Risk Register: 7 Fields That Keep Controls Alive
A safety risk register prevents little when it only lists hazards, but it becomes useful when every row proves control ownership and residual risk.
Key takeaways
1. Define every high-risk row as a risk event with exposure and consequence, because hazard names alone cannot guide control selection.
2. Separate verified existing controls from planned actions so leaders can see what protects workers today and what still depends on future delivery.
3. Assign control owners with authority over budget, maintenance, operations, or redesign instead of leaving serious risks under generic EHS ownership.
4. Track residual risk as a management decision with evidence, expiry date, and sign-off, not only as a color inside the matrix.
5. Request Andreza Araújo's safety culture diagnostic when your risk register needs to become control assurance rather than audit paperwork.
ISO 31000:2018 treats risk management as an integrated and iterative discipline, yet many safety risk registers are updated once a year and forgotten until an audit. This article shows seven fields that make a risk register prove control ownership, residual risk, and action discipline.
Why a risk register fails when it becomes a list
A risk register is a management tool whose value depends on whether leaders use it to decide, verify, and fund controls. When it becomes a spreadsheet of hazards, likelihood scores, and generic actions, it creates the appearance of control while the actual exposure remains unchanged in the field.
As Andreza Araújo argues in Safety Culture: From Theory to Practice, declared culture and operated culture are not the same thing. A register can declare that a critical control exists, but operated culture is revealed only when the supervisor can prove the control worked before exposure began.
The practical test is simple. If an EHS manager cannot open the register and answer who owns the control, when it was last verified, what residual risk remains, and what decision was made about that residual risk, the register is not controlling risk. It is storing risk language.
1. Define the risk event, not only the hazard
The first field should describe the risk event because a hazard name alone does not tell leaders what could actually happen. A row that says "forklift" is weak. A row that says "pedestrian struck by forklift during blind-corner reversal in dispatch lane" gives the team a real event to prevent.
What most templates miss is that vague hazard labels make every later field weaker. The likelihood score becomes guesswork, the control list becomes generic, and the owner can claim progress without changing the exposure. This is why a risk matrix that hides serious risk often begins with a poorly written event statement.
Write the event as condition, exposure, and consequence. For a 320-employee distribution center, the row should identify where the exposure appears, who is exposed, and which consequence would trigger a Serious Injury or Fatality review. That discipline forces the register to connect with real work, not only with audit vocabulary.
A useful target is that 100% of high-risk rows name the exposed group and the credible severe consequence. Without those two elements, the row cannot guide control selection.
2. Separate existing controls from planned actions
Existing controls are barriers that are already in place, while planned actions are promises that may or may not be delivered. Mixing them in the same field makes the register look stronger than the operation really is.
Across 25+ years leading EHS at multinationals, Andreza Araújo has seen that organizations often confuse intention with protection. A planned guard, a future training, or a procedure under review does not reduce exposure today, because workers are still facing the risk before that action exists.
The register should use one field for verified existing controls and another field for open actions. Existing controls must be written in observable language, such as interlocked gate tested weekly, physical segregation barrier installed, or permit issuer verifies isolation at the workface. Planned actions should carry a due date, owner, and funding decision.
3. Add a control owner who can act
A control owner is the person with enough authority and proximity to keep a control working. Listing the EHS department as owner usually fails because EHS can advise, audit, and challenge, but it often cannot redesign the line, release maintenance hours, or discipline production shortcuts.
The ownership field should name an operational role, not a committee. For example, the maintenance manager owns the interlock inspection schedule, the warehouse manager owns forklift-pedestrian segregation, and the plant manager owns funding for engineering controls when residual risk remains unacceptable.
In more than 250 cultural-transformation projects supported by Andreza Araújo's team, weak ownership appears as one of the earliest signs of compliance theater. Everyone agrees that the risk is serious, but no one has the budget, authority, or meeting cadence to remove the condition.
4. Record the verification method and cadence
A risk register becomes operational when each critical control has a verification method and cadence. The field should say how the organization knows the control is working, not merely that the control exists.
This is where many registers break down. A row may say "procedure in place" for years, even though the procedure was not observed in the field, the lock was missing, or the supervisor signed a permit without seeing the job. For high-hazard work, the register must connect with pre-mortem safety review before high-risk work, because verification before exposure is more useful than explanation after injury.
Use concrete verification language. Weekly field observation, monthly interlock test, daily pre-use inspection, quarterly rescue drill, and annual engineering review are different controls with different confidence levels. The cadence should reflect severity and control vulnerability, not calendar convenience.
For SIF-related rows, a practical rule is to verify the critical control at least once within the 30 days before management review. A severe exposure should not reach the agenda with evidence from last year's audit.
5. Track residual risk as a decision, not a score
Residual risk is the risk that remains after existing controls are applied, and it requires a management decision. Treating residual risk as only a color on a matrix hides the question leaders must answer, which is whether the remaining exposure is acceptable, tolerable with action, or unacceptable until redesigned.
Andreza Araújo's Portuguese title A Ilusão da Conformidade, or The Illusion of Compliance, is useful here because a register can be formally complete and still culturally weak. The presence of a residual score does not prove that anyone accepted the risk consciously.
Document the decision behind the score. The field should state who accepted the residual risk, what evidence supported that decision, what control gap remains, and when the decision expires. If the answer is unclear, the row should link to residual risk acceptance before sign-off rather than pretending that a color code is enough.
6. Link each row to the hierarchy of controls
The hierarchy of controls keeps the register honest because it shows whether the organization reduced risk structurally or simply added another administrative layer. Elimination, substitution, engineering controls, administrative controls, and PPE do not carry the same reliability.
Organizations often treat a completed action as a completed control, but a toolbox talk and a physical barrier are not equivalent. If the row still depends mainly on memory, attention, and PPE after repeated deviations, the register should show that weakness rather than hide it under the word "mitigated."
For each risk, add a field that classifies the strongest current control by hierarchy level. Then add a second field that identifies the next feasible higher-order control. This connects the register with Prevention through Design before PPE becomes the plan, especially in projects where design decisions can remove exposure before operations inherit it.
7. Close the loop with review date and decision history
A living risk register needs review dates and decision history because risk changes when work changes. A new contractor, layout change, production target, staffing gap, or equipment modification can make last quarter's assessment obsolete.
During the PepsiCo South America tenure, where the accident ratio fell 50% in six months, disciplined follow-up mattered because controls had to survive operational pressure. The same lesson applies to the register. A row without a review date invites drift, while a row with decision history shows whether leaders learned from weak signals.
Keep a short decision history for high-risk rows. Record when the risk increased, when a control failed, when funding was approved or denied, when a stop-work decision occurred, and when the residual risk was reaccepted. This turns the register into management memory, which is far more useful than a static audit artifact.
Each quarter without a risk-register review allows changes in work, people, equipment, and contractor activity to outgrow the assumptions behind the last assessment.
Risk register fields that separate paperwork from control
| Weak register field | Control-focused field | Management question it answers |
|---|---|---|
| Hazard name | Risk event with exposure and consequence | What exactly could happen, to whom, and where? |
| Controls | Existing verified controls plus planned actions | What protects workers today, and what is still only promised? |
| Owner | Control owner with authority | Who can maintain, fund, or redesign the control? |
| Risk rating | Residual risk decision with expiry date | Who accepted the remaining exposure, based on what evidence? |
| Review date | Decision history and trigger for reassessment | What changed since the last assessment? |
A stronger risk register does not need dozens of columns. It needs the few fields that force leaders to confront exposure, control reliability, ownership, and residual risk decisions.
Conclusion
A safety risk register earns its place only when it drives decisions about controls, not when it stores a polished list of hazards.
If your organization needs to turn its register into control assurance, review Andreza Araújo's work on culture diagnosis and request a safety culture diagnostic through Andreza Araújo.
Frequently asked questions
What is a safety risk register?
What fields should a safety risk register include?
How often should a risk register be reviewed?
Who should own risks in the register?
What is the difference between a risk assessment and a risk register?
About the author
Andreza Araújo
Global Safety Culture Specialist
Andreza Araújo is an international reference in EHS, safety culture and safe behavior, with 25+ years leading cultural transformation programs in multinational companies and impacting employees in more than 30 countries. Recognized as a LinkedIn Top Voice, she contributes to the public conversation on leadership, safety culture and prevention for a global professional audience. She is a civil engineer and occupational safety engineer from Unicamp, with a master's degree in Environmental Diplomacy from the University of Geneva. She is the author of 16 books on safety culture, leadership and SIF prevention, and host of the Headline Podcast.
- Civil Engineer (Unicamp)
- Occupational Safety Engineer (Unicamp)
- Master in Environmental Diplomacy (University of Geneva)