MAEZ guide
Using a Chartered Risk Lens to Close Chain of Responsibility Gaps in Australian Transport
A chartered risk approach to Chain of Responsibility identifies the safety, legal, and operational gaps that lead to HVNL enforcement action, audit failure, and accreditation loss — then closes them with evidence-backed controls before the regulator does.

What does a chartered risk lens do for Chain of Responsibility compliance?
A chartered risk lens applies structured risk management methodology to Chain of Responsibility (CoR) obligations under the Heavy Vehicle National Law (HVNL). It maps each duty holder in your transport supply chain, identifies where controls are missing or not evidenced, and prioritises remediation by the severity of potential harm, breach category, and likelihood of enforcement. For Australian operators, this means moving from scattered paperwork and reactive compliance to a documented system that withstands NHVR scrutiny, NHVAS audits, and internal executive review.
MAEZ helps operators [stop losing sleep over transport compliance](/) by turning HVNL duties, WHS obligations, and NHVAS requirements into practical, evidence-backed systems. Our [Chain of Responsibility Consulting](/cor-consulting/) uses a chartered risk framework to close gaps before they become fines, prohibitions, or accreditation losses.
Key takeaways
- The HVNL imposes a **primary duty** (s26C) on every party in the transport chain — consignor, consignee, packer, loader, driver, operator, and scheduler — to ensure safety so far as reasonably practicable.
- **Executive officers** (s26D) face personal liability if they know or ought to know a CoR breach is occurring and fail to act — Category 1 offences carry the heaviest penalties.
- A chartered risk lens prioritises gaps by breach category (minor, substantial, severe risk) across mass, dimension, loading, speed, fatigue, and vehicle standards.
- **NHVAS accreditation** and a documented **Safety Management System (SMS)** are the two strongest defences against enforcement — but only if the evidence is current, complete, and auditable.
- MAEZ advisory closes gaps; CoRGuard at chainresponsibility.au is the SaaS platform where the evidence lives.
What is a chartered risk lens in transport compliance?
A chartered risk lens means applying the discipline of professionally credentialed risk management — the kind used in finance, insurance, and critical infrastructure — to transport safety obligations. It goes beyond a simple checklist audit. Instead, it asks:
- What could go wrong in each transport activity we control?
- How severe is the potential breach — minor, substantial, or severe risk under the HVNL?
- What controls do we already have, and are they evidenced?
- What is the residual risk, and is it acceptable?
- Who in the executive team knows about this exposure, and what have they done about it?
This approach directly maps to the HVNL's principles applying to duties (s26B), which require duty holders to eliminate or minimise risk so far as is reasonably practicable. A chartered risk practitioner does not just look at whether a policy exists — they assess whether the control actually reduces risk in practice and whether the organisation can prove it.
The [NHVR defines Chain of Responsibility](https://www.nhvr.gov.au/safety-accreditation-compliance/chain-of-responsibility) as the part of the HVNL that makes parties other than drivers responsible for the safety of heavy vehicle transport activities. A chartered risk lens operationalises that definition by identifying where each party's control is weakest and where enforcement is most likely.
Who are the Chain of Responsibility duty holders under the HVNL?
The HVNL identifies multiple parties in the transport supply chain, each with specific duties. Under the principle of shared responsibility (s26A), every party in the chain must take all reasonable steps to prevent breaches related to mass, dimension, loading, speed, fatigue, and vehicle standards.
The key duty holders are:
- **Consignor** — the entity sending goods. Responsible for ensuring mass, loading, and vehicle standards are compliant before dispatch.
- **Consignee** — the entity receiving goods. Must not create incentives or contracts that encourage breaches.
- **Packer** — responsible for how goods are packed and declared, including container weight declarations under s187–190.
- **Loader** — must ensure loads are restrained, mass is within limits, and the vehicle is not overloaded.
- **Driver** — must comply with fatigue management, work diary, mass, dimension, loading, and speed requirements.
- **Operator** — the entity operating the vehicle. Bears broad responsibility across all six CoR areas.
- **Scheduler** — must not schedule journeys that are impossible to complete within legal fatigue limits.
- **Executive of a legal entity** — under s26D, executives have a personal due diligence duty.
For a deeper breakdown of what each duty holder must understand, see [Chain of Responsibilities: what Australian duty holders need to understand](/resources/chain-of-responsibilities-duty-holders-australia/).
What are the primary duties and offence categories under the HVNL?
The HVNL establishes a tiered duty and offence framework. Understanding the structure is essential because it determines how a chartered risk assessment prioritises gaps.
Primary duty (s26C)
Every party in the transport chain has a primary duty to ensure, so far as is reasonably practicable, the safety of heavy vehicle transport activities. This is not a narrow obligation — it covers vehicle standards, mass, dimension, loading, speed management, and fatigue.
Executive duty (s26D)
Executives of entities that carry out transport activities must exercise due diligence to ensure the entity complies with its primary duty. If an executive knows — or ought reasonably to know — that a breach is occurring or is likely, and fails to take reasonable steps to prevent it, they are personally liable.
Prohibited requests and contracts (s26E)
A person must not make a request or enter a contract that requires or encourages another party to breach the HVNL. This is the provision that catches consignors who set unrealistic delivery schedules and consignees who impose penalties for late delivery that incentivise speeding or fatigue breaches.
Offence categories (s26F, s26G)
Breaches are categorised by risk level:
- **Category 1** — the most serious, involving exposure to risk of death or serious injury or illness. These carry the highest penalties and are where executive liability is most acute.
- **Category 2** — serious breaches involving significant risk but without the immediate exposure to death or serious harm characteristic of Category 1.
Mass and loading breaches are further classified as minor risk, substantial risk, or severe risk breaches (Part 4.2 and Part 4.4 of the HVNL). A chartered risk lens maps each operational gap to these categories to determine remediation priority.
How does a chartered risk lens identify CoR gaps that audits miss?
A standard compliance audit checks whether documents exist. A chartered risk assessment goes further by asking whether the documents are sufficient evidence that risk is actually being managed. The distinction matters because the NHVR and courts look at substance, not just form.
The chartered risk process typically involves:
1. **Duty mapping** — identifying which HVNL duties apply to your business based on your role(s) in the supply chain. A business may be consignor, packer, loader, and operator simultaneously.
2. **Control gap analysis** — for each duty, assessing whether controls exist, whether they are implemented, and whether they are evidenced.
3. **Risk classification** — rating each gap against the HVNL breach categories (minor, substantial, severe) and the potential enforcement response.
4. **Executive due diligence review** — checking whether executives can demonstrate they have taken reasonable steps, as required by s26D.
5. **Evidence assessment** — reviewing whether your SMS, NHVAS records, work diary records, and transport documentation would survive an NHVR investigation.
Common gaps that chartered risk identifies include:
- **Fatigue management** — work diary records (s293) that are incomplete, not checked, or not reconciled against rosters. MAEZ currently uses fatigue and driver diary checks for this capability; Electronic Work Diary is not yet live.
- **Transport documentation** — false or misleading transport documentation (s186) or container weight declarations (s187) that are not verified before dispatch.
- **Speed management** — no documented system to prevent drivers from being pressured to exceed speed limits to meet schedules.
- **Mass and loading** — no pre-departure mass check, no load restraint verification, and no record of who loaded the vehicle.
- **Executive due diligence** — no documented evidence that executives have reviewed CoR performance, identified risks, or directed remediation.
How does NHVAS accreditation fit with a chartered risk approach?
NHVAS accreditation is the National Heavy Vehicle Regulator's formal recognition that an operator has systems in place to manage mass, dimension, loading, fatigue, or vehicle standards. It is a strong compliance signal — but it is not a substitute for a chartered risk assessment.
The relationship works like this:
| Element | What it does | What a chartered risk lens adds |
|---|---|---|
| NHVAS accreditation | Demonstrates systems exist for specific CoR areas | Tests whether those systems actually reduce risk in practice |
| NHVAS audit | Verifies records against the Master Code | Identifies gaps between what is documented and what is happening operationally |
| Safety Management System | Structures how the business manages safety | Prioritises SMS controls by severity and likelihood of HVNL breach |
A chartered risk assessment can be conducted before, during, or after NHVAS accreditation. Before accreditation, it identifies what needs to be in place. During accreditation maintenance, it checks that the accredited systems remain effective. After a breach or enforcement event, it identifies what failed and why.
For operators pursuing or maintaining [NHVAS accreditation](/), a chartered risk lens ensures the systems are not just paper exercises but genuinely reduce the risk of HVNL breaches.
How does a Safety Management System support Chain of Responsibility compliance?
A Safety Management System (SMS) is the operational framework that documents how a transport business identifies, manages, and reviews safety risks. Under the HVNL, an SMS is not explicitly mandated for every operator, but it is the most practical way to demonstrate that the primary duty (s26C) is being met.
An effective SMS for CoR should cover:
- **Risk identification** — mapping CoR duties across all transport activities and roles.
- **Controls** — documented procedures for mass, dimension, loading, speed, fatigue, and vehicle standards.
- **Training** — evidence that all duty holders, including executives, understand their obligations.
- **Monitoring** — checks, audits, and reviews that verify controls are working.
- **Reporting and investigation** — a system for capturing near-misses, breaches, and corrective actions.
- **Executive oversight** — documented evidence that executives are exercising due diligence under s26D.
CoRGuard, our SaaS SMS platform at [chainresponsibility.au](https://chainresponsibility.au/resources/chartered-risk-chain-of-responsibility-gap-review), is where the evidence from these controls lives. MAEZ advisory identifies the gaps; CoRGuard provides the structured, auditable home for the controls that close them. Software does not remove liability or guarantee compliance — but a well-structured SMS platform makes it far easier to demonstrate that reasonable steps were taken.
For training that supports your SMS, [Chain of Responsibility Training for Australian Operators](/chain-of-responsibility-training/) builds the knowledge base across your team.
What are the most common Chain of Responsibility gaps a chartered risk review finds?
Across Australian transport operations, the same gaps appear repeatedly. A chartered risk lens helps operators see these not as isolated administrative oversights but as systemic exposures that map directly to HVNL offence categories.
Gap 1: No documented executive due diligence
Many operators have CoR policies but no evidence that executives have reviewed them, understood the risks, or directed remediation. Under s26D, this is a direct exposure. Executives who cannot demonstrate due diligence face personal liability, particularly for Category 1 offences.
Gap 2: Unrealistic contracts and schedules
Consignors and consignees frequently set delivery windows that are physically impossible to meet within legal fatigue and speed limits. Under s26E, this is a prohibited request. A chartered risk review examines contracts and scheduling practices for implicit pressure to breach.
Gap 3: Work diary records not checked
The HVNL requires drivers of fatigue-regulated heavy vehicles to carry and maintain a work diary (s293). But many operators do not systematically check work diary entries against rosters, time records, or fuel data. A chartered risk assessment flags this as a fatigue management gap.
Gap 4: Load restraint and mass not verified
Loaders and packers often rely on experience rather than documented verification. Under the HVNL's loading requirements (Part 4.4), breaches are categorised as minor, substantial, or severe risk. A chartered risk review checks whether there is evidence of pre-departure mass checks and load restraint inspection.
Gap 5: Transport documentation and container weight declarations
False or misleading transport documentation (s186) and container weight declarations (s187) are specific offences. A chartered risk review verifies whether declarations are accurate, complete, and retained.
How does MAEZ close CoR gaps using a chartered risk approach?
MAEZ's [Chain of Responsibility Consulting](/cor-consulting/) follows a structured, evidence-driven process:
1. **Scoping** — we identify your roles in the transport chain and the HVNL duties that apply to each.
2. **Gap assessment** — we map controls against duties, classify gaps by breach category, and prioritise by risk severity.
3. **Executive briefing** — we brief your leadership team on exposures, personal liability under s26D, and remediation priorities.
4. **Remediation plan** — we develop a practical, sequenced plan to close each gap with evidence-backed controls.
5. **SMS implementation** — where software evidence is needed, controls are built into CoRGuard at chainresponsibility.au.
6. **Training** — we deliver targeted [Training](/training/) to duty holders, including executives, managers, drivers, and schedulers, so each person understands what they must do and why.
7. **Review and maintenance** — we schedule periodic reviews to ensure controls remain effective and evidence stays current.
This process is designed for Australian transport operators who cannot afford to treat CoR as a paperwork exercise. The HVNL is enforced by the NHVR across participating jurisdictions (Queensland, NSW, Victoria, Tasmania, South Australia, and the ACT), and the penalties for Category 1 and Category 2 offences are severe.
For more context on how MAEZ approaches this work, see [About Chain of Responsibility](/about-chain-of-responsibility/).
Practical next steps: closing your CoR gaps
If you are an operator, manager, or CoR duty holder, here is what to do next:
1. **Identify your roles** — are you a consignor, consignee, packer, loader, operator, scheduler, or executive? Each role carries different duties.
2. **Assess your current evidence** — do you have documented controls for mass, dimension, loading, speed, fatigue, and vehicle standards? Can you prove executives have exercised due diligence?
3. **Map your gaps** — where are controls missing, incomplete, or not evidenced? Which gaps map to substantial or severe risk breaches?
4. **Get a chartered risk assessment** — [Contact MAEZ](/contact-us/) to schedule a gap assessment that prioritises exposures by HVNL breach category.
5. **Implement controls** — use MAEZ advisory to design the controls and CoRGuard to house the evidence.
6. **Train your team** — ensure every duty holder, from executive to driver, understands their obligations through [Chain of Responsibility training for executives and managers](/resources/chain-of-responsibility-training-executives-managers/) and broader operator-level programs at [cortraining.com.au](https://cortraining.com.au).
7. **Review regularly** — schedule periodic chartered risk reviews to ensure your controls and evidence remain current.
The goal is not perfection. The HVNL requires reasonable steps, not absolute certainty. But reasonable steps must be documented, defensible, and proportionate to the risk. That is what a chartered risk lens delivers.
For ongoing insights and updates on CoR, NHVAS, and transport compliance, visit [MAEZ Insights](/blog/).
Frequently asked questions
What is Chain of Responsibility under the HVNL?
Chain of Responsibility is the part of the Heavy Vehicle National Law that makes every party in the heavy vehicle transport supply chain — consignor, consignee, packer, loader, driver, operator, scheduler, and executive — responsible for safety. Each party must take all reasonable steps to prevent breaches related to mass, dimension, loading, speed, fatigue, and vehicle standards. The principle of shared responsibility is set out in s26A of the HVNL, and the primary duty is in s26C.
What is a chartered risk lens and why is it different from a compliance audit?
A chartered risk lens applies professionally credentialed risk management methodology to CoR obligations. A compliance audit checks whether documents and procedures exist. A chartered risk assessment goes further by evaluating whether those controls actually reduce risk, whether they are evidenced, and whether executives can demonstrate due diligence under s26D. It prioritises gaps by the severity of potential HVNL breach categories.
What are the HVNL offence categories and what do they mean for duty holders?
The HVNL classifies breaches into Category 1 (most serious, involving risk of death or serious injury) and Category 2 (serious but lower immediate risk). Mass and loading breaches are further classified as minor, substantial, or severe risk. Executive officers face personal liability under s26D if they know or ought to know about a breach and fail to act. Category 1 offences carry the heaviest penalties.
Does NHVAS accreditation protect me from Chain of Responsibility liability?
NHVAS accreditation demonstrates that you have systems in place to manage specific CoR areas such as mass, fatigue, or vehicle standards. It is a strong compliance signal but it does not create immunity from enforcement. If the systems are not actually implemented or evidence is incomplete, the NHVR can still take action. A chartered risk review ensures your accredited systems are genuinely effective and properly evidenced.
What is CoRGuard and how does it support compliance?
CoRGuard is a SaaS Safety Management System platform available at chainresponsibility.au. It provides a structured, auditable home for CoR controls, records, and evidence. MAEZ advisory identifies gaps and designs controls; CoRGuard houses the evidence. The platform does not remove legal liability or guarantee compliance, but it makes it significantly easier to demonstrate that reasonable steps were taken.
Who needs Chain of Responsibility training in my business?
Every duty holder needs CoR training, but the content should be tailored to the role. Executives and managers need to understand their personal due diligence obligations under s26D. Schedulers need to understand fatigue and prohibited requests under s26E. Drivers need to understand work diary, mass, loading, and speed requirements. Loaders and packers need to understand loading requirements and container weight declarations. Training is available at cortraining.com.au.
How often should I review my Chain of Responsibility systems?
CoR systems should be reviewed at least annually, and whenever there is a material change in your transport activities, supply chain arrangements, or regulatory requirements. A chartered risk review is also recommended after any breach, near-miss, enforcement event, or change in executive personnel. The HVNL updates due 1 August 2026 will introduce future-effective changes, so operators should plan a review in advance of that date.
Frequently asked questions
Practical answers
- What is Chain of Responsibility under the HVNL?
- Chain of Responsibility is the part of the Heavy Vehicle National Law that makes every party in the heavy vehicle transport supply chain — consignor, consignee, packer, loader, driver, operator, scheduler, and executive — responsible for safety. Each party must take all reasonable steps to prevent breaches related to mass, dimension, loading, speed, fatigue, and vehicle standards. The principle of shared responsibility is set out in s26A of the HVNL, and the primary duty is in s26C.
- What is a chartered risk lens and why is it different from a compliance audit?
- A chartered risk lens applies professionally credentialed risk management methodology to CoR obligations. A compliance audit checks whether documents and procedures exist. A chartered risk assessment goes further by evaluating whether those controls actually reduce risk, whether they are evidenced, and whether executives can demonstrate due diligence under s26D. It prioritises gaps by the severity of potential HVNL breach categories.
- What are the HVNL offence categories and what do they mean for duty holders?
- The HVNL classifies breaches into Category 1 (most serious, involving risk of death or serious injury) and Category 2 (serious but lower immediate risk). Mass and loading breaches are further classified as minor, substantial, or severe risk. Executive officers face personal liability under s26D if they know or ought to know about a breach and fail to act. Category 1 offences carry the heaviest penalties.
- Does NHVAS accreditation protect me from Chain of Responsibility liability?
- NHVAS accreditation demonstrates that you have systems in place to manage specific CoR areas such as mass, fatigue, or vehicle standards. It is a strong compliance signal but it does not create immunity from enforcement. If the systems are not actually implemented or evidence is incomplete, the NHVR can still take action. A chartered risk review ensures your accredited systems are genuinely effective and properly evidenced.
- What is CoRGuard and how does it support compliance?
- CoRGuard is a SaaS Safety Management System platform available at chainresponsibility.au. It provides a structured, auditable home for CoR controls, records, and evidence. MAEZ advisory identifies gaps and designs controls; CoRGuard houses the evidence. The platform does not remove legal liability or guarantee compliance, but it makes it significantly easier to demonstrate that reasonable steps were taken.
- Who needs Chain of Responsibility training in my business?
- Every duty holder needs CoR training, but the content should be tailored to the role. Executives and managers need to understand their personal due diligence obligations under s26D. Schedulers need to understand fatigue and prohibited requests under s26E. Drivers need to understand work diary, mass, loading, and speed requirements. Loaders and packers need to understand loading requirements and container weight declarations. Training is available at cortraining.com.au.
- How often should I review my Chain of Responsibility systems?
- CoR systems should be reviewed at least annually, and whenever there is a material change in your transport activities, supply chain arrangements, or regulatory requirements. A chartered risk review is also recommended after any breach, near-miss, enforcement event, or change in executive personnel. The HVNL updates due 1 August 2026 will introduce future-effective changes, so operators should plan a review in advance of that date.