Residual Risk
Residual risk is the level of risk remaining after you have implemented control measures to eliminate or minimise a hazard. It represents the actual risk exposure your workers face during a task, assuming your controls are working as intended.
What is Residual Risk?
Residual risk is the "net" risk that your organisation accepts when undertaking work. In the risk management process, you begin by identifying the Inherent Risk (or Gross Risk)—the level of risk present if no controls existed at all. Once you apply treatments such as engineering guards, safety procedures, or personal protective equipment (PPE), the risk reduces. The remaining value is the Residual Risk.
Ideally, your residual risk should align with your organisation's Target Risk (risk appetite). If the residual risk remains higher than your target, the activity is generally considered unsafe to proceed until further controls are implemented.
For Australian duty holders, residual risk is the metric of truth. While inherent risk is a theoretical baseline used to demonstrate the value of controls, residual risk is the operational reality. It determines whether you have met your legal duty to ensure health and safety "so far as is reasonably practicable" (SFAIRP). If a residual risk rating remains "High" or "Extreme," it suggests that you may not have exhausted all reasonably practicable means of risk reduction, or that the activity is inherently too dangerous to continue in its current form.
How it Works
Calculating residual risk is typically a structured process involving your organisation's Risk Matrix.
The Four-Step Process
1. Assess Inherent Risk: Determine the Consequence and Likelihood of a hazard without controls. For example, a fall from heights with a "Catastrophic" consequence and a "Possible" likelihood rates as Extreme Risk.
2. Apply Controls: Identify existing or planned controls using the hierarchy of controls. For instance, installing a handrail or safety barrier.
3. Re-Assess Parameters: Consequence often remains the same—a fall is still potentially fatal—though some controls like seatbelts can reduce consequence. Likelihood is drastically reduced by effective controls. For example, a handrail makes a fall "Rare".
4. Determine Residual Score: Plot the new Likelihood and Consequence on the matrix to get the Residual Risk rating, such as Low or Medium.
The Subtraction Model
Many risk systems conceptualise this as:
Residual Risk = Inherent Risk − Control Effectiveness
This highlights that your safety relies entirely on the reliability of your controls. A large gap between Inherent and Residual risk indicates a "high energy" hazard being held back by controls. If those controls fail, the risk snaps back to its Inherent (Extreme) level immediately.
Why it Matters
Understanding residual risk is not just a paperwork exercise—it is a fundamental component of meeting your obligations under the Work Health and Safety (WHS) Act 2011.
Legal Duty (SFAIRP)
Under Section 17 of the Model WHS Act, you must eliminate risks, and where that is not reasonably practicable, minimise them So Far As Is Reasonably Practicable (SFAIRP). Your residual risk rating is evidence of this process.
If you accept a "High" residual risk when a "Low" risk was achievable via a reasonably practicable engineering control, you may be in breach of your primary duty of care.
Officer Due Diligence
Officers (Directors and Executives) have a positive duty under Section 27 to exercise due diligence. This includes ensuring the organisation has processes to minimise risks. Officers cannot rely on a risk register that shows all residual risks as "Green/Low" without interrogation.
You must verify that the residual risk reported matches the reality in the field. Blind reliance on "paper safety" is a failure of due diligence.
Operational Authority
Residual risk dictates who can authorise work. Most Safety Management Systems (SMS) link residual risk to authority levels:
| Residual Risk Level | Authorization Required |
|---|---|
| Low Risk | Manage at worker/supervisor level |
| Medium Risk | Requires Superintendent/Manager approval |
| High/Extreme Risk | STOP WORK. Requires Executive approval or significant system redesign |
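
The four-step process and the authority table above, sketched in Python as an added example (not part of the original page). The 5x5 levels, the score cut-offs, and the `Control` fields are assumptions, chosen so that the page's fall-from-heights case rates as stated; unverified controls earn no credit, so the rating stays at its inherent level.

```python
from dataclasses import dataclass

# Assumed 5x5 matrix (not from the page): score = likelihood x consequence.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
CONSEQUENCE = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}
BANDS = [(15, "Extreme"), (10, "High"), (5, "Medium"), (1, "Low")]  # assumed cut-offs
WEAK_TIERS = {"administrative", "ppe"}  # least reliable tiers in the hierarchy
# Authority text as given in the page's table.
AUTHORITY = {
    "Low": "Manage at worker/supervisor level",
    "Medium": "Requires Superintendent/Manager approval",
    "High": "STOP WORK. Requires Executive approval or significant system redesign",
    "Extreme": "STOP WORK. Requires Executive approval or significant system redesign",
}

@dataclass
class Control:
    name: str
    tier: str               # elimination, substitution, engineering, administrative, ppe
    likelihood_steps: int   # claimed drop in likelihood levels (assumed model)
    verified: bool          # True only if the control was checked in the field

def rate(likelihood: int, consequence: int) -> str:
    """Map a likelihood/consequence pair to a rating band."""
    score = likelihood * consequence
    return next(label for floor, label in BANDS if score >= floor)

def assess(likelihood: str, consequence: str, controls: list[Control]) -> dict:
    l0, c = LIKELIHOOD[likelihood], CONSEQUENCE[consequence]
    # Only verified controls earn credit; an unverified control leaves the
    # risk at its inherent level.
    credited = [k for k in controls if k.verified and k.likelihood_steps > 0]
    l1 = max(1, l0 - sum(k.likelihood_steps for k in credited))
    residual = rate(l1, c)  # consequence is held constant in this sketch
    return {
        "inherent": rate(l0, c),
        "residual": residual,
        "authority": AUTHORITY[residual],
        # "Paper safe": every credited control is administrative or PPE.
        "paper_safe": bool(credited) and all(k.tier in WEAK_TIERS for k in credited),
        "uncredited": [k.name for k in controls if not k.verified],
    }

# Constructed sample: the page's fall-from-heights case with a handrail.
handrail = Control("handrail", "engineering", 2, verified=True)
procedure = Control("working-at-heights procedure", "administrative", 2, verified=True)
print(assess("Possible", "Catastrophic", [handrail]))
```

The `paper_safe` flag marks a reduced rating that rests only on administrative controls or PPE, and `uncredited` lists the controls still awaiting field verification.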
Common Challenges
Optimism Bias
Humans naturally underestimate the likelihood of negative events happening to them. A supervisor might rate the residual likelihood of a vehicle accident as "Rare" because "my team are good drivers," even though industry statistics suggest it is "Possible."
This cognitive bias leads to artificially low residual risk scores, masking the true danger.
The "Paper Safe" Illusion
A common failure mode involves reducing residual risk to "Low" by relying heavily on Administrative Controls such as procedures, training, or signs. In the hierarchy of controls, these are the least effective and most prone to human error.
Case Study: In the inquest into the death of Cameron Cole (2015), the risk of a crushing injury was rated "Medium" based on administrative guidelines. The Coroner found these controls were inadequate for the gravity of the risk. The reliance on procedure rather than engineering controls created a "paper safe" environment that failed in practice.
Risk Entropy
Residual risk is dynamic. A task assessed as "Low Residual Risk" on Monday can become "High Risk" on Wednesday due to rain, fatigue, or equipment wear.
Static risk registers often fail to capture this drift. If you treat residual risk as a fixed number rather than a changing state, you may be working unprotected.
Best Practices
Verify, Don't Just Calculate
Implement Critical Control Verification (CCV). Do not assume a control is reducing risk just because it is listed on a SWMS. Go to the field and test it. Is the guard in place? Is the interlock functioning? If the control isn't working, your residual risk is actually the Inherent Risk.
Prioritise Hierarchy of Controls
Be sceptical of "Low" residual risk ratings achieved solely through administrative controls or PPE. Strive to lower residual risk using Elimination, Substitution, or Engineering controls, which are far more reliable.
Dynamic Risk Assessment
Empower workers to reassess residual risk immediately before starting work using a Take 5 or Job Hazard Analysis (JHA). If conditions change, they must have the authority to stop and recalculate using dynamic risk assessment.
Define "Reasonably Practicable"
Use the SFAIRP test, not just the ALARP (As Low As Reasonably Practicable) triangle. In Australia, even if a risk is "Low," you must still implement further controls if they are inexpensive and easy to install. There is no "Broadly Acceptable" region where you can simply ignore further safety improvements.
Frequently Asked Questions
Can my organisation accept "High" residual risk?
Generally, no. A "High" residual risk typically indicates that the risk has not been minimised so far as is reasonably practicable. Work should cease until controls are improved. In rare exceptions where the activity is critical and no further controls exist (such as emergency rescue), it requires senior executive sign-off and extreme monitoring.
What is the difference between SFAIRP and ALARP?
SFAIRP (So Far As Is Reasonably Practicable) is the Australian statutory standard—it focuses on weighing the risk against the cost and effort of controls. ALARP (As Low As Reasonably Practicable) is an engineering concept often using a "tolerability triangle." While similar, Australian courts apply the SFAIRP test, meaning you must implement controls unless the cost is grossly disproportionate to the risk.
If residual risk is "Low," is the task safe?
Not necessarily. "Low" risk means the risk is accepted, not that it is zero. "Zero risk" is rarely possible. A "Low" rating implies the remaining risk is manageable, but it still requires vigilance to ensure controls like PPE or procedures remain effective throughout the task.
Can residual risk be higher than inherent risk?
Generally, no, unless a control introduces a new, worse hazard. For example, a chemical substitute may be more toxic than the original, or a control may create additional hazards of its own. This indicates a control failure and requires immediate reassessment.
References
- Safe Work Australia. (2024). Model Code of Practice: How to manage work health and safety risks. Safe Work Australia. https://www.safeworkaustralia.gov.au
- Comcare. (2020). Exercising due diligence: Guidance for officers. Australian Government. https://www.comcare.gov.au
- ISO/AS NZS 31000:2018. Risk management – Principles and guidelines. Standards Australia.
- Caponecchia, C., & Shebelski, B. (2012). It Won't Happen to Me: An Investigation of Optimism Bias in Occupational Health and Safety. Safety Science.
- Comcover. An Overview of the Risk Management Process. Australian Government Department of Finance.
- Queensland Courts. (2015). Coronial findings – Cameron Brandt Cole.
- ONRSR. (2021). Guideline – Meaning of duty to ensure safety so far as is reasonably practicable (SFAIRP). Office of the National Rail Safety Regulator.
- R2A Due Diligence Engineers. SFAIRP not equivalent to ALARP. https://www.r2a.com.au