The Code of Practice for How to Manage Work Health and Safety Risks is the foundational risk management code that underpins all other approved codes. It establishes the systematic process for identifying hazards, assessing risks, implementing controls according to the hierarchy of controls, and reviewing control effectiveness. From 1 July 2026, Section 26A of the WHS Act makes compliance with this code legally binding. Because this code establishes the general risk management methodology that every other code applies to specific hazards, non-compliance with this code has implications across the entire safety management system. Every PCBU in every industry must ensure its risk management processes align with this code.
The full title is the Code of Practice: How to Manage Work Health and Safety Risks, published by Safe Work Australia. The code becomes legally binding from 1 July 2026 under Section 26A of the WHS Act. The code applies to all workplaces and all work activities across every industry. It establishes the four-step risk management process: identify hazards, assess risks, control risks, and review control measures. The code covers methods for hazard identification including workplace inspection, consultation with workers, review of incident records, and analysis of Safety Data Sheets. It establishes the risk assessment methodology considering likelihood and consequence. The hierarchy of controls is defined: elimination, substitution, isolation, engineering controls, administrative controls, and personal protective equipment. The code requires regular review of controls and reassessment when incidents occur, new hazards are identified, work processes change, or new information becomes available.
The code applies to every PCBU and every officer in every industry. There are no exemptions based on industry type, business size, or risk level. A sole trader operating from a home office has the same obligation to follow the risk management process as a multinational construction company. The code's requirements scale with the nature and level of risk — a high-risk construction project requires more detailed and frequent risk assessment than a low-risk office environment, but both must follow the same systematic process. Officers have specific due diligence obligations that require them to ensure the PCBU has and uses processes for identifying hazards and managing risks. The code also establishes the obligation to consult with workers about hazard identification, risk assessment, and control selection, meaning that health and safety representatives and committees have a defined role in the risk management process.
The code requires a systematic and proactive approach to hazard identification that goes beyond responding to incidents after they occur. PCBUs must actively look for hazards through regular workplace inspections, task observation, consultation with workers who perform the tasks, review of incident and near-miss reports, analysis of injury and illness data, review of Safety Data Sheets and manufacturer instructions, and consideration of non-routine activities including maintenance, cleaning, and emergency situations. Risk assessment must consider both the likelihood of harm occurring and the severity of the potential harm. The code does not mandate a specific risk matrix but requires a systematic approach that can be documented and communicated. Controls must be selected and implemented in accordance with the hierarchy, with higher-order controls (elimination, substitution, engineering) preferred over lower-order controls (administrative, PPE). The code explicitly states that PPE must not be used as the primary or sole control measure where higher-order controls are reasonably practicable. Control effectiveness must be reviewed through monitoring, inspection, and consultation.
First, audit the current risk management process against the code's four-step methodology, identifying any gaps in hazard identification coverage, risk assessment documentation, control hierarchy application, and control review frequency. Second, review risk assessment documentation for all current work activities to ensure each assessment identifies the specific hazards, assesses the risk using a systematic methodology, selects controls from the hierarchy in the prescribed order, and documents the residual risk after controls are implemented. Third, verify that worker consultation is integrated into the risk management process, with documented evidence that workers have been consulted about hazard identification, risk assessment, and control selection for their work activities. Fourth, establish a control review schedule that triggers reassessment at defined intervals and in response to specific events including incidents, near-misses, process changes, new equipment, and new regulatory requirements. Fifth, implement a documented risk register that tracks all identified hazards, assessed risks, implemented controls, and review dates in a single auditable system.
Failure to follow the systematic risk management process established in this code undermines compliance with every other code of practice, because all other codes apply the same methodology to specific hazards. After 1 July 2026, failure to follow the code constitutes a standalone offence. A PCBU that cannot demonstrate a systematic approach to hazard identification, risk assessment, and control implementation will struggle to defend any prosecution because the risk management process is the foundation of the duty of care. Category 2 penalties of up to $1,731,500 for a body corporate apply where inadequate risk management exposes workers to risk. Improvement notices are commonly issued for workplaces where risk assessments are absent, incomplete, or not reviewed. For officers, failure to ensure the PCBU has risk management processes in place is a direct breach of the due diligence obligations, exposing officers to personal liability. All penalties are uninsurable in NSW since 10 June 2020.
EHS Atlas provides the complete risk management workflow — hazard identification, risk assessment, control hierarchy, and review tracking — in a single platform aligned to the binding code.