Residual Risk in HIRARC: The Number Everyone Signs But Nobody Verifies

Open any HIRARC document in a Malaysian workplace. Find the residual risk column. It will almost certainly show Low or Medium for most hazards. Now ask the person who signed it: how do you know the controls that produced those ratings are actually in place?

In most cases, the answer is: because we listed them in the document. That is the problem with residual risk in HIRARC documents across Malaysia. The rating reflects the assumed state of controls — not the verified state.

How Residual Risk Is Assessed — And Where It Goes Wrong

The standard process: identify hazards, assess likelihood and consequence, list controls, apply reductions, arrive at residual risk. Everyone signs. It goes on file. The critical failure lies in the assumption that the listed controls are “in place.” Controls are listed because someone believes they exist, not because someone verified that they exist, function, and are being used correctly.

An engineering control listed in a HIRARC is not the same as one that is physically installed, inspected, functional, and maintained. An administrative control listed is not the same as a procedure being followed. The residual risk rating in your HIRARC tells you what your risk would be if controls were working perfectly. It does not tell you what your risk actually is today.

Why This Gap Matters: Two Failure Modes

Failure Mode 1: Workers Operating in Higher-Risk Conditions Than the HIRARC Shows

If your HIRARC shows residual risk as Low because three engineering controls are listed — and one was removed for maintenance six months ago and never reinstalled — the actual risk is not Low. Workers making decisions based on what the HIRARC says are exposed to a risk the document does not reflect.

Failure Mode 2: No Evidence of Control Effectiveness for DOSH

When a DOSH inspector reviews your HIRARC following an incident, they look for evidence that controls were functioning — not just that they were listed. A HIRARC without associated verification records says “we intended for these controls to exist.” That is not a defence.

What a Verified Residual Risk Assessment Looks Like

For each control listed, there should be a corresponding record: when was it last verified, by whom, and what was the finding? For engineering controls: inspection and maintenance records. For administrative controls: training records showing the specific SOP, version, and competency assessment method. For supervision requirements: a defined scope of what the supervisor is verifying.

When verification is absent, the residual risk rating should not be treated as reliable. The gap between assumed residual risk and verified residual risk is where incidents happen.

The Question to Ask at Your Next HIRARC Review

For every control listed, ask: where is the evidence that this control is working today? If the answer is “it’s in the document,” the rating is based on an assumption. Closing that gap is what a functional HIRARC process in Malaysia looks like — not a completed form, but a live record of verified controls.

Build a HIRARC Process That Actually Works

Cikgu Barrier’s Risk Assessment That Works training covers the full HIRARC methodology — from hazard identification and risk rating to control verification and residual risk management. Designed for safety officers, supervisors, and OSH coordinators.
