OH Consultant
Risk AssessmentsGuide
Technical13 min read30 April 2026

Risk Assessment Documents — Australia

What Is a Risk Assessment?

A risk assessment is a systematic process of identifying hazards in a workplace, evaluating the likelihood and consequence of harm those hazards could cause, and determining the controls required to eliminate or minimise risk. Under the Work Health and Safety Act 2011 (Cth) and its state and territory equivalents, every person conducting a business or undertaking (PCBU) has a primary duty to ensure, so far as is reasonably practicable, that workers and others are not exposed to health and safety risks arising from the business or undertaking. Conducting a risk assessment is the mechanism through which that duty is discharged in practice.

A risk assessment is not a one-off administrative exercise. It is a living document that must be reviewed whenever there is a change in the work environment, after an incident or near-miss, when new information about a hazard becomes available, or at intervals determined by the nature of the risk. The WHS Regulation 2025 reinforces this obligation by explicitly requiring PCBUs to manage risks through a four-step hierarchy: eliminate the hazard, substitute or isolate it, implement engineering or administrative controls, and finally provide personal protective equipment where other controls are not reasonably practicable.

A well-constructed, consultant-drafted risk assessment provides structure for this process. It prompts the assessor to consider every relevant hazard category — physical, chemical, biological, ergonomic, and psychosocial — and records the findings in a format that is defensible to a regulator, comprehensible to workers, and actionable by supervisors. Without a structured starting-point document, assessments tend to be incomplete, inconsistent between assessors, and difficult to review at a later date.

Legal Basis for Risk Assessments in Australia

The legal requirement to conduct risk assessments flows from the WHS Act 2011 and the WHS Regulation 2025, both of which have been adopted in substantially identical form across New South Wales, Queensland, Victoria, South Australia, Tasmania, the Australian Capital Territory, and the Northern Territory. Western Australia operates under its own Work Health and Safety Act 2020, which mirrors the national model law.

Section 17 of the WHS Act requires PCBUs to manage risks to health and safety. The WHS Regulation amplifies this obligation by specifying that a PCBU must identify reasonably foreseeable hazards, eliminate health and safety risks so far as is reasonably practicable, and if elimination is not reasonably practicable, minimise those risks so far as is reasonably practicable. Codes of Practice issued by Safe Work Australia and the state regulators (SafeWork NSW, WorkSafe Queensland, WorkSafe Victoria, SafeWork SA, WorkSafe WA, NT WorkSafe, and WorkSafe ACT) provide practical guidance on how to comply with these requirements for specific hazard types.

The penalties for failure to comply are significant. Under the national model law, a Category 1 offence — reckless conduct that exposes a person to risk of death or serious injury — carries fines of up to $3,000,000 for a body corporate and up to $300,000 and five years' imprisonment for an individual. A Category 2 offence — failure to comply with a health and safety duty that exposes a person to risk — carries fines of up to $1,500,000 for a body corporate. These penalties apply not only to employers but to officers of a business who fail to exercise due diligence, meaning that directors and senior managers carry personal liability.

A documented risk assessment is one of the key pieces of evidence that demonstrates a PCBU has met its duty of care. Regulators and courts consistently look to whether a written assessment existed, whether it was adequately considered hazards specific to the task, and whether the controls identified were actually implemented.

The Five Steps of a Risk Assessment

Safe Work Australia's How to Manage Work Health and Safety Risks Code of Practice outlines a five-step methodology that forms the basis of any compliant risk assessment.

**Step 1 — Identify the hazards.** A hazard is anything that has the potential to cause harm. Hazard identification should be conducted by someone with knowledge of the work — ideally the workers performing the task, their supervisor, and an occupational health and safety (OHS) representative. Effective identification techniques include workplace inspections, task observations, incident report reviews, consultation with workers, and review of Material Safety Data Sheets (SDS) for chemical hazards. The risk assessment should prompt the assessor to consider all five hazard categories: physical (noise, vibration, manual tasks, falls, plant and equipment), chemical (gases, dusts, liquids, fumes), biological (infectious agents, allergens, mould), ergonomic (repetitive strain, posture, workstation layout), and psychosocial (workload, bullying, fatigue, trauma exposure).

**Step 2 — Assess the risk.** For each identified hazard, the assessor must evaluate the likelihood that harm will occur and the severity of that harm if it does. Most Australian risk assessments use a 5×5 risk matrix, scoring likelihood from 1 (rare) to 5 (almost certain) and consequence from 1 (negligible) to 5 (catastrophic), producing a risk rating from 1 to 25. Ratings above 15 are typically classified as extreme and require immediate action; ratings of 10–15 are high and require action within a defined timeframe; lower ratings are medium or low priority.

**Step 3 — Control the risks.** Controls must be selected in accordance with the hierarchy of controls. Elimination — physically removing the hazard — is the most effective control and must be considered first. Where elimination is not reasonably practicable, the assessor should consider substitution, isolation, engineering controls, administrative controls, and finally personal protective equipment (PPE). The risk assessment should record each control, the residual risk rating after controls are applied, and the person responsible for implementing the control.

**Step 4 — Implement the controls.** Controls identified in the assessment must actually be put in place. This step requires assigning responsibility, setting timelines, and ensuring workers are informed and trained in the controls. Without implementation, the risk assessment is a paperwork exercise with no safety benefit.

**Step 5 — Review and update.** The risk assessment must be reviewed when the work changes, after an incident, or at defined intervals. The risk assessment should include a review history section recording the date, reviewer name, and nature of any changes.

What a Compliant Risk Assessment Must Include

A risk assessment that is fit for regulatory scrutiny must include the following elements as a minimum.

**Document header information:** Business name and ABN, site or workplace address, assessment date, assessor name and qualifications, review date, and document version number. These details establish the accountability chain and allow the document to be linked to a specific workplace context.

**Task or activity description:** A clear description of the work activity being assessed, including the location, the workers involved, and the plant, equipment, substances, or processes used. Vague descriptions such as "general construction" are insufficient; the description should be specific enough that a regulator can understand what was assessed and why.

**Hazard register:** A table listing each identified hazard, the hazard category, the affected body part or health outcome, the source of the hazard, and who may be harmed (workers, contractors, visitors, members of the public).

**Risk matrix and initial risk rating:** The likelihood and consequence scores for each hazard before any controls are applied, producing an inherent risk rating.

**Existing controls:** Documentation of any controls already in place at the time of assessment. This distinguishes the initial risk rating from the residual risk after accounting for existing safeguards.

**Additional controls required:** For each hazard where the residual risk remains unacceptable, the document should identify additional controls in hierarchy order, the responsible person, and the target completion date.

**Residual risk rating:** The risk rating after all proposed additional controls are implemented. This is the rating against which management decisions about acceptability are made.

**Worker consultation record:** Evidence that workers were consulted in the assessment process, as required by Section 47 of the WHS Act. This may be a signature block or a separate consultation record attached to the assessment.

**Review history:** Dates and nature of previous reviews, including any changes made to hazards or controls.

Our CIH-reviewed risk assessments include all of these elements as standard and are formatted for both digital use and printed sign-off. Each document is supplied as an editable DOCX file so it can be customised to your workplace specifics.

Common Mistakes in Workplace Risk Assessments

Despite the regulatory requirement and the volume of guidance material available, risk assessment quality in Australian workplaces remains inconsistent. The following are the most common deficiencies identified by regulators and occupational hygienists during workplace audits.

**Generic hazard descriptions.** Assessments that list "manual tasks" or "chemicals" without specifying the actual hazards present at that workplace are inadequate. The assessment should name the specific chemical (by SDS), the specific manual task (by body part and movement pattern), and the specific piece of plant or equipment. Vague descriptions cannot drive meaningful control selection.

**Failure to apply the hierarchy of controls.** Many assessments jump directly to PPE without demonstrating that elimination, substitution, engineering, and administrative controls were genuinely considered and found not to be reasonably practicable. This approach is both legally insufficient and practically ineffective — PPE is the least reliable control because it depends entirely on the individual worker using it correctly, every time.

**No residual risk rating.** Recording only the initial risk rating before controls gives no indication of whether the controls selected are adequate. The residual risk rating is the basis for the management decision about whether the work can proceed.

**Assessments conducted without worker input.** Workers who perform the task every day have knowledge of the hazards that supervisors and safety officers may not. Conducting a risk assessment without consulting affected workers is non-compliant under Section 47 of the WHS Act and typically produces an incomplete hazard register.

**Failure to review after changes.** Workplaces change — new plant is introduced, processes are modified, staffing levels fluctuate, and legislative requirements evolve. An assessment that was adequate three years ago may not reflect current conditions. The absence of a review history is a significant audit finding.

**Treating the document as an endpoint.** A risk assessment that sits in a filing cabinet unread by workers or supervisors provides no safety benefit. The controls identified must be communicated, implemented, and monitored. Our risk assessments include a communication and implementation section specifically to address this gap.

Risk Assessment vs. SWMS: Understanding the Difference

Confusion between risk assessments and Safe Work Method Statements (SWMS) is common, particularly in the construction industry. They serve related but distinct purposes.

A risk assessment is a broader tool used to identify and evaluate hazards across an entire workplace, a work area, or a category of work. It can cover multiple tasks, multiple hazard types, and multiple workers. It is the foundational safety document for a workplace or worksite.

A Safe Work Method Statement is a task-specific document that identifies the high-risk construction work (HRCW) activities within a particular task, lists the health and safety hazards and risks associated with each activity, and describes the measures that will be used to control those risks. An SWMS is mandatory under the WHS Regulation for any high-risk construction work as defined by Schedule 1 of the Regulation — work that involves the risk of a person falling more than 3 metres, work near energised electrical installations, work in or adjacent to a shaft or trench deeper than 1.5 metres, work involving structural alterations that require temporary support, and a range of other specified activities.

In practice, a risk assessment is often the input to an SWMS — the risk assessment identifies the hazards, and the SWMS translates the control measures into a step-by-step safe work procedure for a specific task. Both documents should be consistent with each other and both should be reviewed whenever the task or the work environment changes.

For construction work, both documents may be required. For non-construction workplace hazards — chemical exposure, psychosocial risks, noise, ergonomic hazards — a risk assessment is typically the primary compliance document rather than an SWMS.

Our CIH consultants can prepare both risk assessments and SWMS documents, or advise on which document is required for your specific work activity and jurisdiction.

Why CIH-Reviewed Risk Assessments Are Worth the Investment

Certified Industrial Hygienists (CIH) are health science professionals with specialist training in recognising, evaluating, and controlling workplace health hazards. The CIH credential is awarded by the American Board of Industrial Hygiene and requires a combination of academic qualifications, professional experience, and examination. In Australia, the equivalent body is the Australian Institute of Occupational Hygiene (AIOH), which awards the Certified Occupational Hygienist (COH) credential.

What distinguishes a CIH-reviewed risk assessment from a generic checklist filled out by a site supervisor is depth of hazard identification and the quality of control selection. An occupational hygienist will identify chemical exposure pathways that a generalist may miss, apply exposure modelling to determine whether controls are adequate to bring workers below the Workplace Exposure Standards (WES) published annually by Safe Work Australia, and specify controls that are targeted at the actual mechanism of harm rather than the most convenient administrative option.

For complex hazards — silica dust from concrete cutting, flour dust in bakery operations, isocyanate exposure in automotive spray painting, psychosocial risks in high-demand or trauma-exposed roles — the difference between a generic checklist and a CIH-reviewed assessment can be the difference between a workplace that is genuinely safe and one that passes a superficial audit while workers accumulate occupational disease.

From a cost perspective, the investment in a professional risk assessment is small relative to the potential cost of a WorkCover claim, a regulatory investigation, or litigation. The median cost of a serious workplace injury claim in Australia exceeds $130,000. A thorough risk assessment that prevents one such injury returns its cost many times over.

Our consultant-drafted risk assessments start from $49 AUD for trade-specific and activity-specific documents. Complex assessments covering multiple hazard categories — chemical, biological, psychosocial — are priced higher to reflect the depth of professional input. Contact us to discuss your specific requirements.

Downloading and Using Our Risk Assessments

Our consultant-drafted risk assessments are supplied as fully editable Microsoft Word (.docx) documents. They are compatible with all modern versions of Microsoft Word, Google Docs, and LibreOffice, and can be saved and printed as PDF once completed.

Each document is reviewed by a Certified Industrial Hygienist or Certified Occupational Hygienist with Australian regulatory knowledge. The documents are reviewed annually to ensure compliance with the current WHS Regulation and any updated Safe Work Australia Codes of Practice.

All documents include Australian-specific regulatory references, including the relevant section of the WHS Act or WHS Regulation, the applicable Code of Practice, and where relevant, the Australian Standard that governs the hazard category (for example, AS/NZS 1336 for eye protection, AS/NZS 1337 for eye and face protection, AS 2865 for confined space entry).

The documents are suitable for use by: - Small businesses completing their compliance obligations under WHS legislation - Safety officers at mid-size employers who need a starting-point document for site-specific risk assessments - Principal contractors who require subcontractors to complete risk assessments before commencing high-risk work - WHS consultants who need a professionally structured, consultant-grade document for client engagements - NDIS providers, aged care facilities, and other regulated industries that have risk assessment obligations under both WHS law and their sector-specific regulatory framework

Once purchased, the document is yours to use for any number of assessments at any of your worksites. There is no subscription fee and no limit on the number of completed assessments you can generate from the document.

For organisations that require custom, consultant-drafted risk assessments — for example, documents that reflect their specific industry, hazard profile, or branding — we offer a bespoke development service. Contact us to discuss your requirements and receive a fixed-fee quote.

Frequently Asked Questions

**Is a written risk assessment legally required in Australia?** The WHS Act does not explicitly require every risk assessment to be in writing, but the WHS Regulation requires that where a risk assessment is conducted, the findings must be recorded where the hazard or risk is not well known, where the results of the assessment may need to be communicated to others, or where the work is of a hazardous nature. In practice, a written assessment is essential for any non-trivial hazard, and a failure to document an assessment makes it nearly impossible to demonstrate compliance in the event of an incident or investigation.

**Who is required to conduct a risk assessment?** The PCBU has the duty to ensure risks are managed, but the actual assessment can be carried out by a competent person — someone with the knowledge, skills, and experience to identify hazards and assess risks for the work in question. Workers must be consulted in the process. For complex hazards such as chemical or biological exposures, a qualified occupational hygienist should be involved.

**How often should a risk assessment be reviewed?** At a minimum, the assessment should be reviewed when the work changes, after an incident or near-miss involving the assessed hazard, when a worker raises a concern about the assessment, when a new code of practice or standard is issued that applies to the hazard, and at defined intervals — typically annually for high-risk work and every two to three years for moderate-risk work.

**Can I use the same risk assessment for multiple sites?** A risk assessment prepared for one site should not simply be adopted for another without review. The hazards, layout, plant, and workforce at each site may differ. However, a document prepared for a particular type of work (e.g., concrete cutting, fork truck operation) can be adapted for each site by completing the site-specific sections.

**What is the difference between a hazard and a risk?** A hazard is a source of potential harm — for example, an unguarded rotating shaft, a chemical with toxic properties, or a workload that exceeds a worker's capacity. A risk is the likelihood that the hazard will actually cause harm, combined with the severity of that harm. Risk assessment is the process of evaluating risks arising from hazards.

Download a CIH-Reviewed Risk Assessment

Consultant-drafted, compliant with WHS Act 2011 and WHS Regulation 2025. Editable Word format. From $49 AUD — no subscription.

Buy Risk Assessment — from $49