Risk Management

Risk register vs control register vs decision log: which one stops drift in a live operation?

An F3 comparison for plant leaders, EHS managers, and risk owners who need to separate exposure tracking, barrier verification, and decision memory.


Key takeaways

  1. The risk register, control register, and decision log solve different problems, so one sheet should not be forced to do all three jobs.
  2. The risk register belongs to exposure ranking, the control register belongs to live barrier verification, and the decision log belongs to tradeoff memory.
  3. A control that is not verified is only a hope with a label, which is why the control register must stay close to the field.
  4. A decision log becomes valuable when it records why a tradeoff was accepted, who owns the next move, and when the decision expires.
  5. Plant leaders and EHS managers should connect the three records with clear ownership instead of merging them into a single blurred tracker.

A live operation does not drift because it has too few documents. It drifts when one document tries to carry three jobs, and the team stops noticing that exposure, barrier ownership, and decision memory are not the same thing. The risk register, the control register, and the decision log each answer a different question, which is why mixing them creates a slower, blurrier operation.

Across more than 25 years in multinational EHS and more than 250 cultural transformation projects, Andreza Araujo has seen the same failure repeat. Leaders ask one spreadsheet to do the work of governance, field control, and retrospective justification. The result looks tidy, but the work keeps changing faster than the record. In Safety Culture: From Theory to Practice, the point is that repeated decisions reveal culture. In The Illusion of Compliance, the warning is sharper still. Paper can look complete while the field stays exposed.

This article is for plant managers, EHS managers, and risk owners who need a clean choice. If you know which record should hold the risk, which one should hold the barrier, and which one should hold the decision, you can stop arguing about format and start improving control.

Evaluation criteria

Before comparing the three tools, use the same criteria for each one. The first criterion is purpose. The second is owner. The third is review cadence. The fourth is the type of evidence it must hold. The fifth is the failure mode when it is confused with something else. The sixth is the audience that actually needs it. If a document cannot pass those six tests, it is probably carrying someone else's job.

| Criterion | What good looks like | What goes wrong when the document is misused |
|---|---|---|
| Purpose | One clear decision question | The team starts filing information that nobody can act on |
| Owner | One accountable role with update authority | The record becomes a shared folder with no real owner |
| Cadence | Review frequency that matches risk movement | The record updates after the work has already changed |
| Evidence | Facts that support a decision or verify a barrier | The document turns into commentary, not control |
| Audience | The people who can change the next step | Too many readers, not enough decision power |
| Failure mode | Fast correction when the field changes | Paperwork survives while operating logic drifts |

Risk register

The risk register belongs to the question, "What could hurt us, and how serious is it?" It is the memory of exposure. It belongs close to portfolio review, enterprise risk, and leadership discussion because it helps the organization rank what matters and decide where attention should go first. That is why the article Risk Register Explained is useful as a companion. It covers the structure of the record, while this comparison focuses on the decision boundary.

A strong risk register describes the risk, the cause, the consequence, the current controls, and the residual concern in plain language. It should help a senior leader understand whether the business is facing a severe exposure, a shifting exposure, or a local nuisance. It should not try to prove that a barrier works on every shift. That is a different job.

James Reason's work on latent conditions helps here. A risk register is strongest when it keeps the organization honest about the conditions that make failure more likely. It becomes weak when it is treated as a static list that nobody uses after the annual review. In that state, the register still exists, but it no longer influences the next decision.

Use the risk register when the question is strategic or cross-functional. Use it when you need to compare hazards across sites, rank investments, or decide which exposure deserves senior attention. Do not use it as the place to log every control check or every temporary exception. That overload hides the signal.

Control register

The control register answers a different question. It asks, "Which barriers must stay alive for this risk to remain under control?" It belongs closer to the line of work, because barrier failure is usually local, specific, and time bound. The article Critical Control Register goes deeper on that point, and Critical Control Handover shows why control continuity breaks when ownership is vague.

A control register should identify the control, the owner, the check that proves it still works, and the consequence if it fails. A control that is not verified is just a hope with a label on it. That is why this record matters most where the risk is serious, the energy source is high, or the consequence of one missed step is severe.

Across more than 250 cultural transformation projects supported by Andreza Araujo, the recurring problem is not that teams lack words for control. It is that the site cannot say who checks the control, when the check happens, and what the team does when the evidence is missing. In Safety Culture: From Theory to Practice, culture becomes visible in repeated decisions. A control register makes those decisions concrete.

Use the control register when the question is operational and immediate. If a barrier is missing, degraded, bypassed, or unverified, this is the record that should show it. If a supervisor can read the register and know what must be checked before work continues, the document is doing its job.

Decision log

The decision log answers the question, "What did we decide, why did we decide it, who owns the next move, and when does the decision expire?" It is the memory of governance. It matters when the team accepts temporary risk, changes scope, approves a deviation, or chooses one option over another under time pressure. The article Safety Decision Log is the natural companion here.

This record becomes valuable when the business is forced to make tradeoffs. A shutdown may be delayed because a critical part has not arrived. A permit may be revalidated because the condition changed. A temporary workaround may be accepted with a short expiry and a named owner. If those decisions live only in memory, the operation loses accountability as soon as the shift changes.

Andreza Araujo has seen in many multinational settings that unclear decisions create hidden drift. People think the choice was made, but the reason was never recorded, the expiry was never stated, and the next owner was never told. The result is predictable. The same issue returns on the next shift with a new face and the same exposure.

Use the decision log when the organization must defend why it accepted a condition, postponed a fix, or changed the plan. It is not a substitute for the risk register, because it does not rank all exposure. It is not a substitute for the control register, because it does not prove the barrier. It is the place where the organization records the judgment call.

Decision matrix

The three tools become easier to use when you put them beside one another. The risk register handles exposure. The control register handles barriers. The decision log handles tradeoffs. That division looks simple on paper, yet it changes the whole rhythm of a meeting because each artifact now has one job instead of three.

| Decision question | Primary document | Why that one fits |
|---|---|---|
| What could hurt us most? | Risk register | It ranks exposure and keeps enterprise attention on the biggest threats |
| Which barrier must stay working today? | Control register | It links the hazard to the live control and the person who verifies it |
| Why did we accept or delay this change? | Decision log | It records the judgment, the owner, and the expiry date |
| What should the board review monthly? | Risk register plus a short control summary | The board needs exposure context, not a detailed barrier checklist |
| What should the supervisor review before the task starts? | Control register plus recent decisions | The field needs the current barrier state and any exception that changed it |

Which one fits which role

A board needs the risk register most, because the board should understand exposure, trend, and priority. A plant manager needs the risk register and the decision log, because strategy becomes real only when tradeoffs are visible. An EHS manager needs all three, because the role sits between enterprise memory, barrier verification, and exception control. A supervisor needs the control register first, because the task lives or dies on what is actually in place before work starts.

The trap is to assume that one document can serve every role equally well. That assumption creates two bad outcomes. First, the board sees detail without direction. Second, the field sees direction without enough detail to act. The best system keeps one core record per decision type and connects them with a shared ID, a clear owner, and a short review rhythm.

If you want to see how those connections behave in practice, pair this comparison with Risk Owner Critical Control. That article shows why ownership becomes real only when the register leads to a live check, and the check leads to a decision.

What to do next

Start by mapping your current files into the three buckets. If a line in the sheet says "hazard," "likelihood," "consequence," or "priority," it belongs in the risk register. If it says "critical control," "verification," "owner," or "test," it belongs in the control register. If it says "approved," "accepted," "deferred," or "temporary," it belongs in the decision log. Many operations already have all three. The problem is that they are mixed together, which makes each one weaker.

Then give each record one owner and one cadence. The risk register can move monthly or quarterly. The control register should move with the work, because barriers drift faster than strategy. The decision log should move whenever a tradeoff is made, because governance loses value the moment the reason disappears. James Reason would call that a latent weakness. Andreza Araujo would call it a culture signal.

If you want the method behind that split, return to Safety Culture: From Theory to Practice and The Illusion of Compliance. They are useful precisely because they show why paperwork only matters when it changes the next decision. For a more direct next step, explore the books and tools at Andreza Araujo's store, then apply the same logic to one live register this week.


Frequently asked questions

What is the main difference between a risk register and a control register?

A risk register ranks exposure, while a control register tracks the barriers that must stay working. The first helps leaders decide what matters most, and the second helps the field verify what must not fail.

When should a decision log be updated?

Update it whenever the organization accepts a temporary deviation, changes scope, delays a fix, or approves a tradeoff. If the decision changes the risk picture, it should be recorded the same day.

Can one spreadsheet hold all three?

It can, but only if the columns stay separate and the owner is clear. The risk register, control register, and decision log should still behave like different records, even if they sit in one file.

Which document should a supervisor use first before the task starts?

The supervisor should start with the control register, then check any recent decision that changed the task, permit, or barrier state. That sequence keeps the pre-job review tied to the live risk.

About the author

Andreza Araújo

Safety Culture Expert | Senior EHS Executive

Andreza Araújo is a safety culture expert and senior EHS executive with more than 25 years of experience in environment, health and safety. She is a Civil Engineer and Occupational Safety Engineer from Unicamp, holds a Master's degree in Environmental Diplomacy from the University of Geneva, and completed sustainability studies at IMD Switzerland. Andreza has served in Global Head of EHS roles in Fortune 500 environments, leading cultural transformation programs across multinational operations. She has represented Brazil as a speaker at the United Nations in Paris and has spoken at the International Labour Organization in Turin. She is the author of more than 16 books on safety culture in Portuguese, Spanish, English and German. Her work has earned more than 10 EHS awards, including two recognitions from Indra Nooyi, former PepsiCo CEO.

  • Civil & Safety Engineer (Unicamp)
  • M.A. Environmental Diplomacy (University of Geneva)
  • Sustainability Cert (IMD Switzerland)
  • People Management & Coaching (Ohio University)
  • UN Paris speaker representative for Brazil
  • ILO Turin speaker
  • LinkedIn Top Voice
  • Indra Nooyi PepsiCo CEO recognition (2x)
