How to Set Safety Risk Acceptance Authority
Build a 30-day safety risk acceptance authority process so residual risk decisions move to leaders with control power and evidence before work starts.
Key takeaways
- Define the decisions that require risk acceptance before supervisors start approving residual exposure under schedule pressure or unclear production authority.
- Separate matrix ranking from accountability because the person who identifies risk may not have authority to fund, pause, redesign, or restart work.
- Escalate any credible fatal-risk scenario at least one authority level higher, even when likelihood language makes the matrix score look moderate.
- Require evidence, expiration dates, technical challenge, and field verification before any leader accepts temporary or residual safety risk.
- Request Andreza Araujo's risk governance diagnostic when your organization needs risk acceptance rules that change decisions, not only paperwork.
The ILO estimates that nearly 3 million people die each year from work-related accidents and diseases, yet many companies still let residual safety risk be accepted by whoever owns the deadline. This guide shows EHS managers how to set safety risk acceptance authority in 30 days, so decisions about serious exposure move to the right level before work starts.
Why risk acceptance authority fails in safety
Risk acceptance authority defines who is allowed to approve residual risk after controls have been selected, verified, and challenged. ISO 31000, published in 2018, treats risk evaluation as a comparison between analysis results and risk criteria, but the standard does not name the plant manager, project director, EHS manager, or board committee who must own the final decision.
That gap matters because occupational safety risk is not only a technical calculation. As Andreza Araujo argues in Safety Culture: From Theory to Practice, culture appears in repeated choices, which means the real authority line is visible when production, maintenance, engineering, and EHS disagree about whether work can continue.
The practical thesis is simple enough to test: a risk matrix without an authority table becomes a negotiation tool. The organization may have a documented risk register, but if a supervisor can accept a high-consequence exposure because the shift is late, the register is recording risk rather than governing it.
Step 1: name the decisions that require acceptance
Safety risk acceptance authority starts with a defined list of decisions that cannot be approved informally. Examples include starting work with an interim control, accepting a residual high risk after an engineering review, extending a permit condition, restarting after a failed safeguard test, or continuing a task where the safe method conflicts with production flow.
Across 25+ years leading EHS at multinationals, Andreza Araujo has seen that vague escalation rules create two opposite failures. Low-risk decisions rise to executives and slow the system, while high-consequence field decisions remain with the person under the most schedule pressure.
Build the first list from the last 12 months of high-risk permits, incident investigations, near misses, management of change records, audit findings, and stop-work events. Mark any decision where the phrase "approved by operations" appears without a named role, date, evidence file, and verification method.
Step 2: separate risk ranking from authority level
A risk matrix ranks exposure, while an authority table assigns who may accept the remaining exposure after treatment. The two tools must connect, but they are not the same decision because a red cell, yellow cell, or high-severity scenario does not automatically prove who understands the tradeoff.
What many procedures miss is the difference between calculating risk and carrying accountability. A technician may be best placed to identify the hazard, a supervisor may understand task sequence, an engineer may understand safeguard reliability, and a senior leader may be the only person with authority to pause production or fund a design change.
Use four levels at first: frontline supervisor, area manager, site leadership, and executive or board-level delegate. Keep the model small enough to apply in 30 days, then map each risk band and consequence class to the lowest role that has enough authority to remove the exposure, approve resources, or stop the activity.
Step 3: create a consequence override for fatal risk
A consequence override prevents low-likelihood language from hiding fatal exposure. If the credible worst consequence includes one or more fatalities, permanent disabling injury, or uncontrolled major energy release, the acceptance level should rise even when the matrix score looks moderate.
This is where the common risk matrix fails field reality. A rare event with catastrophic consequence may sit below the escalation threshold, especially when the team discounts likelihood because "we have always done it this way" or because the last 24 months had no recordable event in that task.
Write the override as a rule, not as advice. Any credible SIF exposure moves at least one authority level higher, and any task with missing or failed critical controls cannot be accepted by the same leader who owns the production deadline.
Step 4: define evidence before approval
Risk acceptance should require evidence that controls exist, work, and have an owner. HSE guidance on workplace risk control emphasizes doing what is reasonably practicable, and that principle becomes operational only when the approver sees the rejected options, the remaining exposure, and the reason stronger controls were not selected.
During her PepsiCo South America tenure, where the accident ratio fell 50% in six months, Andreza Araujo learned that leadership routines improve safety when they force evidence before permission. A signature without control proof can create confidence while leaving the hazard unchanged.
Require five evidence fields for each acceptance: hazard scenario, rejected higher-order controls, installed controls, field verification result, and expiration date. Link the decision to critical control verification when the exposure can cause a serious injury or fatality.
Step 5: assign authority by control power, not hierarchy alone
The right approver is the lowest role with enough power to change the condition that creates the risk. A site director may approve capital, but the maintenance manager may control equipment isolation, the engineering manager may control design change, and the procurement leader may control contractor competence.
In more than 250 cultural-transformation projects supported by Andreza Araujo's team, a repeated pattern is that companies confuse seniority with control ownership. The senior leader signs the exception, while the person who can actually change tooling, staffing, access, or sequence is absent from the decision.
For each decision category, name the required approver and the required technical challenger. The approver carries accountability for accepting residual risk; the challenger confirms that the risk analysis, hierarchy of controls, and verification evidence are credible.
Step 6: set expiration dates and revalidation triggers
Accepted risk must expire because work conditions change faster than governance documents. A temporary risk acceptance for a missing guard, reduced separation, interim barricade, or substitute procedure should have an end date, a revalidation trigger, and a named owner for permanent correction.
The trap is treating acceptance as closure. In The Illusion of Compliance, her Portuguese work on compliance culture, Andreza Araujo challenges the belief that documented permission equals operational safety, and risk acceptance authority is one place where that illusion becomes dangerous.
Set maximum durations by risk band. Low residual risk may be reviewed in 90 days, moderate risk in 30 days, high risk before the next shift or next job cycle, and SIF-related interim acceptance before every restart until the permanent control is installed.
Step 7: build the 30-day implementation cadence
A 30-day rollout should begin with one site, one high-risk work family, and one approval table rather than a corporate policy rewrite. The fastest useful scope is often maintenance intervention, contractor work, energized work, work at height, confined space, or restart after abnormal operation.
Andreza Araujo's safety culture work consistently points to one operating lesson: leaders change culture when they change repeated decisions. A 30-day cadence works because it forces the company to test authority lines in real work, where delays, missing controls, and unclear ownership become visible.
Use week one to map decision types, week two to draft authority levels, week three to test five live or recent cases, and week four to approve the table, train approvers, and attach it to permit-to-work, management of change, and pre-mortem safety review routines.
Step 8: audit whether the authority table changed behavior
The authority table only matters if it changes who pauses work, who funds controls, and who challenges weak evidence. Measure its first month through escalation quality, rejected acceptances, overdue temporary approvals, repeated risk scenarios, and the percentage of accepted risks closed with permanent controls.
Counting approvals can mislead the leadership team. A mature system may show fewer acceptances because higher-order controls remove the need for exceptions, while an immature system may show many approvals because every operational workaround receives a signature.
Audit at least 10 decisions after the first month. For each one, ask whether the approver had authority to change the condition, whether the technical challenger had enough independence, whether rejected controls were documented, and whether the expiration date led to action or drift.
Risk matrix vs risk acceptance authority
A risk matrix and an acceptance authority table answer different questions, and the operation needs both if residual risk is going to be governed rather than negotiated.
| Tool | Main question | Best output | Common misuse |
|---|---|---|---|
| Risk matrix | How severe and likely is the exposure? | Initial and residual risk ranking | Letting color bands replace judgment |
| Authority table | Who may accept the residual exposure? | Named approval level, challenger, evidence, expiration | Letting the deadline owner approve the exception |
| Control plan | What will reduce or remove the exposure? | Elimination, engineering, administrative, or PPE controls | Jumping to PPE before design options are tested |
The best systems connect the three. The matrix identifies priority, the control plan reduces exposure through the hierarchy of controls, and the authority table prevents residual risk from being accepted below the level where real change can happen.
What to do when leaders resist escalation
Leader resistance usually appears when the authority table makes hidden tradeoffs visible. A plant that has relied on informal exceptions may discover that many accepted risks were actually unfunded design problems, staffing gaps, or planning failures.
Do not sell the table as bureaucracy. Position it as a decision-rights tool that protects supervisors from carrying risks they cannot control, protects executives from false confidence, and protects workers from the quiet transfer of organizational risk onto individual behavior.
Each month without clear risk acceptance authority allows temporary exceptions to become normal work, while the organization loses evidence about which leaders repeatedly accept residual exposure instead of removing it.
When resistance persists, compare the proposed rule with residual risk acceptance cases already in the system. The gap between what leaders say they would never approve and what records show they already accepted is usually enough to restart the conversation.
Conclusion
Safety risk acceptance authority works when the company names the decision, separates ranking from accountability, escalates fatal-risk scenarios, requires evidence, sets expiration dates, and audits whether behavior changed after approval.
If your operation needs to turn risk matrices into disciplined decisions, Andreza Araujo's safety culture diagnostics and ACS Global Ventures consulting can help define the authority table, test it in live work, and connect it to the controls that keep people coming home.
Frequently asked questions
What is safety risk acceptance authority?
How is risk acceptance different from a risk matrix?
Who should approve high residual safety risk?
How often should accepted safety risks be reviewed?
Where should an EHS manager start?
About the author
Andreza Araujo
Global Safety Culture Specialist
Andreza Araujo is an international reference in EHS, safety culture and safe behavior, with 25+ years leading cultural transformation programs in multinational companies and impacting employees in more than 30 countries. Recognized as a LinkedIn Top Voice, she contributes to the public conversation on leadership, safety culture and prevention for a global professional audience. Civil engineer and occupational safety engineer from Unicamp, with a master's degree in Environmental Diplomacy from the University of Geneva. Author of 16 books on safety culture, leadership and SIF prevention, and host of the Headline Podcast.
- Civil Engineer (Unicamp)
- Occupational Safety Engineer (Unicamp)
- Master in Environmental Diplomacy (University of Geneva)