Quick answer: A risk register is a document that records every identified workplace hazard alongside a formal assessment of the risk it poses — including likelihood, consequence, risk rating, control measures, and residual risk after those controls are applied. It is a central tool in any WHS management system and is commonly required in tender responses, WHS audits, and ISO 45001 certification.
Last reviewed: June 2026 by the BlueSafe Technical Team. Reflects current Model WHS framework.
If you have ever been asked to produce a risk register for a tender, a principal contractor pre-qualification, or a WHS audit — and wondered exactly what it needs to contain — this guide explains it clearly. It covers what a risk register is, what each column records, how it fits into your broader WHS management system, and how to build and maintain one that will hold up to scrutiny.
What is a risk register?
A risk register is a structured record of all identified workplace hazards that includes a formal risk assessment for each one. Unlike a basic hazard register, which simply lists hazards and controls, a risk register applies a risk matrix to rate how likely a harm is to occur and how severe it would be — both before and after controls are applied.
The result is a document that gives your organisation, your workers, and any external auditor a clear picture of:
- what risks exist in your workplace
- how serious each risk is
- what you are doing to manage them
- who is responsible
- when each assessment will be reviewed
Risk registers are a standard requirement in ISO 45001 occupational health and safety management systems, in AS/NZS risk management frameworks, and in most principal contractor pre-qualification and tender documentation.
What does a risk register record?
A well-structured risk register will include the following fields for each entry.
Hazard
What the hazard is — for example, working at heights, forklift traffic, manual handling of heavy loads, or exposure to hazardous chemicals. Be specific enough that a person unfamiliar with your workplace would understand what is being assessed.
Risk description
A clear statement of what could go wrong and who could be harmed. For example: "Worker falls from scaffold, causing serious injury or death." The risk description turns the hazard into a harm scenario and is the foundation of the entire risk assessment.
Likelihood
A rating of how likely the harm is to occur, typically on a scale of 1 (Rare) to 5 (Almost certain). This rating should reflect the current state of the workplace and work practices — not a worst-case hypothetical.
Consequence
A rating of how severe the harm would be if it did occur, typically on a scale of 1 (Negligible) to 5 (Catastrophic). Consequence ratings usually consider physical harm to people, but can also reflect financial, legal, or reputational impact depending on your risk framework.
Risk rating (inherent)
The combined risk score before any controls are applied — sometimes called the "inherent" or "raw" risk. This is calculated by plotting likelihood and consequence on a risk matrix to produce an overall rating such as Extreme, High, Medium, or Low.
For guidance on applying one, see our guide to using a risk matrix.
Control measures
The specific measures in place to eliminate or minimise the risk, listed in accordance with the hierarchy of controls — from elimination (most effective) through to PPE (least effective). Controls should be described specifically enough to be verifiable, not just listed as a category (e.g., "edge protection, safety harness, and SWMS" rather than just "engineering controls").
Residual likelihood and consequence
The likelihood and consequence ratings after the controls are applied. These reflect the remaining risk once your controls are in place and operating as intended.
Residual risk rating
The overall risk score after controls — sometimes called the "treated" or "controlled" risk. This is the figure that tells you whether your controls are adequate or whether further action is needed. A High or Extreme residual risk rating indicates that additional controls are required before work proceeds.
Risk owner
The person responsible for managing the risk and ensuring controls are maintained. This should be a named individual or a specific role, not just "management."
Review date
When the risk assessment for this entry will next be reviewed. Review dates should be realistic and monitored — a risk register where all review dates have passed is a red flag in any WHS audit.
How is a risk register different from a hazard register?
The key difference is the depth of analysis. A hazard register tells you a hazard exists and what is being done about it. A risk register tells you how serious the risk is, how effective your controls are, and what level of risk remains.
For a detailed side-by-side comparison of both documents — including examples and guidance on which your business needs — see our article on hazard register vs risk register.
Risk registers and your WHS management system
A risk register does not stand alone. It is one output of a broader process that the Model Work Health and Safety (WHS) laws and ISO 45001 both require PCBUs (persons conducting a business or undertaking) to follow: identify hazards, assess risks, implement controls, and review.
Under the Model WHS Act, PCBUs must eliminate risks to health and safety so far as is reasonably practicable — and where elimination is not possible, minimise risks. The risk register is the documentary evidence that this obligation is being actively managed.
Under ISO 45001, the international standard for occupational health and safety management systems, a risk register (or equivalent document) is a core element of the planning phase. ISO 45001 requires organisations to:
- determine and assess OH&S risks and opportunities (clause 6.1.2)
- plan actions to address those risks (clause 6.1.4)
- implement and maintain documented information as evidence (clause 7.5)
A properly maintained risk register satisfies all three requirements and will be examined during any ISO 45001 certification or surveillance audit.
Your risk register should also connect with other parts of your WHS system:
- incident investigation records (new hazards identified from investigations go into the register)
- safe work method statements and procedures (controls listed in the register should be reflected in your SWMSs)
- training records (workers should be trained on the controls in place for their work)
- management review (risk ratings and review dates should be reported to senior leadership)
How to build and maintain a risk register
Step 1 — Identify your hazards
Walk through your workplace and work processes systematically. Consult workers, review incident and near-miss reports, look at your equipment and chemical registers, and consider psychosocial hazards as well as physical ones. Every identified hazard becomes a row in your register.
Step 2 — Write the risk description
For each hazard, describe the harm scenario clearly. Who could be harmed? How? Under what circumstances? A well-written risk description makes the rest of the assessment straightforward.
Step 3 — Rate likelihood and consequence
Apply your risk matrix to rate the inherent likelihood and consequence. Be honest — the purpose is to understand your real risk exposure, not to produce a flattering result. Your risk matrix should be consistent with the scale you use across your organisation.
Step 4 — Record your controls
List the controls currently in place, working down the hierarchy of controls. Be specific and verifiable. If a control is planned but not yet implemented, note this clearly.
Step 5 — Assess residual risk
Re-rate likelihood and consequence with your controls in place. If the residual risk rating is still High or Extreme, further controls are required. Do not close out a high-residual-risk entry without documenting what additional action is being taken.
Step 6 — Assign ownership and review dates
Every row needs a named owner and a review date. Review dates should reflect the level of risk — higher-risk entries warrant more frequent review.
Step 7 — Review and update
Your risk register is a living document. Assign someone to monitor review dates, trigger updates after incidents or workplace changes, and report on overdue entries at management review meetings.
Sample risk register
The table below shows three example entries to illustrate how a completed risk register is structured.
| Hazard | Risk Description | Inherent Likelihood | Inherent Consequence | Inherent Rating | Controls | Residual Likelihood | Residual Consequence | Residual Rating | Risk Owner | Review Date |
|---|---|---|---|---|---|---|---|---|---|---|
| Working at heights — scaffold (4 m) | Worker falls from scaffold, causing serious injury or death | 3 (Possible) | 5 (Catastrophic) | High | Compliant scaffold with edge protection, fall arrest harness, SWMS in place, pre-start checklist, workers trained | 2 (Unlikely) | 5 (Catastrophic) | Medium | Site Supervisor | December 2026 |
| Manual handling — bags of cement (20 kg) | Worker sustains musculoskeletal injury to back or shoulders from repetitive lifting | 4 (Likely) | 3 (Moderate) | High | Mechanical assist (hand trolley) available, team lifting for loads over 16 kg, manual handling training completed, rest breaks scheduled | 2 (Unlikely) | 3 (Moderate) | Low | Warehouse Manager | December 2026 |
| Hazardous chemical — solvent-based adhesive | Worker inhales vapours causing acute respiratory illness or long-term lung damage | 3 (Possible) | 4 (Major) | High | Substitution to water-based adhesive in progress; in the interim — forced ventilation, respiratory PPE (P2 mask), chemical stored in ventilated cabinet, SDS accessible, workers trained | 2 (Unlikely) | 4 (Major) | Medium | Safety Officer | September 2026 |
Note that the solvent entry has an earlier review date, reflecting that a substitution control is in progress and needs to be followed up sooner than the annual cycle.
Frequently asked questions
Is a risk register a legal requirement in Australia?
No Australian WHS law specifically requires a document called a "risk register." However, all PCBUs have a duty to identify and manage workplace risks so far as is reasonably practicable. A risk register is the most practical way to demonstrate that duty is being met — and it is commonly required by principal contractors, tender processes, insurers, and ISO 45001 audits.
What is the difference between a risk register and a hazard register?
A hazard register is a simple list of identified hazards and their controls. A risk register goes further — it includes a formal risk assessment for each hazard, with likelihood and consequence ratings, an overall risk score, residual risk after controls, and a review date. For a detailed comparison, see our guide on hazard register vs risk register.
How often should a risk register be reviewed?
Your risk register should be reviewed after any incident or near miss, when work processes or the workplace change, when a new hazard is identified, and at least annually as part of your routine WHS management review. ISO 45001-certified organisations may have more frequent review obligations set out in their WHS management system documentation.
Can a small business use a simple risk register?
Yes. A risk register does not need to be complex to be effective. A small business can maintain a straightforward spreadsheet with columns for hazard, risk description, likelihood, consequence, risk rating, controls, residual risk, and review date. A simple register used consistently is far more valuable than an elaborate one that is never updated.
This guide provides general information only and does not constitute legal advice. Risk register requirements will depend on the nature of your business, applicable legislation, and any contractual obligations specific to your work.