Risk Management

Risk Register Cleanup: How to Rebuild It in 30 Days

A 30-day risk register cleanup guide for EHS managers who need fewer stale rows, clearer owners, stronger evidence, and better critical-control decisions.

7 min read

Key takeaways

  1. Freeze the current register before editing so the 30-day cleanup has a baseline, version history, accountable owner and auditable decision date.
  2. Rewrite hazard labels as risk scenarios that name the exposed person, event pathway, condition and credible consequence, especially for SIF potential.
  3. Attach every high-risk control to evidence from the last 90 days, such as inspections, isolation tests, observations or maintenance records.
  4. Assign one accountable owner per material risk, because department labels and shared ownership usually hide weak control authority.
  5. Use Andreza Araujo's risk-perception and safety-culture methods to turn the register from an audit file into a monthly decision tool.

HSE describes risk management as a step-by-step process for controlling workplace hazards, yet many EHS risk registers still become archives of old concerns instead of live decision tools. This guide shows how to rebuild a stale risk register in 30 days so leaders can see ownership, control strength, escalation thresholds and serious-injury exposure before the next management review.

A risk register is a structured record of hazards, risk scenarios, existing controls, residual exposure, owners, deadlines and verification evidence. In occupational safety, its value is not the number of rows it contains, but whether it helps supervisors, EHS managers and operational leaders decide what must be eliminated, controlled, escalated or monitored within a defined review cycle.

What you need before starting

A 30-day cleanup needs three inputs before anyone edits the spreadsheet: the current register, the last 12 months of incidents or near misses, and the list of high-risk tasks where a single failed control could produce a serious injury or fatality. Without those inputs, the register cleanup becomes formatting work while the real business problem, exposure visibility, stays unsolved.

HSE explains that risk management at work includes identifying hazards, assessing risks, controlling risks, recording findings and reviewing controls. ISO 31000:2018 provides principles and guidelines for managing risk, which matters because the register should support decisions at every level rather than sit as a compliance attachment.

As Andreza Araujo argues in Sorte ou Capacidade, risk is not something a serious organization simply takes on. It is managed with method. The practical implication is direct: the risk register must show what method is being applied, who owns the decision, and what evidence proves the control still works.

A cleaned register should also point back to the design decisions that created or reduced the exposure, otherwise the next review inherits ratings without context.

Step 1: Freeze the register and mark the decision date

Freezing the register creates a baseline version that can be audited later, especially when the cleanup changes ratings, owners or deadlines within the 30-day window. Use the date, version number and register owner in the file name because a register with 400 rows and no version control cannot prove what leaders knew before a decision.

The common trap is letting every department keep editing while EHS is trying to diagnose the problem. In more than 250 cultural-transformation projects supported by Andreza Araujo's team, one recurring pattern is that weak ownership hides inside collaborative files where everyone can change the row and no one owns the risk.

Export a read-only copy of the file, create a working copy and add four columns before touching any rating: decision date, last field verification, accountable owner and escalation level. If the company already uses risk appetite and risk tolerance, add the tolerance reference in the same row so the register connects to governance rather than personal opinion.

Step 2: Remove duplicates and merge weak scenarios

Duplicate rows make risk look more controlled than it is because they spread one exposure across several weak entries. A useful first target is to reduce the register by 15 to 30 percent through consolidation, while preserving any scenario that has a different credible consequence, task condition or exposed group.

What most teams miss is that duplicate risk rows often reveal duplicate thinking. One line says "forklift impact," another says "pedestrian struck," and a third says "traffic route conflict," although all three may depend on the same segregation control whose weakness is already visible in the field.

Merge rows only when the initiating event, exposed population and existing controls are materially the same. Keep separate rows when maintenance, night shift, contractors or non-routine work change the exposure because those conditions often explain why the same hazard behaves differently in real work.

Step 3: Rewrite each row as a risk scenario

A risk scenario states the event, cause pathway, exposed person and consequence in one sentence, which makes the row testable. Instead of writing "chemical storage," write "operator exposed to incompatible chemical reaction during decanting because containers are stored without segregation labels, causing burn injury or toxic release."

Across 25+ years leading EHS at multinationals, Andreza Araujo has observed that vague rows protect bureaucracy more than people. A hazard name tells the reader what exists, while a scenario tells the reader what could happen if the current control fails under pressure.

Use this sentence structure for every material row: exposed person plus event plus condition plus consequence. If the consequence includes fatality, permanent disability, fire, explosion, toxic release or multiple casualties, tag the row as SIF potential even when the current likelihood is rated low.

Step 4: Separate inherent risk from residual risk

Inherent risk describes the exposure before controls, while residual risk describes what remains after controls have been applied and verified. A register that mixes the two gives managers a false sense of precision, especially when the same color scale is used for both the raw hazard and the controlled task.

The risk matrix can distort fatal exposure when likelihood is lowered because "nothing has happened recently." Andreza Araujo's Portuguese title A Ilusao da Conformidade, "The Illusion of Compliance," challenges this exact failure: documented control is not the same as operational control.

Build two adjacent fields for every scenario. The first records inherent consequence and credible maximum outcome; the second records residual risk after confirmed controls. If the residual rating changes because of a control, require the row to name that control and the evidence that it was inspected, tested or observed within the last 90 days.

Step 5: Attach each control to evidence

A control without evidence is only a claim, even when it appears in a certified management system. In a 30-day cleanup, each high-risk row should carry at least one fresh evidence item: inspection record, isolation test, interlock proof, training observation, maintenance record or field verification note.

This is where the cleanup becomes more than spreadsheet hygiene. As Andreza Araujo writes in Cultura de Seguranca: Da Teoria a Pratica, doing nothing is not an option once a risk has been identified. A row with no evidence is telling the organization that the control may exist only on paper.

Prioritize evidence for critical controls before administrative controls. For major hazards, connect the row to LOPA protection layers or to the chosen engineering-control verification method, because the register should not treat a toolbox talk and an automatic shutdown system as equivalent barriers.

Step 6: Assign one accountable owner per risk

Every material risk needs one accountable owner, not a department label or a generic "EHS" assignment. The owner is the manager who can change resources, work design, supervision, maintenance priority or operating rules within the agreed review period.

EHS can guide the method, but EHS cannot own every operational exposure. When a register assigns 80 percent of actions to the safety department, it usually proves that the business has converted line risk into administrative follow-up, which weakens real control.

Assign the owner by control authority. Maintenance owns equipment integrity, operations owns the work method, procurement owns contractor prequalification, engineering owns design changes and EHS owns the framework, audit method and escalation discipline. If two people seem to own a row, split the scenario or define a primary owner and a consulted role.

Step 7: Escalate serious-injury potential before rating debates

Serious-injury and fatality potential should trigger escalation even when the calculated likelihood is low. In practice, one low-frequency exposure with weak isolation, traffic separation, confined-space rescue or energy-control verification can matter more than 20 minor ergonomic rows rated in orange.

ILO identifies occupational safety and health as a core element of decent work, which reinforces the point that fatal-risk visibility is not a cosmetic reporting choice. During her PepsiCo South America tenure, where the accident ratio fell 50 percent in six months, Andreza Araujo learned that leadership cadence must focus attention on the exposures that can change a family forever.

Create a SIF-potential flag, an escalation owner and a review frequency for each critical row. Use ALARP decisions only after the team has documented which additional controls were considered, rejected or approved, because "reasonably practicable" cannot become a polite label for delay.

Step 8: Set a monthly review rhythm that tests controls

A cleaned register decays unless it has a review rhythm whose purpose is testing controls, not updating colors. A practical rhythm is weekly cleanup during the first 30 days, monthly review for high-risk rows, and quarterly governance review for trends, overdue actions and escalation quality.

The strongest register is the one supervisors recognize from the field. If the monthly review never asks whether workers see the same risk, whether procedures match real work, or whether controls still function under production pressure, the register becomes a second version of the procedure manual.

Close the 30-day project with a management-review pack showing rows removed, scenarios rewritten, SIF-potential rows escalated, controls verified and overdue decisions by owner. Where complex analysis is needed, connect the row to the right method, such as HAZOP, Bow-Tie or FMEA selection, instead of forcing every exposure through the same spreadsheet logic.
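Steps 2 to 7 above are rules that can be checked mechanically against a register export before each monthly review. The script below is an added example, not code from the original article or from Andreza Araujo's practice: it lints a small register against those rules (hazard label instead of scenario, untagged SIF wording, departmental or shared owner, residual above inherent, rating reduced without a named control, high-risk row without evidence in the last 90 days, and duplicate rows sharing event, exposed group and controls). The column names, the 5x5 score threshold of 12 for "high risk" and the sample rows are all assumptions constructed for the example.

```python
# Added example: lint a risk register export against the cleanup rules in
# Steps 2-7. Field names, the score threshold and the sample rows are
# assumptions constructed for illustration, not data from the article.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EVIDENCE_MAX_AGE = timedelta(days=90)      # Step 5: evidence must be recent
HIGH_RISK_THRESHOLD = 12                   # assumed 5x5 matrix score (consequence x likelihood)
SIF_TERMS = ("fatality", "death", "permanent disability", "fire",
             "explosion", "toxic release", "multiple casualties")   # Step 3 / Step 7
DEPARTMENT_LABELS = {"ehs", "safety", "operations", "maintenance",
                     "engineering", "procurement", "tbd", ""}        # Step 6


@dataclass(frozen=True)
class Row:
    row_id: str
    scenario: str                 # Step 3: person + event + condition + consequence
    initiating_event: str
    exposed_group: str
    controls: tuple               # names of existing controls
    inherent: int                 # Step 4: score before controls
    residual: int                 # score after verified controls
    owner: str                    # Step 6: one accountable person
    last_verified: Optional[date] # date of the most recent control evidence
    sif_flag: bool = False


def lint_row(row: Row, today: date) -> list:
    """Return the cleanup findings for one row (empty list means the row passes)."""
    findings = []
    text = row.scenario.lower()
    # A scenario names a cause pathway; a bare hazard label does not.
    if len(row.scenario.split()) < 8 or "because" not in text:
        findings.append("hazard label, not a risk scenario")
    if any(term in text for term in SIF_TERMS) and not row.sif_flag:
        findings.append("SIF potential not flagged")
    owner = row.owner.strip().lower()
    if owner in DEPARTMENT_LABELS or any(sep in owner for sep in ("/", ",", "&", " and ")):
        findings.append("no single accountable owner")
    if row.residual > row.inherent:
        findings.append("residual rating exceeds inherent rating")
    if row.residual < row.inherent and not row.controls:
        findings.append("rating reduced without a named control")
    high_risk = row.sif_flag or row.inherent >= HIGH_RISK_THRESHOLD
    if high_risk and (row.last_verified is None
                      or today - row.last_verified > EVIDENCE_MAX_AGE):
        findings.append("no control evidence in the last 90 days")
    return findings


def find_duplicates(rows) -> list:
    """Step 2: groups of rows with the same initiating event, exposed group and controls."""
    groups = {}
    for row in rows:
        key = (row.initiating_event.lower(), row.exposed_group.lower(),
               frozenset(c.lower() for c in row.controls))
        groups.setdefault(key, []).append(row.row_id)
    return [ids for ids in groups.values() if len(ids) > 1]


def lint_register(rows, today: date):
    """Findings per row, plus duplicate groups that are merge candidates."""
    return {r.row_id: lint_row(r, today) for r in rows}, find_duplicates(rows)


# Constructed sample register (not real data); TODAY is fixed so runs are repeatable.
TODAY = date(2024, 6, 1)
SAMPLE_ROWS = (
    Row("R-01", "Forklift impact", "forklift movement", "warehouse pedestrians",
        ("floor marking",), 16, 6, "EHS", date(2023, 9, 1)),
    Row("R-02", "Pedestrian struck", "forklift movement", "warehouse pedestrians",
        ("floor marking",), 16, 6, "Ops / Maintenance", None),
    Row("R-03", "Contractor struck by forklift on night shift because route "
        "barriers are removed for unloading, causing fatality",
        "forklift movement", "night-shift contractors", ("floor marking", "banksman"),
        20, 10, "Night shift manager", date(2024, 5, 20), sif_flag=True),
    Row("R-04", "Operator exposed to incompatible chemical reaction during decanting "
        "because containers are stored without segregation labels, causing burn "
        "injury or toxic release", "chemical decanting", "decanting operators",
        ("segregation labels", "PPE"), 15, 8, "Warehouse manager", date(2024, 4, 15)),
)

if __name__ == "__main__":
    per_row, dupes = lint_register(SAMPLE_ROWS, TODAY)
    for row_id, findings in per_row.items():
        print(row_id, findings or "ok")
    print("merge candidates:", dupes)
```

On the constructed sample the two "forklift" rows are reported as one merge candidate because they share event, exposed group and control, while the night-shift contractor row stays separate, which is the Step 2 rule. The chemical row is otherwise clean but is flagged because "toxic release" appears in the consequence without a SIF flag. The "because" test is a deliberately crude proxy for a stated cause pathway; replace it with whatever sentence template the site standardises on.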

Comparison: stale register vs decision register

Dimension | Stale risk register | Decision-ready risk register
Row wording | Hazard labels such as "working at height" | Risk scenarios with event, condition, exposed person and consequence
Control evidence | Procedure names and training dates | Recent proof that critical controls were tested or observed
Ownership | Department labels or shared responsibility | One accountable owner with authority to change the work
Fatal-risk visibility | Hidden inside low-likelihood ratings | SIF-potential flag reviewed monthly, regardless of color
Review cadence | Annual update before audit | 30-day cleanup, monthly high-risk review, quarterly governance review

Each month spent maintaining a stale register leaves supervisors debating colors while unverified controls continue to age in the field, which is why the first 30 days should focus on ownership, evidence and SIF-potential escalation.

Conclusion

A risk register cleanup works when it converts static hazard labels into owned decisions with evidence, dates, escalation rules and verified controls. The point is not to make the file cleaner, but to make the next operational decision harder to approve when the risk is still unmanaged.

For practitioners who need to connect risk perception, leadership cadence and control verification, Andreza Araujo's books and ACS Global Ventures consulting work offer a practical path from diagnosis to implementation. Start with the register, then use it to ask better questions before the work begins.

Topics risk-register risk-management iso-31000 ehs-manager critical-controls risk-assessment

Frequently asked questions

How often should an EHS risk register be reviewed?
High-risk rows should be reviewed monthly, especially when they involve SIF potential, critical controls or operational change. Lower-risk rows can move to quarterly review, but only after the owner has evidence that controls still work. A full annual review is useful for governance, yet it is too slow for energy isolation, traffic interface, confined space, lifting and other high-consequence exposures.
What fields should a safety risk register include?
A practical safety risk register should include the risk scenario, exposed group, inherent consequence, existing controls, residual risk, control evidence, accountable owner, due date, escalation level, SIF-potential flag and last verification date. ISO 31000 supports this decision logic because risk management should be integrated into governance and decision-making, not stored as a disconnected spreadsheet.
Who owns each risk in the register?
The owner should be the operational leader who can change the work, fund the control, adjust supervision or stop the exposure. EHS owns the method, audit discipline and escalation process, but not every operational risk. Andreza Araujo's safety-culture work reinforces this point because culture changes when line leaders own the conditions that shape behavior.
What is the difference between a risk register and a risk matrix?
A risk matrix is a rating tool, while a risk register is the full decision record around each exposure. The register should hold the scenario, controls, evidence, owner and review cadence. The matrix can support prioritization, but it can also hide fatal exposure when likelihood is lowered by habit rather than verified control strength. This topic is expanded in /en/blog/risk-matrix-8-distortions-that-hide-fatal-exposure.
When should a risk register trigger ALARP review?
A risk register should trigger ALARP review when a serious consequence remains possible after existing controls, or when leaders reject additional controls due to cost, time or practicality. The decision must record which controls were considered and why they were accepted or rejected. This adjacent decision is expanded in /en/blog/alarp-decisions-4-blind-spots-that-keep-risk-alive.

About the author

Andreza Araújo

Safety Culture Expert | Senior EHS Executive

Andreza Araújo is a safety culture expert and senior EHS executive with more than 25 years of experience in environment, health and safety. She is a Civil Engineer and Occupational Safety Engineer from Unicamp, holds a Master's degree in Environmental Diplomacy from the University of Geneva, and completed sustainability studies at IMD Switzerland. Andreza has served in Global Head of EHS roles in Fortune 500 environments, leading cultural transformation programs across multinational operations. She has represented Brazil as a speaker at the United Nations in Paris and has spoken at the International Labour Organization in Turin. She is the author of more than 16 books on safety culture in Portuguese, Spanish, English and German. Her work has earned more than 10 EHS awards, including two recognitions from Indra Nooyi, former PepsiCo CEO.

  • Civil & Safety Engineer (Unicamp)
  • M.A. Environmental Diplomacy (University of Geneva)
  • Sustainability Cert (IMD Switzerland)
  • People Management & Coaching (Ohio University)
  • UN Paris speaker representative for Brazil
  • ILO Turin speaker
  • LinkedIn Top Voice
  • Indra Nooyi PepsiCo CEO recognition (2x)

Documentaries

Watch Andreza's documentaries

Three productions on safety culture, organizational failure and the human lessons behind major disasters.

Podcasts

Listen to Andreza's podcasts

She hosts three shows on safety leadership, EHS and organizational culture, in English and Portuguese.
