BlueSafe
← Back to Compliance Guides
Compliance Guide

How to Conduct a WHS Risk Assessment - Step-by-Step Guide

✍️ BlueSafe Technical Team📅 18 Mar 2026

Quick answer: A WHS risk assessment is the process of finding workplace hazards, judging how serious they are, choosing controls, and checking that the controls keep working. It helps a PCBU show that risks are being managed so far as is reasonably practicable.

Last reviewed: March 2026 by the BlueSafe Technical Team. Reflects current Australian WHS laws and regulations.

A good risk assessment is one of the clearest ways to show that a business is doing more than reacting after something goes wrong. It turns safety from guesswork into a repeatable process that supervisors, workers, and managers can follow.

For most businesses, the value of the assessment is not the form itself. The value is the thinking behind it: what could go wrong, who could be harmed, and what controls are actually in place.

What is a WHS risk assessment?

A WHS risk assessment is a structured way of deciding how dangerous a task or workplace condition is and what needs to be done about it. It sits inside the broader risk management process used in Australian WHS law.

The purpose is to answer three practical questions:

  1. What is the hazard?
  2. How likely is harm to occur, and how serious could it be?
  3. What controls are needed to reduce the risk to an acceptable level?

Safe Work Australia describes risk management as a cycle of identifying hazards, assessing risks where needed, controlling risks, and reviewing control measures. That cycle is useful because work changes. A safe system this month may not be safe next month if plant, materials, people, or site conditions change.

When must you conduct a risk assessment?

You should conduct a risk assessment whenever the work could expose people to harm and the current controls have not already been tested and documented for that exact situation.

Common trigger points include:

  • Starting a new business or new work activity.
  • Changing the way work is done.
  • Introducing new plant, substances, or work methods.
  • Bringing in a new supplier or contractor.
  • Responding to an incident, near miss, or worker concern.
  • Introducing new or returning workers to a task.

For construction work, the assessment is often built into the SWMS or the task planning process. For routine business work, it may sit inside a safe work procedure, a checklist, or a job planning form.

The 5-step risk assessment process

The process works best when it is simple enough to use on site, but detailed enough to show what was actually considered.

Step 1: Identify hazards

Start by finding what could cause harm. Use direct observation, consultation, previous incidents, and any relevant supplier information. For some tasks, the hazard is obvious. For others, the hazard is hidden until the work starts.

Useful ways to identify hazards include:

  • Workplace inspections and walk-throughs.
  • Consultation with workers and supervisors.
  • Reviewing incident, near miss, and first aid records.
  • Reviewing existing SWMS, procedures, and previous assessments.
  • Checking manufacturer and supplier information.
  • Looking at what can change during the task, such as weather, traffic, or other trades.

Link your inspection methods to a practical reference like hazard identification methods.

Step 2: Assess the risk

Once a hazard is identified, decide how bad the harm could be and how likely it is to happen. A useful risk assessment looks at the actual work, not a generic ideal version of the work.

When assessing the risk, consider:

  • The likelihood of the incident occurring.
  • The severity of the possible harm.
  • How often workers are exposed.
  • How long they are exposed.
  • Whether existing controls are actually effective.

This is where a simple matrix can help. A matrix is not the answer by itself; it is just a way to organise judgment so supervisors and workers can compare tasks consistently. For a clear explanation of the scoring approach, see how to use a risk matrix.

Step 3: Select and implement controls

The next step is to choose controls that reduce the risk as far as is reasonably practicable. The hierarchy of controls should guide the decision, starting with the most effective option that is realistically available.

In practice that means:

  • Eliminate the hazard if the task can be redesigned.
  • Substitute a safer plant, material, or method.
  • Use engineering controls to separate people from the hazard.
  • Add administrative controls such as procedures, permits, supervision, and training.
  • Use PPE only as the final layer, not the main control.

If the task is high-risk construction work, the control set should be reflected in the SWMS. A useful cross-check is what must SWMS include.

Step 4: Document and communicate

The assessment should be recorded in a form that workers can actually use. A document that no one reads is not a control. A document that workers understand and sign off on can support the whole system.

Good documentation should record:

  • The task or area being assessed.
  • The hazards identified.
  • The level of risk before controls.
  • The controls selected.
  • The person responsible for each control.
  • The date, version, and reviewer.

The assessment should then be communicated to the people doing the work, and workers should have a chance to ask questions before the task begins.

Step 5: Review and monitor

A risk assessment is not complete just because it has been signed. It needs to be reviewed when the work changes or when the controls stop being good enough.

Review the assessment when:

  • The task, plant, or site conditions change.
  • A new hazard is identified.
  • An incident or near miss happens.
  • Consultation shows the control is not working.
  • Enough time has passed that the assessment may no longer reflect reality.

If the control measures are not effective, revise them and tell the workers about the changes.

What should you record in a risk assessment?

A useful risk assessment record is short enough to read and complete, but specific enough to be meaningful. The table below is a practical checklist.

FieldWhat to includeExample
Task or activityThe exact work being assessedRoof access for solar panel maintenance
HazardWhat could cause harmFall from edge, brittle roof sheet
People at riskWho could be affectedInstallers, supervisor, nearby trade workers
Initial riskThe level of risk before controlsHigh
ControlsWhat will be done to reduce the riskEdge protection, exclusion zone, harness system, supervision
Responsible personWho ensures each control happensSite supervisor
Review triggerWhen the assessment must be checked againWeather change, new access point, incident

This record also makes it easier to compare similar jobs and build a library of tested control measures instead of starting from zero every time.

How do you consult workers during the process?

Consultation is not an optional extra. It is part of how the WHS system is supposed to work.

Workers often know where the real problems are because they see the task day after day. They know which controls are ignored, which equipment is awkward, and which steps create shortcuts.

A good consultation process usually includes:

  • Asking workers how the task is actually done.
  • Checking whether they have seen the hazard before.
  • Asking if there is a safer way to do the task.
  • Confirming that the controls make sense on site.
  • Recording any worker concerns and how they were addressed.

For tasks involving supervisors, contractors, or multiple trades, consultation should happen before the job starts and again if anything changes. If your broader system needs a consultation structure, WHS consultation requirements is the right companion guide.

Risk assessment vs SWMS

A risk assessment and a SWMS are related, but they are not the same document.

A risk assessment is the general process for deciding what the hazards and risks are. A SWMS is the document required for high-risk construction work that sets out the steps, hazards, controls, and how the work will be monitored.

Use this rule of thumb:

  • If you need to understand the overall risk, use a risk assessment.
  • If you are doing high-risk construction work, use a SWMS.
  • If you are managing both, make sure the SWMS reflects the risk assessment and not a generic template.

For a deeper comparison, see safe work procedures vs SWMS.

State and territory variations

The information on this page is based on the Model WHS Act and Model WHS Regulations published by Safe Work Australia, adopted with some variations across most jurisdictions.

JurisdictionRegulatorKey notes
NSWSafeWork NSWFollows the model WHS framework with local variations
VICWorkSafe VictoriaUses the OHS Act 2004, so some terminology differs
QLDWorkplace Health and Safety QueenslandFollows the model WHS framework with local variations
SASafeWork SAFollows the model WHS framework with local variations
WAWorkSafe Western AustraliaFollows the model WHS framework with local variations
TASWorkSafe TasmaniaFollows the model WHS framework with local variations
ACTWorkSafe ACTFollows the model WHS framework with local variations
NTNT WorkSafeFollows the model WHS framework with local variations

Always verify current requirements with your state or territory regulator, as local codes of practice and guidance may impose additional obligations.

Frequently asked questions

What are the steps in a WHS risk assessment?

A WHS risk assessment follows five steps: identify the hazards, assess the risk, choose and implement controls, document and communicate the result, and review it when conditions change. The steps are simple, but they only work if the controls reflect the actual task and the people doing it.

Who must conduct a risk assessment?

The PCBU is responsible for making sure risk assessments happen. In practice, a competent person may prepare the assessment, but workers and supervisors should be involved because they know how the task is actually done.

When is a risk assessment required?

Use a risk assessment before new work starts, when conditions change, after incidents or near misses, when a new hazard appears, and during routine reviews of ongoing operations. If the work is high-risk construction work, the assessment should feed into the SWMS.

Does a risk assessment need to be in writing?

It is not always legally prescribed in a specific format, but writing it down is strongly recommended. A written assessment creates a record of the hazards, controls, and consultation, which helps demonstrate due diligence.

Get the right documents for your business

A documented risk assessment gives your business a practical record of hazards, controls, and review points. If you need a higher-risk work document or a fuller system, the right templates help you keep the process consistent.

SWMS templates | WHS Management Systems

Need Help with Compliance?

Get the templates mentioned in this guide to ensure you meet your obligations.

View SWMS TemplatesView Management Systems

Still have questions?

Our team of WHS experts is here to help.

Contact Support More Guides