Critical Control Register vs Risk Register vs Bow-Tie

Compare critical control registers, risk registers, and bow-tie models so EHS managers choose the right tool for fatal-risk governance.

Key takeaways

  1. Diagnose the decision first, because portfolio visibility, scenario logic, and control assurance require different tools and different review rhythms.
  2. Use a risk register for broad exposure mapping, but avoid treating a risk score as evidence that fatal-risk controls still work.
  3. Build a critical control register for the few controls whose failure can allow fatality, permanent disability, major fire, or toxic exposure.
  4. Apply bow-tie analysis when one serious scenario needs threat logic, barrier mapping, escalation factors, and recovery controls before leaders decide.
  5. Lead the integration through Andreza Araújo's safety culture method, which turns documents into operating routines that leaders can test.

ISO 31000 asks leaders to make risk decisions with criteria, controls, owners, and review cycles, yet many EHS dashboards still treat every open risk as if it deserves the same managerial attention. This comparison shows when to use a risk register, a critical control register, or a bow-tie model so fatal exposure does not disappear inside a long spreadsheet.

Why the tool choice matters

A risk tool is never neutral, because it decides what the organization sees, who owns the next action, and how quickly weak controls reach leadership. When an EHS manager uses the wrong tool, the team may still hold meetings, update cells, and close actions, while the actual fatal scenario remains poorly governed.

The common mistake is to ask one artifact to do three different jobs. A broad risk register is useful for portfolio visibility, a critical control register is useful for assurance, and a bow-tie model is useful for scenario logic. When they are collapsed into one document, leaders get volume instead of judgment.

Organizations often confuse documentation with control. The stronger question is not whether the risk was recorded, but whether the barrier that keeps a serious event from happening was defined, owned, tested, and restored when weak.

1. Evaluation criteria for choosing the right risk tool

The first criterion is decision level. A plant manager needs a different view from a process engineer, because the manager decides priorities and resources, while the engineer tests whether a control can actually stop a release, fall, crush point, or ignition source.

The second criterion is scenario specificity. A general hazard such as working at height belongs in a register only at first; a credible fatal fall scenario needs control logic, degradation triggers, and verification evidence. That is where a critical-control plan becomes more useful than another risk score.

The third criterion is update cadence. A bow-tie may stay stable for months if the process does not change, while a critical control register can change every week as inspections, bypasses, overdue actions, and failed tests appear. A risk register sits between them, since it should reflect shifts in exposure without becoming a daily maintenance log.

The last criterion is accountability. If the tool cannot tell you who owns the control, what proof counts, and when failure escalates, it will not protect decision quality in a board meeting or after an incident.

2. Risk register works best for portfolio visibility

A risk register is the broadest of the three tools. It captures hazards, causes, consequences, current controls, ratings, owners, and action status, which makes it useful when an EHS manager needs to compare many exposures across departments, contractors, or sites.

The weakness appears when the register becomes a graveyard of medium ratings. As Andreza Araújo argues in Safety Culture: From Theory to Practice, safety culture becomes visible in the habits leaders repeat, and a monthly review that scrolls through 80 rows without challenging control quality teaches the organization that classification matters more than risk reduction.

A risk register should therefore answer portfolio questions. Which 10 exposures are materially above appetite? Which owners have overdue actions? Which risks changed because production volume, workforce mix, maintenance backlog, or contractor activity changed? If the discussion moves into how a specific isolation, guard, interlock, permit, or inspection works, the register has reached its limit.

The register is still essential. It gives leaders a single map, especially when linked to risk register cleanup rules that remove duplicate entries, stale ratings, and vague owners.

3. Critical control register works best for fatal-risk assurance

A critical control register is narrower and more demanding. It lists the controls whose failure can allow a fatality, permanent disability, major fire, toxic exposure, or high-consequence release, then defines performance requirements, verification frequency, accountable owners, and escalation rules.

This tool exists because the most serious risks rarely need more description; they need proof that the decisive controls still work. James Reason's work on latent failures helps explain why this matters, since serious events often emerge when several weak conditions align, not when one operator suddenly makes a surprising mistake.

For an EHS manager, the critical control register should be short enough to govern. A plant with 300 listed controls has usually renamed its inspection checklist, while a site with 20 to 40 genuinely critical controls can review failed verifications, overdue restorations, bypasses, and temporary controls with discipline.

The trap is cosmetic assurance. A green dashboard means little when the verification question is weak, because asking whether a guard exists is not the same as testing whether the guard prevents access during hazardous motion.

4. Bow-tie works best for scenario logic

A bow-tie model maps one top event, the threats that can cause it, the preventive controls that should stop it, the consequences that can follow, and the mitigating controls that limit damage. It is strongest when the organization needs to understand how a serious scenario unfolds.

Its value is visual reasoning. A bow-tie makes it harder for teams to hide behind a single generic label such as chemical safety, machine safety, or contractor risk, because the model forces a conversation about threats, barriers, escalation factors, and recovery measures.

Bow-tie also exposes false comfort in risk scoring. A risk may be rated medium in a risk matrix, yet still contain one weak preventive barrier and one overstated emergency response measure. The diagram makes that imbalance visible in a way a score rarely does.

The limitation is maintenance. If nobody owns the bow-tie after the workshop, it becomes a good-looking poster. The model should feed either the critical control register, the risk register, or both, otherwise the insight does not become governance.

5. Decision matrix for EHS managers

The practical choice depends on the question being asked. An executive asking where to invest needs a portfolio tool, while a supervisor preparing high-risk work needs a control tool, and an investigation team reconstructing a serious near miss needs scenario logic.

The table below summarizes the decision. It should not be read as a ranking, because each tool wins in a different decision context.

| Decision need | Risk register | Critical control register | Bow-tie |
|---|---|---|---|
| Best use | Portfolio view across many hazards and sites | Assurance of controls tied to fatal and severe risks | Scenario logic for one high-consequence event |
| Main owner | EHS manager with business risk owners | Risk owner, maintenance, operations, and EHS | Process owner, technical specialist, and EHS |
| Review rhythm | Monthly or quarterly | Weekly to monthly, depending on control criticality | After change, incident, audit, or scheduled review |
| Failure signal | Stale ratings, overdue actions, vague ownership | Failed verification, bypass, overdue restoration | Missing barrier, weak escalation factor, unclear recovery |
| Wrong use | Trying to prove control effectiveness from a score | Listing every routine control as critical | Drawing diagrams that never enter operating rhythm |

The matrix matters because it moves the conversation from preference to function. When a leader asks for one single tool, the EHS answer should be that the business needs one integrated system, not one overloaded artifact.

6. Recommendation for executives and senior managers

Executives should start with the risk register, but they should not end there. The register tells them where exposure sits across the business, while the critical control register tells them whether the controls preventing serious harm are still alive in the field.

A strong executive review uses 3 layers. First, the portfolio view shows the top risks and changes since the last review. Second, the critical control view shows failed verifications, bypasses, overdue restorations, and temporary controls. Third, selected bow-ties explain the few scenarios whose logic is complex enough to deserve deeper discussion.

This sequence prevents two leadership errors. One error is drowning in detail, where the meeting becomes a technical audit. The other is staying at altitude, where executives approve action plans without seeing whether the controls match the scenario.

The recurring leadership gap is not lack of safety language. It is weak conversion of language into operating routines, especially routines that test whether declared priorities survive production pressure.

7. Implementation sequence for one high-risk site

Start by cleaning the risk register before building anything new. Remove duplicates, rewrite vague hazards, assign real owners, and separate ordinary EHS actions from risks that can produce a fatal or permanently disabling outcome.

Then select 5 to 10 top serious-risk scenarios for bow-tie work. This number is small enough to allow proper discussion and large enough to expose whether the site understands its major exposure patterns. Each bow-tie should identify threats, preventive controls, mitigating controls, escalation factors, and recovery actions.

After the bow-ties are stable, extract the controls that are genuinely critical and build the critical control register. Each control needs a performance standard, field-verification question, frequency, owner, failure response, and escalation path.

The final step is to connect the three tools to the safety dashboard. A useful dashboard should show not only open actions, but also failed critical-control tests, overdue restorations, and scenarios whose controls have deteriorated since the previous review.

8. Traps that make all three tools fail

The first trap is rating inflation. Teams keep changing likelihood or consequence scores until the risk feels acceptable, although the underlying control has not changed. ISO 31000 is useful here because it reminds leaders that criteria must guide decisions, not decorate a spreadsheet.

The second trap is owner fiction. A cell that says operations, maintenance, or EHS does not create accountability. A named owner must have authority, resources, and review rhythm, otherwise the tool only records organizational ambiguity.

The third trap is treating verification as inspection volume. One sharp test of a decisive control is better than 30 low-value checks. This is why layer of protection analysis can help senior teams challenge whether a claimed protection layer is independent, effective, and available when demand occurs.

The fourth trap is isolation. A risk register that does not feed the critical control register, a bow-tie that does not update the dashboard, and a control register that does not change work planning are all signs that the management system is producing documents faster than risk reduction.

Conclusion

The risk register shows the portfolio, the bow-tie explains the scenario, and the critical control register proves whether the decisive barriers are still working.

If your organization needs to move from documented risk to governed control, Andreza Araújo's consulting work and the book Safety Culture: From Theory to Practice can help leaders redesign the review rhythm. Talk to the team at Andreza Araújo.

Frequently asked questions

What is a critical control register?

A critical control register is a focused list of controls whose failure can allow a fatality, permanent disability, major fire, toxic exposure, or another severe event. It should define the control performance standard, owner, verification method, review frequency, failure response, and escalation path. It is not a general inspection checklist. Its value comes from proving that decisive barriers still work in the field.

What is the difference between a risk register and a bow-tie?

A risk register gives a portfolio view across many hazards, owners, ratings, and action plans. A bow-tie focuses on one serious scenario, showing threats on the left, the top event in the center, and consequences on the right, with preventive and mitigating controls around them. The register helps leaders prioritize across the business, while the bow-tie helps technical teams understand how a specific event can unfold.

When should EHS use a critical control register instead of a risk register?

Use a critical control register when the question is whether the controls preventing serious harm are defined, owned, verified, and restored after weakness is found. Use a risk register when the question is broader portfolio prioritization. If a risk has fatal or severe potential, the register should point to the critical controls, but the assurance work belongs in the control register.

Can bow-tie analysis replace LOPA or FMEA?

Bow-tie analysis should not automatically replace LOPA or FMEA. Bow-tie is strong for visual scenario logic and barrier discussion. LOPA is stronger when the team must test whether protection layers are independent and effective enough for a major hazard. FMEA is stronger when the team needs to examine component, equipment, or process failure modes. The right choice depends on the decision being made.

How does safety culture affect risk tool quality?

Safety culture decides whether the tool is used for learning and control or for cosmetic compliance. In Andreza Araújo's work, especially in Safety Culture: From Theory to Practice, leadership routines are central because they show what the organization truly values. A mature culture challenges weak controls, stale ratings, and vague ownership instead of accepting a green dashboard at face value.

About the author

Andreza Araújo

Safety Culture Expert | Senior EHS Executive

Andreza Araújo is a safety culture expert and senior EHS executive with more than 25 years of experience in environment, health and safety. She is a Civil Engineer and Occupational Safety Engineer from Unicamp, holds a Master's degree in Environmental Diplomacy from the University of Geneva, and completed sustainability studies at IMD Switzerland. Andreza has served in Global Head of EHS roles in Fortune 500 environments, leading cultural transformation programs across multinational operations. She has represented Brazil as a speaker at the United Nations in Paris and has spoken at the International Labour Organization in Turin. She is the author of more than 16 books on safety culture in Portuguese, Spanish, English and German. Her work has earned more than 10 EHS awards, including two recognitions from Indra Nooyi, former PepsiCo CEO.

  • Civil & Safety Engineer (Unicamp)
  • M.A. Environmental Diplomacy (University of Geneva)
  • Sustainability Cert (IMD Switzerland)
  • People Management & Coaching (Ohio University)
  • UN Paris speaker representative for Brazil
  • ILO Turin speaker
  • LinkedIn Top Voice
  • Indra Nooyi PepsiCo CEO recognition (2x)
