RosterElf Logo
Start trial
FREE HR TEMPLATE Last updated 27 June 2026

Risk management policy template

A free, ready-to-edit risk management policy template for Australian businesses. Set out your risk appetite, a clear assessment methodology, the hierarchy of controls and who is accountable — so you can manage workplace risk systematically and meet your WHS duties. No signup required.

Risk management policy

PDF format • Ready to download

Risk appetite & tolerance framework
Likelihood × consequence methodology
Hierarchy of controls
Roles & responsibilities

By downloading, you agree to our template disclaimer

This risk management policy template reflects Australian work health and safety standards at the time of publication and is provided as a general guide to adapt for your business and specific workplace hazards. It does not constitute legal, HR, or professional advice and should not be relied on as a substitute for advice specific to your business, workforce, or circumstances.

Why your business needs a risk management policy

A risk management policy is the official document that sets out how your organisation identifies, analyses and controls the risks that could affect your objectives — from financial and operational risks to the work health and safety hazards your people face every day. It defines your appetite for risk, the methodology you use to assess it, and who is accountable at every level from frontline staff to the owners or board.

Under Australian WHS law, every PCBU (person conducting a business or undertaking) must manage risks to health and safety so far as is reasonably practicable. A documented policy demonstrates that systematic approach to regulators, insurers and your team — and it pairs naturally with your WHS policy and hazard & risk policy.

Good risk management is more than compliance: it prevents incidents before they disrupt operations, protects your people, and supports better decisions. Store the policy and capture employee acknowledgements in your HR software so you can show every worker has read and understood it.

Business professional reviewing risk assessment documents

What a risk management policy should cover

The essentials of a systematic risk framework

Purpose & scope

Why you manage risk and which activities, sites and people the policy applies to.

Risk appetite & tolerance

How much risk the business is willing to accept in pursuit of its objectives.

Risk identification

How risks and hazards are identified systematically across the business.

Assessment methodology

Rating likelihood and consequence to prioritise the risks that matter most.

Hierarchy of controls

The preferred order for eliminating or minimising each identified risk.

Roles & responsibilities

Who is accountable for managing risk, from workers to leadership.

What's included in this template

A complete framework for identifying, assessing and controlling risk

Purpose & scope

Why risk management matters and the activities and people it covers.

Risk management framework

The overarching structure aligned with WHS duties and good practice.

Risk appetite & tolerance

The level of risk the business is prepared to accept.

Risk identification process

How hazards and risks are identified across the workplace.

Assessment methodology

Likelihood, consequence and a risk matrix to set priorities.

Hierarchy of controls

Elimination through to PPE as the order for treating risk.

Risk register

Recording, owning and tracking identified risks and their controls.

Monitoring & review

Schedules and triggers for reviewing risk assessments.

Roles & responsibilities

Accountability from frontline workers to owners or board.

Review & acknowledgement

Policy maintenance, consultation and employee sign-off.

Assessing and controlling risk

A consistent method keeps decisions defensible

Define your risk appetite

A good policy states how much risk the business is willing to accept in pursuit of its objectives. Setting risk appetite and tolerance up front gives managers a consistent benchmark — so similar risks are treated the same way across teams and sites, and you focus effort where it matters most.

Consultation is a legal duty

Under WHS law you must consult workers on matters that affect their health and safety. Involve the people who do the tasks, plus supervisors and health and safety representatives — they understand the real risks. Document who you consulted as part of a WHS assessment.

The risk management process

Identify

Systematically find the hazards and risks across tasks, sites and activities.

Assess

Rate likelihood and consequence to prioritise each risk.

Control

Apply the hierarchy of controls, starting with elimination.

Review

Monitor controls and reassess when work or conditions change.

Record every risk, its rating, owner and controls in a risk register so nothing is lost between reviews — and keep it alongside your incident reporting policy so lessons from incidents feed back into your assessments.

When you assess a risk, combine likelihood (how probable it is) with consequence (how severe the outcome would be) to produce a risk rating, then treat high-likelihood, high-consequence risks first. Always work down the hierarchy of controls — eliminate the hazard if you can, then substitute, isolate, apply engineering and administrative controls, and use PPE only as a last resort. Safe Work Australia’s model WHS laws and codes of practice set out how to manage risk so far as is reasonably practicable.

Who should use this template?

Every Australian business with employees has a duty to manage risk

Especially valuable in higher-risk sectors like construction, manufacturing and healthcare, where a documented framework supports due diligence.

Manage your policies the easy way

RosterElf helps Australian businesses store policies, capture employee acknowledgements at onboarding and keep an audit trail — all in one place.

Start free trial See HR software
FAQ

Risk management policy FAQ

  • A risk management policy is an official document that sets out an organisation’s overarching strategy for identifying, analysing and controlling risk. It defines the purpose and scope, the business’s risk appetite and tolerance, the methodology used to assess risks, the controls applied, and the roles and responsibilities for managing risk — from frontline staff through to the owners or board.

  • A complete policy should include its purpose and scope, the risk management framework, your risk appetite and tolerance, a process for identifying risks, an assessment methodology (likelihood and consequence), the hierarchy of controls, a risk register, monitoring and review arrangements, clear roles and responsibilities, and an employee acknowledgement.