Post-Incident Action Plan: 7 Controls After RCA

A post-incident action plan fails when it turns a serious event with post-traumatic stress exposure into a list of reminders, toolbox talks, and retraining records. This article shows seven controls EHS managers should use so RCA findings change the work system, not only the file.

The central thesis is direct: an action plan is credible only when it changes the condition that made the incident possible and proves that the new control works under normal production pressure.

Why most action plans close the report but leave the exposure

A post-incident action plan is the bridge between investigation and prevention, although many organizations treat it as the administrative ending of the investigation. The report is signed, the corrective actions receive due dates, and the same exposure quietly returns when the next shutdown, night shift, contractor job, or production peak creates pressure.

James Reason's work on latent conditions helps explain the failure. If the investigation finds only the active error and the action plan trains the person again, the organization may close the visible finding while leaving the planning, design, supervision, maintenance, or leadership condition unchanged.

Across 25+ years leading EHS at multinationals, Andreza Araujo identifies a repeated pattern after serious events. Leaders want closure quickly because uncertainty is uncomfortable, but the safest organizations slow down enough to separate closure of paperwork from closure of risk.

This article builds on ICAM controls before naming causes. The next discipline is action planning, where the investigation either becomes prevention or becomes evidence that the company learned very little.

1. Translate each finding into the failed control

Every action plan should start by naming the failed control, absent control, degraded control, or conflicting control behind each finding. A finding such as worker bypassed guard is not yet actionable because it still points mainly to the person.

The stronger translation asks which control should have made bypass impossible, unnecessary, visible, or unacceptable. The answer may sit in machine guarding design, interlock integrity, maintenance access, production targets, supervisor verification, spare parts, or Management of Change.

As Andreza Araujo argues in Safety Culture: From Theory to Practice, culture appears in repeated decisions under pressure. If a machine can only be cleaned by defeating the guard, the culture problem is not only the operator's choice. It is the decision chain that accepted an unsafe method as normal work.

Use a simple rule during action planning. No finding enters the action log until the team can name the control that should change. That rule keeps the plan from becoming a collection of awareness actions that sound useful but leave the exposure intact.

2. Separate immediate containment from permanent correction

Immediate containment protects people while the organization designs the permanent correction. It should never be confused with the correction itself because temporary barriers often decay once attention moves elsewhere.

Containment may include stopping a task, isolating equipment, adding a supervisor, removing a tool from service, changing access, or requiring a second approval for a high-risk job. Permanent correction may require engineering redesign, revised sequencing, procurement changes, competence criteria, inspection frequency, or budget approval.

OSHA recordkeeping and enforcement practice make one lesson clear: the fact that an employer reacted after an incident does not prove the hazard was controlled. EHS should therefore show both timelines in the plan, with 24 to 72 hours for containment decisions and a separate governed path for permanent controls.

This distinction also protects credibility with workers. If leaders announce that the problem is solved after a temporary instruction, the field learns that management prefers reassurance over control integrity.

3. Rank actions by SIF potential, not by convenience

Action plans should prioritize by potential severity and control weakness, not by which task is easiest to close. A low-cost training item may close in one week, while an engineering action linked to SIF prevention waits for months because it is harder.

That sequence is backwards. SIF, meaning Serious Injuries and Fatalities, requires a different urgency lens because a low-frequency exposure can still carry fatal potential. The organization should ask which action prevents the next high-consequence event, even when the action is politically or financially uncomfortable.

In more than 250 cultural transformation projects supported by Andreza Araujo's team, a common weakness is the action register that looks busy but avoids the decision that matters. Many minor actions move to green while the critical barrier remains weak, unfunded, or dependent on memory.

Connect the prioritization with SIF precursor metrics. If the incident exposed a precursor pattern, the action plan should treat it as material risk, not as another corrective action competing for attention in a crowded spreadsheet.

4. Assign owners with authority, budget, and field access

An action owner should be the person with enough authority to change the condition, not the person most available to update the spreadsheet. Ownership without authority creates delay, negotiation, and cosmetic closure.

For each action, define the decision owner, execution owner, verification owner, and escalation owner. In small operations one person may hold more than one role, although the plan should still name the difference because design, execution, and verification require different questions.

What most action logs miss is field access. The owner must be able to inspect the work as performed, speak with the crew, compare the procedure with the actual task, and test whether the correction survives the condition that produced the event.

During the PepsiCo South America tenure, where the accident ratio fell 50% in six months, Andreza Araujo learned that leadership rhythm matters. Corrective actions accelerate when leaders review barriers, decisions, and escalation weekly rather than waiting for a monthly status slide.

5. Replace retraining defaults with hierarchy-of-controls decisions

Retraining is valid only when lack of knowledge or skill is the verified cause of the exposure. When the work design makes the safe action difficult, retraining often becomes a polite way to blame the worker.

The hierarchy of controls gives the action plan a stronger decision order. Eliminate the exposure where possible, substitute the hazard, add engineering controls, improve administrative controls, and use PPE as the last layer rather than the first answer.

This is the same logic behind Prevention through Design before PPE becomes the plan. If the post-incident action plan starts with another training session while the task still depends on awkward access, weak guarding, rushed permits, or poor lighting, the organization has not solved the exposure.

Use retraining as a support action, not as the main correction, unless the evidence proves competence was the real gap. The plan should document why the selected control level is sufficient for the severity potential.

6. Verify effectiveness in the field, not in the meeting

Effectiveness verification proves that the corrective action works where the work happens. Closing an action because a procedure was updated, a course was completed, or a purchase order was issued does not prove risk reduction.

A field verification should test the corrected control during normal pressure. Observe the task, review the permit or JSA, ask workers what changed, inspect the physical barrier, check whether supervisors challenge the right point, and compare the new routine with the original failure mode.

Andreza Araujo's Portuguese title A Ilusao da Conformidade, translated as The Illusion of Compliance, is useful here because action plans often create perfect evidence of completion while the field still performs the same workaround. The record may close before the risk closes.

Use the approach in control effectiveness metrics. An action is complete when the control is present, understood, used, maintained, and challenged under realistic operating conditions.

7. Add a learning review after the first operating cycle

A learning review checks whether the action plan still works after the operation has returned to routine. The first review should occur after the corrected task has been performed enough times to reveal pressure, drift, and unintended consequences.

The review should ask five questions. Did the action remove or reduce the exposure? Did it create another risk? Did workers use the new control without workaround? Did supervisors verify the right point? Did any related near miss, observation, maintenance issue, or stop-work event appear after implementation?

This is where many plans fail. They treat due-date completion as the end, although the real test starts when production pressure returns and people decide whether the new control is practical enough to keep.

For serious events, schedule a second review at 30, 60, or 90 days depending on exposure frequency. A critical control connected to fatal risk deserves more than one administrative closure event.

Weak action plan versus risk-changing action plan

The difference between a weak action plan and a risk-changing action plan is whether the plan changes the work system that produced the incident. The table below gives EHS managers a practical audit lens before closing RCA findings.

Each incident action plan that closes without field verification teaches the organization that paperwork can substitute for prevention, while the same exposure waits for the next shift, contractor, or abnormal condition.

Conclusion

A post-incident action plan is not a list of tasks after RCA. It is a governed safety decision process that translates findings into control changes, prioritizes SIF potential, assigns real authority, tests effectiveness in the field, and returns after implementation to see whether the correction survived routine work.

If your organization keeps closing investigations with retraining, reminders, and repeated findings, request an incident investigation and safety culture diagnostic with Andreza Araujo. Safety is about coming home, and action plans should prove that the work system became safer after the incident.