What is a Risk Register?
A Risk Register is a centralised database or master document that records identified workplace hazards, their severity, the control measures implemented to mitigate them, and the individuals responsible for those controls. It acts as your organisation's "single source of truth" for managing safety risks and demonstrating compliance with Australian WHS legislation.
In the Australian workplace safety context, a risk register is more than an administrative checklist. It's a critical operational tool used to demonstrate compliance with the Primary Duty of Care under Section 19 of the Work Health and Safety Act 2011. While the WHS Act doesn't explicitly mandate a document titled "Risk Register" for every general hazard, maintaining one is the standard method for a Person Conducting a Business or Undertaking (PCBU) to prove they have identified hazards and eliminated or minimised risks so far as is "reasonably practicable".
Without a current risk register, your business lacks the evidentiary trail required to defend against negligence claims or regulatory prosecution in the event of a serious incident. Beyond legal protection, an effective risk register delivers operational value by protecting production continuity, enabling tender compliance, and reducing the substantial indirect costs of workplace incidents.
A risk register functions as your organisation's risk management command centre. It systematically captures every identified hazard, evaluates the associated risk levels, documents what controls are in place, and tracks who is responsible for maintaining those controls.
Think of it as a living document that evolves with your business. When new equipment is introduced, when processes change, when incidents occur, or when legislation updates, your risk register should reflect these changes. It's the documented evidence that you're actively managing workplace safety rather than simply reacting to problems as they arise.
The register serves multiple stakeholders. Frontline workers use it to understand the risks they face and the controls protecting them. Supervisors use it to monitor control effectiveness. Senior leadership uses it for due diligence oversight. Regulators examine it during audits to verify your risk management systems are functioning.
Legal Requirements and Mandatory Registers
Managing risk is a mandatory legal duty, not optional best practice. Australian WHS laws impose strict obligations on PCBUs to manage risks according to the "reasonably practicable" test.
Under the WHS Act, you must eliminate risks to health and safety. If elimination is not possible, you must minimise risks so far as is reasonably practicable. A risk register serves as documented evidence that you have weighed the required statutory factors: likelihood of the hazard occurring, degree of harm that might result, knowledge reasonably available about the hazard and controls, availability and suitability of ways to eliminate or minimise the risk, and cost of controls.
While a general risk register covers broad operational risks, specific WHS Regulations explicitly mandate separate or integrated registers for high-risk hazards. Failure to maintain these specific registers is a direct breach of the law:
| Register Type | Regulatory Requirement | Key Details |
|---|---|---|
| Hazardous Chemicals | WHS Regulation 346 | Must list all hazardous chemicals and include current Safety Data Sheets (SDS). Must be accessible to workers using the chemicals. |
| Asbestos | WHS Regulation 425 | Mandatory for buildings constructed before 31 Dec 1989 (or where asbestos is identified). Must record location, type, and condition of asbestos. |
| Confined Spaces | WHS Regulation 62-77 | Risk assessments and entry permits must be documented and retained for specified periods (e.g., 28 days or 2 years post-incident). |
| Psychosocial Risks | Vic OHS Regs / Model Laws | Recent amendments require the management of psychosocial hazards (stress, bullying), which should be documented in the risk register. |
Key Components of an Effective Risk Register
A compliant risk register must be actionable. It should move beyond generic descriptions to specific, trackable data points that enable actual risk management.
Hazard Identification
Each entry should include a unique risk ID (e.g., RISK-024) to link the hazard to incident reports or audit findings. Specify the exact location or activity (e.g., "Warehouse B - Forklift Charging Zone") rather than vague descriptions. Document both the hazard description (the source of potential harm, such as "Leaking battery acid") and the risk description (the mechanism of injury, such as "Worker slips on acid or suffers chemical burns during refilling").
Risk Analysis
Your register should assess risk levels at three stages. Inherent risk represents the risk level without any controls (Likelihood × Consequence). Residual risk shows the remaining risk level after existing controls are applied. Target risk defines the acceptable risk level your business aims to achieve.
Control Measures
Controls must be selected according to the Hierarchy of Control Measures. The register should classify each control by level to highlight its reliability: Level 1 (highest) eliminates the hazard entirely; Level 2 uses substitution, isolation, or engineering controls like machine guarding; Level 3 (lowest) relies on administrative controls such as training, or on personal protective equipment.
| Field | Purpose | Example |
|---|---|---|
| Risk ID | Unique tracking identifier | RISK-024 |
| Location/Activity | Specific context | Warehouse B - Forklift Charging Zone |
| Hazard | Source of potential harm | Leaking battery acid |
| Risk | Mechanism of injury | Worker slips on acid or suffers chemical burns |
| Risk Owner | Manager with authority/budget | Warehouse Operations Manager |
| Action Owner | Person implementing controls | Forklift Team Leader |
| Due Date | Implementation deadline | 30 June 2025 |
Accountability
Clear ownership transforms a risk register from a static document into an active management tool. Assign a risk owner (the manager with authority and budget to manage the risk), an action owner (the person responsible for implementing specific controls tracked in an action register), and a due date for implementation.
Why It Matters: The Business Case
Beyond avoiding regulatory penalties—which can reach millions of dollars for corporations or imprisonment for individuals under industrial manslaughter laws—an effective risk register delivers substantial operational value.
Work-related injury and illness cost the Australian economy billions annually. For individual businesses, the indirect costs of an incident (downtime, investigation, retraining, productivity loss) are often 4-10 times higher than direct insurance costs. By systematically identifying and controlling risks before incidents occur, your register protects both people and profitability.
Government and Tier 1 commercial contracts almost universally require a WHS Risk Register for tender eligibility. Without a current, comprehensive register, you may be excluded from bidding on significant contracts regardless of your technical capabilities or pricing.
The register also protects operational resilience. By identifying "single points of failure"—such as critical machinery breakdown or key person dependencies—the register helps you protect production continuity as well as worker safety.
Practical Considerations and Common Pitfalls
The "Set and Forget" Trap
The most common failure identified in WHS audits is creating a register solely for compliance and never updating it. A register dated three years ago is evidence that you are not actively managing risk—it may actually harm your legal position in the event of an incident.
Best practice involves scheduling quarterly reviews of the register as a whole. Additionally, trigger a review whenever an incident occurs (to capture lessons learned), a process changes, or new equipment or legislation is introduced. Treat your risk register as a living document that evolves with your operations.
Finding the Right Level of Detail
Avoid listing every minor defect (such as a flickering light bulb) in your master register; these belong in maintenance logs. Focus the register on significant risks that require management oversight and strategic decision-making.
Conversely, avoid broad generalisations like "Manual Handling" without specifying the task. Instead, use specific descriptions like "Manual Handling - Unloading 25kg Cement Bags from Delivery Trucks". This level of detail enables targeted, effective controls.
Consultation is Mandatory
You must consult with workers when identifying hazards and selecting controls (WHS Act sections 47-49). Workers are the subject matter experts on their daily tasks. A register created in isolation by a manager often misses the real-world risks faced on the floor and may implement controls that prove impractical in actual operations.
Effective consultation doesn't mean asking workers to write the register themselves. It means engaging them in structured conversations about the hazards they encounter, the controls they find effective, and the gaps they've observed. This input produces a more accurate, more useful register.
Frequently Asked Questions
Is a risk register legally required for small businesses?
While the WHS Act doesn't specify a "risk register" document for every business size, you must identify hazards and control risks—and document that you've done so. For a small business, this might be a simple list rather than a complex database. However, if you store hazardous chemicals or have asbestos, specific registers are strictly mandatory regardless of business size.
Who should have access to the risk register?
The register should not be locked in a manager's office. Workers must be aware of the risks they face and the controls in place. While you may restrict editing rights to maintain data integrity, read access should be available to Health and Safety Representatives (HSRs) and relevant workers. Digital systems often allow field access via mobile devices, enabling workers to review risks before starting tasks.
How is a Risk Register different from a SWMS?
A Risk Register is a strategic master list of all risks across the organisation. A Safe Work Method Statement (SWMS) is a task-specific document required for "high risk construction work" that details exactly how a specific job will be performed safely on a specific site. The register captures the big picture; the SWMS captures the immediate task. However, your risk register should inform what goes into your SWMS documents.