Compliance guide

Corrective actions and risk registers: the quiet backbone of audit-ready compliance

A corrective action register and risk register are the systems that turn incidents, defects, and audit findings into documented, closed-out evidence that satisfies NHVAS auditors and HVNL duty holders. Without them, operators cannot demonstrate they are managing CoR obligations in practice.

corrective action registertransport compliance audit softwarerisk management transport
A transport compliance manager reviews audit documents and risk registers at a desk inside an Australian heavy vehicle depot office, with prime movers and trailers visible through the window in the yard beyond.
GPT-generated CoRGuard article image
Published 24 June 2026/Corrective actions and risk management

What are corrective actions and risk registers in heavy vehicle compliance?

A corrective action register is a structured log that records every identified non-conformance, defect, hazard, incident, or audit finding, assigns responsibility for fixing it, tracks the fix through to completion, and retains evidence of closure. A risk register is the companion document that lists identified risks across your transport operation—mass, loading, fatigue, maintenance, speed, and Chain of Responsibility (CoR) duties—along with their assessed likelihood, consequences, and control measures. Together, these two registers form the operational backbone of a defensible safety management system (SMS) under the Heavy Vehicle National Law (HVNL) and the NHVAS accreditation framework.

When the NHVR or an approved auditor reviews your operation, they are not just checking whether you have policies on paper. They want to see that when something went wrong—a defect was found, a driver exceeded work hours, a load shifted, a breach was detected—your business identified the issue, recorded it, took corrective action, verified the fix, and updated its risk controls. That cycle of detect-record-correct-verify is what a corrective action register proves.

Key takeaways

  • A corrective action register is mandatory evidence for NHVAS accreditation and demonstrates that your SMS is functioning, not just existing on paper.
  • The HVNL imposes primary duties on operators and other CoR parties (s26C); documented corrective actions are how you prove you have taken "reasonable steps" to discharge those duties.
  • Risk registers must cover all HVNL-regulated risk areas: mass, dimension, loading, speed, fatigue, and vehicle standards—not just maintenance.
  • The NHVAS Audit Framework requires that non-compliances identified during an audit result in a Corrective Action Request (CAR), and operators must close these out within specified timeframes.
  • Transport compliance audit software centralises corrective actions and risk registers so that evidence is retrievable, timestamped, and audit-ready at any time.

How does the HVNL create the obligation to maintain corrective actions and risk registers?

The Heavy Vehicle National Law (Queensland), as applied across participating jurisdictions, establishes a framework of shared responsibility under Part 1A.1. Section 26A sets out the principle of shared responsibility—that every party in the transport chain has a duty to ensure the safety of transport activities. Section 26C imposes the primary duty: each duty holder must ensure, so far as is reasonably practicable, the safety of the party's transport activities.

This duty is not abstract. It means that when a risk is identified—whether through a pre-departure check, a driver diary review, a mass check at a weighbridge, or an internal audit—the duty holder must act on it. If the operator does not record the risk and document what was done about it, there is no evidence that the duty was discharged. In enforcement proceedings, the absence of documented corrective action is treated as the absence of reasonable steps.

Section 26B sets out the principles applying to duties, including that the level of risk must be managed proportionately. This is where the risk register becomes essential: it demonstrates that your business has assessed the level of risk for each identified hazard and applied controls that match the risk's severity. A risk register that is reviewed and updated is direct evidence that you are meeting the s26B proportionality principle.

What does the NHVAS audit framework require for corrective actions?

The NHVAS Audit Framework and Auditor Code of Conduct, published by the NHVR, sets out how approved auditors assess operator compliance. When an operator does not meet a standard during an audit, a non-compliance is recorded on the NHVAS Audit Summary Report, and a Corrective Action Request (CAR) is prepared. The operator must then address the CAR within a specified timeframe.

This means that even if your internal systems are strong, the audit itself generates corrective actions. If your business already maintains a corrective action register, closing out audit CARs is simply another entry in an existing workflow. If you do not have one, each CAR becomes an ad hoc, disconnected task that is easily lost—especially between audit cycles.

The NHVAS modules that most commonly generate CARs are:

  • Mass Management: incorrect load documentation, exceedances recorded at weighbridges, or lack of mass calculation records.
  • Maintenance Management: missing defect reports, overdue inspections, or vehicles operating with unrectified defects.
  • Fatigue Management: work diary breaches, missing roster records, or failure to verify driver compliance under the relevant work and rest option.

For each of these, the corrective action must show what went wrong, why it went wrong, what was changed to prevent recurrence, and when the fix was verified. A register that captures these four elements consistently is the difference between a clean audit outcome and a cascading non-compliance finding.

What should a transport risk register include under the HVNL?

A risk register for a heavy vehicle operation must cover every risk area regulated by the HVNL. Based on the structure of the Law, the following risk categories should be included:

Risk areaRelevant HVNL referenceExample risk register entry
MassPart 4.2, s96–100Vehicle exceeds prescribed mass limits due to incorrect loading at consignor premises
DimensionPart 4.3, s101Vehicle exceeds dimension limits on a restricted route
LoadingPart 4.4, s111–114Load shifts during transit due to inadequate restraint
SpeedPart 4.6Driver exceeds speed limiter threshold or posted limit
FatigueChapter 6, s220–285Driver exceeds maximum work hours or fails to take minimum rest under standard hours, BFM, or AFM
Vehicle standardsPart 3.2, s84–88Vehicle operates with unapproved modification or unrectified defect
Transport documentations186–187False or misleading transport documentation or container weight declaration

For each entry, the register should record:

  • The identified risk or hazard
  • Its source (e.g., internal inspection, driver report, near-miss, audit finding)
  • The likelihood and consequence rating
  • Current control measures in place
  • Any additional controls needed
  • The person responsible for implementing controls
  • The review date

This register should be a living document, not an annual checkbox. When a corrective action is completed, the risk register should be updated to reflect the new control state. This creates a traceable link between corrective actions and risk reduction.

How do corrective actions connect to Chain of Responsibility duties?

Under the HVNL, CoR parties include the operator, consignor, packer, loader, consignee, scheduler, driver, and executive of a legal entity. Each has a duty under s26C to ensure the safety of their transport activities. Section 26D extends this to executives, who must exercise due diligence to ensure the business complies with its primary duty.

Corrective actions are the evidence that due diligence is occurring. For example:

  • If a consignor provides incorrect mass information and a vehicle is overloaded, the operator's corrective action should address the communication failure with that consignor and implement a verification step for future loads. This demonstrates the operator took reasonable steps.
  • If a driver's work diary shows a fatigue breach under the standard hours rules (s250–252), the corrective action must address both the individual breach and the scheduling system that allowed it. Section 264 places a duty on the employer, prime contractor, operator, and scheduler to ensure driver compliance—so the corrective action must reach upstream to the scheduler, not just downstream to the driver.
  • If a maintenance inspection identifies a recurring defect across multiple vehicles, the corrective action should not just fix the individual vehicle but also examine whether the maintenance schedule or parts supplier needs to change.

The Master Code: turning Chain of Responsibility controls into daily workflow provides the framework for translating these duties into operational controls. The corrective action register is where you prove those controls are working.

What happens when operators do not track corrective actions?

Operators who fail to maintain corrective action records face several specific consequences:

  1. NHVAS accreditation risk: Unclosed CARs or repeated non-compliances can lead to accreditation suspension or cancellation, removing the operator's ability to operate under alternative compliance schemes.
  2. Enforcement exposure: Without documented corrective actions, the operator cannot mount a "reasonable steps" defence if charged with a Category 1 or Category 2 offence under s26F or s26G of the HVNL. Category 1 offences carry the highest penalties and apply where a person's conduct exposes an individual to a risk of death or serious injury.
  3. Executive liability: Under s26D, executives who cannot demonstrate due diligence—including that they monitored compliance and responded to known risks—may be personally liable.
  4. Audit cascade: One uncorrected issue often leads auditors to dig deeper. A missing defect report on one vehicle triggers a review of the entire maintenance system. A single uncorrected finding can multiply into a system-wide non-compliance.

The practical reality is that NHVR enforcement officers and approved auditors treat the absence of evidence as evidence of absence. If you cannot show that you identified a risk, acted on it, and verified the fix, the regulator assumes you did not.

How does transport compliance audit software support corrective action and risk register workflows?

Transport compliance audit software centralises the entire detect-record-correct-verify cycle. Rather than relying on spreadsheets, email chains, or paper files scattered across depots, a software-based system ensures that every corrective action is:

  • Logged at the point of discovery: When a defect is recorded during a fatigue and driver diary check or a maintenance inspection, the system generates a corrective action entry automatically.
  • Assigned and tracked: Each action has a named owner, a due date, and a status (open, in progress, verified, closed). Overdue actions are flagged.
  • Linked to the risk register: When a corrective action closes a gap, the corresponding risk register entry is updated, creating a traceable audit trail.
  • Evidence-ready: Supporting documents—photos of defects, copies of work diary pages, maintenance invoices, training records—are attached to the action, so an auditor can review the complete file in one place.
  • Reportable: When an NHVAS audit or NHVR investigation occurs, the operator can produce a report of all corrective actions over a defined period, sorted by risk area, status, or module.

CoRGuard's Features include corrective action and risk register workflows designed for heavy vehicle operators. The system supports the connection between daily compliance activity—such as NHVAS compliance software modules for maintenance and fatigue—and the overarching risk register that an auditor will want to see.

For operators transitioning from NHVAS to the new Heavy Vehicle Accreditation (HVA) framework, the evidence requirements are expected to become more stringent. The NHVAS to HVA transition means that maintenance evidence, in particular, will need to be more granular and more readily retrievable. A software-based corrective action register ensures that historical actions are preserved and searchable across accreditation cycles.

What should a corrective action entry contain to satisfy an auditor?

An NHVAS-approved auditor or NHVR investigator reviewing your corrective action register will look for the following elements in each entry:

  1. Identification: What was the non-conformance, defect, hazard, or breach? When was it detected, and by whom?
  2. Root cause analysis: Why did it occur? Was it a system failure, a human error, an equipment failure, or a communication breakdown?
  3. Corrective action taken: What was done to fix the immediate issue? For example, the defective vehicle was repaired, the driver was retrained, the load was re-weighed.
  4. Preventive action: What was changed to prevent recurrence? This is the critical step—fixing the one-off issue is not enough; the system or process must be updated.
  5. Verification: How was the fix confirmed? Who checked it, and when?
  6. Closure: When was the action closed out, and by whom?
  7. Risk register update: Did the corrective action result in a changed risk rating or new control measure in the risk register?

If any of these elements are missing, the auditor may determine that the corrective action is incomplete and issue a further CAR.

How does the 2026 HVNL transition affect corrective action obligations?

The HVNL is scheduled for comprehensive reform, with updates due to take effect from 1 August 2026. While the current HVNL remains active until that date, operators should understand that the direction of reform is toward stronger evidence requirements and a more integrated safety management system approach.

The 2026 HVNL changes are expected to place greater emphasis on risk-based compliance and documented safety management. This means that the corrective action register and risk register—not as optional internal tools but as core compliance instruments—will become even more central to demonstrating that an operator is meeting its primary duty.

Operators who build robust corrective action and risk register workflows now, before the transition, will be better positioned to adapt to the new framework. Those who continue to rely on ad hoc, undocumented processes will face a steeper compliance climb.

Practical next steps: building an audit-ready corrective action and risk register system

If you are an operator, CoR manager, or duty holder, here is a practical sequence to strengthen your corrective action and risk register processes:

  1. Audit your current state: Review the last 12 months of defects, incidents, driver diary breaches, and audit findings. Were they all recorded in a single register? Were they all closed out with verification evidence?

  2. Map your risk register to HVNL duty areas: Ensure your risk register covers mass, dimension, loading, speed, fatigue, vehicle standards, and transport documentation. If any area is missing, add it. Use the HVNL chapter structure as your checklist.

  3. Standardise your corrective action template: Every entry must capture identification, root cause, corrective action, preventive action, verification, and closure. If you are using software, configure the workflow to enforce these fields.

  4. Connect corrective actions to the risk register: When an action is closed, update the relevant risk register entry. This creates the link between operational activity and systemic risk management that auditors and regulators expect.

  5. Centralise evidence in audit-ready systems: Move from分散 spreadsheets and paper files to a single platform where corrective actions, risk registers, and supporting evidence are stored together and retrievable on demand.

  6. Schedule regular reviews: The risk register should be reviewed at least quarterly, and the corrective action register should be reviewed monthly for overdue items. Document these reviews.

  7. Engage expert support where needed: For complex CoR gaps—particularly around executive due diligence, multi-party supply chain risks, or NHVAS accreditation issues—consider engaging specialist advisory support through Chain of Responsibility compliance software and advisory pathways.

CoRGuard provides the software infrastructure to make these steps operational. The platform is designed to support the daily compliance workflows that generate the evidence an auditor or regulator will expect to see. To understand how it fits your operation, review the Use Cases or contact the team through Contact.

Frequently asked questions

Is a corrective action register legally required under the HVNL?

The HVNL does not use the exact phrase "corrective action register," but it imposes a primary duty under s26C to ensure the safety of transport activities, and it provides for Category 1 and Category 2 offences where this duty is breached. To demonstrate that reasonable steps were taken to comply with the duty, operators need documented evidence of identifying risks, acting on them, and verifying corrective outcomes. A corrective action register is the standard mechanism for producing that evidence. NHVAS accreditation also requires that non-compliances identified during audits be addressed through Corrective Action Requests, which are managed through a corrective action process.

What is the difference between a corrective action and a preventive action?

A corrective action fixes an issue that has already occurred—a defect, a breach, a non-conformance. A preventive action changes the system or process to stop the same issue from recurring. For example, if a driver exceeds standard work hours, the corrective action is addressing that specific breach (e.g., stand-down, re-training). The preventive action is updating the scheduling system so that the same rostering error does not happen again. Both must be documented in the corrective action register, and the preventive action should trigger a risk register update.

How long should corrective action records be retained?

While the HVNL does not specify a single retention period for corrective action records, NHVAS accreditation cycles and general limitation periods for enforcement action mean that operators should retain corrective action and risk register records for at least seven years. This aligns with typical record-keeping expectations for safety management systems and ensures that historical evidence is available if the NHVR initiates an investigation into past compliance.

Can transport compliance audit software replace the need for an auditor?

No. Transport compliance audit software supports the operator's internal compliance management and evidence generation, but it does not replace the role of an NHVAS-approved auditor or NHVR enforcement officer. The software ensures that when an auditor arrives, the records they need are complete, organised, and retrievable. It also helps ensure that corrective actions from previous audits have been closed out. However, the audit itself must be conducted by an approved auditor under the NHVAS framework.

What happens if a corrective action is not closed out before an NHVAS audit?

If a corrective action from a previous audit or internal process is still open when the next audit occurs, the auditor will likely record this as a non-compliance. Unclosed corrective actions suggest that the operator's SMS is not functioning effectively—that issues are identified but not resolved. This can lead to a new CAR, escalation of the non-compliance rating, or in serious cases, suspension of accreditation. The corrective action register should be reviewed and cleared of overdue items before any scheduled audit.

How does a risk register differ from a corrective action register?

A risk register is forward-looking: it identifies hazards, assesses their likelihood and consequence, and documents the controls in place. A corrective action register is backward-looking: it records what went wrong, what was done about it, and whether the fix was verified. The two are connected—when a corrective action closes a gap, the risk register should be updated to reflect the improved control state. Together, they show the regulator that your business is both managing current risks and learning from past failures.

Frequently asked questions

Practical answers

Is a corrective action register legally required under the HVNL?
The HVNL does not use the exact phrase "corrective action register," but it imposes a primary duty under s26C to ensure the safety of transport activities, and it provides for Category 1 and Category 2 offences where this duty is breached. To demonstrate that reasonable steps were taken to comply with the duty, operators need documented evidence of identifying risks, acting on them, and verifying corrective outcomes. A corrective action register is the standard mechanism for producing that evidence. NHVAS accreditation also requires that non-compliances identified during audits be addressed through Corrective Action Requests, which are managed through a corrective action process.
What is the difference between a corrective action and a preventive action?
A corrective action fixes an issue that has already occurred—a defect, a breach, a non-conformance. A preventive action changes the system or process to stop the same issue from recurring. For example, if a driver exceeds standard work hours, the corrective action is addressing that specific breach. The preventive action is updating the scheduling system so that the same rostering error does not happen again. Both must be documented in the corrective action register, and the preventive action should trigger a risk register update.
How long should corrective action records be retained?
While the HVNL does not specify a single retention period for corrective action records, NHVAS accreditation cycles and general limitation periods for enforcement action mean that operators should retain corrective action and risk register records for at least seven years. This aligns with typical record-keeping expectations for safety management systems and ensures that historical evidence is available if the NHVR initiates an investigation into past compliance.
Can transport compliance audit software replace the need for an auditor?
No. Transport compliance audit software supports the operator's internal compliance management and evidence generation, but it does not replace the role of an NHVAS-approved auditor or NHVR enforcement officer. The software ensures that when an auditor arrives, the records they need are complete, organised, and retrievable. The audit itself must be conducted by an approved auditor under the NHVAS framework.
What happens if a corrective action is not closed out before an NHVAS audit?
If a corrective action from a previous audit or internal process is still open when the next audit occurs, the auditor will likely record this as a non-compliance. Unclosed corrective actions suggest that the operator's SMS is not functioning effectively. This can lead to a new CAR, escalation of the non-compliance rating, or in serious cases, suspension of accreditation. The corrective action register should be reviewed and cleared of overdue items before any scheduled audit.
How does a risk register differ from a corrective action register?
A risk register is forward-looking: it identifies hazards, assesses their likelihood and consequence, and documents the controls in place. A corrective action register is backward-looking: it records what went wrong, what was done about it, and whether the fix was verified. The two are connected—when a corrective action closes a gap, the risk register should be updated to reflect the improved control state. Together, they show the regulator that your business is both managing current risks and learning from past failures.

See how CoRGuard handles your compliance workflow

Book a short demo and we will map CoRGuard to your fleet, depots, drivers, contractors, NHVAS obligations, and Chain of Responsibility risk points.