Information on this page is not current law. It details new laws that commence on 1 July 2021 under the Environment Protection Act 2017.

Use this four-step process to manage any potential risks your business activities may pose to the environment and human health. 

You can apply these steps to a business of any size. Or you can use a different risk management approach if it’s better suited to your business. 

Four-step risk management process

Steps in controlling hazards and risks infographic

We have produced a series of short videos to help explain this process. You can run through all four videos as a playlist (7.24 minutes) or you can view them individually.

Step one: Identify hazards

Video transcript

Assessing and Controlling Risk, a guide for business.

Video one: Identify hazards.

It’s the responsibility of businesses to manage and prevent unnecessary risk.

Assessing and controlling risks helps businesses prevent harm and meet legal obligations.

Risk assessment can mean simply adopting four steps: identify hazards, assess risks, implement controls, check controls.

Let’s discuss the first of these steps, how to identify hazards. 

A hazard is anything that could cause harm to human health or the environment. Chemical spills, stormwater contamination, dust, odour and hazardous wastes are common examples of hazards. Ask yourself how your business activities may be hazardous. For example, material storage and handling, and detergent use are common activities which can present hazards.

Once you know what to look for, simply walking around the workplace is a good way of identifying any hazards. Your checklist shouldn’t just include equipment and buildings, but also internal work systems and standard operating procedures.

Houses, waterways or parks near your business could be harmed. Consider how pollution travels through creeks or stormwater drains.

The following platforms and tools can help employees and stakeholders work together to identify hazards: workshops and meetings, safety data sheets (formerly called material safety data sheets) and industry associations.

Identify all hazards on your site that could harm human health or the environment. Chemical spills, stormwater contamination, dust, odour and hazardous waste are common examples of hazards.

Think about how your business activities may be hazardous. For example, detergent use and material storage and handling are common activities that can present hazards.

Step two: Assess risks

Video transcript

Assessing and Controlling Risk, a guide for business.

Video two: Assess risks.

Once you identify your hazards, you need to assess the risk they could pose.

This involves looking at how hazards might cause harm based on how likely they are to happen, and how severe that harm could be.

Simply put, risk assessment means understanding, preventing and controlling hazards on your site that could cause harm.

Now let’s discuss the second of these steps, how to assess risks.

The first step is to establish the likelihood of the harm happening. You should find out if the hazard has already caused harm in the past at your operating site or other similar sites, what controls are currently in place, the frequency of the hazard (does it exist all the time or only sometimes), and the way that your staff or others may behave when the hazard occurs.

Once you understand the likelihood, it is then important to work out how severe this harm could be if it happens. This is sometimes called the consequence.

Think about impacts to community and the environment, including local creeks and waterways. Likelihood and consequence information gathered as part of this risk assessment process will help you decide what controls to put in place.

A risk matrix which rates the likelihood and consequence can be a helpful ranking tool to inform a business’s processes and systems.

Once you identify your hazards, you need to assess the risks they could pose. This involves looking at how hazards might cause harm.  

Base your assessment on how likely they are to happen and how severe that harm could be.  

Step three: Implement controls

Video transcript

Assessing and Controlling Risk, a guide for business.

Video three: Implement controls.

The controls you set up to prevent your business activity from posing a risk to human health and the environment are a key priority.

Let’s discuss the third of these steps, how to implement controls.

The most effective control is to eliminate the hazard and any associated risks.

The second most effective control is to substitute the source of the hazard with something safer or to reduce the risk of the hazard with engineering controls.

Secondary containment, such as bunding, can be used in conjunction with automated shutoff systems meaning there is no need for a person to be present operating the equipment to shut it down.

Administrative controls are the least effective type of controls as these rely on people doing the right thing or taking care at all times, introducing the risk of human error.

An example of a preventative control is the safe storage of potentially hazardous liquids. The respective mitigating control is a spill kit that can be quickly deployed in the event of a spill.

Another preventative control is designating a wash area where the ground is impervious and sloped towards a drain which leads towards a storage tank.  This prevents the wastewater from being washed down into the storm water system.

All identified hazards and their associated risks can need to be recorded in a register. This enables key personnel to understand the business's risk profile, record existing controls for hazards and risks, and address risk as part of decision-making processes.

It is also helpful in identifying when new controls may be introduced to further address any residual risk.

Regular reviews can help maintain your business’ focus on hazard controls, as well as supporting continuous improvement.

Put in place the most appropriate controls to manage the risks you assessed at step two. These should reflect the likelihood and consequence of a hazard occurring.  

The most effective control is to eliminate the hazard and its potential risk.  

Step four: Check controls


Video transcript

Assessing and Controlling Risk, a guide for business.

Video four: Check controls.

Controls that are put in place to prevent or mitigate risks must be monitored to ensure they work as planned.

Checking controls involves the same methods as demonstrated in our first video identifying hazards.

Examples of ways to check the effectiveness of controls are:

  • regular site inspections and audits
  • consulting with staff, contractors and landlords
  • inspecting, testing and maintenance of risk control systems
  • using available information such as manufacturer and supplier instructions
  • analysing records and data such as incident and near miss reports.

In order to maintain controls in place at your business, and ensure that they remain effective, you should:

  • review hazards and risk assessment regularly
  • review, test and maintain all engineering controls
  • allocate responsibility and accountability at your workplace for risks and their controls
  • consult with staff and other stakeholders on effectiveness of controls and on any new or changed hazards
  • communicate clearly and effectively about hazards and risk control
  • conduct regular training of staff, including refresher courses for administrative controls.


Regularly check the controls you put in place are working as planned. Improve them if they’re not. Your check might also identify more hazards. If it does, you must return to step one for these hazards.  

Your actions shouldn’t stop at step four. You should repeat this process often to make sure your risk management is working.

EPA’s compliance approach can also help your business meet its environmental duties and obligations.  

How to increase your knowledge

Under the general environmental duty (GED), you must understand the risks from your business's activities and how to address them as far as reasonably practicable.

State of knowledge is what is known about the risks from your business activities. It’s also what’s known or ought to be known about the controls you can put in place to manage the risks.

Getting this knowledge means using trusted sources. Existing knowledge may include:

  • business and industry knowledge 
  • regulatory and government agency knowledge 
  • knowledge that independent organisations hold. 

Find out about common hazards and find guidance for your industry.

Assessing and controlling risk: a guide for business (publication 1695) provides more information for businesses who want to follow a risk management process. It’s also available in languages other than English. 

Reviewed 12 March 2021