WHS Risk Assessment: A Plain English Guide for 2026

Ask most small business owners if they do risk assessments and they'll say yes. They think about the job before they start. They spot the obvious hazards. They tell their workers to be careful. They've been doing this for years and, so far, nothing bad has happened.
Here's the uncomfortable truth: informal hazard thinking is not the same as a risk assessment. And under Australian WHS law, only one of them satisfies your legal obligation.
This guide explains what risk assessment actually means under WHS law, why documentation isn't optional, and what a practical risk management process looks like for a small business - without the jargon.
What the WHS Act actually requires
Under the model Work Health and Safety Act 2011 - adopted across most Australian states and territories - every person conducting a business or undertaking (PCBU) has a primary duty of care. In plain English: if you run a business and people work in it, you are legally required to ensure, so far as is reasonably practicable, that workers and others are not exposed to health and safety risks.
"So far as is reasonably practicable" is a specific legal standard. It doesn't mean doing everything possible. It means taking measures that are proportionate to the level of risk, considering factors like likelihood of harm, severity of potential consequences, and what's feasible given your size and resources.
The key word in the phrase "so far as is reasonably practicable" is "as": you need to demonstrate that you've genuinely assessed the risk and made active decisions about control.
Risk assessment is how you prove you've done this. It's the documented record of the decisions you've made about workplace hazards. Without it, you have no evidence of your risk management process - and in the event of an incident, that gap matters enormously.
Note: Victoria operates under the Occupational Health and Safety Act 2004, not the model WHS laws. The risk management obligations are broadly similar, but the specific legislative framework and penalty structure differ. If you're in Victoria, check with WorkSafe Victoria for jurisdiction-specific guidance.
The four-step risk management process
The model Code of Practice How to Manage Work Health and Safety Risks - which provides the benchmark regulators and courts use when assessing whether a PCBU has met their obligations - describes a four-step process. Following the Code is strong evidence of compliance. (In NSW, from October 2025, approved Codes of Practice became legally binding requirements, not just evidentiary guides.)
Step 1: Identify hazards
A hazard is anything in the workplace that has the potential to cause harm. This includes physical hazards (machinery, electrical equipment, manual tasks, working at heights), environmental hazards (noise, heat, chemicals), organisational hazards (excessive workload, shift work, remote or isolated work), and psychosocial hazards (bullying, harassment, poor management practices).
Identifying hazards isn't a one-off exercise. You need to consider hazards during work design, when setting up a new site, when introducing new equipment or processes, and when something changes in how work is done.
Step 2: Assess the risk
Once you've identified a hazard, you need to assess how likely it is to cause harm and how severe that harm could be.
Risk assessment involves weighing up who could be affected, how often they're exposed to the hazard, and what the likely consequence of exposure is. This doesn't have to be complicated - a simple risk matrix with likelihood and consequence ratings is enough for most small businesses. What matters is that you've thought it through and written it down.
Step 3: Control the risk
Controls are the measures you put in place to eliminate or minimise the risk. The WHS Regulations specify a hierarchy of controls - an ordered list of the most to least effective options:
Elimination - remove the hazard entirely (the most effective control and always the first option to consider)
Substitution - replace the hazard with something less risky
Isolation - separate people from the hazard (guards, barriers, restricted zones)
Engineering controls - design changes that reduce risk (ventilation, modified equipment)
Administrative controls - procedures, training, and schedules that reduce exposure
Personal protective equipment (PPE) - the last resort, not the first
PPE is the least effective control because it relies entirely on correct use every time. Relying on PPE as your primary control for a significant hazard is not adequate under WHS law. A regulator will notice - and so will a court.
Step 4: Review your controls
Controls need to be reviewed to make sure they're still working. The Code of Practice specifies that you must review your risk management process: after an incident or near miss, whenever a workplace change creates new hazards, when a control measure isn't working as intended, and whenever a worker or their Health and Safety Representative raises a concern.
Annual reviews are a sensible minimum for lower-risk areas. Higher-risk tasks warrant more frequent checks. Set a review date when you complete the assessment - don't wait for something to go wrong to trigger the review.
Why "we do it in our heads" doesn't count
The most common mistake small businesses make is treating risk assessment as something that happens informally - a gut check before the job starts, a quick verbal briefing to the crew.
This might sting, but you need to hear it: that doesn't count.
Here's why. If a worker is injured and a regulator investigates, the first thing they'll ask for is your documented risk assessment. Not your intentions. Not what you told people. Not your track record of nothing going wrong. The document.
Without a documented risk register and completed risk assessment forms, you have no evidence that you identified the hazards, assessed the risks, implemented controls, or reviewed them. From the regulator's perspective, you have no evidence you met your primary duty at all.
Under the model WHS Act, a Category 2 offence - failure to comply with a health and safety duty that exposes a worker to a risk of death or serious injury - is the most commonly prosecuted WHS offence in Australia. Penalties can reach $11.8 million for a body corporate and $2.4 million for an individual PCBU (as at 1 July 2025, indexed annually).
Category 2 doesn't require proof of recklessness. It just requires that your failure exposed someone to a risk - and an undocumented process is exactly the kind of gap that opens you up to that charge.
"But we're a low-risk business" - here's the reality
Every business has workplace hazards, regardless of industry. An office business has hazards: manual handling (yes, even lifting boxes), ergonomics, emergency procedures, slips and trips, psychosocial risks. A landscaping business has machinery, chemicals, UV exposure, and manual handling. A cleaning business has chemical exposure, wet floors, and repetitive strain.
The obligation to identify, assess, and document hazards applies to every PCBU - a sole trader with two workers and a 200-person manufacturing site are both required to have a risk management process. The scale and complexity will differ, but the obligation doesn't.
If your business is genuinely low-risk, your risk register will be relatively simple. That's fine. But "we're low risk" is not a reason to have no documentation. It's just a reason to have lighter documentation.
What your documentation actually needs to include
The essential documents for a risk management process aligned to Australian regulations are:
A hazard register. A live record of the hazards in your workplace, the risk rating assigned to each, the control measures in place, and the review date. This doesn't need to be complex - a simple spreadsheet or form works fine. What matters is that it exists, it's accurate, and it's kept up to date.
Task-specific risk assessments. For higher-risk tasks - working at heights, operating machinery, handling chemicals, working near live electrical equipment, manual handling of heavy loads - you need a written risk assessment for each task. This is what the forms in a WHS Management System provide.
Evidence of controls. Records showing the controls you've implemented: maintenance logs, inspection reports, training records, PPE issue records. These demonstrate you didn't just identify the risk and move on.
A review record. Documentation showing your controls have been reviewed. This might be as simple as a note in your risk register showing the review date and outcome - "controls still adequate" or "updated to reflect change in process."
Your risk management procedure should live inside your WHS Manual alongside your other documented procedures: incident reporting, inductions, emergency procedures, and so on. Together, these create the written evidence of a functioning safety system - not just a folder of policies, but a documented approach to how your business actually manages safety.
Where to start
A risk assessment doesn't have to be done all at once. Start with your highest-risk tasks or work areas. Build the hazard register from there. Work through the hierarchy of controls for each identified hazard. Set review dates. Get your workers involved - they're often the best source of information about what the real hazards are.
If you need the full risk management framework - hazard register, risk assessment forms, control documentation, and a documented procedure aligned to Australian WHS regulations - that's exactly what's inside the Everything OHS WHS Management Systems. Industry-specific, fully editable, and ready to use today.
Everything OHS has helped more than 12,000 Australian businesses get their WHS documentation right since 2008 - with 60+ five-star Google reviews and counting. Our systems are built by WHS specialists with deep knowledge of Australian legislation, and they're kept current as the law changes.
FREE Toolbox Talk: Risk Assessment. To help you get started, we've put together a free Toolbox Talk: Risk Assessment - a ready-to-use 10-minute briefing you can run with your team to open the conversation about hazard identification and control.
This article provides general guidance on WHS risk management obligations for Australian small businesses. It is not legal advice. For advice specific to your situation, consult a qualified WHS professional or contact your state or territory WHS regulator.
