Show menu. Show menu.
Show menu. Show menu.

Discussion on
Demystifying Record-Keeping for Hazards and Risks

The Issue

There can be some confusion in relation to whether something is a "hazard" or a "risk" and what records should be kept.

This discussion:

  • presents a pragmatic way of differentiating hazards and risks, and
  • outlines the benefits of having separate records of hazards and risks.

Do We Need Definitions?

So what exactly do the terms "hazard" and "risk" mean, and how does a workplace manage them?

In the 1990’s there was a strong emphasis on incident management and analysis. By keeping details of every incident, no matter how minor (even paper cuts for instance), the theory was that an organisation could assemble enough data to allow deficiencies in workplace practice to be identified and corrected. The objective was to improve things in the future, but it relied on knowledge gained from accidents in the past. This became known as a "reactive" approach: after bad things happen, work practices are improved to avoid more bad things happening.

As the health and safety, and risk, professions developed, the emphasis shifted to a "proactive" approach. The objective was to anticipate problems before they resulted in injury to a worker, and/or damage to the productivity, finances or image of the organisation.

One component of the proactive approach in WHS was the successful "spot the hazard, assess the risk, make the changes" campaign. For instance: identify that a package is very heavy and then use the correct technique to pick it up safety.

Risk management professionals don’t tend to use the term "hazard". They look at every aspect of organisational risk: health & safety risk, operations risk, financial risk, reputation risk, and more. They build a register of all identified risks and develop controls that aim to reduce the level of risk.

There are definitions of hazard and risk in the various regulations and national Standards but depending on who you ask you could get any one of several different explanations of risk.

What follows does not rely on a formalised definition of hazard or risk. Instead it is a pragmatic way to approach the management of the corresponding data.


For each of the following hazard/risk examples, consider:

  • is it a hazard?
  • is it a risk?
  • what data would you store about it?
  • what actions would you take in relation to it?
  1. A very heavy parcel needs to be moved.
  2. An electrical extension cable is on the floor, unattended and unmarked.
  3. There is an upturned area of carpet.
  4. An acid storage container is leaking.

Any of the above situations can potentially arise at any time. In deciding whether to treat each as a "hazard" or as a "risk" it is helpful to distinguish between danger that is present now and danger that could arise in the future:

  • If the danger exists right now we may be able to apply a "corrective action" to eliminate it.
  • If the danger is something that cannot be eliminated, or could arise in the future, we may be able to implement "controls" that aim to prevent occurrence or minimise any negative consequences. (i.e. We will aim to reduce the risk to "as low as reasonably practicable", or ALARP).

So it is suggested that:

  • if something dangerous exists right now, and it can be eliminated, we think of it (and record it) as a hazard and we take (and record) the appropriate corrective actions, and
  • if something dangerous could occur in the future, or it is something that is always present because of the nature of the business, we think of it (and record it) as a risk and we implement (and record) appropriate controls to reduce the likelihood of occurrence or to prevent or minimise any negative consequences.

OSHatWork allows you to keep the corresponding records:

  • a register of hazards, together with details of the relevant corrective actions (and reminders to ensure they are completed), and
  • a register of risks, together with details of the appropriate controls.

The four examples listed above will now be used to illustrate this. The example actions and controls are not comprehensive, and are not presented as WHS or risk advice. Instead they are outlined to illustrate how the corresponding data can be logically structured and stored.

Example 1: A very heavy parcel needs to be moved.

If a business regularly delivers heavy parcels they certainly would not want to record every heavy parcel as a hazard so there will be no corresponding hazard records kept.

However a worker could sustain injury by using the wrong technique to lift a heavy parcel.

There will also be a limit on the weight that an individual can lift.

So, this is recorded as a risk ("Improper lifting technique for heavy objects") rather than as a hazard, and some of the controls that may be considered and recorded are:

  • clearly label all packages that exceed 25kg;
  • train workers to know when it is okay for them to lift alone, and when they must have the assistance of another person or specialised equipment;
  • train workers in correct lifting technique (when working alone and in combination with others);
  • train workers in the use of lifting equipment (e.g. a forklift); etc.

If a delivery driver determined that a specific package was in excess of 25kg, and had not been labelled as such before he received it from the despatch department, this would be recorded as a hazard. The corresponding corrective actions recorded could include:

  • "apply the warning label to the package"; and
  • "investigate why the label had not been applied and take steps to avoid recurrence".

Example 2: An electrical extension cable is laying on the floor across a walkway, unattended and not marked with hazard warning signs.

This problem exists right now and action must be taken. So it is recorded as a hazard ("Electrical extension cable left unattended and unmarked on floor in main corridor"), and the appropriate corrective actions such as the following are recorded and performed:

  • "put the cable in its proper storage location", and.
  • "locate the person responsible and give them additional training".

Irrespective of whether the potential for this to happen was identified before or after the instance above occurred, a risk record is created ("Electrical extension cable left unattended or not marked with warning sign"), together with appropriate controls such as:

  • "have appropriate storage facilities";
  • "train workers to position cables correctly, display warning signs, and put them away after use"; and
  • "have regular inspections to check for compliance".

Example 3: There is an upturned area of carpet in the main office.

This example is similar to the electrical extension cable one above in that:

  • there is an immediate hazard (recorded as "Upturned area of carpet in north doorway of main office") so there will be corrective actions to record such as:
    • "fix the carpet back down";
    • "check whether the carpet needs to be replaced"; and
    • "consider whether inspections are regular enough";
  • there is a risk that this could occur at any time (recorded as "Carpet deteriorates to the extent that it becomes a tripping hazard") so there will be controls to record such as:
    • "install good quality commercial carpet";
    • "use certified installers"; and
    • "have regular inspections to identify deterioration before it becomes a hazard".

Example 4: An acid storage container is leaking.

There is one hazard (recorded as "500ml hydrochloric acid container in store 101 leaking"), and there will be appropriate corrective actions to record.

A risk identification and control process might come up with multiple risks and their corresponding controls to record such as:

  • risk 1: "substandard storage practices for acid", and controls:
    • "initial inspection/audit by external specialists"; and
    • "subsequent annual inspections/audits by external specialists";
  • risk 2: "personnel exposure to acid", and controls:
    • "product entered on chemical register";
    • "Standards-compliant labels on storage containers";
    • "regular inspections to ensure labels have not deteriorated";
    • "current Safety Data Sheet easily accessible"; and
    • "personnel trained in correct handling including use of PPE";
  • risk 3: "leakage in acid store", and controls:
    • "Standards-compliant containers";
    • "Standards-compliant bunding for large-volume storage";
    • "well-documented emergency response procedures, and personnel trained in these"; and
    • "regular inspections".

All of the above are basic examples and a WHS/risk consultant could provide more comprehensive guidance appropriate to each particular business.

The benefit of clearly separating records of hazards and risks in the above way is that you get two separate registers (which you can do in OSHatWork), each with a clearly defined purpose:

  • a list of hazards that have appeared and need to be acted upon,
  • a list of risks that need ongoing control,

plus you get:

  • a list of the scheduled corrective actions, related to the hazards, that you can follow through to completion (and OSHatWork provides reminders for these), and
  • a list of the controls, related to the risks, that you can continue to monitor for effectiveness and adjust from time to time as considered necessary.

Risk > Hazard > Incident

How do hazard and risk records potentially tie in with incident records?

Let's use the example of a person having tripped on dangerously worn/damaged carpet.

In this case you would (in OSHatWork):

  • record the incident;
  • ensure that there is a record of the hazard (the specific instance of dangerously worn/damaged carpet);
  • ensure that there is a record of a hazard corrective action to repair or replace the carpet;
  • if the hazard was not already recorded, schedule a review of hazard identification and reporting by workers (because the hazard should have been reported before someone tripped), and record this review as a corrective action associated with the incident;
  • associate the incident record with the hazard record;
  • ensure there is a record of the risk (the potential for carpet to become dangerously worn/damaged);
  • review the controls recorded for the risk and, if necessary, add to or modify them;
  • if the risk was not already recorded, schedule a review of risk identification processes, and record the review as a corrective action associated with the incident;
  • optionally associate the incident record with the risk record.


For more information on using OSHatWork you might like to also read these discussions:

A complete list of all the OSHatWork Guides is available here.