Guide · Safety
How to do a risk assessment
Risk assessment is the core skill behind WHS compliance and ISO 45001 — and behind not hurting anyone. It's also simpler than the paperwork makes it look. Here's the five-step process, how a risk matrix and the hierarchy of control fit in, and how to keep your assessments current instead of filed and forgotten.
The five steps
- Identify the hazards. Walk the task, the plant, the substances and the environment. What could cause harm — a fall, a moving part, dust, noise, a chemical, fatigue?
- Decide who could be harmed, and how. Workers, subcontractors, visitors, the public — and the specific way each hazard could hurt them.
- Assess the risk. Rate the likelihood and the consequence, and combine them on a risk matrix to get a risk level.
- Control the risk. Apply the hierarchy of control, working from the top down.
- Record and review. Write it down, and revisit it when the work changes, after an incident, or at set intervals.
Using a risk matrix
A risk matrix turns judgement into a shared language. You rate two things — how likely the harm is, and how severe it would be — and read off a risk level (commonly low, medium, high, extreme). The point isn't false precision; it's to prioritise. Extreme and high risks demand strong controls now; low risks might just be monitored. Rate the risk both before and after controls so you can show the controls actually reduced it.
The hierarchy of control
Not all controls are equal. The hierarchy ranks them from most to least effective, and you work from the top:
| Level | Control | Example |
|---|---|---|
| 1 | Eliminate the hazard | Do the work at ground level instead of at height. |
| 2 | Substitute it | Swap a hazardous chemical for a safer one. |
| 3 | Isolate it | Barricade an area; use an exclusion zone. |
| 4 | Engineering controls | Guarding on plant; local exhaust ventilation. |
| 5 | Administrative controls | Procedures, training, signage, job rotation. |
| 6 | PPE | Gloves, hearing protection, harness. |
PPE and administrative controls are the least effective because they rely on people doing the right thing every time. Reach for elimination and engineering first; use PPE as the last line, not the first.
Risk registers that stay alive
The hard part isn't the first assessment — it's keeping them current. BigTick holds your risk assessments and registers on every phone, rates before-and-after controls, and can even draft the common hazards and controls for your industry with AI, so you start from a real list instead of a blank page.
Risk assessment, SWMS and JSA
Risk assessment is the underlying process. A JSA (Job Safety Analysis) applies it to the steps of a specific task. A SWMS is a legally required document for high risk construction work that draws on the same thinking but has defined content. Use a general risk assessment for most work, and a SWMS where the WHS Regulations require one.
Build your risk register the easy way
Start a free trial and get risk registers, safe work procedures and a whole WHS / ISO 45001 system built around your work — current on every phone in your crew.
Start a free trialFrequently asked questions
What are the steps of a risk assessment?
Identify the hazards; decide who could be harmed and how; assess the risk with a likelihood-and-consequence matrix; control the risk using the hierarchy of control; then record it and review after changes, incidents or at planned intervals.
What is a risk matrix?
A grid that combines how likely a hazard is to cause harm with how bad the harm would be, to give a risk level (e.g. low, medium, high, extreme). It's a simple way to prioritise which risks need the strongest controls.
What is the hierarchy of control?
A ranking of controls from most to least effective: eliminate, substitute, isolate, engineering, administrative, then PPE. You work from the top down, and PPE is the last resort, not the first.
Related guides
General information about workplace risk assessment, not legal advice. Follow the WHS legislation and codes of practice for your state, territory or country.