A risk register is the central record of the risks your business faces, how serious they are, what you are doing about them, and who is accountable. Done well, it turns scattered concerns into a single prioritised view that leadership can act on. Done poorly, it becomes a spreadsheet built once to satisfy an auditor or a tender, then left to gather dust while the real risks shift around it.
The difference is not the template. It is whether the register is treated as a living tool. A good register is reviewed, challenged and updated as conditions change — new equipment, new sites, new contractors, a near miss that exposes a gap. If your register looks the same today as it did two years ago, it is almost certainly out of date.
What goes in a risk register
Structure matters because it forces clear thinking. Each row should capture a single, well-defined risk and carry enough information for someone to act on it without a meeting. At a minimum, include columns for:
- Risk ID — a unique reference so the risk can be tracked and cited.
- Description — a plain statement of the risk, not just a hazard label.
- Category — safety, environmental, quality, operational, financial or reputational.
- Cause — what could trigger the event.
- Consequence — the realistic outcome if it occurs.
- Inherent risk rating — the rating before existing controls are considered.
- Existing controls — what is already in place to manage it.
- Residual risk rating — the rating once those controls are accounted for.
- Risk owner — the named person accountable for the risk.
- Treatment actions — further steps to reduce the risk.
- Due dates and status — when actions are due and where they stand.
Separating inherent and residual ratings is what makes a register useful. It shows how much your controls are actually doing and where you remain exposed.
Rating likelihood and consequence
Every risk should be rated on two dimensions: how likely it is to occur, and how severe the outcome would be. Combining the two on a risk matrix produces a consistent rating — typically low, medium, high or extreme — that lets you compare very different risks on the same scale and prioritise accordingly.
Likelihood
Use a defined scale, for example rare, unlikely, possible, likely and almost certain. Anchor each level with a description so people rate consistently rather than guessing. “Possible” might mean the event has occurred in the industry and could occur here within a few years.
Consequence
Rate the realistic severity across the categories that matter to you — injury, environmental harm, cost, downtime, reputation. A clear consequence scale stops minor issues being inflated and serious ones being downplayed.
The matrix is a tool for conversation, not a maths exercise. The value is in the discussion it forces about how bad an outcome could really be and how often it might happen.
Choosing controls that work
Once a risk is rated, decide how to treat it. The hierarchy of controls ranks options from most to least effective, and you should always reach for the top of the list first:
- Elimination — remove the hazard entirely. The most effective control.
- Substitution — replace it with something less hazardous.
- Engineering — isolate people from the hazard with guards, barriers or design changes.
- Administrative — procedures, training, signage and safe systems of work.
- PPE — personal protective equipment, the last line of defence.
Administrative controls and PPE rely on people behaving as intended every time, which is why they sit at the bottom. Wherever practical, design the risk out or engineer it away rather than depending on a procedure being followed.
Assigning owners and target dates
A risk without an owner is a risk no one is managing. Every entry needs a named individual — not a department — who is accountable for monitoring the risk and seeing treatment actions through. Each action should carry a realistic target date and a clear status so progress is visible and overdue items stand out. Owners should understand they are accountable, and leadership should review whether actions are actually being closed.
Keeping the register alive
A risk register reflects a point in time, so it needs a defined review cadence to stay relevant. Build in three triggers:
- Regular reviews — scheduled at a sensible interval, such as quarterly, to revisit ratings and action status.
- Event-driven reviews — after an incident, near miss, audit finding or any significant change to people, plant, sites or processes.
- Management review — leadership formally reviewing the top risks, confirming controls are working and resourcing the actions that matter.
This rhythm is what separates a register that drives decisions from one that exists only to be produced on request. It also aligns neatly with the requirements of ISO management systems, where risk-based thinking and ongoing review are central.
How Robust HSEQ can help
We help Perth and WA businesses build risk registers that are accurate, proportionate and genuinely used — from setting up a fit-for-purpose matrix and facilitating risk workshops to embedding a review cadence your team will actually maintain. If you want a register that holds up under audit and informs real decisions, talk to us about our Risk & Compliance services.