A safety program gap analysis is a systematic comparison of your current health and safety management system against a defined standard or best practice framework - identifying deficiencies, quantifying their severity and prioritizing improvements to close the gaps. Organizations that conduct formal gap analyses before launching improvement initiatives are 3 times more likely to achieve their safety performance targets according to EHS management research, because they focus resources on the areas that matter most rather than guessing at priorities.
Whether you are benchmarking against ISO 45001, preparing for COR certification in Canada, pursuing OSHA's Voluntary Protection Programs (VPP) or simply trying to understand where your safety program stands, this guide provides the complete methodology. You will learn how to assess your current maturity level, score your program against recognized frameworks, prioritize improvements, build action plans and track progress through a continuous improvement cycle.
Self-Assessment Frameworks: Where to Start
A gap analysis requires two reference points: where you are now and where you need to be. The "where you need to be" is defined by the standard or framework you select. The "where you are now" is determined through self-assessment.
Free Download: 5 Safe Work Procedures
Choose from 112 professionally written SWPs. No credit card required.
Get Free SWPsChoosing Your Benchmark Standard
Select a benchmark that aligns with your organizational goals, industry and regulatory environment:
| Framework | Best For | Scope | Certification Available |
|---|---|---|---|
| ISO 45001 | Organizations seeking international recognition | Complete OHS management system | Yes - third-party audit |
| COR (Certificate of Recognition) | Canadian employers seeking WCB premium reductions | 19-element safety management system | Yes - certifying partner audit |
| OSHA VPP | US employers seeking premier safety recognition | Management leadership, worker involvement, hazard assessment, prevention and control | Yes - OSHA on-site evaluation |
| ANSI Z10 | US employers wanting a structured OHSMS | Management system based on Plan-Do-Check-Act | No formal certification |
| CSA Z45001 | Canadian adoption of ISO 45001 | Identical to ISO 45001 with Canadian context | Yes - through accredited bodies |
| Internal maturity model | Organizations wanting custom benchmarking | Customizable to your specific needs | No - internal use |
For organizations unsure where to begin, ISO 45001 provides the most comprehensive and internationally recognized framework. For Canadian employers, COR provides the additional benefit of direct financial return through WCB premium reductions. Read our detailed guides on ISO 45001 requirements and implementation and COR certification requirements for standard-specific guidance.
Self-Assessment Methods
Effective self-assessment combines multiple evidence-gathering approaches:
- Document review: Examine existing policies, procedures, forms, records and reports against the benchmark requirements
- Management interviews: Assess leadership understanding of and commitment to safety management system elements
- Worker interviews: Evaluate whether documented programs are implemented and effective at the operational level
- Physical observation: Verify that physical controls, equipment and practices match documented requirements
- Data analysis: Review incident rates, inspection findings, audit scores, training records and other performance data
The most common mistake in self-assessment is relying solely on document review. A company may have beautiful written programs that exist only on paper. Physical observation and worker interviews reveal the truth about implementation.
The EHS Maturity Model: 5 Levels
A maturity model provides a structured way to evaluate where each element of your safety program falls on a continuum from reactive to world-class. This approach is more nuanced than a simple pass/fail assessment and helps you set realistic improvement targets.
Level 1: Reactive
At the reactive level, safety management is primarily driven by incidents and regulatory enforcement. Characteristics include:
- Safety activities occur mainly in response to incidents, injuries or regulatory citations
- No formal safety management system or written programs
- Safety is viewed as the safety department's responsibility, not a management function
- Training is minimal and delivered only when required by regulation
- Incident investigation focuses on blame rather than root causes
- No safety metrics tracked beyond OSHA recordable rates
- Worker involvement in safety is minimal or nonexistent
Organizations at Level 1 face the highest injury rates, regulatory risk and insurance costs. The priority at this level is establishing basic compliance with applicable regulations.
Level 2: Compliant
At the compliant level, the organization meets minimum regulatory requirements but has not developed a proactive safety culture. Characteristics include:
- Written safety programs exist for regulatory requirements (hazard communication, lockout/tagout, etc.)
- Mandatory training is delivered and documented
- Safety inspections occur but on an inconsistent schedule
- Incident investigation procedures exist but root cause analysis is shallow
- Safety committee exists where required but has limited influence
- Safety data is collected but rarely analyzed for trends
- Management supports safety but does not actively champion it
Level 2 organizations have reduced their regulatory risk but still experience preventable incidents because their programs address minimum requirements rather than actual risks.
Level 3: Proactive
At the proactive level, the organization has moved beyond compliance to actively identify and control hazards before they cause incidents. Characteristics include:
- Comprehensive safety management system documented and implemented
- Hazard assessments conducted proactively for all significant tasks
- Leading indicators tracked alongside lagging indicators
- Regular safety inspections with systematic follow-up on findings
- Active safety committee making and tracking meaningful recommendations
- Supervisor accountability for safety integrated into performance management
- Workers encouraged and empowered to report hazards and near misses
- Toolbox talks delivered consistently with worker engagement
Level 3 represents the threshold where organizations begin seeing significant injury rate reductions and cultural improvement. Most ISO 45001 and COR-certified organizations operate at this level.
Level 4: Integrated
At the integrated level, safety is embedded in business operations rather than managed as a separate function. Characteristics include:
- Safety objectives integrated into business planning and capital budgeting
- Safety considerations built into procurement, design, project planning and change management
- Data analytics drive strategic safety decisions
- Cross-functional collaboration on safety improvement projects
- Workers actively participate in hazard identification, risk assessment and solution design
- Management of change process evaluates safety implications of all operational changes
- Continuous improvement culture with regular program evaluation and enhancement
- Benchmarking against industry peers and best practices
Level 4 organizations have significantly lower incident rates than industry averages and demonstrate the kind of proactive culture that OSHA's VPP Star status recognizes.
Level 5: World-Class / Generative
At the world-class level, safety is a core organizational value that drives decision-making at every level. Characteristics include:
- Zero-harm philosophy genuinely believed and pursued (not just a slogan)
- Safety culture is self-sustaining - workers hold each other accountable
- Innovation in safety management and technology adoption
- Organization shares best practices and mentors other organizations
- Predictive analytics anticipate and prevent incidents before they occur
- Safety performance consistently in the top decile of industry benchmarks
- Workers at all levels demonstrate safety leadership in daily decisions
- Organizational resilience - the system adapts effectively to novel situations
Very few organizations consistently operate at Level 5 across all elements. It is an aspirational target that drives continuous improvement rather than a fixed destination.
Gap Analysis Methodology: Step by Step
Follow this structured methodology to conduct a thorough gap analysis that produces actionable results.
Step 1: Define Scope and Objectives
Clarify what you are assessing, against which standard and for what purpose. A gap analysis preparing for COR certification has different scope and depth than one benchmarking against ISO 45001 or evaluating a single element like emergency preparedness.
Key scoping decisions include:
- Which standard or framework will serve as the benchmark
- Which elements or clauses will be assessed (all or selected priorities)
- Which sites or operations are included
- What level of detail is needed (high-level screening or detailed element assessment)
- Timeline for completing the analysis
- Resources available (internal team, external consultant or hybrid)
Step 2: Develop the Assessment Tool
Create a structured assessment tool that breaks down the benchmark standard into evaluable components. For each component, define:
- The specific requirement from the standard
- Evidence criteria (what "conformance" looks like)
- Scoring scale (maturity level 1-5 or percentage-based)
- Evidence collection methods (document review, observation, interview)
For ISO 45001, your assessment tool should address each clause and sub-clause. For COR, evaluate each of the 19 elements. For custom maturity models, define the criteria for each level within each element.
Step 3: Collect Evidence
Systematically gather evidence for each assessment component using the methods defined in your tool. For each component, document:
- What currently exists (documents, practices, controls)
- What is required by the standard
- The gap between current state and required state
- Supporting evidence (document references, observation notes, interview summaries)
Involve a cross-functional team in evidence collection. Different perspectives reveal different gaps. A safety professional may find the written program adequate while an operations supervisor recognizes that the program is not implemented on the production floor.
Step 4: Score and Prioritize Gaps
Score each element using your defined scale and identify the gaps between current scores and target scores. Then prioritize gaps using a risk-based approach that considers:
| Prioritization Factor | High Priority | Medium Priority | Low Priority |
|---|---|---|---|
| Safety risk if gap persists | Potential for serious injury or fatality | Potential for moderate injury | Minor risk or quality issue |
| Regulatory risk | Non-compliance with mandatory requirements | Weakness in regulated area | Best practice gap only |
| Gap size | Maturity Level 1-2 (reactive/compliant) | Maturity Level 3 (proactive) | Maturity Level 4 (integrated) |
| Impact on certification | Would prevent certification | Would reduce audit score | Minimal impact on score |
| Business impact | Affecting insurance, contracts, operations | Moderate business consequence | Limited business impact |
Step 5: Develop the Gap Closure Plan
For each prioritized gap, develop a specific action plan that includes:
- Description of the gap and current state
- Target state (what conformance looks like)
- Specific actions required to close the gap
- Responsible person(s)
- Required resources (budget, time, expertise, technology)
- Implementation timeline with milestones
- Success criteria (how you will know the gap is closed)
Sequence actions logically. Some gaps depend on others being closed first - for example, you cannot implement effective hazard assessments (gap) if you have not defined your hazard assessment methodology (prerequisite gap). Map these dependencies and sequence your plan accordingly.
Step 6: Implement and Monitor
Execute the gap closure plan with regular progress monitoring. Monthly progress reviews keep implementation on track and allow for course corrections when obstacles arise. Use monthly review tools to track action items, completion rates and timeline adherence.
Step 7: Reassess and Iterate
After implementing gap closure actions, reassess the affected elements to verify that gaps have been genuinely closed. It is common to find that initial actions addressed symptoms but not root causes, requiring additional iterations. Schedule a full reassessment 6-12 months after the initial analysis to measure overall progress.
Scoring Rubrics for Key Safety Elements
The following scoring rubrics provide detailed criteria for assessing common safety management system elements on the 5-level maturity scale. Use these rubrics to ensure consistent and objective scoring across your assessment team.
Hazard Identification and Risk Assessment
| Level | Score | Criteria |
|---|---|---|
| Reactive | 1 | Hazards identified only after incidents. No formal process. No documented assessments |
| Compliant | 2 | Basic hazard assessments exist for some tasks. Risk matrix used inconsistently. Worker involvement minimal |
| Proactive | 3 | Formal hazard assessment process for all significant tasks. Workers participate. Hierarchy of controls applied. Assessments reviewed on schedule |
| Integrated | 4 | Hazard assessment integrated into all operational planning. Management of change triggers reassessment. Risk data analyzed for trends. Controls verified for effectiveness |
| World-Class | 5 | Predictive risk identification using leading indicators. Workers autonomously identify and control hazards. Continuous improvement of assessment methodology based on outcome data |
Training and Competency
| Level | Score | Criteria |
|---|---|---|
| Reactive | 1 | Training occurs only when regulatory citations received. No training records. No needs assessment |
| Compliant | 2 | Mandatory training delivered and documented. Orientation program exists. No effectiveness evaluation |
| Proactive | 3 | Training needs assessment completed. Training matrix in place. Refresher training scheduled. Basic competency verification |
| Integrated | 4 | Competency-based training with field verification. Training effectiveness measured through behavior observation. Continuous learning culture. Career development includes safety competency |
| World-Class | 5 | Workers mentor others in safety. Training content continuously refined based on incident analysis and emerging best practices. Knowledge sharing across the organization. Innovation in delivery methods |
Incident Investigation
| Level | Score | Criteria |
|---|---|---|
| Reactive | 1 | Investigations occur only for serious injuries. Blame-focused. No root cause analysis. Corrective actions superficial |
| Compliant | 2 | All recordable incidents investigated. Basic investigation procedure exists. Root cause analysis attempted but shallow. Corrective actions tracked inconsistently |
| Proactive | 3 | All incidents and significant near misses investigated. Formal root cause methodology (5-Why, fishbone). Corrective actions tracked to closure. Findings shared with workforce |
| Integrated | 4 | Investigation findings drive systemic improvements. Trend analysis identifies emerging risk patterns. Investigation quality reviewed and improved. Cross-functional investigation teams |
| World-Class | 5 | Near-miss investigation culture captures precursors before incidents occur. Learning organization approach. Findings benchmarked against industry. Investigation methodology continuously refined |
Management Leadership and Commitment
| Level | Score | Criteria |
|---|---|---|
| Reactive | 1 | Safety delegated entirely to safety department. No management involvement. No safety policy or objectives. Safety budget minimal |
| Compliant | 2 | Safety policy signed by senior management. Basic safety budget exists. Management attends safety meetings when required. Safety performance reviewed annually |
| Proactive | 3 | Management regularly participates in safety activities (inspections, meetings, reviews). Safety objectives set with measurable targets. Safety included in management performance evaluation |
| Integrated | 4 | Safety integrated into business strategy and decision-making. Senior leadership visibly champions safety. Safety performance reviewed at board level. Resources allocated proactively |
| World-Class | 5 | Safety is a core value demonstrated in every business decision. Leaders at all levels model safety behavior. Organization influences industry safety standards. Investment in safety innovation |
Benchmarking Against Standards: Detailed Requirements
ISO 45001 Key Clauses for Gap Analysis
ISO 45001 is structured around the Plan-Do-Check-Act cycle with 10 main clauses. Your gap analysis should address each:
- Clause 4 - Context of the organization: Understanding internal/external issues, worker needs and expectations, scope definition
- Clause 5 - Leadership and worker participation: Top management commitment, OH&S policy, roles/responsibilities, consultation and participation
- Clause 6 - Planning: Addressing risks and opportunities, OH&S objectives, planning to achieve objectives
- Clause 7 - Support: Resources, competence, awareness, communication, documented information
- Clause 8 - Operation: Operational planning and control, emergency preparedness, procurement, contractors, outsourcing
- Clause 9 - Performance evaluation: Monitoring, measurement, analysis, evaluation, internal audit, management review
- Clause 10 - Improvement: Incident investigation, nonconformity, corrective action, continual improvement
COR 19 Elements Overview
COR gap analysis evaluates these 19 elements (specific elements vary slightly by province):
- Management leadership and organizational commitment
- Hazard identification, assessment and control
- Worker competency and training
- Ongoing inspections
- Qualifications, orientation and training of workers
- Emergency response planning
- Incident investigation and reporting
- System administration (program management and documentation)
- Joint worksite health and safety committee
- Worker participation and involvement
- Return to work and disability management
- Procurement and contractor management
- Management of change
- Occupational health assessment and management
- First aid
- Preventive maintenance
- Records and statistics
- Legislation, regulations and standards
- Continuous improvement
Each element is scored based on documentation, implementation (observation) and effectiveness (interviews). A total score of 80% or higher is typically required for certification with no single element scoring below 50%.
OSHA VPP Star Criteria
VPP evaluation focuses on four pillars:
- Management leadership and employee involvement: Clear policy, goals, visible management commitment, employee involvement at all levels, accountability, annual self-evaluation
- Worksite analysis: Comprehensive surveys, change analysis, routine job hazard analysis, employee hazard reporting, accident investigation
- Hazard prevention and control: Engineering controls, administrative controls, PPE, emergency planning, preventive maintenance, medical program
- Safety and health training: Understanding of hazards, applicable standards, site-specific procedures and emergency response
VPP applicants must demonstrate a Total Recordable Incident Rate (TRIR) and Days Away, Restricted or Transferred (DART) rate below their industry average for the most recent three complete years.
Improvement Prioritization Framework
After identifying gaps, you will likely have more improvement opportunities than resources to address them simultaneously. A structured prioritization framework ensures you invest where the return is highest.
The Impact-Effort Matrix
Plot each improvement opportunity on a two-axis matrix:
- High Impact / Low Effort (Quick Wins): Implement immediately. These deliver significant safety improvement with minimal resource investment. Examples: updating outdated procedures, fixing inspection schedule gaps, implementing a hazard reporting process
- High Impact / High Effort (Strategic Projects): Plan and resource carefully. These are transformational improvements that require investment but deliver major returns. Examples: implementing a comprehensive hazard assessment program, deploying safety management software, building a management of change process
- Low Impact / Low Effort (Incremental Improvements): Implement as resources allow. These are worthwhile but not urgent. Examples: updating training presentation formats, reorganizing safety document filing systems
- Low Impact / High Effort (Deprioritize): Defer or eliminate these from your plan. The resource investment is not justified by the safety return
Risk-Based Prioritization
Within each quadrant of the impact-effort matrix, further prioritize by risk. Gaps that expose workers to serious injury or fatality risk take precedence over gaps that represent compliance or administrative weaknesses. Use your existing incident data, industry fatality statistics and professional judgment to assess the risk associated with each gap.
Action Planning and Budget Allocation
Transform your prioritized gap list into a funded action plan that management can approve and the organization can execute.
Action Plan Template
For each gap closure action, document:
| Field | Content |
|---|---|
| Gap Reference | Element number and description from gap analysis |
| Current State | Brief description of the current condition |
| Target State | Specific description of what conformance looks like |
| Actions Required | Numbered list of specific tasks to close the gap |
| Responsible Person | Named individual accountable for implementation |
| Resources Needed | Budget, personnel time, external expertise, technology |
| Start Date | When work begins |
| Target Completion | Deadline for full implementation |
| Milestones | Intermediate checkpoints for long-term actions |
| Success Criteria | Measurable indicators that the gap is closed |
| Verification Method | How closure will be confirmed (audit, inspection, assessment) |
Budget Allocation Approach
Build the budget case for gap closure by connecting safety investment to business outcomes:
- Regulatory compliance costs avoided: Calculate potential citation penalties for regulatory gaps
- Workers compensation savings: Estimate claim cost reduction from improved hazard controls (use your experience modification rate and claim history)
- COR premium rebate: For Canadian employers, quantify the WCB premium reduction from achieving or maintaining COR certification (typically 10-20% of premiums)
- Productivity improvements: Estimate the value of reduced incident-related production disruption
- Insurance premium reductions: Document how improved safety metrics reduce commercial insurance costs
- Contract eligibility: Identify contracts requiring safety certifications or performance thresholds your organization currently does not meet
Present the total cost of gap closure alongside the projected financial return. Most comprehensive safety improvement programs deliver 3:1 to 6:1 return on investment within 2-3 years.
Progress Tracking and Reporting
Without disciplined progress tracking, gap closure plans stall. Implement a tracking rhythm that maintains momentum and accountability.
Monthly Progress Reviews
Review action plan progress monthly with the implementation team. For each action item, assess:
- Is the action on schedule, behind or ahead?
- What has been completed since the last review?
- What obstacles have been encountered?
- What support is needed from management?
- Is the target completion date still realistic?
Use digital review platforms to maintain a real-time dashboard of action plan status accessible to all stakeholders.
Quarterly Management Reports
Report progress to senior management quarterly with a focus on:
- Overall gap closure percentage (e.g., 45 of 78 identified gaps closed)
- Maturity score progression by element
- Budget expenditure vs. plan
- Safety performance correlation (are improvements reflected in incident data?)
- Key achievements and upcoming milestones
- Risks to the plan and mitigation strategies
Visual Progress Tracking
Create visual dashboards that make progress intuitive to understand:
- Radar/spider chart: Shows maturity scores across all elements with current state and target state overlaid. This visualization immediately communicates which elements need the most improvement
- Heat map: Color-coded matrix showing each element's maturity level (red, amber, green) updated monthly
- Burndown chart: Shows the number of open gap closure actions decreasing over time against the planned trajectory
- Trend line: Plots overall maturity score over time to demonstrate progress trajectory
The Continuous Improvement Cycle
A gap analysis is not a one-time event. It is the assessment phase of an ongoing continuous improvement cycle that should be embedded in your safety management system permanently.
Plan-Do-Check-Act for Safety
Plan: Conduct gap analysis, prioritize improvements, develop action plans, allocate resources
Do: Implement gap closure actions, train workers, deploy new processes and controls
Check: Monitor implementation through inspections, audits, data analysis and reassessment. Verify that gaps are genuinely closed and that new processes are effective
Act: Analyze what worked and what did not. Adjust the approach for remaining gaps. Identify new gaps that have emerged. Feed lessons learned into the next planning cycle
Annual Reassessment Cycle
Conduct a full gap reassessment annually. This reassessment serves multiple purposes:
- Verify that previously closed gaps remain closed (regression is common)
- Identify new gaps created by organizational changes, regulatory updates or evolving best practices
- Recalibrate maturity scores based on actual performance rather than implementation assumptions
- Set new improvement targets for the coming year
- Inform the annual safety budget and resource planning process
Trigger-Based Reassessment
Beyond the annual cycle, reassess specific elements when triggers occur:
- Serious incident or fatality
- Significant regulatory change
- Major organizational change (merger, expansion, new operations)
- New standard or certification requirement
- Loss of certification or failed external audit
- Significant change in safety performance trends
Common Gap Analysis Mistakes
Mistake: Scoring Too Generously
Self-assessment bias leads most organizations to overrate their current state. Combat this by using specific evidence criteria for each maturity level, having multiple assessors score independently and compare results and including external perspectives (consultants, industry peers) to calibrate scoring.
Mistake: Treating the Analysis as a Paper Exercise
A gap analysis that only reviews documents without physical observation and worker interviews will miss the implementation gaps that matter most. Budget adequate time for field verification.
Mistake: Creating an Unachievable Action Plan
Listing 200 improvement actions with aggressive timelines guarantees failure. Prioritize ruthlessly, phase implementation over 12-24 months and ensure each phase is resourced realistically.
Mistake: No Accountability for Implementation
Action plans without named accountable individuals and regular progress reviews stall within weeks. Every action needs an owner and every owner needs a review checkpoint.
Mistake: Neglecting the Reassessment
Closing gaps and walking away invites regression. Systems degrade without ongoing monitoring. Build reassessment into your annual safety calendar as a non-negotiable activity.
Frequently Asked Questions About Safety Gap Analysis
How long does a comprehensive gap analysis take?
For a medium-sized organization (100-500 workers), a full gap analysis against ISO 45001 or COR standards typically takes 4-8 weeks from planning through report delivery. This includes 1-2 weeks of planning and document review, 1-2 weeks of on-site assessment (observation and interviews) and 1-2 weeks of analysis, scoring and report writing. Smaller organizations or focused assessments can be completed more quickly.
Should we use an external consultant or do it internally?
Both approaches have merit. Internal assessment builds organizational knowledge and is less expensive. External assessment provides objectivity, benchmarking capability and specialized expertise. The best approach for most organizations is a hybrid: internal team conducts the initial self-assessment, then an external consultant validates the scoring, identifies blind spots and helps prioritize the action plan.
What if our organization scores at Level 1 across most elements?
Starting from Level 1 is more common than many organizations admit. Focus your initial efforts on achieving Level 2 (compliance) across all elements before pursuing higher maturity in any single element. Regulatory compliance provides the foundation upon which proactive and integrated safety management is built. A phased approach - compliance first, then proactive, then integrated - is more sustainable than trying to achieve world-class in one leap.
How does gap analysis relate to safety audits?
A gap analysis is typically broader and more strategic than an audit. An audit evaluates conformance against a defined standard at a point in time. A gap analysis evaluates the overall maturity of the safety management system, identifies improvement priorities and produces a strategic action plan. Organizations often use gap analysis results to prepare for formal audits by closing critical gaps before the audit occurs.
Can we use gap analysis results to satisfy certification requirements?
A self-assessment gap analysis is not a substitute for a formal certification audit. However, gap analysis results demonstrate your preparation process and commitment to continuous improvement. Sharing your gap analysis and closure plan with your external auditor provides context for their assessment and demonstrates a systematic approach to safety management that auditors view favorably.
Start Your Gap Analysis Today
Understanding where your safety program stands is the critical first step toward building the program your workers deserve and your business needs. The frameworks, scoring rubrics and implementation strategies in this guide give you everything you need to conduct a thorough assessment and build a roadmap for improvement.
Make Safety Easy provides integrated tools for tracking your improvement plan and conducting the assessments and inspections that verify gap closure. Our platform helps you move from analysis to action with digital corrective action tracking, automated reminders and management dashboards that keep your improvement program on track.
Read our related guides on ISO 45001 implementation and COR certification requirements for standard-specific guidance that complements your gap analysis.
Book a demo to see how safety teams use Make Safety Easy to manage their continuous improvement programs. Or view our pricing to find the plan that supports your safety program goals.