Risk Management

What-If Analysis: 7 Questions Before Controls Fail

What-If Analysis protects high-risk work only when each question tests degraded conditions, safeguards, ownership, and proof before exposure starts.

Key takeaways

  1. Diagnose the decision point that could injure someone before listing hazards, because serious events often start with authority and timing.
  2. Test degraded conditions such as late permits, absent experts, poor lighting, new crews, changed equipment, and handover gaps before work begins.
  3. Separate safeguards from wishes by requiring controls that can be observed, verified, assigned, and maintained under real field conditions.
  4. Escalate beyond What-If Analysis when SIF potential, complex process hazards, major change, or uncertain safeguards exceed the method's reach.
  5. Use Andreza Araujo's books and ACS Global Ventures diagnostics to turn risk assessment questions into leadership decisions and field controls.

What-If Analysis is one of the simplest risk assessment methods, which is exactly why it is often underestimated. A supervisor can run it before a task, an EHS manager can use it in a workshop, and a plant leader can apply it when a formal HAZOP would be too slow for the decision window.

The problem is not the method. The problem is the shallow version of the method: a room asks a few generic questions, records obvious hazards, assigns training as the control, and leaves the real failure modes untouched. In high-risk work, that version creates confidence without control.

The thesis of this article is direct. What-If Analysis works when each question tests a barrier, a decision, a human interface, or a degraded condition. It fails when the team uses it as a brainstorming ritual detached from authority, verification, and follow-up.

What-If Analysis is a structured challenge to the plan

What-If Analysis asks how a task, process, or change could fail before people are exposed to the failure. The method sounds informal, although the useful version is disciplined: define the scope, name the credible deviations, test existing controls, assign ownership, and verify whether the control can actually stop the event.

IEC 31010 describes What-If Analysis as a recognized risk assessment technique, often used when teams need broad scenario coverage without the detail level of HAZOP. That makes it practical for maintenance work, temporary operations, startups, contractor activities, and operational changes where waiting for a heavy study would leave the organization blind.

Across 25+ years leading EHS in multinationals, Andreza Araujo has seen that simple methods only protect people when leaders respect their discipline. A weak What-If session is not harmless because it can persuade the organization that the job has been challenged when the most serious assumptions were never touched.

1. Start with the decision that could hurt someone

The first useful question is not what could go wrong in general. The better starting point is which decision, if wrong, could put a person inside the line of fire, release energy, expose a worker to a toxic substance, or remove a critical control.

This matters because many workshops drift into lists of hazards that everyone already knows. The team writes slips, trips, manual handling, and PPE, while the real exposure sits in a production decision, a bypass approval, a late isolation, or a supervisor accepting a degraded condition to protect schedule.

Ask the room to name the decision point. Who can stop the job? Who can approve deviation from the plan? Who decides whether the equipment is clean, isolated, depressurized, guarded, or ready to restart? Once the decision is visible, the What-If question becomes sharper because it tests authority, not only hazard awareness.

As Andreza Araujo argues in Safety Culture: From Theory to Practice, safety culture appears in repeated leadership behavior. A What-If session reveals that behavior when the team asks whether managers will protect the control after the meeting, especially when production pressure returns.

2. Test degraded conditions instead of perfect execution

What-If Analysis becomes valuable when it assumes the job will not run under perfect conditions. The weather changes, the permit is late, the experienced technician is absent, the spare part is different, the contractor crew is new, and the shift handover loses context.

Most paper controls are designed for the planned job. Serious events often form when the job drifts from the plan while everyone still believes the original controls are valid. That is why the team should ask what happens if the job starts two hours late, if lighting is poor, if the isolation point is mislabeled, if two teams work in the same area, or if a temporary platform is moved.

The existing article on pre-task risk assessment explains the supervisor checks that happen immediately before work begins. What-If Analysis should feed those checks, because a workshop that does not change the field conversation has not reached the people who control exposure.

25+ years of Andreza Araujo's executive EHS experience point to a repeated weakness: organizations often plan for nominal work while injuries emerge from abnormal work that became normal through repetition.

3. Separate safeguards from wishes

A safeguard is something that can be observed, tested, assigned, and maintained. A wish is a sentence that sounds protective but cannot stop energy, exposure, motion, pressure, heat, violence, fatigue, or error from reaching the worker.

Training, awareness, and attention may support performance, but they are rarely sufficient answers to a serious What-If scenario. If the question is what happens when a valve is opened in the wrong sequence, the safeguard cannot be only "remind operators to follow procedure". The team has to ask whether there is an interlock, physical separation, independent verification, labeling, lockout, supervision, or another control that can be checked before the step.

The article on risk matrix failures is relevant here because many teams lower the risk score after writing an administrative control that has no proof of effectiveness. A What-If session should resist that comfort and ask how the control would fail.

James Reason's work on latent conditions helps frame this without blaming the operator. If the system leaves ambiguous labels, conflicting procedures, weak supervision, or inaccessible isolation points, the active error at the end is only the visible piece of a larger design problem.

4. Ask what would make the control unavailable

The strongest What-If questions challenge the control itself. A team should not stop after asking what happens if a hazard appears. It should ask what happens if the control expected to manage that hazard is missing, bypassed, degraded, misunderstood, or unavailable at the moment of need.

For energized work, what if the verification meter is not tested before and after use? For confined space, what if the rescue team is off-site? For lifting, what if the exclusion zone is broken because the load path crosses the only walkway? For chemical transfer, what if the compatible hose is unavailable and the crew substitutes another one?

This line of questioning connects directly with critical control verification, because the issue is not whether the control exists in the risk assessment. The issue is whether someone can prove it is ready before the exposure begins.

In more than 250 cultural transformation projects supported by Andreza Araujo, one pattern appears often: teams speak confidently about controls that no one has verified in the field. What-If Analysis can break that pattern if the facilitator refuses to accept control names without evidence.

5. Put the right people in the room

What-If Analysis fails when the people who understand the work are absent. A manager may know the procedure, an engineer may know the design intent, and EHS may know the method, but the operator and maintainer often know where the plan becomes awkward, rushed, ambiguous, or physically difficult.

The session should include people with operating knowledge, maintenance knowledge, supervision authority, engineering support when relevant, and EHS facilitation. Contractor work should include contractor supervision, not only the host company, because the crew's equipment, language, experience, and fatigue profile can change the risk picture.

The facilitator should also protect dissent. If the newest technician says the valve order is confusing, the room should not turn that into a competence debate. The better question is what makes the order confusing and whether the system can be changed before the job starts.

Andreza Araujo's Make The Difference: Be a Leader in Health & Safety is useful here because operational leaders influence whether frontline knowledge becomes prevention or stays silent. The method only learns from reality when leaders make it safe to contradict the plan.

6. Convert each scenario into an owner and a proof point

A What-If finding is unfinished until it has an owner, a due date, and a proof point. Without those three elements, the session may generate a useful conversation and still produce no change in the field.

Use a simple action logic. For each credible scenario, record the existing control, the gap, the owner who can close it, the verification evidence, and the decision rule for starting or stopping the job. If no one has authority to close the gap before the exposure, the job is not ready.

The existing article on risk register fields explains how ownership and update cadence keep controls alive after the workshop. What-If Analysis should not become a disconnected worksheet when the finding belongs in the risk register, maintenance plan, permit system, or management of change process.

50% accident-ratio reduction in six months at PepsiCo South America came from disciplined execution under Andreza Araujo's leadership, not from slogans. The lesson for What-If Analysis is that a question has value only when the organization follows it into execution.

7. Know when What-If Analysis is not enough

What-If Analysis is flexible, but it should not be used as a substitute for every method. Complex process hazards, toxic releases, interdependent safeguards, and high-consequence chemical scenarios may need HAZOP, LOPA, Bow-Tie, FMEA, or another method whose structure fits the decision.

The comparative guide on HAZOP, FMEA, and Bow-Tie helps EHS managers choose the right method when the scenario requires deeper analysis. What-If Analysis is often the right first challenge, but it is not always the final study.

A practical rule is to escalate when the scenario involves SIF potential, multiple failed barriers, regulatory exposure, unfamiliar technology, major change, or uncertainty that the team cannot resolve with available knowledge. Escalation is not bureaucracy. It is intellectual honesty about method limits.

What a good What-If record should include

A good record is short enough to use and specific enough to audit. It should show the scope, participants, assumptions, scenarios, existing controls, control gaps, owners, due dates, verification evidence, and the decision rule for whether work can proceed.

Record field | Why it matters
--- | ---
Scenario | Names the credible deviation, not a generic hazard category.
Existing control | Shows what the team believes will prevent or reduce the event.
Control gap | Identifies what is missing, weak, unavailable, or unverified.
Owner | Assigns authority to someone who can close the gap.
Proof point | Defines the evidence needed before the job starts or continues.

Each repeated job that begins with an untested What-If assumption teaches the organization to accept uncertainty as normal, while the crew carries the exposure in real time.

The leadership trap to avoid

The biggest trap is using What-If Analysis to prove that work can proceed rather than to discover whether it should proceed. When leaders enter the room with the decision already made, the method becomes a permission exercise.

A stronger leader asks the uncomfortable question and accepts the operational consequence. If the answer reveals that isolation is unclear, rescue is not ready, the contractor crew is not aligned, or a critical control cannot be verified, the correct outcome may be delay, redesign, escalation, or cancellation.

That is the difference between paperwork and safety culture. The worksheet records the question, but the culture is revealed by what the organization does when the answer is inconvenient.

Frequently asked questions

What is What-If Analysis in safety?
What-If Analysis is a structured risk assessment technique that asks how a task, process, or change could fail before people are exposed. It is useful for maintenance, temporary operations, startups, contractor work, and operational changes because it challenges assumptions without requiring the full detail of a HAZOP.
When should EHS use What-If Analysis?
EHS should use What-If Analysis when the team needs fast but disciplined scenario testing. It fits pre-job planning, management of change screening, non-routine work, and workshops where operators, supervisors, engineers, contractors, and EHS can test credible deviations together before work starts.
What is the difference between What-If Analysis and HAZOP?
What-If Analysis is broader and more flexible, while HAZOP is more systematic and detailed for process deviations. What-If may be enough for many operational decisions, but complex process hazards, chemical releases, interdependent safeguards, and high-consequence scenarios often require HAZOP or another deeper method.
What should a What-If Analysis record include?
A useful record includes the scope, participants, assumptions, scenarios, existing controls, control gaps, owners, due dates, verification evidence, and the decision rule for starting or stopping work. Without ownership and proof, the record may document discussion without changing exposure.
How does Andreza Araujo connect What-If Analysis to safety culture?
Andreza Araujo's work in Safety Culture: From Theory to Practice connects methods with repeated leadership behavior. A What-If session shows culture when leaders decide whether to act on inconvenient answers, verify controls, and protect the crew from schedule pressure.

About the author

Global Safety Culture Specialist

Andreza Araujo is an international reference in EHS, safety culture and safe behavior, with 25+ years leading cultural transformation programs in multinational companies and impacting employees in more than 30 countries. Recognized as a LinkedIn Top Voice, she contributes to the public conversation on leadership, safety culture and prevention for a global professional audience. Civil engineer and occupational safety engineer from Unicamp, with a master's degree in Environmental Diplomacy from the University of Geneva. Author of 16 books on safety culture, leadership and SIF prevention, and host of the Headline Podcast.

  • Civil Engineer (Unicamp)
  • Occupational Safety Engineer (Unicamp)
  • Master in Environmental Diplomacy (University of Geneva)