Risk Review Cadence: How to Build It in 30 Days
Build a 30-day risk review cadence that turns a safety risk register into decisions, evidence, ownership, and escalation.

Key takeaways
- Define the decision each monthly review must produce, because a register that only updates rows does not change risk exposure.
- Select 10 to 20 active risks for the 30-day cadence, prioritizing exposure change, weak controls, temporary deviations, and leadership concern.
- Assign one accountable owner, one backup, and one decision authority per risk so escalation is structural rather than personal.
- Require field evidence, control-status updates, and 30-day change notes before accepting that a serious risk is stable.
- Apply Andreza Araújo's Safety School and ACS Global Ventures methods when your register needs to become a leadership routine.
ISO 31000:2018 defines risk management as a discipline for decisions under uncertainty, yet many safety risk registers still get reviewed only when an audit is scheduled. This guide shows how an EHS manager can build a 30-day risk review cadence that turns static records into decisions, owners, evidence, and control restoration.
Why does a risk review cadence matter?
A risk review cadence is the recurring management rhythm that checks whether the risk picture has changed, whether controls still work, and whether the right person owns the next decision. Without that rhythm, the risk register becomes a historical archive, even when the operation has changed during the last 30 days.
As Andreza Araújo argues through the Portuguese title Sorte ou Capacidade, translated as Luck or Capability, well-managed risk is calculated and mitigated with method, not absorbed through courage or habit. Across 25+ years leading EHS in multinationals, she has seen that risk quality depends less on the template and more on the discipline of revisiting decisions before weak signals become incidents.
The practical test is simple. If a supervisor cannot say which 5 risks changed this month, which owner restored a weak control, and which decision needs escalation, the organization does not yet have risk management. It has a file.
Step 1: Define the decision the review must produce
The first step is to make the review produce a decision, because a meeting that only reads the register does not manage anything. For a 30-day cadence, the decision should fit one of 4 outcomes: accept with evidence, reduce through new action, escalate to a higher authority, or close because the risk is no longer active.
This is where many systems fail. They confuse risk description with risk governance, although ISO 31000:2018 expects risk management to support decision-making, not just documentation. A useful review question is not "is this line updated?" but "what decision would be irresponsible to postpone for another 30 days?"
Begin with a one-page decision rule. Link the rule to the existing risk criteria workshop so severity, likelihood, exposure, and authority are not negotiated from scratch each month. The owner should know, before the meeting starts, which threshold forces escalation.
Step 2: Which risks need monthly review?
Monthly review should focus on risks whose exposure, controls, or context can change within 30 days. High-severity static hazards, temporary deviations, critical controls, management-of-change items, contractor interfaces, SIMOPS (simultaneous operations), and unresolved field escalations normally deserve this cadence.
The trap is trying to review the whole register every month. In more than 250 cultural-transformation projects supported by Andreza Araújo's team, one recurring weakness is excessive volume with weak ownership. When 80 lines receive 90 seconds each, the review creates the appearance of control while nobody has time to test the evidence.
Build a monthly slice with 10 to 20 active risks, selected by exposure change, control weakness, event history, and leadership concern. If a temporary deviation is active, connect the discussion to the existing method for a temporary deviation risk review, because that type of risk cannot wait for quarterly governance.
Step 3: Assign one accountable owner per risk
A risk without one accountable owner usually becomes a shared concern that nobody changes. The monthly cadence needs one named owner, one backup, and one decision authority for every active line, with the distinction written into the register before the review.
Andreza Araújo's work in Safety Culture: From Theory to Practice connects culture to observable leadership habits, and ownership is one of those habits. If the same risk appears in 3 meetings with 3 different owners, the issue is not lack of awareness. The issue is weak decision architecture.
Assign the owner closest to the control, not the person with the most senior title. A maintenance manager may own isolation quality, an operations manager may own exposure scheduling, and an EHS manager may own the method. The authority rule matters because escalation must be structural, not personal pressure.
Step 4: Set evidence rules before the meeting
Evidence rules prevent the monthly review from becoming a discussion of impressions. For each active risk, require at least 1 field verification, 1 control-status update, and 1 change note from the last 30 days, unless the owner can justify why the exposure stayed fully static.
The most common weak evidence is the green status that nobody checked at the point of risk. During Andreza Araújo's PepsiCo South America tenure, where accident ratio fell 50% in six months, the lesson was not that dashboards save people by themselves. The lesson was that data needs field discipline, visible leadership, and fast correction when the field contradicts the report.
Use photos only when they add proof, not decoration. Pair them with dates, location, control owner, and action status. Where control quality is uncertain, use the existing field risk escalation matrix so the reviewer can decide whether the issue belongs with the supervisor, plant manager, or executive sponsor.
Step 5: Build the 30-day agenda
The agenda should fit 45 to 60 minutes because the point is decision quality, not endurance. A workable rhythm is 10 minutes for new exposures, 20 minutes for changed risks, 15 minutes for overdue controls, and 10 minutes for escalation decisions.
What most safety teams underplay is the order of discussion. If the meeting starts with overdue action lists, leaders spend their attention on administration before the most dangerous changes are visible. Start with material risk movement, then move to control restoration, then close with accountability.
Send the agenda 48 hours in advance. Owners must update their lines before the meeting, not during it. The chair should refuse "no update" as a status because unidentified change is itself a risk signal.
Step 6: What evidence proves the risk changed?
A risk changed when exposure increased, a control weakened, a new activity was introduced, an incident or near miss revealed a gap, or the operating assumptions behind the assessment no longer hold. Those 5 triggers should be written into the review protocol.
In A Ilusão da Conformidade, translated as The Illusion of Compliance, Andreza Araújo's position is that compliance is never enough when the system only proves that paperwork exists. A risk review cadence must therefore ask whether the work changed, whether people adapted informally, and whether the official control still fits the real condition.
Use a short change note for every movement. It should state what changed, why it matters, what control was affected, who owns the decision, and whether the residual risk remains tolerable under the agreed criteria. If this paragraph cannot be written, the team probably has not understood the change.
Step 7: Escalate decisions that exceed local authority
Escalation is not failure. It is the sign that the risk has exceeded the authority of the local team, which means the next decision needs budget, schedule relief, engineering support, or senior operational ownership.
The failure mode is informal escalation, where a supervisor raises a concern verbally and the system treats silence as approval. A monthly cadence should define 3 escalation levels (field owner, site leader, and executive sponsor), each with response times tied to severity and exposure.
For critical work, connect monthly review to a pre-job decision point. The existing pre-mortem workshop for critical work can test whether the planned controls survive realistic failure scenarios before the exposure begins.
Step 8: Close the loop with action aging
The review is incomplete until action aging is visible. Track how many actions are open beyond 30, 60, and 90 days, which risk level they protect, and whether any overdue item keeps a serious exposure active.
Action closure should not mean typing "done" into a register. The owner must show evidence that the control was restored, the new condition was communicated, and the affected supervisors know how to verify it. When closure is administrative, the next review inherits the same exposure with a cleaner spreadsheet.
End each meeting by naming the 3 decisions made, the 3 actions that cannot slip, and the 1 issue that needs leadership attention before the next cycle. That final minute creates memory, because people leave knowing what changed and what cannot wait.
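To make the rules in Steps 1, 4 and 8 concrete, here is an added Python sketch that is not part of the article or of any tool the author describes. It models a three-line monthly slice as data, refuses any decision outside the four outcomes, blocks an "accept" on a serious risk unless a field verification, a control-status update, and a change note all fall inside the last 30 days, and ages open actions into 30/60/90-day buckets while flagging overdue items on serious risks. The severity scale, role names, dates, and sample register are constructed for illustration.

```python
"""Added example, not from the article: a minimal model of the 30-day review
rules (four decision outcomes, 30-day evidence gate, action aging).
Severity scale, roles, dates and sample data are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

DECISIONS = {"accept", "reduce", "escalate", "close"}
EVIDENCE_KINDS = {"field_verification", "control_status", "change_note"}
REVIEW_DATE = date(2024, 6, 30)  # constructed review date


@dataclass
class Evidence:
    kind: str  # one of EVIDENCE_KINDS
    observed: date


@dataclass
class Action:
    description: str
    opened: date
    closed: Optional[date] = None


@dataclass
class Risk:
    risk_id: str
    owner: str      # accountable owner closest to the control (Step 3)
    backup: str
    authority: str  # decision authority that receives escalations
    severity: str   # constructed scale: "serious" or "moderate"
    decision: Optional[str] = None
    evidence: list[Evidence] = field(default_factory=list)
    actions: list[Action] = field(default_factory=list)


def missing_evidence(risk: Risk, review_date: date, window_days: int = 30) -> list[str]:
    """Step 4: evidence kinds not observed inside the review window."""
    cutoff = review_date - timedelta(days=window_days)
    present = {e.kind for e in risk.evidence if e.observed >= cutoff}
    return sorted(EVIDENCE_KINDS - present)


def validate_decision(risk: Risk, review_date: date) -> str:
    """Step 1: exactly one of four outcomes; 'accept' on a serious risk is
    refused unless the evidence gate is satisfied."""
    if risk.decision not in DECISIONS:
        raise ValueError(f"{risk.risk_id}: decision must be one of {sorted(DECISIONS)}")
    if risk.decision == "accept" and risk.severity == "serious":
        missing = missing_evidence(risk, review_date)
        if missing:
            raise ValueError(f"{risk.risk_id}: accept needs evidence {missing}")
    return risk.decision


def action_aging(risks: list[Risk], review_date: date):
    """Step 8: bucket open actions by age; list 30+ day items on serious risks."""
    buckets = {"<30": 0, "30-59": 0, "60-89": 0, "90+": 0}
    serious_overdue = []
    for risk in risks:
        for action in risk.actions:
            if action.closed is not None:
                continue  # closed actions do not age
            age = (review_date - action.opened).days
            if age >= 90:
                buckets["90+"] += 1
            elif age >= 60:
                buckets["60-89"] += 1
            elif age >= 30:
                buckets["30-59"] += 1
            else:
                buckets["<30"] += 1
            if age >= 30 and risk.severity == "serious":
                serious_overdue.append((risk.risk_id, action.description, age))
    return buckets, serious_overdue


def run_review(risks: list[Risk], review_date: date) -> dict:
    """Apply the decision rule to every line, then report action aging."""
    decisions, rejected = {}, {}
    for risk in risks:
        try:
            decisions[risk.risk_id] = validate_decision(risk, review_date)
        except ValueError as exc:
            rejected[risk.risk_id] = str(exc)
    buckets, serious_overdue = action_aging(risks, review_date)
    return {"decisions": decisions, "rejected": rejected,
            "aging": buckets, "serious_overdue": serious_overdue}


def sample_register() -> list[Risk]:
    """Constructed three-line monthly slice."""
    return [
        Risk("R-01", "maint_mgr", "maint_sup", "plant_mgr", "serious", "accept",
             evidence=[Evidence("field_verification", date(2024, 6, 20)),
                       Evidence("control_status", date(2024, 6, 22)),
                       Evidence("change_note", date(2024, 6, 25))],
             actions=[Action("Restore guard interlock", date(2024, 3, 1))]),
        # Green status nobody checked at the point of risk: walk-down is 90 days old.
        Risk("R-02", "ops_mgr", "ops_sup", "plant_mgr", "serious", "accept",
             evidence=[Evidence("field_verification", date(2024, 4, 1)),
                       Evidence("control_status", date(2024, 6, 10))]),
        Risk("R-03", "ehs_mgr", "ehs_coord", "site_leader", "moderate", "reduce",
             actions=[Action("Update contractor interface plan", date(2024, 5, 20)),
                      Action("Brief night-shift supervisors", date(2024, 6, 15)),
                      Action("Replace signage", date(2024, 5, 1), closed=date(2024, 6, 3))]),
    ]


def sample_review() -> dict:
    return run_review(sample_register(), REVIEW_DATE)
```

Running `sample_review()` shows the intended behaviour: R-01 is accepted because all three evidence kinds are dated inside the window, R-02 is rejected with the missing kinds named (its field verification is older than 30 days and it has no change note), and the aging report puts R-01's 121-day-old interlock action in the 90+ bucket and on the serious-overdue list, which is exactly the item the chair should read out as the one issue that cannot wait.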
Risk review cadence compared with a static register
| Dimension | Static risk register | 30-day risk review cadence |
|---|---|---|
| Main output | Updated rows and audit evidence | 4 decision outcomes: accept, reduce, escalate, or close |
| Ownership | Shared responsibility, often held by EHS | One accountable owner, one backup, one authority level |
| Evidence | Comments, dates, and status colors | Field verification, control status, and 30-day change notes |
| Escalation | Discussed when someone insists | Triggered by defined thresholds and response times |
Conclusion
A 30-day risk review cadence works because it forces risk management to produce decisions, evidence, ownership, and escalation before the register becomes a museum of old assumptions.
For leaders who want to apply this beyond the template, Andreza Araújo's Safety School and ACS Global Ventures support diagnostics, leadership routines, and implementation roadmaps that connect ISO 31000, ISO 45001, field verification, and safety culture. Start the conversation at Andreza Araújo.
Frequently asked questions
How often should a safety risk register be reviewed?
Who should own each risk in a monthly review?
What evidence should be required in a risk review cadence?
What is the difference between a risk review and a risk assessment?
How does risk review connect to field escalation?
About the author
Andreza Araújo
Safety Culture Expert | Senior EHS Executive
Andreza Araújo is a safety culture expert and senior EHS executive with more than 25 years of experience in environment, health and safety. She is a Civil Engineer and Occupational Safety Engineer from Unicamp, holds a Master's degree in Environmental Diplomacy from the University of Geneva, and completed sustainability studies at IMD Switzerland. Andreza has served in Global Head of EHS roles in Fortune 500 environments, leading cultural transformation programs across multinational operations. She has represented Brazil as a speaker at the United Nations in Paris and has spoken at the International Labour Organization in Turin. She is the author of more than 16 books on safety culture in Portuguese, Spanish, English and German. Her work has earned more than 10 EHS awards, including two recognitions from Indra Nooyi, former PepsiCo CEO.
- Civil & Safety Engineer (Unicamp)
- M.A. Environmental Diplomacy (University of Geneva)
- Sustainability Cert (IMD Switzerland)
- People Management & Coaching (Ohio University)
- UN Paris speaker representative for Brazil
- ILO Turin speaker
- LinkedIn Top Voice
- Indra Nooyi PepsiCo CEO recognition (2x)
Documentaries
Three productions on safety culture, organizational failure and the human lessons behind major disasters.
Podcasts
She hosts three shows on safety leadership, EHS and organizational culture, in English and Portuguese.