Risk Assessment

Risk assessment is the systematic process of evaluating the likelihood and potential consequences of harm arising from exposure to identified hazards, enabling you to prioritize and implement effective control measures. It transforms the abstract legal duty to ensure safety "so far as is reasonably practicable" into concrete, defensible actions.

What is Risk Assessment?

Risk assessment is not merely a form to fill out—it's the central engine of your Work Health and Safety (WHS) management system. It's the diagnostic tool you use to bridge the gap between the physical reality of your workplace and your legal obligation to ensure safety under the WHS Act.

In the Australian regulatory context, risk assessment is the operational method by which you demonstrate due diligence. By understanding not just what can cause harm (the hazard) but how it causes harm and how likely it is (the risk), you move from reactive hazard spotting to proactive risk management.

While WHS laws drive the requirement for risk assessment, the methodology is often underpinned by ISO 31000:2018 Risk Management Guidelines. This international standard defines risk broadly as "the effect of uncertainty on objectives," ensuring your safety risk management aligns with your broader enterprise risk architecture.

The Distinction Between Hazard and Risk

A critical failure mode in many Australian businesses is conflating "hazard" and "risk." Understanding this distinction is the first step in effective assessment.

Hazard: A situation or thing that has the potential to harm a person. Hazards are intrinsic to your workplace—electricity, moving vehicles, repetitive manual tasks, and workplace bullies are all hazards. They exist regardless of whether anyone is interacting with them.

Risk: The possibility that harm (death, injury, or illness) might occur when exposed to a hazard. Risk is a dynamic calculation involving the likelihood of the harm occurring and the severity (consequence) of that harm.

Practical Example: Consider a shark in a tank at an aquarium. The shark is the hazard—it has intrinsic potential to cause catastrophic harm via biting. But if you're a visitor viewing through 100mm reinforced glass, the risk is negligible. If you're a diver entering the tank to clean it, the risk is high. The hazard hasn't changed, but the risk (interaction + likelihood + consequence) has shifted dramatically.

Your risk assessment process must focus on the interaction between your workers and the hazards, not just the hazards themselves.

How Risk Assessment Works: The Four-Step Process

The risk assessment process in Australia generally follows a four-step cycle outlined in the Code of Practice: How to Manage Work Health and Safety Risks. This cycle is iterative—you never truly "finish" risk management; you only complete a cycle.

Step 1: Identify Hazards

You cannot manage a risk you don't know exists. Hazard identification requires you to look for sources of harm across your entire operation.

Physical Inspections: "Walk the floor." Look for obvious hazards like trailing cables, unguarded machinery, or blocked exits.

Consultation: Ask your workers. They know the "Work-as-Done" (reality) versus "Work-as-Imagined" (procedure). They can tell you about the jam that happens every Tuesday or the tool that always slips.

Data Analysis: Review your near-miss reports, injury registers, and workers' compensation data. Look for trends—if three people have cut their hands in the warehouse, you have an identified hazard.

Process Review: Analyze your work processes. Break tasks down into steps (Job Safety Analysis) to find hidden hazards in the workflow.

Category | Examples | Potential Harm
Physical | Noise, radiation, temperature, vibration | Hearing loss, heat stroke, HAVS
Mechanical | Moving plant, vehicles, pressurized equipment | Crushing, entanglement, impact
Chemical | Solvents, silica dust, cleaning agents, fumes | Burns, respiratory disease, poisoning
Biological | Bacteria, viruses, moulds, bodily fluids | Infection, allergy, zoonosis
Ergonomic | Manual handling, repetitive movement, workstation design | Musculoskeletal disorders (MSDs)
Psychosocial | Workload, bullying, harassment, fatigue, trauma exposure | Stress, anxiety, burnout, PTSD

Step 2: Assess Risks

Once hazards are identified, you must assess the risk they pose. This involves evaluating two key dimensions: Likelihood and Consequence.

Likelihood: How often are workers exposed? How long is the exposure? How close are they to the hazard? Has this incident happened before?

Consequence: What is the most probable outcome? Is it a minor cut requiring a band-aid, or a fatality?

Many organisations use a risk matrix to combine these two factors into a risk rating (e.g., Low, Medium, High, Extreme). While useful for prioritization, you must be wary of its limitations, including range compression and subjectivity.

When is Assessment Mandatory? You don't always need a complex risk assessment. If a hazard is well-known and there's a recognized control (e.g., noise in a factory controlled by isolation and hearing protection), you can proceed directly to controlling it. However, you must assess risks when there's uncertainty about how a hazard may cause injury, when the hazard involves confined spaces, diving work, working at heights, or live electrical work, or when changes in the workplace may impact existing controls.

Step 3: Control Risks (The Hierarchy of Control)

This is the most critical step. You must select controls to eliminate or minimize the risk. The WHS Regulations mandate the use of the Hierarchy of Control, which ranks measures from most effective to least effective.

Level 1: Elimination — The gold standard. You physically remove the hazard. Example: Automating a manual handling task so workers never touch the load. Effectiveness: 100%. The risk is gone.

Level 2: Substitution — Replace the hazard with something safer. Example: Replacing a solvent-based cleaner with a water-based detergent.

Level 2: Isolation — Separate the hazard from people. Example: Installing concrete barriers between forklifts and pedestrians.

Level 2: Engineering — Use mechanical devices to control the risk. Example: Installing presence-sensing guards on a press machine; using Local Exhaust Ventilation (LEV) for dust.

Level 3: Administrative — Rules, training, signage, and procedures. Example: "Do not enter" signs, Safe Work Method Statements (SWMS), rotation rosters. Weakness: Relies entirely on human behavior compliance.

Level 3: PPE — Personal Protective Equipment. The last resort. Example: Hard hats, gloves, respirators. Weakness: Only protects the wearer, and only if worn correctly. It doesn't fix the hazard.

Your Duty: You must implement Level 1 (Elimination) if reasonably practicable. If not, you move down the list. You cannot simply jump to PPE because it's cheaper.

Step 4: Review Control Measures

The risk management cycle is closed by reviewing your controls. Are they working? Have they introduced new risks?

Triggers for review include: a notifiable incident or near-miss occurs; a Health and Safety Representative (HSR) requests a review; you change your work practices, equipment, or location; or new information becomes available (e.g., a safety alert about a chemical you use).

Why Risk Assessment Matters

The Primary Duty of Care

Under the Model Work Health and Safety Act 2011 (adopted in NSW, QLD, SA, TAS, ACT, NT, and WA), you, as a Person Conducting a Business or Undertaking (PCBU), have a primary duty of care.

Section 17: Management of Risks is explicit: "A duty imposed on a person to ensure health and safety requires the person to eliminate risks to health and safety, so far as is reasonably practicable; and if it is not reasonably practicable to eliminate risks to health and safety, to minimise those risks so far as is reasonably practicable."

This means risk assessment is not optional. It's the mechanism by which you determine what is "reasonably practicable." If you fail to assess risks, you cannot effectively demonstrate that you've met your legal obligations.

State Variations: Victoria

Victoria operates under the Occupational Health and Safety Act 2004. While not part of the harmonized WHS system, the principles are nearly identical. Section 20 mandates that employers eliminate or reduce risks so far as is reasonably practicable. WorkSafe Victoria emphasizes the same four-step process (Identify, Assess, Control, Review). Whether you're in Melbourne or Perth, the core requirement to systematically manage risk remains.

Business Value Beyond Compliance

Effective risk assessment delivers value beyond avoiding fines:

Operational Continuity: By preventing incidents, you prevent downtime, investigation costs, and equipment damage.

Resource Allocation: It helps you spend your safety budget where it matters most—on the high risks—rather than on trivial issues.

Worker Engagement: Involving workers in risk assessment (Consultation) builds trust and improves safety culture. Workers feel heard and valued.

Legal Defense: In the event of a prosecution, a comprehensive, documented risk assessment is a key piece of evidence that you took "all reasonable steps" to prevent harm.

Common Challenges

While the theory of risk assessment is logical, the practice is fraught with challenges. You must be aware of these pitfalls to avoid a "tick and flick" culture.

The "Tick and Flick" Mentality

One of the most common failures is treating risk assessment as a bureaucratic hurdle. Workers or managers may fill out a risk assessment form (like a Take 5 or JSA) without engaging their brains, simply ticking "No" to every hazard to get the job started.

This creates "Safety Clutter"—useless paperwork that provides a false sense of security. Courts have criticized this approach, noting that a form filled out by rote does not constitute a "safe system of work."

The Limitations of the Risk Matrix

The 5×5 risk matrix is a standard tool, but it's scientifically flawed if used blindly.

Compression of High-Consequence Risks: Events that are "Catastrophic" (e.g., multiple fatalities) but "Rare" often score as "Medium" or "Low" risk on a matrix. This can lead to complacency. A risk with a catastrophic consequence must be treated with high-level controls (engineering/elimination) regardless of how "rare" the matrix says it is.

Subjectivity: Two people can look at the same task and score it differently based on their own biases. A veteran might rate a risk as "Low" because "we've always done it this way," while a new starter might rate it "High."

Work-as-Imagined vs. Work-as-Done

A risk assessment written in the office often reflects "Work-as-Imagined"—the ideal procedure where all tools are available, time is ample, and the weather is perfect.

In reality ("Work-as-Done"), workers adapt to broken tools, rushing, and messy environments. If your risk assessment doesn't capture these adaptations, it's evaluating a fantasy.

Solution: You must observe the work and consult the workers to understand the actual hazards they face, not just the theoretical ones.

Cognitive Biases

Your risk assessment is only as good as the thinking behind it. Several biases can distort your judgment:

Confirmation Bias: You look for evidence that the workplace is safe and ignore evidence that it's dangerous.

Optimism Bias: "It won't happen to me." This leads to underestimating likelihood.

Groupthink: In a risk workshop, if the boss says "I don't think that's a risk," everyone else tends to agree, suppressing valid concerns.

Best Practices

1. Facilitate, Don't Dictate

Use consultation effectively. Section 47 of the WHS Act requires it. Don't just show workers the assessment; build it with them. Use toolbox talks for daily briefings to discuss specific risks for the day's tasks. Consider running "Learning Teams" to discuss successful work—ask: "What is difficult, dangerous, or different about this job?"

2. Focus on Critical Risks

Prioritize your energy. Don't spend hours assessing the risk of a papercut while ignoring the forklift traffic management plan. Focus on Critical Risks—those that can kill or permanently disable. Ensure these have verification of critical controls (e.g., "Is the interlock working?").

3. Apply Safety II Principles

Shift from just preventing things going wrong (Safety I) to ensuring things go right (Safety II). Ask workers: "What tools do you need to do this safely?" rather than "Why didn't you follow the procedure?" Recognize that workers are the solution, not the problem. Their adaptability keeps the system running.

4. Dynamic Risk Assessment

Supplement your formal documents (SWMS, JRA) with Dynamic Risk Assessment (DRA). This is the mental check a worker does before touching a tool. Encourage the "Pause." If the job changes (e.g., it starts raining), stop and re-assess. Make sure the Take 5 card is a prompt for conversation, not just a tick-box exercise.

5. Review Competency

Ensure the people leading your risk assessments are competent. They don't necessarily need a PhD, but they should understand the WHS Act, the Hierarchy of Control, and the specific technical hazards of the work. For high-risk industries (mining, oil & gas), formal competencies (e.g., RIIRIS402E) are often required.

Frequently Asked Questions

Is a written risk assessment always mandatory?

No, not for every single hazard. If a risk is well-known and a standard control is used (e.g., checking a cord for damage), a formal document may not be needed. However, for high-risk work (confined spaces, diving, live electrical) and complex situations where risks are uncertain, a written assessment is mandatory under WHS Regulations.

Who should conduct the risk assessment?

It should be a collaborative effort. While a safety professional or manager might lead the process, you must consult with the workers who actually do the job. They have the practical knowledge of "Work-as-Done." In some high-risk sectors, specific competencies are required for the facilitator.

How often should we review our risk assessments?

There's no set expiry date (e.g., "every year") in the Act, but you must review them when: a control fails (incident), things change (new plant/process), new information arises, or an HSR requests it. Best practice is to review critical risks annually and operational risks whenever the task environment changes.
