The formal process of developing and OHSMS for any business is the same. It is a multi step process starting with identification of necessary safety protocols. Businesses can get these from incident or accident reports, loss evaluations, and even lawsuits. The purpose isn't just to keep people safe, it is to make sure that the business isn't hemorrhaging money. Therefore, even if there is only a slight risk or a small handful of incidents historically, but they cost exponentially more for the company to fix, those are areas that will more often be addressed as a priority due to the potential losses the company may endure.
Next, the process involves setting up formal policies to deal with employee health and safety. They can be simple policies that are as basic as, "Anyone entering the facility must check in at the guard shack and be administered full PPE before entering the plant floor," or they can be very complex. Usually, a safety policy is very blunt, and leaves nothing to interpretation because as an administrator, you do not want people taking liberty with the policy due to excess grey areas.
Following the formation of policies, the OHSMS must review those policies to ensure they are doing exactly what they were designed to do. For example, if a policy on requiring all employees to wear steel toed shoes is developed, but the number of crush injuries to the foot does not decrease, a more stringent policy addendum should be made. Perhaps the steel toed shoes are not rated to the proper specifications required in the plant, or maybe the crushes happen on the metatarsals instead of the toes.
In addition to auditing the policy, it must be enforced. Using the safety shoe example again, if the policy requires employees to wear safety shoes, but nobody does or they take liberty with the policy, supervisors need to follow-up with disciplinary actions. This seems harsh, but it is the reasoning behind why people get speeding tickets. Personally, if I knew I would never get a ticket for speeding, I would drive as fast as I felt comfortable doing. Just like speeding, violation of safety policies put you and others at risk of serious injury and even death.
Lastly, the process needs to be audited on a consistent basis. This can be annually, bi-annually, or even every day if it is feasible to do so. Whatever the time frame is, it needs to be done thoroughly and by competent people so that critical areas of improvement are identified. Audits should also be done by people who are impartial to the groups involved in the audit. This is often why corporate offices often have audit teams that travel to various locations where they have little to no personal connection with the individuals there.
http://www.education.vic.gov.au/Documents/school/principals/management/ohsmsguide.pdf
https://www.worksafe.qld.gov.au/__.../safety-mngt-sys-audit-report.doc
http://www.worksafe.vic.gov.au/safety-and-prevention/health-and-safety-topics/ohs-management-systems/ohsms-audit-tools
