Risk assessment and management | UniSC | University of the Sunshine Coast, Queensland, Australia

Risk assessment and management

In accordance with the Work Health and Safety Act (the Act) and Regulations (the Regs) 2011, UniSC has an obligation to 'manage risks' that occur at UniSC or as a result of UniSC business/activities, so far as is reasonably practicable. This entails:

  • identifying foreseeable hazards and the risks associated with these hazards
  • analysing the risks - determining potential causes and sources of risks to analyse the consequence and likelihood of the risk occurring
  • evaluating the risk – based on the risk analysis, risk evaluation assists in making decisions about which risks need treatment, and the priority of the treatment implementation
  • treatment of the risk – implementing control measures to eliminate or reduce the risks
  • monitor and review of the above process, to ensure risk treatment is effective and is not introducing secondary risks that may occur as a result of risk treatment

This is referred to as the 'Risk Management Process'. In accordance with UniSC policy this process must then be documented in the form of a risk assessment.

Why do a risk assessment?

The purpose of a risk assessment is to systematically identify the risks associated with a task, activity or process and put appropriate controls in place to eliminate or reduce those risks. Completing a risk assessment ensures that hazards, risks and the method for controlling risks are documented and can be used to communicate this information to relevant stakeholders.

For every task, activity or process at UniSC that has a risk or potential risk to health and/or safety, a risk assessment must be undertaken. For example, a risk assessment should be undertaken when:

  • undertaking any high-risk work
  • planning an event
  • starting a new project (including research)
  • changing an existing project (such that new hazards are identified)
  • planning to undertake fieldwork
  • planning excursions and outdoor or external teaching activities
  • sending a student on placement
  • changing work practices, procedures or environment (such that new hazards are identified)
  • purchasing new equipment
  • responding to health and safety concerns raised by workers or others at the workplace
  • new hazards have been identified

For information on managing health and safety risks and the risk management process please refer to 'How to Manage Work Health and Safety Risks: Model Code of Practice'.

How to do a risk assessment

You must document your risk assessment and have it approved by the appropriate UniSC staff member before you can begin your activity. The method of documenting a risk assessment will vary depending on the type of activity you are undertaking. UniSC has templates available to assist you to undertake your risk assessment.

  • Events - any individual or group organising an event (of any nature or size) must complete a risk assessment on the UniSC event risk assessment templates. These templates can be found here.


    • practicals in laboratories, workshops, kitchens, field or excursion activities
    • clinical simulation activities
    • practical sessions in communities or organisations (including short-term mobility)


    • projects or activities conducted in laboratories, workshops, kitchens, research facilities (NMR, AIF, Aquaculture, Plant Growth) or in the field
    • projects or activities in communities or organisations
  • Other - the attached template can be used to document your risk assessment

Each area at UniSC has its own risk assessment approval process. Clarify this process with your Manager.

Whichever template or approval process is used there are some points to remember:

  • A risk assessment must include a brief statement outlining the task, or scope of the task, activity or process that is being covered by the risk assessment and the date it is to take place. This scope should include all aspects of the activity (e.g. travel, set-up, pull down etc), to ensure that the entire activity/process is risk assessed.
  • The supervisor or manager of the task, activity or process MUST be involved in the risk assessment process. They are responsible for ensuring that the risk assessment is completed.
  • Risk assessments must be approved or authorised, usually by a department head or cost centre manager (as the Risk Owner) or their representative. This person must have sufficient knowledge of the activity to understand the hazards and risks involved and sufficient authority to accept the risk on behalf of UniSC.
  • Risk assessments must be reviewed every twelve months or more often if required (ie: when new hazards are identified, after incidents or near misses, if there are any changes that may introduce additional hazards).
  • The author of the risk assessment must be identified.
  • All people directly involved in the activity detailed in the risk assessment (including students) must have read and understood the contents.

The following information details the process required to undertake a risk assessment.

Steps in doing a risk assessment

1. Define the scope

This means setting the boundaries of what you are going to risk assess. The scope must give an overview of the activity so all who read it understand exactly what is being risk assessed. It also ensures that all components of the activity are risk assessed. Remember that an activity or process does not take place in isolation; you must include all aspects that may impact your activity or be impacted by your activity, e.g. consider the environment, persons involved, and other activities that may impact, or be impacted by, your activity.

Once the scope has been defined, break the activity into components. This can make it easier to identify all hazards, e.g.:

  • loading vehicle
  • travel
  • unload and set up camp
  • "activity" set up
  • etc.

2. Identify the risks

Looking at one component at a time, brainstorm all of the hazards or potential risks and list them in the left hand column of the risk assessment table. For example:

  • Loading vehicle
    • musculoskeletal injury from manual handling
    • slips trips and falls
  • Travel
    • traffic accident
    • loss of unsecured equipment
    • mechanical problems/breakdowns (including running out of fuel)
    • getting lost

This must be done for every component identified. There may be some repetition at this stage, as risks such as musculoskeletal injury will occur throughout many components of a task, activity or process. How you respond to this risk and the controls you implement in each different component may vary considerably, so it should still be recorded.

3. Analyse the risk

When all the risks have been identified you then have to analyse the risk to ascertain the level of risk associated with each one. To do this you have to determine the potential consequence of the risk if it were to occur, and the potential likelihood of this happening. Consequence and likelihood are described using the tables below:

Table 1. Consequence

Rating Criteria

Insignificant
  • minor injuries or discomfort, may require first aid
  • near miss/hazard with potential to require first aid
  • no notifiable or reportable security incident

Minor
  • incident requiring medical treatment or QAS without being admitted to hospital (eg outpatient only)
  • incidents that result in up to 5 days lost time from work
  • near miss/hazard with the potential to require medical attention; lost time < 5 days
  • chemical spill/release involving known substances that are not classified as explosive, highly or extremely flammable, or toxic or very toxic, less than 1L
  • biological spill/release of material involving blood, body fluids, human tissues or biohazardous Group 1 microbes; small volumes <200ml of Group 2 microbes, unknown biohazard or materials subject to biosecurity control
  • localised and readily contained routine security incident
  • staff or student misconduct, harassment or discrimination incident that is managed locally

Moderate
  • admitted to hospital as an inpatient
  • incidents that result in 5 or more days lost time from work
  • a hazard and near miss that has the potential to cause serious injury or illness
  • chemical spill/release involving a known substance classified as highly flammable or toxic in a manageable volume and location
  • biological spill/release of material involving large volumes (>200ml) of Group 2 micro-organisms or of unknown risk, and materials subject to biosecurity control
  • any ‘notifiable’ safety incident that does not lead to injury
  • routine security incident causing disruption to core services
  • staff or student misconduct, harassment or discrimination incident that requires formal mediation or investigation

Major
  • multiple injuries requiring immediate hospitalisation
  • likely to result in medium to long term lost workday or permanent disability
  • any ‘notifiable’ safety incident requiring medical attention
  • chemical spill/release where there is the significant risk of fire, explosion or serious injury
  • significant security incident causing considerable disruption to services
  • staff or student misconduct, harassment or discrimination incident

Catastrophic
  • injury causing permanent disability
  • single or multiple fatalities
  • mass illness requiring assistance from external resources

Table 2. Likelihood

Rating          Criteria
Rare            May occur only in exceptional circumstances
Unlikely        The risk event could occur at some time (during a specified period), but not considered likely
Possible        Might occur at some time
Likely          Will probably occur in most circumstances
Almost Certain  Is expected to occur in most circumstances

Using Table 1: look at the potential consequence. To ensure that health and safety risk is approached in a consistent manner, you must use the criteria listed in the table. Eg: You are aware that there are heavy items to be loaded, as well as numerous items that need to be stored on the roof racks of a car. You decide that this could cause an injury that could potentially lead to hospitalisation. The consequence is "Moderate".

Using Table 2: look at likelihood. This is the predicted likelihood of the risk event occurring. This must be determined by using the criteria listed in the table. For example, you may be looking at the risk of musculoskeletal injury whilst loading the car. You determine that it is "Possible" that an injury may occur (remember that this is without any controls in place).

Once you have determined both the consequence and the likelihood you combine them using the risk matrix (Table 3) to determine the risk rating. For example: if you have determined that the consequence of a musculoskeletal injury is "Moderate" and the likelihood of this injury occurring is "Possible", the resulting risk rating is "Medium". This is the rating of the inherent risk, ie the risk before you have implemented any treatments or controls.

Table 3. Risk matrix

Likelihood      Insignificant  Minor   Moderate  Major    Catastrophic
Almost Certain  Medium         High    High      Extreme  Extreme
Likely          Low            Medium  High      High     Extreme
Possible        Low            Medium  Medium    High     High
Unlikely        Low            Low     Medium    Medium   High
Rare            Low            Low     Low       Medium   Medium

It is important to note, that an event does not have to result in a major injury or illness to be considered a high risk. A minor incident happening frequently and affecting many people can often be considered a high risk and a high priority.

It is paramount that the likelihood and consequence tables are used and combined using the risk matrix provided to determine the level of risk. This lessens the chance of people using their own biases when interpreting risk. This also standardises the way we look at and interpret risk.

4. Evaluating the risk

The purpose of evaluation is to assist in making decisions, based on the outcome of the risk analysis, about which risks need treatment and the priority for treatment implementation. A higher risk rating indicates that higher order (or more effective) controls or treatments are required to eliminate or minimise the risk. E.g. a high risk of musculoskeletal injury may indicate that more staff are required, or lifting devices should be used. A higher risk rating will also indicate that treating the risk is a higher priority. You must consider that a persistent high risk rating may also indicate that it is not safe/advisable to proceed with the activity/process, or that major changes are required to make the activity safe and the level of risk acceptable.

5. Treatment of the risk

Now that the risk rating has been determined you can then ascertain what sort of action you need and its priority. Obviously, something with a higher risk rating is of greater priority.

When deciding how to reduce risk it is important that you do so in accordance with the "Hierarchy of Control", depicted below. This stipulates the best methods for controlling risks.

Hierarchy of Controls

i. Elimination. Eliminating the risk is the best and most effective way of controlling it. This may mean not doing the activity, or part of the activity.

If this is not practical, then:

ii. Substitution. This refers to substituting something that you have deemed to be a risk with something that is a lower risk that achieves the same or similar thing. An example of this would be substituting a hazardous chemical with a less hazardous chemical.

If this is not practical, then:

iii. Engineer. This requires design or redesign of the workplace to make it safer. Examples might be: non-slip flooring/paving to prevent slips, trips and falls, the provision of storage facilities to ensure safe and effective storage of items, introduction of mechanical lifting aids/devices, the purchase of low noise tools and machinery.

If this is not practical, then:

iv. Administration. Administrative controls include policies, procedures, guidelines and training. These provide people with information and skills about safe work practices. However, they are not as effective as controls i – iii. The above controls, especially the first two, are designed to remove the hazard and eliminate the risk. With administrative controls, the hazard still exists, and we are relying on guiding human behaviour to reduce the level of risk. Teaching people to drive safely does not prevent road hazards and hence road accidents.

If this is not practical, then:

v. Personal protective equipment (PPE). The least effective control measure is PPE, such as: gloves, plastic gowns or aprons, safety glasses, boots etc. This relies on the PPE being available, in good working order, being used appropriately or being used at all. Again, this does not eliminate the hazards or risks, so should not be used as the only control but in conjunction with other controls.

The best way to control any hazard/risk is to eliminate it, but this is not always feasible. The most effective way to control or lessen the risks associated with the hazards that cannot be eliminated is to use a combination of controls. For example:

  • have policies, procedures and guidelines, that assign responsibility and provide information about safe work practices
  • design the task or work environment to minimise injury
  • provide training and supervision to ensure policies and procedures are being followed and to ensure competency
  • consider health, safety and wellbeing in the design and purchasing of any equipment

When selecting your risk treatments there are some important points to consider; the treatments must:

  • be realistic and achievable
  • not list treatments that you cannot implement
  • not cause additional hazards (eg: requiring people to wear ear plugs. Some ear plugs may prevent people from hearing emergency instructions/warnings and if these are not removed properly, they could cause damage to the eardrum)
  • align with USC policies, procedures and guidelines
  • align with relevant legislation
  • consider the values and perceptions of the stakeholders
  • consider level of training and experience of those involved in the activity
  • etc.

It is worth noting that you cannot allocate the responsibility for implementing risk controls or treatments to another person (or department), without their knowledge and consent.

You should record the treatments/controls you plan to implement on your risk assessment form and the residual risk. The residual risk is calculated in the same way as the initial or inherent risk, by determining the likelihood and consequence in accordance with the tables used earlier and then combining them in the risk matrix. This time you consider your treatments or controls and their impact on the likelihood and consequence of the risk event and determine the rating for the residual risk.

At this stage the risk assessment should be authorised or approved. This process involves another party (usually a department head or cost centre manager or their representative) reviewing the risk assessment to ensure that it is appropriate, and that the implementation of controls is approved.

For more complex risk assessments or if numerous stakeholders are involved, it may be advisable to have two people authorising the risk assessment. The person authorising/approving the risk assessment must have sufficient knowledge of the task/activity being undertaken and the hazards and risks involved. They must be satisfied that all hazards have been identified and that the controls listed in the risk assessment will reduce the risk to an acceptable level.

The following points should be considered when reviewing a risk assessment for approval:

  • Are there any USC policies, procedures or guidelines that pertain to this work (eg: working from home)? Has this been considered in the risk assessment?
  • Are there likely to be legislative compliance issues associated with this task/activity (eg: work involving: confined space entry, hazardous noise, diving, work with prohibited or restricted substances etc.)?
  • Is the person/s involved in the activity/task suitably qualified?
  • Are specific licences or authorisations required for any part of the work (eg: high risk work, working with prohibited and restricted carcinogens and/or restricted hazardous chemicals?)
  • Are any hazardous chemicals used? Are these detailed in the risk assessment?
  • Does the task/activity involve:
    • working remotely
    • working alone
    • working after hours

If so, is there a communication plan and an emergency plan detailed in the risk assessment?

If you are required to approve a risk assessment you must ensure, as far as is reasonably practicable, that the risk assessment identifies the hazards and controls the risks. If there are hazards that have not been identified, or you believe that insufficient controls are being implemented to control the risk, you should not approve the risk assessment. You should discuss this with the author and request that suitable changes are made. Do not approve a risk assessment that you do not feel achieves its objective, which is to identify hazards and control risks associated with the hazards.

6. Implement controls

Once the risk assessment has been approved you must implement the controls. This may require the addition of further training, procedures, or guidelines.

7. Monitor and review

The next step is the most important step, as there is no point implementing controls if you don't monitor and review what you have implemented. This should be a continual process if it is to be effective. The best planned control measures may not be as effective as you thought they would be once put into practice. Or, you may find that some controls cause unintended additional hazards or secondary hazards. If this is the case, you may have to implement further controls. Any changes should be documented on your risk assessment.

USC staff and students are required to capture risk assessments in an approved records management system in accordance with the University’s Information and Records Management – Procedures.

For more information about information and records management, visit MyUniSC (staff-only service) or contact records@usc.edu.au.