OH Consultant
Technical · 11 min read · 9 April 2026

SWMS vs Risk Assessment: What's the Difference?

The Fundamental Legal Distinction

The clearest way to understand the difference between a SWMS and a risk assessment is to look at the legal basis of each. A SWMS is required by the Work Health and Safety Regulation 2025. The obligation applies specifically to high-risk construction work and is triggered by the 18 HRCW categories listed in Schedule 1 of the Regulation. If the work is HRCW, a SWMS is mandatory. The regulation prescribes the content requirements: identify the work, specify the hazards and risks, describe the control measures, and describe how the controls will be implemented, monitored, and reviewed. The SWMS must be prepared before the HRCW commences and must be available at the workplace while the work is being performed.

A risk assessment, by contrast, is required by the general duty of care under the Work Health and Safety Act 2011. Every person conducting a business or undertaking has a primary duty to ensure, so far as is reasonably practicable, the health and safety of workers and others affected by the work. Meeting this duty requires identifying hazards and managing risks, which in practice means conducting a risk assessment. The WHS Act does not prescribe a specific format, document type, or methodology for the risk assessment. It says only that the PCBU must identify hazards and manage risks, and the method is left to the PCBU's judgement.

The practical consequence is that the SWMS obligation is narrow and specific, while the risk assessment obligation is broad and general. A PCBU in construction must prepare a SWMS whenever HRCW is involved and must also conduct risk assessments for non-HRCW activities. A PCBU in a non-construction industry — manufacturing, healthcare, hospitality, retail — does not need to prepare SWMS at all, because the SWMS obligation is tied to construction work. They must conduct risk assessments for their workplace risks under the general duty.

A useful analogy: a risk assessment is like a vehicle. A SWMS is like a specific vehicle type — a Toyota HiLux. The HiLux is a vehicle, but not every vehicle is a HiLux. A SWMS is a form of risk assessment, but not every risk assessment is a SWMS. This distinction matters because it tells you which tool to reach for in which situation.

Side-by-Side Comparison

A direct comparison across the dimensions that matter makes the distinction between the two document types concrete. The following comparison covers legal basis, scope, format, worker sign-off, review triggers, and penalties.

Legal basis: A SWMS is required by Work Health and Safety Regulation 2025, in the sections of the Regulation dealing with high-risk construction work. This is a specific, prescribed statutory obligation that applies to HRCW only. A general risk assessment is required by Section 19 of the Work Health and Safety Act 2011, which establishes the primary duty of care. The duty is broad, principles-based, and flexible in implementation.

Scope: A SWMS applies only to the 18 HRCW categories defined in Schedule 1 of Work Health and Safety Regulation 2025. These categories include work involving a risk of falling more than 2 metres, work on a telecommunication tower, demolition of a load-bearing element, disturbance of asbestos, structural alterations requiring temporary support, confined space work, excavation deeper than 1.5 metres, tunnelling, use of explosives, work near pressurised gas or chemical lines, work near energised electrical installations, work in contaminated or flammable atmospheres, tilt-up and precast concrete, work adjacent to traffic corridors, work near powered mobile plant, work in extreme temperatures, and work near water with a drowning risk. A risk assessment applies to any workplace hazard in any industry — manual handling in a warehouse, psychosocial hazards in an office, chemical exposure in a laboratory, fatigue management in a mine.

Format: A SWMS has prescribed content requirements under the Regulation. It must include specific information in a recognisable structure — HRCW identification, hazards, risks, controls, responsibilities, consultation, sign-on, and review. A risk assessment has no prescribed format under the WHS Act. The PCBU can use whatever method and format suits the context, including a 5x5 risk matrix, a simple hazard checklist, a bowtie diagram, a formal HAZOP, a fault tree analysis, or a narrative assessment.

Worker sign-off: Workers must sign on to a SWMS before commencing HRCW to confirm they have been consulted and briefed on the content. There is no mandatory sign-off requirement for a general risk assessment under the WHS Act, although some industry codes of practice require acknowledgement of task-specific risk assessments and many organisations impose sign-off as an internal policy.

Review triggers: A SWMS must be reviewed when conditions change, when a control is found to be inadequate, after an incident or near miss, when the SWMS is not being followed, when workers request a review, or at regular intervals set by the preparer. A risk assessment should be reviewed periodically and when circumstances change, but the triggers are less prescriptive and typically follow the organisation's own risk management framework rather than a specific regulatory requirement.

Penalties: Failing to prepare or follow a SWMS for HRCW carries specific penalties under Work Health and Safety Regulation 2025. In New South Wales, SafeWork NSW inspectors can issue on-the-spot penalty infringement notices of $3,600 for individuals and $18,000 for bodies corporate for specified SWMS offences. Prosecution penalties under the model WHS Act range from $500,000 for Category 3 offences up to $3,000,000 for Category 1 offences against bodies corporate. Failing to conduct a risk assessment breaches the general duty of care, which carries its own penalties but is harder to prosecute for a specific document absence.

How a SWMS Contains a Risk Assessment

Every SWMS includes a risk assessment component, which is the source of considerable confusion. The SWMS requires the preparer to identify hazards associated with the HRCW, assess the risk level before controls are applied using a likelihood and consequence matrix, determine control measures following the hierarchy of controls, and assess the residual risk level after controls are applied. This is a risk assessment by any reasonable definition. It follows the same fundamental process described in AS/NZS ISO 31000:2018 — identify, analyse, evaluate, treat — and produces the same output: a documented set of hazards, risks, and controls.

The difference is that the SWMS wraps this risk assessment inside a broader document that also includes the scope of HRCW, worker responsibilities, worker sign-on, emergency procedures, and review arrangements. A general risk assessment may contain only the identification, analysis, evaluation, and treatment — the core risk management content. A SWMS contains all of that plus the structural and procedural elements required by the Regulation. You can think of a SWMS as a risk assessment embedded in a structured compliance document.

The risk matrix used within a SWMS is typically a 5x5 matrix with likelihood ratings of rare, unlikely, possible, likely, and almost certain, combined with consequence ratings of insignificant, minor, moderate, major, and catastrophic. The intersection produces a risk score of low, medium, high, or extreme. Controls are applied to reduce the risk rating from the pre-control level to a tolerable residual level. The SWMS records both ratings, demonstrating that the controls are expected to be effective. A matrix that records only one rating does not demonstrate control effectiveness and will not satisfy an inspector's expectation of a structured risk assessment.

Safe Work Australia's guidance describes the SWMS as a structured risk assessment for high-risk construction work. The word structured is key — it means the risk assessment follows a mandated format tied to a mandated set of content requirements. A general risk assessment can take whatever form suits the context. A SWMS must take the specific form prescribed by the Regulation. A PCBU who submits a general risk assessment for HRCW is not meeting the SWMS obligation, no matter how thorough the risk assessment.

When You Need a Risk Assessment and Not a SWMS

There are many situations where a general risk assessment is the correct tool and a SWMS is neither required nor appropriate. Understanding these situations prevents the common error of creating a SWMS for non-HRCW work, which produces an over-documented workflow without any compliance benefit.

Non-construction work. If the work is not construction work — manufacturing, warehousing, mining, agriculture, office work, healthcare, retail, hospitality, transport, education — a SWMS is not required regardless of the risk level. The SWMS obligation is tied specifically to construction work and does not apply in other industries. For high-risk work in these industries, the appropriate tool is a Job Safety Analysis, a Job Safety and Environment Analysis, a formal risk assessment under AS/NZS ISO 31000:2018, or a Safe Operating Procedure, depending on the industry convention and the organisation's safety management system.

Construction work that is not HRCW. If the construction work does not trigger any of the 18 HRCW categories in Schedule 1 of the Regulation, a SWMS is not legally required. The PCBU still has a general duty to manage risks under the WHS Act, which can be satisfied by a risk assessment, a JSA, or a safe system of work. Example: painting interior walls at ground level on a construction site, installing floor tiles in a single-storey building, or assembling prefabricated components that do not require work at height. These are construction activities but not HRCW.

Strategic and organisational risk assessment. Risk assessments at the strategic, operational, or project level — assessing the risks of a project delivery strategy, a procurement approach, a change management initiative, or a technology deployment — are not SWMS territory. These use the AS/NZS ISO 31000:2018 framework or the organisation's equivalent enterprise risk management approach. The output is a risk register, not a SWMS.

Environmental risk assessment. Assessing environmental impacts such as contamination, emissions, waste disposal, water discharge, or biodiversity impact uses environmental risk assessment frameworks. These are sometimes integrated with safety assessment in industries like mining and oil and gas as a Job Safety and Environment Analysis, but they are not SWMS.

Psychosocial risk assessment. Assessing workplace psychological hazards such as bullying, harassment, workload stress, exposure to traumatic events, and poor organisational justice uses the psychosocial hazard provisions introduced in many jurisdictions from 2022 to 2024 and a psychosocial risk assessment approach. These assessments are distinct from physical hazard management and are not included in a construction SWMS.

Routine low-risk tasks. For everyday activities with well-understood and well-controlled risks — carrying tools from a ute to a work area on a flat clear path, setting up a laptop in an office, making coffee in a staffroom — a formal risk assessment is usually not proportionate. The organisation's general safe work rules, inductions, and supervision are sufficient to manage the risk.

Using Both Documents Together in a Mature Safety System

In a mature safety management system, risk assessments and SWMS coexist at different levels of the safety hierarchy. Each level has its own purpose, its own audience, and its own document type, and the levels work together to catch hazards at every scale.

At the project level, a risk assessment identifies all significant risks across the entire construction project — programme risks, environmental risks, community interface risks, and work health and safety risks. This project-level assessment is typically documented in a project risk register following AS/NZS ISO 31000:2018 or the organisation's equivalent framework. It captures the big picture: which risks could threaten delivery, safety, or public interface, and how will they be governed at the project management level. The audience is the project leadership, the client, and the regulator in the context of the WHS Management Plan.

At the activity level, a SWMS covers each specific HRCW activity within the project. The SWMS drills into the hazards and controls for a specific scope of work performed by a specific subcontractor. The project risk register provides context, and the SWMS provides task-level detail. Each subcontractor prepares their own SWMS for their own scope, and the principal contractor collects, reviews, and monitors each SWMS as part of their duty under the Regulation.

At the task level, a Job Safety Analysis may provide even more granular analysis for a specific high-consequence task within the SWMS scope. For example, a JSA for the isolation procedure within an electrical SWMS, or a JSA for the initial breach of a confined space within a confined space SWMS. The JSA is prepared by the workers performing the task, reviewed by the supervisor, and used as a pre-task briefing tool.

This layered approach means risks are assessed at every level: strategic, operational, and task. No hazard falls through the gaps because each layer catches what the others might miss. The project risk register catches site-wide issues such as traffic management and community interface. The SWMS catches activity-specific HRCW hazards. The JSA catches task-step-level hazards. Principal contractors on large projects typically maintain all three levels. Subcontractors on smaller projects may only need the SWMS level for HRCW and possibly a JSA level for complex tasks within the SWMS scope. Sole traders on simple jobs may need only the SWMS. Regardless of how many levels you use, the principle is the same: identify hazards, assess risks, implement controls, monitor, and review. The document type changes. The process does not.

Common Failures at the SWMS and Risk Assessment Interface

Several predictable failures occur at the interface between SWMS and general risk assessments. Avoiding these failures is usually more valuable than perfecting the content of either document.

The first and most common failure is submitting a general risk assessment in place of a SWMS for HRCW. A subcontractor produces a thorough AS/NZS ISO 31000:2018 risk assessment, submits it to the principal contractor, and assumes the SWMS obligation is satisfied. It is not. The Regulation requires a SWMS specifically, and a risk assessment that omits the prescribed SWMS content elements — HRCW identification, hierarchy-tagged controls, consultation record, sign-on register, emergency procedures — is not a SWMS regardless of how rigorous the risk analysis is. The principal contractor should reject the document and require a proper SWMS.

The second failure is duplicating content between the risk assessment and the SWMS. A project has a risk register that identifies fall from height as a top-tier risk, and then every subcontractor SWMS also identifies fall from height as a hazard. This is not a failure so much as an inefficiency — the content is duplicated but the organisation's intent is clear. The two documents work at different levels and should not be expected to share content line by line. The project risk register captures the site-wide governance of the risk. The SWMS captures the task-specific controls.

The third failure is treating the SWMS as a substitute for a risk assessment when the work is not HRCW. A subcontractor who does occasional HRCW may be tempted to produce a SWMS for every job regardless of whether HRCW is involved, on the theory that more documentation is always better. This produces two problems: it wastes time, and it dilutes the significance of the SWMS by treating a highly structured compliance document as a general risk assessment. For non-HRCW work, a JSA or a general risk assessment is the right tool and the SWMS is overkill.

The fourth failure is failing to review. A SWMS or risk assessment that was prepared correctly six months ago may have drifted out of date as site conditions change, workers change, or equipment changes. Both document types must be reviewed when conditions change, after incidents, and at regular intervals. The review trigger is the same for both — what differs is the specificity of the review and the sign-off required. A SWMS review for HRCW typically requires re-briefing workers and re-capturing sign-on. A general risk assessment review may require only an internal sign-off from the preparer.

Risk Assessment Built In — Every SWMS, Every Time

OH Consultant SWMS includes a full risk matrix in every document — before and after controls, with pre-loaded hazards for your trade. No separate risk assessment needed for HRCW. Your first SWMS is free.
