0.1 OSHA (Malaysia) - HIRARC Requirement
Under the Occupational Safety and Health Act 1994 as amended by the OSHA (Amendment) Act 2022, employers in Malaysia are legally required to perform risk assessment, which in practice includes HIRARC (Hazard Identification, Risk Assessment and Risk Control):
Relevant Clause : The OSHA (Amendment) Act 2022 introduced Section 18B and strengthened risk assessment obligations, making it mandatory for employers to conduct and document risk assessments and implement risk controls before work begins and whenever work processes change.
So :
Employers must carry out a proactive, documented risk assessment for workplace hazards.
In Malaysia, this HIRARC process is the commonly prescribed method for fulfilling that legal duty and is required for OSHA compliance.
0.2 CIDB
Embedding risk assessment into construction standards that contractors are expected to follow:
The CIDB Construction Industry Standard CIS 25:2018 titled Construction Activities Risk Assessment (CARA) requires contractors to implement hazard identification, risk analysis and risk control (HIRARC) as part of managing site safety and risk control in construction activities.
1.0 Why HIRARC Often Fails to Prevent Accidents and Delays
Hazard Identification, Risk Assessment and Risk Control (HIRARC) is a mandatory and widely recognised tool in occupational safety and health (OSH). Yet despite its widespread use, serious incidents, unsafe conditions, and project delays continue to occur even on projects with “approved” HIRARC documents.
The problem is not the concept of HIRARC itself, but how it is positioned and applied. In many organisations, HIRARC exists as a standalone safety document, disconnected from pre-project risk assessment, programme planning, and critical path analysis. As a result, safety risks are managed operationally but ignored strategically.
This article argues that HIRARC must be integrated with pre-project risk assessment and critical path planning to be truly effective and with bonus topic :
how legal/contracts, Integrated Management Systems (IMS - ISO 9000 + ISO 45000 + ISO 14000) plays a strategic and most effective role
2.0 Common Structural Weaknesses in Current HIRARC Practice
Across industries, several recurring weaknesses are observed:
Generic, template-driven HIRARC - Hazards and controls are copied from previous projects or standard checklists, with little adaptation to specific processes, environments, or sequencing,
HIRARC treated as a one-off exercise - Assessments are prepared at project start and rarely updated, even when scope, methods, or site conditions change,
Focus on paperwork rather than execution - Controls are listed but not translated into physical measures, permits, inspections, or hold points.
Disconnection from planning and programme - Safety controls that require time, resources, or sequencing are not reflected in the construction programme or manufacturing schedule.
These weaknesses explain why HIRARC often satisfies audits but fails to prevent incidents or programme disruption.
3.0 The Missing Link: Pre-Project Risk Assessment
Before HIRARC is conducted, most organisations already perform some form of pre-project or strategic risk assessment, covering areas such as:
Design and constructability risks,
Environmental and regulatory constraints,
Construction methodology risks,
Supply chain and resource risks
However, this high-level risk information is rarely carried forward into task-level HIRARC.
4.0 What Should Happen Instead
Pre-project risks should form the starting reference for HIRARC, not a separate exercise.
For example:
A pre-project risk identifying “leakage risk in water-retaining structures” should directly inform HIRARC items on crack repair methods, confined space work, curing duration, and retesting cycles.
A strategic risk related to “compressed commissioning timeline” should alert assessors to elevated risks during testing, handover, and non-routine activities.
In this way, HIRARC becomes the execution layer of the project’s overall risk strategy.
5.0 HIRARC and the Critical Path: Where Safety Meets Programme Reality
A critical but often ignored principle is this:
Any activity with high or extreme residual OSH risk is potentially a critical path activity even if CPM analysis says otherwise.
Why?
Safety controls are not abstract concepts, they consume time, resources, and sequencing discipline. When these are not embedded into the programme, the project plan becomes unsafe by design.
Examples of safety controls that directly affect the critical path include:
Permit-to-work systems,
Confined space entry requirements,
Curing and drying periods,
Independent inspections and testing,
Competent person availability,
Weather and environmental constraints
If these controls are not modelled as predecessors, constraints, or lags in the programme, delays and unsafe shortcuts become inevitable.
6.0 Industry Example 1: Construction : Reinforced Concrete Water Tank
In water-retaining structures, generic HIRARC typically lists “working at height” or “chemical exposure”. A properly integrated HIRARC, however, identifies:
Confined space hazards during injection works,
Hydrostatic pressure risks during ponding tests,
Rescue limitations due to single access points,
Extended curing and retesting cycles,
When linked to planning:
Confined space permits become programme hold points,
Curing periods become mandatory lags,
Leakage retesting becomes a near-critical or critical activity
Ignoring these realities results in repeated rework, programme slippage, and dispute over responsibility.
7.0 Industry Example 2: Manufacturing – Metal Press and Stamping Lines
In manufacturing, many severe incidents occur not during production, but during:
Die changeovers,
Jam clearing,
Maintenance and calibration
A customised HIRARC recognises:
Stored mechanical and electrical energy,
Human factors such as interlock bypass,
Frequency of non-routine interventions,
When linked to the schedule:
Lockout–Tagout becomes a mandatory predecessor,
Try-start tests become release gates
Competency requirements affect resource loading
Without these links, pressure to meet output targets drives unsafe behaviour.
8.0 Linking HIRARC to ISO 45001/MS 1722
A good practice increasingly observed among more mature organisations is the formal linkage of HIRARC outcomes to ISO 45001 and MS 1722 governance processes, where risk findings are reviewed not only at toolbox talks, but also at management and project control meetings.
In these organisations, HIRARC is treated as a management input, not merely a site safety requirement. High and residual risks, safety-critical activities, permit dependencies, and control effectiveness are escalated to project reviews alongside cost, programme, and quality matters. This allows management to make informed decisions on sequencing, resources, tolerable risk, and contingency, rather than leaving risk ownership solely at supervisory level.
Such integration aligns strongly with the intent of ISO 45001 Clauses 5 (Leadership), 6 (Planning), 8 (Operational Control), and 9 (Performance Evaluation), as well as MS 1722 expectations on continual improvement. It also reflects what regulators increasingly expect to see: evidence that OSH risks are actively governed, not just communicated downward during toolbox meetings.
By elevating HIRARC discussions to management and project control forums, organisations shift safety from a compliance activity to a strategic control mechanism, improving both risk visibility and decision quality across the project lifecycle.
9.0 How Integrated Management System (IMS) - Quality, Safety and Environment Management Systems play a role
Note : I’ve been advocating for Integrated Management Systems since the late 1990s, when certification bodies still treated quality, safety, and environmental systems as separate silos often charging independently for each, driving costs skyrocketted highly.
IMS is where HIRARC, planning, audits, and leadership finally connect into one system, instead of three parallel universes.
Briefly this is how Integrated Management System (IMS) combining ISO 9001 (Quality), ISO 45001 (OSH), and ISO 14001 (Environment) actually helps in real operations, not just on paper.
The problem :
Without IMS, most organisations look like this:
ISO 9001 = focused on programme, cost, defects,
ISO 45001 = focused on accidents, HIRARC, PPE,
ISO 14001 = focused on waste, pollution, permits
Each has:
separate risk registers,
separate procedures,
separate meetings,
separate audits
The result?
Same activity reviewed three times,
Conflicting controls,
Gaps at the interfaces (where incidents usually happen)
10.0 IMS collapses these silos into one risk-based management system.
How IMS Improves HIRARC Specifically :
A. One Risk, Three Perspectives
Take a single activity, confined space work in a tank
D. What They Did Right in The Construction Industry
In the construction industry, contractual requirements which effectively give them legal standing have driven the integration of Method Statements with reference to Standards and Codes of Practice, Construction Methodology, Safe Work Practices, Job Safety and Environmental Analysis, HIRARC etc.
These elements are also consistently cross-referenced within the Inspection and Test Plans, ensuring alignment between planning, safety, environmental control, and quality verification.
IN THE EYES OF A CONSULTANT, THIS IS HOW I SEE IT WAY BACK IN 2008
(The Methods portrayed here has changed significantly - the diagrams/flowcharts are for reference purposes only - if you see it anywhere - that's my masterpiece)
D1. What They Did Right in the Civil Services
The Manual doesn’t need to be overly detailed. At the beginning, a brief executive summary, a company introduction, and similar essentials are sufficient. The core business processes that connect everything, along with all procedures, are presented as flow charts within the same manual. (with exceptional to documented information required by contracts/law)
Back in the 1990s, when I taught many Malaysian Civil Servants, they had already, through the Total Quality Management (TQM) concept before the shift to ISO 9000, spearheaded by YAB Tun Dr. Mahathir and guided by my mentor Allahyarham Tun Ahmad Sarji and his predecessor cleverly integrated these processes ahead of others, producing the original Manual Prosedur Kerja. Today, the civil services have high-quality Manuals that consolidate all aspects of IMS (including Risk Management)
While Plans, Method Statements, and ITPs are contractual requirements in the construction industry, the Civil Services went a step further by linking their documented information to laws, circulars, and work instructions, making compliance mandatory.
E. Management & Project Control Meetings Become Meaningful
In effective IMS organisations:
HIRARC outcomes,
Quality risks,
Environmental aspects
are reviewed together at:
management review meetings (Clause 9.3),
project control meetings,
risk review boards
Management sees:
what is critical,
what is near-critical,
what is deteriorating
That’s leadership in action.
F. Better Use of Data (Clause 9)
IMS integrates:
incidents & near misses (45001),
defects & NCRs (9001),
spills & environmental noncompliance (14001)
Patterns emerge:
same contractor,
same activity,
same stage/phase of work
This enables predictive intervention, not reactive firefighting.
G. Fewer Accidents, Fewer Disputes, Fewer Surprises
From a business perspective, IMS helps by:
reducing rework,
preventing stop-work orders,
avoiding regulatory action,
strengthening defensibility in disputes
When an incident happens, IMS provides:
evidence of planning,
evidence of control,
evidence of leadership oversight
That matters to regulators, clients, and courts.
11.0 Why I Have Great Respect for Any Company Doing This
Because I can see clearly :
consistency between plan, execution, and review
hazards reflected in programme logic
risks escalated to management
continuous improvement in action
IMS shows the organisation understands risk, not just standards.
Furthermore : IMS also assists the ABMS in gaining a clearer understanding of which areas or processes are at risk of corruption
