Risk management
Guidance for employers on how to manage risks in the office environment.
Key words and their meanings
Hazard: A hazard is something that can cause harm.
Risk: A risk is the chance of a hazard causing harm.
Harm: Harm includes injury, illness and death.
The risk management process
Working in an office environment can expose people to a wide range of hazards and risks. The aim of occupational health and safety (OHS) risk management is to eliminate or reduce the risk of injuries and illness associated with work, so far as reasonably practicable.
A safe and healthy workplace requires an organised approach to finding and fixing hazards and risks. This approach is known as the risk management process.
Effective management of health and safety hazards also involves:
- training
- consultation
- documentation of health and safety activities
- regular review of the management system.
Managing health and safety hazards is not only about preventing harm. It also makes good business sense. It can:
- reduce costs
- increase productivity
- boost morale
- improve employee relations.
The risk management process is a continuous cycle. Consultation between employers and their employees must occur at each step of the process. The steps are:
- Identify hazards.
- Assess the risks those hazards create.
- Control the hazards and risks. Do this by eliminating the risk. If it's not reasonably practicable to eliminate risks, reduce them as far as is reasonably practicable.
- Review and revise risk control methods.
- Consultation
The Occupational Health and Safety Act 2004 (OHS Act) places health and safety duties on employers and others. It requires employers to consult with employees, so far as is reasonably practicable, and any health and safety representatives (HSRs). Under the OHS Act, your employees can include:
- independent contractors you have engaged
- employees of the independent contractors.
Consultation between employers and employees, including any HSRs, is an important part of risk management. It continues through every step of the risk management process. Employers must consult with employees, so far as is reasonably practicable, and HSRs about certain things that will affect them or are likely to directly affect them.
This includes when:
- finding and assessing hazards and risks
- deciding how to control risks
- planning changes to how work is done
- planning changes to the workplace
- planning changes to the equipment, substances or other things used at the workplace.
Employers must give employees and HSRs a reasonable opportunity to share their views. Employers must also take employee and HSR views and suggestions into account.
Consultation with employees must involve sharing information about their health, safety and welfare.
How to manage OHS risks
The following 4-step process can help control health and safety risks in the office. When identifying, assessing and controlling hazards, employers must consult with employees, so far as is reasonably practicable, and any HSRs.
Identifying hazards involves finding all the hazards in the workplace. It also involves understanding the possible harm the hazards may cause. These can include things like musculoskeletal disorders (MSDs), post-traumatic stress disorders (PTSDs) and vicarious trauma.
Offices can have a range of hazards. Some hazards are obvious but others are not. Examples of hazards to look for in the office include:
- Mechanical hazards; for example:
- filing cabinets that can tip when heavy top drawers are open.
- Gravity hazards; for example:
- tripping
- falls from heights.
- Physical hazards; for example:
- glare or reflections from screens
- poorly designed chairs that do not provide adequate back support
- poorly designed workstations
- inadequate space
- poorly designed jobs
- tasks that demand prolonged work in a fixed posture.
- Chemical hazards; for example:
- vapours in the atmosphere from paint or solvents
- airborne particles such as photocopier toner.
- Psychosocial hazards; for example:
- low job control
- high and low job demands
- poor support
- poor organisational change management
- poor organisational justice
- low recognition and reward
- low role clarity
- poor workplace relationships
- poor environmental conditions
- remote or isolated work
- aggression or violence
- sexual harassment
- exposure to traumatic events or content.
- Electrical hazards that may lead to the risk of electric shock. For example, damaged electrical cords or overloaded power points.
How to identify hazards
Employers must consult with employees, so far as is reasonably practicable, and any HSRs when identifying hazards. Other ways to identify hazards include:
- inspecting the workplace
- speaking to clients
- using information from industry bodies, regulators and specialists, and others
- reading instruction manuals
- reviewing records of incident reports, complaints, the injury register and health monitoring. When reviewing these records, you should particularly look for:
- reports of pain in the back, neck, shoulders and upper limbs
- cuts or bruising
- trips and falls
- headache and vision problems.
To identify psychosocial hazards, evaluate:
- productivity levels
- leadership capability
- rates of absenteeism
- workers compensation claims
- separation rates/turnover
- exit interviews
- employee engagement/morale
- customer feedback
- peak/seasonal demands
- incident reports
- data trends.
Audit tools and surveys might also help identify relevant psychosocial hazards.
There may be no history or only a small number of recorded accidents or incidents. But the hazard may still exist and the risks need to be controlled.
Where to look
Look at all parts of work, including:
- the physical work environment
- equipment, materials and substances used
- work tasks and how they are performed
- work design and management; for example, shift work, task allocation.
Hazard identification provides information about hazards in the workplace area you have assessed. Different areas may require different assessments.
A checklist is a useful method for identifying physical hazards. It is not necessary to be an expert in health and safety to use one. Use checklists alongside other risk control measures to ensure that emerging hazards are not overlooked.
Keep a list of what the hazards are and their location. This will help ensure nothing is forgotten when deciding how to keep employees safe and healthy.
HSRs also have a right under the OHS Act to undertake workplace inspections:
- at any time after giving reasonable notice to the employer
- immediately after an incident or an immediate risk to health or safety (OHS Act s58).
Employers should encourage them to do so.
Guidance for identifying hazards
WorkSafe has guidance on its website to help employers identify hazards. The guidance includes:
- Compliance codes, such as:
- Compliance code: Hazardous manual handling
- Compliance code: Workplace facilities and the working environment
- Compliance code: Noise
- Compliance code: Plant.
- Guides, including on:
- stress
- fatigue
- aggression or violence
- bullying
- gendered violence
- sexual harassment.
- Fact sheets and safety solutions.
- Mechanical hazards; for example:
Risk assessment is a process for developing knowledge and understanding about hazards and risks. It helps ensure sound decisions about risk controls.
Risk assessments help work out:
- what levels of harm can occur
- how harm can occur
- the likelihood that harm will occur.
Employers can work out the likelihood of injury or illness from different types of health and safety hazards in the workplace using data from sources such as:
- WorkSafe Victoria
- Comcare
- Safe Work Australia
- journals and other texts.
Typically, the common injuries or illnesses arising from the workplace include:
- physical or psychological harm from:
- work-related stress
- exposure to traumatic events or content
- bullying
- aggression or violence.
- MSDs of the back, neck and upper limbs from:
- lifting
- repetitive work
- computer use.
- minor injuries due to:
- cuts
- slips, trips and falls
- being hit by an object.
Employers should assess the likelihood of these or other injuries at their workplace.
Information about the most common injuries and hazards for people working in an office environment
Level of risk
Work out the level of risk. To do this, consider how severe an injury could be and the likelihood of it occurring. The level of risk will increase as the likelihood and severity of harm increase.
Likelihood of harm
Work out the likelihood of harm occurring. You can estimate the likelihood of harm by considering, for example:
- How often the task is done. Does this make the harm more or less likely?
- The circumstances in which the hazard occurs.
- Has harm happened before, either in your workplace or somewhere else? How often?
Consider whether the harm is:
- certain to occur
- very likely
- possible
- unlikely or rare.
Risks must be eliminated, so far as is reasonably practicable. If risks cannot be eliminated, they must be reduced so far as is reasonably practicable.
Controlling risks requires the use of risk control measures. Risk control measures are also known as risk controls or controls. Deciding on appropriate risk controls involves the following:
- Identifying the options for risk controls. A risk control option may be a single control or it may be made up of different controls. Together, the different controls provide protection against a risk.
- Considering risk control options and selecting suitable options. A suitable option is one that most effectively eliminates or reduces risk in the circumstances. Reducing the risk might require multiple risk controls, not just one.
- Implementing the selected option or options.
Finding the best control
The ways of controlling risks can be ranked from the highest level of protection and reliability to the lowest. This ranking is known as the hierarchy of risk control. Always start at the most effective control – Level 1, eliminate the hazard – and work down the hierarchy.
Remember, risk control may involve a combination of different controls. The aim is to provide the highest level of reasonably practicable protection.
The OHS Regulations require employers to control certain physical hazards in line with specific hierarchies of control. For example:
- noise
- plant
- hazardous substances
- hazardous manual handling.
For more information on managing specific risks, see the relevant WorkSafe compliance code or guidance.
The hierarchy of risk control
Level 1 – most effective
Eliminate the hazard.
For example, if copying is essential, a high-quality photocopier can sort, collate and staple. This eliminates manual handling.
Level 2
Reduce the risk with one or more of the following controls:
- Substitution
Substitute the hazard with something safer. For example, replace a telephone handset with a good quality handsfree headset when there is prolonged use of the telephone.
- Isolation
Isolate people from the hazard. For example, install barriers at reception areas to physically separate employees from clients who may act aggressively.
- Engineering controls
Reduce the risks through engineering changes or changes to systems of work. For example, a heavy compactus system may have a mechanical winder or electric controls. This means there is no need to push and pull the compactus sections.
Level 3
Use administrative actions to reduce exposure to risks and reduce level of harm.
Administrative controls may involve establishing policies, procedures and work practices that are designed to reduce an employee’s exposure to a risk.
Administrative controls may also include providing relevant training or appropriate supervision. For example, structuring work tasks so employees do not have to use a keyboard for long periods.
Level 4
Use personal protective equipment.
Personal protective equipment (PPE) refers to anything employees use or wear to minimise risks to their health and safety. For example, providing skin and eye protection for people using cleaning products.
PPE limits exposure to the harmful effects of a hazard, but only if employees wear and use it correctly.
Using administrative controls and PPE to reduce risks does not control the hazard at the source. Administrative controls and PPE rely on human behaviour and supervision. Used on their own, they tend to be least effective in minimising risks.
Use administrative controls and PPE only:
- as last resorts when there are no other practical control measures available
- as an interim measure while introducing a more effective way of controlling the risk
- to increase the effectiveness of higher-level control measures.
Reviewing risk control measures will help you ensure they are working. Reviews will also help you identify if your controls become less effective, or if there are other controls you should introduce.
Regular reviews
Review your risk controls regularly to make sure they work as planned. Don’t wait until something goes wrong.
If you find problems, go back through the risk management steps. Review your information and make further decisions about risk control.
An OHS policy sets out an organisation's approach to health and safety. It explains how employers will manage the health, safety and welfare of employees, contractors, visitors and members of the public affected by the organisation's work. The policy should clearly state who does what, when and how. It needs to be consistent with OHS laws.
Preparing an OHS policy is an important step towards providing and maintaining a work environment that is safe and without risks to health. Developing an effective OHS policy involves consultation with senior management, any HSRs and employees.
Management must consult with employees, so far as reasonably practicable, and any HSRs when developing health and safety procedures. The procedures should detail the organisational arrangements for:
- identifying, assessing and controlling hazards
- dealing with specific health and safety issues.
The procedures should be the basis for:
- management and supervisor responsibilities
- employee involvement
- goals and action plans, and reviews of their effectiveness.
To ensure a specific OHS policy is effective, employers should:
- consult with employees and any HSRs on how to turn policy objectives into a plan of action
- regularly monitor and review the plan to ensure it aligns with changes in legislation and organisational needs.
A copy of the policy document must be accessible for employees to view. Many organisations make OHS policies part of their quality management systems.
What should a health and safety policy do?
A policy statement should show, in clear and simple terms, the organisation’s health and safety goals and how to achieve those goals, including the allocation of functions and responsibilities. The policy should include:
- senior management commitment
- the incorporation of that commitment into all organisational activities
- a commitment to set down the functions and duties of all people in the organisation for maintaining workplace health and safety
- accountability of all levels of management
- consultation leading to effective action
- training in health and safety practices and procedures
- communication of health and safety practices and procedures
- regular monitoring and reviewing of the policy and its effectiveness
- the role of HSRs and how their activities will be supported.
Specific health and safety policies
Health and safety policies about specific issues should be consistent with an organisation’s general health and safety policy. Specific issues include:
- smoking
- drugs (including prescription medication) and alcohol
- bullying
- sexual harassment
- gendered violence
- infectious diseases.
Specific policies and procedures will be more successful where there is an existing general health and safety structure. These policies will vary from one organisation to another because they reflect the needs and operational requirements of individual organisations. However, all specific health and safety policies must fulfil the requirements of relevant legislation.
Related pages
This information is from WorkSafe's Office health and safety guidance. The complete guidance is available in two formats.