Action Register
An Action Register is a dynamic governance tool that tracks the implementation of corrective and preventative measures arising from hazard identification, incident investigations, and audit findings. It serves as the primary evidence of "due diligence" under Australian Work Health and Safety legislation.
What is an Action Register?
Your Action Register is the tactical engine of safety improvement. Unlike your Risk Register, which maps potential threats and theoretical controls, the Action Register functions as your "to-do list" of safety compliance—bridging the gap between identifying a problem and fixing it.
In the context of the Australian Work Health and Safety Act 2011 (WHS Act), your Action Register transforms abstract legal duties into concrete, trackable tasks. It answers the fundamental questions posed by regulators after an incident: "What did you know?" and "What did you do about it?"
While your Risk Register might be reviewed periodically (annually or upon change), your Action Register is a living document. You should access it daily or weekly to manage workflow, consolidating tasks from audits, workplace inspections, regulatory notices, and safety committee meetings into a single source of truth for accountability.
Action Register vs Risk Register: Understanding the Difference
A common failure in enterprise risk management is conflating your Risk Register with your Action Register. This confusion leads to "stale" risk registers that don't reflect reality, or action registers that become dumping grounds for unassessed hazards.
Your Risk Register: The diagnostic map
Your Risk Register is strategic. It identifies hazards, assesses their inherent risk, documents existing controls, and determines residual risk ratings. It describes the "state of play." For example, your entry for "Forklift Operations" might list "Traffic Management Plan" as a current control—but it doesn't track whether you're updating that plan right now.
Your Action Register: The therapeutic plan
Your Action Register captures specific, time-bound tasks required to improve your control environment or rectify non-conformances. If a workplace inspection reveals your "Traffic Management Plan" is outdated, you enter a specific task: "Review and update Traffic Management Plan by 30 November."
The symbiotic data lifecycle
The relationship between your two registers should be cyclical and integrated. Your Risk Register identifies a high residual risk due to inadequate controls. You generate a task in your Action Register to implement a new control (e.g., "Install Armco barriers"). You track that task to completion, verify the barrier's effectiveness, then update your Risk Register to include "Armco barriers" as a current control, lowering your residual risk rating.
| Feature | Risk Register | Action Register |
|---|---|---|
| Primary Question | What could go wrong? | What are we doing to fix it? |
| Content | Hazards, risks, control descriptions | Tasks, owners, due dates, status |
| Temporal Nature | Static (until reviewed) | Dynamic (daily/weekly changes) |
| Key Metric | Risk rating (high/medium/low) | Closure rate (% completed on time) |
| Legal Function | Evidence of hazard identification | Evidence of reasonably practicable steps |
| ISO 45001 Clause | Clause 6.1 (Actions to address risks) | Clause 10.2 (Incident, nonconformity and corrective action) |
The Australian Legal Framework
In Australia, your Action Register is arguably the most critical document for demonstrating "due diligence" in court. It serves as the contemporaneous record of your organisation's response to known hazards.
The duty of officers (Section 27)
Under Section 27 of the model WHS Act, officers (directors and executives) must exercise due diligence to ensure the Person Conducting a Business or Undertaking (PCBU) complies with its duties. This includes taking reasonable steps to "verify the provision and use of the resources and processes."
Your Action Register is the primary tool for this verification. By reviewing your register, an officer can verify timeliness (are safety issues being addressed promptly?), resourcing (does a backlog indicate insufficient budget or staffing?), and awareness (are actions commensurate with your risk profile?).
A failure to monitor your Action Register can be interpreted as a failure to exercise due diligence. If an officer never asks about corrective action status, they cannot claim to be actively verifying compliance.
The "reasonably practicable" standard
The cornerstone of Australian WHS law is the requirement to eliminate or minimise risks so far as is "reasonably practicable." When an incident occurs, regulators assess what you knew and whether your response was reasonable.
An Action Register showing a hazard was identified months before an accident, but the corrective action was repeatedly deferred, acts as a "smoking gun." It proves foreseeability (you knew the risk) and potentially negligence or recklessness (you didn't address it despite the opportunity).
Conversely, a robust Action Register showing a systematic, prioritised approach to fixing issues can serve as a powerful defence, demonstrating you were actively managing risk within available resources.
Industrial manslaughter and "known hazards"
With the introduction of Industrial Manslaughter laws in Victoria, Queensland, and Western Australia, the stakes for mismanaging your Action Register have escalated. These laws impose severe penalties (including imprisonment) for negligent conduct that causes death.
A "known hazard" that you leave unaddressed is a primary trigger for such prosecutions. If your Action Register lists "Repair faulty guard rail" as an open item for 12 months, and a worker falls to their death, your register provides irrefutable evidence that you were aware of the lethal risk and failed to act.
Regulatory notices and enforceable undertakings
When a regulator issues an Improvement Notice or Prohibition Notice, the required remediation becomes a mandatory entry in your Action Register. Failure to comply with these notices is a strict liability offence.
Your register must track these statutory deadlines with absolute precision. Missing a regulator-imposed date invites prosecution for non-compliance with the notice itself, independent of the original hazard.
Building a Robust Action Register
To function as both a legal safeguard and an operational tool, your Action Register must capture specific data points. A generic "to-do" list is insufficient for WHS assurance.
Essential data fields
Unique identifier and traceability
Every action must have a unique ID (e.g., CAR-2025-042). This allows you to trace the action back to its source document (e.g., "Audit Report #5" or "Incident Report #99"). Without traceability, the "Golden Thread" of evidence is broken, making it difficult to prove to an auditor that a specific non-conformance was rectified.
Hazard description and risk rating
Your register must detail what the hazard is and its associated risk rating before the action is taken. This ensures high-risk actions can be prioritised. An action related to a "Critical" risk (potential fatality) must take precedence over a "Low" risk (administrative error).
The action description (SMART)
Vague entries like "Fix safety issue" or "Review procedures" are common compliance failures. Your actions must be SMART: Specific, Measurable, Achievable, Relevant, and Time-bound.
Poor example: "Improve guarding."
Good example: "Fabricate and install interlocked mesh guarding on Conveyor Belt 4 in accordance with AS 4024.1."
Hierarchy of control classification
Sophisticated registers classify actions according to the hierarchy of controls (Elimination, Substitution, Isolation, Engineering, Administration, PPE). This allows you to analyse the quality of your safety interventions. If 90% of your actions are "Administrative" (e.g., "Toolbox Talk"), you're likely relying on weak controls and failing to address root causes.
Responsible person (ownership)
"Management" or "HR" is not a responsible person. Actions must be assigned to a specific role or individual (e.g., "Maintenance Manager"). Shared responsibility often leads to "diffusion of responsibility," where no one acts because they assume another will.
Due date and status
Your Due Date is a commitment to the regulator and your workforce. It must be realistic. Constantly extending due dates ("kicking the can down the road") acts as a red flag to auditors, suggesting lack of resources or commitment.
Status fields should include: Open, In Progress, Overdue, Awaiting Verification, and Closed.
Prioritisation logic
Given limited resources, not all actions can be completed simultaneously. Your Action Register must use risk-based prioritisation:
Priority 1 (Critical/High): Immediate action required. Work may need to cease until interim controls are in place. Typically closed within 24-48 hours or strictly project-managed.
Priority 2 (Medium): Action required within a set timeframe (e.g., 1 month).
Priority 3 (Low): Actioned during routine maintenance or scheduled reviews (e.g., 3-6 months).
This logic aligns with the legal concept of "reasonably practicable," which allows you to weigh cost and inconvenience against risk severity—except where risk is severe, in which case cost is a secondary consideration.
The Lifecycle of a Corrective Action
Managing your Action Register should follow a disciplined lifecycle, mirroring the Plan-Do-Check-Act (PDCA) cycle inherent in ISO 45001.
Phase 1: Identification and immediate containment
When you identify a hazard, an immediate "Correction" is often required to secure the scene (e.g., cleaning up a spill). This is distinct from the "Corrective Action," which addresses the root cause (e.g., fixing the leaking valve). Your Action Register should capture the long-term Corrective Action.
Phase 2: Root cause analysis (RCA)
To ensure your action prevents recurrence, it must address the root cause, not just the symptom. Your Action Register should reference the RCA methodology used (e.g., "5 Whys," ICAM, or Fishbone Diagram).
Symptom: Worker slipped on oil.
Weak action: Clean oil and retrain worker (Administrative).
Root cause action: Replace defective gasket and install drip tray (Engineering).
Linking your action to investigation outcomes is critical for ISO 45001 compliance.
Phase 3: Consultation and assignment
Under Sections 47-49 of the WHS Act, you must consult with workers who are likely to be affected by a health and safety matter. Before you finalise an action in your register, consultation with Health and Safety Representatives (HSRs) or the Safety Committee should occur. This ensures your proposed solution is practical and doesn't introduce new hazards.
Phase 4: Implementation
The "Doing" phase. The Responsible Person executes the task. Your Action Register tracks progress, often via automated reminders.
Phase 5: Verification of effectiveness
This is the most critical and frequently neglected phase. An action is often marked "Closed" when the invoice is paid or the email is sent. However, ISO 45001 Clause 10.2(b) requires you to "evaluate the effectiveness of the corrective action."
The test: Did the action actually reduce the risk?
The method: A scheduled review (e.g., 3 months post-closure) to inspect the fix.
The record: Your Action Register should have a field for "Effectiveness Verified By" and "Date."
If you installed a noise barrier (Action Closed), verification involves a follow-up noise survey to prove decibel levels have dropped. If risk remains, you must re-open the action or raise a new one.
ISO 45001:2018 Alignment
Your Action Register is the central engine for complying with ISO 45001:2018 Occupational health and safety management systems.
Clause 10.2: Incident, nonconformity and corrective action
This clause explicitly mandates that you must: react to nonconformities and incidents; evaluate the need for action to eliminate causes; implement any action needed; review the effectiveness of any corrective action taken; and retain documented information as evidence.
Your Action Register is the "documented information" required by this standard. External auditors will invariably sample your register to test your responsiveness.
Clause 10.3: Continual improvement
Your register also supports Clause 10.3 by providing data on systemic issues. By analysing trends in your Action Register (e.g., "30% of actions relate to PPE failure"), you can identify broader opportunities for improvement, moving from reactive fixing to proactive system strengthening.
Common Challenges: "Tick and Flick" Culture
The integrity of your Action Register is heavily influenced by your organisation's safety culture. A technically perfect register can be undermined by human factors.
The "tick and flick" syndrome
"Tick and flick" refers to marking actions as complete without genuinely performing the work or verifying the standard. In Action Registers, this manifests as premature closure (closing actions to meet KPIs or prepare for an audit), pencil whipping (fabricating records of maintenance or inspections), or focusing on easy administrative actions while ignoring difficult engineering fixes.
Causes include production pressure (when operational targets override safety), fear (if "Open Actions" are seen as failure, staff will hide them), and fatigue (an overwhelming volume of low-value actions desensitises staff to critical risks).
Safety culture maturity
A "Generative" or "Proactive" safety culture views your Action Register as a health monitoring tool. A backlog of actions is seen as a resourcing signal, not a failure.
Conversely, a "Pathological" or "Reactive" culture views the register as a "Blame List." In such cultures, a register with zero overdue actions is often a red flag for auditors, suggesting data manipulation or failure to report issues.
Digital Transformation: From Excel to SaaS
The medium you use to manage your Action Register significantly impacts its legal robustness and operational utility.
The limitations of spreadsheets
Many Small to Medium Enterprises (SMEs) rely on Microsoft Excel. While accessible, Excel poses significant governance risks: it's difficult to prove who changed a cell or when an action was deleted; multiple versions of "truth" can exist across different hard drives; and spreadsheets don't actively notify users of impending deadlines.
Digital safety management systems (SaaS)
Modern governance favours cloud-based platforms, which offer immutability (an unalterable log of who created, modified, and closed actions), automation (automatic escalation of overdue items to senior management), integration (seamless linking between Incident Reports and your Action Register), and real-time visibility (dashboards that allow officers to monitor compliance from mobile devices).
Strategic Assurance and Board Reporting
For your Board and Executive Team, your Action Register provides critical Leading Indicators of safety performance.
Key metrics
Action Closure Rate: The percentage of actions closed on or before the due date. A rate below 85-90% often indicates a resource/risk mismatch.
Age of Open Actions: "Stagnant" actions (open > 6 months) represent accumulated risk liability.
Source Distribution: Where are actions coming from? A healthy system sees a mix of Proactive (Audits, Hazard Reports) and Reactive (Incidents). If 100% of actions are reactive, you're failing to prevent harm.
Effectiveness Rate: The percentage of closed actions that passed effectiveness verification on the first attempt.
Record Retention and Data Security
Action Registers are legal records and must be retained in accordance with statutory requirements.
| Record Type | Retention Period (Typical) | Regulatory Reference |
|---|---|---|
| General WHS Actions | 5–7 Years | WHS Act (General Limitation Periods) |
| Notifiable Incident Actions | 5 Years | WHS Regs s171 |
| Health Monitoring Actions | 30 Years | WHS Regs s378 (Asbestos/Lead) |
| Major Hazard Facility (MHF) | Life of Facility | MHF Regulations |
You must ensure digital or physical archives are secure and accessible for these durations to support future legal defence.
Best Practices for Implementation
Establishing a high-functioning Action Register requires more than software—it requires process discipline.
The "purge" and triage
You often inherit registers cluttered with years of irrelevant data. A "clean-up" is the first step: review all open actions older than 6 months; re-evaluate whether the risk still exists and the action is still relevant; consolidate duplicate actions; and close obsolete actions with a clear justification note.
Authority levels
Establish a "Two-Step Closure" process for high-risk actions. The assignee marks the work as complete, but a second person (e.g., Safety Manager or HSR) must verify evidence before the action is formally closed. This prevents "pencil whipping" of critical controls.
The standing agenda item
Your Action Register should be a standing agenda item at all Health and Safety Committee meetings and Executive Management meetings. The discussion should focus on "Exceptions"—overdue items and high-risk items—rather than reading the entire list.
Frequently Asked Questions
What's the difference between an Action Register and a Risk Register?
Your Risk Register identifies hazards and documents existing controls (what could go wrong). Your Action Register tracks specific tasks to improve controls (what you're doing to fix it). The Risk Register is strategic and relatively static; the Action Register is tactical and changes daily. They should work together: your Risk Register identifies gaps, your Action Register fixes them, then your Risk Register is updated to reflect the new controls.
How long should I keep Action Register records?
General WHS actions should be retained for 5-7 years based on general limitation periods. Notifiable incident actions require 5 years retention under WHS Regs s171. Health monitoring records (asbestos, lead) must be kept for 30 years under WHS Regs s378. Major Hazard Facility records should be retained for the life of the facility. Always ensure your archives are secure and accessible for these durations to support potential legal defence.
What makes an action "SMART" in an Action Register?
SMART actions are Specific, Measurable, Achievable, Relevant, and Time-bound. Avoid vague entries like "Fix safety issue" or "Improve guarding." Instead, write: "Fabricate and install interlocked mesh guarding on Conveyor Belt 4 in accordance with AS 4024.1 by 15 March 2025." This gives clear accountability, a measurable outcome, and a deadline that can be tracked and verified.
How do I prevent "tick and flick" culture in my Action Register?
Stop measuring cards completed—measure hazards fixed and verified. Implement a "Two-Step Closure" process where high-risk actions require verification by a second person before closing. Focus on quality over quantity: a single action that fixes a systemic issue is worth more than dozens of administrative tasks. Make your Action Register a standing agenda item at safety meetings, focusing discussion on overdue items and high-risk actions rather than reading the entire list.