Risk management and risk assessment for health and safety

Accessibility links

Risk management and risk assessment for health and safety

Breadcrumbs

What is risk management? 

In accordance with the Work Health and Safety Act (the Act) and Regulations (the Regs) 2011, USC has an obligation to ‘manage risks’ that occur at USC or as a result of USC business/activities, so far as is reasonably practicable. This entails:

  • identifying foreseeable hazards and the risks associated with these hazards
  • assessing the risks - determining the consequence and likelihood of the risk occurring
  • controlling the risk – implementing control measures to eliminate or reduce the risks
  • monitor and review of the above process 

This is referred to as the ‘Risk Management Process’. In accordance with USC policy this process must then be documented in the form of a risk assessment.

Why do a risk assessment?

The purpose of a risk assessment is to systematically identify all of the risks associated with a task, activity or process and put appropriate controls in place to eliminate or reduce the risks associated with the task, activity or process. This not only fulfils our obligation under the Act and the Regs to identify and control hazards and risks, it assists in ensuring a safe and healthy work and study environment. Completing a risk assessment also ensures that hazards, risks and the method for controlling risks are documented and can be used to communicate this information to relevant stakeholders.

For every task, activity or process at USC that has a risk or potential risk to health and/or safety a risk assessment must be undertaken. For example a risk assessment should be undertaken when:

  • undertaking any high risk work
  • planning an event
  • starting a new project
  • sending a student on placement
  • changing work practices, procedures or environment (such that new hazards are identified)
  • responding to health and safety concerns raised by workers, Health and Safety Representatives or others at the workplace
  • new hazards have been identified

For information on managing health and safety risks and the risk management process please refer to ‘How to Manage Work Health and Safety Risks: Code of Practice 2011’ (PDF 510KB)*

How to do a risk assessment

USC currently has two methods of completing a risk assessment:

  • Risk Management and Safety System (RMSS) - USC is in the process of introducing RMSS (on line risk management system, for conducting risk assessments and audits) to key work areas and rolling this system out University-wide to create one centralised area for risk assessments.
  • paper based risk assessment

Whichever system you use there are some basic requirements for both:

  • A risk assessment must include a brief statement outlining the task, activity or process that is being covered by the risk assessment and the date it is to take place.
  • The supervisor or manager of the task, activity or process MUST be involved in the risk assessment process.
  • Risk assessments must be approved or authorised, usually by a department head or cost centre manager or their representative. This person must have sufficient knowledge of the activity to understand the hazards and risks involved.
  • Risks assessments must be reviewed every twelve months or as required (ie: when new hazards are identified, after incidents or near misses, if there are any changes that may introduce additional hazards).
  • The author of the risk assessment must be identified.
  • There must be evidence that all people directly involved in the activity detailed in the risk assessment (including students) have read and understood it.

The method you chose to do a risk assessment may depend on faculty or department policies and procedures, as they may stipulate which method you are required to use. The following information details the use and requirements of the USC paper based risk assessment system. A template (PDF 99KB)* for undertaking the paper based risk assessment has been provided.

Steps in doing a risk assessment
1. Define the scope

This means setting the boundaries of what you are going to look at. For example: if you are doing a risk assessment for a field work activity, do you simply assess the field work itself or do you include travel to and from the field work?

Once the scope has been defined, break the activity into components, this can make it easier to identify all hazards eg:

  • loading vehicle
  • travel
  • unload and set up camp
  • “activity” set up
2. Identify the risks

Looking at one component at a time, brainstorm all of the hazards or potential risks and list them in the left hand column of the risk assessment table. For example:

  • Loading vehicle
    • musculoskeletal injury
    • slips trips and falls
  • Travel
    • traffic accident
    • loss of unsecured equipment
    • mechanical problems/breakdowns (including running out of fuel)
    • getting lost

This must be done for every component identified. There may be some repetition at this stage, as risks such as musculoskeletal injury will occur throughout many components of a task, activity or process. How you act on this risk in each different component may vary considerably though, so it should still be recorded.

3. Assess the risks

When all the risks have been identified you then have to ascertain the level of risk associated with each one. To do this you have to determine the potential consequence of the risk, if it were to occur, and the potential likelihood of this happening. Consequence is described using the table below:

Table 1. Consequence

Rating

Criteria

Insignificant

  •   Minor injury
  •   No or basic first aid required

Minor

  •   Medical or paramedical treatment
  •   Up to four days lost time from work
  •   Small amount of local print media coverage (< one week)

Moderate

  •   Treatment by hospital EMD or admission to hospital and/or four or more days lost time from work
  •   Persistent negative local and/or state media coverage
  •   Short term disruption to core activities (days)
  •   Long term disruption to non-core activities (weeks)
  •   Minor breaches is WHS (or related) legislation
  •   Small scale investigation by regulatory bodies (local branch only)
  •   Any notifiable incident that does not lead to injury, i.e. does not require medical or paramedical treatment (eg. electrical incident with no injury)
  •   Uncontrolled non-hazardous chemical spill/release

Major

  •   Permanent impairment/disability (unable to return to work)
  •   National and/or international negative media coverage
  •   Medium term disruption to core activities (weeks)
  •   Investigation by regulatory bodies with prosecution, enforceable undertakings and/or possible criminal charges or civil suits
  •   Any notifiable incident requiring medical attention
  •   Uncontrolled hazardous chemical spill/release

Catastrophic

  •   Fatality/ies
  •   Significant damage to reputation
  •   Widespread ongoing negative media coverage
  •   Long term cessation of core activities
  •   Investigation resulting in large legislative breaches and resultant legal actions, criminal charges, civil suits
  •   Long term extensive environmental damage

 

Likelihood is described using the table below:

Table 2. Likelihood

Rating

Criteria

Rare

May only occur in exceptional circumstances

Unlikely

The risk event could occur at some time (during a specified period), but it is unlikely

Possible

Might happen at some time, occurrence would not be unusual

Likely

Will probably occur in most circumstances

Almost Certain

Is expected to occur in most circumstances

 

Using Table 1: look at the potential consequence. To ensure that health and safety risk is approached at in a uniform manner, you must use the criteria listed in the table. You are aware that there are heavy items to be loaded, as well as numerous items that need to be stored on the roof racks. You decide that this could cause an injury that could potentially lead to hospitalisation. Hence the consequence is “Moderate”.

Using Table 2: look at likelihood. This is the predicted likelihood of the risk event occurring. This must be determined by using the criteria listed in the table. For example, you may be looking at the risk of musculoskeletal injury whilst loading the car. You determine that it is “Possible” that an injury may occur (remember that this is without any controls in place).

Once you have determined both the consequence and the likelihood you combine them using the risk matrix (Table 3) to determine the risk rating. For example: if you have determined that the consequence of a musculoskeletal injury is “Moderate” and the likelihood of this injury occurring is “Possible”, the resulting risk rating is "Medium".

Table 3. Risk matrix

 

 

Consequence

 

 

 

Insignificant

Minor

Moderate

Major

Catastrophic

Likelihood

Almost Certain

Medium

High

High

Extreme

Extreme

Likely

Medium

Medium

High

High

Extreme

Possible

Low

Medium

Medium

High

Extreme

Unlikely

Low

Low

Medium

Medium

High

Rare

Low

Low

Low

Medium

High

 

It is important to note, that an event does not have to result in a major injury or illness to be considered a high priority. A small incident happening frequently and affecting many people can often be considered a high priority.

It is paramount that the likelihood and consequence tables are used and combined using the risk matrix provided to determine the level of risk. This lessens the chance of people using their own biases when interpreting risk. This also standardises the way we look at and interpret risk.

4. Decide on control measures

Now that the risk rating has been determined we can then ascertain what sort of action we need and its priority. Obviously something with a higher risk rating is of greater priority.

When deciding how to reduce risk it is important that you do so in accordance with the “Hierarchy of Control”, depicted below. This stipulates the best methods for controlling risks.

Hierarchy of Controls

i. Elimination. Eliminating the hazard is the best and most effective way of controlling it. This may mean not doing the activity, or part of the activity.

If this is not practical then:

ii. Substitution. This refers to substituting something that you have deemed to be a risk with something that is a lower risk that achieves the same or simular thing. an example of this would be substituting a hazardous chemcial with a less hazardous chemical.

If this is not practical then:

iii. Engineer. This requires redesign of the workplace to make it safer. Examples might be: non-slip flooring/paving to prevent slips, trips and falls, the provision of storage facilities to ensure safe and effective storage of items, introduction of mechanical lifting aids/devices, the purchase of low noise tools and machinery.

If this is not practical then:

iv. Administration. Administrative controls include policies, procedures, guidelines and training. These provide people with information and skills about safe work practices. However, they are not as effective as controls i – iv. The above controls, especially the first two, are designed to remove the hazard and eliminate the risk. With administrative controls, the hazard still exists, we are relying on guiding human behavior to reduce the level of risk. Teaching people to drive safely does not prevent road hazards and hence road accidents.

If this is not practical then:

v. Personal protective equipment (PPE). The least effective control measure is PPE, such as: gloves, plastic gowns or aprons, safety glasses, boots etc. This relies on the PPE being available, in good working order, being used appropriately or being used at all. Again this does not eliminate the hazards or risks, so should not be used as the only control but in conjunction with other controls.

The best way to control any hazard/risk is to eliminate it, but this is not always feasible. The most effective way to control or lessen the risks associated with the hazards identified is to use a combination of controls. For example:

  • have policies, procedures and guidelines, that assign responsibility and provide information about safe work practices
  • provide training and supervision to ensure policies and procedures are being followed and to ensure competency
  • consider health, safety and wellbeing in the design and purchasing of any equipment

You should record the controls you plan to implement on your risk assessment form and the residual risk. The residual risk is calculated in the same way as the initial risk, by determining the likelihood and consequence in accordance with the tables used earlier and then combining them in the risk matrix.

At this stage the risk assessment should be authorised or approved. This process involves another party (usually a department head or cost centre manager or their representative) reviewing the risk assessment to ensure that it is appropriate and that the implementation of controls is approved. For more complex risk assessments or if numerous stakeholders are involved, it may be advisable to have two people authorising the risk assessment. The person approving the risk assessment must have sufficient knowledge of the task/activity being undertaken and the hazards and risks involved. They must be satisfied that all hazards have been identified and that the controls listed in the risk assessment:

  • are realistic and achievable
  • will reduce the level of risk
  • will not cause additional hazards (eg: requiring people to wear ear plugs. Ear plugs prevent people from hearing emergency instructions/warnings and these are not removed properly, they could cause damage to the eardrum)

The following points should be considered when reviewing a risk assessment for approval:

  • Are there any USC policies, procedures or guidelines that pertain to this work (eg: working from home)? Has this been taken into account in the risk assessment?
  • Are there likely to be legislative compliance issues associated with this task/activity (eg: work involving: confined space entry, hazardous noise, diving, work with prohibited or restricted substances etc.)?
  • Is the person/s involved in the activity/task suitably qualified?
  • Are specific licences or authorisations required for any part of the work (eg: high risk work, working with prohibited and restricted carcinogens and/or restricted hazardous chemicals?)
  • Are any hazardous chemicals used? Are these detailed in the risk assessment?
  • Does the task/activity involve:
    • working remotely
    • working alone
    • working after hours

If so, is there a communication plan and an emergency plan detailed in the risk assessment?

If you are required to approve a risk assessment you must be ensure, as far as is reasonably practicable, that the risk assessment identifies the hazards and controls the risks. If there are hazards that have not been identified, or you believe that insufficient controls are being implemented to control the risk, you should not approve the risk assessment. You should discuss this with the author and request that suitable changes are made. Do not approve a risk assessment that you do not feel achieves its objective, which is to identify hazards and control risks associated with the hazards.

Note: if the risk rating cannot be reduced to ‘Low’ the risk assessment must also have the approval of the Head of Department/School or Cost Centre Manager (this cannot be delegated to a representative). To continue with a task, process or activity that has a risk rating of ‘Moderate’ or above the risk assessment must have the approval of, and be signed by, the Head of Department/School or Cost Centre Manager.

5. Implement controls

Once you have decided on the controls you are going to put in place and the risk assessment is authorised or approved, you have to implement these controls. This may require the addition of further training, procedures, or guidelines.

6. Monitor and review

The next step is the most important step, as there is no use implementing controls if you don’t monitor and review what you have implemented. This should be a continual process if it is to be effective. The best planned control measures may not be as effective as you thought they would be once put into practice. Or, you may find that some controls may cause unintended additional hazards. If this is the case you may have to implement further controls. Any changes should be documented on your risk assessment. Copies of risk assessments should be retained, even the ones that have been reviewed and/or changed.

Back to top

* For PDF documents you must have the free Adobe Acrobat Reader, which can be downloaded from the Adobe Download Page.

Back to top

Searching {{model.SearchType}} for "{{model.Query}}" returned more than {{model.MaxResults}} results.
The top {{model.MaxResults}} of {{model.TotalItems}} are shown below, ordered by relevance ({{model.TotalSeconds}} seconds)

Searching {{model.SearchType}} for "{{model.Query}}" returned {{model.TotalItems}} results, ordered by relevance ({{model.TotalSeconds}} seconds)

Searching {{model.SearchType}} for "{{model.Query}}" returned no results.

No search results found for

{{model.ErrorMessage}}