lianne143

Is it safe to remotely access my organisation's system through RDWeb Access, or is a VPN required?

Hi

We have RDWeb Access installed on a Windows 2012 server in our network.

For staff to access the network drives and applications from outside our network, they go to their laptop browser and type https://desktop.myorg.co.uk/RDWEB
Once they enter their credentials at the prompt, they land on the following page.
Please see the attached snapshot.

On the second page, once they click the computer icon “My Org” – they log into the RDWebserver and once they are logged in here, staff can access their drives and application.

This type of remote access setup was done by my predecessors.

With the current Covid-19 situation, staff are working from home and I have given them remote access.
Now I am a bit concerned, so please let me know whether the current setup is a safe way to access our system from outside our network.

OR

Do I need to set up a VPN and then force the users to connect to the VPN first and then RDP into the RDWeb Access server?

Please advise and any help much appreciated.

Thanks in advance.
RDWeb-access.jpg
McKnife

It's a terrible idea to do this without a VPN.
Even if you had a VPN, users would still be entering their domain credentials on non-company devices, which any strict security policy should surely forbid.

Give them a company device to take home with them. If RDP is still needed, then set up a VPN.
RDWeb access is rather secure when using SSL.

Things I would however do and have done:
  • Do not allow drive or device redirection other than printers
  • Do not allow copy and pasting to/from remote systems

Remote Desktop Gateway is secure. RDWeb only exposes TLS over 443 on the Remote Desktop Gateway, and TLS over 443 for IIS on the RD Web Server.
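
The two redirection rules listed above can be checked on an RD Session Host by reading the Remote Desktop Services policy values in the registry. The following is an added example, not part of the original thread: the function names and the sample data are constructed for illustration, and the value names are the standard ones written by the "Device and Resource Redirection" Group Policy settings.

```powershell
# Added example: audit RDS redirection policy (printers allowed, everything else blocked).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Policy value name -> required DWORD (1 = redirection disabled, 0 = allowed).
$Required = [ordered]@{
    fDisableCdm      = 1   # drive redirection
    fDisableClip     = 1   # clipboard (copy and paste)
    fDisablePNPRedir = 1   # supported Plug and Play devices
    fDisableCcm      = 1   # COM ports
    fDisableLPT      = 1   # LPT ports
    fDisableCpm      = 0   # client printers stay allowed
}

function Get-RdsPolicyValues {
    # Read the values that are actually configured on this host.
    $values = @{}
    $item = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($name in $Required.Keys) {
            if ($null -ne $item.$name) { $values[$name] = [int]$item.$name }
        }
    }
    return $values
}

function Test-RdsRedirectionPolicy {
    param([hashtable]$Values)   # value name -> DWORD; a missing name means "not configured"
    foreach ($name in $Required.Keys) {
        $configured = $Values.ContainsKey($name)
        # An unconfigured value leaves redirection allowed, which is only
        # acceptable for the printer setting.
        if ($configured) { $ok = ($Values[$name] -eq $Required[$name]) }
        else             { $ok = ($Required[$name] -eq 0) }
        if ($configured) { $shown = $Values[$name] } else { $shown = 'not configured' }
        [pscustomobject]@{
            Setting = $name; Required = $Required[$name]; Actual = $shown; Compliant = $ok
        }
    }
}

# Constructed sample: drives blocked, clipboard explicitly allowed, rest unset.
$sample = @{ fDisableCdm = 1; fDisableClip = 0 }
Test-RdsRedirectionPolicy -Values $sample | Format-Table -AutoSize

# Live check on the session host itself:
Test-RdsRedirectionPolicy -Values (Get-RdsPolicyValues) | Format-Table -AutoSize
```

With the constructed sample, only `fDisableCdm` and `fDisableCpm` report as compliant; the clipboard and the unconfigured device classes are flagged.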
ASKER CERTIFIED SOLUTION
Cláudio Rodrigues
Could the author let us know whether they use company devices to connect from? Or do they use their private devices?
Let me summarize the above links:

• Secure remote access must be strictly controlled with encryption, strong passphrases & Multi-Factor Authentication
• If your employees are working from a specified IP block, you can enable IP filtering.
• Ensure even while connecting via VPN, users can only access resources they would normally access even while on-prem via ACL.
• Configure your SSL VPN to use LDAP-integrated certificates - in such a way that - non-corporate devices cannot connect via VPN.
• Antivirus software installed on end-user laptops should be configured to receive antivirus updates either directly from the internet or through the VPN.
• Enable auditing and logging to be sent to your SIEM for monitoring.
There are several drawbacks with VPNs. For example, many apps do not work well over the VPN (which RDP fixes, as no data is going back and forth over the connection tunnel, only screen updates). Also, if the devices are not corporate owned, are these being scanned once the tunnel is established to guarantee the device health? Many places deploy VPNs and the VLAN where the devices end up is not properly locked down, so now they may be bringing devices that are not patched, potentially with malware/viruses, etc., into a network segment that may access other segments.
And the same way VPNs can have filtering and MFA capabilities, a properly installed and configured RDGW can have it too, with the added benefit of not allowing any other type of traffic (RDP only).
At the end of the day these are all tools that address certain use cases. If they do need access to apps and apps that they either do not have on their endpoint or apps that do suffer over VPN connections (like many legacy ones do), RDGW is the way to go here.
So right tool for the job. You have nails, we give you a hammer, not a screwdriver :-)

CR
lianne143

ASKER

Staff have been given company laptops, and a few staff use personal Apple Macs for remote access.
Ok, that's important to know.

If you enter domain credentials on an unmanaged client (your personal Mac), these may be recorded by some key logging software and thus become leaked. I would not allow this.
Anyone on this post connect to banks, Experts-exchange or other login services using SSL?

I mean we use these but don't seem to consider this a security risk. ;)

#justSayin'
All banks or payment services I connect to are using 2-factor authentication.
And I don't type anything that I need to guard.

Connecting to work with 2FA is not possible for many. Typing business related things on your personal machine is not advisable as well, even if you use 2FA.

#justSaying'
On the other hand, preventing total access from non-corporate machines when the company is NOT providing machines to everyone AND during COVID-19 does not seem like a good idea either. It is a matter for the business to decide on the potential risks (very low IMHO but that said I am NOT the business and cannot decide for them).
Also, if Macs are involved, a VPN may be useless as the apps users may be required to run could be Windows only. Then you may have to ask users to load VMware Fusion/Parallels Desktop/VirtualBox AND set up a Windows VM to access these apps from inside the VM, over a VPN tunnel, which IMHO is a major hassle (as RDP may not be allowed, RDP on Mac is not the same as RDP on Windows, etc).
At the end of the day, IT and Security are there to serve USERS and NOT to create hassles for them. Security is paramount, yes. But that said it cannot and should not ruin the user experience just because there is a 0.00001% chance some hacker will get access to non-privileged account info off a Mac a user owns.
Even in this case, if you are that paranoid, you probably have all sorts of checks/tools on the backend to prevent lateral movement (i.e. every single system has a different local administrator account with a different password and that is changed on a daily basis), which makes the point of putting all this effort on the local endpoints moot.

CR
Beware attackers may use graphical remote desktop protocols (RDP) when available. Protocols like Windows Remote Desktop can provide the attacker with access to a target machine, so system hardening is a must.

https://security.berkeley.edu/education-awareness/best-practices-how-tos/system-application-security/securing-remote-desktop-rdp
https://calcomsoftware.com/rds-configuration-hardening-guide/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rdp-security-explained/
https://www.exploit-db.com/exploits/47683


Any protocol, remote display or not, has vulnerabilities. This is nothing new or tied to RDP in particular. Just look at the CVE the Citrix ADCs suffered at the end of last year. Or several ones Cisco devices had, VPNs included.
One thing is a host with RDP exposed to the internet directly. Another is a host BEHIND an RD Gateway with either two separate domains or with MFA. VERY different scenarios and attack surface.

CR
By hardening a system, you reduce its exposure to vulnerabilities as well as its potential to be exploited. Specific hardening techniques include applying security patches and adjusting the system's configurations, like closing open ports and disabling unnecessary services that add to the system's attack surface. Always follow your organization's security policies and procedures.

Be watchful for possible attacks. Any applications or services on the host can provide a vector for attack. Keep yourself updated with https://www.exploitdb.com/; it's a searchable archive of exploits and vulnerable software, supplied in a standard format.


@Claudio Rodrigues
At the end of the day, IT and Security are there to serve USERS and NOT to create hassles for them. 

Truer words never spoken :)
Thanks guys
Really much appreciated!!!