WHS Risk Management Overview

Table of Contents

1. Scope and Purpose ...... 3 1.1. Codes of Practice Guidelines ...... 3 2. Critical Elements ...... 4 3. Code Requirements and Guidelines ...... 5 3.1. Safe Systems of Work ...... 5 3.2. Guide to Risk Management ...... 6 3.3. Consultation and Communication ...... 6 3.4. Establishing the Context...... 7 3.5. Hazard Identification ...... 7 3.6. Risk Assessment...... 8 3.7. Evaluation and Control of Risks ...... 8 3.8. Monitor and Review of Risks ...... 10 4. Training and Competence ...... 11 4.1. Awareness Training ...... 11 4.2. Competent Person Training ...... 11 5. Responsibility, Authority & Accountability ...... 11 6. Definitions ...... 12 7. Reference Material ...... 12 8. Appendices ...... 13 Appendix 1 – WHS Risk Management Overview ...... 13 Appendix 2 – WHS Risk Control Guidelines ...... 14 Appendix 3 – WHS Risk Rating and Prioritisation Table ...... 16

Risk Management Code of Practice Issue Date: 20.02.2018 GA-WHS-RM-COP-001 Version: 5 Authorised By: GFG Alliance Australia OHSE Council Page 2 of 25 GFG Alliance Australia Safety Intranet version is the only controlled version

1. Scope and Purpose Each GFG Alliance Australia site is required to comply with this Code.

1.1. Codes of Practice Guidelines This Code should be read in conjunction with the CoP Guidelines. The Guidelines provide information that is generic across the CoP, covering:  CoP scope  system requirements, including risk management, audit and review, and Variation procedure  training and competence  responsibility, authority and accountability for General Manager, Plant/Location/Department Manager, Responsible Manager  definitions  reference material.

WHS Risk Management Code of Practice Page 3 of 17

2. Critical Elements The Critical Elements must be conveyed and understood at each GFG Alliance Australia site.

1. Stop and report any hazards you cannot resolve to your Team Leader.

2. Verify operating and maintenance procedures are in place for routine activities and based on risk assessment processes.

3. Follow risk controls as documented in approved work procedures.

4. Carry out a Pre-task Risk Assessment if there is not an approved work method for the task.

5. Document and control risks from identified hazards.

WHS Risk Management Code of Practice Page 4 of 17

3. Code Requirements and Guidelines Risk Management at work is our proactive, fundamental way of recognising what could cause injury and providing controls so that people are not injured. Following recognised risk management systems and processes provides a consistent and effective way of preventing injury. This section outlines the requirements to be fulfilled in relation to the management of risk.

3.1. Safe Systems of Work

 Develop, document and implement systems to identify, assess, control and review hazards and risks.

Hazards to be identified and risks assessed and controlled in a planned and scheduled manner. This is to occur:  before setting up and using a workplace  when planning work processes  before installing, commissioning or erecting plant  whenever changes are made to the workplace  when the system or method of work is changed  when plant or substances are used  when new information on processes becomes available  during the review process of control measures. Risk management tools may include:  informal risk assessments (RA)  Pocket Risk Assessment (PRA)  job safety analyses (JSA)  hazard operability studies (HAZOP)  permit to work systems  safe operating systems  modification control procedures.

 Have systems in place for recording hazards and the management of risks.

The GFG Alliance Australia data management system (or similar) should be used as a risk register to record:  identified hazards  risk assessments  risk control measures  monitoring processes  related responsibilities and timeframes for activities.

WHS Risk Management Code of Practice Page 5 of 17

 Develop and implement safe operating procedures (SOP). This includes identifying requirements for routine maintenance and cleaning. Procedures to be based on risk assessment.

 Follow SOP and risk controls.

3.2. Guide to Risk Management

 Follow the International Standards (ISO) for Risk Management when determining the approach to use for each risk situation.

The ISO risk management process includes:  consultation and communication  establishing the context  hazard identification  risk assessment  evaluation and control of risks  monitor and review of risks. The WHS Risk Management Overview has examples of GFG Alliance Australia risk management methods, procedures, forms and records.

 Refer to Appendix 1 – WHS Risk Management Overview.

 Refer to ISO 31000 – Risk Management.

 Record risk management activities according to site systems and procedures.

The GFG Alliance Australia data management system should be used for the recording of risk management activities.

3.3. Consultation and Communication

 Communicate and consult with relevant people at each stage of the risk management process.

Consultation is required when:  risks to health and safety are examined or reviewed  determining measures to eliminate or control risks  introducing or altering procedures for identifying and monitoring risks  changes are proposed to the system of work, or the plant and substances used for work.

WHS Risk Management Code of Practice Page 6 of 17

 Document consultation about the management of workplace hazards and risks.

Document consultation for future reference. Examples include:  names of people involved in risk assessment teams on risk assessment and modification control forms  WHS meeting minutes  Toolbox Talks/Safety Communication Meetings.

3.4. Establishing the Context

 Determine the risk management process to evaluate risks.

Consider the context of the risk situation, to determine the method for conducting the risk management process. For example, determine:  which risk management tool is the most appropriate for the risk (e.g. PRA, JSA, HAZOP)  how the risk should be assessed and evaluated  who should be involved (e.g. specialists for technical advice)  the appropriate time frame (e.g. urgency of the hazard/risk)  where the process should occur (e.g. on-site, central location, in hazard and risk area, in office area)  how the process should occur (e.g. coordination of consultation, engagement of specialists).

3.5. Hazard Identification

 Identify hazards in the workplace.

Hazards are to be identified proactively, before and during work activities, as well as in the workplace generally. Hazard identification can be triggered using many methods, as detailed in the WHS Risk Management Overview.

Refer to Appendix 1 – WHS Risk Management Overview. 

 Complete a pre-task risk assessment (PTRA) where there is not an approved work method for the task.

Even where approved work methods exist, unique or unusual circumstances may require PTRA.

WHS Risk Management Code of Practice Page 7 of 17

3.6. Risk Assessment

 Assess risks according to the GFG Alliance Australia WHS Risk Rating Table.

Identify, evaluate and take existing controls into consideration when conducting risk assessment. Estimate:  the most realistic consequence that an interaction with a hazard might result in, and  the likelihood of that consequence occurring. Risk level can be determined by either the two parameter (consequence and likelihood) or three parameter model (consequence and likelihood, where the probability and frequency of exposure to risk determines the likelihood). Determine level of risk by adding consequence level and likelihood level. This analysis should consider the range of potential consequences and how these could occur. Where possible involve more than one person in the assessment of risks (e.g. a person involved in the task being assessed and an independent person). In determining the risks, review relevant information:  hazard information – safe operating procedures (SOP), on-the-job training guides (OTJTG), policies, safety data sheets (SDS)  experience within the workplace - records and observations by employers and employees, incident/injury data  legislative requirements  industry codes of practice  WHS statutory authority guidance material Australian Standards.

 Refer to Appendix 3 - WHS Risk Rating and Prioritisation Table.

3.7. Evaluation and Control of Risks

 Evaluate the risk.

Review the estimated levels of risk against the WHS Risk Control Guidelines considering the balance between potential benefits and adverse outcomes. Determine if actions are required to control the risks.

 Refer to Appendix 2 – WHS Risk Control Guidelines

 Follow the Hierarchy of Controls to select risk control measures.

Develop and implement controls that are reasonably practicable to implement and action plans to address the identified hazards and risks. Control measures below are listed in order of decreasing effectiveness. This means that measures closest to the top should be adopted where practicable: Note: In most cases a combination of control measures from the Hierarchy of Controls provides the most effective solution. Eliminate the Hazard – remove the hazard from the workplace/work process.

WHS Risk Management Code of Practice Page 8 of 17

Substitute the Hazard – substitute with a hazard that poses a lower risk of harm (e.g. the use of less hazardous chemicals, materials or different equipment). Isolate the Hazard – enclose the hazard (e.g. barriers and fencing enclosures), remote handling, isolate by distance/time. Implement Engineering Controls – for example, ventilation systems, machine guarding. Administrative Controls – for example, safe work methods, training, job rotation, warning signs, supervision. Personal Protective Equipment (PPE) – for example, hardhat, hearing protection, respirators. Several controls may be required to control the risks.

 Immediately act to reduce any risk that has a ‘Very High’ rating, to a rating of ‘High’ or lower.

If it is not possible to immediately put controls in place, then the process or activity must be stopped to address the hazard. The process or activity can re-commence once controls are put into place and the risk is reduced.

 Implement controls according to risk prioritisation criteria.

Implementation includes verification of the effectiveness of controls.

 Refer to GA-WHS-RM-TOOL-001 WHS Risk Rating and Prioritisation Table on the GFG Alliance Australia Safety Intranet.

 Refer to Appendix 2 – WHS Risk Control Guidelines

 Where there is a risk that cannot be resolved, stop activity and report it to Team Leader.

 Review residual risks.

Undertake a further risk assessment to determine the level of risk following implementation of controls. Implement further controls if risk is not adequately reduced. Record the risk (with controls implemented) in the GFG Alliance Australia data management system/risk register or suitable format.

 Identify risks for which the rating is ‘as low as reasonably practical’ (ALARP).

These should be identified in the GFG Alliance Australia data management system/risk register or similar.

WHS Risk Management Code of Practice Page 9 of 17

3.8. Monitor and Review of Risks

 Maintain risk register.

Update risk register where appropriate when:  new hazards are identified  there are changes to processes, plant, substances (including commissioning/decommissioning of plant)  reviewing risk assessments  there are new requirements (e.g. legislative, industry, organisational).

 Monitor the effectiveness of control measures.

Existing control measures need to be reviewed to verify that changing circumstances have not reduced their effectiveness.

 Monitor the effectiveness of the risk management process.

This is for the purpose of continuous improvement and includes reviewing risk register at appropriate intervals. Systematically review the risk register to verify that:  new risks are being included where appropriate  new risks have controls prioritised to reduce risk  existing risks are being controlled  existing risks are ALARP.

 Review ‘Very High’ risks that are managed with administrative controls annually.

Administrative controls for ‘Very High’ risks need to be reviewed to verify that they are effective. The GFG Alliance Australia data management system (or similar) should be used as a tool to schedule review periods. Risk control effectiveness review periods are contained in the WHS Risk Control Guidelines.

 Refer to Appendix 2 – WHS Risk Control Guidelines

WHS Risk Management Code of Practice Page 10 of 17

4. Training and Competence The training provided to individuals is to be determined by training needs assessment. Training requirements that are generic across the CoP are described in the CoP Guidelines. In addition, the following training requirements are specific to this CoP.

4.1. Awareness Training

 Provide awareness training to employees and site contractors.

Training to provide knowledge of:  hazards and hazard identification  reporting of hazards  overview of risk assessment process  Hierarchy of Controls. Include awareness training in general induction.

4.2. Competent Person Training

 Provide training and assessment for employees performing risk assessments.

Training is to be specific for the risk management process to be used. For example, varying levels of training will be required to conduct PTRA, to complete JSA, or be involved in HAZOP.

5. Responsibility, Authority & Accountability Responsibilities that apply to all CoP for General Managers, Plant/Department/Location Managers, and Responsible Managers are described in the CoP Guidelines.

WHS Risk Management Code of Practice Page 11 of 17

6. Definitions

GFG Alliance The workplace health and safety management system including its Australia data databases, policies, procedures and processes. management system

As Low As Risks that are at a tolerable level based on the application of controls Reasonably that are reasonably practicable. Practical (ALARP)

Consequence (C) The harm to people, environment, property and/or process resulting from the hazardous/risk scenario.

Hazard A potential source of harm to people, environment, property and/or process.

Likelihood (L) The probability of the consequence occurring when exposed to the risk scenario.

Risk The consequence from a hazardous scenario and the likelihood that the consequence will occur.

Risk Level A descriptive rating linked to the risk rating. This includes Low, Moderate, High or Very High.

Risk Rating A numeric value assigned to a specific risk by adding the Consequence (C) and the Likelihood (L), assessed from the risk rating definitions.

Risk Register A database of hazards and their associated risks showing initial risk rating, current risk rating, planned or existing controls, and ALARP status.

7. Reference Material The material listed in the GFG Alliance Australia WHS Legislative Matrix may provide additional information to assist in the implementation of this CoP. Note: The currency of the reference material listed in the GFG Alliance Australia WHS Legislative Matrix should be confirmed.

 GFG Alliance Australia WHS Legislative Matrix (GA-WHS-LEG-TOOL-021)

WHS Risk Management Code of Practice Page 12 of 17

8. Appendices Appendix 1 – WHS Risk Management Overview

WHS Risk Management Code of Practice Page 13 of 17

Appendix 2 – WHS Risk Control Guidelines Identification, Planning & Implementation of Risk Controls The GFG Alliance Australia WHS Risk Management CoP requires that corrective actions be implemented for identified risks and each business shall have a program for those controls that systematically addresses their risk profile. The key principle is that sites are to have an active risk register and be able to demonstrate that they are actively addressing the highest rated risks. The key philosophy is that the risk management process is a method of determining priorities and items to address first, thus sites are encouraged to focus on the top priority risks rather than all risks. Control measures implemented to manage a risk should be reviewed and monitored to determine if changing circumstances have altered the control measures required to effectively manage the risk. When reviewing risks, it is good practice to review each of the risks for a particular hazard based on review period for the highest ranked risk. The following table outlines the risk control priorities, timeframes to assess and decide on controls, and timeframes for review of risk control effectiveness.

Low Risk Moderate High Very High Risk Control Manage by Responsibility Reduce as Immediate action to Priorities routine and action dates soon as reduce risk, stop work procedures must be possible as soon as practicable specified Time to Assess 60 days 60 days 10 days 24 hours and Decide on Controls Implement 12 months 60 days 30 days 24 hours Additional Controls Review of Risk 36 months 24 months 12 months Not applicable (risks to Control be reduced) Effectiveness

WHS Risk Management Code of Practice Page 14 of 17

Appendix 2 (continued)

Qualifying Notes Low Risk – Manage by routine procedures The level of risk is such that resources are most probably better directed at addressing higher rated risks. When a risk is identified and rated as a low risk, and the business context warrants additional controls then a reasonable timeframe would be for implementation of the controls to be performed using routine methods within 365 days.

Moderate Risk - Responsibility and action dates must be specified Resources should be allocated to higher rated risks first. An action plan that outlines planned controls or steps to determine planned controls and allocates responsibility should be developed within 60 days.

High Risk - Reduce as soon as possible Where a risk scenario has been rated as high risk, the existing controls should be reviewed and any further controls that are reasonably practical identified and implemented as soon as possible, preferably within 30 days. There may be situations where a risk has been identified and rated as high risk and after due consideration no further controls are reasonably practicable or known (ALARP), in such cases the General Manager shall determine whether the risk scenario is to be tolerated. Similarly, there may be cases where additional controls may take longer than 30 days, in such cases the General Manager shall confirm that the timeframe is acceptable within the context of the specific risk scenario.

Very High Risk - Immediate action to reduce risk, stop work as soon as practicable Immediate (within 24 hours) interim controls should be implemented to protect persons from the hazard. Prior to the stopping of work assessment should be made to check whether any additional risks might be introduced by stopping the process and appropriate controls implemented. Given the subjective nature of the risk rating method, good practice is to seek a greater understanding of the hazard and risk and confirm the level and nature of risk prior to establishing further controls once initial controls have been implemented.

WHS Risk Management Code of Practice Page 15 of 17

Appendix 3 – WHS Risk Rating and Prioritisation Table Consequence Categories Level Rating Description (Safety) 1 Negligible Negligible Low-level short-term subjective inconvenience or symptoms. No measurable physical effects. (E.g. minor laceration, burn or abrasion requiring basic first aid) 2 Minor Objective but reversible disability / impairment. (E.g. laceration, sprain/strain, burn etc. that requires medical treatment and/or modified duties) 3 Medium Moderate short-term or irreversible disability or impairment. (E.g. fracture, crush injury, burns etc requiring specialist medical and/or hospital treatment) 4 Major Near fatality, Single fatality or severe irreversible disability or impairment. (E.g. loss of life, loss of limbs, loss of bodily function such as major paralysis) 5 Extreme Short or long term health effects leading to multiple fatalities. (E.g. as for 4 but with multiple victims) Likelihood Categories Level Rating Description 1 Rare The event may occur only in exceptional circumstances (1 chance in 10,000 per year) 2 Unlikely The event could occur at some time (1 chance in 1,000 per year) 3 Possible The event might occur at some time (1 chance in 100 per year) 4 Likely The events will probably occur in most circumstances (1 chance in 10 per year) 5 Almost The event is expected to occur in most circumstances Certain (1 chance per year) Note: Add consequence and likelihood to achieve risk rating Risk Rating Table

Negligible Minor Medium Major Extreme

1 2 3 4 5

Almost Certain 5 6 7 8 9 10

Likely 4 5 6 7 8 9

Possible 3 4 5 6 7 8

Unlikely 2 3 4 5 6 7

Rare 1 2 3 4 5 6

Risk Prioritisation

Risk Level Suggested Actions

Low Manage by routine procedures

Moderate Responsibility and action dates must be specified

High Reduce as soon as possible

Very High Immediate action to reduce risk, stop work as soon as practicable

WHS Risk Management Code of Practice Page 16 of 17

 Notes

WHS Risk Management Code of Practice Page 17 of 17