Why Your HIRARC Is Always Behind — Fixing the Capex-to-Risk-Assessment Gap in Malaysia

In a lot of Malaysian operations, a new production line, a new machine, or a new process step can be approved by management in minutes, while the risk assessment required to operate it safely takes weeks to catch up. This isn’t a documentation delay. It’s a structural gap between how fast capital decisions move and how fast HSE processes are built to move — and it carries real legal exposure for the management chain.

Two Clocks Running at Different Speeds

A capital approval decision moves at business speed: a proposal is reviewed, a budget is checked, a board or management committee signs off, often inside a single meeting. A HIRARC update moves at HSE speed: hazards need to be identified for the new equipment or process, likelihoods and severities assessed, controls specified, and the document reviewed and approved through whatever governance the organisation has in place.

When these two clocks aren’t deliberately synchronised, the new line frequently starts running before its risk assessment exists. Nobody intends this to happen. The capital decision usually makes sound financial sense, and HSE is rarely invited into the room where it’s made — not out of exclusion, but because nobody built a checkpoint requiring it.

Why the Document Matters Even When Nothing Goes Wrong

It’s tempting to treat this gap as a paperwork issue that resolves itself once the HIRARC is eventually completed. Under Malaysian law, the gap matters regardless of outcome. The Occupational Safety and Health Act 1994, as amended in 2022, places a general duty on the employer to ensure the safety and health of employees — and this duty applies from the moment a process or piece of equipment is in operation, not from the moment its paperwork is finished.

If an incident occurs on equipment that was running before its risk assessment existed, the absence of that HIRARC is not treated as an administrative oversight. It becomes evidence that the organisation operated a process without first identifying what could go wrong — which is a materially harder position to defend than a HIRARC that existed but, in hindsight, missed something.

Where Personal Liability Comes In

Under the 2022 amendments, the courts have increasingly interpreted the general duty to ensure safety as extending through the management chain, not resting solely with the HSE officer or safety committee. A capex approval made by management, without HSE input or a corresponding risk assessment timeline, is a decision the management chain made — and one they can be expected to answer for if it results in harm.

This shifts the capex-timing gap from “an HSE backlog issue” to a director and management liability issue, which is precisely the framing that OSHA 2022 training for management is designed to address.

The Fix Isn’t Slowing Down Capital Decisions

The instinct might be to insert a lengthy HSE review into every capital approval process, which tends to be resisted because it’s seen as a brake on legitimate business decisions. That’s the wrong fix, and it’s also not necessary.

The fix that actually works is a single gate, not a lengthy process: no new equipment, machine, or process step goes into operational use until the corresponding risk assessment exists and has been reviewed. This doesn’t require slowing down the approval meeting. It requires making “risk assessment completed” a precondition for “equipment goes live,” the same way many organisations already treat “permit issued” as a precondition for work commencing.

Building This Into Management of Change

Organisations that handle this well typically do so through a structured Management of Change (MOC) process, where any change to equipment, process, personnel structure, or operating parameters triggers a defined set of reviews — including a risk assessment — before the change is considered complete. Without an MOC trigger, risk assessment updates depend on someone remembering to ask for one, which is precisely the kind of dependency that produces the multi-week gaps seen in practice.

What Management Should Be Asking

For any organisation reviewing its own exposure here, the right question isn’t “do we have a HIRARC for every piece of equipment we operate?” Most organisations will answer yes, eventually. The right question is: “is there a single point in our capital approval process where ‘risk assessment complete’ is required before ‘equipment operational’ is permitted — and who is responsible for enforcing that gate?”

If the answer is “no formal gate exists,” the organisation is currently relying on HSE catching up in time, every time, with no system ensuring that it does.

Want your management team to understand exactly where their legal exposure sits under OSHA 2022? Cikgu Barrier’s OSH Obligations for Management program is built specifically for directors, managers, and HR teams who need to understand employer duties, personal liability, and what DOSH expects — not just what HSE departments are expected to handle alone.
