The Legal Basis for a WHS Management System
The requirement for a WHS management system derives from the primary duty of care imposed by Section 19 of the WHS Act. This section requires every person conducting a business or undertaking to ensure, so far as is reasonably practicable, the health and safety of workers while they are at work in the business or undertaking, and that the health and safety of other persons is not put at risk from work carried out as part of the conduct of the business or undertaking. The courts have consistently interpreted this duty as requiring a systematic approach to identifying, assessing, and controlling risks rather than an ad hoc or reactive response to individual hazards.

A WHS management system is the documented framework through which a PCBU demonstrates systematic risk management. While the WHS Act does not prescribe a specific management system structure or require certification to any particular standard, the absence of a documented, implemented management system is treated as evidence that the PCBU has failed to take the systematic approach that a reasonable person in the same position would have taken.

The WHS Regulation 2025 supplements the primary duty with specific obligations that generate management system requirements. These include the obligation to identify hazards and manage risks under Part 3.1, the obligation to prepare emergency plans under Part 3.2, the obligation to provide health monitoring under Part 7.2, the obligation to manage hazardous chemicals under Part 7.1, and numerous obligations relating to specific hazard categories including plant, manual handling, falls, confined spaces, and electrical safety. Each of these obligations requires documented procedures, records, and review mechanisms that collectively constitute the management system.
Mandatory Management System Elements
While there is no statutory checklist of management system elements, the obligations imposed by the WHS Act and WHS Regulation 2025 create de facto mandatory elements that every PCBU must address.

- A WHS policy signed by the most senior officer that commits the organisation to compliance with applicable WHS legislation, consultation with workers, and continual improvement of health and safety performance.
- Hazard identification and risk assessment procedures that specify how hazards are identified, who conducts risk assessments, what methodology is used, how controls are selected using the hierarchy of controls, and how often assessments are reviewed.
- A risk register that maintains a current record of all identified hazards, their risk ratings, the controls in place, and the residual risk rating.
- Incident reporting, investigation, and corrective action procedures that ensure all incidents, including near misses and hazard observations, are reported, investigated to determine root causes, and addressed through corrective and preventive actions tracked to completion.
- Consultation arrangements that comply with Part 2 of the WHS Regulation 2025 including the establishment of health and safety committees or the election of health and safety representatives where requested, and documented processes for consulting with workers on matters affecting their health and safety.
- Emergency plans that address reasonably foreseeable emergency scenarios, specify roles and responsibilities, include evacuation procedures, and are tested through regular drills with outcomes documented.
- Training and competency management that identifies the training requirements for each role, tracks completion of required training, and ensures workers are competent to perform their duties safely.
Documentation and Record Keeping Requirements
The WHS Regulation 2025 creates extensive documentation and record keeping requirements that the management system must address.

Risk assessments must be documented and retained. The regulation does not specify a minimum retention period for risk assessments, but best practice is to retain them for the life of the risk plus a reasonable period for regulatory review.

Incident records must be maintained and made available to the regulator on request. Notifiable incidents must be reported to the regulator immediately by the fastest possible means, and the PCBU must ensure the incident site is preserved until an inspector arrives or directs otherwise. Incident investigation reports should be retained for at least five years.

Training records must demonstrate that workers have received the training required for their role and exposure profile. Records should include the training topic, date, duration, trainer qualifications, assessment results if applicable, and the worker's signature or electronic acknowledgement.

Health monitoring records under Part 7.2 must be retained for at least 30 years for substances associated with long-latency diseases such as asbestos and silica. The hazardous chemical register under Part 7.1 must be maintained at the workplace and include current safety data sheets for all hazardous chemicals. Plant registration records must be maintained for registered plant under Part 5.1. Workplace exposure monitoring records must be retained and made available to the regulator.

Emergency plan documents must be maintained in a current state with evidence of regular review and drill testing. Inspection and audit records provide evidence that the PCBU is actively monitoring workplace conditions and management system performance.

All of these records must be organised, accessible, and retrievable. A management system that generates the required records but cannot locate them when needed by a regulator, auditor, or court is functionally deficient.