It is considered best practice to apply risk management principles to your business activities. The state of knowledge around risk management is well established, with guidance, standards and information widely available. EPA recommends that you adopt an appropriate risk management framework for your business activities, proportionate to the nature and scale of the risks involved.
Assessing and controlling risk: A guide for business (publication 1695.1) provides a structured framework to identify hazards, assess risks, implement controls and monitor those controls. It aligns with the approach in AS ISO 31000:2018 Risk Management and is adaptable to businesses of all sizes. However, larger businesses or those with more complex environmental and human health risks may need to adopt suitable or more complex risk management frameworks or methods or seek professional advice. EPA has published guidelines to assist you in assessing hazards and controlling various types of environmental risks. These documents are listed in References of this guideline.
Identify hazards
Understanding your site activities, features, operational processes and environmental settings (as explained in Site description) is essential for identifying potential hazards.
Potential hazards or risk sources may include chemical or sewage spills, microbial hazards, fire, emission of pollutants, and migration of contaminants to the surrounding environment (soil, water and air). Extreme weather events can also pose significant risk. The extent of your risk assessment should be proportionate to the complexity and risks associated with your site and activities. For more examples of common hazards, see Table 2 in Assessing and controlling risk: A guide for business (publication 1695.1).
You should identify all potential environmental and human health hazards associated with your site activities and features and record them in your risk register (see Risk register). You may refer to your CSM, if you have one, to assist with identifying hazards.
The next step is to assess how these hazards might affect the environment and human health, which will form the basis of your risk assessment.
Assess risks
Risk assessment is a fundamental component of your RMMP. It uses information from the hazards you have identified to determine which site activities require some form of control to minimise their potential human health and environmental impacts.
Your risk assessment may also identify your compliance obligations, for example those arising from your EPA licence conditions, the EP Act and subordinate legislation.
Your risk assessment must cover the risks of harm to the environment and human health. These harms may be cumulative and could be a result of multiple occurrences of harm arising from the same activity or the effects of harm from various activities. Different risks can interact, intensifying their overall impact. For example, combined effects of noise, dust and odour from a landfill may significantly affect community wellbeing and local amenity.
By understanding how multiple risks combine or escalate, you can assess whether existing controls remain sufficient and take timely action to prevent harm.
Risk assessment method
You need to perform a risk assessment for each identified environmental and human health hazard. Use an appropriate risk assessment method to accurately and adequately assess your risks. If appropriate, you may follow the risk assessment method outlined in pages 8–10 of Assessing and controlling risk: A guide for business (publication 1695.1). Depending on the scale and complexity of your site, you may use different methods.
Your RMMP should clearly set out your chosen risk assessment method. It should describe the criteria for assessing the likelihood and consequence of risks to human health and the environment. It should also explain the rationale or justification behind selecting the criteria.
Your risk assessment should also include a risk matrix and a description of risk ratings. For example: What does a ‘high’ or ‘medium’ rating mean? Are existing controls sufficient or are more controls needed? This can be incorporated as a dedicated section in the main body of the document or in the risk register spreadsheet, with the detailed procedure as an appendix.
The entire risk assessment process should be documented, and those documents should be maintained to provide a basis for your implemented controls. They will also enable regular checking of controls or reassessment of risks.
Detailed risk assessment and supporting documents
Where relevant, your RMMP may be supported by detailed risk assessments for key environmental aspects associated with your site. For example:
- human health risk assessment
- fire risk assessment
- ecological risk assessment
- soil and groundwater risk assessment
- emerging contaminant risk assessment
- climate change risk assessment.
The RMMP should reference the reports for any risk assessments conducted for your site and provide a summary of the key findings and actions detailed in these reports.
Risk register
Your RMMP should include a complete up-to-date risk register (also known as an ‘aspects and impacts’ register). This is a critical component of an RMMP.
Risk registers are commonly presented in a tabular format, such as a table or spreadsheet. EPA recommends that you include the following key columns and associated information:
- activities/features
- location/area of site
- hazards/risk sources
- causes of hazards/risks
- environmental impacts and consequences
- environmental segment/receptor (for example, wetlands, waterways, and residential areas)
- inherent risk level/rating
- existing controls/control measures
- critical controls (see Describe critical controls)
- residual risk level/rating
- future controls/action or improvement plans.
You may also wish to include:
- risk event
- how controls are monitored (see Check controls and Monitoring)
- control effectiveness
- control maintenance information
- control references/procedures
- control checks/verification
- references to management plans
- compliance requirements
- action plan implementation/target dates
- risk owners
- references to other risk studies/assessments
- date of last review of risk assessment.
See Appendix B for an example risk register.
EPA may ask you to provide further information or details on any of the above, for example:
- evidence of control effectiveness
- evidence that your controls are reasonably practicable
- details of your risk action plan
- control improvement or upgrade plans
- links to trigger action plans.
Implement controls
Controls are essential for both minimising your risks so far as reasonably practicable and achieving your environmental performance objectives. This is why it is important to establish, implement and maintain your controls.
Reasonably practicable (publication 1856) explains, with examples, all the key factors and criteria that need to be considered in determining reasonably practicable risk controls.
Identify controls
As outlined in publication 1695.1, the options for controlling risk should be prioritised from the highest level of effectiveness to the lowest:
1. Elimination (remove the hazard entirely)
2. Substitution (replace hazardous materials or processes with safer alternatives) / Engineering controls (install plant, processes and equipment to reduce risk)
3. Administrative controls (implement policies, procedures, and training to reduce risk) and personal protective equipment (provide protective gear to workers).
These controls can be used individually or in combination using the hierarchy of the options (from 1 to 3).
The type and number of controls in your risk register will depend on the nature of your activities, the level of risk, opportunities, environmental aspects and compliance obligations.
Ideally, controls should be developed and maintained by suitably experienced people (these may include consultants) with input from employees and managers who will be responsible for implementing them.
Describe critical controls
Controls are considered critical when their absence or failure could lead to severe incidents that will impact human health and the environment. You should highlight your critical controls in your risk register. For example, a local exhaust ventilation (LEV) system is a critical control. This is an engineering control that reduces exposure to airborne contaminants such as dust, mist, fumes, vapour and gas. It works by capturing emissions at their source and transporting them to a safe emission point or a filter/scrubber.
In your RMMP, you should clearly describe your critical controls for activities with high inherent risk ratings. This description should cover their purpose, functionality, maintenance and monitoring for effectiveness. You are encouraged to describe the processes for identifying, responding to and reviewing failures of critical controls to ensure their ongoing effectiveness.
The level of detail when describing critical controls should reflect:
- the complexity of the activities
- the potential severity of the environmental impact it is preventing or minimising.
Check controls
Your RMMP should also document how you check your controls.
Ensuring the functionality and effectiveness of controls is crucial. Regular checks and monitoring help to verify that controls are functioning as intended and are reducing risks of potential harm to human health and the environment. See also Risk control performance objectives.
The frequency of control checks and reviews is typically determined by the level of risk associated with the activity or emission being managed. Critical controls may require more frequent verification and performance monitoring. For further details see Evaluating environmental performance.
Management of change
You should regularly review your risk assessment and risk register to ensure that hazards remain relevant and control measures and risk management strategies continue to be effective and fit for purpose.
Several factors may also trigger a review including, but not limited to:
- changes in legislation or other sources of new compliance requirements
- changes to your activities, equipment or processes
- incidents or near misses
- inefficiencies or failures in existing controls
- organisational changes – for example, mergers, acquisitions, decommissioning, or internal restructuring
- emerging risks or changes in the operational environment
- extreme weather and climate change or variability
- availability of new technologies and state of knowledge
- periodic evaluations of performance
- concerns or recommendations from key stakeholders
- risk register reviews.
Changes should be documented and managed to ensure that they do not compromise existing risk management controls or introduce a new risk that itself requires control.

