A risk management process can help you meet your obligations and duties under the Environment Protection Act 2017. It's the same approach that many workplaces use to manage occupational health and safety risks under health and safety laws.
It can be a condition of your permission to have a risk management process that is:
- documented
- continually followed and updated.
Understanding and documenting your hazards and associated risks helps you decide the controls you need to manage your risk of harm.
Harm is any adverse impact on the environment, of any degree or duration. It includes impacts that add up over time (cumulative impacts).
Risk is the threat that a hazard poses to a receptor. A receptor is something of value that can be harmed – for example, the environment or human health.
The way that the hazard reaches the receptor is the pathway – for example, air, water, or soil. To learn more about receptors and pathways, visit How contamination causes harm.
Your risk management process should:
- identify any hazards or activities that could cause harm
- assess and rate the level of risk, based on the likelihood of it happening and the consequence if it does
- implement suitable and available risk control measures
- check controls regularly to make sure they're working.

Identify your hazards
You should identify hazards that could cause harm – for example, release of smoke or spills into stormwater.
To learn about common hazards, visit:
- air pollution, including dust and odour
- land and groundwater pollution
- industrial waste
- noise
- toxic chemicals
- wastewater
- water pollution, including contamination of stormwater.
How to identify hazards
There are many ways to identify hazards.
Review your business activities. Reflect on how your business activities could pose a risk of harm – for example:
- storing and handling material
- using detergent
- landscaping
- grinding.
Inspect your workplace. Look at:
- plant, equipment, buildings and structures
- internal systems of work
- standard operating procedures.
Consult with employees, specialists and industry associations. Workshops and meetings can help you identify aspects of work that might present hazards. Take opportunities to involve key stakeholders, such as fire authorities and your local council.
Review available information that can help you identify hazards – for example:
- advice from insurance providers
- information about hazards and risks from your industry association
- safety data sheets
- supplier and manufacturer instructions
- technical, fire, and work health and safety specialists
- trade waste arrangements for your site.
An expert can help you identify and assess hazards. They can also advise you on appropriate controls. Visit work with a consultant.
Once you identify hazards, record and document them. You can use a hazard and risk register to do this.
Assess your level of risk
You need to assess the level of risk of the hazards you've identified.
The level of risk is a combination of:
- how likely it is that harm will occur (likelihood)
- the degree of harm that could be caused (consequence).
Work out the likelihood of harm
Likelihood of harm is the chance that harm will occur. Consider:
- previous incidents and near misses in your business and industry
- how often the hazard occurs – for example, sometimes or all the time
- the behaviour of people on your site
- whether changes to your operating conditions throughout the year change the likelihood of risk
- how pollution may reach other areas – for example, by air, water or soil (the pathways)
- where pollution may go – for example, neighbouring properties, parks, or creeks (the receptors).
Also consider what controls you already have in place to manage risk. Are they effective? Is there residual risk that needs additional controls?
There are many ways to assess how likely it is that harm will occur. Choose a way that best suits your circumstances. An example of a scale you can use is:
- could happen but probably never will
- not likely to happen in normal circumstances
- may happen at some time
- expected to happen at some time
- expected to happen regularly under normal circumstances.
Work out the consequence of harm
Consequence is the degree of harm that could result from the hazard. There are many things to consider.
Consider the kinds of harm that could be caused. A single incident might cause multiple types of impact. For example, the same incident might harm both the environment and human health.
Consider factors that influence the degree of harm. It might depend on the circumstance. For example, if your business is located near houses, then a spill of hazardous substances may increase the degree of harm.
Consider non-routine or extreme situations, such as an extreme weather event.
Consider impacts to receptors. This includes:
- wetlands, creeks and waterways
- surrounding residential areas and roads
- hospitals and schools
- onsite and neighbouring properties.
Identify who could be impacted. This could include:
- employees
- visitors
- customers
- contractors
- emergency service personnel.
Consider your current controls. What is the pre-control and post-control risk? Pre-control risk is the degree of harm when no controls are in place. Post-control risk is the degree of harm when there are controls in place.
Consider if activities are actually done in the way they should be. Assess if your work practices reflect actual operating procedures or best-practice standards.
Assess the consequence of each hazard. An example of a scale you can use is:
- no or minimal environmental impact, or no health and wellbeing impacts
- low environmental impact and/or low potential for health and wellbeing impacts
- medium environmental harm and/or medium-level harm to health and wellbeing over an extended period of time
- serious environmental harm and/or high-level harm to health and wellbeing
- permanent or long-term serious environmental harm and/or life-threatening or long-term harm to health and wellbeing.
Combine likelihood and consequence
Work out the level of risk by looking at likelihood and consequence together. You can do this using a risk matrix.
In this example of a risk matrix, hazards are rated from low to extreme.

Other tools you can use to assess risk are listed in the Standards Australia guide Risk management – guidelines on risk assessment techniques (HB 89:2013).
Implement controls
Implement controls that:
- prevent (eliminate) or mitigate risk
- are proportionate to the risk
- are guided by the hierarchy of controls.
Record controls in a hazard and risk register.
Prevent or mitigate risk
Preventative controls stop harmful events from happening. They eliminate the risk altogether. Examples include:
- storing chemicals safely
- leak detection
- maintenance programs.
When you cannot eliminate risk, use mitigating controls to limit the damage from a harmful event (consequence). Examples include:
- spill kits
- fire extinguishers
- an emergency management plan.
Proportionate controls
Proportionate controls are the most suitable controls available to eliminate or minimise the harm. A proportionate control:
- is effective in preventing or mitigating risk
- can be implemented in the circumstances
- does not introduce new and higher risks.
You may need a combination of controls to be proportionate.
Sometimes the likelihood or consequence of a hazard cannot be worked out. In this case, apply the precautionary principle and put in place controls that are:
- available
- easily implemented.
Industry associations might help you find appropriate controls for your business activities. You may need to look further for options to control your risk.
To find industry specific information, visit Know your industry's obligations.
Hierarchy of controls
Use this hierarchy to determine the most appropriate controls to use.
1: Eliminate the hazard and its associated risk
This is the most effective option because it eliminates the risk. Look to eliminate the hazard first. If this is not possible, consider substitution or administrative controls.
For example, don't store liquids where there's a high risk of water pollution or land contamination.
2: Substitute or contain the hazard
Substitute the cause of the harm or hazard with something safer. Alternatively, put engineering or physical controls in place to contain the hazard and reduce the risk.
For example, you can reduce noise from an air conditioner by substituting it with a better model. If there's not a better model available, then engineering controls could buffer the noise.
3: Use administrative controls
This is the least effective option.
Develop procedures, and train and supervise workers. This includes providing personal protective equipment and training staff to use it.
Often, you need a combination of these 3 approaches.
Hazard and risk register
Document the hazards, risks and controls in a register.
A register:
- communicates your business risks
- supports decision-making
- helps identify when you need new controls.
Use our hazard and risk register template as a guide.

Check and maintain controls
Check your controls the same way you identified your hazards and controls. Regular checking:
- keeps you aware of your hazards and risks
- identifies when controls fail
- identifies opportunities for improvement
- enables you to apply new and changing knowledge and technology.
To check the effectiveness of controls:
- conduct regular site inspections and audits
- consult employees, contractors, occupants and landlords
- inspect and test your risk control systems
- look at records and data, such as incident and near-miss reports
- use available information, such as manufacturer or supplier instructions.
To maintain effective controls:
- allocate responsibility and accountability for risks and their controls
- communicate clearly and effectively about hazards and risk controls to everyone affected by them
- regularly consult with employees and stakeholders, such as insurance providers and emergency service representatives
- regularly review, test and maintain your engineering controls
- regularly review your hazards and risk assessments, as they can change over time
- run regular training for staff, including refresher training for administrative controls.
When controls fail, apply your risk management process, and review your hazard and risk register.