Risk assessment and management - University of the Sunshine Coast, Queensland, Australia

Accessibility links

Risk assessment and management

In accordance with the Work Health and Safety Act (the Act) and Regulations (the Regs) 2011, USC has an obligation to 'manage risks' that occur at USC or as a result of USC business/activities, so far as is reasonably practicable. This entails:

  • identifying foreseeable hazards and the risks associated with these hazards
  • analysing the risks - determining potential causes and sources of risks to analyse the consequence and likelihood of the risk occurring
  • evaluating the risk – based on the risk analysis, risk evaluation assists in making decisions about which risks need treatment, and the priority of the treatment implementation
  • treatment of the risk – implementing control measures to eliminate or reduce the risks
  • monitor and review of the above process, to ensure risk treatment is effective and is not introducing secondary risks that may occur as a result of risk treatment

This is referred to as the 'Risk Management Process'. In accordance with USC policy this process must then be documented in the form of a risk assessment.

Why do a risk assessment?

The purpose of a risk assessment is to systematically identify the risks associated with a task, activity or process and put appropriate controls in place to eliminate or reduce the risks associated with the task, activity or process. This not only fulfils our obligations under the Act and the Regs to identify and control hazards and risks, it assists in ensuring a safe and healthy work and study environment. Completing a risk assessment ensures that hazards, risks and the method for controlling risks are documented and can be used to communicate this information to relevant stakeholders.

For every task, activity or process at USC that has a risk or potential risk to health and/or safety, a risk assessment must be undertaken. For example, a risk assessment should be undertaken when:

  • undertaking any high-risk work
  • planning an event
  • starting a new project (including research)
  • changing an existing project (such that new hazards are identified)
  • planning to undertake fieldwork
  • planning excursions and outdoor or external teaching activities
  • sending a student on placement
  • changing work practices, procedures or environment (such that new hazards are identified)
  • responding to health and safety concerns raised by workers or others at the workplace
  • new hazards have been identified

For information on managing health and safety risks and the risk management process please refer to 'How to Manage Work Health and Safety Risks: Code of Practice 2011'.

How to do a risk assessment

You must document your risk assessment and have it approved by the appropriate USC staff member before you can begin your activity. The method of documenting a risk assessment will vary depending of the type of activity you are undertaking. USC has templates available to assist you to undertake your risk assessment.

  • Events - any individual or group organising an event (of any nature or size) must complete a risk assessment on the USC event risk assessment templates. These templates can be found here.

Teaching

    • practicals in laboratories, workshops, kitchens, field or excursion activities
    • clinical simulation activities
    • practical sessions in communities or organisations (including short-term mobility)

Research

    • projects or activities conducted in laboratories, workshops, kitchens, research facilities (NMR, AIF, Aquaculture, Plant Growth) or in the field
    • projects or activities in communities or organisations
  • Other - if you do not have a template for documenting your risk assessment, contact hsw@usc.edu.au.

Each area at USC has it's own risk assessment approval process. Clarify this process with your Manager.

Note: Human Resources (Health, Safety and Wellbeing) can provide advise, but cannot approve your risk assessment.

Whichever template or approval process is used there are some points to remember:

  • A risk assessment must include a brief statement outlining the task, activity or process that is being covered by the risk assessment and the date it is to take place.
  • The supervisor or manager of the task, activity or process MUST be involved in the risk assessment process. They are responsible for ensuring that the risk assessment is completed.
  • Risk assessments must be approved or authorised, usually by a department head or cost centre manager (as the Risk Owner) or their representative. This person must have sufficient knowledge of the activity to understand the hazards and risks involved and sufficient authority to accept the risk on behalf of USC.
  • Risk assessments must be reviewed every twelve months or more often if required (ie: when new hazards are identified, after incidents or near misses, if there are any changes that may introduce additional hazards).
  • The author of the risk assessment must be identified.
  • All people directly involved in the activity detailed in the risk assessment (including students) must have read and understood the contents.

The following information details the process required to undertake a risk assessment.

Steps in doing a risk assessment
1. Define the scope

This means setting the boundaries of what you are going to risk assess. For example: if you are doing a risk assessment for a field work activity, do you simply assess the field work itself or do you include travel to and from the field work? The scope must give an overview of the activity so all who read it understand exactly what is being risk assessed.

Once the scope has been defined, break the activity into components, this can make it easier to identify all hazards eg:

  • loading vehicle
  • travel
  • unload and set up camp
  • "activity" set up
  • etc.
2. Identify the risks

Looking at one component at a time, brainstorm all of the hazards or potential risks and list them in the left hand column of the risk assessment table. For example:

  • Loading vehicle
    • musculoskeletal injury from manual handling
    • slips trips and falls
  • Travel
    • traffic accident
    • loss of unsecured equipment
    • mechanical problems/breakdowns (including running out of fuel)
    • getting lost

This must be done for every component identified. There may be some repetition at this stage, as risks such as musculoskeletal injury will occur throughout many components of a task, activity or process. How you act on this risk in each different component may vary considerably though, so it should still be recorded.​

3. Analyse the risk

When all the risks have been identified you then have to analyse the risk to ascertain the level of risk associated with each one. To do this you have to determine the potential consequence of the risk, if it were to occur, and the potential likelihood of this happening. Consequence and likelihood are described using the tables below:

Table 1. Consequence

Rating Criteria
Insignificant
  • minor injuries or discomfort, may require first aid
  • near miss/hazard with potential to require first aid
  • no notifiable or reportable security incident
Minor
  • incident requiring medical treatment or QAS without being admitted to hospital (eg outpatient only)
  • incidents that result in up to 5 days lost time from work
  • near miss/hazard with the potential to require medical attention; lost time < 5 days
  • chemical spill/release involving known substances that are not classified as explosive, high or extremely flammability or toxic or very toxic less than 1L
  • biological spill/release of material involving blood, body fluids, human tissues or biohazardous Group 1 microbes; small volumes <200ml of Group 2 microbes, unknown biohazard or materials subject to biosecurity control
  • localised & readily contained routine security incident
  • staff or student misconduct, harassment or discrimination incident that is managed locally
Moderate
  • admitted to Hospital as an inpatient
  • incidents that result in 5 or more days lost time from work
  • a hazard and near miss that has the potential to cause serious injury or illness
  • chemical spill/release involving a known substance classified as highly flammable or toxic in a manageable volume and location
  • biological spill/release of material involving large volumes (>200ml) of Group 2 micro-organisms or of unknown risk, and materials subject to biosecurity control
  • any ‘notifiable’ safety incident that does not lead to injury
  • routine security incident causing disruption to core services
  • staff or student misconduct, harassment or discrimination incident that requires formal mediation or investigation
Major
  • multiple injuries requiring immediate hospitalisation
  • likely to result in medium to long term lost workday or permanent disability
  • any ‘notifiable’ safety incident requiring medical attention
  • chemical spill/release where there is the significant risk of fire, explosion or serious injury
  • significant security incident causing considerable disruption to services
  • staff or student misconduct, harassment or discrimination incident
Catastrophic
  • injury causing permanent disability
  • single or multiple fatalities
  • mass illness requiring assistance external resources

Table 2. Likelihood

Rating Criteria
Rare May occur only in exceptional circumstances
Unlikely The risk event could occur at some time (during a specified period), but not considered likely
Possible Might occur at some time
Likely Will probably occur in most circumstances
Almost Certain Is expected to occur in most circumstances

Using Table 1: look at the potential consequence. To ensure that health and safety risk is approached at in a uniform manner, you must use the criteria listed in the table. Eg: You are aware that there are heavy items to be loaded, as well as numerous items that need to be stored on the roof racks. You decide that this could cause an injury that could potentially lead to hospitalisation. The consequence is "Moderate".

Using Table 2: look at likelihood. This is the predicted likelihood of the risk event occurring. This must be determined by using the criteria listed in the table. For example, you may be looking at the risk of musculoskeletal injury whilst loading the car. You determine that it is "Possible" that an injury may occur (remember that this is without any controls in place).

Once you have determined both the consequence and the likelihood you combine them using the risk matrix (Table 3) to determine the risk rating. For example: if you have determined that the consequence of a musculoskeletal injury is "Moderate" and the likelihood of this injury occurring is "Possible", the resulting risk rating is "Medium". This is the rating of the inherent risk, i.e. the risk before you have implemented any treatments or controls.

Table 3. Risk matrix

  ​​​Consequence​
Insignificant Minor Moderate Major Catastrophic
​​​Likelihood​ Almost Certain​ ​Medium High High Extreme ​Extreme
Likely ​Low Medium High High Extreme
Possible Low Medium Medium High High
Unlikely Low Low Medium Medium High
Rare Low Low ​Low Medium Medium

It is important to note, that an event does not have to result in a major injury or illness to be considered a high risk. A small incident happening frequently and affecting many people can often be considered a high priority.

It is paramount that the likelihood and consequence tables are used and combined using the risk matrix provided to determine the level of risk. This lessens the chance of people using their own biases when interpreting risk. This also standardises the way we look at and interpret risk.

4. Evaluating the risk

The purpose of evaluation is to assist in making decisions, based on the outcome of the risk analysis, about which risks need treatment and the priority for treatment implementation. A higher risk rating indicates that higher order (or more effective) controls or treatments are required to eliminate or minimise the risk. A higher risk rating will also indicate that treating the risk is a higher priority.

5. Treatment of the risk

Now that the risk rating has been determined you can then ascertain what sort of action you need and its priority. Obviously, something with a higher risk rating is of greater priority.

When deciding how to reduce risk it is important that you do so in accordance with the "Hierarchy of Control", depicted below. This stipulates the best methods for controlling risks.

Hierarchy of Control​s

i. Elimination. Eliminating the risk is the best and most effective way of controlling it. This may mean not doing the activity, or part of the activity.

If this is not practical, then:

ii. Substitution. This refers to substituting something that you have deemed to be a risk with something that is a lower risk that achieves the same or similar thing. An example of this would be substituting a hazardous chemical with a less hazardous chemical.

If this is not practical, then:

iii. Engineer. This requires redesign of the workplace to make it safer. Examples might be: non-slip flooring/paving to prevent slips, trips and falls, the provision of storage facilities to ensure safe and effective storage of items, introduction of mechanical lifting aids/devices, the purchase of low noise tools and machinery.

If this is not practical, then:

iv. Administration. Administrative controls include policies, procedures, guidelines and training. These provide people with information and skills about safe work practices. However, they are not as effective as controls i – iv. The above controls, especially the first two, are designed to remove the hazard and eliminate the risk. With administrative controls, the hazard still exists, we are relying on guiding human behaviour to reduce the level of risk. Teaching people to drive safely does not prevent road hazards and hence road accidents.

If this is not practical, then:

v. Personal protective equipment (PPE). The least effective control measure is PPE, such as: gloves, plastic gowns or aprons, safety glasses, boots etc. This relies on the PPE being available, in good working order, being used appropriately or being used at all. Again, this does not eliminate the hazards or risks, so should not be used as the only control but in conjunction with other controls.

The best way to control any hazard/risk is to eliminate it, but this is not always feasible. The most effective way to control or lessen the risks associated with the hazards that cannot be eliminated is to use a combination of controls. For example:

  • have policies, procedures and guidelines, that assign responsibility and provide information about safe work practices
  • design the task or work environment to minimise injury
  • provide training and supervision to ensure policies and procedures are being followed and to ensure competency
  • consider health, safety and wellbeing in the design and purchasing of any equipment

When selecting your risk treatments there are some important points to consider; the treatments must:

  • be realistic and achievable
  • not cause additional hazards (eg: requiring people to wear ear plugs. Some ear plugs may prevent people from hearing emergency instructions/warnings and if these are not removed properly, they could cause damage to the eardrum)
  • align with USC policies, procedures and guidelines
  • align with relevant legislation
  • consider the values and perceptions of the stakeholders
  • consider level of training and experience of those involved in the activity
  • etc.

It is worth noting that you cannot allocate the responsibility for implementing risk controls or treatments to another person (or department), without their knowledge and consent.

You should record the treatments/controls you plan to implement on your risk assessment form and the residual risk. The residual risk is calculated in the same way as the initial or inherent risk, by determining the likelihood and consequence in accordance with the tables used earlier and then combining them in the risk matrix. This time you consider your treatments or controls and their impact on the likelihood and consequence of the risk event and determine the rating for the residual risk.

At this stage the risk assessment should be authorised or approved. This process involves another party (usually a department head or cost centre manager or their representative) reviewing the risk assessment to ensure that it is appropriate, and that the implementation of controls is approved.

For more complex risk assessments or if numerous stakeholders are involved, it may be advisable to have two people authorising the risk assessment. The person approving the risk assessment must have sufficient knowledge of the task/activity being undertaken and the hazards and risks involved. They must be satisfied that all hazards have been identified and that the controls listed in the risk assessment will reduce the risk to an acceptable level.

The following points should be considered when reviewing a risk assessment for approval:

  • Are there any USC policies, procedures or guidelines that pertain to this work (eg: working from home)? Has this been considered in the risk assessment?
  • Are there likely to be legislative compliance issues associated with this task/activity (eg: work involving: confined space entry, hazardous noise, diving, work with prohibited or restricted substances etc.)?
  • Is the person/s involved in the activity/task suitably qualified?
  • Are specific licences or authorisations required for any part of the work (eg: high risk work, working with prohibited and restricted carcinogens and/or restricted hazardous chemicals?)
  • Are any hazardous chemicals used? Are these detailed in the risk assessment?
  • Does the task/activity involve:
    • working remotely
    • working alone
    • working after hours

If so, is there a communication plan and an emergency plan detailed in the risk assessment?​

If you are required to approve a risk assessment you must ensure, as far as is reasonably practicable, that the risk assessment identifies the hazards and controls the risks. If there are hazards that have not been identified, or you believe that insufficient controls are being implemented to control the risk, you should not approve the risk assessment. You should discuss this with the author and request that suitable changes are made. Do not approve a risk assessment that you do not feel achieves its objective, which is to identify hazards and control risks associated with the hazards.

5. Implement controls

Once the risk assessment has been approved you must implement the controls. This may require the addition of further training, procedures, or guidelines.

6. Monitor and review

The next step is the most important step, as there is no point implementing controls if you don't monitor and review what you have implemented. This should be a continual process if it is to be effective. The best planned control measures may not be as effective as you thought they would be once put into practice. Or, you may find that some controls cause unintended additional hazards or secondary hazards. If this is the case, you may have to implement further controls. Any changes should be documented on your risk assessment.

USC staff and students are required to capture risk assessments in an approved records management system in accordance with the University’s Information and Records Management – Procedures.

For more information about information and records management, visit MyUSC (staff-only service) or contact records@usc.edu.au.