A PCBU must follow the risk management process in order to comply with its H&S duties.

This guide explains the risk management process that a PCBU must follow under WHS laws.

It accompanies two other guides which explain the other two important components of the risk management process, namely:

management commitment (which is simply another name for corporate culture) and
the duties to consult.

WHS Series –
How a PCBU manages its risks –
The process

Note – This information is designed for those small business owners who do not have a health & safety representative or health and safety committee in their workplace.

Download PDF

The contents of this guide are for information purposes only and should not be treated as being legal advice.

The required outcome

The WHS Act 2011 requires a person having a duty to ‘ensure health & safety’ requires that person to either:

to eliminate risks to health and safety, so far as is reasonably practicable, or
if it is not reasonably practicable to eliminate risks to health and safety, to minimise those risks so far as is reasonably practicable¹.

Under the WHS Act 2011

‘So far as is reasonably practicable’

It then goes on to define ‘reasonably practicable’ as:

meaning - “that which is, or was at a particular time, reasonably able to be done in relation to ensuring health and safety, taking into account and weighing up all relevant matters…”, and
including:
- the likelihood of the hazard or the risk concerned occurring,
- the degree of harm that might result from the hazard or the risk,
- what the person concerned knows, or ought reasonably to know, about:
  - the hazard or the risk, and
  - ways of eliminating or minimising the risk,
- the availability and suitability of ways to eliminate or minimise the risk, and
- after assessing the extent of the risk and the available ways of eliminating or minimising the risk, the cost associated with available ways of eliminating or minimising the risk, including whether the cost is grossly disproportionate to the risk.”²

______________________________

¹ Section 17 of the WHS Act 2011.

² Section 18 of the WHS Act 2011.

Under the WHS Regulation 2016 and Codes of Practice

The WHS Regulation 2016³ provides further detail about what a PCBU must do before it can be said to have managed the risks to health and safety.

Step 1 – Hazards

The first step is for a duty holder to ‘identify reasonably foreseeable hazards’⁴, where a hazard is defined as being ‘a situation or thing that has the potential to harm a person’⁵.

Step 2 – Risk management – what to do

A risk is defined as being ‘the possibility of harm (death, injury or illness) might occur when exposed to a hazard’⁶.

When managing a risk, a duty holder must⁷:

First of all – eliminate the risk to health & safety, so far as is reasonably practicable, and
Secondly – if it is not reasonably practicable to eliminate risks to health & safety, then minimise those risks so far as is reasonably practicable.

Step 3 – Risk management – how to do it

The WHS Regulation 2016 requires a duty holder who finds that it is NOT reasonably practicable to eliminate risks to health and safety to minimise risks to health and safety by ‘implementing risk control measures’.

Both the WHS Regulation 2016 and the Code of Practice: How to manage work health and safety risks (August 2019) explain how a PCBU should do this.

Implement control measures⁸

The hierarchy of controls works in the following way:

First of all – a duty holder must minimise risks, so far as is reasonably practicable, by doing one or more of the following:
- substituting (wholly or partly) the hazard giving rise to the risk with something that gives rise to a lesser risk,
- isolating the hazard from any person exposed to it, or
- implementing engineering controls (where an engineering control means⁹ ‘a control measure that is physical in nature, including a mechanical device or process’).
Then, if a risk remains – the duty holder must minimise risks, so far as is reasonably practicable, by implementing administrative controls (where an administrative control means¹⁰ ‘a method of work, a process or a procedure designed to minimise risk, but does not include … an engineering control, or … the use of personal protective equipment’).
Finally, if a risk still remains – the duty holder must minimise risks, so far as is reasonably practicable, by ensuring the provision and use of personal protective equipment (where personal protective equipment means¹¹ ‘anything used or worn by a person to minimise risk to the person’s health and safety, including air supplied respiratory equipment’).

Maintain and review control measures

A duty holder’s risk management obligations do not end with the implementation of control measures.

Once implemented, a duty holder must ensure that the control measures it has implemented are both:

maintained¹² – so they remain effective, including that they remain:
- fit for purpose,
- suitable for the nature and duration of work, and
- installed, set up and used correctly, and
reviewed and revised¹³ – so a work environment is maintained without risks to health and safety.

There is no set program for reviewing and, if necessary, revising the control measures that have been implemented, but some examples of when this needs to be done include where:

the control measure no longer controls the risk it was implemented to control so far as is reasonably practicable,
there will be a change¹⁴ to the workplace which is likely to give rise to a new risk (to health and safety) which the measure may not effectively control,
a new relevant hazard or risk is identified, or
the results of a consultation indicates that a review is required.

____________________________________________

³Part 3.1 Managing risks to health and safety

⁴Clause 34 of the WHS Regulation 2016.

⁵Code of Practice: How to manage work health and safety risks (August 2019), at page 26.

⁶Code of Practice: How to manage work health and safety risks (August 2019), at page 27.

⁷Clause 35 of the WHS Regulation 2016.

⁸Clause 36 of the WHS Regulation 2016.

⁹Clause 5 of the WHS Regulation 2016.

¹⁰Clause 5 of the WHS Regulation 2016.

¹¹Clause 5 of the WHS Regulation 2016.

¹²Clause 37 of the WHS Regulation 2016.

¹³Clause 38 of the WHS Regulation 2016.

¹⁴Either to the workplace itself, to any aspect of the work environment or a change to a system of work, a process or procedure.

Codes of Practice provide more detail on how to comply with WHS laws both:

generally, and
in relation to specific circumstances.

The important role of a Code of Practice

Codes of Practice are also regulatory documents and must be followed.

This is especially important, given how they are used by WHS inspectors and the law courts.

How WHS inspectors use Codes of Practice

An inspector can refer to a Code of Practice when issuing an improvement or prohibition notice.

How law courts use Codes of Practice

During a hearing (for a prosecution for a breach under the WHS Act 2011) the court may:

have regard to the particular code as evidence of what is known about:
- a hazard or risk,
- risk assessment or
- risk control, and
rely on the code in determining what is ‘reasonably practicable’ in the circumstances.

In other words, the reason why Codes of Practice exist is primarily to assist a court of law in determining whether or not someone has breached their legal obligations¹⁵.

However, this doesn’t stop the duty holder from bringing evidence of how, even though it managed the particular risk in question in a different way, it still provided a standard of work health and safety that is equivalent to or higher than the standard required by the code.

This is why the contents of Codes of Practice are important, as their contents are relevant to determining whether the control measures implemented and reviewed by a PCBU are ‘reasonably practicable’.

______________________________________

¹⁵Sections 274 & 275 of the WHS Act 2011.

Conclusion

A PCBU holds a duty to ‘ensure health and safety’ and can only discharge that duty if it follows its mandatory risk management obligations.

Therefore, it is important that every PCBU understands:

• what risk management is, and

• how to follow the risk management process.

This guide is to be read in conjunction with the guides that explain how a PCBU manages its risks by incorporating management commitment and consultation.