
ALARP vs SFAIRP vs Risk Appetite: Which Fits?

ALARP, SFAIRP, and risk appetite answer different safety risk questions. Use this comparison to avoid board-level risk acceptance errors.


Key takeaways

  1. Separate ALARP from risk appetite because one tests further reduction, while the other defines what leadership is prepared to retain.
  2. Use SFAIRP when legal wording matters, especially in UK-style duty frameworks where reasonably practicable decisions require evidence.
  3. Escalate high-severity safety risks when risk appetite language starts masking SIF exposure behind financial or operational convenience.
  4. Document tolerability decisions with owners, evidence, review dates, and control verification rather than relying on a color matrix alone.
  5. Use Andreza Araujo's safety culture diagnostics when formal risk language looks mature but field decisions still accept weak controls.

Executives often use risk appetite language to accept safety exposure that still needs an ALARP or SFAIRP test. This comparison shows when each concept fits, how to document the decision, and why the wrong label can turn serious injury and fatality risk into boardroom comfort.

Why this comparison matters for safety governance

ALARP, SFAIRP, and risk appetite are three different decision languages, although they often appear in the same risk committee pack. ALARP and SFAIRP focus on whether a safety risk has been reduced far enough, while risk appetite expresses how much risk leadership is prepared to retain across objectives, projects, and operations.

HSE explains ALARP as a proportionality test in which risk reduction is pursued unless the sacrifice is grossly disproportionate to the benefit. ISO describes ISO 31000 as guidance for managing risk through principles, framework, and process. Those references point to the same board problem from different directions, since one asks whether enough was done and the other asks how risk decisions are governed.

Across 25+ years leading EHS in multinationals, Andreza Araujo has observed that weak safety decisions rarely announce themselves as negligence. They usually arrive as acceptable residual risk, insufficient budget, delayed action, or a color-coded matrix that looks orderly enough to end debate. In A Ilusão da Conformidade, translated as The Illusion of Compliance, that pattern appears as the gap between a declared system and the way risk is actually accepted.

1. What question does ALARP answer?

ALARP answers whether a specific safety risk has been reduced as low as reasonably practicable. The key number is not a score such as 12 or 16 on a matrix, but the comparison between further risk reduction and the sacrifice required in money, time, effort, technical feasibility, and operational disruption.

The common mistake is treating ALARP as permission to keep any risk that feels expensive to reduce. That reverses the test. The organization must first identify credible additional controls, then explain why a rejected control is not reasonably practicable, especially when the possible consequence includes fatality, permanent disability, major release, or multiple-person exposure.

For an EHS manager, ALARP works best in high-hazard scenarios where additional controls are possible but contested. Examples include a second layer of isolation before line break, fixed segregation for vehicle routes, engineered access for work at height, or process-safety safeguards that compete with production cost.

The board should see the evidence in 4 parts: the hazard scenario, current controls, rejected additional controls, and the reason each rejected control was not reasonably practicable. A risk matrix alone cannot carry that argument.

2. When does SFAIRP change the decision?

SFAIRP answers the same practical question as ALARP in many UK-style safety contexts, but the wording matters because it is closer to statutory duty language. It asks whether the duty holder has reduced risk so far as is reasonably practicable, which makes evidence and proportionality central to the decision record.

HSE states in its HID approach to ALARP decisions that SFAIRP and ALARP call for the same tests to be applied. That does not make the words decorative. In a legal or regulator-facing document, the exact phrase used by the relevant jurisdiction, permit, or standard should be preserved.

The trap is semantic confidence. Teams debate whether ALARP or SFAIRP is the correct label, while the control evidence remains thin. A useful SFAIRP argument should show that leaders understood the risk, reviewed alternatives, challenged cost objections, and kept high-severity scenarios visible until control verification was complete.

As Andreza Araujo argues in Safety Culture: From Theory to Practice, culture is revealed in repeated decisions. A company that says safety is a value but accepts weak evidence for a severe scenario has not solved the problem by choosing the legally accurate acronym.

3. What question does risk appetite answer?

Risk appetite answers how much and what type of risk leadership is prepared to pursue, retain, or avoid in pursuit of objectives. In safety governance, the useful version turns executive intent into thresholds, escalation rules, investment priorities, and non-negotiable boundaries for SIF exposure.

Risk appetite belongs at a different altitude from ALARP. It is not the proof that a specific machine, process, contractor activity, or chemical task is safe enough. It is the leadership policy that tells managers when residual risk must be escalated and when a local manager is not authorized to accept it.

The danger appears when companies borrow financial-risk language and apply it to safety without translation. A statement such as "moderate appetite for operational risk" may be acceptable for inventory variance, but it becomes dangerous if it lets a plant retain unresolved fatality exposure because the business case is inconvenient.

A practical safety appetite statement should include at least 3 limits: no unverified critical control for SIF exposure, no overdue high-severity corrective action beyond a defined threshold, and no local acceptance of fatality-potential risk without executive review. That structure connects naturally to risk trigger thresholds for safety decisions.

4. Where does ISO 31000 fit?

ISO 31000 fits as the management framework for risk governance, not as a substitute for ALARP or SFAIRP evidence. It gives leaders a common process for establishing context, assessing risk, treating risk, monitoring, reviewing, recording, and communicating decisions across the organization.

ISO presents ISO 45001 as the occupational health and safety management system standard, while ISO 31000 speaks to risk management across objectives. In practice, an EHS function often needs both languages because ISO 45001 anchors the OHS system and ISO 31000 helps connect safety risk to enterprise decision-making.

The board-level failure happens when ISO 31000 language makes risk acceptance sound mature before the safety controls are verified. Risk governance should not soften the technical question. If the scenario could kill someone, the appetite statement must send the issue toward stronger scrutiny, not away from it.

Andreza Araujo's work in Safety Culture Diagnosis: Learn how to do your own is relevant because the diagnostic question is not whether the framework exists. The harder question is whether managers use the framework when production, budget, and reputation place pressure on the decision.

5. How should executives compare the three?

Executives should compare ALARP, SFAIRP, and risk appetite by the decision each one authorizes. ALARP and SFAIRP support a judgment about a specific risk reduction duty, while risk appetite supports governance boundaries across decisions, portfolios, and escalation levels.

The strongest safety committees do not choose one term and discard the others. They stack them. Risk appetite says which risks cannot be accepted locally. ALARP or SFAIRP then tests whether the specific hazard has been reduced far enough. Control verification confirms whether the chosen protection exists where work happens.

The weak version appears in a board paper that says residual risk is within appetite without explaining whether the highest-consequence controls were tested. That is how the language of enterprise risk can conceal physical exposure. The decision looks strategic, although the field condition remains unchanged.

The comparison below is the simplest executive filter.

| Concept | Question answered | Best evidence | Common misuse |
|---|---|---|---|
| ALARP | Has this safety risk been reduced low enough? | Control options, cost and feasibility analysis, rejected-control rationale | Used as a shortcut for accepting expensive risks |
| SFAIRP | Has the duty holder done what is reasonably practicable? | Legal duty mapping, proportionality evidence, regulator-ready decision record | Debated as terminology while control evidence stays weak |
| Risk appetite | What risk can leaders retain or pursue? | Board-approved thresholds, escalation triggers, investment rules | Used to accept SIF exposure without technical review |

6. Which one should govern SIF exposure?

SIF exposure should be governed by risk appetite at the threshold level and by ALARP or SFAIRP at the scenario level. Risk appetite should prevent local acceptance of fatality-potential risk, while ALARP or SFAIRP should test whether the specific exposure has been reduced far enough.

This distinction matters because serious injuries and fatalities are often hidden by low-frequency data. A site can have a clean TRIR, a stable dashboard, and a severe exposure that is waiting for one failed barrier. That is why safety margin decisions before risk escapes belong in the same conversation.

Across more than 250 cultural transformation projects, Andreza Araujo has observed that leaders tend to underreact when the indicator is clean and overreact after the event becomes visible. A good governance model reverses that timing by escalating weak controls before injury proves the weakness.

The practical rule is direct: no SIF-potential risk should be accepted only because it is within a color band. It needs a named owner, verified critical controls, review frequency, and a documented statement of why further reduction is or is not reasonably practicable.

7. What evidence belongs in the decision record?

The decision record should make the risk acceptance logic auditable in 6 months. It should show the scenario, credible consequence, current controls, additional controls considered, evidence of practicability, owner, review date, and escalation trigger if the control degrades.

HSE describes risk assessment as a process for controlling health and safety risks caused by workplace hazards. That plain sequence matters because executive language can become detached from the basic duty to identify hazards, assess harm, control risk, record findings, and review controls.

Decision records fail when they document approval rather than reasoning. A signed form that says "accepted by leadership" does not explain what leadership accepted, which alternatives were rejected, or what evidence would reopen the decision.

EHS should require 4 minimum fields for any high-severity retained risk: control verification date, control owner, escalation threshold, and next review trigger. Those fields force the organization to treat acceptance as a monitored condition rather than a one-time permission.

8. How do these terms change a risk matrix?

ALARP, SFAIRP, and risk appetite should sit above the risk matrix rather than inside one cell. The matrix can visualize severity and likelihood, but these concepts decide what the organization does with high-consequence uncertainty after the color is assigned.

A red cell may require immediate action, but the important question is whether the action reduces exposure or only improves paperwork. A yellow cell with fatality potential may still require executive review if the consequence is irreversible and the controls have not been verified.

This is where risk appetite versus risk tolerance becomes operational. Appetite says what the company will not casually retain. Tolerance defines the specific boundary. ALARP or SFAIRP then challenges whether enough was done for that hazard.

A useful matrix should include a severity override, an ALARP or SFAIRP evidence field for severe scenarios, and a rule that unresolved critical controls trigger escalation regardless of color. Without those 3 features, the matrix can become a comfort device.

9. Which framework fits which executive decision?

ALARP fits decisions about further risk reduction, SFAIRP fits regulator-facing duty evidence, and risk appetite fits board-approved boundaries for retention and escalation. The executive task is not to pick a favorite term, but to connect the right term to the right governance question.

In a capital project, risk appetite may state that fatality-potential exposure cannot be accepted to protect schedule. ALARP then tests whether additional guarding, isolation, access design, or automation is reasonably practicable. SFAIRP may become the exact legal framing in a UK-influenced duty record.

In a multi-site operation, appetite sets the enterprise rule, while each site must still demonstrate control over its specific exposures. That difference protects leaders from a common governance error: assuming that a policy position has reduced field risk.

The table below can guide the first pass.

| Executive situation | Primary language | Decision output |
|---|---|---|
| Retaining a high-severity residual risk | ALARP or SFAIRP | Evidence-backed practicability decision |
| Setting board boundaries for SIF exposure | Risk appetite | Escalation and investment thresholds |
| Preparing a regulator-facing safety case | SFAIRP | Duty-based decision record |
| Prioritizing enterprise risk resources | Risk appetite plus ISO 31000 | Governance rules across sites and projects |
| Testing whether a control decision is enough | ALARP | Accepted or rejected further controls with rationale |

Each quarter that a board accepts safety risk with appetite language alone, unresolved severe exposure can move from operational detail to enterprise liability without any visible change in the dashboard.

Risk language should make acceptance harder, not easier

ALARP, SFAIRP, and risk appetite are useful only when they force leaders to make risk acceptance more explicit, better evidenced, and easier to challenge. The wrong use of these terms makes dangerous decisions sound sophisticated, while the right use makes weak control logic harder to hide.

The next practical move is to audit the 10 highest-severity retained risks in the current register. For each one, ask whether it has an appetite boundary, an ALARP or SFAIRP argument when needed, a named control owner, and field evidence that the critical control works. If your organization needs help connecting safety culture, executive governance, and control verification, start through Andreza Araujo.


Frequently asked questions

What is the difference between ALARP and SFAIRP?

ALARP means as low as reasonably practicable, while SFAIRP means so far as is reasonably practicable. In many UK safety contexts, HSE treats them as requiring the same type of proportionality test, although exact legal wording matters. The practical question is whether further risk reduction would be grossly disproportionate to the safety benefit.

Is risk appetite the same as ALARP?

Risk appetite is not the same as ALARP. Risk appetite expresses the amount and type of risk leadership is prepared to retain or pursue. ALARP tests whether a specific safety risk has been reduced far enough, given available controls, cost, time, and technical feasibility. A company can have low safety risk appetite and still need an ALARP demonstration for a specific hazard.

When should an EHS manager use risk appetite?

An EHS manager should use risk appetite when translating executive intent into escalation thresholds, investment rules, and decision boundaries. It helps decide when a risk moves from site management to director or board review. Andreza Araujo's safety culture work is relevant here because appetite statements fail when leaders declare caution but reward operational shortcuts.

How does risk tolerance differ from risk appetite?

Risk appetite is the broad position on how much risk the organization is prepared to retain, while risk tolerance sets more specific limits for a process, site, project, or decision. A company may declare very low appetite for fatality exposure, then set tolerances such as zero overdue critical controls or 30-day escalation for unresolved high-severity actions.

Should a risk matrix include ALARP?

A risk matrix can support ALARP thinking, but it should not replace the ALARP argument. The matrix can help rank and visualize risk, while ALARP requires evidence that further reduction was considered and that rejected options were not reasonably practicable. This is why high-severity matrix cells need control verification, ownership, and documented decision logic.

About the author

Andreza Araújo

Safety Culture Expert | Senior EHS Executive

Andreza Araújo is a safety culture expert and senior EHS executive with more than 25 years of experience in environment, health and safety. She is a Civil Engineer and Occupational Safety Engineer from Unicamp, holds a Master's degree in Environmental Diplomacy from the University of Geneva, and completed sustainability studies at IMD Switzerland. Andreza has served in Global Head of EHS roles in Fortune 500 environments, leading cultural transformation programs across multinational operations. She has represented Brazil as a speaker at the United Nations in Paris and has spoken at the International Labour Organization in Turin. She is the author of more than 16 books on safety culture in Portuguese, Spanish, English and German. Her work has earned more than 10 EHS awards, including two recognitions from Indra Nooyi, former PepsiCo CEO.

  • Civil & Safety Engineer (Unicamp)
  • M.A. Environmental Diplomacy (University of Geneva)
  • Sustainability Cert (IMD Switzerland)
  • People Management & Coaching (Ohio University)
  • UN Paris speaker representative for Brazil
  • ILO Turin speaker
  • LinkedIn Top Voice
  • Indra Nooyi PepsiCo CEO recognition (2x)
