Dreamworld: A risk and compliance case study - Wolters Kluwer CCH
Workplace Law

Dreamworld: A risk and compliance case study

By Michelle Bradshaw, Special Counsel, Governance, Compliance & Regulation, Ash St. Legal & Advisory

Executive Summary

In October 2016, four people died in a tragic accident on the Thunder River Rapids Ride at Dreamworld. The Office of the Work Health and Safety Prosecutor in Queensland has now laid three charges against the operator of the Dreamworld theme park.

From a risk and compliance perspective, the Coroner’s report lays bare the widespread and serious risk, compliance and governance failings at Dreamworld including:

  • a failure to set the right tone at the top;
  • a failure to undertake and refresh risk assessments;
  • poor incidents management;
  • inappropriate controls;
  • inadequate training;
  • poorly drafted policies and procedures;
  • inadequate assurance; and
  • poor record keeping.

With charges having been laid under Queensland’s work health and safety legislation and class actions now being prepared,[1] the next question is whether ASIC will consider legal action against the directors and officers of the company for a breach of section 180(1) of the Corporations Act 2001 (Cth) which requires directors and officers to exercise appropriate care and diligence when carrying out their duties.


The Queensland Coroner’s report into the Dreamworld tragedy was released in February 2020.[2] For those who have enjoyed a day out at a Gold Coast theme park with friends and family, the Dreamworld tragedy must have really hit home. I have driven past the Dreamworld site frequently over the last few years but never felt any desire to return, such is the reputational damage that these types of events can trigger.

The Coroner’s report was lengthy and detailed. The report found that on the basis of expert evidence, the design and construction of the Thunder River Rapids Ride (TRRR) posed a significant risk to the health and safety of patrons at the time of the tragedy[3] and had probably done so for some time.[4] Unsurprisingly, the Office of the Work Health and Safety Prosecutor in Queensland has now laid three charges against Ardent Leisure Limited. The charges allege that the company failed to comply with its health and safety duty under the Work Health and Safety Act 2011 (Qld). The charges carry a maximum penalty of $4.5 million in fines.[5]

Given all we have learnt through various and recent royal commissions, prudential inquiries, regulatory enforcement action and now this tragedy, the Australian public could be forgiven for being left with serious concerns over the quality of risk management, compliance and governance in Australia today.

Although this particular case deals with complex and high-risk systems, the lessons from the Coroner’s report are equally applicable to organisations operating in other industries.

What went wrong?

After reading the report, the more appropriate question may well be what actually went right? The report details a litany of issues, and these issues are themes that keep repeating in different situations and in different organisations.

Failing to set the right tone from the top

The Board’s main role is to decide the strategy for the organisation, set the level of risk that will be accepted when pursuing the chosen strategy and oversee management to ensure it operates within the boundaries set by the Board. In addition, the Board is expected to lead a robust risk culture within the organisation.

The Coroner was highly critical of the leadership at Ardent Leisure Limited stating that:

“Such a culpable culture can exist only when leadership from the Board down are careless in respect of safety”.[6]

Despite having a sub-committee of the Board focused on safety, sustainability and environment,[7] the Board and senior management were unable to identify and address serious safety failings. The questions that come to mind are:

  1. Did the committee members both individually and as a collective possess the appropriate skills?
  2. Did the committee members understand the business they were overseeing to a sufficient level of detail?
  3. Were the committee members sufficiently engaged and applying an inquisitive mind to question and challenge management?

For example, the Coroner questioned the decision to rely solely on one individual to ensure the safety of Dreamworld’s amusement devices which he considered irresponsibly and dangerously inadequate given the level of responsibility associated with such a task and the individual’s other commitments.[8] Possibly just one of the areas which would have benefited from further challenge at the sub-committee and Board level.

Failing to undertake and refresh risk assessments

Risk management is not a new concept and AS ISO 31000:2018 Risk management – Guidelines sets out the established process for risk management. Key to the process of risk management is establishing the context and identifying risks. Dreamworld failed to undertake a risk assessment on the TRRR or refresh such a risk assessment despite significant modifications to the ride over the years.[9] In addition, no formal risk register was kept by the Safety Department.[10]

“It can be concluded beyond doubt that in the 30 years prior to this tragedy, Dreamworld failed to undertake, either internally or via an external auditor, a holistic examination of the TRRR by a suitably qualified engineer, so as to ensure its safe operation through the identification of the high and low probability risks and hazards present.”[11]

Poor incidents management

Incidents management is a core feature of a well-functioning risk management approach. Incidents need to be identified, assessed, managed and reported internally and potentially externally. The focus needs to include actual incidents and “near misses”, all of which provide valuable insight into the operation and adequacy of internal controls.

Despite the high-risk nature of its activities, Dreamworld failed to implement and maintain a robust incidents management process. Incidents in 2001 and 2014 did not trigger a thorough risk and hazard assessment of the TRRR or consideration of the plant and engineering measures available to address those risks and hazards.[12] Incidents were remedied at a superficial level without reference to the root cause.[13]

Failing to build risk management into automated systems

After the identification, analysis and evaluation of risks, an appropriate risk treatment option needs to be chosen. The purpose of the risk treatment stage is to select and implement options for addressing the risk. Controls in particular may be implemented to either eliminate the source of the risk or lower the likelihood or consequence of the risk occurring.[14]  The performance of a control will depend on the people involved, the environment within which the control is operating and the systems/processes relevant to the control.

In terms of the appropriateness of the controls used for the TRRR, the Coroner noted that there was a heavy and unreasonable reliance on administrative controls[15] to ensure the safety of patrons and the lack of engineering controls given the risk was unjustifiable.[16] The Human Factors Report provided by an expert witness confirmed that the “very high ratio of signals/tasks/checks to elapsed time would be difficult to achieve fully, and difficult to sustain fully”.[17]

“It is clear that the 38 signals and checks to be undertaken by the Ride Operators was excessive particularly given the failure to carry out any one could potentially be a factor which would contribute to a serious incident.”[18]

In addition, there was a failure to implement inexpensive safety features which would have substantially reduced the risk including safety features to stop the conveyor belt from working in the event of a pump failure, water level detection devices which would have warned of a pump failure and a single emergency stop capable of initiating a complete shutdown.[19]

The Coroner consistently rejected the notion that ride operators, who would have been a convenient scape goat for a poorly designed and implemented risk management system, were to blame.[20]

Inadequate training

The primary objective of training is to ensure that representatives of the organisation are competent to fulfil their role in a manner consistent with the organisation’s objectives. Given people are an important factor in the ongoing performance of controls, it is important that they understand the “what, why, when and how” of the tasks for which they are responsible.

The Coroner considered Dreamworld’s training to be inadequate and this inadequacy led to extensive and necessary “on the job” learnt behaviour with regards to how to operate the TRRR effectively.[21] In addition, emergency drills were not carried out which would have better prepared employees to successfully complete emergency procedures in a high-pressure real-life situation.[22]

Poorly drafted policies and procedures

Policies and procedures play a critical role in supporting risk and compliance management frameworks within an organisation. Implementing high quality policies and procedures should (i) support a robust risk culture, (ii) clearly identify roles and responsibilities, (iii) encourage a higher quality and more consistent response to the management of the risk, (iv) reduce wasted time or rework and (v) avoid the loss of corporate knowledge. In addition, all relevant stakeholders should be consulted to ensure policies and procedures are fit for purpose and, once adopted, policies and procedures should be kept up-to-date and constantly refined based on experience.

The Coroner noted that Dreamworld’s procedures were poorly drafted, did not incorporate feedback from key stakeholders (such as the Safety Department), left important terms undefined and conflicted with other supplemental material. It was difficult at times to even identify who drafted the procedures.[23]

“[P]rocesses and procedures in place at Dreamworld seem to have been created by unknown persons, who it is safe to assume, lacked the necessary expertise”.[24]

Inadequate assurance

The risk management process set out in AS ISO 31000:2018 Risk management – Guidelines incorporates a step devoted to monitoring and review. The purpose of monitoring and review is to assure and improve the quality and effectiveness of process design, implementation and outcomes.[25] AS/NZS ISO 31000:2009 previously noted that monitoring and review should (i) ensure controls are effective and efficient in both design and operation, (ii) provide further information to improve risk assessments, (iii) analyse and provide lessons from events (including near misses), (iv) detect changes in the external/internal context and (v) identify emerging risks.[26]

Where a business area owns a material risk and implements controls to address it, the business area should be undertaking controls testing on a regular basis. To provide sufficient comfort that material risks have been adequately addressed and are being appropriately managed, independent assurance should also be undertaken.

In the case of Dreamworld, the Coroner described a reactionary approach to maintenance, inspection and repair where issues were accidentally and arbitrarily identified.[27] Taking into account the reference to poor incidents management, record keeping and reporting, the report does not give the impression that controls testing had been well thought out. Unfortunately, where external auditing was undertaken, it was not completed by reference to appropriate standards. The external auditing focused on relatively superficial aspects of the TRRR, rather than engineering, design and safety.[28] Again, this raises questions about the oversight provided by the sub-committee and Board.

Poor record keeping

The ability of poor record keeping to undermine the operation and management of an organisation is drastically underestimated. Poor record keeping not only impacts an organisation’s ability to achieve its operational goals, it also impacts its ability to defend itself when things go wrong.

The Coroner’s report noted that poor record keeping impeded risk and incidents management[29] at Dreamworld and had continued in this poor state for decades.[30]

“What is clear from the records produced, and the difficulties Ardent Leisure had locating the requested information, is that the record keeping, document management and interdepartmental communication at Dreamworld was dire.”[31]

“The manner in which the documentation was provided during the course of the coronial inquiry and inquest further demonstrates the frighteningly unsophisticated ‘systems’ in place at Dreamworld intended to ensure the safety of patrons and staff.”[32]

The impact of poor record keeping will no doubt have impeded the Board in carrying out its oversight function and senior management in effective decision-making. Critical regulatory reporting was also consequently incomplete.[33]

Poor record keeping is a material risk for an organisation and deserves serious attention in risk registers, controls testing and management action plans. It is a drain on efficiency often triggering unnecessary rework and wasting the organisation’s resources.

Failure to commit to best practice in a changing environment

There has been a tendency for organisations to consider best practice standards as optional. An attitude of “if we can we do it, but if it is hard we don’t worry about it”. The Coroner and expert witnesses poured cold water on this interpretation.

“Whether these requirements are mandatory or not is largely irrelevant. Those Standards are the minimum practice that is required. It is the responsibility of those that own and operate high risk plant to ensure that the most up to date safety standards, risks and requirements known to the industry are considered and instituted if possible.”[34]

An expert witness also noted that deviating from best practice for safety standards would be at the owner’s own peril.[35]

Best practice standards should be embraced. It is necessary to take into account the nature, size and complexity of an organisation when designing policies, procedures and processes, however, when things go wrong, being able to prove that the organisation was operating within best practice guidelines helps to support a due diligence defence. Organisations need to aim for best practice and, where they consider there is a reasonable justification for deviating from best practice, make sure they are able to justify their decision to do so.

Most concerning aspect

One of the most concerning aspects of the report is where the Coroner states “this reliance by Dreamworld on the operation history of the ride as to whether a risk or hazard was present is clearly unsound and dangerous.”[36]

“From the accounts provided during the course of the investigation and inquest hearing, it is evident that only a scant amount of knowledge was held by those in management positions at Dreamworld, including … the General Manager of Engineering…”[37]

“The resounding message of the General Managers responsible for the Departments at Dreamworld was that, as such risks and hazards had never been identified to them, they were unaware and therefore unable to take any action. Given no steps were ever taken to properly identify these risks by qualified people, it is unsurprising that such issues were not raised with management. This general ignorance of proper safety and adequate assessments was a recurring theme…and reflects a systemic failure to ensure the safety of patrons and staff…”[38]

Are we to understand from the Coroner’s words and the findings in the report that the Board and senior management failed to actively seek out and understand the safety situation at their organisation and then relied on that lack of information to reassure themselves everything was fine?


This case is a timely reminder of the importance of getting risk management, compliance and governance right. The lessons are applicable to all organisations whether or not failings in other industries can potentially lead to the same heartbreaking outcomes. Directors and senior management need to walk the floor, understand their business and strive for best practice in all aspects of their organisation’s operations.

There needs to be an honest examination of the relentless focus on short term profit and dividends and an acknowledgement of the long-term damage management decisions driven primarily by these types of considerations can have on an organisation. Often these kinds of events occur in an environment where business areas responsible for risk and compliance have been seriously underfunded for a long period of time.

Unfortunately, no customer attending Dreamworld or investor in Ardent Leisure Group Limited, would have had any idea of the systemic nature of the failings and that these failings had persisted for decades. Given charges have now been laid against Ardent Leisure Limited, the next question is whether ASIC will now consider commencing legal action against the directors and officers of the company for a breach of section 180(1) of the Corporations Act 2001 (Cth) which requires directors and officers to exercise appropriate care and diligence when carrying out their duties.

In light of the Dreamworld case, organisations should consider:

  • reviewing the operation, skills and knowledge of the Board and its individual members to ensure they are well equipped to undertake their oversight responsibilities and provide effective challenge to senior management;
  • ensuring there is a thorough understanding of the organisation’s material risks at all levels of the organisation;
  • encouraging a high level of commitment to the management of material risks including with regard to ongoing risk assessments, management of incidents, types of controls adopted, training and assurance;
  • expressly recognising the important role that properly documented policies and procedures as well as record keeping plays in sound risk management; and
  • continuously reviewing the organisation’s management of material risks against best practice standards.

This case study was first published on the Ash St. website and has been reproduced with permission.

[1] https://www.abc.net.au/news/2020-07-29/dreamworld-ardent-leisure-thunder-rapids-ride-death/12499476.

[2] Coroners Court of Queensland, Inquest into the deaths of Kate Goodchild, Luke Dorsett, Cindy Low & Roozbeh Araghi at Dreamworld October 2016, Findings and Recommendations, February 2020 https://www.courts.qld.gov.au/__data/assets/pdf_file/0004/641830/10545784-final-dreamworld-draft-6-forupload.pdf (Coroner’s report).

[3] Coroner’s report at [988].

[4] Coroner’s report at [995].

[5] https://www.owhsp.qld.gov.au/news-and-media/charges-laid-dreamworld-referral.

[6] Coroner’s report at [1050].

[7] Dreamworld’s missing accountability, Australian Financial Review, 25 February 2020, https://www.afr.com/chanticleer/dreamworld-s-missing-accountability-20200224-p543vy.

[8] Coroner’s report at [999].

[9] Coroner’s report at [990].

[10] Coroner’s report at [1002].

[11] Coroner’s report at [1005].

[12] Coroner’s report at [991] and [994].

[13] Coroner’s report at [330].

[14] AS ISO 31000 Risk management – Guidelines at [6.5].

[15] Coroner’s report at [994].

[16] Coroner’s report at [1024].

[17] Coroner’s report at [951].

[18] Coroner’s report at [1022].

[19] Coroner’s report at [864], [1015] and [1016].

[20] Coroner’s report at [1025], [1035] and [1042].

[21] Coroner’s report at [1031].

[22] Coroner’s report at [1034].

[23] Coroner’s report at [1026].

[24] Coroner’s report at [1033].

[25] AS ISO 31000:2018 Risk management – Guidelines at [6.6].

[26] AS/NZS ISO 31000:2009 Risk management – Principles and guidelines at [5.6].

[27] Coroner’s report at [1008].

[28] Coroner’s report at [993].

[29] Coroner’s report at [1010].

[30] Coroner’s report at [1007].

[31] Coroner’s report at [1008].

[32] Coroner’s report at [1006].

[33] Coroner’s report at [990].

[34] Coroner’s report at [997].

[35] Coroner’s report at [997].

[36] Coroner’s report at [994].

[37] Coroner’s report at [1004].

[38] Coroner’s report at [1003].