Work Health and Safety (How to Manage Work Health and Safety Risks) Code of Practice 2015

The Work Health and Safety (How to Manage Work Health and Safety Risks) Code of Practice 2015 is an approved code of practice under section 274 of the Work Health and Safety Act 2011. The Code describes itself as a practical guide to achieving the standards of health, safety and welfare required under the WHS Act and the Work Health and Safety Regulations.

That matters because approved codes sit in a practical middle ground between broad legal duties and day-to-day business operations. The Code is not just background reading. It explains a structured process for managing risks and gives guidance that regulators, inspectors and courts can use when looking at whether a business has met its WHS duties.

The Code also says that in most cases, following an approved code of practice would achieve compliance with the health and safety duties in the WHS Act in relation to the subject matter of the code. It is admissible in court proceedings, and courts may regard it as evidence of what is known about a hazard, risk or control and may rely on it in determining what is reasonably practicable in the circumstances. An inspector may also refer to an approved code when issuing an improvement or prohibition notice.

At the same time, the Code recognises that compliance can also be achieved by another method, such as a technical or industry standard, if that method provides an equivalent or higher standard of work health and safety than the Code. So the practical question for a business is not simply whether it has copied the Code word for word, but whether its actual system of work reaches at least the same safety standard.

The Commonwealth instrument was made under the Work Health and Safety Act 2011 and approved on 17 December 2015. It was registered on 30 March 2016 and commenced on the day after registration. The Federal Register of Legislation lists it as in force.

The Code also states that it was developed by Safe Work Australia as a model code of practice for adoption by the Commonwealth, state and territory governments. That is important for businesses operating across Australia. A business covered by the Commonwealth WHS regime should read this Code directly. A business operating under a state or territory WHS regime should check whether the local jurisdiction has adopted this model code, adopted a modified version, or uses different guidance.

Before relying on this page, a business should check four things. First, which WHS law applies to it in practice. Second, whether there is a local version of this code or another approved code that applies to the same hazard. Third, whether the WHS Regulations impose specific mandatory controls or risk assessment requirements for the work being done. Fourth, whether technical standards, supplier instructions, safety data sheets or hazard-specific guidance add further requirements or more suitable controls.

This is especially important because the Code itself says other approved codes of practice should be referenced for guidance on managing the risk of specific hazards. In other words, this Code is the general risk management framework, not the only WHS document a business may need.

The Code says the duty to manage risks is placed on persons conducting a business or undertaking. It then gives a broad list of who may have health and safety duties to manage risks. That includes those who engage workers to undertake work for them, those who direct or influence work carried out by workers, those whose business activities may put other people at risk, those who manage or control the workplace or fixtures, fittings or plant at the workplace, those who design, manufacture, import or supply plant, substances or structures for use at a workplace, and those who install, construct or commission plant or structures at a workplace.

In practical terms, this means the Code reaches far beyond traditional employers. A sole trader with subcontractors, a startup fitting out office space, a warehouse operator, a café, a labour hire host, a business importing equipment, or a landlord or operator controlling workplace plant may all have relevant duties depending on the circumstances.

The Code also makes two important points about overlapping duties. A person can have more than one duty, and more than one person can have the same duty at the same time. That is why shared worksites, contractor arrangements, labour hire and on-hire arrangements need active coordination. The Code specifically warns businesses never to assume someone else is taking care of a health and safety matter.

Officers are also addressed. The Code says officers, for example company directors, must exercise due diligence to ensure the business or undertaking complies with the WHS Act and Regulations. This includes taking reasonable steps to understand the hazards and risks associated with the operations of the business and ensuring the business has and uses appropriate resources and processes to eliminate or minimise risks to health and safety.

The Code sets out a four-step process for managing WHS risks. Step 1 is to identify hazards by finding out what could cause harm. Step 2 is to assess risks if necessary, so you understand the nature of the harm that could be caused, how serious it could be and how likely it is. Step 3 is to control risks by implementing the most effective control measure that is reasonably practicable in the circumstances. Step 4 is to review control measures to ensure they are working as planned.

The Code presents this as a proactive process. A safe and healthy workplace does not happen by chance or guesswork. Businesses need to think about what could go wrong and what the consequences could be, then do whatever they can, meaning whatever is reasonably practicable, to eliminate or minimise risks arising from the business or undertaking.

The Code also makes a useful practical point for smaller businesses. Many hazards and their associated risks are well known and have well established and accepted control measures. In those situations, a formal risk assessment is unnecessary. If, after identifying a hazard, you already know the risk and how to control it effectively, you may simply implement the controls. That means the Code does not require paperwork for its own sake. It expects businesses to focus on effective controls.

At the same time, the process should be planned, systematic and broad enough to cover all reasonably foreseeable hazards and associated risks. It is not limited to obvious physical dangers. The Code's examples include noisy machinery, moving forklifts, chemicals, electricity, working at heights, repetitive jobs, bullying and violence at the workplace.

The Code says WHS duties require risks to be eliminated so far as is reasonably practicable, and if elimination is not reasonably practicable, minimised so far as is reasonably practicable. This is the central decision-making test running through the whole Code.

According to the Code, deciding what is reasonably practicable requires taking into account and weighing up all relevant matters. Those matters include the likelihood of the hazard or risk occurring, the degree of harm that might result, what is known about the hazard or risk and ways of eliminating or minimising it, the availability and suitability of ways to eliminate or minimise it, and then, after assessing the extent of the risk and the available ways of dealing with it, the cost associated with available ways of eliminating or minimising the risk, including whether the cost is grossly disproportionate to the risk.

For business owners, this means safety decisions should be evidence-based and practical. It is not enough to say a control is inconvenient or costs money. The seriousness of the possible harm, the likelihood of it happening, and whether a control is available and suitable all need to be weighed up first. Cost is part of the analysis, but the Code frames it as a question of whether the cost is grossly disproportionate to the risk.

The Code also says the risk management process it describes will help businesses decide what is reasonably practicable in particular situations. In practice, that means a business should be able to explain how it identified the hazard, what it knew about the risk, what control options were available, why it chose the controls it did, and how it checked those controls were working.

The Code says managing work health and safety risks is an ongoing process that is triggered when changes affect work activities. It then lists situations where businesses should work through the steps in the Code.

Those trigger points include starting a new business or purchasing a business, changing work practices, procedures or the work environment, purchasing new or used equipment or using new substances, planning to improve productivity or reduce costs, receiving new information about workplace risks, responding to workplace incidents even if they caused no injury, responding to concerns raised by workers, health and safety representatives or others at the workplace, and where the WHS Regulations require it for specific hazards.

This part of the Code is especially useful for growing businesses because it links WHS risk management to ordinary business decisions. A new roster, a faster service model, a warehouse reconfiguration, a second-hand machine, a new chemical cleaner, a fit-out, a change in staffing levels or a push for higher output can all be WHS trigger points. The Code also says the risk management approach should be used when designing and planning products, processes or places used for work, because it is often easier and more effective to eliminate hazards before they are introduced into a workplace.

The Code says identifying hazards involves finding things and situations that could potentially cause harm to people. Hazards generally arise from the physical work environment, the equipment, materials and substances used, work tasks and how they are performed, and work design and management.

The examples in the Code show how broad this can be. Common hazards include manual tasks, gravity, electricity, machinery and equipment, hazardous chemicals, extreme temperatures, noise, radiation, biological hazards and psychosocial hazards. The psychosocial examples given in the Code include work-related stress, bullying, violence and work-related fatigue.

To find hazards, the Code recommends regularly walking around the workplace and observing how things are done. It says businesses should look at how people actually work, how plant and equipment is used, what chemicals are around and what they are used for, what safe or unsafe work practices exist, and the general state of housekeeping. It also prompts businesses to ask whether the work environment enables workers to carry out work without risks to health and safety, for example whether there is enough space for unobstructed movement and adequate ventilation and lighting.

The Code also stresses that hazards are not always obvious. Some affect health over a long period of time. Others may result in stress or fatigue. Businesses should also think about hazards brought into the workplace through new, used or hired goods. If a straightforward problem is spotted, action should be taken immediately. If there is immediate or significant danger, people should be moved to a safer location first and the hazard dealt with urgently.

The Code says consultation with workers is required, so far as is reasonably practicable, with workers who carry out work for you who are or are likely to be directly affected by a WHS matter. If workers are represented by a health and safety representative, the consultation must involve that representative. Consultation involves sharing information, giving workers a reasonable opportunity to express views and taking those views into account before making decisions on health and safety matters.

The Code says consultation with workers and their health and safety representatives is required at each step of the risk management process. This is not a one-off meeting after decisions have already been made. The Code explains that by drawing on workers' experience, knowledge and ideas, businesses are more likely to identify all hazards and choose effective control measures. It also says workers should be encouraged to report hazards and health and safety problems immediately so risks can be managed before an incident occurs.

Hazard identification should also be informed by available information. The Code points businesses to regulators, industry associations, unions, technical specialists and safety consultants. Manufacturers and suppliers can provide information about hazards and safety precautions for substances, plant or processes, including safety data sheets and instruction manuals. Businesses should also analyse their own records, such as health monitoring, workplace incidents, near misses, worker complaints, sick leave and inspection or investigation results, to identify patterns and underlying hazards.

The Code says a risk assessment involves considering what could happen if someone is exposed to a hazard and the likelihood of it happening. It can help determine how severe a risk is, whether existing controls are effective, what action should be taken and how urgently that action needs to be taken.

A risk assessment can be simple or more detailed depending on the hazards and the information, data and resources available. The Code says it can be as simple as a discussion with workers or involve specific risk analysis tools and techniques recommended by safety professionals.

According to the Code, a risk assessment should be done when there is uncertainty about how a hazard may result in injury or illness, when the work activity involves a number of different hazards and there is a lack of understanding about how they may interact to produce new or greater risks, or when changes at the workplace may impact the effectiveness of control measures.

The Code also says a risk assessment is mandatory under the WHS Regulations for some high-risk activities, such as entry into confined spaces, diving work and live electrical work. It notes that some hazards with exposure standards, such as noise and airborne contaminants, may require scientific testing or measurement by a competent person to accurately assess the risk and check that the relevant exposure standard is not being exceeded.

Just as importantly, the Code says a risk assessment is not necessary in some situations. If legislation already requires a hazard or risk to be controlled in a specific way, those requirements must be complied with. If a code of practice or other guidance sets out a control method that applies to your situation and you choose to use it, that guidance can be followed. If there are well-known and effective controls used in the industry that suit your workplace, those controls can simply be implemented.

When assessing risk, the Code says businesses should work out how severe the harm could be, how hazards may cause harm and how likely harm is to occur. It gives practical questions to guide that thinking.

On severity, the Code asks what type of harm could occur, how severe it could be, what factors could influence severity, whether harm may occur immediately or over time, how many people are exposed and could be harmed, whether one failure could lead to other failures, and whether a small event could escalate into a much larger event with more serious consequences.

On how hazards may cause harm, the Code explains that incidents often occur as a result of a chain of events and a failure of one or more links in that chain. One way to analyse this is to determine the starting point where things begin to go wrong and then ask, if this happens, what may happen next. The Code also says businesses should consider the effectiveness of existing controls, how work is actually done rather than relying only on written procedures, and infrequent or abnormal situations such as maintenance, cleaning, equipment breakdowns and failures of health and safety controls.

On likelihood, the Code suggests considering how often the task is done, how often people are near the hazard, how close they get to it, whether it has happened before, how long people may be exposed, how effective current controls are, whether organisational changes increase the likelihood, whether the working environment makes harm more likely, whether fatigue or stress may affect behaviour, and whether differences between individuals in the workplace, such as inexperience or disability, increase the chance of harm.

The Code's examples are practical. It notes that signs and painted lines used to separate forklifts from pedestrians in a warehouse may need to be upgraded to physical barriers. It also notes that increased demand, such as the pre-Christmas rush in restaurants and bistros, can increase the potential for human error and the likelihood of harm.

The table of contents and published extract confirm that the Code's next stages are controlling risks, reviewing controls and keeping records. The extract states that the most important step in managing risks involves eliminating them so far as is reasonably practicable, or if that is not possible, minimising the risks so far as is reasonably practicable. It also confirms that the Code includes sections on the hierarchy of risk control, how to develop and implement control options, how to ensure controls remain effective, how to review controls and keeping records.

Although the available public extract is truncated part-way through the control section, the structure and confirmed text make the practical direction clear. Businesses should not stop at identifying hazards or discussing risks. They need to implement effective controls, make sure those controls remain effective, review them to ensure they are working as planned, and keep records that support the process.

In practice, that means turning findings into action. If a spill hazard is identified, the response is not just to note it but to fix storage, housekeeping and response arrangements. If pace of work is creating fatigue or error risk, the business should review staffing, workflow or supervision. If existing traffic controls are not enough, stronger controls may be needed. The Code's approach is operational, not merely documentary.

Records also have a practical role. The Code includes a dedicated section on keeping records and an appendix with a risk register. Suitable records can help a business track hazards, decisions, controls, reviews, incidents and changes over time. They can also help show that the business has taken a planned and systematic approach rather than reacting only after something goes wrong.

The Code says the WHS Act requires businesses to consult, co-operate and co-ordinate activities with all other persons who have a work health or safety duty in relation to the same matter, so far as is reasonably practicable. This is especially important where responsibility is shared across multiple businesses or operators.

The Code gives the example of on-hire workers. If you engage on-hire workers as part of your workforce, you share a duty of care to those workers with the business that provides them. In those situations, the Code says you must discuss the hazards and risks associated with the work and what precautions will be taken with the on-hire firm.

The Code is direct on this point. Never assume someone else is taking care of a health and safety matter. Find out who is doing what and work together in a co-operative and co-ordinated way so that all risks are eliminated or minimised as far as reasonably practicable. When entering into contracts, the Code says businesses should communicate their safety requirements and policies, review the job to be undertaken, discuss any safety issues that may arise and how they will be dealt with. It also says responsibilities cannot be transferred to another person.

For businesses using contractors, labour hire, shared premises or specialist installers, this means WHS should be built into procurement, onboarding, site access, supervision and communication, not treated as an afterthought.

The Code is best read as a working framework for ordinary business decisions. It is relevant when you buy equipment, redesign a workspace, increase output, change staffing, bring in contractors, introduce a new substance, respond to complaints, or investigate a near miss. It is also relevant in lower-risk settings because the Code applies to all types of work and all workplaces covered by the WHS Act.

For example, a warehouse buying used equipment should treat that purchase as a trigger to identify hazards and check whether existing controls are still suitable. A hospitality business preparing for a seasonal rush should consider whether increased pace of work, fatigue, heat, slips, manual handling and supervision issues change the risk profile. An office-based business moving premises should still consider layout, electrical safety, contractor coordination, emergency access and psychosocial hazards. A business using labour hire should actively coordinate inductions, supervision, hazard reporting and incident response with the provider.

The Code also encourages businesses to look beyond written procedures and examine how work is actually done, including under pressure, during maintenance, in abnormal situations and when controls fail. That is often where real risk sits. A business that only has paperwork, but does not inspect, consult, implement, review and coordinate, is not using the Code in the way it is intended.

Finally, businesses should remember that this Code is the general risk management guide. It should often be read alongside other approved codes and hazard-specific requirements. If your work involves a specific regulated hazard, a technical process, or exposure standards, you may need more detailed guidance than this Code alone provides.

Businesses often ask whether this Code is only relevant after an incident. The answer is no. The Code describes risk management as a proactive and ongoing process. It is meant to be used before harm occurs, especially when work changes, new equipment or substances are introduced, or workers raise concerns.

Another common question is whether lower-risk businesses can ignore it. Again, no. The Code says it applies to all types of work and all workplaces covered by the WHS Act. The level of risk and the controls needed will differ between a professional office and a warehouse, but both still need a process for identifying hazards, consulting workers and managing risks.

Businesses also ask whether they need a large amount of paperwork. The Code does not say that every hazard needs a formal written risk assessment. It expressly says that where hazards and controls are already well known, the formal assessment step may be unnecessary and the business may simply implement the controls. The focus is on effective action, supported by sensible records.

A final practical question is whether this Code is enough on its own. Usually, it is the starting point rather than the whole answer. The Code itself says other approved codes of practice should be referenced for specific hazards. Businesses should also check whether the WHS Regulations, supplier instructions, safety data sheets or technical standards add more detailed requirements for the work they do.