ISO 45001 in 2026: Why Annual Audits No Longer Cut It for SMEs

Jason Misters
16 April 2026

Post-COVID workplaces and AI-driven reporting have outpaced traditional annual ISO 45001 audits. Discover what IRCA auditors expect now and three changes your SME can make this quarter.

ISO 45001 in 2026: Why SME Health & Safety Leaders Can No Longer Rely on the Annual Audit

The traditional approach to ISO 45001 compliance—maintain your documentation, schedule your annual surveillance audit, correct any nonconformities—worked reasonably well until 2020. But the world of work has changed fundamentally since then, and so have the expectations of IRCA-registered auditors. If your SME is still treating occupational health and safety management as a once-a-year exercise, you're likely building risk into your system rather than managing it out.

As an IRCA Registered Principal Auditor working with SMEs across the UK, I've watched this shift accelerate over the past eighteen months. The old audit cadence is broken. Here's why, and what you need to do about it.

Why the Annual Audit Model No Longer Works for Post-COVID Workplaces

The return to office hasn't been a return at all—it's been a complete reconfiguration of how, when, and where work happens. Hybrid schedules, staggered shifts, and remote-first policies mean your workforce is more distributed than ever. The hazards associated with isolation, mental health, DSE setup at home, and irregular commuting patterns don't fit neatly into the annual audit snapshot.

ISO 45001 requires you to determine risks and opportunities (Clause 6.1) on an ongoing basis, not just when the auditor arrives. Yet many SMEs still conduct their annual risk assessment in the weeks before the audit, updating a spreadsheet that hasn't been touched since the previous year. This approach was already weak. In a dynamic, hybrid workplace, it's actively dangerous.

Auditors are now probing how frequently your risk assessments are reviewed in practice, not just in policy. They want evidence that your OH&S management system responds to real-time changes—new equipment, staff turnover, revised working patterns—not just annual reviews. If you can't demonstrate that, you'll struggle to close out findings.

The AI-Driven Near-Miss Reporting Trend Auditors Are Watching

One of the most significant changes I've observed in 2025 and into 2026 is the rise of AI-enabled near-miss and incident reporting tools. These platforms—often integrated into existing HRIS or ERP systems—use natural language processing to encourage employees to report observations in their own words, then automatically categorise, trend, and escalate issues.

The result? SMEs are capturing five to ten times more near-miss data than they did three years ago. That's excellent for proactive hazard identification under Clause 6.1.2.1. But it also creates a new compliance challenge: what are you doing with that data?

IRCA auditors are increasingly looking for evidence that:

  • Near-miss trends are being analysed at a frequency appropriate to the volume of reports (not quarterly if you're receiving dozens per week)

  • Root cause analysis is being conducted on patterns, not just individual incidents

  • Corrective actions are being tracked through to effectiveness verification

  • Workers are receiving feedback on their reports to maintain engagement

If your system generates rich data but you're only reviewing it at the annual management review, you're failing to meet the intent of ISO 45001. Auditors will challenge this as a gap between your stated commitment to continual improvement and actual practice.

What IRCA Auditors Are Now Looking For in SME Systems

The IRCA guidance for ISO 45001 auditing has evolved, particularly around Clause 9 (Performance Evaluation). Auditors are being trained to assess the responsiveness of your system, not just its documentation completeness.

In practical terms, expect your next audit to include:

  • Evidence of real-time monitoring: Can you show how you track leading indicators (near misses, safety observations, training completion) between audits?

  • Digital proof of consultation: How do you demonstrate ongoing worker consultation and participation (Clause 5.4) in a hybrid environment? Email trails and meeting minutes aren't enough if half your workforce is remote.

  • Linkage between AI tools and management action: If you're using automated reporting, auditors want to see the audit trail from report to investigation to action to verification.

  • Agility in risk assessment: How quickly can you reassess and control a new hazard? If the answer is 'at the next quarterly review', that's a problem.

The standard hasn't changed, but the application has. Auditors are looking for evidence that your OH&S management system is a living framework, not an annual compliance ritual.

Three Practical Changes Your SME Can Make This Quarter

You don't need to overhaul your entire system overnight, but you do need to shift from annual to continuous thinking. Here are three changes you can implement in the next twelve weeks:

1. Move to rolling quarterly risk reviews

Schedule a light-touch risk assessment review every quarter, tied to your operational calendar. Focus each review on a specific area: hybrid working arrangements in Q1, contractor management in Q2, and so on. This ensures your risk register evolves with your business and provides audit-ready evidence of responsiveness.

2. Establish a monthly near-miss trend analysis routine

If you're using an AI or digital reporting tool, commit to a monthly 30-minute review of trends with your health and safety lead and at least one operational manager. Document what you found, what you're doing about it, and when you'll check effectiveness. This single habit will transform your audit readiness.

3. Create a simple digital consultation log

Move away from relying solely on meeting minutes. Use a shared document, Teams channel, or dedicated consultation platform where workers can raise H&S concerns asynchronously and you can track responses. This is especially critical for remote and shift workers who may not attend scheduled meetings.

Is Your ISO 45001 System Ready for 2026?

The shift from annual compliance to continuous assurance isn't optional—it's the direction the standard has always pointed, and auditors are now holding organisations to that expectation. If you're unsure whether your current approach will stand up to scrutiny, it's worth finding out before your next audit.

At TAC, we offer a free ISO 45001 readiness check for SMEs. It's a no-obligation, practical review of your current system's strengths and gaps, conducted by an IRCA Registered Principal Auditor. If you'd like to understand where you stand and what needs to change before your next surveillance or recertification audit, get in touch. We're here to help you build a system that works in practice, not just on paper.
