ALARP: 7 Tests Before Accepting Residual Risk

ALARP fails when it becomes a polite signature under a risk matrix that nobody wants to challenge. This guide gives EHS managers seven evidence tests before accepting residual risk as low as reasonably practicable.

Why ALARP is not a permission slip

ALARP means risk has been reduced as low as reasonably practicable, with further reduction rejected only when the sacrifice is grossly disproportionate to the safety benefit. The Health and Safety Executive's tolerability model made this principle famous, but many companies apply the acronym without the discipline behind it.

The weak version of ALARP asks whether the risk rating moved from red to yellow. The stronger version asks whether the organization has exhausted practicable controls, verified that those controls work in the field, and documented why the remaining exposure is tolerable for workers, supervisors, and senior leaders.

As Andreza Araujo argues in Safety Culture: From Theory to Practice, culture is visible in the gap between what the procedure says and what the operation actually rewards. ALARP sits exactly inside that gap, because residual risk is not a number on a form. It is the exposure someone accepts on behalf of another person.

1. Test whether the hazard is still intolerable

An ALARP review starts by asking whether the residual risk is still too high to tolerate, even after the current controls. If a credible fatality scenario remains, the answer cannot be hidden inside a medium score on the risk matrix blind spot.

What most safety programs miss is that severity does not disappear because likelihood was negotiated downward. A low-frequency event can still deserve executive attention when the consequence is death, permanent disability, or a multi-person loss scenario.

The practical test is simple enough to use in a risk review meeting, although it requires discipline. Ask whether the same residual risk would be accepted if the exposed person were named, the task were being performed tonight, and the board had to sign the decision before the work started.

2. Test whether alternatives were genuinely studied

ALARP requires proof that safer alternatives were considered before the organization accepts remaining exposure. ISO 31000:2018 treats risk treatment as a choice among options, not as a ritual update to a register.

Across 25+ years leading EHS in multinational operations, Andreza Araujo has seen that teams often call a control impracticable after checking only the fastest option. That is not ALARP. It is preference disguised as risk reasoning.

The EHS manager should ask for at least three alternatives when the scenario involves high energy, hazardous substances, confined spaces, lifting, mobile equipment, or electrical isolation. One option should reduce exposure by design, one should strengthen the barrier, and one should change execution or supervision.

3. Test whether critical controls are verified

A residual risk judgment is weak when the listed controls have not been verified under real operating conditions. A bow-tie may name barriers, but the ALARP question is whether those barriers are present, effective, independent, and maintained.

This is where ALARP connects directly with barrier questions in Bow-Tie analysis. A paper barrier should not carry the same confidence as an engineered interlock, a tested relief system, a verified permit condition, or a competent rescue capability.

For each critical control, require evidence from the last field verification, not only from the procedure owner. Evidence can include inspection records, functional tests, maintenance backlogs, competency checks, supervisor observations, and abnormal-condition drills.

4. Test the cost argument for gross disproportion

The cost argument in ALARP is not a normal business case, because life-safety benefit receives more weight than ordinary productivity gain. A measure is not rejected merely because it is inconvenient, late in the project, or absent from the original budget.

Companies often understate benefit by counting only expected injury reduction and ignoring reputation, downtime, prosecution exposure, labor relations, and trust after a serious event. They also overstate cost by treating temporary disruption as permanent loss.

Ask the decision owner to separate capital cost, downtime, engineering feasibility, staffing impact, and schedule impact. If the argument is only that the safer option is expensive, the ALARP demonstration is incomplete because it has not shown gross disproportion.

5. Test whether design controls were considered first

Residual risk is less credible when the team skipped design controls and moved directly to training, PPE, signs, or supervision. The hierarchy of controls remains the fastest way to detect a weak ALARP claim.

In Antifragile Leadership, Araujo describes how leaders create resilience when they redesign conditions instead of asking people to compensate forever for a fragile process. That logic applies to ALARP because permanent exposure should not be normalized when design choices can remove or reduce the energy source.

Use prevention through design decisions as a review lens before accepting residual risk. If a guard, layout change, interlock, automation step, substitution, or isolation improvement is available and practicable, ALARP has not been reached through administrative controls alone.

6. Test whether change has reopened the risk

An ALARP decision expires when the task, asset, crew, environment, or production pressure changes enough to alter exposure. Residual risk accepted last quarter may no longer be tolerable after a shutdown, contractor change, equipment modification, or staffing reduction.

This is why ALARP must be connected to management of change safety tests. A risk decision that is not linked to MOC becomes a frozen assumption, and frozen assumptions are exactly where serious incidents gain room to develop.

Require a revalidation trigger in every ALARP record. The trigger should state what change forces review, who owns the review, what evidence must be refreshed, and whether work stops while the review is incomplete.

7. Test whether the exposed team understands the decision

Workers and supervisors must understand the residual risk they are being asked to manage, because ALARP cannot live only in an office file. If the exposed team cannot explain the hazard, controls, stop criteria, and escalation path, the decision has not translated into safe execution.

In more than 250+ cultural transformation projects, Andreza Araujo observes that risk acceptance often becomes invisible at the field level. Leaders believe a decision has been communicated because a document was issued, while operators experience only a changed task with the same pressure to deliver.

The practical test is a field conversation with the people doing the job. Ask what could kill or seriously injure them, which control must never fail, what would make them stop, and who will support the stop if production pressure is high.

Comparison: weak ALARP versus defensible ALARP

Each month without a disciplined ALARP review allows old residual-risk decisions to survive new production pressure, contractor changes, equipment aging, and leadership turnover.

Conclusion

ALARP is credible only when leaders can show that residual risk was challenged through alternatives, verified controls, design thinking, change review, cost reasoning, and worker understanding.

If your organization accepts residual risk through forms but rarely tests the evidence behind those decisions, Andreza Araujo's safety culture and risk-management work can help turn the acronym into an accountable operating practice. Start with a focused diagnosis at Andreza Araujo.