Risk Management

Risk Owner in 90 Days: Critical-Control Plan

A 90-day role plan for new risk owners who must turn registers, ALARP decisions and field verification into visible critical-control discipline.


Key takeaways

  1. Define the risk owner's mandate before reviewing scores, because responsibility without authority creates cosmetic governance.
  2. Rebuild the first risk story from field evidence, since registers often hide how work is actually performed under pressure.
  3. Verify critical controls with observable proof, not with policies that merely state the barrier should exist.
  4. Escalate missing controls, repeated temporary fixes and weak ALARP reasoning before the organization normalizes exposure.
  5. Use Andreza Araujo's books, Safety School and ACS Global Ventures when risk ownership needs to become visible field discipline.

A new risk owner does not inherit a spreadsheet. They inherit decisions that can keep people alive or leave exposure politely documented. The first 90 days should prove whether the role can turn risk registers, ALARP decisions and field verification into control discipline.

This article is written for EHS managers, operational leaders and risk professionals who have just been assigned ownership of a critical risk. The thesis is direct: risk ownership fails when the owner becomes a custodian of records, because the real job is to make sure critical controls are known, funded, verified and escalated before production pressure weakens them. A practical way to do that is to review the 4 safety-margin buffers before declaring a control healthy.

Across 25+ years leading EHS in multinational operations, Andreza Araujo has seen that mature risk management depends less on the elegance of the matrix and more on the authority to interrupt weak controls. In Sorte ou Capacidade, glossed as Luck or Capability, Andreza argues that well-managed risk is calculated and mitigated with method, not absorbed through bravado.

1. What a risk owner needs to understand before starting

A risk owner is accountable for the health of a risk control system, not only for the line item in a register. That means the owner must know the hazard, the credible worst case, the critical controls, the people who execute them and the evidence that shows whether those controls still work under normal production pressure.

The common trap is treating ownership as an administrative label. A manager is named beside a risk, the action column receives dates, and the site claims governance. What most templates do not say is that the named owner may have no budget authority, no field access and no right to stop a job when a control is missing. In that case, the register has documented weakness rather than controlled it.

The first question should be practical: what can this owner actually decide? If the answer is unclear, fix the mandate before reviewing the risk score. A weak mandate produces delayed escalations, cosmetic closures and arguments after the event, when the organization asks why a known exposure was allowed to continue.

2. First week: confirm the top risk and the decision mandate

The first week should produce one short mandate note. It names the risk, the boundary of ownership, the decisions the owner can make, the decisions that require escalation and the executive who will remove blockers. Without that note, the risk owner enters the role with responsibility but not power.

Start with one priority risk instead of reviewing the whole register. Pick the risk whose credible consequence could cause a fatality, permanent disability, major environmental harm or operational shutdown. The choice may come from incident history, near-miss reports, process safety reviews, audit findings or risk register cleanup work that exposed stale ownership.

Andreza Araujo's safety culture work keeps returning to this point: the real measure of a system is what happens when no one is watching. A risk owner should therefore check whether the mandate survives night shift, contractors, maintenance windows and production recovery, because those are the moments in which informal authority often replaces declared governance.

3. First 30 days: rebuild the risk story from the field

The first 30 days should rebuild the risk story from the task, not from the meeting room. Walk the area, interview operators and supervisors, check recent permits, examine maintenance delays and ask what would have to align for the worst credible event to occur. The owner is looking for exposure pathways, not for reassurance.

A useful field review asks four questions. Which control prevents the event from starting? Which control reduces severity if the first control fails? Who verifies each control before work starts? What makes the control hard to execute during pressure? These questions are close to the logic used in What-If Analysis, because they test credible scenarios before the organization waits for an incident to explain them.

The owner should document the story in plain language. If a mechanic, operator or contractor cannot understand the risk pathway in two minutes, the description is too abstract. Risk ownership improves when the story can be repeated at the work front, where choices are made with tools, time pressure and incomplete information.

4. Month 2: define critical controls and verification evidence

Month 2 is where the owner separates important controls from critical controls. A critical control is a barrier whose failure can materially increase the chance or severity of a serious event. For high-risk work, examples may include lockout verification, machine guarding, atmospheric testing, lifting exclusion zones, confined-space rescue readiness, interlocks, pressure relief, permit authorization or emergency shutdown capability.

The hard part is evidence. A policy that says a control exists is not evidence that the control worked today. Verification evidence may include field observations, test records, isolation checks, inspection photos, calibration status, supervisor sign-off, permit quality review or maintenance proof. Where the site uses LOPA protection layers, the owner should check whether each claimed layer is independent, available and credible in the specific operating mode.

As Andreza Araujo argues in Safety Culture: From Theory to Practice, culture is built through repeated habits, not declared values. Critical-control verification is one of those habits. It tells the workforce that the organization does not admire risk management as a concept while tolerating weak barriers in the field.

5. Month 3: set ALARP rules and escalation thresholds

By month 3, the owner should define when risk is acceptable, tolerable with controls, or unacceptable until redesigned. That distinction matters because many organizations use risk matrices as if color alone were a decision. A yellow risk may still be unacceptable if the control is fragile, unverified or dependent on perfect human performance.

The owner needs escalation thresholds that trigger action before harm. Escalate when a critical control is missing, when the same temporary control has been extended twice, when verification evidence is absent, when a supervisor cannot explain the barrier, when a contractor works outside the agreed method, or when ALARP reasoning has become a phrase rather than a documented decision. The related article on ALARP decisions expands the blind spots that keep risk alive after it has been accepted on paper.

This is also where senior leadership must show up. If the risk owner escalates and the organization delays because the fix is expensive, the decision should be visible. Hidden toleration is one of the most dangerous forms of governance because it allows everyone to believe someone else accepted the exposure.

6. Month 4 onward: keep ownership alive after the launch

After the first 90 days, risk ownership becomes cadence. The owner should review control health monthly, test field evidence quarterly and refresh the credible worst-case scenario whenever work changes. Management of change, contractor turnover, equipment aging, staffing gaps and production campaigns can all weaken controls without changing the risk title.

The owner should maintain a one-page control health view with five fields: risk, critical controls, latest verification evidence, open weaknesses and escalation status. This page is not a substitute for the formal register. It is the operating view that helps supervisors, engineers and leaders see whether the risk is controlled today.

Andreza Araujo often connects safety leadership with visible felt leadership, which means leaders must be seen asking about the controls that protect life. A risk owner can support that habit by giving plant leaders field questions, not only dashboard colors.

7. Risk ownership compared

The difference between paper ownership and control ownership becomes obvious when the role is tested by pressure. The table below gives the new owner a fast diagnostic for the first quarter.

| Weak ownership | Control ownership | Field result |
|---|---|---|
| Named beside the risk but unclear on authority | Mandate defines decision rights and escalation path | Blockers move before exposure becomes normalized |
| Risk score reviewed in meetings | Risk pathway tested in the work area | Controls are judged against real work |
| Controls listed as existing | Critical controls verified with evidence | Paper barriers are separated from working barriers |
| ALARP accepted as a phrase | ALARP decision recorded with assumptions and owners | Residual risk has a named decision behind it |

If most answers sit in the weak column, the owner should not start with training. They should first repair the governance of the role, because training does not compensate for unclear authority, missing evidence or delayed escalation.

8. Common mistakes a new risk owner should avoid

The first mistake is chasing every open action. A new owner who tries to close the entire register may become busy without improving the controls that matter most. Start with the credible severe event, then move outward to lower-consequence items once the critical-control routine is working.

The second mistake is accepting inherited language. Phrases such as "procedure in place", "operator awareness" and "supervisor monitoring" hide weak controls when nobody can show how the barrier is executed. Replace vague language with observable evidence, named owners and a verification frequency.

The third mistake is confusing absence of incidents with proof of control. In Far Beyond Zero, Andreza Araujo challenges the idea that a clean number proves capability. A risk owner should ask whether the site is safe because controls are working or merely lucky because the exposure has not yet aligned with a trigger.

9. Resources to deepen the role

For risk owners working inside operational leadership, Make The Difference: Be a Leader in Health & Safety is the most practical starting point because it treats safety leadership as visible action. For culture and maturity, Safety Culture: From Theory to Practice helps connect control discipline with the daily habits that shape decisions.

Andreza Araujo's Portuguese titles also give useful grounding for this role. Sorte ou Capacidade, or Luck or Capability, is especially relevant when a site mistakes good fortune for control. A Ilusão da Conformidade, or The Illusion of Compliance, helps the owner challenge the gap between documented compliance and lived safety culture.

Teams that need a structured path can use Andreza Araujo's Safety School for leadership development and ACS Global Ventures for safety culture diagnostics, risk governance and field routines. The best next step is not a larger spreadsheet. It is a sharper habit of asking which control protects life today.

10. Make risk ownership visible

A risk owner earns credibility when the role changes decisions, not when it stores risk information more neatly. In 90 days, the owner should be able to show a mandate, a field-tested risk story, verified critical controls, escalation thresholds and a monthly control-health routine.

If your organization needs help turning risk ownership into safety culture rather than paperwork, Andreza Araujo and ACS Global Ventures support diagnostics, leadership alignment and field implementation. Start with the risk that could hurt someone most severely, then prove that ownership can make the control stronger before the unlucky day arrives.


Frequently asked questions

What should a new risk owner do first?
A new risk owner should confirm the mandate, decision rights and escalation path before reviewing the full register. The first week should clarify what the owner can decide, which risk is the priority and who removes blockers when a critical control is weak.
How is a risk owner different from an action owner?
A risk owner is accountable for the health of the risk control system. An action owner completes a specific task inside that system. The risk owner should check whether critical controls are defined, verified, funded and escalated, while action owners deliver repairs, reviews, training or engineering changes.
Which critical controls should a risk owner verify?
The owner should verify controls whose failure could materially increase severe harm. Depending on the operation, these may include lockout verification, machine guarding, atmospheric testing, lifting exclusion zones, confined-space rescue readiness, interlocks, permit authorization or emergency response capability.
How often should risk owners review control health?
Monthly review is a practical minimum for significant risks, with faster checks after changes, incidents, contractor turnover or evidence of control weakness. High-severity exposures may need daily or weekly verification until the control is stable.
Why does risk ownership fail in mature companies?
It often fails because ownership becomes a name in the register rather than authority in the field. The company may have strong documents, yet weak escalation, unclear decision rights and little proof that critical controls worked during real production conditions.

About the author

Andreza Araújo

Safety Culture Expert | Senior EHS Executive

Andreza Araújo is a safety culture expert and senior EHS executive with more than 25 years of experience in environment, health and safety. She is a Civil Engineer and Occupational Safety Engineer from Unicamp, holds a Master's degree in Environmental Diplomacy from the University of Geneva, and completed sustainability studies at IMD Switzerland. Andreza has served in Global Head of EHS roles in Fortune 500 environments, leading cultural transformation programs across multinational operations. She has represented Brazil as a speaker at the United Nations in Paris and has spoken at the International Labour Organization in Turin. She is the author of more than 16 books on safety culture in Portuguese, Spanish, English and German. Her work has earned more than 10 EHS awards, including two recognitions from Indra Nooyi, former PepsiCo CEO.

  • Civil & Safety Engineer (Unicamp)
  • M.A. Environmental Diplomacy (University of Geneva)
  • Sustainability Cert (IMD Switzerland)
  • People Management & Coaching (Ohio University)
  • UN Paris speaker representative for Brazil
  • ILO Turin speaker
  • LinkedIn Top Voice
  • Indra Nooyi PepsiCo CEO recognition (2x)

Documentaries

Watch Andreza's documentaries

Three productions on safety culture, organizational failure and the human lessons behind major disasters.

Podcasts

Listen to Andreza's podcasts

She hosts three shows on safety leadership, EHS and organizational culture, in English and Portuguese.
