Critical Controls – a useful concept or the latest fad in risk management?

– by Peter Wilkinson

10 years ago, a well-known international mining company asked me to look at their work relating to operational risks.

I was shown a list of their top ten operational risks. I asked, what lay behind this list? What analysis had they carried out, and what were their assumptions?

Two things stuck out. Firstly, the sheer number of “controls” identified. There were somewhere between 60 and 90 controls on each risk bowtie. Secondly, they had discounted some risks because they had never eventuated in the history of the company. They were dismissed because they were considered very low likelihood (although the consequences could be serious), despite them having occurred in other companies. Blindness to very low likelihood but high consequence events is a topic for another day.

I asked how they managed all these controls. Who was accountable for implementing them? How was their performance checked? What was the governance over these top ten operational risks, noting that some significant low probability but high consequence ones were excluded? In my opinion there were too many controls to manage in detail. Further investigation showed that some controls were so general as to have only the slightest impact on risk control in practice. The company “induction process” for new recruits was but one example, and I found that the performance of many other controls was not effectively checked.

Are some controls more important than others, and can you have too many controls? Guidance on managing risk, particularly in complex engineered systems, often refers to the importance of “defence in depth[1]” drawing on Reason’s famous Swiss cheese model. This explains the importance of having more than one control for each threat or cause to increase redundancy and reduce dependence on any one control. Quite so, but when does “more” become less? More and more controls may seem to make the risk management system better. But can they over-complicate the system too?

In connection with the 2010 BP Macondo/Deepwater Horizon disaster in the US Gulf of Mexico, it was observed:

“… that an ever-increasing number of effective barriers [controls] would [seem to] equate to an improvement in … risk management. Unfortunately, … additional …[controls] can increase the complexity of the … system… An example of the additional …complexity … is a feeling of complacency about the health of the …system … The extent of this complacency can range from a slight easing in the intensity of the risk management effort through to the firm belief that these extra [controls] render the organization immune to the occurrence of [these risks]. So more can be less[2].”

Partly in reaction to these ideas, some have asked if all risk controls have the same importance. Consciously or otherwise, people were making judgments on the relative merit of different risk controls. But on what basis were these decisions made? What was the rationale for what was put on the bowtie? Guidance was needed. Several organisations were thinking along the same lines. An early mover was Energy Safety Canada (formerly Enform), which published guidance on how to determine the relative significance of controls[3]. At much the same time, the International Council on Mining and Metals (a global peak body for the mining industry) embarked on a similar exercise and published a detailed guide to implementing critical controls[4]. In 2019, the Australian Institute on Health and Safety published guidance on Prevention and Intervention in its Book of Knowledge series[5], which refers to the critical control approach. More recently still, the Risk Management Institute has embraced the concept and offers training in this idea[6].

So, is it a passing fad? I don’t think so. The critical control approach is used, with variations, in different parts of the world by diverse organisations, including some major corporations. The critical control approach provides a decision support tool to help allocate our effort to identify, manage and measure the efficacy of our risk control strategy by focusing on what matters most.

