HIRARC Malaysia: What It Is, Why It Matters, and How It Connects to Your Insurance Coverage

Everything Malaysian employers need to know about HIRARC: the DOSH-mandated process for hazard identification, risk assessment, and risk control. Covers the 5x5 risk matrix, legal requirements under OSHA 1994, step-by-step implementation, and how HIRARC quality affects your insurance premiums.


HIRARC Malaysia: What Every Employer Must Get Right

Every employer in Malaysia has a legal duty to keep workers safe. DOSH (the Department of Occupational Safety and Health) expects you to prove it, and the primary tool they use to measure your commitment is HIRARC.

HIRARC stands for Hazard Identification, Risk Assessment, and Risk Control. It's the structured process that turns vague safety intentions into documented, actionable workplace protections. Get HIRARC wrong, and you're looking at fines up to RM500,000, imprisonment, rejected insurance claims, and, worst of all, preventable injuries on your watch.

Here's what this guide covers:

  • What HIRARC means and how it works in Malaysia
  • The legal basis under OSHA 1994, FMA 1967, and the DOSH Guidelines on HIRARC 2008
  • Who must conduct HIRARC and when
  • The complete step-by-step HIRARC process, including the 5x5 risk matrix
  • Common mistakes that get employers into trouble
  • How HIRARC quality directly affects your insurance premiums and claims
  • What DOSH inspectors actually look for during audits

What Is HIRARC? Understanding the Three Components

HIRARC is a systematic process outlined in the DOSH Guidelines on HIRARC 2008 (Second Edition). It breaks workplace safety into three connected stages: identifying what can hurt people, measuring how likely and severe the harm could be, and putting controls in place to prevent it.

If you want to understand the Malay terminology behind HIRARC, read our detailed breakdown in HIRARC Maksud Malaysia.

| Component | Full Term | Purpose | Key Question |
|---|---|---|---|
| HI | Hazard Identification | Find everything that could cause harm | What can go wrong? |
| RA | Risk Assessment | Evaluate likelihood and severity of harm | How bad could it be, and how likely is it? |
| RC | Risk Control | Implement measures to eliminate or reduce risk | What are we doing about it? |

Hazard Identification (HI)

This is where you walk through every work activity and ask: "What here could injure or make someone sick?" You're looking for sources of potential harm, not just obvious dangers like unguarded machinery, but also less visible threats like repetitive motion, chemical exposure, or excessive noise.

The DOSH guidelines require you to consider all factors that may cause harm to employees and others. This includes routine tasks and non-routine activities like maintenance, cleaning, or emergency situations.

Risk Assessment (RA)

Once you've identified the hazards, you need to score each one. The DOSH HIRARC guidelines use a semi-quantitative approach: you rate the likelihood of the hazard causing harm and the severity of that harm, then multiply them together. This gives you a risk rating that determines your priority for action.

Risk Control (RC)

The final step is deciding what to do about each risk. DOSH follows a strict hierarchy of controls, starting with elimination (remove the hazard entirely) and working down to PPE (personal protective equipment) as the last resort. You must document each control measure, assign responsibility, and set timelines.

Legal Basis for HIRARC in Malaysia

HIRARC is not optional. It's grounded in multiple pieces of Malaysian legislation and reinforced by DOSH guidelines. Understanding the legal framework helps you grasp why non-compliance carries such serious consequences.

For a full breakdown of OSHA 1994 penalties, see our guide on OSHA 1994 Penalties and Fines in Malaysia.

| Legislation / Guideline | Key Provisions | HIRARC Relevance |
|---|---|---|
| OSHA 1994 (Act 514), Section 15 | General duties of employers to ensure safety, health, and welfare of employees so far as is practicable | HIRARC is the primary method to demonstrate compliance with this duty |
| OSHA 1994, Section 18 | Duties of occupiers to non-employees at the workplace | HIRARC must cover risks to visitors, contractors, and the public |
| OSHA (Amendment) 2022 (Act A1648) | Expanded duties, risk assessment obligations, penalties increased to RM500,000; effective 1 June 2024 | Employers must conduct risk assessments and develop emergency procedures |
| Factories and Machinery Act 1967 (Act 139) | Safety requirements for factories, machinery registration, and inspections | HIRARC supports compliance with machinery safety and factory safety obligations |
| DOSH Guidelines on HIRARC 2008 (Second Edition) | Detailed methodology for hazard identification, risk matrix, hierarchy of controls | The official reference document for conducting HIRARC in Malaysia |

What Section 15 of OSHA 1994 Requires

Section 15 places a broad duty on every employer to ensure, so far as is practicable, the safety, health, and welfare of all employees at work. This includes providing safe systems of work, safe use of plant and substances, adequate information and training, and maintaining safe premises.

The 2022 Amendment added Section 15(2)(f), which now explicitly requires employers to develop and implement procedures for dealing with emergencies. You can't build emergency procedures without first identifying the hazards, which brings you right back to HIRARC.

Penalty Structure After the 2022 Amendment

Before the amendment, breaching Sections 15 to 18 carried a maximum fine of RM50,000. The Occupational Safety and Health (Amendment) Act 2022 (Act A1648), effective 1 June 2024, increased that tenfold.

| Offence | Previous Penalty (Pre-2024) | Current Penalty (Post 1 June 2024) |
|---|---|---|
| Breach of Sections 15-18 (employer/occupier duties) | Fine up to RM50,000 or 2 years imprisonment, or both | Fine up to RM500,000 or 2 years imprisonment, or both |
| Breach of Sections 20-21 (improvement/prohibition notice non-compliance) | Fine up to RM50,000 or 2 years imprisonment, or both | Fine up to RM200,000 or 2 years imprisonment, or both |

These are not theoretical numbers. DOSH actively enforces them, and the absence of proper HIRARC documentation is one of the most common triggers for enforcement action.

Who Must Conduct HIRARC in Malaysia?

The short answer: every employer covered by OSHA 1994. After the 2022 Amendment (effective 1 June 2024), this now includes the public sector as well. There are no size exemptions; whether you run a two-person workshop or a 5,000-worker factory, HIRARC applies to you.

| Industry / Sector | HIRARC Required? | Key Obligations |
|---|---|---|
| Manufacturing and factories | Yes | HIRARC for all production lines, machinery, chemical handling, maintenance activities |
| Construction | Yes | Site-specific HIRARC, updated per work phase; required for CIDB compliance |
| Oil and gas | Yes | PETRONAS HSE requirements mandate HIRARC; additional quantitative risk assessments often needed |
| Hospitality, retail, offices | Yes | HIRARC for fire risks, electrical hazards, ergonomic risks, slips/trips/falls |
| Agriculture and plantations | Yes | Chemical exposure (pesticides), machinery hazards, heat stress, biological hazards |
| Healthcare and laboratories | Yes | Biological hazards, sharps, chemical agents, radiation, ergonomic risks |
| Public sector (post-2024) | Yes | All government agencies and statutory bodies now covered under OSHA 1994 |
| Transport and logistics | Yes | Vehicle operation, loading/unloading, warehouse operations, driver fatigue |

Employer Obligations at a Glance

As the employer, your obligations go beyond just filling out the HIRARC form. You must make sure the process is led or supervised by someone competent, that findings are communicated to all affected workers, and that control measures are actually implemented, not just written down.

If your workplace has 40 or more employees (or is in a high-risk industry as specified by DOSH), you're also required to appoint a Safety and Health Officer (SHO) and establish a Safety and Health Committee. Both play a direct role in the HIRARC process.

The HIRARC Process: Step-by-Step

The DOSH Guidelines on HIRARC 2008 outline four key steps. Here's how to work through each one. For a practical walkthrough of filling out the actual HIRARC form, see our guides in English and Bahasa Malaysia.

  1. Classify work activities
  2. Identify hazards for each activity
  3. Conduct risk assessment (likelihood x severity)
  4. Determine and implement risk control measures

Step 0: Classify Work Activities

Before identifying hazards, you need a clear list of every work activity at your site. Group them logically: by department, by process stage, or by location. Include routine tasks, non-routine tasks (maintenance, cleaning, shutdowns), and emergency scenarios.

For each activity, document the work area, personnel involved, tools and equipment used, materials handled, and any existing control measures already in place.

Step 1: Hazard Identification

This is the foundation of the entire HIRARC process. Miss a hazard here, and it won't appear in your risk assessment, which means it won't get controlled. DOSH expects you to use multiple identification methods: workplace inspections, task analysis, accident and incident records, safety data sheets (SDS), and worker consultation.

The DOSH guidelines categorise hazards into five main types:

| Hazard Type | Description | Workplace Examples |
|---|---|---|
| Physical | Energy sources that can cause injury | Noise, vibration, extreme temperatures, radiation, electricity, unguarded machinery, working at height, falling objects |
| Chemical | Substances that can harm health through exposure | Solvents, acids, gases, dusts, fumes, pesticides, cleaning agents, paints |
| Biological | Living organisms or their products that can cause disease | Bacteria, viruses, fungi, parasites, insect bites, animal handling, sewage |
| Ergonomic | Workplace conditions that strain the body | Repetitive motions, awkward postures, heavy lifting, prolonged standing, poorly designed workstations |
| Psychosocial | Work organisation and relationships that affect mental health | Excessive workload, shift work, workplace bullying, job insecurity, lone working |

Here's the thing: most companies do a decent job identifying physical and chemical hazards. But ergonomic and psychosocial hazards are routinely overlooked, and DOSH inspectors know it. Make sure your HIRARC covers all five categories.

Step 2: Risk Assessment (The 5x5 Matrix)

Once hazards are identified, you assess each one by rating two factors: how likely the hazard is to cause harm (likelihood) and how severe that harm would be (severity). The DOSH HIRARC guidelines use a 5-point scale for each.

Likelihood Scale:

| Rating | Level | Description |
|---|---|---|
| 1 | Inconceivable | Is practically impossible and has never occurred |
| 2 | Remote | Has not been known to occur after many years of exposure |
| 3 | Conceivable | Might occur at some time in the future |
| 4 | Possible | Has a good chance of occurring and is not unusual |
| 5 | Most Likely | The most likely result of the hazard being realised |

Severity Scale:

| Rating | Level | Description |
|---|---|---|
| 1 | Negligible | Minor abrasions, bruises, cuts; first aid type injury |
| 2 | Minor | Disabling but not permanent injury; less than 4 days MC |
| 3 | Serious | Non-fatal injury, permanent disability; 4 days or more MC |
| 4 | Fatal | Single fatality; major property damage |
| 5 | Catastrophic | Multiple fatalities; irrecoverable property damage |

The risk score is calculated by multiplying likelihood by severity: Risk = Likelihood x Severity. This gives you a score between 1 and 25.

Step 3: Risk Control (Hierarchy of Controls)

After scoring each risk, you need to apply controls. The DOSH guidelines follow an internationally recognised hierarchy of controls, listed from most effective to least effective. You should always start at the top and work your way down.

| Priority | Control Type | Description | Example |
|---|---|---|---|
| 1 (Most Effective) | Elimination | Remove the hazard entirely from the workplace | Stop using a toxic chemical by redesigning the process to not require it |
| 2 | Substitution | Replace the hazard with something less dangerous | Switch from solvent-based paint to water-based paint |
| 3 | Engineering Controls | Isolate people from the hazard through physical changes | Install machine guards, ventilation systems, noise enclosures, safety interlocks |
| 4 | Administrative Controls | Change how people work through procedures, training, and scheduling | Job rotation, permit-to-work systems, safety signage, SOPs, training programmes |
| 5 (Least Effective) | Personal Protective Equipment (PPE) | Provide equipment worn by workers as the last line of defence | Safety helmets, gloves, goggles, hearing protection, respiratory protection, harnesses |

The catch? Many Malaysian workplaces jump straight to PPE because it's the cheapest and easiest option. DOSH inspectors will question why higher-level controls were not applied. If your HIRARC shows PPE as the primary control for every hazard, that's a red flag. For details on employer PPE obligations, see our guide on PPE Requirements in Malaysia.

The 5x5 Risk Matrix: Scoring and Interpretation

The 5x5 risk matrix is the centrepiece of the HIRARC risk assessment process. Here's the complete matrix showing how likelihood and severity combine to produce a risk score.

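| Likelihood / Severity | 1 (Negligible) | 2 (Minor) | 3 (Serious) | 4 (Fatal) | 5 (Catastrophic) |
|---|---|---|---|---|---|
| 5 (Most Likely) | 5 | 10 | 15 | 20 | 25 |
| 4 (Possible) | 4 | 8 | 12 | 16 | 20 |
| 3 (Conceivable) | 3 | 6 | 9 | 12 | 15 |
| 2 (Remote) | 2 | 4 | 6 | 8 | 10 |
| 1 (Inconceivable) | 1 | 2 | 3 | 4 | 5 |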

The colour coding corresponds to the three risk levels defined in the DOSH guidelines:

  • Green (1-4): Low Risk
  • Yellow (5-12): Medium Risk
  • Red (15-25): High Risk

Risk Level Interpretation and Required Actions

Your risk score doesn't just sit on paper. Each level triggers specific actions your organisation must take.

| Risk Level | Score Range | Acceptability | Required Action | Timeline |
|---|---|---|---|---|
| Low | 1 to 4 | Acceptable | Risk is tolerable. No immediate action needed, but monitor to ensure controls remain effective. | Review during next scheduled HIRARC review |
| Medium | 5 to 12 | Tolerable | Planned approach to controlling the hazard. Temporary measures may be needed while permanent controls are implemented. | Implement controls within a reasonable timeframe (weeks to months) |
| High | 15 to 25 | Not Acceptable (Intolerable) | Immediate action required. Work should not start or continue until the risk has been reduced. If it's not possible to reduce risk even with unlimited resources, work must remain prohibited. | Immediate; stop work if controls cannot be applied right away |

That said, a "low" risk score doesn't mean you can ignore it. You still need to document it and confirm that existing controls are adequate. And remember, the risk score should be assessed both before controls (inherent risk) and after controls (residual risk).

When to Conduct and Review HIRARC

HIRARC is not a one-time exercise. The DOSH guidelines state that it should be a living document, reviewed and updated whenever circumstances change. There's no fixed schedule mandated by law, but DOSH recommends reviewing at minimum every three years, and sooner if any trigger events occur.

| Trigger Event | Why HIRARC Review Is Needed | Example |
|---|---|---|
| New process, machinery, or material introduced | New hazards may be present that were not previously assessed | Installing a new CNC machine on the factory floor |
| Change in work process or method | Altered processes may create new risks or invalidate existing controls | Changing from manual welding to automated welding |
| After a workplace accident or near-miss | The incident reveals gaps in hazard identification or inadequate controls | Worker injured by forklift in warehouse loading area |
| Changes in personnel or organisational structure | New workers may lack training; changed responsibilities may affect safety oversight | New shift supervisor without HIRARC training |
| Changes in legislation or DOSH guidelines | New legal requirements may demand additional controls or documentation | OSHA 1994 Amendment 2022 coming into effect |
| DOSH inspection findings or improvement notice | Inspector has identified deficiencies in current HIRARC | DOSH issues improvement notice for inadequate chemical hazard controls |
| Scheduled periodic review | Ensures HIRARC stays current even without specific trigger events | Annual or triennial scheduled review |
| Physical workplace changes | Layout changes alter traffic flow, escape routes, and hazard exposure patterns | Factory renovation or extension of production area |

Best practice is to integrate HIRARC reviews into your Emergency Response Plan (ERP) review cycle. When you update one, you should be updating the other. For a deeper look at HIRARC guidelines and review schedules, see our comprehensive HIRARC guideline article.

Common Mistakes in HIRARC Implementation

After years of working with Malaysian businesses on safety and insurance, we see the same HIRARC mistakes over and over again. Some are obvious. Others are subtle but equally damaging when DOSH comes knocking, or when you need to make an insurance claim.

| Mistake | Why It's a Problem | What to Do Instead |
|---|---|---|
| Copy-pasting generic HIRARC templates | Templates don't reflect your specific workplace hazards; DOSH inspectors will spot this immediately | Use templates as a starting point, but customise every entry to your actual work activities |
| Only identifying obvious hazards | Ergonomic, psychosocial, and biological hazards are routinely missed | Systematically cover all five hazard categories for every work activity |
| Under-rating risk scores | Artificially low scores mean you avoid applying proper controls; this creates real danger | Be honest about likelihood and severity; use incident data and industry benchmarks |
| Relying solely on PPE as the control measure | PPE is the lowest level of the hierarchy; DOSH expects you to justify why higher controls are not feasible | Apply the hierarchy of controls from top (elimination) down; document why higher controls were not practicable |
| Not involving frontline workers | Workers who do the job daily know the real hazards; desk-based HIRARC misses practical risks | Include operators, technicians, and floor supervisors in the HIRARC team |
| Writing HIRARC once and never updating it | Outdated HIRARC doesn't reflect current workplace conditions; creates legal liability | Review at least every three years and after every trigger event |
| Not communicating findings to workers | A HIRARC that workers have never seen cannot protect them; DOSH may interview workers to verify | Brief affected workers on HIRARC findings, display key hazards and controls, and record communication |
| No residual risk assessment | You can't confirm controls are adequate without re-scoring risk after controls are applied | Always assess both inherent risk (before controls) and residual risk (after controls) |
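
The 5x5 scoring rules and several of the mistakes listed above can be checked mechanically against a risk register. The Python sketch below is an added example, not part of the DOSH guidelines or any official tool: the Entry fields, the audit function, the sample register and its dates are all assumptions constructed for illustration, and the hazard-category check is applied to the register as a whole rather than per activity.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Values taken from the article; all names here are hypothetical, not DOSH's.
HIERARCHY = ["elimination", "substitution", "engineering", "administrative", "ppe"]
HAZARD_TYPES = {"physical", "chemical", "biological", "ergonomic", "psychosocial"}
REVIEW_INTERVAL_DAYS = 3 * 365  # review at minimum every three years


def risk_score(likelihood: int, severity: int) -> int:
    """Risk = Likelihood x Severity, each rated on the 1-5 scale."""
    for name, value in (("likelihood", likelihood), ("severity", severity)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return likelihood * severity


def risk_level(score: int) -> str:
    """Bands from the matrix: 1-4 low, 5-12 medium, 15-25 high."""
    if score <= 4:
        return "low"
    return "medium" if score <= 12 else "high"


@dataclass
class Entry:
    activity: str
    hazard: str
    hazard_type: str
    inherent: Tuple[int, int]                   # (likelihood, severity) before controls
    controls: List[str] = field(default_factory=list)
    residual: Optional[Tuple[int, int]] = None  # (likelihood, severity) after controls
    ppe_justification: str = ""                 # why higher controls were not practicable


def audit(entries: List[Entry], last_review: date, today: date) -> List[str]:
    """Return findings for the register-level and per-entry mistakes listed above."""
    findings = []
    if (today - last_review).days > REVIEW_INTERVAL_DAYS:
        findings.append("register: last review is more than three years old")
    for missing in sorted(HAZARD_TYPES - {e.hazard_type for e in entries}):
        findings.append(f"register: no {missing} hazards assessed")
    for e in entries:
        tag = f"{e.activity} / {e.hazard}"
        unknown = [c for c in e.controls if c not in HIERARCHY]
        if unknown:
            findings.append(f"{tag}: unknown control type(s) {unknown}")
        inherent = risk_score(*e.inherent)
        if not e.controls:
            findings.append(f"{tag}: no control measure documented")
        elif set(e.controls) == {"ppe"} and not e.ppe_justification:
            findings.append(f"{tag}: PPE is the sole control with no justification")
        if e.residual is None:
            findings.append(f"{tag}: no residual risk assessment")
            continue
        residual = risk_score(*e.residual)
        if residual > inherent:
            findings.append(f"{tag}: residual score {residual} exceeds inherent {inherent}")
        if risk_level(residual) == "high":
            findings.append(f"{tag}: residual risk still high ({residual}), stop work")
    return findings


# Constructed sample register and dates, for illustration only.
SAMPLE = [
    Entry("Press operation", "Unguarded machinery", "physical", (4, 3),
          ["engineering", "administrative"], (2, 3)),
    Entry("Spray painting", "Solvent fumes", "chemical", (4, 3), ["ppe"], (3, 3)),
    Entry("Roof maintenance", "Working at height", "physical", (4, 4),
          ["administrative", "ppe"], (4, 4)),
    Entry("Manual packing", "Heavy lifting", "ergonomic", (3, 2), ["administrative"]),
]


def demo() -> List[str]:
    return audit(SAMPLE, last_review=date(2021, 1, 10), today=date(2025, 1, 10))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A clean run only shows that the register is internally consistent; it does not show that the documented controls exist on site.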

HIRARC and Insurance: The Connection Most Employers Miss

Here's the thing: your HIRARC quality directly affects your insurance costs, your claims experience, and whether your coverage actually protects you when something goes wrong. Insurers don't just look at your policy; they look at your risk management practices, and HIRARC is at the centre of that assessment.

How HIRARC Affects Insurance Premiums

When you apply for property insurance, Contractor's All Risk (CAR) insurance, or Industrial All Risks (IAR) insurance, underwriters evaluate your safety management systems. A well-documented, regularly reviewed HIRARC signals a lower-risk operation, which can translate into better premium rates.

On the other hand, incomplete or outdated HIRARC raises red flags. Underwriters may impose higher premiums, additional exclusions, or higher deductibles if they believe your risk management is weak.

| HIRARC Quality | Impact on Premiums | Impact on Claims | Impact on Coverage |
|---|---|---|---|
| Strong HIRARC (comprehensive, current, implemented) | Potentially lower premiums; better negotiating position with insurers | Stronger defence for claims; clear evidence of due diligence | Full coverage more likely; fewer exclusions |
| Weak HIRARC (generic, outdated, paper-only) | Higher premiums; risk loading applied | Claims may be disputed; insurer may argue negligence contributed to loss | Additional exclusions; higher deductibles; potential coverage gaps |
| No HIRARC | Some insurers may decline coverage entirely | Claims can be rejected on grounds of statutory non-compliance or material non-disclosure | Policy may be voided if non-disclosure of material facts is established |

The Claims Connection

When a workplace incident results in property damage, business interruption, or injury claims, insurers investigate. One of the first things they look at is whether you had adequate safety systems in place, and HIRARC is exhibit one. If the incident involved a hazard that your HIRARC failed to identify, or a control measure that was documented but never implemented, the insurer has grounds to dispute the claim.

This is especially relevant for construction and engineering projects where CAR insurance is mandatory. Project-specific HIRARC is a standard underwriting requirement, and your insurer expects it to be a living document that evolves with the project.

DOSH Inspection: What They Look for Regarding HIRARC

DOSH officers don't just glance at your HIRARC binder and move on. They conduct thorough document reviews, site walkthroughs, and worker interviews to verify that your HIRARC reflects reality.

| Inspection Area | What DOSH Checks | Common Deficiencies Found |
|---|---|---|
| Document review | HIRARC exists for all work activities; dated, signed, and reviewed; risk scores are justified | HIRARC missing for some activities; no review dates; unsigned documents |
| Hazard coverage | All five hazard types assessed; non-routine tasks included; emergency scenarios considered | Only physical hazards identified; maintenance activities not assessed |
| Control measures | Hierarchy of controls applied; responsible persons assigned; implementation timelines documented | PPE listed as sole control; no evidence of implementation; no responsible persons named |
| Site walkthrough | Documented controls are actually in place; guards on machinery match HIRARC; signage present | Controls documented but not implemented; guards removed; broken safety equipment |
| Worker interviews | Workers aware of hazards in their area; trained on controls; know emergency procedures | Workers unaware of HIRARC; no training records; language barrier issues with foreign workers |
| Review history | Evidence of regular review; updates after incidents; revision tracking | No evidence of review since initial creation; no updates after process changes |

What Happens When DOSH Finds Deficiencies

If DOSH identifies inadequate HIRARC, they can issue an improvement notice under Section 48 of OSHA 1994, requiring you to correct the deficiency within a specified timeframe. If the risk is imminent, they can issue a prohibition notice under Section 49, requiring you to stop work immediately until the hazard is controlled.

Non-compliance with these notices carries its own penalties: up to RM200,000 or two years imprisonment, or both, under the amended Act. And these enforcement actions become part of your regulatory record, which affects future DOSH interactions, insurance renewals, and contractor pre-qualifications.

Frequently Asked Questions About HIRARC in Malaysia

What does HIRARC stand for?

HIRARC stands for Hazard Identification, Risk Assessment, and Risk Control. It's the systematic process required by DOSH (Department of Occupational Safety and Health) for managing workplace risks in Malaysia. For a detailed breakdown of the term in Bahasa Malaysia, read our article on HIRARC Maksud Malaysia.

Is HIRARC legally required in Malaysia?

Yes. While the DOSH Guidelines on HIRARC 2008 are technically a guideline (not a regulation), they are the accepted method for fulfilling your legal duties under Sections 15 and 18 of the Occupational Safety and Health Act 1994. The 2022 Amendment (Act A1648) made risk assessment an explicit statutory requirement. Failure to conduct adequate risk assessments can result in fines up to RM500,000.

How often must HIRARC be reviewed?

There's no fixed statutory schedule. DOSH recommends reviewing at least every three years, but you should also review whenever there's a change in processes, new machinery or materials, an accident or near-miss, organisational changes, or updated legislation. Many companies adopt an annual review cycle as best practice.

Who should conduct the HIRARC?

A competent person or team should lead the HIRARC process. This typically includes your Safety and Health Officer (SHO) if you have one, line managers or supervisors, and frontline workers who know the job activities. External safety consultants can assist, but the responsibility remains with the employer.

What's the difference between hazard and risk?

A hazard is anything with the potential to cause harm: a chemical, an unguarded machine, noise, working at height. Risk is the combination of how likely that harm is and how severe it would be. HIRARC takes you from identifying the hazard to quantifying the risk to controlling it.

Can I use a HIRARC template from the internet?

You can use templates as a starting point, but you must customise them to your specific workplace, activities, and hazards. DOSH inspectors will immediately recognise a generic, copy-pasted HIRARC. Your HIRARC must reflect what actually happens at your worksite. See our guide on filling up a HIRARC form for a practical walkthrough.

What happens if I don't have HIRARC documentation during a DOSH inspection?

You could receive an improvement notice requiring you to complete HIRARC within a specified timeframe. In serious cases, or if there's an imminent risk, DOSH may issue a prohibition notice stopping work entirely. Under the amended OSHA 1994, penalties for non-compliance with employer duties go up to RM500,000 in fines or two years imprisonment, or both.

Does HIRARC apply to small businesses?

Yes. There is no minimum employee threshold for HIRARC requirements. OSHA 1994 applies to all employers, and the 2022 Amendment extended coverage to the public sector as well. The scale and complexity of your HIRARC should be proportionate to your operations, but every workplace needs one.

How does HIRARC affect my insurance coverage?

Strong HIRARC documentation can help you secure better insurance terms and support your claims in the event of an incident. Weak or absent HIRARC can lead to higher premiums, claims disputes, and, in extreme cases, policy voidance. Insurers view HIRARC as evidence of your risk management commitment.

What's the relationship between HIRARC and the Safety and Health Committee?

Your Safety and Health Committee should be actively involved in the HIRARC process, reviewing HIRARC findings, monitoring the implementation of control measures, and recommending improvements. The committee serves as the bridge between management decisions and worker awareness on safety matters.

Protect Your Workforce and Your Business

HIRARC is not just paperwork. It's the process that keeps your workers safe, keeps DOSH off your back, and keeps your insurance working when you need it most.

At Foundation, we specialise in property and engineering insurance for Malaysian businesses. We understand how safety compliance and risk management connect to your insurance programme, because we see the consequences when they don't. Whether you're setting up a new factory, managing a construction project, or reviewing your existing coverage, we can help you ensure your insurance reflects the reality of your operations.

Need help reviewing your insurance coverage in light of your HIRARC and safety compliance? Talk to our team. We'll help you understand where your coverage stands and what gaps you might be exposed to.


Disclaimer: This article provides general guidance based on the Occupational Safety and Health Act 1994 and DOSH Guidelines on HIRARC 2008 as of February 2026. Regulations may be amended. Always verify current requirements with DOSH or qualified safety professionals before making compliance decisions.
