Risk Management Toolkit
Guiding principles and practical tools for identifying, assessing, and managing risk.
Steps for managing WHS risks
The below table provides a brief overview of the 4 steps involved in handling risk. As you move through this page you’ll find more specific tools.
| Steps | Description |
| Step 1: Identify Hazards | To identify potential hazards in the workplace, you can try several methods. Start by inspecting the physical work environment to observe any obvious risks. Consult with workers directly, or gather their input through surveys or workplace representatives. You can also seek information from industry bodies, regulators, or safety specialists who may provide relevant insights or best practices. Reading instruction manuals or safety data sheets can help you understand how to safely use equipment and substances. Additionally, reviewing your own records, such as incident reports, complaints, and health monitoring data, can highlight areas of concern. When assessing where to look for hazards, consider all aspects of work. This includes the physical environment, the equipment, materials and substances being used, and the tasks themselves, including how they are performed. It's also important to examine the overall design and management of work, such as shift patterns or workload distribution, as these can also contribute to health and safety risks. |
| Step 2: Assess Hazards | Work out the level of risk by considering the possible consequence and likelihood of it occurring. The level of risk will increase as the likelihood and consequence increase. All hazards that are identified must be reported to the appropriate persons. |
| Step 4: Review Controls | You can rank ways of controlling risks from the highest level of protection and reliability to the lowest. This ranking is known as the hierarchy of controls. Always start at the most effective control (avoidance/elimination), and work down the hierarchy. You should also assess the control by using the table “Control Effectiveness Ratings”. All controls, and this WHS Risk Assessment & Management Plan must be approved by the appropriate person. |
| Step 4: Review Controls | The control measures that you put in place should be reviewed regularly to make sure they work as planned. Don’t wait until something goes wrong. If you find problems, go back through the risk management steps, review your information and make further decisions about risk control. |
Tool for identifying risks and hazards
Traffic Lights Model: Categorising job practices
WorkSafe promotes the ‘Traffic Light Model’ consistently across their publications as a simple and accessible way to understand risk. This risk management approach asks you to focus on your job duties and practices.
In practice: a valuable exercise is to think about your day - to - day duties. Is there any that you could categorize as ‘red’, or high risk? Is there anything you do that warrants medium risk?
Tool for assessing the severity of a risk
Risk Matrix: Identify the severity of the risk
The risk matrix provides a more thorough risk analysis. Rather than thinking about specific practices, think about risk specifically. It is imperative to consider how likely something is to go wrong, and what the consequences would be.
In practice: ask yourself the questions “What might go wrong? Who might be harmed and how?” - once you have the risk in mind, assess it by thinking about the likelihood it will occur and the severity of the consequence. Give the risk a rating on Likelihood and Consequence. Multiplying the two will assess the risk within the range ‘Very Low’ (1) to Extreme (25)
In Practice: Think about the risk you’ve identified and it’s rating. Find the risk rating on the table below and use the description to guide appropriate action for controlling the risk.
| Risk Rating | Description |
| Extreme (17-25) | Extreme risk – Unacceptable. Cease Activities and endorse for immediate action. Requires senior management attention and reporting to the Executive, ARC, Governing Body and Directors. |
| High (10-16) | High risk – Tolerable. Must be reviewed in a timely manner to carry out improvement strategies. Requires senior management attention and reporting to the Executive, ARC, Governing Body and the Directors. Seek independent assurance that controls are robust and effective. |
| Medium (5-9) | Moderate risk – Adequate. Requires further analysis for appropriate action to be identified and where appropriate, action taken. |
| Low (3-4) | Low risk – Acceptable. Requires management to routinely monitor the risk and where appropriate, seek independent assurance that controls are robust and effective. |
| Very Low (1-2) | Very Low risk – Acceptable. No further action needed and maintained control measures. |
Tool for finding the best control
Hierarchy of Controls: Ranking of highest level of control to lowest level of control
The hierarchy of controls shows both the types of controls to consider, as well as their effectiveness. As you can see, eliminating the risk completely is the most effective means of controlling it.
In Practice: think about the risk you have identified from the previous activities. You have a risk, and it’s rating. You also have a description on how you should act with that rating. Now, looking at the Hierarchy of Controls and think about the most plausible control measure. If you can’t eliminate the risk, what else might you do to control its impact?
Hierarchy of Controls
Control Effectiveness Rating
Once you’ve considered the type of control you might use to minimize your risk, you can use the table below to think about its effectiveness.
In practice: Using the risk that you identified, and your selected control type, consider where you would place the control on the ‘Control Effectiveness Assessment Ratings’
| Rating | Description |
| Highly Effective | Controls are strong and operating properly, providing a reliable level of assurance. There is very limited opportunity for improvement to further strengthen operating effectiveness. The control environment reflects elements of good or best practice, and accountability is clearly assigned and effectively managed. |
| Effective | Controls are sufficient to achieve the intended objectives. The control environment is of effective quality, providing adequate management. It generally follows recognised good practice. Accountability is assigned; however, some management attention is needed to improve overall effectiveness. |
| Weak | Control inefficiencies have been identified. Although these do not present a serious risk exposure, management attention is required to provide a reasonable level of assurance. Risk is not being adequately managed. In some cases, the control has only recently been designed or implemented, and its effectiveness is not yet known. Further improvement or evaluation is required. |
| Unsatisfactory | Controls do not meet a suitable standard, as many weaknesses and inefficiencies exist and do not provide reasonable assurance. The control is not being managed effectively and requires serious and immediate improvement to achieve objectives. Accountability may not be clearly assigned, and risk is not being managed. |
Reviewing controls
Examples of reviewing controls
There are many ways to review risk controls. Draw from the table below for examples - you may already do some of these things without even knowing.
| Review Method | Description / Example |
| Quarterly HSC Meetings | Formal review of risks and control effectiveness across the business. |
| Workplace Inspections | Controls are sufficient to achieve the intended objectives. The control environment is of effective quality, providing adequate management. It generally follows recognised good practice. Accountability is assigned; however, some management attention is needed to improve overall effectiveness. |
| Team Discussions / Toolbox Talks | Informal chats or meetings to raise any issues with current processes or risks. |
| Incident and Near Miss Reviews | Reviewing what went wrong (or almost did) and how controls could be improved. |
| Staff Feedback / Surveys | Asking workers if controls are practical and effective in real settings. |
| Training Refreshers / Reviews | Checking if staff still understand and follow procedures — adjust if not. |
| Audits (Internal or External) | Periodic audits to confirm controls are compliant and functioning as intended. |
| Observational Checks | Informally watching tasks to ensure procedures are followed and controls are used. |
| Policy / Procedure Updates | Reviewing documents and controls when legislation, work practices, or tools change. |