Risk Management

This chapter is sponsored by NW Group

(Last revised 17 November 2017)

Risk management is the start and finish of any safety management system. A risk assessment builds knowledge and understanding about hazards and risks that have been identified so that informed decisions can be taken about controlling them.

Key Element

A detailed risk assessment prepared in consultation with all stakeholders is the most efficient way to detect and control all risks and hazards in the workplace under review.

It does not always have to be a long, complex process involving lots of paperwork. Risk assessment is a means to an end, not an end in itself. As such, it should be straightforward, purposeful, and actionable.

Always allow sufficient time to complete the initial assessment and to find appropriate control measures.

While risk assessment is an important part of the process for controlling unknown risks, you may not need to conduct a formal assessment if a risk is well known and the solution is obvious.

2.1 Definitions

2.1.1 What are hazards and risks?

A hazard is anything in the workplace that has the potential to harm people. Hazards can include objects in the workplace, such as machinery or dangerous chemicals.

Other hazards relate to the way work is done. For instance, hazards in a workplace could include manual handling, excessive noise and fatigue caused by the hours of work.

A risk arises when it’s possible that a hazard will actually cause harm. The level of risk will depend on factors such as how often the job is done, the number of people involved and how serious any injuries that result could be.


2.2 Risk management – Australian Standard

In November 2009, AS/NZS ISO 31000: 2009 replaced the previous Australian and New Zealand risk management standard AS/NZS 4360: 2004.

ISO31000 – Definition of ‘risk’
The definition of risk has changed from ‘the chance of something happening that will have an impact on objectives’ to ‘the effect of uncertainty on objectives’.
Uncertainty (or lack of certainty) is a state or condition that involves a deficiency of information and leads to inadequate or incomplete knowledge or understanding. In the context of risk management, uncertainty exists whenever the knowledge or understanding of an event, consequence, or likelihood is inadequate or incomplete.
For the sake of WHS / OHS risk management both definitions can be used.


2.3 Risk Management system

The risk management process should be an integral part of management, be embedded in culture and practices, and be tailored to the business processes of the PCBU (person conducting a business or undertaking). The risk management process includes five activities:

  • communication and consultation,
  • establishing the context,
  • risk assessment,
  • risk treatment,
  • monitoring and review.

These activities, as well as recording the risk management process, are described in clause 6 of ISO31000:2009.

2.3.1 Communicate and consult

Communication and consultation with internal and external stakeholders as far as reasonably practical should take place at each stage of the risk management process. A plan to communicate and consult with both internal and external stakeholders should be developed at an early stage. This plan should address issues relating to the risk itself, its consequences and the measures being taken to manage it.

Effective internal and external communication and consultation should take place to ensure that those accountable for implementing the risk management process understand the basis on which decisions are made, and the reasons behind particular actions.

A stakeholder is a person or an organisation that can affect or be affected by a decision or an activity. Stakeholders also include those who have the perception that a decision or an activity can affect them. ISO 31000 distinguishes between external and internal stakeholders.

A consultative approach is useful to:

  • help define the context appropriately;
  • ensure that the interests of stakeholders are understood and considered;
  • bring different areas of expertise together for analyzing risks;
  • help ensure that risks are adequately identified;
  • ensure that different views are appropriately considered in evaluating risks;
  • enhance appropriate change management during the risk management process;
  • secure endorsement and support for a treatment plan; and
  • develop an appropriate internal and external communication and consultation plan.

The communication and consultation plan should:

  • be an exchange of information between stakeholders;
  • convey messages which are honest, accurate, understandable and based on evidence; and
  • be useful, realistic and related to the workplace.

Communication and consultation with stakeholders is important not only to make sure all areas are covered, but also to make sure the implementation of controls is understood and does not create additional hazards or risks.

2.3.2 Establish the context

Establishing the context defines the internal and external parameters to be taken into account when managing risk, and sets the scope and risk criteria for the remaining process within the workplace.

This process must not only identify the various work activities within the workplace, it must also identify when these activities take place, i.e. pre-production, bump-in, operational, bump-out, post event.

For example, here are some of the base areas that need to be identified; note that the list is not exhaustive:

  • Venue – Existing entertainment venue, indoor – outdoor, alternative use of a venue such as a concert in a sporting stadium, temporary structure, greenfield, etc.
  • Type of event – concert, corporate dinner, exhibition, theatrical performance, community event, kids’ entertainment, etc.
  • Demographics – Age and gender mix, cultural signature (i.e. fan behaviour, ethnic or religious expectations), preferred mode of transport, food and beverage expectations, consumption of drugs, etc.
  • Suppliers – Staging, Audio, Lighting, Video, Catering, Security, FOH staff, Ticketing (or crowd registration), Special FX or Pyrotechnics, Logistics, Traffic Management, etc.
  • Time of year – Weather (mostly for outdoor events but can also impact on cloakroom facilities), daylight hours, school holidays, etc.

2.4 Risk assessment

Risk assessment is a process that is, in turn, made up of three processes: risk identification, risk analysis, and risk evaluation. There are many different systems for conducting a risk assessment; it is important to find the one that works best within your environment to get the best results.

Risk identification is a process that involves finding, recognising and describing the risks that could affect the achievement of the event. It is used to identify possible sources of risk in addition to the activities and circumstances that could affect the achievement of the event. It also includes the identification of possible causes and potential consequences. You can use historical data, theoretical analysis, informed opinions, expert advice, and stakeholder input to identify the event specific risks.

Risk analysis is a process that is used to understand the nature, sources, and causes of the risks that you have identified and to estimate the level of risk. It is also used to study impacts and consequences and to examine the controls that currently exist.

Risk evaluation is a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable. Risk evaluation often uses a matrix to determine the risk level.


Consequence:

A – Insignificant: The consequences are dealt with by routine operations.

B – Minor: The consequences would threaten the efficiency or effectiveness of some aspects of the event, but would be dealt with internally.

C – Major: The consequences would not threaten the overall event, but would mean that the completion of the event could be subject to significant review or changed ways of operating.

D – Critical: The consequences would threaten the completion of the event or may have a long term impact on the company.

E – Extreme: The consequences would terminate the completion of the event and will have long term effects on the company, contractors and the venue.

Likelihood:

1 – Almost certain: The event will occur in most circumstances.

2 – Likely: The event will probably occur at least once.

3 – Possible: The event might occur at some time.

4 – Unlikely: The event is not expected to occur.

5 – Rare: The event may occur only in exceptional circumstances.

Risk Level:

Risk levels based on the evaluation are in turn used to prioritise the risk treatment within the event. The basic risk level is simply calculated by multiplying the Likelihood by the Consequence.

1 – 3 Low: Acceptable risk level, implement control measures where suitable.

4 – 8 Medium: Unacceptable risk level, control measures to be implemented as soon as practical.

9 – 12 High: Unacceptable risk level, control measures must be implemented immediately.

15 – 25 Extreme: Unacceptable risk level, task or activity must not be carried out in the current format.
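As an added worked example (not part of the chapter), the scoring scheme above in Python, applied to a small hazard register and extended to the residual rating after treatment that the chapter describes later in this section. It assumes the consequence letters A to E map to 1 to 5, since the chapter gives letters only, and uses the likelihood numbers exactly as printed (1 = Almost certain, 5 = Rare); the register entries and their ratings are constructed.

```python
from dataclasses import dataclass

# Consequence letters are the chapter's; mapping them to 1..5 is an assumption (letters only on the page).
CONSEQUENCE = {"A": 1, "B": 2, "C": 3, "D": 4, "E": 5}
# Likelihood exactly as the chapter numbers it (1 = Almost certain ... 5 = Rare).
LIKELIHOOD = {1: "Almost certain", 2: "Likely", 3: "Possible", 4: "Unlikely", 5: "Rare"}
# Risk level bands as printed: (lowest score, highest score, level, required action).
BANDS = [
    (1, 3, "Low", "implement control measures where suitable"),
    (4, 8, "Medium", "control measures to be implemented as soon as practical"),
    (9, 12, "High", "control measures must be implemented immediately"),
    (15, 25, "Extreme", "task or activity must not be carried out in the current format"),
]

def risk_score(likelihood: int, consequence: str) -> int:
    """Basic risk level as the chapter defines it: Likelihood x Consequence."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError(f"unknown rating {likelihood!r} / {consequence!r}")
    return likelihood * CONSEQUENCE[consequence]

def risk_level(score: int) -> tuple[str, str]:
    """Map a score to (level, action). 13 and 14 are not products of two
    ratings in 1..5, so every score from risk_score() lands in a band."""
    for lo, hi, level, action in BANDS:
        if lo <= score <= hi:
            return level, action
    raise ValueError(f"score {score} is outside the chapter's bands")

@dataclass
class Hazard:
    name: str
    likelihood: int            # inherent rating, before treatment
    consequence: str
    residual_likelihood: int   # rating expected after the proposed treatment
    residual_consequence: str

def assess(register: list[Hazard]) -> list[dict]:
    """Score each hazard before and after treatment; highest inherent score first."""
    rows = []
    for h in register:
        inherent = risk_score(h.likelihood, h.consequence)
        residual = risk_score(h.residual_likelihood, h.residual_consequence)
        rows.append({"hazard": h.name,
                     "inherent": inherent, "inherent_level": risk_level(inherent)[0],
                     "residual": residual, "residual_level": risk_level(residual)[0],
                     # residual risk above Low still needs further treatment or sign-off
                     "acceptable": risk_level(residual)[0] == "Low"})
    return sorted(rows, key=lambda r: r["inherent"], reverse=True)

# Constructed sample register for a small indoor event (not from the chapter).
SAMPLE = [
    Hazard("Cable runs across FOH walkway", 3, "B", 1, "A"),
    Hazard("Forklift movement in shared loading dock", 3, "D", 2, "C"),
    Hazard("Truss rigging over audience area", 4, "E", 4, "C"),
]
```

Because the printed likelihood scale puts 1 at Almost certain, the largest products come from the Unlikely and Rare rows; confirm that this is the ordering intended for your own matrix before adopting the bands as they stand.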

Risk treatment is a risk modification process. It involves selecting and implementing one or more treatment options. Once a treatment has been implemented, it becomes a control or it modifies existing controls.

A control is any measure or action that modifies risk. Controls include any policy, procedure, practice, process, technology, technique, method, or device that modifies or manages risk.

Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances.

The hierarchy of risk control sets out the preferred sequence of control options:

  1. Design or reorganise to eliminate the hazard: try to ensure that hazards are designed out when new materials, equipment and work systems are being planned for the workplace.
  2. Remove or substitute the hazard: where possible remove the hazard or substitute with less hazardous materials, equipment or substances.
  3. Enclose or isolate the hazard: this can be done through the use of barriers, introducing a strict work area, or enclosing a noisy process away from people.
  4. Minimise through engineering controls: this can be done through the use of machine guards, effective ventilation systems etc.
  5. Minimise the risk by adopting administrative controls: establish appropriate procedures and safe work practices such as job rotation to reduce exposure time or boredom; timing the work so that fewer employees are exposed; routine maintenance and housekeeping procedures; training on hazards and correct work methods.
  6. Personal Protective Equipment: provide suitable and properly maintained personal protective equipment and ensure employees are trained in its proper use (examples include gloves, earplugs etc.).

If no single control is appropriate, a combination of the above controls needs to be taken to minimise the risk to the lowest level that is reasonably practicable.

When determining treatments for identified risks, be well aware of Section 18 in the model WHS Act.

18 What is “reasonably practicable” in ensuring health and safety
In this Act, reasonably practicable, in relation to a duty to ensure health and safety, means that which is, or was at a particular time, reasonably able to be done in relation to ensuring health and safety, taking into account and weighing up all relevant matters including:
(a) the likelihood of the hazard or the risk concerned occurring, and
(b) the degree of harm that might result from the hazard or the risk, and
(c) what the person concerned knows, or ought reasonably to know, about:
(i) the hazard or the risk, and
(ii) ways of eliminating or minimising the risk, and
(d) the availability and suitability of ways to eliminate or minimise the risk, and
(e) after assessing the extent of the risk and the available ways of eliminating or minimising the risk, the cost associated with available ways of eliminating or minimising the risk, including whether the cost is grossly disproportionate to the risk.

The really tricky one is (c), “ought reasonably to know”. What that indicates is that if there is a known risk common to the industry, you must apply as a minimum the industry standard controls.

It also means that if an identified risk is subcontracted to another PCBU, you still have a shared duty to ensure the risk is controlled.

Be very careful with (e): the Act does not consider whether you can afford the best way to eliminate a risk, but instead weighs the cost against the damage or injury that could be done. If there is a risk of permanent disability or death, don’t rely on the cost factor as being ‘reasonable’ for not implementing a control.

Residual risk is the risk left over after you’ve implemented a risk treatment option. It’s the risk remaining after you’ve reduced the risk, removed the source of the risk, modified the consequences, changed the probabilities, transferred the risk, or retained the risk.

2.5 Communicate and consult

The next crucial stage is to share the risk assessment with all stakeholders and consult them about the identified risks and the controls required to bring the risk to an acceptable level. There are two reasons why this is an integral part of the risk management process. First, unless the risk assessment is communicated in a timely fashion to all stakeholders, they may not be aware of the risks or the controls to be implemented. This in turn could cause dangerous situations in the workplace, or delays in work starting because the required controls are not in place or available.

Second, by sharing the risk assessment information with all stakeholders and keeping open lines of consultation, you also broaden the scope of the assessment, identify overlooked risks and improve the efficiency of the controls put in place.

Finally, it also satisfies the WHS requirements as set out in Section 46 of the model WHS Act 2011.

46 Duty to consult with other duty holders
If more than one person has a duty in relation to the same matter under this Act, each person with the duty must, so far as is reasonably practicable, consult, co-operate and co-ordinate activities with all other persons who have a duty in relation to the same matter.

2.6 Monitoring and Review

To monitor means to supervise and to continually check and critically observe. It means to determine the current status and to assess whether or not required or expected performance levels are actually being achieved. Monitoring should be part of the consultation process and part of workplace standard operating procedures.

A review is another activity. Review activities are carried out in order to determine whether something is a suitable, adequate, and effective way of achieving established objectives.

In general, ISO 31000 expects you to review your risk management framework and your risk management process. It specifically expects you to review your risk management policy and plans as well as your risks, risk criteria, risk treatments, controls, residual risks, and risk assessment process.

For the entertainment industry, unless an incident requires an earlier review of procedures, a review should be carried out annually across all WHS systems and procedures.

Further guidance on risk management is available in the Code of Practice: How to Manage Work Health and Safety Risks.

2.7 Risk Management for contractors

2.7.1 Know your business

That may seem very obvious, but you will also have to take into consideration the effects your work may have on others in a shared workspace, and the effects that the work of others in that shared workspace may have on your workers. Refer to Section 18 (c) of the model WHS Act.

What that means is that not only must you understand the direct risks related to your work but also any risks introduced by other stakeholders. You may not use forklifts but if they are in use in the workplace by others then you must address that in your risk assessment.

2.7.2 Know the legislation covering your business

It is crucial to know exactly what legislation applies to all areas of your business. There will be Australian Standards that cover certain areas; other activities may be covered by Codes of Practice, Regulations or Acts. All these pieces of legislation will outline certain expectations about how you should manage the risks they address for your workers or others in the workplace.

2.7.3 Consultation with workers

You must also consider how the work is done, including on remote sites outside your control. This is why it is important to involve active workers in the risk assessment process. There is no point in having a paper-based system that can’t effectively be implemented on-site.

2.7.4 Consultation with others

Once you have documented your business risks and how these are controlled, it is time to consult with others in the workplace on how they manage the risks they have identified.

Sometimes there may be several PCBUs who have identified a similar risk but have different ways of controlling it. That can be confusing within a workplace, and it is important that a single approach is applied across the whole workplace, at least for that event.