Risk Assessment: A Complete Guide

Lachlan McRitchie

GM of Operations

Published 28 April 2026

A risk assessment is a systematic process for identifying hazards in a workplace, evaluating the likelihood and severity of harm they could cause, and deciding on control measures to reduce that risk to an acceptable level. Employers in most jurisdictions have a legal duty to assess workplace risks. In Australia, the Work Health and Safety (WHS) Act 2011 requires a person conducting a business or undertaking (PCBU) to eliminate risks so far as is reasonably practicable, or to minimise them if elimination is not possible. Similar obligations exist in the United States under the Occupational Safety and Health Act (enforced by OSHA, including its General Duty Clause) and in the United Kingdom under the Management of Health and Safety at Work Regulations 1999.

A risk assessment is not a one-off exercise. It should be reviewed whenever work processes change, after an incident, and at regular intervals. The output is a documented record of the identified hazards, who is at risk, the controls in place, and any further actions required. Done well, risk assessments prevent injuries, reduce downtime, protect organisations from regulatory penalties, and build a culture in which workers actively identify and report hazards before they cause harm.

Why risk assessments matter

Risk assessments are the foundation of every workplace safety programme. They reduce injury rates, lower insurance costs, satisfy legal obligations, and give workers confidence that hazards are being managed. Without them, organisations react to incidents instead of preventing them.

Workplace injuries cost Australian businesses over $12 billion per year in workers’ compensation premiums alone, according to Safe Work Australia. In the United States, the National Safety Council estimates the total cost of work injuries at $167 billion annually. The vast majority of these injuries are preventable through systematic hazard identification and risk control, which is exactly what a risk assessment delivers.

Beyond the financial case, risk assessments are a legal requirement in virtually every jurisdiction. Under the Australian WHS Act 2011, PCBUs must identify reasonably foreseeable hazards, assess the associated risks, and implement controls following the hierarchy of controls. Failure to do so can result in fines exceeding $3 million for a body corporate, or $600,000 and up to five years imprisonment for an individual officer, under Category 1 offences (the exact amounts vary by jurisdiction and have been indexed over time). OSHA in the US and the HSE in the UK also impose substantial penalties for failing to manage known hazards.

Critically, risk assessments shift a safety programme from reactive to proactive. An organisation that waits for an incident to reveal a hazard is always one step behind. A structured risk assessment process identifies hazards before they cause harm, prioritises them by severity and likelihood, and assigns clear ownership for controls. This creates a documented trail that regulators, insurers, and courts expect to see when something goes wrong.

The five steps of risk assessment

The five steps are: identify hazards, determine who might be harmed and how, evaluate the risks and decide on controls, record your findings and implement them, and review the assessment regularly. This framework is used by the UK HSE, Safe Work Australia, and OSHA-aligned programmes worldwide.

Step 1: Identify hazards. Walk the site, review incident reports, consult workers, and examine safety data sheets. Hazards include physical (moving machinery, working at height), chemical (dust, solvents), biological (mould, needlestick), ergonomic (repetitive motion, manual handling), and psychosocial (fatigue, bullying). Do not rely solely on checklists; talk to the people doing the work, because they know where the real risks are.

Step 2: Determine who might be harmed and how. Consider all groups, not just permanent employees. Contractors, visitors, maintenance crews, and members of the public may be exposed. A spray-painting booth affects the operator directly, but vapour drift could reach adjacent workers. Identify the exposure pathway and the type of harm (acute injury, chronic illness, fatality).

Step 3: Evaluate the risks and decide on controls. Use a risk matrix to rate each hazard by likelihood and consequence. Apply the hierarchy of controls: eliminate the hazard first, then substitute, isolate, use engineering controls, apply administrative controls, and finally require personal protective equipment (PPE). Always aim for the highest-order control that is reasonably practicable.

Step 4: Record your findings and implement them. Document each hazard, its risk rating, the controls selected, the person responsible, and the completion date. This record is both a legal requirement and a practical tool for tracking progress. Digital platforms like MapTrack allow teams to capture risk assessments on mobile devices, attach photos, and assign corrective actions with due dates, which eliminates the problem of paper forms sitting in a filing cabinet.

Step 5: Review and update. Risk assessments are living documents. Review them after any incident, near-miss, or change to work processes, equipment, or personnel. As a minimum, schedule an annual review. Each review should check whether controls are working, whether new hazards have emerged, and whether the risk ratings remain accurate.

Types of risk assessment

The main types are baseline (broad, site-wide), issue-based (targeting a specific hazard or task), continuous (ongoing observation), and pre-task (completed before starting a job). Assessments can also be classified as qualitative, semi-quantitative, or fully quantitative depending on how risk is measured.

A baseline risk assessment is a comprehensive evaluation of all hazards across a site or operation. It is typically done when a workplace is first established, when a major process changes, or as part of an annual safety review. Baseline assessments produce the risk register that underpins the entire safety management system. In construction, a baseline assessment might cover the full scope of a new build project before any work begins.

Issue-based risk assessments focus on a single hazard, task, or change. Examples include assessing the risk of a new chemical being introduced to a workshop, evaluating a confined-space entry, or reviewing the manual handling requirements of a new production line. These are targeted, shorter, and more frequent than baseline assessments.

Continuous risk assessments happen in real time as work is being performed. Take 5 assessments, where a worker pauses for five minutes before starting a task to identify immediate hazards, are the most common example in Australian mining and construction. Pre-task risk assessments like Job Safety Analyses (JSAs) fall into this category as well, breaking a job into steps and assessing hazards at each step.

From a methodology standpoint, qualitative assessments use descriptive scales (low, medium, high) and are suitable for most workplace hazards. Quantitative assessments assign numerical probabilities and consequence values, often used in process safety (chemical plants, refineries) where failure data exists. Semi-quantitative approaches, like a 5x5 risk matrix, sit between the two and are the most widely used in practice.

Risk assessment in construction and heavy industry

Construction and heavy industry present high-consequence hazards including working at height, mobile plant interaction, trenching collapse, electrical contact, and hazardous substances. Risk assessments in these sectors must address both the base activity and the site conditions, which change daily as work progresses.

In construction, the top causes of fatalities are falls from height, being struck by moving objects, being caught in or between equipment, and electrocution. A risk assessment for a roofing task, for example, must evaluate the roof pitch, fragility, edge protection, access method, weather conditions, and worker competency. The Safe Work Method Statement (SWMS), mandatory for high-risk construction work in Australia under the WHS Regulations, is essentially a documented risk assessment linked to specific control measures for each step of the task.

In mining, interactions between light vehicles and heavy mobile equipment are a leading cause of serious injury and death. Risk assessments must address traffic management plans, exclusion zones, communication protocols, and visibility. The risk profile of a site changes with each shift as equipment moves, ground conditions shift, and new personnel arrive. This is why continuous and pre-task assessments are so critical in these environments.

Facilities and infrastructure maintenance carry their own set of hazards: confined spaces, working with energised electrical equipment, exposure to asbestos, and lone work in remote locations. Risk assessments for these tasks often need to satisfy permit-to-work requirements. Using a digital tool to complete risk assessments on a mobile device ensures that the assessment is done at the point of work, not retrospectively in an office. MapTrack users in these industries complete pre-start inspections and risk assessments on the same platform, linking hazard data directly to the asset being worked on.

Risk matrices and scoring

A risk matrix plots the likelihood of a hazard occurring against the severity of its consequences to produce a risk rating. The most common format is a 5x5 matrix with ratings from 1 (rare/insignificant) to 25 (almost certain/catastrophic). Risk scores determine priority: high-rated risks require immediate action, while lower-rated risks are monitored.

Likelihood is typically scored on a five-point scale: rare (1), unlikely (2), possible (3), likely (4), and almost certain (5). Consequence follows a parallel scale: insignificant (1, first aid), minor (2, medical treatment), moderate (3, lost-time injury), major (4, permanent disability), and catastrophic (5, fatality or multiple fatalities). Multiplying the two values gives a risk score. A 5x5 matrix produces scores between 1 and 25, although not every integer in that range can occur (for example, 7, 11 and 13 are never products of two values from 1 to 5). Scores are grouped into risk bands: low (1 to 4), medium (5 to 9), high (10 to 16), and extreme (17 to 25). Note that with a multiplicative matrix the extreme band is reached only by scores of 20 and 25, which is why assessors must be consistent about when a consequence is rated "catastrophic".

Risk scoring should be applied twice for each hazard: once for the inherent risk (before any controls) and once for the residual risk (after controls are applied). This demonstrates the effectiveness of your controls and highlights any residual risk that needs additional attention. If a hazard scores "extreme" on inherent risk but only drops to "high" after controls, that is a signal the controls are insufficient and the job may need to be redesigned or stopped.
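The scoring, banding, inherent-versus-residual comparison and threshold escalation described above, as an added worked example. This is illustrative code written for this article, not MapTrack's own scoring engine or a regulator's tool; the numeric scale values, the band boundaries and the "notify at high or above" threshold are taken from the text, the residual-cannot-exceed-inherent check and the sample hazards are assumptions made for the example.

```python
"""5x5 risk-matrix scorer: likelihood x consequence, banding, inherent vs residual.

Added example for this article (not the page's or any vendor's code). The sample
hazard rows at the bottom are constructed for illustration, not real site data.
"""
from dataclasses import dataclass

# Five-point scales from the article, mapped to the usual 1..5 values.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Bands as given in the article: (name, inclusive low, inclusive high).
BANDS = (("low", 1, 4), ("medium", 5, 9), ("high", 10, 16), ("extreme", 17, 25))
BAND_ORDER = {name: i for i, (name, _, _) in enumerate(BANDS)}


def score(likelihood: str, consequence: str) -> int:
    """Multiply the two scale values. An unknown label raises rather than silently
    defaulting to a middle value, so a typo cannot masquerade as a 'medium' rating."""
    try:
        return LIKELIHOOD[likelihood.lower()] * CONSEQUENCE[consequence.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown scale label: {exc.args[0]!r}") from None


def band(risk_score: int) -> str:
    """Map a 1..25 score to its band name."""
    for name, lo, hi in BANDS:
        if lo <= risk_score <= hi:
            return name
    raise ValueError(f"score {risk_score} is outside 1..25")


def reachable_scores() -> dict[str, set[int]]:
    """Which products actually occur in each band on a multiplicative 5x5 matrix.
    Demonstrates that only 20 and 25 can ever be 'extreme'."""
    out: dict[str, set[int]] = {name: set() for name, _, _ in BANDS}
    for like in LIKELIHOOD.values():
        for cons in CONSEQUENCE.values():
            out[band(like * cons)].add(like * cons)
    return out


@dataclass
class Assessment:
    hazard: str
    inherent: int
    residual: int
    inherent_band: str
    residual_band: str
    controls_insufficient: bool  # extreme inherent that only drops to high: redesign or stop the job
    escalate: bool               # residual band at or above the notification threshold


def assess(hazard: str, inherent_l: str, inherent_c: str,
           residual_l: str, residual_c: str, notify_band: str = "high") -> Assessment:
    """Score a hazard before and after controls and derive the two flags the article describes."""
    inh, res = score(inherent_l, inherent_c), score(residual_l, residual_c)
    # Assumption for this example: controls can only lower risk, so a residual score
    # above the inherent score indicates a data-entry error rather than a real result.
    if res > inh:
        raise ValueError(f"{hazard}: residual {res} exceeds inherent {inh}")
    ib, rb = band(inh), band(res)
    return Assessment(
        hazard, inh, res, ib, rb,
        controls_insufficient=(ib == "extreme" and BAND_ORDER[rb] >= BAND_ORDER["high"]),
        escalate=BAND_ORDER[rb] >= BAND_ORDER[notify_band],
    )


def needs_notification(assessments: list[Assessment]) -> list[str]:
    """Hazards whose residual risk should trigger a supervisor/safety-manager alert."""
    return [a.hazard for a in assessments if a.escalate]


# Constructed sample rows: (hazard, inherent likelihood, inherent consequence,
#                           residual likelihood, residual consequence).
SAMPLE = [
    ("roof work on fragile sheeting",    "likely",   "catastrophic", "unlikely", "catastrophic"),
    ("light vehicle / haul truck",       "possible", "catastrophic", "rare",     "catastrophic"),
    ("manual handling of 20 kg cartons", "likely",   "minor",        "possible", "minor"),
]


def run_sample() -> list[Assessment]:
    return [assess(*row) for row in SAMPLE]


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.hazard}: inherent {a.inherent} ({a.inherent_band}) -> residual {a.residual} "
              f"({a.residual_band}); insufficient={a.controls_insufficient}; escalate={a.escalate}")
    print("scores reachable per band:", reachable_scores())
```

In the sample, the roofing task scores 20 (extreme) before controls and 10 (high) after, so it is flagged both for escalation and as a candidate for redesign, exactly the signal the text describes; the vehicle interaction drops from 15 (high) to 5 (medium) and is not escalated. Rejecting unknown labels matters in practice: a form that silently coerces a blank or misspelt field to "possible" reproduces the anchoring bias discussed below in software.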

Common pitfalls with risk matrices include inconsistent interpretation (one assessor rates a hazard as "likely" while another rates it "possible"), anchoring bias (defaulting to "medium" for everything), and failing to reassess after controls are implemented. Training assessors on consistent criteria and calibrating scores against real incident data improves reliability. Some organisations use bow-tie analysis for complex hazards, mapping both the causes (threats) and consequences of a top event along with the barriers in place to prevent escalation.

Common risk assessment mistakes

The most frequent mistakes are treating risk assessments as a paperwork exercise, copying generic templates without adapting them to the actual workplace, failing to consult workers, not reviewing assessments after incidents, and rating all risks as "medium" to avoid triggering additional controls.

Tick-and-flick assessments are the single biggest problem. When workers fill in a risk assessment form without genuinely thinking about the hazards, the document exists but provides no actual protection. This often happens when assessments are overly long, completed under time pressure, or perceived as a compliance burden rather than a safety tool. The solution is to keep assessments focused on the specific task and site conditions, involve the workers doing the job, and make the process quick enough to be practical.

Using generic, off-the-shelf templates without customisation is another frequent failure. A risk assessment for "working at height" pulled from the internet will not reflect the specific conditions of your site, your equipment, your workers’ training levels, or your local regulatory requirements. Templates are a starting point, not a finished product. Every assessment must be tailored to the actual work environment.

Failing to review and update is equally damaging. A risk assessment completed two years ago for a process that has since changed is worse than no assessment at all, because it creates a false sense of compliance. Regulators in Australia, the US, and the UK all expect assessments to be current. After any incident, near-miss, audit finding, or process change, the relevant risk assessments should be reviewed. Setting review reminders in a digital system ensures this does not fall through the cracks.

Finally, many organisations make the mistake of treating risk assessment as a safety department function rather than an operational responsibility. The people best placed to identify hazards are the workers on the front line. Supervisors and safety professionals should facilitate and review assessments, but the input must come from those closest to the work.

Digital risk assessment tools vs paper

Digital risk assessment tools eliminate lost paperwork, enable real-time visibility, auto-calculate risk scores, trigger corrective actions instantly, and create a searchable audit trail. Paper-based systems are slow to compile, difficult to analyse in bulk, and prone to illegibility and loss.

Paper-based risk assessments have been the default for decades, and many organisations still rely on them. The problems are well known: forms get lost in the field, handwriting is illegible, data cannot be aggregated or analysed without manual transcription, and there is no mechanism to automatically escalate a high-risk finding to a manager. When a regulator asks to see all risk assessments for a particular site over the past 12 months, paper-based organisations spend hours, sometimes days, gathering and photocopying records.

Digital tools solve these problems at the point of capture. A worker completes a risk assessment on a tablet or smartphone, the risk score is calculated automatically based on the selected likelihood and consequence, and if the score exceeds a threshold, a notification is sent to the relevant supervisor or safety manager immediately. Photos, GPS location, and timestamps are attached automatically, creating a richer and more defensible record than any paper form.

MapTrack, for example, lets organisations build custom risk assessment forms with conditional logic, so the form adapts based on the hazards identified. If a worker selects "working at height" as a hazard, the form can prompt for specific controls like edge protection, harness inspection, and rescue plan. Completed assessments are stored against the relevant asset or location, making it simple to pull a full risk history during audits or incident investigations. The shift from paper to digital is not about technology for its own sake; it is about making risk assessments faster to complete, easier to review, and harder to ignore.

Related definitions

Pre-Start Inspection

A pre-start inspection is a systematic check performed on plant, equipment, or vehicles before each use or shift to identify defects, damage, or unsafe conditions. It typically follows a standardised checklist covering safety-critical items such as brakes, steering, lights, tyres, guards, fluid levels, and warning devices. Pre-start inspections are a legal requirement under workplace health and safety regulations in most Australian jurisdictions.

Compliance Management

Compliance management in asset-intensive industries is the systematic process of ensuring that equipment, operations, and personnel meet all applicable regulatory, safety, environmental, and contractual requirements. It encompasses tracking inspection due dates, certifications, licences, safety checks, environmental obligations, and industry-specific standards. Compliance management requires both proactive scheduling and thorough record-keeping.

Lockout/Tagout (LOTO)

Lockout/Tagout (LOTO) is a safety procedure used to ensure that equipment is properly shut down, isolated from all energy sources, and cannot be restarted until maintenance or repair work is completed. Lockout involves physically locking energy isolation devices (such as circuit breakers or valves) in the off position, while tagout involves attaching a warning tag to the isolation point. LOTO protects workers from the unexpected release of hazardous energy during servicing.

Test and Tag

Test and tag is the process of visually inspecting and electrically testing portable electrical equipment and appliances to ensure they are safe to use, then attaching a tag indicating the test date, result, next test due date, and tester’s identity. In Australia, the process follows AS/NZS 3760, which specifies testing intervals based on the operating environment. It is a workplace health and safety requirement for electrical equipment used in commercial and industrial settings.

WHS compliance software

WHS compliance software is a digital platform that helps organisations meet Work Health and Safety obligations by managing inspections, incident reporting, risk assessments, corrective actions and audit trails. It replaces paper-based compliance registers with a single system of record that tracks what was checked, when, by whom and what evidence was attached.

FAQ

How often should a risk assessment be reviewed?
At a minimum, review risk assessments annually. You should also review them after any workplace incident or near-miss, when work processes or equipment change, when new information about a hazard becomes available, or when a control measure is found to be ineffective.
Who is responsible for conducting a risk assessment?
In Australia, the PCBU (person conducting a business or undertaking) holds the primary duty. In practice, supervisors and safety officers facilitate the process, but input should come from the workers doing the task. Workers have a duty to cooperate with reasonable safety procedures, including participating in risk assessments.
What is the difference between a risk assessment and a JSA?
A Job Safety Analysis (JSA) is a type of risk assessment that breaks a specific task into sequential steps and identifies hazards at each step. A risk assessment is the broader term covering any systematic evaluation of workplace hazards. A JSA is task-specific and typically completed before starting a particular job.
Do I need a risk assessment for every task?
You do not need a separate written risk assessment for every routine task, but you must have assessed the risks of all work activities. Routine, low-risk tasks can be covered by a general workplace risk assessment. High-risk, non-routine, or infrequent tasks should have their own specific assessment completed before work begins.
Can a risk assessment be completed digitally?
Yes. Digital risk assessments completed on a tablet or smartphone are valid records, provided they capture the same information as a paper form and can be produced on request. Automatic timestamps, GPS location, and attached photo evidence make digital records harder to backdate or fabricate and easier to audit than paper forms.
