Health and Safety Risk Management Procedure

This is the current version of the approved document.

Section 1 - Purpose and Scope

(1) This Procedure outlines the approach for managing health and safety risks at The University of Queensland (UQ) and applies to all areas of UQ including controlled entities.

(2) This Procedure supports UQ’s Health, Safety and Wellness Policy commitment to ensure health and safety risk management processes are in place, are proportionate, evidence informed, and align with the risk appetite statement (RAS) approved by the Senate.

(3) UQ’s Health and Safety Risk Management requirements are at both the enterprise and operational level. Where more specific guidance is required for assessment of operational hazards, tasks or activities, refer to the Health and Safety Risk Assessment Procedure.

(4) The objectives of this Procedure are to:

  1. align the management of health and safety risk with the UQ Enterprise Risk Management Framework (ERMF);
  2. support the Health, Safety and Wellness Policy;
  3. comply with the legislative requirements for health and safety risk management;
  4. provide an overview of health and safety risk management and direction on how it is applied at all levels within the organisation; and
  5. align UQ’s Health and Safety practices with ISO 45001 Occupational Health and Safety.


(5) This Procedure aligns with the legislative requirements for work health and safety risk management, primarily the Work Health and Safety Act 2011 (the Act), the Work Health and Safety Regulation 2011 (the Regulation) and How to Manage Work Health and Safety Risks - Code of Practice 2021. The Act requires that risks are eliminated or, if it is not reasonably practicable to do so, minimised as far as reasonably practicable.

(6) In addition to the general workplace health and safety laws noted above, additional regulatory obligations may apply to activities conducted at UQ, which are covered in specific procedures (e.g., electrical safety, gene technology, biosecurity, radiation, and marine safety and health).

Section 2 - Process and Key Controls

(7) The Health and Safety Risk Management process involves the systematic application of UQ’s policies and procedures, including the practices of consulting, planning, identifying, assessing, evaluating, controlling, monitoring and reviewing health and safety risk.

(8) This process is applied at both an enterprise and operational level. The enterprise level refers to the whole of the organisation, whereas the operational level refers to the day-to-day activities performed by Organisational Units.

(9) UQ manages health and safety risk as an ongoing, continuously improving process. Qualitative techniques are used for the risk analysis to determine the level of risk and prioritise risk treatment according to risk evaluation criteria.

Section 3 - Key Requirements

Enterprise Risk Management Framework (ERMF) Alignment

(10) UQ’s Enterprise Risk Management Framework (ERMF) provides UQ’s overall framework, direction and oversight for the systematic, disciplined and consistent identification and assessment of risks (including opportunities) and for their effective and efficient management.

(11) At the enterprise level, health and safety risk management is guided by the Senate approved health and safety Risk Appetite Statement (RAS). The RAS states that UQ’s overall attitude towards risk is that of a prudent risk taker. The tolerance and treatment of health and safety risks, as outlined in the RAS, is low or nil appetite. This means that in some cases, despite having a low or nil appetite for some risks, UQ may have to tolerate those risks at higher levels because:

  1. it is impossible, impracticable and/or cost prohibitive to eliminate those risks or reduce them to low levels; and
  2. those risks cannot be avoided as they are inherent to initiatives, operations and activities that are essential to UQ given its objectives and strategy.

(12) Refer to the ERMF for more details. 

Enterprise Health and Safety Risk Management

(13) UQ has a focus on the mitigation of risks and considers managing health and safety risk as an ongoing, continuously improving process. Qualitative techniques are used for risk analysis to determine the level of risk and prioritise risk treatment according to risk evaluation criteria.

(14) The health and safety enterprise risk management procedure follows the process represented in the linked diagram:

Enterprise Health and Safety Risk Registers

(15) The Health, Safety and Wellness Division (HSW Division) coordinates the development and review of the UQ enterprise-level Health and Safety Risk Register and undertakes a regular assessment of the top UQ health, safety and wellness risks. The UQ Risk Register and list of top health and safety risks are developed through the review, assessment and understanding of the Faculty, Institute and Central Support Services (CSS) Divisions’ health and safety risks, as well as by reviewing incident data, national and/or state government priorities, information from across the higher education industry sector and findings from internal and external audits. The priority of risks will be determined by:

  1. the impact of these risks for UQ from a people perspective, while also taking into consideration legal/regulatory compliance and reputation perspectives;
  2. Managed Risk Level (MRL) which assesses the current risk of harm (consequence and likelihood) to people; and
  3. prevalence of the identified risk across the organisation.

(16) The final UQ top health and safety risks are determined in consultation with the Faculties, Institutes and CSS Divisions. 

Enterprise Health and Safety Top Risks and Watch List

(17) The HSW Division consolidates the Organisational Units’ identified top risks to help inform the UQ Health and Safety Risk Register. The top UQ health and safety risks are determined:

  1. from analysing the Enterprise Health and Safety Risk Register against the Managed Risk Level (MRL);
  2. by the frequency with which certain risks appear; and
  3. in consultation with the UQ safety network and the University Senior Executive Team (USET).

(18) In addition to the top risks, a ‘watch list’ is developed by the HSW Division which will be monitored for movement in risk levels. Items for the watch list are identified by risks with:

  1. a “high” or “extreme” inherent risk level (IRL) but low MRL and significant exposure across UQ; or
  2. insufficient information to assess the current MRL.

Organisational Unit Health and Safety Risk Registers

(19) The Organisational Unit Health and Safety Risk Register is developed as a consolidation of information from local risk assessments in UQSafe and the Enterprise Health and Safety Risk Register. This risk register, when considering other components such as incident data and the MRL, can be used to inform the completion of the Organisational Unit’s top risks. The recorded MRLs of these risks can assist with the prioritisation of resources and should be discussed at the relevant HSW Committee and brought to the attention of the senior management of the Organisational Unit. Top risks should be incorporated into the Organisational Unit’s annual HSW Safety Management Plan for actioning to reduce the MRL of these risks.

(20) Organisational Units are responsible for:

  1. maintaining an Organisational Unit Health and Safety Risk Register;
  2. developing an Organisational Unit Health and Safety Management Plan;
  3. monitoring and reporting Organisational Unit health and safety performance; and
  4. providing an annual top health and safety risks report to the Director, Health Safety and Wellness (Director, HSW).

Local Health and Safety Risk Management

(21) Local health and safety risk management is the day-to-day activity of identifying hazards/risks related to work activities, analysing the risks in terms of consequences and their likelihood, and evaluating the risks to prioritise action. This process is commonly referred to as “Risk Assessment”.

(22) Organisational Units are responsible for the identification and appropriate management of their unit’s specific hazards and risks, including:

  1. completing and recording specific risk assessments for identified hazards and risks and taking appropriate action where needed;
  2. reviewing these risk assessments at the appropriate intervals; and
  3. preparing adequate documentation and reporting of risk assessments to support management with their health and safety responsibilities.

Health and Safety Risk Identification

(23) Health and safety risks must be assessed through the risk assessment process to ensure all existing and foreseeable risks are identified and mitigated to the lowest practical level. The risk assessments are to be recorded in UQSafe.

(24) Health and safety risk identification is an ongoing activity and involves identifying and describing the health and safety risk factors associated with tasks and the environment in which these tasks are performed. Risk identification occurs at both the enterprise level and the operational level which together ensure a holistic approach to UQ’s health and safety risk management.

(25) Risk assessments, and other identifying activities, at each level will include and consider:

  1. constructive consultation with relevant stakeholders;
  2. Organisational Unit processes, operational planning, project management, day-to-day operations;
  3. tangible and intangible risks (e.g., reputation risk);
  4. continual improvements to enhance health and safety; and
  5. changes in the external and internal environment.

Health and Safety Control Measures

(26) Health and safety control measures are applied to all identified risk exposures. Control measures involve identifying and implementing ‘controls’ to eliminate or reduce the risk to as low as reasonably practicable. Controls are categorised as either ‘existing controls’, which are already in place and inform the MRL, or ‘proposed or additional controls’, which will be implemented to achieve the target risk level (TRL). The Hierarchy of Controls must be used for all actions to ensure more effective higher order controls are used in preference to less effective lower order controls (e.g., administration controls such as a sign, or personal protective equipment requirement). Multiple controls can be used collectively to provide multi-layered risk control. Risk mitigation strategies should be proportionate to the risk being controlled, must be robust, and be determined in consultation with those exposed to the risk.

Communication and Consultation

(27) Communication and consultation efforts apply to both enterprise and operational health and safety risk management. The communication process will be open and transparent and engage all relevant stakeholders (e.g., those working with the hazards and those that are accountable and/or responsible for implementation and managing the controls). The communication and consultation process will be both at the local level and the organisation level.

(28) At the organisational level, consultation involves the HSW Division being aware of the legal, regulatory and compliance environment as well as the sector risks, both current and future, and discussing these with UQ stakeholders. At the local operational level, the HSW Division can facilitate consultation with relevant stakeholders to discuss the operational and enterprise risk registers process.

Section 4 - Roles, Responsibilities and Accountabilities

Senate Risk and Audit Committee (SRAC)

(29) The role of the SRAC is to exercise oversight of UQ’s governance, risk and compliance frameworks, including health and safety. The SRAC's responsibilities in relation to health and safety risk include:

  1. receiving advice from management on the implementation of UQ’s Health, Safety and Wellness Policy and management system, including the safety culture and promotion of safe work practices at UQ; and
  2. receiving information on health and safety activities, trends and emerging safety risks or contentious issues.

Vice-Chancellor's Risk and Compliance Committee (VCRCC)

(30) The role of VCRCC is to exercise management oversight and provide assurance to the Vice-Chancellor and President and to the SRAC that UQ’s governance, risk management and compliance controls and culture are adequate and effective. This includes oversight of UQ’s Health, Safety and Wellness framework, including the management of health and safety risks and assurance programs.

UQ Officers

(31) Members of UQ Senior Management, if participating in decision making that affects the whole, or a substantial part, of UQ, may be an officer under the Act. As officers, there is a requirement under the Act to apply adequate due diligence, which includes being responsible for:

  1. assessing and managing health and safety risks relevant to their portfolio’s activities and environments;
  2. maintaining health and safety risk registers and ensuring the accuracy and currency of their risk registers;
  3. monitoring and reviewing their risks and controls with sufficient frequency to ensure the ongoing relevance and effectiveness of controls;
  4. providing timely and positive assurance on the management of their risks and on the effectiveness of the controls, including addressing audit findings related to health and safety risk;
  5. facilitating annual reviews of their health and safety risks to meet SRAC and VCRCC needs and ensuring any deficiencies identified through the review and assurance processes are promptly rectified; and
  6. ensuring their direct reports undertake steps 1 to 5 above for their respective areas of responsibility.

Enterprise Risk Services (ERS)

(32) ERS is responsible for ensuring the ERMF is implemented across UQ and effective oversight is maintained. ERS is also responsible for providing UQ’s Top Risks based on MRL and their management and reporting of these to VCRCC and SRAC.

(33) UQ’s top health and safety risks are considered when ERS compiles UQ’s Top Risks. In addition, ERS includes the HSW Division in any development or changes to the ERMF during the consultation process to ensure continuous alignment of the ERMF with health and safety risk management processes.

Health, Safety and Wellness Division (HSW Division)

(34) The HSW Division is responsible for:

  1. UQ’s health and safety risk management governance;
  2. supporting operational management in managing their health and safety risks through the development and implementation of policies, procedures, tools, training, monitoring and other supporting activities; and
  3. assisting HSW Managers and WHSCs with the development of their Faculty/Institute/CSS risk registers. The content of these Faculty/Institute/CSS risk registers is considered in the development and review of the UQ health and safety risk register and list of top health and safety risks and watch list.

Health, Safety and Wellness Managers (HSW Managers) and Work Health and Safety Coordinators (WHSCs)

(35) HSW Managers and WHSCs have specific health and safety risk management responsibilities including:

  1. driving the development and ensuring the continued relevance of their local operational risk registers and risk management processes (risk registers are reviewed on a continuous basis to ensure their currency and that the strategies for addressing the risks continue to be adequate and managed appropriately);
  2. performing health and safety audit activities; and
  3. consulting with their operational areas and the HSW Division to ensure risks are reasonably mitigated in a timely and appropriate manner.

Section 5 - Monitoring and Review

Operational Monitoring and Review

(36) Heads of Organisational Units will monitor and review their operational activities, risks and controls to ensure effective and efficient health and safety risk management and compliance. Local risk registers (e.g., Faculty and Institute risk registers) will be reviewed at least annually at the local health and safety committee meeting. HSW Managers and committees will review risks on a regular basis to inform potential changes to risk registers ensuring that risks are continually managed effectively and efficiently.

(37) Each year, a Level one audit program (refer to Health, Safety and Wellness Audit Procedure) is undertaken by local health and safety team members as part of the local assurance program to audit the effectiveness of a sample of operational controls and risk management practices.

HSW Division Monitoring and Review

(38) HSW Division will provide objective assurance over UQ’s internal controls and health and safety risk management practices via implementation of the annual HSW audit plan and regular performance reporting. Consultation will occur with USET and VCRCC to ensure that health and safety risks are adequately reviewed and monitored on a timely basis within their areas of responsibility.

Section 6 - Recording and Reporting

(39) The following reports on health and safety risks and controls will be produced:

| Report Title | Report Content | Report Author | Report Recipient | Frequency |
|---|---|---|---|---|
| HSW Monthly | Overview of key HSW risks, emerging risks, high or extreme level identified risk assessments, compliance risks, workers’ compensation risks. | HSW Division | USET, | Prepared for each meeting; forwarded monthly to USET members; forwarded to each meeting of SRAC |
| Health and Safety Risk Register | Updated UQ HSW risk register, Top Health and Safety Risks (and Watch list) showing IRL, MRL and TRL. | HSW Division with input from Faculties/Institutes and CSS | USET, VCRCC and SRAC | Annually |
| HSW Annual Report | Overview of previous year’s performance - key HSW risks, emerging risks, high or extreme level identified risk assessments, compliance risks, workers’ compensation risks. | HSW Division | USET, VCRCC and SRAC | Annually; presented at the first relevant VCRCC meeting each year |
| HSW Internal Audit Program | Proposed audit program for the following year based on risk levels, emerging risks and compliance issues. | HSW Division with input from Faculties/Institutes and CSS | USET and VCRCC | Last meeting of the calendar year. |


(40) Local risk assessments are completed in UQSafe.

(41) The following templates are available from the HSW Division:

  1. Health and Safety Risk Register Template.
  2. Health and Safety Top Risks and Watch List Report Template.

Section 7 - Appendix


| Term | Definition |
|---|---|
| Intangible Risk | A threat or opportunity that is by nature not quantifiable or cannot be quantified using typical risk management tools and analysis. |
| ISO 45001 Occupational Health and Safety | An International Standard that specifies requirements for implementing and maintaining an occupational health and safety management system to improve occupational health and safety, eliminate hazards and minimise HSW risks (including system deficiencies), take advantage of HSW opportunities, and address HSW management system nonconformities associated with its activities. |
| Risk Appetite Statement (RAS) | The amount of risk that an organisation is willing to take to meet its strategic objectives (this includes reference to both the organisation’s risk appetite as well as its risk tolerance). |
| Risk Levels | Inherent risk level (IRL) – the level of risk assuming there are no controls specifically designed and implemented to manage that particular risk. Managed risk level (MRL) – the level of risk taking into consideration the total effectiveness of all the existing controls or risk treatments that act upon that risk. Target risk level (TRL) – the desired (or accepted) level of risk considering the University’s risk appetite and tolerance levels to be achieved via implementation of proposed controls. |
| Risk Profile | The threats to which an Organisational Unit is exposed. |
| Risk Register | A document that contains the information about identified risks, results of the risk analysis and the risk response plans. |
| UQSafe | UQ’s risk management system that allows for risk assessments to be completed and approved online. |