A risk register helps you manage safety risks. By documenting risks in your risk register, you can note the steps needed to reduce those risks.

On this page you’ll find a step-by-step process designed to help you build your risk register. The process looks like this:

  1. Set the scene
  2. Identify where the risks come from
  3. Explain what the risks are
  4. Determine why the risks happen
  5. Figure out what will happen if the risks occur
  6. Estimate how likely the risks are to happen
  7. Evaluate the risks
  8. Decide how to deal with the risks
  9. Decide who is responsible for managing the risks
  10. Show how safety risks have been reduced or eliminated as much as possible.

Remember, communication and consultation are crucial in every step of the risk management process. The Bus Safety Act 2009 (Vic) Section 13 emphasises the importance of including everyone involved in providing bus services in planning and implementing risk management processes. By talking with affected parties, you’ll gain a better understanding of the risks.

To document the risk environment, you first need to be able to define it. Here are the steps necessary to establish the risk context, or to set the scene:

  • define what the organisation does
  • define any relationships with other stakeholders
  • describe any standards and guidelines adopted by the organisation
  • record any risks outside of the risk owner’s legal obligations (for example, occupational health and safety legislation, financial risks)
  • describe how changes affecting the bus industry are considered, including seasonal physical changes
  • document the risk management process.

This step requires identifying and recording potential elements that could lead to risks, such as the environment where the activity is taking place.

Ideally, a risk should be identified in the following terms: (Something happens) leading to (outcomes expressed in terms of impact on objectives). For example, ‘a spill of oil in the creek damages our reputation with the local community’.

It’s crucial to consider all possibilities, not just the most likely ones. Even if a risk source is unidentified, the responsibility to ensure safety cannot be avoided if it’s reasonable for someone to have known about it.

To identify risk sources, gather individuals with relevant expertise and discuss potential safety risks.

The following is an example of what your risk register could look like once you start building it. At the end of Step 2, it could look like this:

To understand the possible outcome of a risk, consider what could happen if each identified risk becomes a reality, and write them down in the risk register. Note: a single risk source can trigger multiple events.

The risk register should now have a new column titled ‘Event’. It might look like this:

This step is used to understand the causes that would lead to a risk event. Some examples of risk causes are equipment malfunctions, human error and environmental factors.

Here are some suggested methods to identify potential risk causes:

  • check previous accidents and incidents, both internal and external
  • examine TSV documentation such as safety alerts and bus newsletters
  • analyse past failures and investigations, including technical component failures and human errors/violations. For instance:
    • maintenance/inspection schedules may reveal components that fail regularly
    • certain situations may make people more prone to making mistakes when not following rules and procedures
  • review previous near-miss incidents
  • look into audit and inspection results.

Risk owners must identify and record the factors that could lead to a risk event in the risk register. This will lead to another column in the risk register.

Using the examples above, the register would now look like this:

The consequence of these risks occurring is possible harm to people, including passengers, workers and members of the public. This harm could result in injuries or fatalities.

To manage risk effectively, it’s crucial to identify and document all the possible outcomes of a risk event in the risk register. One event could lead to several different consequences.

You can also determine the severity of the consequence by using a consequence matrix like this:

Consequence ratings matrix:

It’s essential not to underestimate the consequence of a risk, as this could result in ranking the risk lower than it should be. If you’re unsure about the category of a risk source, always choose the most severe consequence.

Risk owners must also consider all the possible outcomes of a risk. For instance, a low-speed collision can lead to minor injuries, but there’s still a potential for multiple fatalities and injuries in specific situations.

If risk owners rank a consequence based on implemented treatments, they must ensure that these treatments are genuinely in place and functioning as expected. The effectiveness of the control measures should be verified and tested to prevent the risk from being undervalued.

Now, your risk register should have a column which rates the consequence (C) of the risk. For example:

The likelihood of a risk means how often or how likely it is that the event might happen.

To determine the probability of an event occurring for each identified risk, use a likelihood ratings matrix like the one shown below.

Likelihood ratings matrix:

Do not underestimate the likelihood, as this may lead to the risk being ranked lower than it deserves. If you’re not sure which category a hazard falls within, suggest a higher risk rating.

When determining likelihood:

  • use knowledgeable people
  • get advice and use technical experts if needed
  • use categories that make sense to you
  • be consistent with ratings.

Your risk register should have a column which rates the likelihood (L) of a risk. For example:

Risk evaluation helps to decide which risks need to be treated first by prioritising them based on the risk analysis outcomes.

The risk score of an event can be determined by multiplying the likelihood and consequence ratings. Risk owners can use a risk rating matrix to assign a score to each risk; for instance, a risk with a consequence of 2 and a likelihood of 3 has a risk score of 6.

To group risks into priority categories, assign number ranges, and rank the risks accordingly. Here is an example:

  • a score of 1 – 3 = low risk
  • a score of 4 – 6 = medium risk
  • a score of 8 – 12 = high risk
  • a score of 15 – 20 = extreme risk.

Choose a risk matrix that works best for you and adjust it as needed. Make sure you allocate enough resources to each risk to minimise or eliminate it as much as possible.

A risk owner can determine different levels of risk based on severity. An example of the levels of risk could be:

  • extreme: stop the activity that creates the risk immediately
  • high: attention required from senior personnel with specific action plans
  • medium: manage by specific monitoring or response procedures
  • low: manage by routine procedures without additional resources.

To evaluate risk, a matrix can be used. The matrix lists consequences across the top with five columns: insignificant (1), minor (2), moderate (3), major (4) and extreme (5). Down the side are four stages of likelihood: rare, unlikely, likely and definitely.

To determine the risk rating, the consequence value is multiplied by the likelihood value and entered in the square where the row and column intersect.

Tip: Colour coding the low priorities green, the medium yellow, the high orange and the extreme red gives a quick visual representation of where risks sit.
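The scoring and banding described above, as an added example that is not part of the original page: it rates register rows using the page's labels and score ranges, takes the more severe option when a rating is uncertain, and checks that every score the matrix can produce falls within a band. The 1 to 4 likelihood values and the sample register rows are assumptions constructed for illustration.

```python
# Labels and score ranges are taken from the page; likelihood values 1-4 are assumed.
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "extreme": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "likely": 3, "definitely": 4}
BANDS = [(1, 3, "low"), (4, 6, "medium"), (8, 12, "high"), (15, 20, "extreme")]
RESPONSE = {
    "extreme": "stop the activity that creates the risk immediately",
    "high": "attention required from senior personnel with specific action plans",
    "medium": "manage by specific monitoring or response procedures",
    "low": "manage by routine procedures without additional resources",
}

def band(score):
    """Map a risk score to its priority category."""
    for low, high, name in BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} falls outside every band")

def unbanded_scores():
    """Scores the matrix can produce that no band covers (should be empty)."""
    products = {l * c for l in LIKELIHOOD.values() for c in CONSEQUENCE.values()}
    return sorted(s for s in products if not any(lo <= s <= hi for lo, hi, _ in BANDS))

def worst(options, scale):
    """When assessors are unsure between categories, take the most severe one."""
    return max(options, key=scale.__getitem__)

def rate(row):
    """Add L, C, R (= L x C), level and response columns to one register row."""
    l = LIKELIHOOD[worst(row["likelihood"], LIKELIHOOD)]
    c = CONSEQUENCE[worst(row["consequence"], CONSEQUENCE)]
    level = band(l * c)
    return {**row, "L": l, "C": c, "R": l * c, "level": level, "response": RESPONSE[level]}

def prioritise(register):
    """Rate every row and list the highest risk scores first."""
    return sorted((rate(r) for r in register), key=lambda r: r["R"], reverse=True)

# Constructed sample rows; each rating lists the categories the assessors considered.
SAMPLE_REGISTER = [
    {"event": "Passenger falls while boarding", "likelihood": ["likely"], "consequence": ["minor"]},
    {"event": "Low-speed collision in depot", "likelihood": ["unlikely"], "consequence": ["minor", "extreme"]},
    {"event": "Door closes on passenger", "likelihood": ["rare", "unlikely"], "consequence": ["moderate"]},
    {"event": "Brake failure on descent", "likelihood": ["likely"], "consequence": ["extreme"]},
]

if __name__ == "__main__":
    print("unbanded scores:", unbanded_scores())
    for r in prioritise(SAMPLE_REGISTER):
        print(f'{r["R"]:>2} {r["level"]:<8} L={r["L"]} C={r["C"]} {r["event"]}: {r["response"]}')
```

If you adjust the matrix or the score ranges, rerun `unbanded_scores()` so that no achievable score is left without a priority category.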

Risk evaluation matrix:

Risk register example. By adding the risk ratings (R) your register could look like:

There are different ways to handle risks after they are identified and evaluated, such as:

  • accept insignificant risks that cannot be practically treated
  • mitigate the likelihood or consequence of an event through preventative or mitigative action
  • transfer responsibility for managing the risk to another party or organisation, partially or fully, such as through insurance.

Good risk management involves ensuring that key factors are in place. These include, for example:

  • competent people: ensure that individuals have the necessary experience, knowledge, and motivation to perform their tasks. Also, consider whether they need supervision and make sure they understand their responsibilities.
  • safe work practices: document all procedures and work instructions accurately so that individuals can perform their tasks safely. Ensure that individuals are aware of and understand what they are required to do.
  • appropriate equipment and materials: provide the right tools and equipment necessary for safe task performance. Additionally, if the equipment has limitations, install warning devices to alert users.
  • controlled work environment: control the physical conditions of the work location, including noise, temperature and vibration. Additionally, manage work schedules and communication effectively.

1. Risk treatment methods

Each risk treatment involves the implementation of one or more of the following strategies.

A treatment can be any process, practice, device or action that aims to eliminate or decrease risk. Physical equipment, management processes and personnel actions are all possible treatments.

There are various methods for reducing risk, including:

  • eliminating the source of risk: this is the most effective way to control the risk and should be preferred if reasonably possible. An example of elimination is changing a bus route to avoid hazardous situations such as passive level crossings or unsealed roads
  • substituting the risk source with a less dangerous one, such as using a safer substance instead of a hazardous one
  • isolating or separating the risk source, such as limiting bus operations in high pedestrian traffic areas
  • using engineering treatments, such as installing automatic sensors to detect obstructions in the door space
  • using administrative/educational treatments, such as providing driver training
  • using personal protective equipment, such as providing specialised clothing
  • using standard treatments, such as applying the appropriate standard when selecting the location of a bus stop
  • using maintenance controls, such as properly maintaining buses according to company requirements and specified standards.

The level of risk should determine the number and effectiveness of treatments. High-risk sources need more effective controls to manage the risk.

When deciding on controls, document those already in place for each cause and effect identified.

To prevent a risk source from becoming an event, identify and prioritise ‘preventative controls’ first. If the event has already occurred, risk owners must consider ‘mitigative controls’ to manage the consequences.

2. Consider how effective the treatment is

Use the control checklist to evaluate treatments. Remember that treatments should be:

  • effective at reducing the risk
  • reliable; that is, likely to be available on demand
  • suitable to the climatic conditions or operating environment.

In an audit, you may be asked for evidence that these treatments are in place and that they are effective.

3. Identify any other alternative controls available

To find new treatments, look at best practices, current standards, and industry knowledge. An example of this would be increasing inspections or adjusting staff schedules to reduce fatigue. Use a control checklist to evaluate the effectiveness of these new treatments.

Remember that when designing or including new equipment, make sure it meets current best practice standards if possible.

If you rank a consequence with treatments apparently already in place, make sure they are actually in place and working as expected. Test the reliability of the treatment to avoid underestimating the risk.

4. Risk treatment checklist

When evaluating a treatment for managing risk, keep notes on the following:

  • does the treatment actually reduce the risk? If it’s not effective then it’s not a good control
  • can the treatment be relied upon to work when needed?
  • is the treatment appropriate for the operating environment?
  • will the treatment interfere with other systems or requirements?
  • do employees understand and follow the treatment correctly?
  • what happens if the treatment fails?
  • if the treatment is based on a standard or code, has it been applied correctly?
  • does the treatment rely on other systems that could fail?
  • could the treatment introduce new hazards?
  • are there new standards, systems, or technologies that could be used instead?
  • is the treatment a recognised best practice that has been shown to improve safety in similar situations? Make sure to consider the specific circumstances of your situation and compare it to established practices in similar jurisdictions or industries.

Remember: Best practices change over time due to increased knowledge and changes in technology. It’s important to regularly review current best practices and use professional judgement to understand the information.

Identify and document measures to reduce or mitigate risks. These measures should be recorded on a risk register. Multiple measures can be used for each risk.

Risk register example:

In the following example of a risk register, the columns have been removed due to space limitations. The item numbers still correspond to previous steps. See the sample risk register at the end of this document for a clearer depiction.

To make sure that risks are being managed properly, it’s important to assign someone to be responsible for completing any necessary treatments. This will help keep track of progress and ensure that someone is accountable for managing the risks.

On the risk register, make sure to record the status of any risk treatments, the person responsible for completing them and either an expected completion date (if it’s a new treatment) or a review date (for existing treatments).

It’s also important to regularly review the effectiveness of risk treatments to make sure they are still working as they should be.

Risk register example:

In the following example of a risk register, the columns have been removed due to space limitations. The item numbers still correspond to previous steps. See the sample risk register at the end of this document for a clearer depiction.

It’s important to summarise why you believe your risks have been eliminated or reduced So Far As Is Reasonably Practical (SFAIRP).

The documentation on the risk register of SFAIRP decision-making is important, because it demonstrates that risks have been eliminated or reduced So Far As Is Reasonably Practical.

To show that a risk is being managed SFAIRP, several things are necessary:

  1. treatments are in place that meet recognised codes and standards and have been applied properly. This can include using engineering, operational or maintenance codes and standards, but it depends on the specific situation
  2. good practice is followed by considering new or alternative controls that are known to be effective
  3. competent people with the right knowledge have evaluated the risk and its source
  4. the effectiveness and availability of the controls have been tested and validated within the company.

If the item is complex or unclear, it shows that further analysis is needed. This could include risk-based assessments such as quantitative risk assessment and cost-benefit analysis, but codes, standards, good practices and engineering judgement still matter.

Benefit vs cost

It may be reasonable to reject a treatment option if the cost versus benefit is grossly disproportionate. Any assumptions relating to costs or risk benefit must be documented as these significantly affect the robustness of the outcome.

If you can’t afford to implement a treatment that is reasonably practicable, you should not engage in the activity that gives rise to that risk.

Below is an example of how this could be summarised in the risk register:

When your risk register is complete, it should look something like this.

Please note: Due to space limitations, this example includes the first four risk items only.