What is a risk assessment
A risk assessment is a structured process for identifying hazards in a workplace, evaluating the risks they pose, and deciding what controls are needed to prevent harm. It is not a one-off compliance exercise. It is the foundation of any effective safety management system, and it is a legal requirement under Australian workplace health and safety law.
At its core, a risk assessment answers three questions: What could go wrong? How likely is it, and how bad could it be? What are we doing about it? The process forces you to think systematically about the hazards your workers face rather than relying on experience, assumptions or reacting after someone gets hurt.
The concept is straightforward, but execution is where most organisations struggle. A well-conducted risk assessment captures hazards that people walk past every day, assigns meaningful risk scores, and produces controls that are actually implemented and monitored. A poorly conducted one becomes a filing cabinet exercise that satisfies an auditor but does nothing to prevent injuries.
This guide walks through the process step by step, covers the most common methods, and explains how to avoid the mistakes that undermine the value of the entire exercise.
When you need a risk assessment
In Australia, the Work Health and Safety Act 2011 (WHS Act) requires persons conducting a business or undertaking (PCBUs) to manage risks to health and safety. The WHS Regulations specify particular situations where a risk assessment is mandatory, including working with hazardous chemicals, noise exposure, manual handling, working at heights, and confined spaces.
Beyond the specific mandatory triggers, SafeWork Australia recommends conducting a risk assessment whenever:
- A new piece of equipment, substance or work process is introduced
- There is a change to the workplace layout or environment
- An incident, near miss or injury has occurred and you need to understand what went wrong
- New information about a hazard becomes available, such as updated safety data sheets or industry alerts
- Workers raise concerns about a specific task or condition
- You are planning a high-risk activity such as a shutdown, demolition or working near live services
The AS/NZS ISO 31000:2018 standard provides a broader risk management framework that many Australian organisations use alongside their WHS obligations. While ISO 31000 is not legally mandated, it provides a structured approach to risk management that aligns with the intent of the WHS Act and is widely adopted across mining, construction, utilities and government.
In practical terms, if your workers are exposed to a hazard and you have not documented how you assessed and controlled that risk, you are exposed to regulatory action. A risk assessment is both your planning tool and your evidence that you have met your duty of care.
The five steps of a risk assessment
SafeWork Australia outlines a four-step risk management process: identify, assess, control and review. In practice, most organisations break this into five distinct steps that are easier to follow and assign responsibility for.
Step 1: Identify hazards
Walk the workplace and look for anything that could cause harm. Physical hazards are the most obvious: unguarded machinery, trip hazards, working at height, electrical equipment, mobile plant. But hazards also include chemical exposure, noise, vibration, heat stress, manual handling loads, biological agents, and psychosocial factors such as fatigue, bullying or isolated work.
Do not rely on a single method to identify hazards. Use a combination of workplace inspections, task observations, incident and near-miss reports, safety data sheets, manufacturer instructions, consultation with workers (they know where the problems are), and review of industry-specific guidance from SafeWork Australia or your state regulator.
Step 2: Assess the risks
For each identified hazard, assess the level of risk by considering two factors: the likelihood of harm occurring and the consequence (severity) if it does. A risk matrix is the most common tool for this step, plotting likelihood against consequence to produce a risk rating (low, medium, high, extreme).
Consider existing controls when assessing the risk level. A hazard with effective controls already in place will have a lower residual risk than one with no controls. Document both the inherent risk (before controls) and the residual risk (after controls) so you can see whether your controls are adequate.
Step 3: Determine control measures
Apply the hierarchy of controls to each risk, starting with the most effective measures and working down:
- Elimination - Remove the hazard entirely. Can you stop the task, remove the substance, or redesign the process so the hazard no longer exists?
- Substitution - Replace the hazard with something less dangerous. Use a less toxic chemical, a quieter machine or a different method.
- Engineering controls - Physically isolate people from the hazard. Guards, barriers, ventilation, fall arrest systems.
- Administrative controls - Change the way people work. Procedures, training, signage, job rotation, permits to work.
- Personal protective equipment (PPE) - The last resort. PPE protects the individual but does nothing to reduce the hazard itself.
The WHS Regulations require you to work through this hierarchy and not jump straight to PPE. For a practical walkthrough of how to score and prioritise risks, see our risk matrix guide.
Step 4: Implement controls
A control measure that exists only in a document is not a control measure. Implementation means assigning responsibility, setting a deadline, providing resources (budget, training, equipment), and confirming that the control is in place and working. This is where many risk assessments fall down: the analysis is thorough, but nobody follows through on the actions.
Record who is responsible for each action, the completion date, and any evidence that the control has been implemented. If you are using digital inspection forms, you can attach photos, sign-offs and completion records directly to the risk assessment record.
Step 5: Review and monitor
Risk assessments are living documents. Review them at scheduled intervals (annually at minimum) and whenever a trigger event occurs: an incident, a change in equipment, a new process, or updated regulations. Check whether the controls you put in place are still effective, whether new hazards have emerged, and whether risk ratings need to be updated.
A scheduled review cycle, combined with incident-triggered reviews, keeps your risk assessments current. Without regular review, risk assessments become outdated paperwork that no longer reflects the actual conditions in your workplace.
Risk assessment methods
There is no single correct method for assessing risk. The right approach depends on the complexity of the hazard, your industry, and the level of rigour required. Here are the three most common methods used in Australian workplaces.
Qualitative risk assessment
A qualitative assessment uses descriptive categories rather than numbers. Likelihood is described as "unlikely", "possible" or "likely". Consequence is described as "minor", "moderate" or "major". The risk level is determined by professional judgement based on these descriptions.
This approach is fast, accessible, and suitable for straightforward hazards where the risk is well understood. It works well for routine workplace inspections and when workers without a safety background need to participate in the assessment. The downside is subjectivity: different people may assess the same hazard differently.
Semi-quantitative risk assessment (5x5 matrix)
The 5x5 risk matrix is the workhorse of workplace risk assessment in Australia. It assigns numerical values to likelihood (1 to 5, from rare to almost certain) and consequence (1 to 5, from insignificant to catastrophic). The risk score is calculated by multiplying likelihood by consequence, giving a range of 1 to 25.
Scores are typically banded into risk levels: 1 to 4 (low), 5 to 9 (medium), 10 to 16 (high), and 17 to 25 (extreme). Each band has a corresponding response: low risks are managed through routine procedures, medium risks require planned action, high risks need immediate attention, and extreme risks mean work should stop until controls are in place.
The 5x5 matrix provides consistency and comparability. When everyone uses the same scale, you can rank risks, allocate resources to the highest-scoring ones first, and track whether scores improve over time as controls are implemented.
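As an added illustration (not code from this page, from MapTrack, or from a SafeWork Australia template), the following Python script turns the 5x5 scoring and bands described above into a small risk register: it validates the 1 to 5 scales, multiplies likelihood by consequence, maps the score to its band and expected response, records both inherent and residual scores per hazard as Step 2 suggests, ranks the register by residual score, and flags entries whose review date has passed. The band boundaries and responses are those given in the text; the hazards, owners and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Score bands from the text: inclusive upper bound -> risk level.
BANDS = ((4, "low"), (9, "medium"), (16, "high"), (25, "extreme"))
LEVEL_ORDER = {"low": 0, "medium": 1, "high": 2, "extreme": 3}

# Expected response per band, as described in the text.
RESPONSE = {
    "low": "manage through routine procedures",
    "medium": "planned action required",
    "high": "immediate attention required",
    "extreme": "stop work until controls are in place",
}


def score(likelihood: int, consequence: int) -> int:
    """Multiply likelihood (1-5) by consequence (1-5); reject values off the scale."""
    for name, value in (("likelihood", likelihood), ("consequence", consequence)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return likelihood * consequence


def band(risk_score: int) -> str:
    """Map a 1-25 score to its risk level using the inclusive band bounds."""
    for upper, level in BANDS:
        if risk_score <= upper:
            return level
    raise ValueError(f"score out of range: {risk_score}")


@dataclass
class Hazard:
    description: str
    inherent: tuple[int, int]   # (likelihood, consequence) before any controls
    residual: tuple[int, int]   # (likelihood, consequence) with existing controls
    owner: str                  # person responsible for the review / open actions
    review_due: date

    def inherent_score(self) -> int:
        return score(*self.inherent)

    def residual_score(self) -> int:
        return score(*self.residual)

    def residual_level(self) -> str:
        return band(self.residual_score())


def rank(register: list[Hazard]) -> list[Hazard]:
    """Highest residual score first; ties broken by inherent score so hazards
    that depend most on their controls surface earlier."""
    return sorted(register, key=lambda h: (h.residual_score(), h.inherent_score()), reverse=True)


def controls_adequate(hazard: Hazard, acceptable: str = "medium") -> bool:
    """True when the residual level is at or below the acceptable level."""
    return LEVEL_ORDER[hazard.residual_level()] <= LEVEL_ORDER[acceptable]


def overdue_reviews(register: list[Hazard], today: date) -> list[Hazard]:
    """Entries whose scheduled review date has already passed."""
    return [h for h in register if h.review_due < today]


# Constructed sample register: hazards, scores, owners and dates are illustrative.
SAMPLE_REGISTER = [
    Hazard("Unguarded bench grinder", (4, 4), (2, 4), "Workshop lead", date(2025, 3, 1)),
    Hazard("Edge work on scaffold", (3, 5), (2, 5), "Site supervisor", date(2025, 9, 30)),
    Hazard("Solvent vapour in paint bay", (4, 3), (2, 3), "Paint shop lead", date(2025, 6, 15)),
    Hazard("Cable runs across walkway", (4, 2), (2, 2), "Site supervisor", date(2025, 9, 30)),
    Hazard("Isolated work after hours", (3, 4), (3, 3), "Operations manager", date(2025, 1, 10)),
]
SAMPLE_TODAY = date(2025, 7, 1)  # constructed "as at" date for the overdue check


def report(register: list[Hazard], today: date) -> list[str]:
    """One line per hazard in ranked order, then one line per overdue review."""
    lines = []
    for h in rank(register):
        flag = "" if controls_adequate(h) else "  <-- further controls needed"
        lines.append(
            f"{h.residual_score():>2} {h.residual_level():<8} "
            f"(inherent {h.inherent_score():>2}) {h.description}{flag}"
        )
    for h in overdue_reviews(register, today):
        lines.append(f"OVERDUE review: {h.description} (due {h.review_due.isoformat()}, owner {h.owner})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_REGISTER, SAMPLE_TODAY)))
```

Running the script prints the ranked register with the scaffold hazard at the top (residual 10, still "high" after controls) and three entries whose annual review has lapsed. The acceptable-level threshold in `controls_adequate` is the organisation's own decision; the text only fixes the band boundaries and the response each band calls for.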
Quantitative risk assessment
Quantitative methods use measured data, such as exposure levels, failure rates, historical incident frequencies and financial cost estimates, to calculate risk numerically. These assessments are more complex and typically require specialist input, but they are essential for high-consequence scenarios: major hazard facilities, chemical process safety, structural engineering and environmental risk.
Most field-based organisations will use qualitative or semi-quantitative methods for day-to-day risk management and reserve quantitative assessments for major projects or regulatory submissions.
Common risk assessment mistakes
Risk assessments fail not because the concept is flawed, but because of how they are executed. These are the mistakes that come up most often.
Treating it as a one-off. A risk assessment completed during commissioning and never reviewed again is worse than useless. It creates a false sense of security. Conditions change, equipment ages, new tasks are introduced, and the risk profile shifts. If your risk assessment is more than 12 months old and nothing has changed, it is probably out of date.
Generic assessments that do not reflect reality. Downloading a template and signing it without tailoring it to your specific workplace, tasks and conditions is a compliance shortcut that a regulator will see through immediately. A risk assessment for "manual handling" that does not describe the actual loads, movements and environment your workers deal with is not fit for purpose.
Skipping worker consultation. The WHS Act requires consultation with workers. More importantly, the people doing the work know where the real hazards are. A risk assessment written entirely by a safety manager in an office, without input from the crew on the ground, will miss practical hazards and produce controls that do not work in practice.
Jumping straight to PPE. PPE is the lowest level of the hierarchy of controls. If your risk assessment lists "wear gloves" or "wear hearing protection" as the primary control for every hazard, you have not worked through the hierarchy properly. Regulators expect to see evidence that higher-order controls were considered first.
No follow-through on actions. Identifying a hazard and writing "install guardrail" as a control achieves nothing if nobody is assigned the action, given a deadline, or held accountable for completion. The gap between documented controls and implemented controls is where injuries happen.
Inconsistent risk scoring. If one team rates a hazard as "high" and another rates the same hazard as "medium", your risk register becomes unreliable. Calibration is important: define what each likelihood and consequence level means in your context, provide examples, and train people to apply the scale consistently.
Digital vs paper risk assessments
Paper risk assessments have been the default for decades. They work, up to a point. A printed form, a clipboard, a pen and a filing cabinet will satisfy a regulatory requirement. But paper introduces problems that become harder to ignore as your operation scales.
Paper forms are difficult to search. If a regulator asks to see all risk assessments related to working at height across your last three projects, you need someone to dig through filing cabinets or folders on a shared drive. Paper forms get lost, damaged, or filed incorrectly. Version control is a constant problem: which version of the risk assessment is current, and is everyone using it?
Digital risk assessments solve these problems. A cloud-based system stores every assessment in a searchable database with version history, timestamps and author records. You can filter by site, by hazard type, by risk level or by review date. You can set automated reminders for reviews. You can attach photos and supporting documents directly to the assessment.
The real advantage of digital is workflow. When a risk assessment identifies an action, the system can assign it to a person, set a due date, send a notification and track completion. This closes the gap between identifying a risk and actually controlling it. On paper, that gap relies entirely on someone remembering to follow up.
For teams managing multiple sites, the difference is even more pronounced. A digital system gives you a real-time view of compliance status across every location: which assessments are current, which are overdue for review, and which have open actions. That visibility is impossible with paper unless someone manually consolidates data from every site.
Risk assessment templates and tools
A good template provides structure without being prescriptive. It should include sections for hazard description, existing controls, likelihood and consequence ratings, risk score, additional controls required, responsible person, due date and review date.
SafeWork Australia publishes free risk assessment templates that align with the WHS Regulations. These are a solid starting point for most workplaces. Industry-specific templates are available from state regulators and industry bodies. For construction, Resources Safety (WA) and SafeWork NSW publish templates tailored to common construction hazards.
MapTrack offers a free, downloadable risk assessment template designed for field-based operations. It includes a built-in 5x5 risk matrix, hierarchy of controls prompts, and fields for assigning actions with due dates. You can use it as a standalone document or as the starting point for a digital risk assessment workflow within the platform.
When choosing a template or tool, look for these features:
- A clear structure that follows the five-step process (identify, assess, control, implement, review)
- A built-in risk matrix so scoring is consistent across your organisation
- Fields for assigning actions, owners and deadlines, not just documenting hazards
- Space for worker consultation records and sign-offs
- Version control and review date tracking
- The ability to link related documents: safe work method statements, safety data sheets, inspection records
How MapTrack supports risk management
Risk assessments do not exist in isolation. They connect to your assets, your inspections, your maintenance schedules and your compliance records. MapTrack brings these elements together in a single platform built for field-based teams.
With MapTrack, you can create and manage digital custom forms for risk assessments, inspections and audits. Forms are completed on mobile devices in the field, with photos, GPS location stamps and digital signatures. Every submission is stored against the relevant asset or site, creating a complete compliance history.
When a risk assessment identifies a control that requires action, such as a repair, a replacement, or an inspection, you can create a task directly from the form. That task is assigned to a person, given a due date, and tracked to completion. No handwritten notes, no emails that get lost, no actions that fall through the cracks.
For organisations managing compliance across multiple sites, MapTrack provides a dashboard view of assessment status, overdue reviews and open actions. You can see at a glance which sites are current and which need attention, without chasing paper trails or waiting for monthly reports.
The platform also supports pre-start inspections, maintenance scheduling and asset tracking, so the data from your risk assessments feeds into the broader safety and maintenance ecosystem rather than sitting in a silo. If a risk assessment flags that a piece of equipment needs an additional safety check, that check can be scheduled and tracked within the same system.
Risk management is only as good as the follow-through. MapTrack helps you move from identifying risks on paper to controlling them in practice.
