What are the 5 steps of risk assessment?

The five steps are: (1) Identify hazards, look at the task, environment, equipment and people to find anything that could cause harm. (2) Assess the risk, use a likelihood and consequence matrix to rate each hazard. (3) Control the risk, apply controls following the hierarchy of controls (elimination, substitution, engineering, administrative, PPE). (4) Record the findings, document hazards, risk ratings, controls and residual risk in the assessment form. (5) Review and update, revisit the assessment when conditions change, after incidents or at scheduled intervals.

Who should complete a risk assessment?

Under the model WHS Act, a Person Conducting a Business or Undertaking (PCBU) has the primary duty to identify and manage risks. In practice, the risk assessment is usually completed by a competent person with knowledge of the task, such as a supervisor, site safety officer or team leader, in consultation with the workers who will perform the work. Workers who are familiar with the day-to-day hazards of the task should always be involved, as they often identify risks that others miss.

How often should risk assessments be reviewed?

Risk assessments should be reviewed whenever there is a change in the task, equipment, environment or personnel. They should also be reviewed after an incident, near miss or hazard report related to the assessed activity. Beyond these triggers, most organisations schedule periodic reviews, commonly every 6 to 12 months, to ensure controls remain effective and the assessment reflects current conditions. Safe Work Australia recommends reviewing risk assessments as part of your ongoing risk management process.

What is the difference between a risk assessment and a JSA?

A risk assessment is a broad hazard identification and risk evaluation process that can apply to a workplace area, project, piece of equipment or general activity. A Job Safety Analysis (JSA) is a specific type of risk assessment that breaks a single task into sequential steps and identifies the hazards and controls for each step. In short, a risk assessment looks at risk across a broader scope, while a JSA focuses on the step-by-step hazards of one particular job. Many organisations use both: risk assessments for overall planning and JSAs for individual high-risk tasks.

Is this risk assessment template free?

Yes. Download and use this risk assessment template for free. Open the template in your browser and use Print, then Save as PDF. No MapTrack account is required. If you want to manage risk assessments digitally with a built-in risk matrix, automatic review reminders, control effectiveness tracking and a centralised register across all your sites, MapTrack can do that. Book a demo to see how it works.

What is the hierarchy of controls and why does the order matter?

The hierarchy of controls sets the order in which control measures must be considered: eliminate the hazard, substitute with a less hazardous option, isolate the hazard, apply engineering controls, apply administrative controls, then use PPE as the last line of defence. Under WHS Regulations 2011 reg 36, a PCBU must work through these in order and apply higher-order controls before resorting to lower-order ones. Going straight to PPE without showing why engineering or substitution was not reasonably practicable is one of the most common reasons a regulator rejects a risk control plan during an incident investigation.

What does "so far as is reasonably practicable" mean in a risk assessment?

Reasonably practicable is the test the WHS Act applies to every duty. It means doing what is reasonable to do in the circumstances, weighing the likelihood of harm, the degree of harm, what is known about the hazard, the availability and suitability of controls and the cost of the controls relative to the risk. Cost can be considered but cannot be the sole reason to avoid a control. A risk assessment that documents this weighing process protects the PCBU because it shows the regulator how the controls were chosen.

Should workers be consulted while the assessment is being prepared?

Yes, under section 47 of the WHS Act 2011 a PCBU must consult with workers who are or are likely to be directly affected. Consultation is not optional and not satisfied by sending the finished document for review. Workers must be involved while hazards are being identified, when risk ratings are assigned and when controls are chosen. Health and safety representatives must also be consulted where they have been elected. Record the names of workers consulted on the form. Regulators ask for this evidence when assessing whether the duty to consult was met.

How do we score risks consistently between assessors?

Use a 5x5 likelihood-by-consequence matrix and brief assessors on what each rating means with concrete examples. Likelihood 5 (almost certain) might mean expected to occur weekly across the site. Likelihood 1 (rare) might mean may occur in exceptional circumstances, once every five years or more. Consequence 5 (catastrophic) covers multiple fatalities. Consequence 1 (insignificant) covers a near miss with no harm. Calibrate the team using a worked example before they assess alone. Inconsistent scoring is the single biggest weakness in a risk register and undermines prioritisation.

What is residual risk and when is it acceptable?

Residual risk is the risk level remaining after all chosen controls are applied. It is acceptable when it falls into the low band on the matrix, the controls are practical and sustainable, and any higher-order controls have been considered and ruled out with documented reasoning. For medium residual risk, additional controls or a more frequent review cycle may be required. High or extreme residual risk is not acceptable. The task must be redesigned, additional controls applied, or the work suspended until the risk can be reduced. Record the residual risk and the basis for accepting it on the form.

How does AS/NZS ISO 31000:2018 apply to a workplace risk assessment?

AS/NZS ISO 31000:2018 is the enterprise risk management framework that most Australian safety management systems align to. It defines the cycle of communication and consultation, scope and context, risk assessment (identification, analysis and evaluation), risk treatment, monitoring and review, and recording. A WHS-focused risk assessment fits inside the assessment and treatment steps. Where ISO 31000 differs from a pure WHS assessment is in the context-setting work: defining external and internal context, stakeholder expectations and risk criteria before scoring begins. Mature organisations use ISO 31000 for the framework and the WHS Act 2011 with WHS Regulations 2011 Part 3.1 for the legal duties.

Who can sign off a risk assessment under WHS Act 2011 and who is legally accountable?

The risk assessment can be prepared by any competent worker with knowledge of the task, typically a supervisor, safety officer or experienced team leader. Legal accountability sits with the PCBU under WHS Act 2011 section 19 (primary duty of care) and with officers under section 27 (officer due diligence). A signature on the form is procedural acknowledgement of the documented decisions, it does not transfer the statutory duty. The supervisor or site manager who countersigns is accepting the controls as practicable and authorising the work to proceed. Health and safety representatives must be consulted where they have been elected, and that consultation should be recorded on the form.

What records must we keep and for how long?

WHS Regulations 2011 sets specific minimum retention periods for several risk-management records: hazardous chemical risk assessments at 30 years for carcinogen exposure under reg 419, asbestos register and management plan for the life of the workplace under regs 425-430, and plant risk assessments for five years under the general plant duties. There is no single retention period for general workplace risk assessments, but five years is the practical minimum aligned with WHS Regulations 2011 record-keeping conventions. Most organisations retain assessments for seven years to align with workers compensation, common-law limitation periods and the principal contractor's project records. Retain assessments connected to litigation or notifiable diseases indefinitely.

Can a risk assessment app or software replace paper-based assessments?

Yes, digital risk assessments are accepted by every Australian WHS regulator provided the record can be produced on request, the audit trail is intact and the worker consultation evidence is preserved. The practical benefits are significant: automated review reminders so nothing falls overdue, a single risk register across all sites rather than dispersed files, photo capture against each hazard, version control showing what changed and when, and the ability to score residual risk consistently using a built-in matrix. ISO 45001:2018 Clause 7.5 (documented information) accepts digital records as equivalent to paper. The risk to avoid is treating the digital form as a tick-box exercise that bypasses the consultation step. The consultation under WHS Act 2011 section 47 must still happen in person.

Is this risk assessment template free and can we adapt it to our industry?

Yes. Download and use this risk assessment template for free. Open the file in your browser and use Print then Save as PDF. No MapTrack account is required. Adapt the categories of hazards (physical, chemical, biological, ergonomic, psychosocial) to match your industry context, add columns for any industry-specific reference standards (for example AS/NZS 4801 OHS management or sector-specific codes), but keep the core sequence intact: scope, hazards, inherent risk, controls in hierarchy order, residual risk, sign-off and review date. If you want to manage risk assessments digitally with a built-in matrix, automatic review reminders, control effectiveness tracking and a centralised register across sites, MapTrack can do that. Book a demo to see how.

Free risk assessment template

Q: What is a risk assessment template?

A risk assessment template is a structured form used to identify workplace hazards, evaluate the likelihood and consequence of each hazard, determine the overall risk level and document the control measures needed to eliminate or minimise the risk. It provides a consistent, repeatable process that helps organisations meet their duty of care under Work Health and Safety (WHS) legislation. The completed form becomes a record of the risk management decisions made for a specific task, area or project.

Jump to download form ↓

Enter your email below to download this risk assessment template as a ready-to-use PDF.

Free risk assessment template (PDF). Covers hazard identification, likelihood and consequence matrix, controls and residual risk rating.

Jarrod Milford

Commercial Director

Updated 18 May 2026

Also see:Compliance and inspections →Best inspection software →MapTrack vs SafetyCulture →

Key takeaways

A risk assessment identifies hazards, evaluates likelihood and consequence and records the controls applied. It satisfies the duty under WHS Act 2011 sections 17-19 to manage health and safety risks so far as is reasonably practicable.
Score risk on a 5x5 likelihood-by-consequence matrix and re-score after controls. WHS Regulations 2011 reg 36 requires that higher-order controls be considered before PPE, and the residual rating proves the control was effective.
Apply the hierarchy of controls in order: eliminate, substitute, isolate, engineer, administer, then PPE. Going straight to PPE without showing why higher-order controls were not reasonably practicable is the single most common reason regulators reject a control plan.
A risk assessment is broader than a JSA. Use a risk assessment for sites, areas or activities and ISO 31000:2018 contexts. Use a JSA when you need step-by-step controls for a single task.
Review annually, when work conditions change, after an incident or near miss, and when new plant, substances or workers are introduced. Worker consultation under WHS Act 2011 section 47 must be documented at each review.

Updated 18 May 2026

How to use: download the PDF, print or complete digitally on any device.

PDF format, ready to print or fill on screen
Use as-is or customise to suit your operation
Go digital in MapTrack for photos, alerts and audit trails

Download free PDF template

FreePDFUpdated May 2026

Trusted by teams across Australia and New Zealand

We respect your privacy. Unsubscribe anytime.

Used by construction, mining and field service teams

What is a risk assessment template?

A risk assessment is a systematic process for identifying hazards in the workplace, evaluating the likelihood and consequence of each hazard, and determining what controls are needed to eliminate or minimise the risk of harm. Under the model Work Health and Safety (WHS) Act 2011 administered by Safe Work Australia, a Person Conducting a Business or Undertaking (PCBU) must ensure, so far as is reasonably practicable, the health and safety of workers and others affected by the work. Risk assessments are one of the primary tools for meeting this duty and the documented output is what an inspector or insurer asks to see after an incident.

The legal anchor is WHS Act 2011 sections 17 to 19, supported by WHS Regulations 2011 Part 3.1 (managing risks) and Part 3.1 Division 4 (the hierarchy of controls in reg 36). Safe Work Australia's Code of Practice for How to Manage Work Health and Safety Risks sets out the four-step cycle of identify, assess, control and review. Internationally, AS/NZS ISO 31000:2018 provides the risk management framework that most enterprise safety systems are built on, and ISO 45001:2018 Clause 6.1.2 requires documented determination of OHS risks. The cost of skipping or rushing this step is concrete. Safe Work Australia's most recent Key WHS Statistics report cites traumatic injury fatalities at 200 workers in 2023 and serious workers compensation claims trending around 130,000 per year, with a typical median claim cost in the tens of thousands of dollars before lost productivity.

What good looks like: every documented risk assessment has a clearly defined scope, named workers who were consulted, an inherent risk rating from a 5x5 matrix, controls assigned in hierarchy order with a responsible person and a target date, and a residual rating that falls into the low or medium band on the matrix. A scheduled review date is set and the assessor and supervisor both sign. Mature teams aim for at least 90 percent of active risk assessments inside their review window at any given moment, and they treat any residual rated high or extreme as an open work item rather than a closed assessment.

The common failure modes are predictable. Generic copy-and-paste assessments that do not reflect the actual site or task; risk ratings assigned without a calibrated matrix so scores drift between assessors; no consultation evidence, which is the regulator's first audit question under WHS Act 2011 section 47; controls written as administrative-only (signs, training, PPE) when a higher-order control was reasonably practicable; and assessments that sit at high residual without an escalation path.

A Sydney-based civil contractor running an upgrade on a council substation found their risk register sitting at 65 percent overdue review after eighteen months. The fix was not to write more assessments, it was to pair the review trigger with the work-pack approval workflow so the document moved with the work. The board-level risk profile dropped within two reporting periods and the contractor cleared its principal contractor audit without findings.

Learn more about compliance and inspections in MapTrack.

Benefits of using this risk assessment template

Consistent process: - a standardised template ensures every assessment follows the same structure, regardless of who completes it. This reduces the chance of hazards being overlooked.
WHS compliance: - demonstrates that your organisation has identified, assessed and controlled risks as required under the model WHS Act and Regulations. A completed risk assessment is a key compliance record.
Proactive hazard identification: - forces teams to think through hazards before work starts, not after an incident has occurred. This shifts the focus from reactive to preventive safety management.
Clear risk prioritisation: - the likelihood and consequence matrix provides an objective way to rank risks, so resources are directed to the highest-priority items first.
Documented audit trail: - a signed, dated risk assessment provides evidence of your risk management decisions for regulators, clients and internal audits.
Continuous improvement: - reviewing past assessments over time reveals trends, recurring hazards and opportunities to improve controls and reduce incidents.

Benefits of digitising forms in MapTrack

When you move your reports from paper to MapTrack, you get:

Field users can easily scan a QR code to complete a form on mobile. Unlimited users.
Automatically get alerts when faults are identified.
Link every form digitally as a PDF to the relevant asset, location or person.
Receive a digital PDF copy with every submission to your email.
Ability to share forms digitally.
Build conditional logic (show or hide questions based on answers).
Take pictures or attach photos. Not possible with a paper-based form.
Electronic signatures.
Edit forms later without reprinting.
Restrict permissions (who can view, complete or approve).
Build forms with AI (describe what you need and MapTrack suggests the form).
Escalate critical hazards instantly to safety managers via push notification.
Maintain an auditable safety register that satisfies WHS regulator requests.
Correlate incident trends across sites with built-in safety analytics.

Book a demo to see how MapTrack handles reports.

Try MapTrack free for 30 days

Full access to every feature. No credit card required. Per-asset pricing so you scale as your fleet grows.

Start free trial

No credit card required
30 days free trial
Cancel anytime

1-2 days/week saved

“Bloody amazing! We used to spend 1-2 days a week tracking and managing our generators alone.”

Steve McAllister

Asset Coordinator, Saunders International

What to include in a risk assessment template

This risk assessment template covers 9 key areas:

Assessment details: title or description of the task, area or project being assessed, location, date and the name of the person conducting the assessment.
Hazard identification: a description of each hazard identified, the potential harm it could cause and who is at risk (workers, visitors, public).
Existing controls: any controls already in place before the assessment, such as guarding, signage, training or PPE.
Risk rating (inherent): the risk level before additional controls are applied, calculated using a likelihood and consequence matrix (see below).
Additional control measures: new controls to be implemented, documented using the hierarchy of controls (elimination, substitution, engineering, administrative, PPE).
Residual risk rating: the risk level after all controls (existing and additional) are applied. This shows whether the remaining risk is acceptable.
Responsible person: who is accountable for implementing each control measure and by when.
Review date: the scheduled date for the next review of the assessment, or the trigger events that would require an earlier review.
Sign-off: signatures of the assessor, supervisor or manager, and any workers consulted during the process.

How to use this risk assessment template

Define the scope of the assessment: Determine what is being assessed: a specific task, a work area, a piece of equipment or a project phase. Record the assessment title, location, date and the names of everyone involved. Set the boundary clearly. An assessment that tries to cover an entire site in one document loses traction and an assessment scoped to one minor sub-task wastes effort. Consult with the workers who perform the task, as required under WHS Act 2011 section 47, because they have first-hand knowledge of the hazards and practical constraints that influence how controls can be implemented.
Identify all hazards: Walk through the task or area and list every hazard that could cause harm. Consider physical hazards (moving parts, falling objects, manual handling), chemical hazards (fumes, dust, corrosive substances), biological hazards (mould, bacteria), ergonomic hazards (repetitive movements, awkward postures) and psychosocial hazards (fatigue, time pressure, isolated work). Use previous incident reports, near miss data and manufacturer safety information to identify hazards that may not be immediately visible from a single walkthrough.
Calibrate the risk matrix with the assessment team: Before scoring anything, run a five-minute calibration with the team using a single worked example. Agree what likelihood 5 (almost certain) and consequence 5 (catastrophic) mean for this site or task. Without calibration, scores drift, two assessors will rate the same hazard differently and the resulting risk register cannot be prioritised. This step is the single highest-impact fix in most safety management systems.
Assess the inherent risk for each hazard: For each hazard, determine the likelihood of harm occurring (rare, unlikely, possible, likely, almost certain) and the potential consequence if it does occur (insignificant, minor, moderate, major, catastrophic). Use your organisation's risk matrix to combine these two factors into an overall risk rating: low, medium, high or extreme. Assess the inherent risk first, before considering existing controls, so you understand the full exposure if every control failed.
Document existing controls and identify gaps: List the controls already in place: machine guarding, ventilation systems, training, signage, PPE, permit-to-work, isolations. Be specific. A line saying "guarding fitted" is weaker evidence than "fixed mesh guard to AS 4024.1-2019 over chain drive, last inspected 2026-04-12". The audit value of the assessment depends on this specificity.
Apply the hierarchy of controls in order: For each hazard where the inherent risk is unacceptable, work through the hierarchy in order: eliminate, substitute, isolate, engineer, administer, PPE. Under WHS Regulations 2011 reg 36, you must show why higher-order controls were not reasonably practicable before relying on lower-order controls. Each new control must have a responsible person and a target completion date. Engineering and substitution controls are preferred because they do not rely on human behaviour for effectiveness.
Re-score the residual risk: With all chosen controls in place, re-rate the likelihood and consequence to produce the residual risk. The test is whether the residual sits in the low or medium band on the matrix. If residual is high or extreme, the assessment is not complete. Either redesign the controls, escalate to senior management for explicit acceptance, or stop the work until the risk can be reduced. Record the basis for accepting any non-low residual on the form.
Record, communicate and set review triggers: Complete the form with all hazards, ratings, controls and sign-off from the assessor, supervisor and consulted workers. Share the completed assessment with every worker involved and ensure they understand the controls. Set a review date and explicit trigger events (change in conditions, incident, new equipment, change in personnel) that require an earlier review. File the form as part of your safety management records and retain it for the period specified in your WHS management plan, typically a minimum of five years under WHS Regulations 2011 record-keeping requirements.

In MapTrack, you can digitise safety inspections and compliance forms. Each submission is stored as a timestamped PDF against the asset record.

Get the free templateEnter your email above to download the full risk assessment template as a PDF.Back to download form

How often should you complete this report?

A risk assessment must be completed before any new task, process or piece of equipment is introduced to the workplace. It should also be performed before work begins at a new site or location, when the scope of existing work changes significantly, and whenever a new hazard is identified through incident reports, near miss data or worker consultation. After any workplace incident, injury or near miss related to the assessed activity, the existing risk assessment must be reviewed and updated to reflect the new information.

Beyond these event-driven triggers, organisations should schedule periodic reviews of all active risk assessments, typically every 6 to 12 months, to confirm that controls remain effective and that the assessment reflects current conditions, equipment and personnel. Safe Work Australia recommends that risk assessments form part of an ongoing risk management cycle rather than a one-off exercise. Regulatory audits, changes in WHS legislation or codes of practice, and the introduction of new Australian Standards may also require assessments to be revisited. In MapTrack, you can set review dates and automated reminders for each risk assessment to ensure nothing falls through the cracks.

Frequently asked questions

Applicable regulatory standards

This template aligns with the following regulations and standards:

Work Health and Safety Act 2011 (Cth) - Sections 17-19 (duty to manage risks)
WHS Regulations 2011 - Part 3.1 (managing risks to health and safety)
WHS Regulations 2011 reg 36 - hierarchy of control measures
Safe Work Australia - Code of Practice: How to manage work health and safety risks (July 2018)
AS/NZS ISO 31000:2018 - Risk management: Guidelines
ISO 45001:2018 - Occupational health and safety management systems (Clause 6.1.2)

Need to digitise safety inspections and compliance forms?

Register every asset in MapTrack, attach digital forms, and get a complete history of every inspection, service and compliance record.

Start free trial Book a demo

Compliance and inspections · All templates · Pricing · Book a demo

Free risk assessment template

Key takeaways

Get your free template

What is a risk assessment template?

Benefits of using this risk assessment template

Benefits of digitising forms in MapTrack

Try MapTrack free for 30 days

What to include in a risk assessment template

How to use this risk assessment template

How often should you complete this report?

Frequently asked questions

What is a risk assessment template?

What are the 5 steps of risk assessment?

Who should complete a risk assessment?

How often should risk assessments be reviewed?

What is the difference between a risk assessment and a JSA?

Is this risk assessment template free?

What is the hierarchy of controls and why does the order matter?

What does "so far as is reasonably practicable" mean in a risk assessment?

Should workers be consulted while the assessment is being prepared?

How do we score risks consistently between assessors?

What is residual risk and when is it acceptable?

How does AS/NZS ISO 31000:2018 apply to a workplace risk assessment?

Who can sign off a risk assessment under WHS Act 2011 and who is legally accountable?

What records must we keep and for how long?

Can a risk assessment app or software replace paper-based assessments?

Is this risk assessment template free and can we adapt it to our industry?

Applicable regulatory standards

Related resources

More from this category

Need to digitise safety inspections and compliance forms?