Quick answer: A risk management procedure is the documented process a business follows to identify hazards, assess risks, apply controls using the hierarchy of controls, and review outcomes. It is the backbone of a WHS system, giving every person in the business the same repeatable method for managing risk.
Last reviewed: June 2026 by the BlueSafe Technical Team. Reflects current Australian WHS laws and regulations.
Managing risk is not a one-off task. It is a cycle — and a risk management procedure is the document that defines how that cycle runs inside your business. Without it, every supervisor and site manager makes their own judgment about what a hazard is, how serious it might be, and what to do about it. With it, the business applies a consistent, defensible standard every time a new task, site, or situation arises.
What is a risk management procedure?
A risk management procedure is a formal, written document that describes the process a business uses to manage health and safety risks. It sets out, step by step, how hazards are identified, how risks are evaluated, which controls are selected and applied, and how the effectiveness of those controls is checked and maintained over time.
It is different from a risk assessment. A risk assessment is a record of the analysis done for a specific task, area, or activity. A risk management procedure is the broader process that tells the business how to produce that risk assessment and what to do with the findings.
In practical terms, a risk management procedure answers four questions:
- How do we find hazards before someone is harmed?
- How do we decide how serious a risk is?
- What controls do we apply, and in what order?
- How do we know the controls are still working?
Why a risk management procedure is a core WHS document
Under the WHS Act, a PCBU must ensure, so far as is reasonably practicable, that workers and others are not exposed to health and safety risks arising from the work carried out. That duty is not satisfied by good intentions — it is satisfied by a system that produces consistent, documented evidence that risks have been identified, assessed, controlled, and reviewed.
A risk management procedure is the foundation of that system. It is the document that tells every manager, supervisor, and worker how to carry out the risk management process, so the outcome does not depend on who happens to be on shift or how experienced a particular supervisor is.
It also connects directly to other WHS documents. The procedure feeds into the risk register, informs risk assessments, and shapes the controls included in a SWMS. Without the procedure, those documents can still exist, but they lack a consistent process behind them.
The four steps of a risk management procedure
The risk management process in Australia follows four steps, which are recognised in Safe Work Australia guidance and reflected in the WHS Regulations. A well-written risk management procedure sets out each step clearly and assigns responsibility for completing it.
Step 1: Identify hazards
The first step is to find what could cause harm before harm occurs. This means looking at the physical environment, the tools and equipment used, the tasks being performed, the people involved, and the way work is organised.
Hazards can be identified through workplace inspections, job safety analyses, consultation with workers, review of incident and near-miss reports, manufacturer or supplier information, and observation of actual work being done. Workers are often the most reliable source of hazard information because they see the work up close.
The procedure should specify when hazard identification takes place — for example, before a new task starts, when work moves to a new location, after an incident, or when plant, people, or processes change.
Step 2: Assess the risks
Not every hazard creates the same level of risk. The purpose of a risk assessment is to evaluate each identified hazard in terms of the likelihood that harm will occur and the consequence if it does. Together, those two factors produce a risk rating — typically expressed as low, medium, high, or critical.
A risk assessment is not a bureaucratic exercise. It is the step that determines how urgently a control is needed and how robust that control must be. A hazard rated critical needs immediate, reliable controls. A hazard rated low may be manageable through existing procedures with a monitoring plan in place.
For more detail on how to conduct a risk assessment correctly, see our guide to conducting a WHS risk assessment.
Step 3: Control the risks
Once risks have been assessed, the next step is to apply controls. The WHS Regulations require that controls be selected using the hierarchy of controls — a ranked list of control types ordered from most to least effective.
The hierarchy of controls runs as follows:
- Elimination — remove the hazard entirely. This is the most effective control and should always be considered first.
- Substitution — replace the hazardous thing or process with something less dangerous.
- Isolation — separate the hazard from workers using barriers, enclosures, or distance.
- Engineering controls — use physical changes to the work environment or equipment to reduce exposure.
- Administrative controls — change how work is organised or how workers are trained and instructed.
- Personal protective equipment (PPE) — provide PPE as the last line of defence, never as a substitute for higher-level controls.
In practice, a risk management procedure will often result in a combination of controls from different levels of the hierarchy. What matters is that the controls chosen are the highest reasonably practicable and that lower-level controls are not used when higher-level options are available.
For a detailed breakdown of each level and how to apply it, see our guide to the hierarchy of controls.
The procedure should also specify how controls are documented — usually through a risk assessment form, a SWMS, or an entry in the risk register — and who is responsible for implementing them before work begins.
Step 4: Review controls
Risk management is not complete once controls are in place. Controls can become ineffective over time, tasks change, new equipment is introduced, and workers rotate. The review step closes the loop by checking whether controls are working as intended and updating them when circumstances change.
The procedure should define when reviews are triggered — for example, after an incident or near miss, when a new hazard is identified, when the work method changes, when new or modified plant is introduced, or at a fixed interval as part of the business's safety review calendar.
Reviews should be recorded so the business can demonstrate ongoing monitoring, not just an initial assessment.
How a risk management procedure connects to other WHS documents
A risk management procedure does not sit in isolation. It is one part of a broader WHS system, and it connects directly to several other documents.
| Document | Relationship to the procedure |
|---|---|
| Risk register | Records the hazards, risk ratings, and controls produced by applying the procedure. It is the live summary of all risk management activity. |
| Risk assessment | The document produced at step two of the procedure for a specific task or area. |
| SWMS | The step-by-step safe work method that incorporates the controls identified at step three. Required for high-risk construction work. |
| Safe work procedures (SWP) | Broader procedure documents for non-construction tasks that incorporate the risk management findings. |
| Incident register | Feeds back into the procedure — incidents and near misses trigger a review at step four. |
| Training records | Show that workers have been instructed in the controls selected at step three. |
When these documents work together under the same risk management procedure, the business has a coherent, auditable system. When they are created independently without a linking process, gaps almost always appear.
Who is responsible for the risk management procedure?
Under the WHS Act, the PCBU holds the primary duty to manage risks. In practice, this means the business must ensure the procedure exists, is understood, and is actually being followed — not just stored in a folder.
Officers of a PCBU are required to exercise due diligence, which includes acquiring and keeping up-to-date knowledge of WHS matters and ensuring the business has appropriate resources and processes in place. A well-implemented risk management procedure is direct evidence of both.
Supervisors, managers, and workers all play a role in applying the procedure. Supervisors typically lead the hazard identification and assessment steps. Workers contribute knowledge of the actual work and must be consulted during the process. Managers are responsible for ensuring controls are resourced and implemented.
The procedure should make these roles explicit so there is no ambiguity about who is responsible at each step.
When should the procedure be used?
A risk management procedure should be applied:
- before a new task or project starts;
- when work is performed at a new location;
- when new plant, equipment, or substances are introduced;
- when the work method changes;
- after an incident or near miss;
- when a worker identifies a new hazard;
- as part of a planned WHS review cycle.
The procedure should not be treated as a one-time exercise completed at the start of a project. Risk management is an ongoing obligation, and the procedure should be embedded in how the business plans and reviews work.
State and territory variations
The information on this page is based on the Model WHS Act and Model WHS Regulations published by Safe Work Australia, adopted with some variations across most jurisdictions.
| Jurisdiction | Regulator | Key notes |
|---|---|---|
| NSW | SafeWork NSW | Model WHS framework applies |
| VIC | WorkSafe Victoria | Uses OHS framework; risk management obligations are equivalent in practice |
| QLD | Workplace Health and Safety Queensland | Follows Model WHS Regulations |
| SA | SafeWork SA | Follows Model WHS Regulations |
| WA | WorkSafe Western Australia | Model WHS framework with local guidance |
| TAS | WorkSafe Tasmania | Follows Model WHS Regulations |
| ACT | WorkSafe ACT | Follows Model WHS Regulations |
| NT | NT WorkSafe | Follows Model WHS Regulations |
Always verify current requirements with your state or territory regulator. Local codes of practice and regulator guidance may impose additional obligations for specific industries or risk types.
Frequently asked questions
What is a risk management procedure?
A risk management procedure is a documented process that tells a business how to identify hazards, assess risks, apply controls using the hierarchy of controls, and review those controls over time. It is a core procedure inside a WHS management system.
What are the four steps in a risk management procedure?
The four steps are identify, assess, control, and review. Each step has defined activities, responsible parties, and outputs — such as a risk register entry, a risk assessment, or a SWMS — that together form a complete record of how the risk was managed.
How does a risk management procedure link to a risk assessment and a SWMS?
The procedure is the process. A risk assessment is the document produced when you apply step two of that process to a specific task. A SWMS translates the controls from step three into a step-by-step safe work method for workers to follow.
Is a risk management procedure legally required in Australia?
The WHS Act requires PCBUs to manage risks to health and safety. The obligations that duty creates — identifying hazards, assessing and controlling risks, reviewing controls — are most defensibly met through a formal written procedure that the business follows consistently.
Get the right tools for your risk management process
A risk management procedure works best when it is supported by ready-to-use templates, risk assessment forms, and a risk register that are already structured around the four-step process. BlueSafe's WHS management tools are built to support exactly that.
This article is general educational information only and does not constitute legal advice. WHS obligations vary by jurisdiction, industry, and specific workplace circumstances. Always consult the relevant legislation and your state or territory regulator for guidance that applies to your situation.