Work Health and Safety

Risk Management Code of Practice

In this 40-minute session, we look at the Risk Management Code of Practice (CoP). We cover: who has WHS duties; the four-step process; keeping records, appendices & a summary of detailed requirements; and further commentary. This CoP is one of the two that are generally applicable.

The Risk Management Code of Practice (Demo of the full, 40-minute, video).

Risk Management Code of Practice: Topics

Risk Management Code of Practice (CoP):

  • Who has WHS duties;
  • The four-step process;
  • Keeping records, appendices & summary of detailed requirements;
  • Further commentary; and
  • Where to get more information.

Risk Management Code of Practice: Transcript

Risk Management Code of Practice: Transcript

Hello, everyone, and welcome to the Safety Artisan. I’m Simon, your host, and today we’re going to be talking about the Risk Management Code of Practice.

Today we’re talking about the Risk Management Code of Practice. It’s a code of practice that I’ve used myself. I’ve used it to guide my work and to guide other people to help them in their work. I’ve used it to simplify the whole practice of what we do because once you know what you’re supposed to do, you can do that and then you don’t have to worry about working out what you need to do. And conversely, it’s giving you everything you need to do so you can do more if you want to, but you don’t have to. So, it makes life a lot easier and simpler. And then finally, you can use it to justify what you’ve done. That what you’ve done is correct, and what you’ve done is complete and is enough. So, it’s very useful and that’s why I’m teaching it because it makes life easier.

And I’m going to explain how to use it- you’ll still need to go away and read the Code of Practice, as you’ll see, to get all the details – but I’m going to go through the leading particulars and explain how to use it. And then finally, at the end of the session, I’m going to show you where you can get more help on this topic and indeed other related topics because this Code of Practice is one of several. And there’s one other that you must refer to. This Risk Management Code of Practice is one that you really can’t do without. There is one more and then the others are optional, depending on whether you’re working in their respective areas. Anyway, let’s get on with it.

Code of Practice: Risk Management

So we’re talking about the Risk Management Code of Practice, which is under Australian Work Health and Safety Law. Now, if you’re not operating in Australia, this is not a requirement for you but nevertheless, it does contain some very useful guidance. And I’ve seen similar requirements in the US and in the UK, and I suspect all across the English-speaking world.

Topics for this Session

So, what we’re going to cover today. First of all, who has WHS duties because it’s a wider group of people than you might think it is. There’s the four-step process for actually doing risk management. And then I think we’ve got a slide each on keeping records, the appendices in the Code of Practice, and a summary of the detailed requirements in the Code of Practice. Then I’ve provided some further commentary and, as I’ve said before, where to get more information.

Who has WHS Duties?

So, first of all, who has WHS duties? Well, it’s kind of everybody. First of all, if you are a person conducting a business or undertaking or a PCBU for short, then you have duties. And it says business or undertaking, so it includes voluntary groups, non-profit, government, military, you name it. It doesn’t have to be a commercial business. Then you have duties if you are a designer, manufacturer, importer, supplier, or if you install test or commission plant substances or structures. So again, a wide range of people.

And it’s not just about managing safety in a workplace. There’re lots of duties on duty holders with upstream software- sorry not software, upstream safety duties. Like designers and manufacturers. Then finally, officers have additional duties and an officer basically is like a director of a company that sort of level. So, senior management with control over resources and they have to provide due diligence. So, there’s a bunch of requirements on them as well. And then, of course, there’s the workers and any visitors. They’ve got to cooperate and take reasonable care of themselves and look out for each other, which is all very important.

And as it says, and this is a quote from the CoP, “A person can have more than one duty at the same time, and more than one person can share the same duty”. So, you can’t go playing tag, as it were. A sort of a responsibility tag. ‘It wasn’t me. It was him. Governor!’ The court ultimately decides who is responsible.

A Four-Step Process

So, in our four-step process, we have; first of all, we have to identify hazards. We have to assess the risks. So, we need to look at causes and consequences. And the CoP doesn’t say this, but exposure comes into it as well. So, a risk might be present, but if nobody is exposed to that risk, then you can’t hurt them. So, that’s an important point to remember. And controlling exposure is important to one degree or another in almost all areas, but very important in certain industries. Those industries that have got the real estate to be able to separate the risky thing from the human and this is very useful. So step three, we have to control risks. And then step four, we have to review control measures because it’s recognized that these control measures will be in place for some time, for the lifetime of whatever it is we’re doing or undertaking. So, they need to be periodically reviewed and there’s guidance on that.

Now, I keep saying guidance – take a look at the introduction to Codes of Practice and you will see why Codes of Practice are a bit more than guidance. They are guidance that you cannot afford to ignore because if things go wrong, you will get hung out to dry based on what CoP said you should have done. So, if you are ignorant of what CoP said and haven’t done it, then you’re stuffed basically before you even start. That’s point one to note.

And secondly, you’ll notice in the diagram on the left, we’ve got management commitment at the centre and we’ve got consultation all the way around. And there’s another Code of Practice, the Code of Practice on Communication, Cooperation and Coordination . So the C,C&C CoP and that is the other CoP that is essential. So, this one and the C, C and C CoP you must have a look at because they apply to everything in effect. Let’s move on.

Step 1, Identify Hazards

So, first of all, we need to identify hazards. Now, CoP is written for any Australian business or undertaking, so it’s pretty basic. It’s pretty pragmatic, but it’s pretty basic and it’s got a workplace focus. So, it says inspect the workplace, look around, talk to your workers. Now, I work in a business and day job for a consultancy where we, generally speaking, are not looking at an existing workplace, but we’re helping a customer buy or assure a complex product that’s going to come into service at some time in the future. So, there are no current workers to discuss, but we always do try and include end-user representatives in our safety workshops. So, you may not be able to consult workers directly, but you should try and include people who have relevant work experience.

Secondly, the CoP tells us to use good work design and safe design. Now that’s a whole topic in itself and I’ve got some guidance on safe design. If you go to that safety page on safe design (, you will see it and I’ll take you through the subject and refer you on to the source material itself.

Thirdly, we need to consult supply chains and networks. I think that works two ways. First of all, when you get people to supply you stuff, make sure that they supply the data that you need. The safety data, all the information that you need to take and use the product safely. And that’s part of the duty on all of these duty holders, on the designer, the manufacturer, the importer, the supplier. They all have duties to pass on the relevant safety information but make sure you ask for it in your contract. And secondly, suppliers, particularly if you’re buying an expensive piece of kit off them, suppliers can be an excellent source of information. If they’re the designers, then they know this kit better than anybody else. Make use of their expertise, contract them to do some work for you and take part of the load off you. They are best placed to do some of the work, so get them to do it.

And then fourthly, it says review available information. Now, this is very important. There’s historical information or there should be – it’s not always easy to come by sometimes. Do make the effort to get actual historical information for your piece of kit, maybe from the supplier. Or if you can’t do that, if it’s a new piece of kit, then try and get information on similar equipment, or services, or functionality, or go to a trade organization, or go to the regulator depending on what domain you’re in. Do look around for historical information. It is out there. It can be hard to find, but it is worth the effort because, again, the guidance requires it. So, if you don’t do it, if you don’t bother or you’ve not made reasonable efforts to do so, you’ll get clobbered if things go wrong.

And then it’s also advisable to compliment that historical information with diverse approaches. One of them is you can use a hazard checklist approach, and we talk about that in the session on preliminary hazard identification. There are lots of checklists freely available out there on the Internet. Some are general and some are more specific to different pieces of kit or different domains. Try and find the most relevant one for you and use it. And then maybe there are specific safety analyses techniques that you can use as well so have a go at those. And a lot of them are quite simple so don’t be put off. You don’t have to necessarily have to get an expensive consultant in to do this for you. A lot of these techniques are really quite simple and just require a bit of imagination and a little bit of self-discipline in the way you go about it. And I talk about analysis methods for hazard identification in that same session on Preliminary Hazard Identification (PHI).  

So, that’s identifying hazards.

Step 2, Assess Risks

Step two, we need to assess the risks. So, if we recall risk is a combination of likelihood and severity. So, how likely is the harm could arise? And how severe is that harm? The way to do that, the CoP says, is to work out how hazards may cause harm. And as always, don’t be afraid to ask the dumb questions. That’s part of my job as a consultant. You’re allowed to turn up and ask dumb questions. Or maybe sensitive questions that nobody in the firm dares to ask because they think they get fired. So, be brave and do try and work out how to ask the questions in a non-threatening way, but do ask the questions.

Work out how severe the harm could be. What is the worst credible consequence? And also, to keep it simple, what’s the worst direct consequence? Yes, you can come up with a fanciful chain of events that will lead to ‘it’s the end of the world as we know it’, but keep it direct would be my advice. At least to start with. It’s better to get a range of stuff than to work one scenario to the nth degree, I would suggest.

Then work out the likelihood of that harm occurring. Very often the most severe harm can only occur when there is a particular combination of circumstances. And if you read any kind of accident report, even in the press, you’ll very often say this was happening and it just so happened on this particular day that somebody wasn’t available to supervise and then this went wrong and something else went wrong. And then the final result of this chain of consequences was somebody gets hurt. So, do factor in all of those things.

There are probably lots of existing controls already unless you’re doing something very novel indeed, which is unusual. So, do look at what’s there and record it all. Conversely, do be aware of the ‘it will never happen brigade’ is I’ve met several people who say, ‘Oh, that will never happen; or was it ‘No British pilot would be stupid enough to do that. Ho, ho, ho.’ I was foolish enough to believe that. Anyway, that’s another story. So, don’t believe the people who say, ‘It can never happen’. Well, if I say, ‘OK, what’s the justification? Why can it never happen? Where’s the evidence for that claim?’ So, do dig into those responses.

There’s more detail in the Code of Practice. There are some good questions to ask in the workplace. And with a bit of imagination, you can take your imaginary piece of kit and sort of think about it in the workplace and go, ‘Well, let’s think up a suitable question.’ So, there’s good guidance in there. Historical data can’t be beat as a reality check and it shuts up the naysayers as well because if you can pull out information, say, ‘Well this accident has happened and it’s happened lots of times to lots of good people who thought they were clever’. So, it shuts up the naysayers do work hard to get the historical data. It’s fantastic if you can get it.

And then, as I said before, there are multiple specialist cause and consequence analysis techniques available. I talk about some of them and in other posts that I’ve already done, and I will talk about more in the future. But you may not need that level of sophistication. It’s always better to do some good basic work as early as you can. Then maybe if you come up against something and say, ‘We’re not cracking this. We suspect there’s a problem, but we can’t be sure’ then think about bringing out big guns. But if you’ve done the basic work first, that will really help you zero in on the areas where you think you need to do more work.

Step 3, Control Risks

The third one, controlling risks. Really, this is what it’s all about because you can do all the analysis you like, but you don’t do analysis for the sake of it. You do analysis in order to inform your selection of risk controls. And we are required to use a hierarchy of control measures, and that’s a legal requirement in Australia. It’s also a requirement in other jurisdictions and in other many other standards – safety standards that you’ll see it just may not be called this. But it will talk about more and less effective controls.

At the top of the control hierarchy, we’ve got the most effective control which is to eliminate the risk entirely. And by that, I mean you get rid of it. Let’s say you’re working in an explosive atmosphere and you’ve decided you don’t want any electrical devices in that explosive atmosphere. So, if you need to have power for machinery, you’re going to do it with pneumatics, let’s say, or hydraulics. So, you’ve eliminated the electrical risk. Elimination does not mean massaging the probability figures to get them very low and then you have eliminated the risk you have not. You’ve just played games with probability figures. So first off, that’s what elimination really means.

The second level, you’ve got three choices. We can substitute something hazardous with a safer alternative. I’ve mentioned getting rid of electricity entirely. You could say, ‘Well, I’ve got hydraulics, but they can burst and cause damage so I’ll have something else. Or let’s say there was a particular lubricant, which is ideal, but actually it’s quite dangerous this lubricant, so we’ll pick something safer. Maybe it doesn’t perform quite as well. Or a refrigerant, let’s say, an ideal refrigerant might be a potent greenhouse gas so we go ‘We’re going to have something else instead’.

You can isolate the hazard from people – I’ve spoken about that before. Some industries you’ve got a lot of real estate to play with. You can keep the hazard away from people. Or you can reduce the risk through engineering controls. And by engineering controls, I mean, you can build a safety feature or an interlock or something physically into the product. You’re not relying on a person to avoid the risk. It’s been done for them. It’s automatic or built-in.

At third level, we can use admin controls. So we can give people procedures and rules and we can say, ‘Do this, don’t do that’. And most of the time they’ll probably do it and obey the rules, but sometimes they won’t. And sometimes for good reason, by the way, because people come up with ridiculous rules that can’t be obeyed or that make the task or the job so difficult that people break the rules all the time because that’s the only way to get the job done effectively. So, do be aware of putting silly controls onto people because they won’t get obeyed. It’s your responsibility to consult the workers and come up with something practical.

And then finally, we can use personal protective equipment. Now that doesn’t do anything to the probability of the accident, but it reduces the severity. So, for example, if I’m wearing a hard hat, something falls on my head. It reduces the severity of the accident. If I’m wearing protective goggles and there’s a spark or a piece of debris flies out of the machine. If I’m wearing the goggles, it just bounces off probably and saves my eyes. So, there’s a couple of really good examples of where the PPE will help us. And of course, in this season of COVID, we’ve all got PPE bonkers. It’s become headline news all over the world. So, we all now know what PPE is, which is great. Well, and it’s not great. It’s terrible, but it’s good for knowledge.

So, we have to work through that hierarchy in that order. We have to see whether it’s feasible to eliminate the risk to start at the top with the most effective controls and work our way down. We have to do that. And the subject of another chat, another lesson, we have to apply all reasonably practical controls in order to say that we have eliminated or minimized risks SFARP. So far as is reasonably practicable. So, we’ve got to apply all reasonably practical controls. I’ll explain exactly what that means in a separate session.

Aside: Control Effectiveness

A Quick aside: are controls effective? I’ve sort of hinted at this before about the admin stuff. How do we get effective controls? Well, the CoP says we need people to be accountable for health and safety. We need maintenance of plant and equipment. We need up to date training and competency for our people. We need up to date hazard information – that’s a duty in its own right. And we need regular review and consultation. And you’ll find out about that in the CC&C CoP in my next lesson.

Now, these things are required everywhere, they can be achieved informally. If you work in a high-risk industry, you’ll probably have a thing called a safety management system. And your safety management system will be documented in a safety management plan. And typically, the safety management system is the thing that delivers all of these things, all five of these things and much more. So, that’s what you’ll probably end up doing.

First thing to say on that, of course, is that this information has got to be generated. You’ve got to get it from source and it’s usually the designer, the manufacturer, and the installer, and the testers who can provide this information. So, do make sure that you are imposing requirements on your suppliers, on your subcontractors to do this stuff and to provide you with the information. It is their duty to do so. It’s a legal duty, but you’re probably still going to have to pay for it and say when you want it and in what format that’s most useful to you and all the other good stuff.

Step 4, Reviewing Controls

Step four, which is maybe not so obvious. We’ve got some controls, we’re up and running, we need to review those controls. Well, why would we review them? First of all, if you’ve discovered that the control measure is not effective. So, you might have had some incident data., you might’ve had some near misses. Or you might have some reliability data that says ‘My control isn’t as reliable as I thought it was going to be’. But of course, to be aware of that, you’ve got to be collecting this information and you’ve got to be on the lookout for it.

So, you do need a workable incident reporting system and you do need to encourage people to use it and use it either anonymously or honestly. So, that’s where a good safety culture comes in, where you do not punish people for telling the truth. Where you encourage and reward them for the reporting stuff and making things better, you champion. And that’s where management commitment comes in.

The other point where the guidance says you have to do it is if you’re making any kind of change that’s likely to alter or give rise to new risks and you suspect that the existing control measures may not be effective. So, you’re going to make some kind of change – you’ve got to review what you’re doing. But of course, how would the PCBU know that unless they’d actually sort of basically documented the baseline situation? So, you’ve got to have some kind of control over your workplace or over your product or functionality to know what your current situation is and to know that a change is coming. You’ve got to have some kind of baseline control and change control to be able to do that. As I say, it doesn’t have to be that complicated, you just control what goes on at the workplace.

You’ve got to do it if you’ve identified a new hazard or risk. Once you’ve identified something, you’ve got to kind of start from scratch. But that’s okay because hopefully, you’ve already got all of the background analysis that you’ve done. So, you know what you’ve done in the past and therefore you can spot what the delta is. I’m anticipating the record-keeping, but this is where good record keeping really helps you when it comes to managing change. Because if you’ve documented the baseline and understand it, change is relatively straightforward.

Another reason, maybe you’ve consulted with workers or health and safety representatives and you’ve discovered those consultations suggest that a review is necessary. Or maybe a health and safety representative requests a review. In that case, you need to do one.

So those are the five cases where you must conduct a review of controls in order to keep things safe. And very often that’s how accidents occur. We start pretty well and then over a period of time, maybe years or decades, slowly our performance degrades over time or we get a bit blasé about stuff because we’ve never had a problem or so we think. If you’ve got poor incident and near-miss reporting, you won’t be aware of the problems that are happening. So, things slide over time so maybe it’s a good idea to have a periodic review even if you haven’t had any of these triggers. So, that’s a good idea as well. I don’t think it’s in the Code of Practice, but it’s sensible.

Keeping Records

Those are the four steps. Now let’s talk about these three other things, the first of which is keeping records. As it says, keeping records demonstrates what you have done. So, if you have a problem and the regulator comes round to inspect you or maybe even consider shutting you down or issuing a notice to improve or prohibition, then the fact that you’ve got some documentation is going to help you. And also helps you with downstream risk management activities, as I’ve just said.

Then also, there are some specific recordkeeping requirements for particular hazards. So, if you’re exposing people to noise or certain chemicals that may accumulate in the body, then you’re almost certainly going to have to have a monitoring program and a tracking program to keep an eye on this stuff and monitor people’s exposure. So, if you if you’ve got those particular hazards, then there’s going to be some very specific requirements on you that you have to meet and you must keep the records for the time periods required. In general, I would advise keeping the records for at least the life of the system, equipment service, whatever it is, and then a few years afterwards. Just in case there’s an issue that emerges later on. Exactly what you do is up to you.

And from a pragmatic point of view, I would say from experience precision and clarity in record-keeping is so important. Work hard on precision. It might sound like you’re being a bit anal about the way you record stuff if you feel you’re overdoing it, believe me, you are not. Make it simple. Make it crystal clear what you mean. Be very specific and precise as you can and then your records will be a lot more use. I put my hand up and say I’ve written stuff down and then a couple of years or even a few months later, I’ve gone back to something I’ve written down and thought, ‘What did I mean by that?’ Ambiguity is very easy to achieve so write some stuff down. Get somebody else to independently look at it for you and say’ What do you understand that to mean?’ Because English, unfortunately, is a very ambiguous language, very flexible.


So, going back to the CoP, in particular, there are four appendices to the CoP. First of all, in A there’s a glossary of terms, which is very useful. Appendix B, we got some examples of a risk management process. Appendix C, there’s some help and guidance on assessing how things can go wrong. And then in Appendix D, there is a sample format blank risk register for you to use if you haven’t got anything else. And all of these examples and appendices, they are simple. They are workplace focused. As I say, if you work in a high-risk domain, maritime, aviation, you work with flammable chemicals or a big industrial plant, the CoP is not going to be sophisticated enough for your use. You’re going to have to meet and exceed it but you’re probably going to be using a standard that requires far more than what the CoP asks for. And that’s okay.

Detailed Requirements

But looking at it the other way around, the CoP is where everybody needs to start and there are some detailed requirements in each Code of Practice. And in this one, the words ‘must’, ‘requires’ or ‘mandatory’ tell you that there is a legal requirement that must be complied with. There are 35 ‘musts’, 39 ‘required’ of various kinds, and three instances are ‘mandatory’ in this Code of Practice. So, you’ve got to obey them.

Then there’s the word ‘should’, which indicates a recommended course of action and ‘may’ is an option. There are 43 ‘shoulds’ in this document and 82 ‘mays’. Again, my advice would be if it’s a ‘should’, I would do it unless you’ve got a reason not to. In which case you should probably write down why you’re not doing it. And that’s perfectly okay. If it isn’t going to work in your circumstances, or you don’t think it’s reasonable to do something, or you’ve got another way of doing it, which is better. Great. Do that, write it down.

And then the ‘mays’ are options so if you think they’re going to be useful and helpful, do it. If not, you don’t have to. There’re the different levels of compliance that you’ve got in the Code of Practice. And those three levels are in all the Codes of Practice.


So, I’ve gone through what’s in the Code of Practice, I’m just going to give you a brief resumé of what I think is good advice based on personal and practical experience. I’ve said it already, but a quick reminder, Code of Practice provide minimum requirements. So, you do need to start with CoP and probably as the risk gets higher in whatever industry you’re in, you need to do more with higher-risk or to manage higher-risk.

It does have a workplace focus, so it isn’t a lot to use if you’re a designer and you’re trying to work out ‘What safety margins do I need? I need to do a design trade-off’. I know I’ve sort of leaked into the final point. The CoP won’t help you do that. You’ll need a more sophisticated approach, probably based on standards and tolerability. So, the CoP won’t help you with this sophisticated design decisions and trade-offs, and how much margin is enough. You’re probably going to have to go to standards and industry good practice for that.

And, really, what we’re now talking about is, are the risks are SFARP. Have we done everything that’s reasonably practicable? So first of all, have we done enough? Look at the definition of reasonably practicable, which is in Section 18 of the WHS Act. And if you look at that definition, you’ll find that it is a risk assessment process. So, by following the risk management CoP, the risk assessment process, you will have inherently begun to address SFARP. And you need to do that to demonstrate that you reduce risks SFARP. Then deciding how much is enough, well that depends on the particular risk. A simple approach may suffice and for most instances, for some risks can have to do some more sophisticated work. Which will take you beyond the bounds of the CoP.

And then the last point I’m going to make is the Codes of Practice, not just this one but all of them will repay careful reading. There are some detailed requirements in there and they contain lots of good, sensible, pragmatic advice. And if you have to write a safety management plan or a hazard management plan, then do go to CoP and steal the wording. Don’t make stuff up when you don’t have to. If the CoP tells you what to do and that’s part of your solution just copy and paste it. Use it – you’re allowed to!

Do pay attention to the copyright where you go to do make sure you get the right version of CoP for your jurisdiction. So, if it’s a federal workplace you need the Commonwealth version of CoP. If it’s commercial, then you probably state and territory. So, go to the correct regulator’s website, find the right CoP. You will probably find that the copyright allows you to copy and paste absolutely everything out of the CoP. So, do that and save yourself some work. And also, if you’ve done that it’s very easy to demonstrate that you’ve met the requirements of CoP because you’ve copied them. What could be easier? Save yourself some hassle.

As a consultant, I never make up anything unless I can’t possibly avoid it. So, do use the stuff out there because CoP has been developed for you by a bunch of people in consultation. Lots of people have put a lot of hard work into coming up with a good CoP, which is authorised by the relevant government minister. So, use it, don’t ignore it. It’s there to help you.

Copyright & Attribution

Now, I’ve mentioned that you can dig this stuff out of the right website, and that’s exactly what I’ve done. So, any words that you see in italics, in speech marks, I have lifted from the Federal Register of legislation and I’m allowed to do so under the terms of the Creative Commons license. And as part of the terms of that license, I’m required to tell you that I got this stuff on the 15th of August 2020. But you should always go to the website to check that you’re using the latest version. Don’t rely on what I’ve said, go and check you using the latest version. And for more information on what you can and can’t do with this Creative Commons license, I’ve got a page at the Safety Artisan that sets out what my obligations are and you’ll be able to see that I’ve met them.

For More…

And then for more information, if you’d like to get free video lessons on safety and free previews of paid content, do please go look at the Safety Artisan channel on YouTube and hit that subscribe- Yes, please! And you will then be informed of whenever a new video comes out which you believe you will find very helpful. And then for all lessons and resources, you can go to And as you can see, it’s a secure website, so you’re safe to browse there. Go and have a look at the stuff that’s on there. This lesson is there, as are many others.


So that’s the end of our lesson for today, and we’ve gone on for almost 40 minutes. That’s because there’s a lot of good stuff out there to talk about. So just remains me to say thanks very much for tuning in and bothering to listen to this. Thank you for supporting the Safety Artisan. Your subscription, your money, enables me to carry on doing this stuff, and I hope you and many others will find it helpful. So, thanks very much. Bye-bye.

End: Risk Management Code of Practice

You can find the Model Code of Practice here.  Back to the Topics Page.

Leave a Reply

Your email address will not be published. Required fields are marked *