ALARP Decisions: 4 Blind Spots That Keep Risk Alive

ALARP should expose whether risk reduction is real, but many EHS teams turn it into cost defense after the decision is already made.

Key takeaways

  1. Challenge ALARP files before approval by asking which higher-order controls were rejected, who rejected them, and what evidence proves the remaining risk is tolerable.
  2. Separate cost constraints from technical infeasibility, because a budget preference cannot quietly replace elimination, substitution, engineering controls, or verified safeguards.
  3. Escalate SIF-potential risk acceptance to leaders with real authority over capital, schedule, and operations rather than accepting convenient signatures.
  4. Verify critical controls within 30 days after high-risk ALARP approval so the accepted residual risk reflects field reality, not paperwork confidence.
  5. Use Andreza Araújo's safety culture diagnostics to connect ALARP, leadership decisions, and control verification before residual risk becomes normalized.

HSE's ALARP guidance traces its public decision model to R2P2 in 2001, yet many industrial operations still treat reasonably practicable as a cost argument after the risk has already been accepted. This article shows 4 blind spots that keep residual risk alive and gives EHS managers a sharper way to challenge ALARP decisions before they become SIF exposure.

Why do ALARP decisions fail even when the paperwork looks complete?

ALARP decisions fail when the organization records a risk as tolerable before it proves that additional controls are grossly disproportionate to the benefit. HSE explains in its inspector guidance that its ALARP principles help inspectors judge whether duty holders have reduced risks as low as reasonably practicable, a decision model linked to R2P2 from 2001 and refreshed on HSE's website in 2025.

The common failure is not ignorance of the term. It is the sequence. A team fills the risk matrix, decides that the residual rating is acceptable, and only then writes an ALARP paragraph to defend the decision. That sequence is backwards because ALARP is supposed to pressure-test the remaining options before acceptance, not decorate an acceptance that was already politically convenient.

As Andreza Araújo argues in A Ilusão da Conformidade, translated as The Illusion of Compliance, formal compliance can hide weak control logic when leaders confuse evidence of a meeting with evidence of a barrier. In risk-management language, that means the ALARP record must show which additional controls were rejected, who had authority to reject them, and why the rejection did not leave a credible fatality path open.

1. Blind spot one: treating cost as the first filter

Cost becomes a blind spot when the ALARP discussion starts with budget pain instead of risk severity, control effectiveness, and the possibility of irreversible harm. HSE describes reasonably practicable as weighing risk against the trouble, time, and money needed to control it, but that weighing only has meaning after the hazard and potential consequence have been characterized with enough technical depth.

In practice, EHS managers often inherit a capital spreadsheet where engineering controls were removed before safety entered the room. The remaining analysis then compares PPE, training, and administrative checks, which makes the cheapest answer look reasonable because the stronger options were never documented. That is not ALARP. It is procurement history disguised as risk logic.

Across 25+ years leading EHS at multinationals, Andreza Araújo has seen that serious risk is rarely created by one missing document. It grows when leaders accept a small exception, then another, until the operating model depends on human vigilance to compensate for a weak design. The fix is to require a rejected-controls register for every high-risk ALARP decision, with elimination, substitution, engineering, administrative controls, and PPE considered in that order.

The practical test is direct: if the ALARP note cannot name at least 3 rejected options and the reason each was rejected, the decision is not ready for approval.

2. Blind spot two: accepting residual risk without authority

Residual risk acceptance becomes unsafe when the person signing the decision does not control the resources, schedule, or operational choices needed to change the risk. ISO states that ISO 31000:2018 provides risk management guidelines for identifying, analyzing, evaluating, treating, monitoring, and communicating risk across an organization, and that governance link matters because acceptance is a management decision, not a clerical act.

This is where many ALARP files collapse. The supervisor signs because the work must start at 6 a.m., the EHS adviser signs because the procedure exists, and the plant manager never sees the unresolved exposure. When the consequence could be a SIF, signature level must rise with consequence potential, not with the residual color on a matrix.

The existing article on safety risk acceptance authority expands this governance problem, but ALARP adds a sharper requirement. The approver must be able to say yes to additional controls. If the approver can only say yes to the job going ahead, the organization has created approval theater.

3. Blind spot three: using the risk matrix as proof

A risk matrix is a screening tool, not proof that a risk has been reduced as far as reasonably practicable. When a team turns a red box into an amber box, it has changed a rating, but it has not necessarily changed the physical controls that prevent energy release, loss of containment, vehicle strike, fall, or exposure.

The problem is amplified when likelihood is estimated from the absence of recent accidents. A site can go 3 years without a fatal event because exposure is rare, luck held, or reporting is weak. That history does not prove that the next confined-space entry, crane lift, energized intervention, or process upset is tolerable.

Andreza Araújo's work on safety culture diagnosis repeatedly separates declared systems from operated systems. The same distinction applies here. A risk matrix may declare that residual risk is medium, while field verification shows that the critical control is unavailable, bypassed, misunderstood, or dependent on a contractor who was briefed for 10 minutes.

Use the risk matrix distortions as a challenge list before any ALARP approval. If the rating changed but the control set did not, the decision has probably moved numbers rather than risk.

Legal defensibility asks whether the organization can explain its decision after an event, while operational defense asks whether the control set can interrupt the event before harm occurs. ALARP requires both, because a file that reads well after the fact is still inadequate if the field barrier cannot survive normal production pressure.

OSHA recommends hazard prevention and control practices that include selecting controls through the hierarchy of controls, implementing them according to a hazard control plan, and evaluating whether existing controls continue to protect workers. Those 3 verbs matter for ALARP because they move the conversation from written rationale to field performance.

During the PepsiCo South America tenure, where the accident ratio fell 50% in six months according to Andreza Araújo's public professional profile, the lesson was not that documentation became more elegant. The lesson was that leaders had to verify whether controls changed behavior, supervision, maintenance, and operating discipline in the first 180 days.

Each month that ALARP files stay detached from field verification, the organization accumulates accepted residual risk that may look defensible in a meeting but remain fragile in the work area.

How should EHS managers challenge an ALARP file before approval?

EHS managers should challenge an ALARP file with a 4-part sequence: consequence first, rejected controls second, acceptance authority third, and verification evidence fourth. This sequence prevents the team from jumping straight to cost, because the file must show what could happen, which controls were considered, who accepted the remainder, and how the site will confirm that controls work.

The first challenge is consequence credibility. Ask whether the worst credible outcome includes fatality, permanent disability, multiple casualties, environmental release, or business interruption beyond 24 hours. If the answer is yes, the decision needs stronger evidence than a routine permit attachment.

The second challenge is control comparison. The site should compare the current controls with the hierarchy of controls, then explain why any higher-order control is not reasonably practicable. This does not mean every risk needs a major capital project. It means the decision must show that stronger options were examined before lower-order controls became the default.

The third challenge is verification. EHS should require a field check within 30 days for any high-risk ALARP approval, because control drift appears quickly when production pressure, maintenance backlog, or contractor turnover changes the real operating environment.

5. Make the rejected-controls register mandatory

A rejected-controls register is the simplest way to stop ALARP from becoming a single paragraph at the end of a risk assessment. It records each feasible control option, the expected risk reduction, the reason for rejection, the accountable decision maker, and the review date, which gives auditors and executives a traceable decision path.

This register should not be a dumping ground for weak excuses. If engineering ventilation, fixed guarding, remote isolation, or automatic shutdown was rejected, the file should distinguish technical infeasibility from budget preference. A budget constraint may be real, but it should trigger escalation when the consequence is severe.

In more than 250 cultural-transformation projects supported by Andreza Araújo's team, one recurring pattern is the gap between what leaders believe has been decided and what frontline teams understand. A rejected-controls register narrows that gap because it turns hidden risk exchanges into visible management choices.

A useful ALARP register can stay compact. For each option, capture 6 fields: control option, hazard path interrupted, capital or operating constraint, residual exposure, approving role, and next review date.

6. Connect ALARP to critical control verification

ALARP decisions remain incomplete until the organization verifies the controls that justify the residual risk. A file may say that a safeguarding system, LOTO step, gas test, rescue arrangement, or exclusion zone reduces risk, but the ALARP argument depends on that control being present, understood, maintained, and used in the moment of exposure.

This is why ALARP should connect to LOPA protection layers and critical control thinking in high-hazard work. The stronger the consequence, the less comfortable leaders should be with controls that exist only as instructions. Independent, verifiable layers deserve more confidence than administrative controls that depend on memory under time pressure.

4 verification questions should sit beside every high-risk ALARP approval: is the control available, is it effective, is it used correctly, and is there evidence from the last 30 days? If one answer is missing, the risk acceptance should be conditional rather than final.

The transition from ALARP file to verification plan is where many organizations improve quickly. They stop asking whether the document is complete and start asking whether the barrier would still work on night shift, during maintenance, with a new contractor, and under production delay.

7. Use ALARP as a leadership conversation, not only an EHS artifact

ALARP works better when operational leaders treat it as a live decision about people, assets, and reputation. A manager who approves residual risk should understand the hazard path, the controls rejected, the exposure frequency, and the field evidence, not only the final rating.

In Safety Culture: From Theory to Practice, Andreza Araújo argues that culture appears in repeated leadership choices. ALARP is one of those choices because it shows whether leaders spend real attention on risk reduction or outsource the moral weight of risk acceptance to a template.

The leadership conversation should include operations, maintenance, engineering, EHS, and finance when the control decision affects capital, schedule, or production. That does not slow every job. It protects the few decisions where a wrong risk choice can create irreversible harm.

25+ years of multinational EHS leadership taught Andreza Araújo that the strongest safety systems make risk choices visible before they become incidents. ALARP should serve that same function.

Declared ALARP vs structural ALARP

Declared ALARP is a statement inside a file, while structural ALARP is an operating discipline that proves how risk was reduced, who accepted what remained, and how controls will be verified. The difference matters because serious events rarely respect the wording of a document when the field system is weak.

| Decision element | Declared ALARP | Structural ALARP |
|---|---|---|
| Primary evidence | Final residual rating | Rejected-controls register plus field verification |
| Authority | Person available to sign | Role with budget, schedule, and operational authority |
| Control logic | Administrative controls listed first | Hierarchy of controls tested before lower-order controls |
| Review rhythm | Revisited after an incident or audit | Reviewed within 30 days and after operational change |
| Leadership signal | Compliance has been recorded | Risk choices are visible and owned |

The structural version is harder, but it is also more honest. It forces leaders to decide whether they are truly reducing risk or simply accepting the cost of not reducing it.

Conclusion

ALARP decisions protect people only when they expose risk choices, test stronger controls, assign real authority, and verify whether the selected controls still work in the field. If the file only proves that someone signed after the risk matrix changed color, the organization may have accepted risk without understanding it.

For EHS managers ready to strengthen risk acceptance, Andreza Araújo's work connects safety culture, executive decision quality, and critical control verification across 30+ countries. To apply this discipline in your operation, talk to ACS Global Ventures through Andreza Araújo.

Frequently asked questions

What does ALARP mean in safety risk management?

ALARP means as low as reasonably practicable. In safety risk management, it asks whether the organization reduced risk until further reduction would be grossly disproportionate to the benefit. The test is not a shortcut for choosing the cheapest option. It requires evidence that stronger controls were considered, rejected for defensible reasons, and reviewed by someone with authority over the remaining exposure.

Who should approve an ALARP decision?

An ALARP decision should be approved by the role that controls the resources and operating conditions linked to the risk. For routine low-risk work, that may be a supervisor. For SIF-potential exposure, approval should rise to plant, operations, engineering, or executive leadership because the decision may require budget, shutdown time, redesign, or contractor conditions that an EHS adviser alone cannot authorize.

Is a risk matrix enough to prove ALARP?

No. A risk matrix can help screen and prioritize hazards, but it does not prove that risk has been reduced as far as reasonably practicable. The ALARP file must show the control options considered, why higher-order options were rejected, who accepted the remaining exposure, and how the chosen controls will be verified. A lower residual score without stronger controls is weak evidence.

What is the difference between ALARP and residual risk acceptance?

ALARP is the reasoning process used to decide whether further risk reduction is reasonably practicable. Residual risk acceptance is the governance decision to live with the remaining risk after controls are selected. The two should be linked, but they are not the same. This is why safety risk acceptance authority must be explicit before high-risk work proceeds.

Where should an EHS manager start improving ALARP decisions?

Start with one high-risk workflow, such as confined space entry, lifting, energized work, or process isolation. Add a rejected-controls register, define approval authority by consequence potential, and schedule a 30-day field verification check. Andreza Araújo's book Safety Culture: From Theory to Practice helps treat this as a leadership habit, not only an EHS document.

About the author

Andreza Araújo

Safety Culture Expert | Senior EHS Executive

Andreza Araújo is a safety culture expert and senior EHS executive with more than 25 years of experience in environment, health and safety. She is a Civil Engineer and Occupational Safety Engineer from Unicamp, holds a Master's degree in Environmental Diplomacy from the University of Geneva, and completed sustainability studies at IMD Switzerland. Andreza has served in Global Head of EHS roles in Fortune 500 environments, leading cultural transformation programs across multinational operations. She has represented Brazil as a speaker at the United Nations in Paris and has spoken at the International Labour Organization in Turin. She is the author of more than 16 books on safety culture in Portuguese, Spanish, English and German. Her work has earned more than 10 EHS awards, including two recognitions from Indra Nooyi, former PepsiCo CEO.

  • Civil & Safety Engineer (Unicamp)
  • M.A. Environmental Diplomacy (University of Geneva)
  • Sustainability Cert (IMD Switzerland)
  • People Management & Coaching (Ohio University)
  • UN Paris speaker representative for Brazil
  • ILO Turin speaker
  • LinkedIn Top Voice
  • Indra Nooyi PepsiCo CEO recognition (2x)
