View Current

WHSMP02: Hazard Identification, Risk and Opportunity Management Procedure

This is the current version of this document. You can provide feedback on this policy to the document author - refer to the Status and Details on the document's navigation bar.

Section 1 - Purpose and Scope

(1) The purpose of this procedure is to ensure the management of risks associated with health and safety at Southern Cross University (SCU) are appropriately managed and controlled. 

(2) The purpose of this procedure is to ensure Southern Cross University’s management, employees, contractors, students, visitors and others are aware of the risks associated with health and safety in the workplace, management strategies and to provide advice on appropriate controls. 

(3) All employees, students and others including both independent contractors and contractors under SCU control are to be made aware of and follow this procedure. 

(4) This Procedure applies to all SCU Work Units and sites. The procedure aligns with WHS legislation in the relevant jurisdictions SCU operates in. 

Top of Page

Section 2 - Definitions 

Assessor/Facilitator 
The person applying the risk management process to a hazard or risk.  (Either undertaking the process as an individual or facilitating a team.) 
Consequence 
The credible outcome or potential outcome of an event that causes injury or harm to people, damage to property, environmental harm, business loss, harm to reputation and adverse compliance findings. 
Critical Control 
A specific act, object or technological system which of itself will prevent or mitigate an incident.  Further, these ‘things’ are specifiable, measurable and auditable and their absence would significantly increase the potential for an unwanted incident to occur or have a much more significant outcome. 
Critical Risk 
All CREDIBLE RISKS, assessed with a consequence of a Fatality and of ANY Likelihood.  (Catastrophic as per the risk matrix.) 
Hazard 
 
A situation or entity that, through interaction, has the potential to harm a person, the environment or reputation, cause damage to property, or business loss, or result in adverse compliance findings. 
Task Hazard Analysis (THA) 
A formal team-based risk assessment for a specific task that involves breaking the job into logical steps. 
Risk 
The chance or possibility that harm or loss might occur when exposed to a hazard. 
Risk Assessment 
The overall process of risk identification, analysis and evaluation. 
Risk Control 
Process of elimination or reduction of a specified risk 
Risk Identification 
The identification of hazards sources, events, their causes and their potential consequences. 
Risk Owner 
The individual accountable for ensuring the managing risk in a workplace and has the necessary level of authority to be able to spend resources and mandate treatment strategies for the critical risk.  
So Far As is Reasonably Practicabal (SFARP) 
That which is, or was at a particular time, reasonably able to be done to ensure health and safety, taking into account and weighing up all relevant matters including: (a) the likelihood of the hazard or the risk concerned occurring (b) the degree of harm that might result from the hazard or the risk (c) what the person concerned knows, or ought reasonably to know, about the hazard or risk, and ways of eliminating or minimising the risk (d) the availability and suitability of ways to eliminate or minimise the risk, and (e) after assessing the extent of the risk and the available ways of eliminating or minimising the risk, the cost associated with available ways of eliminating or minimising the risk, including whether the cost is grossly disproportionate to the risk. 
Top of Page

Section 3 - General Principles 

Risk Management  

(5) This procedure aligns with the requirements of the Code of Practice for How to Manage Work Health and Safety Risks (2019) and ISO310000:2018 Risk Management.  

(6) SCU must eliminate risks in the workplace, or if that is not reasonably practicable, minimise the risks so far as is reasonably practicable. Supervisors, at all levels, must ensure that hazards are identified, risks assessed, controls implemented, and controls reviewed. 

(7) Risk management involves the four steps set out in this procedure: 

  1. Identify hazards – understand what could cause harm. 
  2. Assess risks if necessary – understand the nature of the harm that could be caused by the hazard, how serious the harm could be and the likelihood of it happening. 
  3. Control risks – implement the most effective control measure that is reasonably practicable in the circumstances. 
  4. Review control measures - to ensure they are working as planned. 

(8) (Figure 1: How to manage workplace Health and Safety Risks, Code of Practice 2019). 

Risk Management Tools 

(9) SCU has implemented a suite of standard risk management tools.  Each tool has a specific function and selection is based on the complexity of the risk and the outcome required. Risk assessment tools shall be facilitated by persons trained and competent in facilitating risk assessments and in the use of the specific tools.  

 Tool 
Use 
WHSMP02 – FOR 01 - Hazard Identification, Risk Assessment and Control (HIRAC) 
 
Provides line-by-line detail of all credible scenarios to assess single or multiple hazards. 
By utilising a scoring process, it identifies where controls are sufficient or additional controls may be implemented. 
WHSMP02 – FOR – 02 - Critical Risk Cause and Control Assessment 
Details critical risk and associated causes (hazards).  The assessment also records all controls for the risk, critical controls and their design. 
WHSMP02 – FOR – 03 - Task Hazard Analysis (THA) 
Task-specific risk assessment used for: 
One-off tasks  
Management of Change or introduction of a new process/task 
Management of existing processes/tasks 
WHSMP02 – FOR – 04 - Journey Management Plan and Risk Assessment 
Mandatory requirement of the journey management procedure.  Assesses specific risks of driving and assesses if controls are sufficient to approve the travel. 
WHSMP02 – FOR – 05 - Plant Hazard Checklist 
Plant-specific, team-based risk assessment is used for identifying hazards and controls associated with the operation of the plant. 
WHSMP02 – FOR – 06 - Hazardous Substance Risk Assessment 
To assess the risk of the storage, handling and use of hazardous substances and dangerous goods. 
WHSMP02 – FOR – 07 - Hazardous Manual Task Risk Assessment  
To risk assess hazardous manual tasks to assess force, movement and postures that increase the risk of musculoskeletal disorders. 
WHSMP02 – FOR – 08 - Risk Assessment (Guided Conversation) 
A guided conversation for on-the-job personal hazard identification for daily tasks. 
WHSMP02-FOR-09 – Field Risk Assessment 
Mandatory requirement field work. Assesses specific hazards in field work and allows for sign off. 
WHSMSPO2-FOR-10-Safe Work Instruction  
Written instructions for a process or activity that outlines the recommended safe method of undertaking the process or activity. Required for any routine or repeated activity or process. 

Risk Assessment Threshold 

Low 
Risks are below the risk acceptance threshold and do not require active management.  Requires ongoing monitoring by Supervisor. 
Moderate 
Risks that lie on the risk acceptance threshold and require active monitoring by the Supervisor and Head of Work Unit. 
High 
Risks that exceed the risk acceptance threshold and require proactive management. Approval to start or restart an activity must be given by the Head of Work Unit in consultation with the Manager, Workplace Health and Safety (WHS). 
Extreme 
Risks that significantly exceed the risk acceptance threshold and need urgent and immediate attention. Approval to start or restart an activity must be given by the Vice Chancellor or their delegate. 

When to undertake a Risk Assessment 

(10) Supervisors, at all levels, shall ensure a risk assessment should be completed when: 

  1. There is uncertainty about how a hazard may result in injury or illness. 
  2. The work activity involves several different hazards and there is a lack of understanding about how the hazards may interact with each other to produce new or greater risks. 
  3. Changes at the workplace occur that may impact the effectiveness of control measures. 
  4. A risk assessment is mandatory under the WHS regulations for high-risk activities such as entry into confined spaces, construction work, demolition of a structure, disturbance of asbestos, explosives, working near a trench, working on energised electrical parts, the handling, storage and use of hazardous chemicals listed in Schedule 11 of the WHS Regulation, mobile plant and diving work. 
  5. Legislation requires some hazards or risks to be controlled in a specific way – these requirements must be complied with. 
  6. A code of practice or other guidance sets out a way of controlling a hazard or risk that applies to your situation. 
  7. There are well-known and effective controls that are in use in the particular industry that is suited to the circumstances in your workplace.  In these situations, you may be able to simply implement these control measures. 
  8. Examples of when risk assessments may be completed include, but are not limited to: 
  9. When new hazards are identified. 
  10. As a result of an incident investigation, including near-miss. 
  11. Before the commencement of new work activity. 
  12. Proposed changes to work procedures or activities. 
  13. New plant or equipment and modifications to existing plant or equipment. 
  14. Where hazardous substances or dangerous goods are to be used, stored or transported. 
  15. When required by legislation and/or codes of practice/industry standards (e.g. confined space and working at heights). 

Consultation 

(11) SCU shall ensure that consultation occurs with employees and other stakeholders at all stages of the risk management process. Consultation is a two-way process of informed communication between an organisation and its stakeholders on an issue before deciding or determining a direction on that issue. Consultation is: 

  1. A process that impacts a decision through influence rather than power. 
  2. An input to decision-making, not joint decision-making. 
  3. Employees and stakeholders shall be included in the identification and assessments of risk, as well as the identification and implementation of controls. 

Identify Hazards 

(12) Before commencing work or a task, all employees are to identify potential hazards in the workplace.  Hazards that are present or are likely to occur can be identified by any or all of the following means: 

  1. Continual review and inspection of work units by management, supervisors, WHS or employees and documenting observations made. 
  2. Communication with all employees, at all work locations, and practical information about work practices and procedures. 
  3. Incident investigation analysis. 
  4. Consultation with employees. 
  5. Risk, location, plant, or task-based identification. 
  6. Completion of a work unit visits, audit or management review. 
  7. Professional experience of WHS or other employees. 
  8. Information from industry sources or work unit specific information. 

(13) Explore Context:

  1. To determine if a hazard is a credible potential risk, the assessor shall consult with employees and stakeholders and explore the internal and external context of the work including: 
  2. Capabilities understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies). 
  3. Governance, organisational structure, roles and accountabilities. 
  4. Policies, objectives, and the strategies that are in place to achieve them. 
  5. Information systems, information flows and decision-making processes (both formal and informal). 
  6. Relationships with, and perceptions and values of, internal stakeholders. 
  7. The organisation's culture. 
  8. Standards, guidelines and models adopted by the organisation. 
  9. The form and extent of contractual relationships. 

Assess Risk 

(14) For a hazard to be assessed as a credible risk, the assessor shall identify the worst case of credible scenarios by identifying the: 

  1. Hazard. 
  2. Target (what could be harmed). 
  3. How the target and the hazard interact. 
  4. The potential credible worst-case consequence of the specific interaction between the hazard and the target. 
  5. This worst case of credible scenarios can then be assessed and evaluated following the SCU Risk Matrix (Appendix 1). 
  6. The credible worst-case consequence must be plausible and reasonable.  SCU recognises that this is a subjective decision and will be made in consultation with employees and stakeholders and consider: 
  7. The context of the risk. 
  8. Industry history. 
  9. Similar risks in other industries. 

(15) When utilising the matrix, the likelihood is identified by assessing the possibility of the exact potential consequence occurring as a direct result of the specific interaction between the target and the hazard. 

Risk Control  

(16) The assessor shall facilitate the team identification of the most effective control following the principle of ‘so far as is reasonably practicable’ (SFARP) and the hierarchy of controls. Time frames and priority for the implementation of controls shall be determined by the highest level of risk. 

(17) To decide what is ‘reasonably practicable’ assessors shall consider and weigh up all relevant matters, including: 

  1. The likelihood of the hazard or risk concerned occurring. 
  2. The degree of harm that might result from the hazard or risk. 
  3. Knowledge about the hazard or risk, and ways of eliminating or minimising the risk. 
  4. The availability and suitability of ways to eliminate or minimise the risk. 

(18) After assessing the extent of the risk and the available ways of eliminating or minimising the risk, the cost associated with available ways of eliminating or minimising the risk, including whether the cost is grossly disproportionate to the risk. 

(19) The priority for managing risks shall be to eliminate them so far as is reasonably practicable, or if that is not possible, minimising the risks so far as is reasonably practicable. 

(20) When considering how to control risks, the assessor shall: 

  1. Consult with employees and stakeholders directly affected by the risk and/or control. 
  2. Choose the control that most effectively eliminates the hazard or minimises the risk in the circumstances. 
  3. This may involve a single control measure or a combination of different controls that together provide the highest level of protection that is reasonably practicable. 

Hierarchy of Control  

(21) The most effective control of a risk is to either eliminate the risk by eliminating the hazard, interaction or consequence.   Risk controls are ranked according to the Hierarchy of Controls, which ranks controls from the highest level of protection and reliability to the lowest.   

Level 1 Control Measures 

(22) The most effective control measure involves eliminating the hazard and associated risk. The best way to do this is by, firstly, not introducing the hazard into the workplace. 

(23) Eliminating hazards is often cheaper and more practical to achieve at the design or planning stage of a product, process or place used for work. In these early phases, there is greater scope to design out hazards or incorporate risk control measures that are compatible with the original design and functional requirements.  

(24) If you cannot eliminate the hazard, then eliminate as many of the risks associated with the hazard as possible.   

Level 2 Control Measures 

(25) If it is not reasonably practicable to eliminate the hazards and associated risks, you should minimise the risks using one or more of the following approaches:  

  1. Substitute the hazard with something safer. 
  2. Isolate the hazard from people: This involves physically separating the source of harm from people by distance or using barriers.  
  3. Use engineering controls: An engineering control is a physical control measure, including a mechanical device or process.  

Level 3 Control Measures 

(26) These control measures (i.e. administrate and PPE) do not control the hazard at the source. They rely on human behaviour and supervision, and used on their own, tend to be least effective in minimising risks.  

Assessing residual risk 

(27) When considering the implementation of controls, the assessor shall identify the residual risk remaining after the control has been implemented. 

(28) Preventative controls implemented can either eliminate a risk or reduce the likelihood of the consequence occurring because of the risk.  Whilst mitigating controls may reduce the consequence of an event in some circumstances, in order not to understate risk, SCU requires that the consequence is not reduced because of these controls. 

Review and Monitoring of Control Measures 

(29) Supervisors shall ensure that control measures are monitored and regularly reviewed to assure that they are implemented and effective. (Work as planned.) The monitoring and review process shall determine the suitability and effectiveness of the controls. 

(30) The ongoing monitoring of existing controls measures implemented shall be through: 

  1. Scheduled workplace inspections and audits. 
  2. Planned task observations. 
  3. Workplace monitoring (where necessary). 
  4. Behavioural observations. 
  5. Scheduled risk and management reviews. 
  6. Incident investigations and hazard reporting 
  7. Maintenance defect reporting. 

(31) A review shall also be completed when: 

  1. The control measure is not effective in controlling the risk. 
  2. Before a change at the workplace that is likely to give rise to a new or different health and safety risk that the existing control measure may not effectively control. 
  3. A new hazard or risk is identified. 
  4. The results of the consultation indicate that a review is necessary. 
  5. A health and safety representative requests a review. 

Review and Monitoring of Control Measures 

(32) Every two years the SCU WHS Manager shall undertake a review of the risk management system to assure the performance of an effective system that identifies, and controls risks exposed to the business.  

Critical Risk Management 

Identification of Critical Risks 

(33) The SCU WHS Manager is responsible for coordinating the identification of critical risks across the organisation.  Critical risks shall be identified when:  

  1. Critical risk management is established within an existing or new work unit.  
  2. Identified as part of the management of change. 

(34) Critical risks will be identified utilising risk assessment workshops coordinated by the WHS Manager in consultation with each work unit.  When identifying risks, the following shall be considered by the risk assessment workshop group: 

  1. The knowledge of competent persons working in the area. 
  2. Previous significant incidents within SCU. 
  3. Previous potential significant incidents within SCU. 
  4. Historical industry evidence. 
  5. Applicable legislative guidance and prescription. 
  6. Resource Regulator’s incidents, alerts, and investigations. 
  7. Critical risks shall be documented in SCU’s Critical Risk Register and stored online. 

Review of Critical Risk Register 

(35) The Head of Work Unit or their delegate is responsible for reviewing the organisation’s Critical Risk Register to ensure that all relevant critical risks for their work unit have been identified.   

(36) The register shall be reviewed at a minimum of every 2 years and:  

  1. Within 12 months of the establishment of critical risk management within an existing or a new work unit.  
  2. A new service has been introduced within the work unit.  
  3. Identified as part of the management of change.  
  4. A significant or notifiable event has occurred. 
  5. Risk assessment workshops coordinated by the WHS Manager in consultation with each work unit will be utilised to review each risk.   
  6. Critical risk reviews shall be documented in RiskWare and stored online. 

Risk Owners 

(37) The Head of Work Unit shall be deemed the Risk Owner for critical risks within their work unit and are accountable for ensuring the risk is managed appropriately.  For organisation-wide risks, the Vice-Chancellor may appoint a Risk Owner to be accountable for managing the risk across the organisation. 

(38) The Risk Owner has the necessary level of authority to be able to spend resources and mandate treatment strategies (Critical Controls) for the critical risk.  The Risk Owner for each Critical Risk shall: 

  1. Review and approve the risk assessment, controls, critical controls and verification activities. 
  2. Oversee the critical risk and associated critical control verification processes for each critical risk. 
  3. Review and approve any changes or updates submitted to the risk assessment or critical controls. 
  4. Complete the annual review of the critical risk. 
  5. Supervisors are responsible for approving risk assessments, controls including performance standards, design descriptions, communication plans and verification activities. 

Risk Assessment and Control Selection Methodology 

(39) Risk Owners shall ensure that a Cause and Control risk assessment workshop is facilitated for any new Critical Risk and ensure that the following employees are included at a minimum: 

  1. The risk owner. 
  2. Employees who physically perform the task and/or operate the equipment/plant. 
  3. Employees who physically maintain the equipment/plant. 
  4. WHS team members, as applicable. 
  5. Health and Safety Representatives (for Health and Safety risks only). 
  6. Technical experts as required. 
  7. The risk assessment team shall utilise a brainstorming workshop to identify credible causes associated with the risk scenario. 
  8. Existing controls for each cause shall be reviewed against SFARP with additional or alternative controls being identified based on the Hierarchy of Control. 
  9. The risk assessment team shall acknowledge human factor causes and assume site-wide generic controls as established.  Generic controls include inductions, trained and competent employees, supervision, task-based risk assessments, fitness for work requirements, general preventative maintenance, standard personal protective equipment and pre-work meetings. 
  10. From the specific controls identified, the risk assessment team shall identify Critical Controls for design, monitoring, and testing utilising the Control Decision Tree (Appendix 2).  Where a control does not specifically meet the definition in this procedure, but the working group determines that the control is ‘critical’ from an operational perspective, that control will be determined as meeting the criteria for a critical control. 
  11. Risk Assessment workshops for Critical Risks shall be documented on the Critical Risk Cause and Control Assessment Template and stored online. 

Critical Controls design and monitoring 

(40) Risk owners, with assistance from WHS, shall ensure that a Critical Control design is developed for each critical control which provides sufficient detail to enable a full understanding of the Control. 

(41) The design should be specific, measurable and include: 

  1. A description of the Critical Control. 
  2. Objectives. 
  3. Performance requirements. 
  4. Management system activities. 
  5. Target performance. 
  6. Triggers for shutdown, critical control review or investigation. 
  7. Failure mechanism and prevention strategies. 
  8. Verification activities. 
  9. Management system activities shall include planned tasks that support the critical control being able to meet the performance requirements. 
  10. These can be normal maintenance tasks that can be scheduled and can be tracked. However, it may also include other scheduled tasks such as taking samples.  The tasks should be listed in detail and include the role responsible for each activity, as well as the corresponding frequency/parameters/measures needed for the control to be effective. 
  11. Risk owners shall ensure that the control design includes verification activities for each critical control that ensure the ongoing monitoring of control effectiveness and compliance.  Verification activities may include: 
  12. Inspections. 
  13. Audits. 
  14. Field observations. 
  15. Critical Control designs shall be documented on the Critical Risk Cause and Control Assessment Template and stored online. 

Review of Critical Controls 

(42) Risk Owners shall ensure that control measures are regularly reviewed to assure that they are implemented and effective including when: 

  1. The control measure is not effective in controlling the risk. (A significant/notifiable incident.) 
  2. Before a change at the workplace that is likely to give rise to a new or different health and safety risk that the existing control measure may not effectively control. 
  3. An inspection indicates a deficiency in a control measure. 
  4. A new hazard or risk is identified. 
  5. The results of any consultation indicate that a review is necessary. 
  6. A health and safety representative requests a review. 

(43) The Risk Owner shall ensure that an annual effectiveness test of the control is completed by each Control Owner including a review of the: 

  1. Design standards to ensure that they meet the applicable current Regulatory, Code of Practice, Original Equipment Manufacturer, Australian Standards and SCU’s requirements. 
  2. Compliance with design standards. 
  3. Maintenance schedule and planned tasks completed as planned. 
  4. Audit findings. 
  5. Field leadership completed concerning the Critical Control. 
  6. Annual Review of Critical Risks 

(44) The Head of Work Unit is responsible for undertaking an annual review of their work unit’s Critical Risks to assure that the critical risk is tolerable and that the risk has been reduced so far as reasonably practicable.  The review shall consider: 

  1. The effectiveness of critical controls. 
  2. Tolerability of the risk. 
  3. Findings. 
  4. Sufficiency of verification activities 
  5. Critical Controls Reporting 
  6. The WHS Manager is responsible for coordinating the quarterly reporting of the status of critical control management to the VC and the Vice Chancellor’s Group.  The quarterly report shall contain, as a minimum: 
  7. Compliance with critical control verification activities. 
  8. Critical Control failures. 
  9. Significant or High Potential Incidents. 
  10. Compliance with requirements for Critical Control Design 
Top of Page

Section 4 - Records of Documentation  

(45) All relevant documentation will be recorded and kept in accordance with WHS Legislation and other legislative obligations including:  

  1. Hazard Identification Records. 
  2. Risk Assessments 
  3. Documentation of Hazards 
  4. Risk Control Measures 
  5. Consultation Records 
  6. Training and Competency Records 
  7. Incident and Investigation Records 
Top of Page

Section 5 - Revision and approval history 

(46) This procedure will be reviewed as per nominated review dates or because of other events, such as: 

  1. Internal and external audit outcomes. 
  2. Legislative changes. 
  3. Outcomes from management reviews. 
  4. Incidents. 
Top of Page

Section 6 -  Roles and Responsibilities

Refer to WHS Responsibility and Accountability Statement
Top of Page

Section 7 - References 

Work Health and Safety Act 2011 
Work Health and Safety Regulation in applicable jurisdiction that SCU operates  
Top of Page

Section 8 - Related Documents 

WHSMP02 - FOR - 01 - Hazard Identification, Risk Assessment and Control Tool 
WHSMP02 - FOR - 02 - Critical Risk Cause and Control Assessment Template 
WHSMP02 - FOR - 03 - Task Hazard Analysis 
WHSMP02 - FOR - 04 - Journey Plan Management and Risk Assessment 
WHSMP02 – FOR – 05 - Plant Hazard Checklist 
WHSMP02 - FOR - 06 - Hazardous Substances Risk Assessment 
WHSMP02 - FOR - 07 - Hazardous Manual Task Risk Assessment Tool 
WHSMP02 - FOR - 08 - Risk Assessment (Guided Conversation) 
WHSMP02 – FOR - 09 – Field Risk Assessment 
WHS Responsibility and Accountability Statement