Grey fleet risk assessment: a practical guide for Australian employers
In this article
- Why a grey fleet risk assessment matters
- What this actually requires
- What is a grey fleet risk assessment?
- Why grey fleet risk is easy to miss
- Get the checklist as an editable Google Doc or PDF below.
- How to run a grey fleet risk assessment
- What should a grey fleet risk assessment cover?
- Keeping the process simple
- FAQ
If your employees ever drive their own vehicles for work, you have a grey fleet — and you have risk to manage.
A grey fleet risk assessment is how you get that risk visible, controllable, and documented, without turning it into a heavy compliance exercise.
This guide walks through what a grey fleet risk assessment is, the legal responsibilities sitting behind it, how to run one, and what it should cover.
It’s written for the people who usually end up with the work in their lap — fleet managers, HR leads, CFOs, bookkeepers, operations directors and team admins — so you can see what’s expected and what a sensible process looks like.
Why a grey fleet risk assessment matters
Under Australia’s model Work Health and Safety (WHS) Act 2011 — adopted by the Commonwealth, NSW, QLD, ACT, NT, SA, TAS, plus WA’s WHS Act 2020 and Victoria’s OHS Act 2004 running in parallel — a vehicle used for work is treated as a workplace. That means your duty of care as an employer extends to work-related driving, regardless of who owns the car.
Put simply, an organisation can outsource a driving task to an employee using their personal vehicle, but it can’t outsource the legal responsibility for that task.
What this actually requires
Your duty of care is to ensure the health and safety of workers “so far as is reasonably practicable” while they’re driving for work. In practice, that means:
- Verifying driver credentials — confirming workers hold a valid, current licence for the vehicle class they’re driving
- Ensuring vehicle safety — checking the vehicle is registered, roadworthy, fit for purpose, and maintained
- Confirming insurance — making sure the driver’s policy covers business use (standard private cover usually doesn’t)
- Providing information and training — giving drivers the guidance they need to drive safely for work, including on fatigue, journey planning and distraction
- Monitoring conditions — keeping an eye on how work-related driving is actually happening and adjusting when patterns change
👉 Open the risk assessment checklist
Can an employer be liable if something goes wrong?
Yes. If an employee has an incident while driving for work and the business hasn’t taken reasonably practicable steps to manage the risk, the organisation can face enforcement action — including prosecution under WHS law, civil claims, and workers’ compensation exposure. That’s true whether the vehicle is a company car or a personal one.
Penalties under the model WHS Act are significant and regularly indexed, with category 1 offences for corporations reaching into the millions of dollars. Several states have also introduced industrial manslaughter laws with higher maximum penalties where a breach of duty results in a worker’s death.
The flip side — and the reason a risk assessment matters — is that a documented, repeatable process is the clearest evidence that you’ve taken reasonably practicable steps. Done well, it’s your protection as much as your compliance obligation.
What is a grey fleet risk assessment?
A grey fleet risk assessment is a structured way to review the risks associated with employees driving their own vehicles for work and to put sensible controls in place.
It helps you:
- Identify common hazards in how work-related driving is organised
- Understand where those hazards create real risk
- Put practical controls in place
- Review whether your approach is working over time
It usually follows a standard risk management cycle (identify → assess → control → review), but it doesn’t need to become heavy admin. Most businesses already have parts of this in place. The value comes from bringing it together into one consistent process.
Why grey fleet risk is easy to miss
A grey fleet is easy to overlook because the vehicles aren’t owned by the business, even though the driving is still happening for work. That disconnect creates a false sense of separation between the employer and what happens on the road.
The result is a set of common blind spots that tend to show up together:
- Limited visibility over who’s actually driving for work
- Inconsistent mileage tracking and record-keeping
- Unclear or unverified checks for licences, registration and insurance
- No simple way to spot changes in travel patterns over time
- Reliance on manual reporting or employee self-declaration
In many organisations, grey fleet activity is larger than people think. A National Road Safety Partnership Program (NRSPP) case study found that one organisation’s grey fleet — covering around 30% of staff — accounted for over one million kilometres of work-related travel each year. That scale is exactly why visibility is the first problem to solve.
Get the checklist as an editable Google Doc or PDF below.
How to run a grey fleet risk assessment
The NRSPP Grey Fleet Safety Management Guide sets out a structured approach that works for organisations of any size. The six steps below follow that framework, adapted for day-to-day use by Australian employers.
1. Identify the main hazards
Start with the conditions around work-related driving, not just the act of driving itself. In a grey fleet context, hazards are usually about how travel is organised and overseen, rather than individual driver behaviour.
Common hazards include:
- No clear grey fleet policy or driving expectations
- Poor visibility over who’s driving for work and how often
- Vehicles that may not be roadworthy or suitable for the task
- Missing or unclear business-use insurance
- Long-distance travel, fatigue, weather, or unfamiliar routes
- Manual mileage logs that create gaps or errors in records
2. Understand the risks behind those hazards
Once the hazards are named, trace them forward. What could actually go wrong, how could it happen, and who could be affected?
For example:
- Unclear insurance can lead to coverage gaps after an incident
- Poor vehicle oversight increases safety risk
- Inconsistent mileage records weaken your compliance evidence
- Time pressure on journeys increases fatigue and unsafe decisions
Working through those connections shows which hazards deserve the most attention.
3. Assess likelihood and impact
With the risks mapped, prioritise them. Most grey fleet risk assessments focus on two dimensions: how likely an issue is, and how severe the outcome could be.
A simple risk matrix is enough to structure the thinking.
| Risk factor | Example question | Why it matters |
| --- | --- | --- |
| Travel frequency | How often are employees driving for work? | More exposure usually means more risk |
| Distance | Are trips short, long-distance, or regional? | Longer trips can increase fatigue and incident exposure |
| Vehicle condition | Are vehicles maintained and fit for purpose? | Poor maintenance raises safety and compliance concerns |
| Driver readiness | Are drivers experienced, licensed, and fit to drive? | Capability and fitness affect risk directly |
| Journey conditions | Are routes urban, remote, sealed, or unsealed? | Road environment changes the level of risk |
| Admin controls | Are mileage, insurance, and registration checked consistently? | Weak controls make issues harder to detect early |
You don’t need perfect data to do this well. A realistic view of how employees actually travel for work is enough to get started.
4. Put practical controls in place
The best controls are the ones people will actually follow — keep them proportionate to the risk and straightforward to run.
For most businesses, that looks like:
- Replacing unnecessary trips with video calls where appropriate
- Setting clear expectations for safe and lawful driving
- Verifying licences, registration, and business-use insurance on a schedule
- Confirming basic vehicle suitability for work use
- Giving drivers practical guidance on fatigue and journey planning
- Standardising how mileage is tracked and reviewed
Improving mileage tracking is often one of the highest-leverage changes, because cleaner records make everything else — reimbursement, FBT reporting, audit trails — easier to manage.
5. Review the process regularly
Grey fleet risk changes as teams grow, travel patterns shift, and work volumes move. A one-off assessment goes stale quickly. Build in a simple review rhythm:
- Check mileage trends for unexpected increases
- Review any incidents or near misses
- Refresh records when licences, insurance, or vehicle details change
- Update the policy when the business does
It doesn’t need to be a formal exercise every time. The goal is just to keep the picture accurate.
6. Assign ownership
For any of this to work, ownership needs to be explicit. The responsibility may sit with HR, finance, operations, WHS, or fleet management, depending on how the business is structured. Without clear ownership, a grey fleet can drift out of view.
What should a grey fleet risk assessment cover?
A practical grey fleet risk assessment looks across six areas: the organisation, the driver, the vehicle, insurance and documentation, the journey, and the environment. Use the table below as a starting point — it’s not exhaustive.
| Area | Questions to ask |
| --- | --- |
| Organisation | Do we have a clear grey fleet policy, reporting process, and driving expectations? |
| Driver | Are drivers licensed, capable, and fit for work-related driving? |
| Vehicle | Are vehicles roadworthy, maintained, and suitable for the task? |
| Insurance and documents | Is business-use insurance in place, and are registration and records up to date? |
| Journey | Are trips necessary, well planned, and free from unrealistic time pressure? |
| Environment | Are employees driving in urban, regional, remote, or higher-risk conditions? |
Working through these questions will usually surface the areas that need the most attention. Some will already be well managed. Others may have gaps worth addressing — and those gaps are where your controls should go first.
Keeping the process simple
A grey fleet risk assessment doesn’t need to be complicated to be useful. For most businesses, the biggest improvement comes from pulling scattered checks and travel data into one consistent process.
Once you have visibility, everything else gets easier — risk goes down, reimbursement gets cleaner, records hold up to scrutiny, and managers can actually see what’s happening across the team. Consistent mileage tracking is often where that visibility starts, because it turns self-reported estimates into data you can work with.
Also read: Grey fleet policy template
FAQ