How to Conduct a Workplace Risk Assessment for ISO 45001


Team CertBetter


Why Risk Assessment Is the Heart of ISO 45001

If you are pursuing ISO 45001 certification, the workplace risk assessment is not just a box to tick. It is the foundation everything else is built on. Without a solid, well-documented risk assessment, your entire occupational health and safety management system (OH&S MS) will struggle to hold up under audit scrutiny.

ISO 45001 is the international standard for occupational health and safety management systems. It replaced OHSAS 18001 and introduced a much stronger emphasis on identifying hazards, assessing risks, and taking proactive action before incidents occur. The risk assessment process sits at the core of Clause 6.1, which deals with actions to address risks and opportunities.

This guide walks you through exactly how to conduct a workplace risk assessment that meets ISO 45001 requirements, holds up during a certification audit, and actually improves safety outcomes in your business. Not just on paper, but in practice.

Understanding What ISO 45001 Requires

Before you start filling in risk assessment templates, it helps to understand what the standard actually expects. ISO 45001 does not prescribe a specific risk assessment methodology. That is intentional. The standard gives you flexibility to choose an approach that suits your workplace, your industry, and your hazard profile.

What the standard does require is that you:

  • Identify hazards on an ongoing basis
  • Assess the OH&S risks associated with those hazards
  • Determine controls to eliminate or reduce those risks
  • Document and maintain the results of your risk assessment
  • Review and update assessments when changes occur or incidents happen

Clause 6.1.2 specifically requires organisations to establish, implement and maintain processes for hazard identification (6.1.2.1) and for the assessment of OH&S risks (6.1.2.2), and the standard expects hazard identification to be ongoing and proactive. This is not a one-time activity. It is a living process that needs to be embedded into how your business operates day to day.

If you are new to the standard, our beginner's guide to ISO 45001 gives a solid overview before diving into the specifics of risk assessment.

Step 1: Define the Scope and Context of Your Assessment

The first practical step is to define what you are assessing. This sounds obvious, but it is where many businesses go wrong. They either assess too narrowly (missing entire departments or activities) or too broadly (creating a generic assessment that does not reflect actual conditions).

What to include in scope

Your risk assessment should cover all activities, locations, and people that fall within your OH&S management system scope. This includes:

  • Routine and non-routine tasks (maintenance, shutdowns, emergency responses)
  • All workers, including contractors, labour hire staff, and visitors
  • All physical locations where work is performed, including remote sites and client premises
  • Equipment, materials, and substances used in the workplace
  • Human factors such as fatigue, stress, and workload

Understanding your organisational context matters here. The ISO 45003 guide on psychosocial risk is worth reading alongside this process, because psychological hazards like burnout, bullying, and role ambiguity are increasingly expected to appear in ISO 45001 risk assessments.

Step 2: Identify Hazards Systematically

Hazard identification is the process of finding, recognising, and describing anything that has the potential to cause harm. This is where you need to be thorough and systematic rather than relying on memory or gut feel.

Common hazard identification methods

There is no single right method. Most workplaces use a combination of approaches:

  • Workplace inspections and walkthroughs conducted by a cross-functional team
  • Job Safety Analysis (JSA) or Safe Work Method Statements (SWMS) for high-risk tasks
  • Review of incident and near-miss records from the past two to three years
  • Worker consultation and interviews, particularly with frontline staff who know the real hazards
  • Review of equipment manuals, Safety Data Sheets (SDS), and manufacturer guidance
  • Regulatory guidance from Safe Work Australia and state-based work health and safety authorities

Categories of hazards to consider

When walking through your workplace or reviewing tasks, think across all hazard categories:

  • Physical hazards: noise, vibration, temperature extremes, manual handling, working at heights
  • Chemical hazards: exposure to hazardous substances, fumes, dusts, or solvents
  • Biological hazards: exposure to bacteria, viruses, mould, or animal-related risks
  • Ergonomic hazards: repetitive motion, awkward postures, poorly designed workstations
  • Psychosocial hazards: workload, harassment, shift work, job insecurity
  • Electrical and mechanical hazards: live electrical work, moving machinery, pressure systems

Document every hazard you identify. Do not filter at this stage. You will assess severity and likelihood in the next step.

Step 3: Assess the Risk for Each Hazard

Once hazards are identified, you need to assess the level of risk associated with each one. Risk is typically expressed as a combination of two factors: the likelihood that harm will occur, and the severity of that harm if it does.

Using a risk matrix

The most common approach in Australian workplaces is a risk matrix, often a 5x5 grid that plots likelihood against consequence. Each combination produces a risk rating, typically expressed as extreme, high, medium, or low.

For each hazard, ask yourself:

  • How likely is it that this hazard will cause harm? (Rare, Unlikely, Possible, Likely, Almost Certain)
  • How severe would that harm be? (Negligible, Minor, Moderate, Major, Catastrophic)

The resulting risk rating tells you how urgently you need to act. Extreme and high risks require immediate attention and robust controls. Low risks may be acceptable with basic precautions in place.

Consider existing controls

When assessing risk, you need to consider what controls are already in place. This is the concept of inherent risk versus residual risk. Inherent risk is the raw risk before any controls. Residual risk is what remains after existing controls are applied.

Both matter. If your existing controls are unreliable, poorly maintained, or not consistently followed, your residual risk may be higher than you think. Be honest in this assessment. Auditors will probe this, and workers know the reality better than any document.

Step 4: Apply the Hierarchy of Controls

Once you have assessed risks, you need to determine what controls to put in place. ISO 45001 requires you to apply the hierarchy of controls, which is also embedded in Australian work health and safety legislation through the model WHS Regulations (regulation 36, hierarchy of control measures).

The hierarchy, from most to least effective, is:

  1. Elimination: Remove the hazard entirely. Can you stop using a hazardous chemical? Can you automate a dangerous task?
  2. Substitution: Replace the hazard with something less dangerous. A less toxic cleaning product, a lighter tool, a safer process.
  3. Engineering controls: Physical changes to the workplace or equipment that reduce exposure. Guards, ventilation systems, noise barriers.
  4. Administrative controls: Changes to how work is done. Safe work procedures, job rotation, training, supervision.
  5. Personal Protective Equipment (PPE): The last line of defence. Gloves, helmets, respirators, hearing protection.

ISO 45001 auditors will look at whether you have genuinely considered higher-level controls before defaulting to PPE and training. “We give them gloves” is not an adequate response to a chemical exposure risk if substitution or engineering controls were feasible.

Safe Work Australia's guidance on managing WHS risks aligns closely with the ISO 45001 hierarchy and is a useful reference for Australian businesses building their control frameworks.

Step 5: Document the Risk Assessment Properly

Documentation is critical. ISO 45001 requires you to retain documented information as evidence of your risk assessment process and results. This does not mean you need hundreds of pages of paperwork, but you do need records that demonstrate your process was systematic and your decisions were justified.

What your risk register should include

A well-structured risk register typically captures:

  • Hazard description and location or task
  • Who is at risk (workers, contractors, visitors)
  • Existing controls already in place
  • Likelihood and consequence ratings (with the resulting risk level)
  • Additional controls required
  • Person responsible for implementing controls
  • Target completion date
  • Review date
  • Residual risk rating after controls are applied

The format matters less than the content. A well-maintained spreadsheet can be just as effective as specialist software, provided it is kept current and accessible to those who need it.

Version control and document management

Your risk assessment documents need to be controlled. That means version numbers, review dates, and a clear process for updating them when conditions change. If you do not already have a document control process in place, this is worth setting up early. Our guide on what controlled documents are and how to implement them covers this in practical detail.

Step 6: Consult Workers Throughout the Process

This step is non-negotiable under ISO 45001. Clause 5.4 requires organisations to consult and involve workers in the development, planning, implementation, evaluation, and improvement of the OH&S management system. Risk assessment is explicitly part of this.

Worker consultation is not just a compliance requirement. It is genuinely useful. Frontline workers often identify hazards that management never sees, and they know which controls actually work in practice versus which ones look good on paper.

Practical ways to involve workers include:

  • Including frontline staff in workplace inspections and hazard identification walkthroughs
  • Running toolbox talks where workers can raise safety concerns
  • Using anonymous hazard reporting systems
  • Establishing a health and safety committee or representative structure
  • Reviewing risk assessments with the relevant work team before finalising

Document your consultation process. Auditors will ask how workers were involved, and you need to be able to show evidence of genuine engagement, not just a signature on a form.

If you are struggling to get meaningful worker participation, our article on how to get worker participation in ISO 45001 implementation has practical strategies that actually work.

Step 7: Review and Update Your Risk Assessment Regularly

A risk assessment completed once and filed away will fail an audit and, more importantly, will fail your workers. ISO 45001 requires you to review your hazard identification and risk assessment processes when:

  • Changes to operations, equipment, materials, or work methods are planned or introduced
  • An incident, near miss, or dangerous occurrence takes place
  • New information about hazards becomes available
  • Legal or regulatory requirements change
  • At planned intervals, regardless of whether changes have occurred

Most businesses set an annual review as a minimum, with trigger-based reviews occurring whenever the above conditions are met. The review should not be a formality. It should involve re-examining each hazard, checking whether controls are still effective, and updating ratings and actions accordingly.
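The 5x5 matrix from Step 3, the inherent-versus-residual distinction, the hierarchy check from Step 4, the register fields from Step 5 and the review triggers above can be pulled together in a small script that checks a register the way an auditor would. The following is an added Python example written for this guide; it is not CertBetter's tool or anything the standard prescribes. The rating-band thresholds, the field names, the audit date and the two sample rows are assumptions constructed for illustration.

```python
"""Added example: a minimal ISO 45001-style risk register with a 5x5 matrix,
inherent vs residual risk, a hierarchy-of-controls check and review triggers."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
CONSEQUENCE = {"Negligible": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}
# Hierarchy of controls, most to least effective (1 = elimination ... 5 = PPE)
HIERARCHY = {"elimination": 1, "substitution": 2, "engineering": 3, "administrative": 4, "ppe": 5}
ACT_NOW = {"Extreme", "High"}
AUDIT_DATE = date(2024, 3, 1)  # assumed "today" for the example


def score(likelihood: str, consequence: str) -> int:
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def rate(likelihood: str, consequence: str) -> str:
    """Map a likelihood/consequence pair to a rating band. The thresholds are an
    assumption for this example; ISO 45001 does not prescribe them."""
    s = score(likelihood, consequence)
    if s >= 15:
        return "Extreme"
    if s >= 8:
        return "High"
    if s >= 4:
        return "Medium"
    return "Low"


@dataclass
class Control:
    level: str             # a key of HIERARCHY
    description: str
    planned: bool = False  # False: already in place; True: additional control required


@dataclass
class RiskEntry:
    hazard: str
    task: str
    at_risk: str
    likelihood: str           # inherent, before any controls
    consequence: str
    residual_likelihood: str  # after the controls that genuinely exist and are followed
    residual_consequence: str
    controls: list[Control] = field(default_factory=list)
    owner: str = ""
    target_date: date | None = None
    review_date: date | None = None

    def inherent(self) -> str:
        return rate(self.likelihood, self.consequence)

    def residual(self) -> str:
        return rate(self.residual_likelihood, self.residual_consequence)


def audit_findings(entry: RiskEntry, today: date) -> list[str]:
    """Return the points an auditor would raise on one register row (empty = clean)."""
    findings = []
    best = min((HIERARCHY[c.level] for c in entry.controls), default=HIERARCHY["ppe"])
    inh = score(entry.likelihood, entry.consequence)
    res = score(entry.residual_likelihood, entry.residual_consequence)
    if entry.inherent() in ACT_NOW and best >= HIERARCHY["administrative"]:
        findings.append("hierarchy: only administrative/PPE controls against a High/Extreme risk")
    if entry.controls and res >= inh:
        findings.append("controls listed but residual risk is not lower than inherent risk")
    if entry.residual() in ACT_NOW and not any(c.planned for c in entry.controls):
        findings.append("residual risk still High/Extreme with no additional controls planned")
    if any(c.planned for c in entry.controls) and (not entry.owner or entry.target_date is None):
        findings.append("additional controls have no responsible person or target date")
    if entry.review_date is None or entry.review_date < today:
        findings.append("review date missing or overdue")
    return findings


def review_triggered(entry: RiskEntry, today: date, changed_tasks=(), incident_tasks=()) -> bool:
    """Planned-interval review plus the change and incident triggers from Step 7."""
    overdue = entry.review_date is None or entry.review_date < today
    return overdue or entry.task in set(changed_tasks) | set(incident_tasks)


def sample_register() -> list[RiskEntry]:
    """Two constructed rows for illustration only; not real workplace data."""
    return [
        RiskEntry("Solvent vapour from parts washer", "Parts cleaning", "Workshop staff",
                  "Likely", "Major", "Possible", "Moderate",
                  controls=[Control("ppe", "Nitrile gloves, half-face respirator"),
                            Control("administrative", "SWMS and 10-minute exposure limit")],
                  review_date=date(2023, 6, 30)),
        RiskEntry("Unguarded nip point on conveyor", "Packaging line", "Operators, contractors",
                  "Possible", "Major", "Rare", "Major",
                  controls=[Control("engineering", "Fixed guard with interlocked access door"),
                            Control("administrative", "Pre-start inspection checklist")],
                  owner="Site manager", target_date=date(2024, 2, 15), review_date=date(2024, 12, 1)),
    ]


if __name__ == "__main__":
    for row in sample_register():
        print(f"{row.hazard}: inherent {row.inherent()}, residual {row.residual()}")
        for finding in audit_findings(row, AUDIT_DATE):
            print("  finding:", finding)
        print("  review due:", review_triggered(row, AUDIT_DATE, incident_tasks={"Packaging line"}))
```

Run as written, the first row (PPE and a procedure against an Extreme solvent exposure, review date lapsed) produces three findings that mirror the audit problems described in this guide, while the second row (an engineering guard that brings a High risk down to Medium, with an owner and a current review date) produces none. The residual-versus-inherent comparison is on the underlying score rather than the band, so a control that reduces risk without changing the band is not wrongly flagged.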

Common Mistakes That Will Fail an ISO 45001 Audit

Across the many OH&S management systems we have reviewed over the years, the same problems come up repeatedly. Here are the ones that cause the most trouble during certification audits.

Generic risk assessments that do not reflect actual work

If your risk assessment looks like it was copied from a template with your company name pasted in, an auditor will notice. The hazards, controls, and risk ratings need to reflect your specific workplace, your specific tasks, and your specific workforce. Generic documents are a major red flag.

Missing non-routine and emergency activities

Most businesses do a reasonable job assessing routine tasks. Where they fall short is non-routine activities like equipment maintenance, emergency response, and after-hours work. These often carry higher risk and need specific assessment.

Treating PPE as the primary control

As mentioned earlier, defaulting to PPE without genuinely considering higher-level controls is a common finding. It suggests the hierarchy of controls has not been properly applied.

No evidence of worker consultation

Completing a risk assessment without involving workers, or without documenting that involvement, will result in a nonconformance against Clause 5.4.

Outdated documents

Risk assessments with review dates that have passed, or that predate significant changes to the workplace, suggest the system is not being maintained. This is a management system issue, not just a documentation issue.

Linking Risk Assessment to the Broader ISO 45001 System

Your risk assessment does not sit in isolation. It feeds into multiple other parts of your ISO 45001 management system:

  • Objectives and targets (Clause 6.2): High risks should inform your safety objectives and improvement targets
  • Operational controls (Clause 8.1): Controls identified in the risk assessment need to be implemented and maintained
  • Emergency preparedness (Clause 8.2): Severe risk scenarios should feed into your emergency response planning
  • Competence and training (Clause 7.2): Risk assessments identify where specific skills or knowledge are needed
  • Internal audit program (Clause 9.2): High-risk areas should receive greater audit attention
  • Management review (Clause 9.3): Risk assessment outcomes should be reported to top management

Understanding how these elements connect helps you build a system that actually functions rather than one that exists only to satisfy an auditor. If you want to understand how ISO 45001 fits alongside other management system standards, our integrated management systems guide explains how these frameworks work together.

For a broader view of risk management principles that complement the ISO 45001 approach, the ISO 31000 risk management standard provides the underlying framework that many organisations apply across their entire risk landscape.

Getting Support for ISO 45001 Certification

Conducting a thorough workplace risk assessment takes time, expertise, and genuine commitment from leadership. For many businesses, particularly those pursuing ISO 45001 certification for the first time, it makes sense to work with an experienced consultant who can guide the process, identify gaps, and ensure the documentation is audit-ready.

The challenge is finding a consultant who has real OH&S experience and understands your industry. Not all consultants are equal, and the wrong choice can cost you time and money.

That is exactly the problem CertBetter was built to solve. CertBetter is a free platform that connects businesses with verified ISO consultants and accredited certification bodies. You submit one form, and you receive up to three competing quotes from vetted providers with relevant experience. There is no cost to your business, and no obligation to proceed with any quote. If you are ready to move forward with ISO 45001, it is a practical first step.


Frequently Asked Questions

Does ISO 45001 mandate a specific risk assessment methodology?

No, ISO 45001 does not mandate a specific risk assessment methodology. The standard requires you to identify hazards, assess risks, and implement controls, but leaves the choice of method to the organisation. Common approaches include risk matrices, bow-tie analysis, job safety analysis, and failure mode and effects analysis. The key requirement is that your chosen method is systematic, documented, and appropriate for the complexity of your workplace hazards.

How often must a risk assessment be reviewed?

ISO 45001 requires risk assessments to be reviewed at planned intervals and whenever significant changes occur. Most organisations set an annual review as a minimum. However, you must also trigger a review when there are changes to work processes, equipment, or materials, when an incident or near miss occurs, when new hazard information becomes available, or when legal requirements change. The review must be documented to demonstrate the system is being actively maintained.

Do contractors and visitors need to be included in the risk assessment?

Yes. ISO 45001 applies to all workers, which includes contractors, labour hire staff, subcontractors, and visitors who are on your premises or performing work on your behalf. Your risk assessment must consider the hazards they face and the controls needed to protect them. You also need to consider hazards that contractors may introduce to your workplace through their own activities, equipment, or substances.

What is the difference between a hazard and a risk?

A hazard is the source of potential harm. A risk is the combination of the likelihood that harm will occur and the severity of that harm if it does. For example, a wet floor is a hazard. The risk is the probability that a worker will slip and the likely severity of any resulting injury. ISO 45001 requires you to identify hazards first, then assess the associated risks, and then determine appropriate controls based on that risk assessment.

Can I use a risk assessment template?

You can use a template as a starting point, but it must be thoroughly customised to reflect your actual workplace, tasks, and workforce. Generic templates that have not been adapted to your specific operations are a common audit finding and will typically result in a nonconformance. Auditors will interview workers and walk the workplace to verify that the risk assessment reflects reality. If your document does not match what is actually happening on the ground, it will not pass.

What happens if an auditor finds gaps in my risk assessment?

If an auditor identifies hazards or activities that are not covered in your risk assessment, this will likely be raised as a nonconformance against Clause 6.1.2. Depending on the severity and number of gaps, this could be classified as a minor or major nonconformance. A minor nonconformance means you will need to provide a corrective action plan and evidence of resolution within a specified timeframe. A major nonconformance could delay certification until the issue is resolved. The best approach is to conduct a thorough internal audit of your risk assessment before the certification audit takes place.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.
