WHS risk assessment: A step-by-step guide for business owners

If something goes wrong in your workplace, a regulator won’t ask if you meant well. It’s whether you had a system in place to identify and manage the risks in your workplace. That’s what a WHS risk assessment is for.

Risk assessments are one of the most practical tools you have for protecting your people and staying on the right side of WHS legislation. A proactive approach to risk is what keeps your business ahead of the curve and out of trouble.

This guide walks you through what a WHS risk assessment is, how to complete one step by step, and when it makes sense to bring in WHS consultants to help you get it right.

What is a WHS risk assessment?

A WHS risk assessment is a structured process for identifying potential workplace hazards, evaluating the likelihood and severity of harm they could cause, and deciding what controls to put in place.

There’s three terms worth understanding upfront:

• Hazard: Anything with the potential to cause harm. This includes machinery, substances, environmental conditions, and psychological stressors like excessive workload or workplace conflict.
• Risk: The likelihood that a hazard will actually cause harm, and how serious that harm could be.
• Risk assessment: The process of identifying hazards, evaluating associated risks, and selecting appropriate control measures to reduce or eliminate them.

Under Australia’s Work Health and Safety Act and broader health and safety regulations, every person conducting a business or undertaking has a primary duty of care to ensure, so far as is reasonably practicable, a safe work environment. It’s the foundation of occupational health and safety law in Australia, and risk assessments are your bread and butter in showing compliance.

Why risk assessments matter

First and foremost, risk assessments are about prevention. By systematically identifying potential workplace hazards before they cause harm, you can put the right safety controls in place and significantly reduce the likelihood of workplace accidents and injuries.

Beyond prevention, risk assessments support your WHS compliance obligations in concrete ways. They create a documented record of your safety practices – one of the first things a SafeWork inspector will review. Staying on top of workplace conditions and maintaining regulatory compliance is far easier when your risk register is current and accurate.

They also reinforce that workplace health and safety is everyone’s responsibility – the foundation of a genuine safety culture. A well-maintained risk register is also one of the clearest ways to demonstrate WHS compliance if a regulator ever comes knocking.

The numbers speak for themselves: fewer incidents mean lower workers’ compensation costs, better productivity, and better job satisfaction across your team. A safe workplace supports employee wellbeing and retention too. WHS support from qualified experts makes it easier to get there.

When to carry out a risk assessment

Workplace safety isn’t a set-and-forget exercise and the law backs that up. Under Australian WHS legislation, ongoing hazard identification is a requirement. Specific triggers include:

• Introduction of new work activities, equipment, or substances.
• A workplace incident or near miss.
• Changes to your physical work environment.
• New workers joining, particularly in high-risk roles.
• Changes to workers’ circumstances that affect their exposure to risk.
• Updates to WHS legislation or codes of practice.

Build regular review cycles into your safety management system, not just reactive assessments when something goes wrong.

The five steps of a WHS risk assessment

Step one: Identify hazards

Walk through your workplace systematically and examine every task your team performs, every tool and piece of equipment they use, and every environment they work in. Safe Work Australia recommends consulting directly with workers. The people doing the work every day often have the clearest view of where the safety risks actually sit.

Hazards span several categories:

• Physical: Machinery, noise, manual handling, working at heights.
• Chemical: Hazardous substances, fumes, solvents.
• Biological: Bacteria, viruses, sharps.
• Ergonomic: Repetitive tasks, poor workstation design, awkward postures.
• Psychological: Excessive workload, role ambiguity, workplace conflict, exposure to traumatic events.

Don’t overlook psychosocial hazards. Across all Australian jurisdictions, employers are required to identify and manage risks to mental health under the WHS Act. In NSW, the WHS Regulation 2025 goes further, explicitly requiring psychosocial risks to be managed using the hierarchy of controls. Policies and EAPs alone are no longer sufficient. Higher-order controls such as improved work design and workload management are now required, and regulators nationally are treating psychosocial risk as an active enforcement priority.

Providing safety training to workers on how to recognise and report hazards is one of the most effective ways to keep your hazard identification current between formal reviews. Good reporting habits and clear safety protocols catch hazards that a formal walkthrough might miss.

Step two: Assess the risks

For each hazard, evaluate how likely it is to cause harm and how severe that harm would be. Consider who might be affected, such as employees, contractors, and visitors, and how exposure could occur. Most businesses use a risk matrix to prioritise hazards by plotting likelihood against consequence.

This step shapes your decision-making. It tells you where to act first, where the biggest safety risks sit, and where existing safety procedures may already be reducing risk effectively.

Step three: Control the risks

This is where you act. Australian WHS legislation requires you to work through the hierarchy of controls when deciding how to manage a risk:

1. Elimination: Remove the hazard entirely. The most effective control, and always the first option to explore.
2. Substitution: Replace the hazard with something less harmful.
3. Isolation: Physically separate the hazard from people.
4. Engineering controls: Redesign processes or install physical safeguards.
5. Administrative controls: Change how work is organised or carried out. Includes safe work procedures and safety training.
6. PPE: Gloves, safety glasses, hearing protection. The last line of defence, not the first response.

A common compliance failure is defaulting to PPE or administrative controls when higher-order measures were reasonably practicable. If your risk assessments don’t record why certain controls were chosen, that’s a gap worth closing.

Once you implement measures, they need to be embedded into your health and safety policies and broader safety management systems, not left as standalone decisions. Your controls must meet legal requirements and safety standards, which means documenting them clearly so they can be communicated and audited.

Providing customised training on the hierarchy of controls helps workers understand not just what the safety measures are, but why they were chosen.

Step four: Record your findings

Document every assessment clearly: hazards identified, risk ratings, and the controls implemented. This record is your audit-ready evidence that your safety management system is functioning, and the clearest way to demonstrate compliance if a regulator requests documentation. It also gives you a baseline for future reviews.

Best practice is to store records in a WHS system – a central management platform that keeps everything in one accessible place, making it easier to make informed decisions when conditions change.

Make records accessible to relevant workers and managers. Transparency is part of implementing safety plans that people actually follow.

Step five: Review and update

Risk assessments must remain current. Workplaces change – equipment ages, new tasks emerge, teams evolve. Review assessments after incidents, after significant workplace changes, and at regular intervals even when nothing obvious has shifted. This cycle of review is what drives continuous improvement in your safety programme and helps ensure ongoing compliance as WHS laws evolve. The absence of incidents doesn’t mean risks are being managed, it may simply mean they haven’t materialised yet.

Four common mistakes to avoid

1. Filing it once and forgetting it

Outdated documentation that no longer reflects how work is actually done can undermine your legal position significantly. It’s one of the most common WHS issues businesses face, and one of the most avoidable.

2. Ignoring psychosocial risks

Stress, burnout, and workplace conflict are within scope of your WHS obligations in every jurisdiction. In NSW, the WHS Regulation 2025 now explicitly requires psychosocial risks to be managed through the hierarchy of controls. Policies and EAP programs aren’t enough on their own. If your risk register doesn’t address psychosocial hazards, it’s incomplete regardless of where you operate.

3. Not consulting workers

Consultation is both a legal requirement and a practical necessity. Workers know the real hazards better than anyone.

4. Generic templates

A standard template is a starting point, not a substitute for a genuine assessment of your specific workplace, tasks, and risks. Many businesses navigate health and safety WHS obligations using off-the-shelf documents that don’t reflect how their work is actually done, which can create serious legal issues if something goes wrong. Make sure any template is customised to your specific equipment, tasks, and people, including safe machinery operation.

When to bring in a WHS risk consultant

Some businesses can manage risk assessments effectively in-house. Many can’t, and that’s not a failure. WHS legislation is complex, safety regulations are updated regularly, and the consequences of getting it wrong are significant.

When you bring in a WHS risk consultant, the scope of WHS consultation covers more than most business owners expect. You’re getting someone with recognised credentials from relevant professional bodies who knows what regulators look for, not just what the legislation says.

Our consultants bring expert WHS support and a full range of WHS services to the assessment process, covering comprehensive audits of your current business operations, practices, and documentation. They can identify potential hazards that a business owner without a safety background might miss, and they help build WHS management systems and safety policies that hold up under scrutiny. The goal is a thriving workplace where safety is genuinely embedded, not bolted on. And that’s what effective WHS consulting helps you build.

It’s worth getting expert help when:

• You operate in a high-risk industry such as construction, manufacturing, healthcare, or logistics.
• You’ve had a workplace incident or near miss.
• Your safety procedures haven’t kept pace with business growth.
• You’re preparing for a regulatory audit or inspection.
• You don’t have a dedicated safety officer in-house.

For smaller operations, WHS consultants for small business provide proportionate, practical support without the overhead of a full-time hire. If you’re in New South Wales or Queensland, WHS consultants Sydney and WHS consultants Brisbane cover the local regulatory picture in detail.

How Citation Group can help

WHS obligations are complex, but you don’t have to work through them alone. Citation Group provides comprehensive WHS support for Australian businesses, from sole traders to large enterprises. Our WHS consultants conduct thorough hazard identification and risk assessments tailored to your specific work environment, industry, and legal obligations under WHS laws. We help you build a safe environment where health and safety is part of how your business operates every day.

Ready to get your WHS sorted? Reach out to our friendly team for a confidential chat.

FAQs

Is a WHS risk assessment a legal requirement in Australia?

Yes. Under the Work Health and Safety Act, every person conducting a business or undertaking must identify and manage risks to workers and others in the workplace. Risk assessments are a core part of meeting that obligation, and regulators can request your documentation as part of any inspection or investigation.

How often should a WHS risk assessment be reviewed?

A WHS risk assessment should be reviewed whenever there are significant changes to your workplace, tasks, equipment, or workforce, and after any incident or near miss. Most businesses also build regular scheduled reviews into their safety management system. The key is that your assessments must stay current and reflect how work is actually done.

What is the hierarchy of controls?

The hierarchy of controls is a prioritised framework for managing workplace risks under Australian WHS legislation. In order: elimination, substitution, isolation, engineering controls, administrative controls, and PPE. You must work through higher-order controls before defaulting to lower ones. PPE should only be a last resort.

What hazards should a risk assessment cover?

A risk assessment should cover all categories: physical (machinery, noise, manual handling), chemical (substances, fumes), biological (bacteria, sharps), ergonomic (repetitive tasks, poor posture), and psychosocial (workload, conflict, burnout). Current WHS regulations require psychosocial hazards to be managed with the same rigour as physical ones.

When should I use a WHS risk consultant?

You should use a WHS risk consultant when you operate in a high-risk industry, have had a workplace incident, lack in-house safety expertise, or your safety systems haven’t kept up with business growth. A WHS risk consultant brings regulatory knowledge, practical health safety expertise, and the ability to identify hazards that may not be visible from the inside.