Risk Assessment

Risk Assessment in Indonesia: What You Have Not Measured Is What Will Cost You the Most 


Independent professional consultancy — not affiliated with the Government of Indonesia. Official services are also available directly through the relevant agencies.

Our Clients
Bank Indonesia
PT Bank Permata
PT PLN Nusantara Power
PT Pembangkitan Jawa-Bali
PT Kimia Farma

About Risk Assessment in Indonesia: What You Have Not Measured Is What Will Cost You the Most 

Indonesia’s enforcement model no longer waits for an incident to identify compliance gaps. Under the risk-based licensing framework, the occupational health and safety regime, and the industrial relations framework, regulators assess whether your organization has a functioning risk management system, not just whether you hold the right documents. XPND conducts structured risk assessments that produce defensible, audit-ready risk registers so your company can demonstrate it identified and controlled exposure before an incident or inspection surfaced it. 

When the Risk Was Always There, But Nobody Measured It

Most enforcement actions and industrial disputes in Indonesia do not arise from genuinely unforeseeable events. They arise from risks that existed, were not assessed, and therefore were not controlled.

Your company has more than 100 employees or operates in a sector classified as high risk under the OSS Risk-Based Approach. Under Minister of Manpower (Peraturan Menteri Ketenagakerjaan or Permenaker) No. 13 of 2025, effective 17 November 2025, your company is required to have an active Occupational Health and Safety Committee (Panitia Pembina Keselamatan dan Kesehatan Kerja or P2K3). The regulation requires the chairperson to be the company’s top management and the secretary to be a certified Occupational Health and Safety Expert or Ahli K3. The P2K3 must have a documented work program, conduct regular meetings, and submit digital reports every six months to the provincial labor department. A company that has a P2K3 in name only, without a functioning work program and reporting structure, is non-compliant under Permenaker No. 13 of 2025.

A fatal accident occurred at your facility. The investigation found that the task involved was not covered in the company’s Hazard Identification, Risk Assessment and Determining Control or HIRADC (Identifikasi Bahaya, Penilaian Risiko, dan Pengendalian). Under Government Regulation (Peraturan Pemerintah or PP) No. 50 of 2012 on the Implementation of Occupational Health and Safety Management Systems, the HIRADC is a mandatory component of the SMK3 framework. The absence of a HIRADC entry for the task means the employer cannot demonstrate that the hazard was identified and controlled. Under Law No. 1 of 1970 on Workplace Safety, employers carry direct criminal liability for accidents resulting from failure to implement safety measures. Under the Manpower Law, the Work Accident Insurance (Jaminan Kecelakaan Kerja or JKK) claim process also triggers a Ministry of Manpower audit of the company’s K3 compliance posture.

Your company is preparing for an SMK3 audit. Under PP No. 50 of 2012, companies with more than 50 employees or that operate in high-risk sectors are required to implement SMK3. The audit evaluates 166 criteria for large companies or 64 criteria for companies with medium risk classification. Your company has not maintained a risk register, does not have a documented hazard control hierarchy, and has not conducted a formal internal SMK3 review since the audit obligation was first triggered. The audit will find these gaps.

Your workforce includes daily workers, outsourced staff, and project-based contractors operating alongside permanent employees. These categories of workers carry different risk profiles: inconsistent safety training history, multiple employers within a short period, and varying levels of familiarity with site-specific hazards. Under Permenaker No. 14 of 2025, occupational health and safety compliance is now a prerequisite for maintaining business licensing under the risk-based approach. A company that cannot demonstrate it has assessed and controlled the risk profile of its full workforce, not just its permanent staff, faces both licensing and criminal exposure.

Your company is about to begin operations in a new facility or expand into a new business activity. The operational risk profile of the new activity has not been formally assessed. Equipment hazards, chemical exposures, ergonomic risks, and emergency response adequacy have not been documented. Under the SMK3 framework, a new operational site or significant change in operations triggers a reassessment obligation. Commencing operations without it creates a compliance gap from the first day of activity.

Tell us about your operations and what risk areas you are most uncertain about. We will scope the assessment that matches your actual exposure.

The Regulatory Framework Behind Workplace Risk in Indonesia

Risk assessment in Indonesia’s workplace context sits within an interlocking framework of laws, government regulations, and ministerial regulations that collectively define what an employer must do to demonstrate that workplace hazards have been identified and controlled.

Law No. 1 of 1970 on Workplace Safety is the primary statute. It establishes the employer’s obligation to provide a safe workplace, implement safety measures for all identified hazards, and ensure that workers understand the risks they face. Violations carry criminal penalties including imprisonment and fines, and importantly, the liability attaches to the management responsible for the workplace, not only to the company as an entity.

Government Regulation or PP No. 50 of 2012 on SMK3 implements the Occupational Health and Safety Management System framework. It requires companies above the threshold to implement a structured management system that includes hazard identification through HIRADC, risk control through a defined hierarchy of controls, documented safety procedures, internal audits, and external audits by accredited institutions. The SMK3 audit results in a gold, silver, or zero-flag rating that is publicly accessible and affects the company’s compliance profile.

Permenaker No. 13 of 2025 on P2K3, effective 17 November 2025, replaced the previous regulation that had been in place since 1987. The new regulation strengthens the role of the Occupational Health and Safety Committee from an administrative advisory body to an active risk governance instrument. P2K3 must now be integrated with the company’s SMK3, submit digital reports every six months, and operate with a mandatory top management chairperson. Companies that were operating under the old P2K3 structure need to update their committee composition, work program, and reporting process to comply with the new regulation.

Permenaker No. 14 of 2025 explicitly establishes that occupational health and safety compliance is a prerequisite for maintaining business licensing under the risk-based approach. This means a company’s K3 compliance posture now directly affects its OSS licensing standing.

HIRADC: The Document That Determines Employer Liability

The Hazard Identification, Risk Assessment and Determining Control or HIRADC is the cornerstone document in Indonesia’s workplace safety framework. Under PP No. 50 of 2012, the HIRADC must systematically identify every hazard present in the workplace, assess the likelihood and severity of harm from each hazard, determine which control measures are required and at what level of the hierarchy, and document the residual risk after controls are applied.

The hierarchy of controls under SMK3 follows the internationally recognized sequence: elimination first, then substitution, then engineering controls, then administrative controls, then personal protective equipment (PPE). A company that relies on PPE as its primary control measure is not compliant with the SMK3 risk control requirement, regardless of whether PPE is available and used.

When an accident occurs and the investigation examines the HIRADC, two scenarios are possible. The first is that the hazard was identified, the controls were documented, and the accident occurred despite the controls being in place. In this scenario, the employer can demonstrate due diligence. The second is that the hazard was not identified in the HIRADC, or was identified but not adequately controlled. In this scenario, the employer faces direct liability under Law No. 1 of 1970 because the omission is treated as a failure to implement required safety measures.

XPND conducts HIRADC development and review as a structured process that covers all work tasks, areas, and equipment types, applying the correct risk scoring methodology and producing a risk register that satisfies both SMK3 audit requirements and the documentary standard needed for employer liability defense.

When was your HIRADC last reviewed? If your operations have changed since the last review, the gap may already exist.

Industrial Relations Risk: What Workplace Risk Assessment Often Misses

Workplace risk in Indonesia extends beyond physical safety. Industrial relations disputes, wrongful termination claims, and collective labor action all represent material operational risks that are quantifiable and, to a significant degree, preventable through structured assessment.

The most common industrial relations risks XPND identifies in risk assessments are employment contracts that do not reflect actual employment arrangements, creating vulnerability when employees claim permanent status under Government Regulation or PP No. 35 of 2021; Company Regulations that have not been updated to reflect current law, particularly the changes under Law No. 4 of 2024 on Mother and Child Welfare; and wage structures where the base salary component falls below the 75 percent threshold required under the wage regulations, creating latent THR and severance calculation errors.

The practical approach to industrial relations risk assessment is identical to physical hazard assessment: identify the exposure, assess the likelihood and consequence, determine whether existing controls are adequate, and document the residual risk. A company that has done this work before a dispute arises is in a fundamentally different position from one that discovers its exposure when a claim is filed.

Operational Risk Assessment for Project-Based and Multi-Site Operations

For companies conducting project-based operations, operating across multiple sites, or deploying workers in client environments rather than their own facilities, the risk assessment process has additional dimensions.

Workers entering a client’s site carry the risk profile of that site, which may not have been assessed by the deploying company. Under Law No. 1 of 1970, the obligation to ensure worker safety attaches to the party deploying the worker, not only to the site owner. A deploying company that places workers in a client’s facility without conducting or obtaining a site-specific risk assessment is responsible for the outcome of hazards that were present but unassessed.

For construction, installation, and commissioning activities, the risk changes continuously as the project progresses. A HIRADC prepared at the beginning of a project does not automatically remain valid as the site configuration changes. Periodic review and update of the risk assessment is required under SMK3 whenever significant changes occur.

XPND designs risk assessment programs for project-based and multi-site operations that establish the process for initial site assessment, periodic review, and incident response, so that the risk management obligation is met continuously rather than only at project initiation.

Managing workers across multiple sites or deploying to client facilities? XPND can design the risk assessment structure that covers your full operational footprint.

How XPND Structures the Risk Assessment Engagement

HIRADC development and review

XPND conducts a systematic identification of all workplace hazards across work tasks, areas, equipment, and materials, applies the SMK3 risk scoring methodology, maps controls to the hierarchy of controls required under PP No. 50 of 2012, and produces a risk register in a format that satisfies both the internal management and external audit requirements. For companies with existing HIRADCs, XPND reviews and updates them to reflect current operations and regulatory requirements.

SMK3 gap assessment

XPND evaluates the company’s current SMK3 implementation against the audit criteria applicable to its size and risk classification, identifies gaps in documentation, procedure, and practice, and provides a prioritized remediation plan that prepares the company for the next external audit cycle.

P2K3 compliance under Permenaker No. 13 of 2025

XPND reviews the company’s current P2K3 structure against the new requirements, advises on the composition changes required, develops the annual work program, and establishes the digital reporting process required for six-monthly submissions to the provincial labor department.

Industrial relations risk assessment

XPND reviews the company’s employment contracts, Company Regulation, wage structure, and leave administration practices against current legal standards, identifies exposure arising from contract misclassification, wage structure deficiencies, and outdated policies, and quantifies the liability that exists before a dispute surfaces it.

Project-based and multi-site risk program design

For companies deploying workers to multiple sites or client facilities, XPND designs the risk assessment process for initial deployment, periodic review, and significant change triggers, ensuring the obligation under Law No. 1 of 1970 is met continuously across all operational locations.

Starting a new project, expanding to a new site, or preparing for an SMK3 audit? Talk to XPND before the activity begins.

Why Risk Assessment

The companies that manage operational risk well in Indonesia are not the ones that never have accidents or disputes. They are the ones that can demonstrate, when an accident or dispute occurs, that they identified the hazard, assessed the risk, implemented controls, and documented the process. That demonstration is what separates a company that faces an enforcement action from one that does not.

Risk assessment in Indonesia’s current regulatory environment is not a box-ticking exercise. Permenaker No. 13 of 2025 elevated P2K3 from an administrative committee to an active governance instrument. Permenaker No. 14 of 2025 made K3 compliance a prerequisite for business licensing. PP No. 50 of 2012 requires an external SMK3 audit on a scheduled cycle. The regulatory expectation is that risk management is embedded in operations, not stored in a file.

Why Choose XPND

Fast Processing

Quick turnaround with clear timelines and milestone tracking for all services.

100% Compliant

Full compliance with Indonesian laws and government regulations guaranteed.

Expert Support

Dedicated team of professionals with Big-4 and BUMN backgrounds.

Real-time Updates

Transparent tracking system for all your legal documents and processes.

Frequently Asked Questions

Under Minister of Manpower Regulation or Permenaker No. 13 of 2025, effective 17 November 2025, a company must establish a P2K3 if it employs 100 or more workers, or if it operates in a high-risk sector as classified under the OSS risk-based approach regardless of employee count. The regulation requires the P2K3 chairperson to be the company's top management and the secretary to be a certified Ahli K3. The committee must have a documented annual work program, conduct regular meetings with recorded minutes, and submit digital reports every six months to the provincial labor department. Permenaker No. 13 of 2025 replaced the previous PER.04/MEN/1987, which had been in place since 1987, and significantly strengthened both the governance requirements and the reporting obligations.

An SMK3 or Occupational Health and Safety Management System audit is an external assessment conducted by an accredited audit institution under Government Regulation or PP No. 50 of 2012. It is required for companies with more than 50 employees or that operate in high-risk sectors. The audit evaluates the company's K3 management system against either 64 criteria for medium-risk companies or 166 criteria for large-scale or high-risk operations. The audit results in a gold, silver, or nil-flag rating. Companies scoring 85 percent or above receive a gold flag. Those between 60 and 84 percent receive a silver flag. Below 60 percent results in a nil-flag finding, which affects the company's regulatory standing. The audit must be conducted on a schedule determined by the company's risk classification and size.

HIRADC or Hazard Identification, Risk Assessment and Determining Control is the systematic process required under PP No. 50 of 2012 for identifying all workplace hazards, assessing the level of risk from each hazard, and determining what control measures are required. It is a mandatory component of the SMK3 framework. If a workplace accident occurs involving a hazard that was not identified in the HIRADC, or was identified but not adequately controlled, the employer faces direct liability under Law No. 1 of 1970 on Workplace Safety. The absence of a HIRADC entry for the relevant task or area is treated as evidence that the employer failed to implement required safety measures. This affects both the criminal liability assessment and the Work Accident Insurance claim process.

Yes. Under Permenaker No. 14 of 2025 on Standards for Business Activities and Products in Risk-Based Business Licensing, occupational health and safety compliance is explicitly a prerequisite for maintaining business licensing under the OSS risk-based approach. This means a company's K3 compliance posture, including whether it has an active P2K3, a current HIRADC, and an implemented SMK3, now directly affects its licensing standing in OSS. A company that is found non-compliant with K3 requirements during a labor inspection or post-approval supervision review faces not only the K3 enforcement consequences but also a potential impact on its OSS licensing profile.

A risk assessment in the context of XPND's service focuses on operational, occupational health and safety, and industrial relations risks that arise from how the company runs its day-to-day activities. It produces a risk register that documents identified hazards, their assessed severity, the controls in place, and the residual risk. A due diligence review focuses on the regulatory and compliance position of a legal entity in the context of a transaction, typically an acquisition, investment, or capital injection. It examines the target's corporate standing, licensing profile, tax position, and contractual obligations. The two services address different questions: risk assessment asks what could go wrong in current operations, while due diligence asks what has already gone wrong or may create liability in a transaction context.
