Safety Decision Rights: 5 Cracks That Turn Ownership Into a Label

A site can say that ownership sits with supervisors, engineers, and managers. In practice, ownership exists only when one person can change the control, see the evidence, and answer for the result. When those three things are split apart, ownership becomes a label, not a function.

Across 25+ years of executive EHS work, Andreza Araujo has seen the same pattern repeat: a clear form, a polished matrix, and a weak decision line. In Safety Culture: From Theory to Practice, the test is not whether the site can name an owner, but whether the owner can act when production, cost, or schedule presses back. James Reason's latent failures help explain why the risk often sits several layers away from the person who signs the form. Patrick Hudson's maturity view points in the same direction, because a mature site does not depend on heroics or memory. It depends on roles, thresholds, and evidence that survive pressure.

Why decision rights fail when ownership is ceremonial

Ownership fails when the site treats responsibility as a signature instead of a decision line. A line supervisor can be told to own the task, but if engineering still controls the layout, maintenance still controls the backlog, and production still controls the pace, the supervisor owns exposure rather than control. That is a distinction the board can miss easily and the field cannot afford.

The problem is not abstract. A person who can acknowledge risk but cannot change staffing, stop the job, re-sequence the work, or force a repair is carrying accountability without the authority needed to reduce exposure. The result looks orderly on paper and fragile in the field. In A Ilusao da Conformidade, Andreza Araujo warns that a clean form is not proof of a controlled workplace, and this is exactly the failure mode that keeps decision rights cosmetic.

That table is the real test. If the declared owner cannot alter the condition that creates harm, the site has a naming system, not an ownership system. James Reason would call that a latent failure chain. Patrick Hudson would call it a maturity gap. Workers call it something simpler: the form says one thing and the job says another.

Crack 1: the person closest to the hazard does not control the control

The first crack appears when the site asks the person closest to the work to own a hazard that the site has not redesigned. The supervisor sees the shortcut, the mechanic sees the bypass, and the operator sees the time pressure, but none of them can change the layout, the task sequence, the staffing level, or the equipment state without another approval line. That is not ownership. That is delegated exposure.

Across more than 250 cultural transformation projects supported by Andreza Araujo, the sites that improved did not ask the frontline to compensate for upstream design flaws with better attitude. They changed the control point, then clarified who could change it again when conditions drifted. That is why a critical-risk owner map is useful only when the mapped owner can act on the risk, not just record it.

The practical question is simple: if the hazard worsens today, who can change the control before the shift ends? If the answer is a chain of escalation emails, the owner is ceremonial. If the answer is a named person with clear authority and a short route to act, the role has operational meaning.

Crack 2: temporary exceptions become permanent without a fresh decision

Temporary exceptions are where weak decision rights hide best. A bypass is approved for one shift, then the shift changes, then the next supervisor inherits the same exception, and soon the site no longer remembers which risk was accepted, by whom, or until when. The matrix still shows control, although the field is running on memory and optimism.

This is where risk appetite, risk tolerance, and risk acceptance need to be separated. Appetite belongs to strategy. Tolerance belongs to thresholds. Acceptance belongs to a specific decision with a named owner and a review date. When those lines collapse, people sign for a temporary deviation as if it were a permanent condition, and the exception becomes the rule by attrition rather than by design.

Andreza Araujo's Sorte ou Capacidade is useful here because it rejects the comforting idea that a good week proves a sound system. A site that runs a temporary deviation for thirty days is not becoming capable. It is normalizing drift. The only fair test is whether the exception was reopened, re-evaluated, and either removed or formally extended with evidence.

Crack 3: cross-functional risks are split until nobody owns them

Contractor work, line breaks, maintenance shutdowns, shared areas, and mixed crews all create a familiar governance trap. Operations says the contractor controls it, the contractor says the site set the schedule, maintenance says engineering owns the redesign, and procurement says it only bought the service. By the time the issue reaches the field, the hazard has three paper owners and zero operational owners.

This is where the article on owner vs EPC vs contractor safety governance becomes relevant. The lesson is not that every function should own everything. The lesson is that a cross-functional hazard needs one decision point, one evidence trail, and one person who can answer for the control state when the work changes. Without that, each function protects its own boundary while the risk moves through the seam.

James Reason's latent failures matter here because the visible error is usually the last step in a longer chain. The real failure sits in the split between functions, in which everyone contributes a little authority and nobody carries enough to stop the exposure. Leaders often call that collaboration. In practice, it is diffusion.

Crack 4: leaders reward closure numbers, not control proof

A dashboard can show 100 percent closure while the same exposure returns the next shift, because closing an action is not the same as changing the condition that produced it. This is one of the easiest ways for ownership to become decorative. The action tracker turns green, the audit file looks complete, and the field keeps working around the same weak point.

That is why control assurance needs evidence, not just completion status. A repair should be verified in the field. A procedural change should be tested in the task. A training record should not be mistaken for a control. When leaders praise the speed of closure but never inspect whether the hazard changed, they teach the site to optimize paperwork rather than risk.

Andreza Araujo's books are direct on this point. In Safety Culture: From Theory to Practice, what matters is what the system does under pressure. In A Ilusao da Conformidade, what matters is whether the visible symbol matches the operated reality. Those are not motivational lines. They are diagnostics for a site that is tempted to confuse status with substance.

Crack 5: committees record decisions after the decision has already moved

Many committees are built to keep the record, not to keep the decision line. They meet after production has already chosen the shortcut, after the contractor has already mobilized, or after the risk has already been accepted in a hallway conversation. At that point the committee can document what happened, but it cannot claim to have owned the decision.

This is why a safety decision rights matrix should be a living control, not a polite appendix. The matrix has to answer who decides, who verifies, who can pause the task, who can spend the money, and who must be consulted before the work starts. If the matrix cannot answer those questions, it is not a governance tool. It is a filing system for shared uncertainty.

Patrick Hudson's maturity model helps here because maturity is not the number of meetings. It is the degree to which the site can keep ownership stable when pressure rises. A mature system still has committees, but the committee does not replace the decision owner. It exposes whether the owner actually exists.

What real decision rights look like in the field

Real decision rights are visible because they are specific. The owner knows what can be changed, when it can be changed, and which evidence is required before the change is accepted. The owner also knows where the limit sits. A good matrix does not make everyone responsible for everything. It gives each person a narrow but real zone of control.

• Who can stop the work without asking for permission.
• Who can re-sequence the job when conditions change.
• Who can approve a temporary deviation and set the review date.
• Who must verify the control in the field before the next shift.
• Who owns the decision when contractor, maintenance, and operations collide.

That list sounds basic because it is basic. The difficulty is not writing it. The difficulty is keeping it true when schedule pressure rises and the organization tries to trade authority for speed. In those moments, the site reveals whether decision rights are lived or merely described.

How a plant manager can reset decision rights in 30 days

Start with the ten most repeated decisions that affect serious risk. Assign each one to a single owner, not a committee, and write down what that owner can change without waiting for another signature. If the answer is unclear, the decision is not yet owned.

1. Map the highest-risk recurring decisions and the current sign-off path.
2. Remove sign-off from any role that cannot change the control.
3. Give temporary deviations a review date and a named decision owner.
4. Verify one closed item each week in the field, not just in the tracker.
5. Escalate any cross-functional hazard to one accountable owner, not three observers.

Then audit the gap between declared and operated ownership. If a supervisor can sign but not stop, if a manager can approve but not verify, or if a committee can record but not decide, the site still has cosmetic control. The fix is not a new slogan. It is a narrower and clearer decision line.

If your team needs a deeper reset, start with Andreza Araujo's safety decision rights matrix, then use the thinking in Safety Culture: From Theory to Practice and A Ilusao da Conformidade to test whether the matrix survives actual work. For leaders who need to see how risk governance should sit across functions, the next useful read is the broader article on critical-risk ownership.

For a site-level reset, Andreza Araujo's work is the right place to start because it connects culture, authority, and field evidence instead of treating them as separate conversations. Visit Andreza Araujo for the broader body of work and the book titles that anchor this approach.