What is Corrective Action?
Corrective action is the systematic process of identifying, analysing, and eliminating the root cause of a detected non-conformance, incident, or hazard to prevent its recurrence. It's the fundamental mechanism by which a safety management system learns from failure, transforming reactive incidents into proactive system improvements.
Moving Beyond "Quick Fixes"
In Australian Work Health and Safety (WHS), "Corrective Action" is frequently misunderstood as simply "fixing the thing that broke." You might see a broken guard rail, weld it back together, and consider the job done. However, in the eyes of a regulator or a sophisticated auditor, you've merely performed a correction, not a corrective action.
Understanding this distinction is the single most critical step in maturing your organisation's safety culture. Confusing these two concepts is the primary reason organisations suffer from "repeat incidents," where the same accidents occur year after year despite "fixing" them every time.
Correction vs. Corrective Action: The Critical Distinction
| Feature | Correction | Corrective Action |
|---|---|---|
| Trigger | The Event (Incident/Hazard) | The Root Cause Analysis (RCA) |
| Focus | Symptom (The "What") | Cause (The "Why") |
| Time Horizon | Now (Minutes/Hours) | Future (Days/Weeks/Months) |
| Action | Containment, Repair, Replacement | System Modification, Process Change |
| Outcome | Hazard temporarily removed | Risk of recurrence eliminated |
Correction example: A hydraulic hose bursts, spraying oil on a walkway. The correction involves shutting down the machine, cleaning the oil, and replacing the hose. This does not prevent the hose from bursting again next week due to the same underlying maintenance failure.
Corrective action example: Following the hose burst, an investigation reveals the wrong hydraulic fluid was used, degrading the rubber. The corrective action involves updating the procurement specification, purging the system, and training maintenance staff on fluid compatibility.
Australian Legal Requirements
You cannot design a compliant corrective action process without understanding your obligations under the Work Health and Safety Act 2011 (WHS Act) and associated Regulations. In Australia, corrective action is not optional—it's a codified legal duty.
The Duty to Review Control Measures (Regulation 38)
The most direct legal mandate for corrective action is found in Regulation 38 of the Model WHS Regulations. As a Person Conducting a Business or Undertaking (PCBU), you must review and, as necessary, revise control measures in specific circumstances:
You must review when the control measure does not control the risk it was implemented to control. If an incident occurs, the law assumes the control failed. You must also review before a change at the workplace that is likely to give rise to a new or different risk, when you identify a new hazard, when consultation outcomes indicate a review is necessary, or when a Health and Safety Representative requests a review.
This regulation kills the idea that a Risk Assessment is a "set and forget" document. It requires a dynamic loop where every failure triggers a mandatory review. If you have an incident and do not review your controls, you are technically in breach of Regulation 38.
Officer Due Diligence (Section 27)
For Officers of your organisation (Directors, CEOs, Executives), corrective action is a key component of Due Diligence under Section 27 of the WHS Act. An Officer must verify that the PCBU has, and uses, appropriate resources and processes to eliminate or minimize risks.
Officers should review reports on "Overdue Corrective Actions." They should ask, "Show me the fix." Officers must ensure budget is available for the corrective action. If a corrective action requires a $50,000 ventilation upgrade and the Officer denies the budget, the Officer may be personally liable for failing due diligence if a worker is subsequently exposed to fumes.
Automated workflows, escalation alerts, and verification tracking to ensure actions are completed and effective
Systems Thinking: Why Things Go Wrong
To implement effective corrective actions, you must fundamentally change how you view "cause." In the past, it was common to blame "human error" for accidents. If a worker tripped, the corrective action was "tell worker to watch their step."
Modern safety science and best practice corrective action reject this simplistic view. We rely on the Hierarchy of Reliability and Systems Thinking. The Swiss Cheese Model shows that incidents happen when active failures (unsafe acts) align with latent conditions (system weaknesses). Your corrective actions must target the latent conditions—the holes in the cheese—not just the active failure.
Human error is a symptom. If a worker makes a mistake, the system allowed that mistake to happen. Perhaps the buttons were labelled confusingly, the lighting was poor, or fatigue was induced by the roster.
If your Corrective Action Register is full of "Re-train worker" or "Counsel worker," you are targeting the individual, not the system. These actions are weak and will fail to prevent recurrence.
Root Cause Analysis Methodologies
You cannot fix what you do not understand. A corrective action based on assumptions is a waste of time and money. Once you have the data from your investigation, you need a methodology to process it. "Gut feeling" is not a methodology. You must use a structured root cause analysis tool to derive the corrective action.
The "5 Whys" Technique
This is the most accessible tool for low-to-medium complexity incidents. It forces you to move past the immediate cause by asking "Why?" five times (or as many as needed) until you reach a systemic cause.
Example: A forklift hit a bollard. Why? Brakes failed (Direct Cause). Why? Brake fluid was empty. Why? A seal was leaking. Why? The seal was not checked during the last service. Why? The maintenance checklist for this model of forklift is outdated and doesn't include a seal check (Root Cause). Corrective Action: Update the maintenance checklist for all forklifts of this model.
The limitation of this approach is that it is linear. Real world accidents often have multiple causes. It can oversimplify complex events.
Fishbone Diagram (Ishikawa)
Better for complex problems, this method categorizes causes into themes to ensure you don't miss anything. The 6 Ms are: Man (People), Machine, Method, Material, Measurement, and Mother Nature (Environment).
This approach ensures you look at the "Environment" and "Machine" and don't just blame the "Man".
RCA2 (Root Cause Analysis and Action)
High-reliability industries (healthcare, aviation) are moving to RCA2 (RCA "Squared"). The "Squared" emphasizes that the analysis is useless without the Action.
The output of an RCA is not a "report"; it is a set of "Actions." RCA2 explicitly classifies corrective actions as "Strong," "Intermediate," or "Weak." It demands that organisations prioritize Strong actions (Architectural/Physical changes) over Weak actions (Training/Policy).
If your investigation team proposes a "Weak" action for a serious risk, the RCA2 process requires them to justify why a "Stronger" action was not chosen.
The Hierarchy of Controls: Selecting the Right Fix
When selecting a corrective action, you are legally required to apply the Hierarchy of Controls (Regulation 36). This is a ranking of control measures from the highest level of protection and reliability to the lowest. Your corrective action must aim for the highest practicable level.
| Level | Control Type | Description | Corrective Action Example |
|---|---|---|---|
| 1 (Highest) | Elimination | Physically remove the hazard | Stop using a toxic chemical; automate a manual handling task |
| 2 | Substitution | Replace the hazard | Switch to a water-based cleaner; use a drone for inspection instead of working at height |
| 3 | Isolation | Separate people from hazard | Install barriers; enclose a noisy machine |
| 4 | Engineering | Physical control measures | Install guarding; interlocks; ventilation systems |
| 5 | Administrative | Rules and procedures | Update SWMS; install signs; rotate staff (fatigue management) |
| 6 (Lowest) | PPE | Personal Protective Equipment | Issue respirators; gloves; earplugs |
Levels 1-4 are "Hard Controls" (Place-based). Levels 5-6 are "Soft Controls" (Person-based). Hard controls work even if the worker is tired, stressed, or distracted. Soft controls fail if the worker lapses for even a second.
Most Corrective Action Registers are filled with Level 5 and 6 actions (Training and PPE) because they are cheap and fast. This is a compliance trap. If you rely solely on PPE for a high risk when Engineering was possible, you may fail the "Reasonably Practicable" test in court.
So Far As Is Reasonably Practicable (SFAIRP)
In Australia, you are not required to eliminate every risk at any cost. You are required to do so So Far As Is Reasonably Practicable. This legal concept (Section 18 WHS Act) balances the risk against the cost/difficulty of the fix.
You must weigh: the likelihood of the hazard, the degree of harm (consequence), what you know (or ought to know) about the risk, the availability of controls, and cost—only as a final tie-breaker if the cost is grossly disproportionate to the risk.
If your RCA suggests an Engineering control (e.g., install a $100,000 ventilation system), you cannot simply say "Too expensive." You must document the SFAIRP analysis. If the risk is cancer from silica dust, $100,000 is likely not grossly disproportionate. If the risk is a minor bad smell, it might be.
Analytics that reveal recurring root causes, hazard hotspots, and control effectiveness across your operations
Implementation and Change Management
Designing the fix is only half the battle. Implementing it introduces new risks. This is where Management of Change (MoC) becomes vital.
The Risk of "Risk Migration"
A corrective action can inadvertently create a new, worse hazard. For example, to prevent unauthorized entry, you install a high-security lock on a door (Corrective Action). That door was an emergency fire exit. Now workers are trapped during a fire.
Every physical corrective action must undergo a secondary risk assessment (MoC) before implementation to check for these side effects.
Consultation with Workers
You must consult with the workers who will use the new control (Section 47 WHS Act). They know "Work as Done." If you install a guard that makes it impossible to change the tool bit, they will remove the guard.
Show them the proposed design. Ask: "Will this make your job harder?" "Does this introduce new risks?" Their buy-in is essential for the effectiveness of the control.
Verification and Validation: The Missing Link
The step most often skipped in Australian organisations is Verification of Effectiveness. There's a crucial difference between an implementation check ("Did we do it? Yes, the sign is up") and an effectiveness check ("Did it work? Has the behavior changed? Has the incident rate dropped?").
Best practice is to leave a Corrective Action "Open" (or in a "Monitoring" state) for 1-3 months after implementation. Schedule a review, go back to the site, test whether the guard is still there and the screws are tight, and interview workers to ask if the new process is working.
Only then can you formally close the action. ISO 45001 auditors specifically look for this evidence of effectiveness review.
Common Challenges and Failure Modes
Even with robust procedures, corrective action systems fail. Recognising these failure modes is key to prevention.
The "Retrain Worker" Cycle of Doom
If your investigation concludes "Human Error" and your action is "Retrain," you are likely trapped in a cycle of failure. Training does not change the physical reality of the hazard. It relies on memory.
Dig deeper. Why did they need retraining? Was the first training bad? Is the task too complex?
The "Tick and Flick" (Paper Compliance)
Organisations often focus on closing the action item in the database rather than fixing the hazard in the field. KPIs focus solely on "Time to Close." Managers rush to close actions to meet the KPI.
The result is a database full of "Closed" actions, but a workplace full of hazards. Audit the quality of actions, not just the speed.
The "Black Hole" Register
Hazards are identified, logged, and then sit in the register for years with no resources assigned. This is evidence of negligence. You knew about the risk and chose to do nothing. It is legally safer to have no system than to have a system that documents your inaction.
The fix: Mandatory executive review of all "Overdue greater than 90 Days" actions.
Just Culture and Reporting
Your corrective action system relies entirely on inputs. If workers don't report incidents, you have nothing to correct. If a worker reports a mistake and is disciplined, they will never report again. This creates a dangerous culture of silence.
You must adopt a "Just Culture" model that distinguishes between human error (console the worker), at-risk behavior (coach the worker), and reckless behavior (discipline the worker).
When you take corrective action (e.g., fixing a pothole reported by a worker), advertise it. "You said, we did." This proves that reporting leads to improvement, not punishment.
The Corrective Action Register
Your corrective actions should be tracked in an Action Register—whether digital or Excel, the register must contain these columns to be effective:
| Column | Description |
|---|---|
| ID | Unique Reference (e.g., CA-2024-001) |
| Source | Origin (Incident, Audit, Hazard Report, HSR Request) |
| Risk Rating | Initial Risk (High/Med/Low) - determines priority |
| Issue Description | What is wrong? |
| Root Cause | The systemic cause (from RCA) |
| Action Description | Specific, Measurable fix |
| Hierarchy Level | (1-6) To track quality of controls |
| Owner | Person responsible (Name, not just "Maintenance") |
| Due Date | Realistic deadline based on risk |
| Status | Open / In Progress / Implemented / Verified / Closed |
| Verification Evidence | Link to photo or document proving it worked |
Frequently Asked Questions
Can I close a corrective action as soon as the maintenance is done?
No. You can mark it as "implemented," but it should not be formally "closed" until you have verified its effectiveness. This usually requires a follow-up check (e.g., 1-3 months later) to ensure the maintenance actually fixed the root cause and the issue hasn't returned. This "Verification" step is a specific requirement of ISO 45001.
What if we can't afford the engineering fix identified in the Root Cause Analysis?
You must apply the "Reasonably Practicable" (SFAIRP) test. If the cost is grossly disproportionate to the risk, you may implement a lower-level control (e.g., administrative). However, you must document this cost-benefit analysis formally. You must also implement robust interim controls (like extra supervision) to manage the risk in the absence of the engineering fix.
Is "disciplining the worker" a valid corrective action?
Rarely. Discipline addresses individual behavior but ignores the systemic factors (fatigue, poor training, bad design) that allowed the behavior. In a "Just Culture," discipline is reserved for reckless sabotage or willful negligence, not for honest mistakes or shortcuts driven by production pressure. If you discipline for errors, you drive reporting underground.
How do I handle "Corrective Actions" from external audits vs internal incidents?
They should live in the same register. An audit non-conformance is just a "potential incident" that hasn't happened yet. Managing them in separate silos (e.g., a "Quality Register" vs a "Safety Register") prevents you from seeing systemic weaknesses across the organisation.
References
- Safe Work Australia. Model Code of Practice: How to manage work health and safety risks. Australian Government. https://www.safeworkaustralia.gov.au/doc/model-code-practice-how-manage-work-health-and-safety-risks
- SafeWork NSW. Maintaining and reviewing control measures. https://www.safework.nsw.gov.au/resource-library/list-of-all-codes-of-practice/codes-of-practice/engineered-stone-code-of-practice/maintaining-and-reviewing-control-measures
- WorkSafe Victoria. The hierarchy of control. https://www.worksafe.vic.gov.au/hierarchy-control
- International Organization for Standardization. (2018). ISO 45001:2018 Occupational health and safety management systems. https://www.iso.org/standard/63787.html
- National Patient Safety Foundation. RCA2: Improving Root Cause Analyses and Actions to Prevent Harm. Institute for Healthcare Improvement. https://www.ihi.org/library/tools/rca2-improving-root-cause-analyses-and-actions-prevent-harm