Risk Management Process

The four-step loop every WHS code is built on: identify hazards, assess risks, control risks, review controls.

Quick Take
  • Always work to eliminate the hazard first; PPE is the last resort.
  • Walk the workplace and consult workers — they see hazards supervisors miss.
  • From 1 July 2026, complying with this code (or an equivalent/higher standard) becomes a duty under the model WHS laws.
  • A simple risk register is the easiest record to keep — and the first thing a regulator asks for.
  • Review controls after any change (people, plant, process, legislation) — don't assume old controls still work.

1. Who's responsible

PCBU duties (WHS Act s.19)

  • Eliminate risks so far as is reasonably practicable; if not, minimise them.
  • Apply the 4-step risk management process and the hierarchy of control.
  • Consult workers directly affected — including contractors, on-hire, apprentices, volunteers.
  • Manage supply-chain pressures (deadlines, delivery windows) that can erode safety.

Officer due diligence (s.27)

  • Understand the hazards and risks of the business.
  • Provide resources and processes to eliminate or minimise them.
  • Build personal WHS competency; verify the system actually works.

Worker duties (s.28)

  • Take reasonable care for own and others' safety.
  • Follow reasonable instructions; use PPE as trained.
  • Raise concerns and report problems promptly.

2. The 4-step process

![[risk_management_process_img001.jpg|520]] Figure 1 — The risk management process. Four steps that loop: identify → assess → control → review.

Step 1 — Identify hazards

  • Walk the site regularly; observe how work is actually done, not how procedures say it should be done.
  • Consult workers about near misses, incidents, ergonomic strain.
  • Review: SDSs, manufacturers' instructions, incident records, sick-leave patterns, inspection results.
  • Check supply-chain partners (deliverers, hirers) for hazards they import.
  • Maintain a running hazard list.

Step 2 — Assess risks

  • For each hazard: how severe could the harm be, how likely is it, who is exposed?
  • Skip formal assessment only when the hazard is well known and the control is well established.
  • Range of methods: 5-minute team huddle → formal risk analysis with specialist input.

Step 3 — Control risks

See §3 for the hierarchy of control. Rules of thumb:

  • Pick the highest level of control that is reasonably practicable.
  • Combine controls where one alone is not enough.
  • Make controls reliable, available, and suited to the actual workplace conditions.
  • Train, induct, and assign accountability before the control goes live.

Step 4 — Review controls

Review when:

  • A control is found ineffective.
  • The workplace changes (new plant, process, person, layout, legislation).
  • A new hazard is identified.
  • A worker, HSR or HSC asks for a review.
  • After any incident or near miss.

3. Hierarchy of control measures

Always work down the hierarchy. Don't jump to PPE.

![[risk_management_process_img002.jpg|520]] Figure 2 — Hierarchy of control measures. Higher levels are more reliable because they don't depend on human behaviour.

Level 1 — Eliminate (most effective)

  • Remove the hazard entirely. Best done at design/planning stage.
  • Example: do the work at ground level instead of at height; specify a non-hazardous chemical.

Level 2 — Substitute, Isolate, Engineer

  • Substitute: water-based paint instead of solvent; quieter plant for noisy plant.
  • Isolate: guardrails at edges, fume cabinets, exclusion zones, remote operation.
  • Engineer: machine guards, safety switches, mechanical lifting aids, sound dampening.

Level 3 — Administrative

  • Safe work procedures, SWMS, training, signage, rotation, scheduling, exposure-time limits.
  • Useful as a layer on top of higher controls — not a replacement for them.

Level 4 — PPE (least effective)

  • Hard hats, gloves, hearing protection, respirators, eye protection.
  • Only effective if it fits, is worn correctly, is maintained, and is supervised.

Administrative controls and PPE rely on human behaviour and supervision — that's why they sit at the bottom.

4. "How could this go wrong?"

![[risk_management_process_img003.jpg|520]] Figure 3 — Tracing the chain from hazard to harm. Useful for assessing low-probability/high-consequence risks.

Walk the chain backwards: what would have to happen for this hazard to harm someone? Each link is a place a control can be inserted.

5. Consultation, training, records

Consultation triggers (full list in [[whs_consultation_cooperation_coordination]]):

  • When identifying hazards or assessing risks.
  • When deciding on controls.
  • When proposing a change that affects WHS.
  • When developing WHS procedures.

Training

  • Induction covering site hazards and the risk management process.
  • Task-specific training before any new control goes live.
  • Refresher when controls or workers change.

Records to keep (a simple risk register does most of this):

  • Identified hazards, assessed risks, chosen controls.
  • Who was consulted; when controls were implemented, monitored, reviewed.
  • Training records, plans for changes, review dates.
  • Specific records mandated by regulation (chemicals, plant, asbestos, confined spaces).

6. Common pitfalls / quick wins

Do

  • Walk the floor; observe the actual work — not the SOP.
  • Consult workers and HSRs before decisions are locked.
  • Eliminate at the design stage — it is far cheaper than retrofitting.
  • Keep one running risk register so reviews are easy.
  • Re-test controls after any change.

Don't

  • Skip assessment because "we know this hazard" — assumptions are how incidents start.
  • Jump to PPE as the first control. It's the bottom of the hierarchy for a reason.
  • Add a new control without checking it doesn't create a new hazard (e.g. a barrier that creates a blind spot).
  • Set and forget — controls drift without review.
  • Rely on one-size-fits-all controls; suitability depends on your workplace.

7. Cross-references

  • See also: [[whs_consultation_cooperation_coordination]], [[workplace_environment_and_facilities]]
  • Glossary: [[glossary_and_key_concepts]]
  • Construction-specific application: see §02 [[02 - Construction Work/_section_overview|Construction Work]]

Source: manage_work_health_and_safety_risks.md (Safe Work Australia, model Code of Practice, CC-BY-NC 4.0). Edition: May 2018. Last verified against SWA: 2026-04-27.