to investigate all events; an appropriate system of selection is often
necessary – usually prioritising high hazard events, i.e. those with severe actual injury or those
with potential for serious injury.
Investigations need to be proportionate getting to underlying causes and concluding with practical
lessons for improvement and learning. Suitable analysis of events and investigation findings
assists in identifying common underlying issues and systemic problems.
• The organisation actively seeks to

implement findings from external Culture
investigations to support continuous There is a ‘just’ organisational culture
improvement. where all employees freely participate in the
• Managers and board members have investigation, openly and honestly. Incident
investigation is seen by all employees
Excellence
objectives to review reports of external

investigations from the rail and other as an opportunity to deliver continuous
sectors to identify opportunities for improvement and managers respond fairly.
continuous improvement.
• Collaborative working incidents are
• Relevant investigation outcomes are investigated to learn lessons that aid
routinely shared within and outside of the continuous improvement.
organisation.
• Board members and managers are
active in promoting and supporting the
development of techniques and training
for investigations.
• The quality of investigation produces
recommendations that can be applied Culture
both within and outside the organisation. Investigations and recommendations
MRA 3
• The range of incidents investigated arising from them, are generally accepted
includes, where appropriate, non- as important ways of improving risk
Predictable
compliance, non-conformance, near management.

miss / hit reports and health and safety
(H&S) complaints or disruptions to work • Employee representatives including,
and where expected outcomes are not where appropriate, trades union safety
achieved. representatives are actively involved in
• Investigations produce recommendations investigations.
which can be applied across the • The effects of recommendations
organisation and relevance outside the from investigations on risk control in
organisation is routinely considered as collaborative working, are themselves
is the impact of the recommendations on reviewed to demonstrate improvements in
risk management. risk control.
74
• The defined management arrangements
for when and how investigations are Culture
carried out are followed consistently There is a general understanding of the
across the organisation. importance of good quality investigations
• The underlying causes of an incident are into a range of occurrences generating
Standardised
identified and investigated. Investigations recommendations that improve systematic

are also carried out after a near miss or control of risks.
near hit and H&S complaints.
• The investigation team selected is • The investigation procedures include
proportionate to the type and severity of collaborative working and the need to
the matter under investigation. Employee investigate reports of non-compliance,
representatives participate in the non-conformance, near miss / hit reports
investigation. and H&S complaints.
• There are systems in place to ensure • Human factors and human performance
that the competence of investigators is are considered as part of the investigation
maintained. and the training for investigators.
• Incidents are investigated, but only where
the organisation’s guidance directs. The Culture
investigation process followed is not The culture is to accept inconsistencies
proportionate to the risk. in investigations and superficial
• Frequently, only immediate causes are recommendations which do not improve
identified and investigated. risk management.
Managed
• The range of incidents investigated is

limited to accidents. Recommendations • Investigations are carried out only by
are limited to preventing the same thing safety professionals or managers, who
happening again. They do not identify are not independent of the incident.
areas for wider improvement. • Inconsistent use of investigations during
collaborations.
• Confidential incident reporting is
embedded in the investigation process
(see Annex 1).
• There is no evidence of effective

investigations, and the culture of the Culture
organisation is to find someone to blame. Evidence of a blame culture when
MRA 3
• Employees do not believe it safe to something happens.
Ad-hoc
speak up and therefore tend to cover up

genuine errors. • No joint investigations of incidents during
• The organisation focuses on the actions collaborative ventures.
of the individuals, rather than looking to
challenge the adequacy of systems and
risk controls.
• No training in investigation techniques,
no independent investigators.
75
MRA 4 Management review
Management reviews check to ensure that policies, strategies and plans remain appropriate and
effective in the face of feedback from monitoring, investigations and audit findings.
Reviewing safety performance takes a ‘big picture’ overview of the patterns of evidence arising
from all forms on monitoring, investigation and audit to decide whether the overall approach,
policies, resources, priorities, improvement targets and the SMS remain relevant and appropriate
in pursuing the safety vision and strategy and cultural development.
• Board reviews are carried out routinely

as planned and result in suggestions Culture
for continuous improvement of risk The organisational culture encourages
management performance. suggestions for improvement and these
• The board and senior management routinely trigger management reviews.
reviews bring about demonstrable
Excellence
continuous improvement and confirm the • Reviews are carried out collaboratively
strategic direction or lead to changes. with other organisations, using shared
• There is clear evidence that the outputs evidence and strategies, and measures
of management reviews are shared to of good and bad performance with the
improve processes or shape positive purpose of continuous improvement.
behaviours.
• Reviews are informed by corrective
actions, monitoring and measuring
results, audit results and consultation
and participation of employees and, if
appropriate trades unions.
• Management reviews systematically
include learning lessons from events in Culture
other organisations and other industries. Widespread belief that management
• There is a process to review lessons reviews result in changes which are
Predictable
learnt from other organisations, including effective in controlling H&S risks.

reviewing the output from confidential
reporting services (see Annex 1). • Changes resulting from collaborative
• Management reviews include measures working are included in board reviews of
MRA 4
of the outcome of changes. outcomes.

• Reviews of the outcomes of changes
are compliant with the relevant
requirements of recognised management
system standards and guidance e.g.
ISO45001:2018 Clause 9.3.
76
• Management automatically uses findings
from monitoring and audits to review the Culture
organisation’s performance and make Good communications of outcomes
changes where necessary. from board reviews and actions arising
• Reviews are also triggered following leads to culture where all believe that the
Standardised
events in addition to planned cyclical organisation cares about risk management

reviews. and that individuals can and do contribute
• Recommendations from reviews are to it.
clearly allocated, tracked and show that
• Management reviews for collaborative
the wider implications are considered to
working are compliant with the relevant
ensure continuing suitability, adequacy
requirements of recognised management
and effectiveness.
system standards and guidance e.g. BS
• Management reviews are compliant with ISO45001:2018 Clause 9.3.
the relevant requirements of recognised
management system standards and
guidance e.g. BS ISO45001:2018 Clause
9.3.
• Management reviews are carried
out but do not always align with the Culture
organisational risk profile and strategies. Some understanding and support for the
• Reviews of the organisation’s health and board role in setting and reviewing safety
Managed
safety management system (SMS) are performance, but it is inconsistent.

only undertaken at planned intervals.
• Management reviews are limited
to simple data such as outcomes
and status of actions from previous
management reviews.
• Inconsistent application of standards
to some reviews of some areas of the
organisation.
• There is no analysis of the findings
of monitoring and audits by senior Culture
management. No or little understanding, at any level, of
• Achievement of risk management the importance of senior level review to
Ad-hoc
objectives is not reviewed. ensure that risk management objectives

• Management are not able to demonstrate are delivered. Culture of believing that the
that the SMS has delivered the intended board do not care about safety or safety MRA 4
objectives. risk management.
• No effective application of
management system standards • No effective review of objectives relating
relating to management review, e.g. BS to collaborative working arrangements.
ISO45001:2018 Clause A9.3.
77
MRA 5 Corrective action
Corrective action and change management programmes secure the proportionate, prioritised
close out of actions arising from monitoring, investigations, audits and reviews.
• The organisation monitors reports from

the rail and other industries to identify Culture
and implement corrective actions that Individuals can and do identify actions from
improve risk management. outside the organisation which improve risk
•
Excellence
The board and senior managers can management within the organisation.
provide evidence on how corrective
action has supported continuous • Effective collaboration ensures that
improvement. corrective actions are shared and adopted
• Corrective actions are sought and by organisations with shared or similar
shared from national and international risks.
organisations.
• There is a highly effective systematic
approach and demonstrable
improvements to risk management.
• Corrective actions are linked to objectives
set out in the H&S management system Culture
to deliver the greatest benefit possible. Reviews following change are
Predictable
• The board and senior managers actively recognised as opportunities to implement

support and resource the delivery of improvements to risk management in the
corrective actions. organisation.
• Corrective actions are considered as part
of the change management process.
• Corrective actions are verified and
validated proportionately to ensure
effective risk control.
• Underlying causes are routinely identified
and corrective actions are appropriate to Culture
the potential risk. Individuals understand the importance
Standardised
• The right people are tasked with of completing corrective actions and the
MRA 5
owning actions to ensure effective organisation can demonstrate a learning

implementation. culture.
• Corrective action will be at any level of
the SMS and all actions are tracked to
• System for addressing corrective actions
includes those affecting or arising from
closure.
collaborative ventures.
• Corrective actions are actioned in a
timely fashion that is proportionate to the
risk addressed by the action.
78
• Corrective actions address only the
immediate causes or those which are Culture
quick and simple to implement and rarely Inconsistent completion of corrective
address underlying causes. actions. Completion depends on individuals
• Actions are owned, but not always by the involved and not system driven.
Managed
individual best placed to implement them

effectively.
• There is some tracking of corrective
action to completion by senior managers,
but not consistently.
• Corrective actions are not prioritised
consistently on the basis of risk.
• Inconsistent sharing of lessons learned
during collaborative ventures.
• Monitoring, audits and reviews result in
little or no change, either because none Culture
are carried out or they are not followed Culture of acceptance of non-completion of
up. corrective actions.
• No systematic process for ensuring
corrective actions are completed.
Ad-hoc
• The organisation does not know if

lessons are being learned from incidents
and cannot demonstrate continuous
improvement or a learning culture.
• No application of legal or other
standards.
• No sharing of lessons learned with
collaborators.
MRA 5
79
monitoring, audit and review:
and the public.
• Close Call: to record and manage conditions and behaviours that, under different
circumstances, could have led to injury or harm.
• Common Safety Method for Monitoring: guidance on how to complete the CSM
monitoring process.
• Accident Investigation Training: standard, advanced and refresher training courses for
incident investigators working to RIS-3119.
• Human Factors Awareness Course for Incident Investigators: for people involved in
undertaking incident and accident investigations in the rail industry.
• Safety Management Intelligence System: for the collection, sharing and analysis of safety
incident data.

MRA
80
Glossary
CMM Capability Maturity Model
CMS Competence Management System
CPD Continuing Professional Development
CSM Common Safety Method (of the EU)
EU European Union
HSWA Health and Safety at Work etc. Act 1974
H&S Health and Safety
HSE Health and Safety Executive
IOSH Institution of Occupational Safety and Health
MHSWR Management of Health and Safety At Work Regulations 1999
NED Non-Executive Director
OEM Original Equipment Manufacturer
LNER London North Eastern Railway Limited
PDCA Plan-Do-Check-Act Cycle
PPE Personal Protective Equipment
RDG Rail Delivery Group
ROGS Railways and other Guided Transport Systems (Safety) Regulations 2006
RSSB Rail Safety and Standards Board
SMART Specific, Measurable, Achievable, Realistic and Time-bound
SMS Health and Safety Management System
SSOW Safe Systems of Work
81
Annex 1
The role of independent confidential reporting
The use of an independent confidential reporting service is an enabler of many aspects of the
cultural excellence we are looking for. Leaders who genuinely welcome intelligence about their
operations, ‘work as done’, and transparently use it, are effectively fulfilling the need for pro-
active monitoring. Effective internal reporting systems which encourage people to speak up,
set alongside a confidential reporting channel which people know they can use if they don’t feel
able to raise their voices internally, maximise the opportunity for leaders to capture this leading-
indicator intelligence and act before an incident. This holds true during periods of stability when
unsafe practices can creep in and during periods of change when feedback on unintended or
unanticipated impacts of change is critical.
The confidential reporting service provided by CIRAS supports collaboration on two fronts.
Enabling third party confidential reporting across contractual boundaries helps surface concerns
that may otherwise remain hidden due to unclear reporting routes or fear of jeopardising
commercial relationships. Active participation in the CIRAS membership community enables
sharing of learning from reports and corrective actions taken, together with in-sector and cross-
sector good practice on the topics raised by reporters.
To take well informed decisions, executive leaders and boards need access to transparent
information on health, well-being and safety performance which is tested against independent
sources of intelligence. Use of the data that CIRAS provides on the trends in topics reported
confidentially, and of the reasons why people say they are reporting confidentially, provides
independent insight into safety culture as felt on the ground, and an organisation’s effectiveness
at listening to and responding to concerns. CIRAS also delivers a degree of assurance that
reported performance is genuine, by providing an outlet if safety targets have a negative impact on
reporting culture.
82
83
© Crown copyright 2020
This publication is licensed under the terms of the Open Government Licence v3.0 except where
otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/
version/3 or write to the Information Policy Team, The National Archives, Kew, London TW94DU,
or email: psi@nationalarchives.gsi.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission
from the copyright holders concerned.
This publication is available at orr.gov.uk
Any enquiries regarding this publication should be made to us at orr.gov.uk

Risk Management Maturity Model rm3 PDF

Uploaded by

Copyright:

Available Formats

Risk Management Maturity Model rm3 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Risk Management Maturity Model rm3 PDF

Uploaded by

Copyright:

Available Formats

What is the Risk Management Maturity Model (RM3) and what is its purpose?

What is the Risk Management Maturity Model (RM3) and what is its purpose?

What are the five levels of maturity in RM3?

What are the five levels of maturity in RM3?

3

For more information contact us at rm3@orr.gov.uk

© Crown Copyright 2020

Excellence in health and safety management systems 6

Using the criteria 12

The Risk Management Maturity Model (RM3) criteria 15

Health and safety policy, SP1 Leadership

Organising for control OC3 Organisational structure

Monitoring, audit and review MRA1 Proactive monitoring arrangements

Figure 1 The Plan-Do-Check-Act cycle (HSG 65 2013)

Polic th & safet

MRA W tion bilities

P r Variation and change is controlled

Good practice synthesised into

Ad-hoc and unco-ordinated

Figure 3 RM3 maturity levels

The generic maturity descriptors

It is characteristic of processes at this level that the focus is on continually

It is characteristic of processes at this level that, using process metrics,

It is a characteristic of processes at this level that there are sets of defined

It is characteristic of processes at this level that some processes are

repeatable, possibly with consistent results. Process discipline is unlikely to

It is characteristic of processes at this level that they are (typically)

undocumented and in a state of dynamic change, tending to be driven in an

Table 1 Generic maturity descriptors

1 The Capability Maturity Model (CMM) was developed by US Department of Defense

Our aim is that:

Assessors should adopt an evidence-based approach to evaluating the management of risk.

Information on the performance of

Figure 4 illustrates the type of information

Figure 4 Information sources and collection methods

1 The Management of Health and Safety at Work Regulations 1999 (MHSWR)

This approach enables assessors to interpret information to:

The criteria in this section include:

and efficient as possible.

• No effective application of H&S

Guidance and further reading:

decisions at all levels.

chain and with external parties to achieve improvement.

to consultation and participation of H&S policy.

• Employees across the organisation which results in them being responded to in

• There is no evidence of employees being or why it is relevant.

to reduce exposure to risk from whatever

following changes to organisational safety assurance and has mechanisms

management. in managing H&S is understood. A

meetings, but there is no systematic H&S.

Board meetings do not include reviews of

Guidance and further reading: • The UK Government report into the

The SMS should:

• The SMS demonstrates how the

CHECK- ACT model.

• There is no written SMS, or if there is

The SMS is based on a template or understood.

LHSBR Quarterly Monitoring Report: a summary of implementation actions in the LHSBR

RSSB Disclaimer and Intellectual Property Statement