The risk management process
Guidance on this page explains the risk management process. It is for employers. It may also help others with workplace health and safety duties. In this guidance, 'employees' includes contractors and their employees.
A series of steps
This page is part of a series on risk management. The series explains risk assessment and the control of hazards and risks at work.
An organised approach
A safe workplace requires an organised approach to finding and fixing hazards and risks. This organised approach is known as the risk management process.
The risk management process is a continuous cycle. See Diagram 1. It begins with consultation between employers and their employees. The process then follows a series of steps. The steps are:
- Identify the hazards.
- Assess the risks from those hazards.
- Control the risks.
- Review and, if necessary, revise the risk controls.
Consultation with employees continues through every step of the process. Your employees might have health and safety representatives, known as HSRs. Consultation must involve HSRs.

Diagram 1: The cycle of the risk management process. The continuous cycle starts with consultation, followed by 4 steps: 1 Identify hazards. 2 Assess risks. 3 Control risks. 4 Review and revise risk control measures. Consultation continues throughout each step of the process.
You need a plan
The risk management process requires a plan – a risk control plan.
A risk control plan sets out and guides the risk management process. It is the document with all the details about how you will control risks.
The plan helps you do the following:
- Find workplace hazards that could harm people. Hazards can be physical and psychological.
- Work out the level of risk from those hazards.
- Work out how the hazards can harm people.
- Work out the likelihood of the hazards harming people.
- Fix the problem with the most effective risk controls. Refer to the hierarchy of control for a structured system to control risks in the workplace.
- Make sure the risk controls continue to work.
As an employer, you have a legal duty to identify and control workplace hazards and risks. A risk control plan sets out how you plan to control risks in your workplace. It also helps you identify which risk controls are in place.
Your risk control plan should set out how you will comply with the law and manage hazards and risks. The plan should also set out your timeframe to comply with the law.
A risk control plan can help you meet your legal obligations. It can help protect business resources. It can also protect and improve the business brand. A risk control plan may prevent incidents that affect processes and performance.
Some businesses have complex risk control plans. Others have simple plans. Complex or simple, what is important is that the plans control risks. They help protects people's health and safety at work.
WorkSafe guidance includes questions to help you test your risk control plan.
Inspectors can help
WorkSafe inspectors enforce occupational health and safety (OHS) laws. Inspectors can also provide advice on how to comply with OHS duties. They can help you improve workplace health and safety.
In some cases, WorkSafe inspectors may inspect an employer's risk control plan. They may also recommend employers prepare a risk control plan.
Inspectors can assess whether your risk control plan is suitable. They can also check the schedule of your plan. You may need to carry out the plan within an agreed time. If you fail to meet the deadline, an inspector may instruct you to take further compliance and enforcement action to control risks. Penalties can apply if you fail to comply.
Inspectors do not endorse or approve risk control plans.
Risk control is a team effort
Creating a risk control plan and controlling risks at work should be a team effort. Make sure you involve:
- your employees
- any HSRs
- the OHS committee, if there is one.
Involving employees in the plan will help ensure they understand and engage with it. Additionally, employees must cooperate with their employer’s efforts to comply with the Occupational Health and Safety Act 2004 (OHS Act) or regulations. You might need to provide training for HSRs, managers and supervisors. You might also need to provide training about specific hazards.
Harm
Harm is death, injury, illness or disease a person may suffer from a hazard or risk. Illness and injury include psychological illness and injury.
Consult
Consultation is a two-way exchange of information and ideas between employers and employees. It is crucial to your risk control plan. Consultation with employees helps identify OHS hazards and control risks.
As an employer, you must consult with your employees. You have duties under OHS Act and Occupational Health and Safety Regulations 2017 (OHS Regulations) to do so. The duty to consult is a positive for your business. It's easier to create a safe workplace when employers and employees talk to each other. You can discuss potential problems and work together to find solutions.
Consultation involves:
- sharing information about health and safety
- giving your employees a reasonable opportunity to express their views
- taking those views into account.
The OHS Act lists matters employers must consult their employees about. You must consult employees who are directly affected by any of the matters listed in the OHS Act. You must also consult employees who are likely to be directly affected by those matters. Your employees might have HSRs. Consultation must involve HSRs, either with or without employees' direct involvement.
The times when you must consult with employees and any HSRs include when you are:
- identifying and assessing hazards or risks
- making decisions about risk controls
- making decisions about procedures to resolve health or safety issues at the workplace.
Remember to include all affected employees and those who are likely to be affected. This includes, for example:
- shift workers
- employees with intellectual or physical disabilities
- employees from different cultural or language backgrounds.
You must consult so far as is reasonably practicable.
More information about employers' duties to consult is available on the WorkSafe website. It includes information about when you must consult.
Allocate responsibilities for the plan
Appoint someone to prepare and carry out the risk control plan. Choose a senior manager, senior employee or person who manages or controls the workplace.
Preparing the plan might require:
- administrative support
- expert advice, for example, an OHS professional or an ergonomist
- information and access to the workplace
- training
- approval to buy new equipment.
Decide on working arrangements for the plan
An organisation can have a risk control plan for the entire workplace. It can also have risk control plans for different work areas. There may be, for example, a risk control plan for:
- the workplace as a whole
- different work areas, particularly at larger workplaces
- individual projects, for example, for a construction company
- different hazards across the workplace. For example, high job demands, exposure to trauma, manual handling, plant or hazardous substances.
Consider creating teams to prepare different parts of the risk control plan. For example, each work area could set up a team. Each team would prepare the section of the plan that applies to its work area. Once finished, each team could provide its section to the person in charge of the plan. That person could then combine the sections into an overall plan.
Communicate across the workplace
Regularly tell managers, any HSRs and employees what is happening.
Separate groups might be working on the risk control plan. If so, make sure they keep each other up to date with their progress. Often, the work of one group will affect the work of others.
Different groups in the workplace will have different needs. For example, some employees may not be able to read or speak English very well. Others might work night shift or off-site. Those workers may not get the informal communication that day shift workers receive. They also may not be able to attend meetings. Consider all factors when choosing how you will communicate with employees.