Request a Call Back

We'll get back to you within 24 hours to discuss your health and safety needs

Thank you for your request!

We've received your call back request and will contact you within 24 hours during business hours.

For urgent matters, please email us directly at support@nzohs.co.nz

Best time to call (select all that apply):

Hazard Register & Risk Assessment

How to identify, assess and control workplace risk under the HSWA

In short

Under the HSWA you must eliminate risks so far as is reasonably practicable, and if you can't, minimise them using the hierarchy of controls. A risk assessment is how you work that out; a hazard register is how you record it. Together they are the backbone of a compliant health and safety system.

Eliminatethe law's first step: remove the risk so far as is reasonably practicable.Source: HSWA 2015, s30
Minimiseif you can't eliminate, reduce the risk using the hierarchy of controls.Source: GRWM Regulations 2016, reg 6
PPE lastpersonal protective equipment is the lowest-ranked control — never the first choice.Source: GRWM Regulations 2016, reg 6
Reviewcontrols must be monitored and reviewed — risk management is not "set and forget".Source: WorkSafe NZ guidance

Hazard vs risk: what's the difference?

A hazard is a source of harm. A risk is the chance that the hazard actually harms someone, combined with how serious that harm could be.

For example, a chemical is a hazard; the risk is the likelihood and severity of someone being harmed by it — which depends on how it is stored, handled and controlled. Getting this distinction right matters, because the law is about managing risk, not just listing hazards. Your job is to find the hazards, judge the risk, and put controls in place that bring the risk down as far as is reasonably practicable.

What the law requires: eliminate, then minimise

Under section 30 of the HSWA, you must first try to eliminate risks so far as is reasonably practicable. If a risk can't be eliminated, you must minimise it so far as is reasonably practicable.

“Reasonably practicable” means what a reasonable business would do, weighing up the likelihood of harm and how serious it could be, what you know (or ought to know) about the hazard and the ways to control it, and the availability and cost of those controls. Cost only excuses you when it is grossly disproportionate to the risk — you cannot skip an obvious, affordable control just because it is inconvenient.

The hierarchy of controls

When you can't eliminate a risk, you minimise it by working down the hierarchy of controls — from the most reliable (engineering out the risk) to the least (relying on people and PPE).

RankControl typeExamples
1. EliminateRemove the hazard entirely.Stop doing the task, remove faulty equipment, design the hazard out.
2. Substitute / isolate / engineerMinimise the risk — these three sit at the same level.Swap for a safer material; separate people from the hazard; guard, extract or automate.
3. Administrative controlsChange the way people work.Safe procedures, training, signage, job rotation, permits.
4. PPEThe last line of defence, used with higher controls — not instead of them.Gloves, hearing protection, respirators, eye protection.

Based on regulation 6 of the Health and Safety at Work (General Risk and Workplace Management) Regulations 2016. PPE alone is rarely enough — WorkSafe expects higher-order controls to be considered first.

How to do a risk assessment, step by step

A risk assessment follows a simple loop: identify, assess, control, record, review.

  1. Identify hazards — walk the workplace, talk to your workers, look at tasks, equipment, substances and past incidents.
  2. Assess the risk — judge how likely harm is and how serious it could be. A risk matrix (likelihood against consequence) is a common, optional tool to help prioritise.
  3. Decide controls — work down the hierarchy of controls, eliminating where you can and minimising where you can't.
  4. Implement — put the controls in place and make sure people know about them.
  5. Record — capture the hazard, the risk and the controls in your hazard register.
  6. Review — check the controls are working, and reassess whenever something changes.

You must engage with your workers when identifying hazards and deciding controls — they often see risks and practical fixes that management misses.

What is a hazard register, and what goes in it?

A hazard register is a living record of your hazards, the risks they create, the controls in place, who is responsible, and when each will be reviewed.

The HSWA does not use the words “hazard register”, but it does require you to identify hazards, manage risks so far as is reasonably practicable, and be able to show how — and a register is the standard, practical way to do that. A useful register captures, for each hazard:

  • the hazard and who could be harmed;
  • the risk rating (before and after controls);
  • the controls in place, ranked by the hierarchy;
  • the person responsible; and
  • the review date.

The key word is “living” — a register that is written once and never updated is worse than useless. Review it on a regular cycle and whenever you bring in new work, new equipment, or after an incident.

A hazard register that does the heavy lifting

Book a demo and we'll show you how it works — free 30-day trial included.

Book a Demo

Frequently asked questions

What is the difference between a hazard and a risk?

A hazard is a source of harm (for example, a chemical or a moving machine). A risk is the chance that the hazard actually harms someone, together with how serious that harm could be. Health and safety law is about managing the risk, not just identifying the hazard.

What is the hierarchy of controls in New Zealand?

The hierarchy of controls ranks ways of managing risk from most to least reliable: eliminate the hazard first; if you can't, minimise the risk by substituting, isolating or engineering it out (these sit at the same level), then administrative controls, then PPE as a last resort. It comes from regulation 6 of the General Risk and Workplace Management Regulations 2016.

Is a hazard register legally required in New Zealand?

The HSWA does not name a “hazard register”, but it requires every business to identify hazards, manage risks so far as is reasonably practicable, and be able to demonstrate how. A hazard register is the standard, practical way to meet and prove those duties.

How often should I review my hazard register and risk assessments?

Review them on a regular cycle and whenever something changes — new work or equipment, a change in how work is done, or after an incident or near miss. A register that is never updated does not reflect your actual risks and offers little protection.

Can I just give workers PPE instead of other controls?

No. PPE is the lowest-ranked control and the least reliable. You must first consider eliminating the risk, then higher-order controls such as substitution, isolation, engineering and administrative controls. PPE is used alongside those higher controls, not instead of them.

More health & safety guides

Sources
  1. Health and Safety at Work Act 2015, s30 (management of risks) — New Zealand Legislation: legislation.govt.nz
  2. Health and Safety at Work (General Risk and Workplace Management) Regulations 2016, reg 6 (hierarchy of control measures) — New Zealand Legislation: legislation.govt.nz
  3. Identifying, assessing and managing work risks — WorkSafe New Zealand: worksafe.govt.nz

Need advice specific to your business? Contact NZOHS for guidance.

Disclaimer: This guide is provided for general information only and does not constitute legal, business, professional, or business-specific advice. It does not take into account your specific business, workplace, industry, or circumstances and should not be relied on as such. Requirements may change over time, and it is your responsibility to check current official sources and assess the accuracy, completeness, and relevance of this information before relying on it. For advice or guidance specific to your business, please contact NZOHS. To the fullest extent permitted by law, NZOHS accepts no liability for any errors, omissions, failure to update, loss, damage, or consequence arising from the use of, or reliance on, this guide.