Pre-Mortem Safety Review: 7 Questions Before High-Risk Work Starts

A pre-mortem safety review starts with an uncomfortable assumption: the job has already failed. Someone was hurt, a critical control did not work, production stopped, and the investigation is now asking why the warning signs were visible but ignored.

That thought experiment is useful because most serious events are not born in the final seconds before harm. They are built earlier, when the work plan accepts weak assumptions, when supervisors inherit pressure without authority, and when leaders approve residual risk without seeing how the field will execute the control.

This article is written for EHS managers, operational leaders, and supervisors who authorize high-risk work. The thesis is simple enough to test in the next planning meeting. A pre-mortem is not another form before work starts. It is a decision review that asks whether the organization is about to rely on controls that look stronger on paper than they are in the field.

Why high-risk work needs a pre-mortem

High-risk work often enters the day with a complete set of documents. The permit exists, the JSA exists, the contractor has been inducted, the isolation plan has signatures, and the supervisor believes the team is ready. Those records matter, although they can also create a false sense of readiness when nobody tests the assumptions behind them.

James Reason's Swiss Cheese Model remains useful here because serious harm usually travels through several weakened layers, not through one bad choice at the end of the job. A pre-mortem asks where those layers are already thin before energy is released, equipment is opened, people enter the space, or the contractor starts the task.

Across 25+ years of executive EHS work, Andreza Araujo has repeatedly identified a gap between declared safety systems and routine execution. The pre-mortem targets that gap. It gives leaders a disciplined way to ask what the work system will do under schedule pressure, missing information, fatigue, contractor turnover, or abnormal conditions.

The method is especially valuable when the team has become familiar with the risk. Familiarity lowers suspicion. If the operation has performed similar jobs for years without a serious injury, the planning conversation can become a ritual of confirmation rather than a search for weak controls.

1. What would make this job fail despite the paperwork?

The first question prevents the review from becoming a document check. A complete file does not prove that the work is ready, because paperwork can describe the intended control while the field still lacks the conditions needed to execute it.

Ask the group to name the most plausible failure pathway. For an energized electrical task, the answer may involve unclear boundaries, poor arc-flash labeling, or pressure to troubleshoot live. For lifting, it may involve ground conditions, poor exclusion, radio confusion, or a load path that changes after the lift starts.

This question connects directly with pre-task risk assessment, but it sits one level earlier. The pre-task check asks whether the crew understands the job in front of them. The pre-mortem asks whether the organization has set the crew up to succeed before the crew reaches the workface.

The trap is treating the absence of objections as agreement. In many teams, silence means that people are waiting for the senior person to move on. The facilitator should ask each function for one failure scenario, including the supervisor, the craft lead, the contractor, maintenance, operations, and EHS.

2. Which critical control must not fail?

Every high-risk job has many controls, but only a few carry the weight of preventing serious harm. A pre-mortem should identify the control whose failure would turn a manageable deviation into a severe event.

That control may be isolation verification, atmospheric testing, physical guarding, fall protection anchorage, exclusion-zone discipline, rescue readiness, bypass authorization, or mechanical integrity. The exact answer depends on the hazard, although the leadership question is always the same: which control deserves direct verification before work starts?

Linking the review to bow-tie analysis helps because the bow-tie forces the team to separate threats, preventive controls, recovery controls, and consequences. A pre-mortem uses that logic in a faster operational format, where the goal is not a perfect diagram but a sharper decision.

In more than 250 cultural transformation projects supported by Andreza Araujo's team, one repeated weakness is the tendency to treat all controls as equal. They are not equal. A poster, a toolbox talk, and an engineered barrier do not carry the same protective value when production pressure rises.

3. What assumption are we making about field conditions?

Plans usually assume stable conditions. The work area will be available, the drawings will match the equipment, the weather will cooperate, the contractor will bring the planned crew, and operations will keep the process in the agreed state. High-risk work becomes dangerous when those assumptions change and the plan does not change with them.

The pre-mortem should list the assumptions that would invalidate the plan. If one assumption is false, the team needs a pause point, not a heroic adjustment by the supervisor. This is where management of change before startup becomes relevant, because abnormal field conditions can create a change even when no project manager calls it one.

A practical test is to ask what new information would stop the job. If the answer is unclear, authority is unclear. If the job would continue despite missing drawings, blocked access, changed weather, wrong tools, or a replacement contractor crew, the pre-mortem has exposed a decision gap.

Andreza Araujo's work on safety culture emphasizes the distance between what the organization says and what the organization tolerates. Assumption testing makes that distance visible because it shows whether the plan contains real stop points or only polite language about caution.

4. Who has the authority to stop or redesign the work?

A pre-mortem fails when it identifies a serious weakness but leaves the supervisor without authority to act. High-risk work needs a clear answer to who can stop, redesign, escalate, or delay the job when the field contradicts the plan.

Authority should not depend on personality. A confident supervisor may stop the job, while a new contractor lead may keep going to avoid conflict. The system must remove that ambiguity before execution, especially where time pressure, contractor hierarchy, or production commitments can punish caution.

The review should name the decision owner for three situations: a control is missing, a condition changes, or the crew disagrees about whether the job remains safe. If each situation points to a different person, the team should write that down before work starts.

This is also where leadership discipline becomes visible. Safety is about coming home, but that sentence has operational meaning only when leaders protect the person who stops work before harm occurs.

5. What residual risk are we accepting?

Residual risk acceptance is often hidden inside job approval. The permit is signed, the risk assessment is filed, and the operation proceeds as if the remaining exposure has been consciously accepted. Many times it has only been administratively inherited.

A pre-mortem should force a direct statement of what risk remains after the planned controls are in place. The point is not to dramatize the work. The point is to prevent leaders from approving a job without understanding the exposure that still depends on human attention, supervision, timing, or emergency response.

The question pairs naturally with residual risk acceptance before sign-off. If the residual risk is still severe, the leader who owns resources and timing should be present, because EHS cannot quietly absorb a risk decision that belongs to operations.

A common trap is saying that risk is acceptable because the team has done the job before. Prior success is information, not proof. The review should ask what is different today, which controls were verified today, and whether the organization would defend the decision if the job failed.

6. How will we verify controls before and during the job?

Verification is where the pre-mortem becomes operational. The group should decide which controls need pre-start verification, which controls need live verification during the job, and which evidence will prove that the control held under real conditions.

For isolation, that may mean independent verification at the equipment. For confined space, it may mean atmospheric testing, rescue equipment readiness, communication checks, and attendant competence. For lifting, it may mean exclusion-zone walkdown, rigging inspection, ground condition confirmation, and an agreed communication protocol.

This section should link to control effectiveness metrics because the logic is the same. A control is not effective because it appears in a procedure. It is effective when it can be observed, tested, and trusted under the pressure of actual work.

Do not assign every verification to EHS. If only EHS verifies controls, operations can treat safety as an external inspection service, which weakens ownership precisely when the work owner, supervisor, contractor lead, and technical specialist should each verify the controls that fit their authority.

7. What early warning would tell us the job is drifting?

The final question asks what signal will tell the team to pause before the risk pathway becomes irreversible. Drift rarely announces itself as danger. It often appears as a small deviation that feels manageable at the time.

Useful early warnings include a missing crew member, an unexpected alarm, a changed weather condition, a late material delivery, radio confusion, simultaneous operations, a permit handover gap, a contractor substitution, a tool that does not fit the task, or a supervisor pulled away to solve another problem.

Connecting those signals to SIF precursor metrics makes the pre-mortem stronger. The team is not only asking whether the job can start. It is defining the weak signals that should interrupt the job before the event chain gains speed.

The facilitator should close this section by asking what the crew will do when the first warning appears. If the answer is "use judgment," the plan is still too vague. Name the pause point, the escalation path, and the person who decides whether work resumes.

Pre-mortem versus common safety reviews

How EHS can run the review without creating another bureaucracy

Keep the pre-mortem short, selective, and decision-oriented. Use it for work where severe harm is credible, not for every small task. The fastest way to kill the method is to turn it into a universal checklist that people complete without thinking.

A practical format has four moves. First, name the worst credible outcome. Second, ask each function what could make that outcome happen. Third, choose the controls and assumptions that must be verified. Fourth, decide who can stop, redesign, or escalate the work if conditions change.

Document only what matters for execution. A strong record should show the failure pathway discussed, the critical controls selected, the verification owners, the residual risk decision, and the pause points. It does not need ten pages of generic hazards copied from a previous job.

For companies that want to turn safety planning into real risk reduction, Andreza Araujo and ACS Global Ventures support safety culture diagnostics, leadership alignment, and high-risk work system redesign. The pre-mortem is one useful tool inside that broader discipline because it forces leaders to test whether the work can be done safely before the organization asks people to prove it in the field.