Guide · Safety

How to do a risk assessment

Risk assessment is the core skill behind WHS compliance and ISO 45001 — and behind not hurting anyone. It's also simpler than the paperwork makes it look. Here's the five-step process, how a risk matrix and the hierarchy of control fit in, and how to keep your assessments current instead of filed and forgotten.

The five steps

  1. Identify the hazards. Walk the task, the plant, the substances and the environment. What could cause harm — a fall, a moving part, dust, noise, a chemical, fatigue?
  2. Decide who could be harmed, and how. Workers, subcontractors, visitors, the public — and the specific way each hazard could hurt them.
  3. Assess the risk. Rate the likelihood and the consequence, and combine them on a risk matrix to get a risk level.
  4. Control the risk. Apply the hierarchy of control, working from the top down.
  5. Record and review. Write it down, and revisit it when the work changes, after an incident, or at set intervals.

Using a risk matrix

A risk matrix turns judgement into a shared language. You rate two things — how likely the harm is, and how severe it would be — and read off a risk level (commonly low, medium, high, extreme). The point isn't false precision; it's to prioritise. Extreme and high risks demand strong controls now; low risks might just be monitored. Rate the risk both before and after controls so you can show the controls actually reduced it.

The hierarchy of control

Not all controls are equal. The hierarchy ranks them from most to least effective, and you work from the top:

LevelControlExample
1Eliminate the hazardDo the work at ground level instead of at height.
2Substitute itSwap a hazardous chemical for a safer one.
3Isolate itBarricade an area; use an exclusion zone.
4Engineering controlsGuarding on plant; local exhaust ventilation.
5Administrative controlsProcedures, training, signage, job rotation.
6PPEGloves, hearing protection, harness.

PPE and administrative controls are the least effective because they rely on people doing the right thing every time. Reach for elimination and engineering first; use PPE as the last line, not the first.

Risk registers that stay alive

The hard part isn't the first assessment — it's keeping them current. BigTick holds your risk assessments and registers on every phone, rates before-and-after controls, and can even draft the common hazards and controls for your industry with AI, so you start from a real list instead of a blank page.

Risk assessment, SWMS and JSA

Risk assessment is the underlying process. A JSA (Job Safety Analysis) applies it to the steps of a specific task. A SWMS is a legally required document for high risk construction work that draws on the same thinking but has defined content. Use a general risk assessment for most work, and a SWMS where the WHS Regulations require one.

Build your risk register the easy way

Start a free trial and get risk registers, safe work procedures and a whole WHS / ISO 45001 system built around your work — current on every phone in your crew.

Start a free trial

Frequently asked questions

What are the steps of a risk assessment?

Identify the hazards; decide who could be harmed and how; assess the risk with a likelihood-and-consequence matrix; control the risk using the hierarchy of control; then record it and review after changes, incidents or at planned intervals.

What is a risk matrix?

A grid that combines how likely a hazard is to cause harm with how bad the harm would be, to give a risk level (e.g. low, medium, high, extreme). It's a simple way to prioritise which risks need the strongest controls.

What is the hierarchy of control?

A ranking of controls from most to least effective: eliminate, substitute, isolate, engineering, administrative, then PPE. You work from the top down, and PPE is the last resort, not the first.

Related guides

General information about workplace risk assessment, not legal advice. Follow the WHS legislation and codes of practice for your state, territory or country.