Risk Register Decay: 8 Signals That Expose Stale Controls
A critical diagnostic for EHS managers and risk leaders whose risk register looks current while the controls underneath have stopped matching real work.

Key takeaways
- Risk register decay happens when the file remains tidy while work, controls, people, or exposure have changed.
- The strongest warning signals are stale owners, repeated temporary controls, unchanged ratings, and weak links to field verification.
- An annual review is too slow for high-risk tasks affected by shutdowns, contractors, process changes, or recurring deviations.
- Leaders should treat register age, evidence age, and control age as separate questions.
- A decayed risk register can make an operation look governed while critical controls are already drifting.
Risk register decay is the gradual loss of decision value in a risk register after hazards, controls, owners, assumptions, or exposure conditions change faster than the file is reviewed. The register still looks official, although the operational picture underneath has moved.
A risk register can fail while every field is filled in. The hazard is named, the rating is approved, the owner is assigned, and the review date is not yet overdue. Yet the task has changed, contractors have entered the work, temporary controls have become normal, and the person who owns the line item has not walked the exposure in months.
The thesis is blunt: a risk register is not a memory bank for last year's assessment. It is a live decision instrument, and when it stops changing after work changes, leaders begin using old certainty to approve new exposure. Across 25+ years in executive EHS roles and more than 250 cultural transformation projects, Andreza Araújo has seen this pattern in companies that are careful on paper but slow to notice when the file no longer describes the job.
Why a current risk register can still be wrong
A current risk register can still be wrong because the review date proves administrative attention, not field truth. A risk review may confirm that a line item exists, while nobody confirms whether the control still performs under the conditions that now shape the work.
ISO 45001:2018 expects organizations to identify hazards, assess risks, plan controls, evaluate performance, and respond to change. The standard's logic matters here because risk information has to move with the operating system. If the register does not absorb change, it becomes a compliance archive rather than a management tool.
In The Illusion of Compliance, the English gloss of Andreza Araújo's A Ilusão da Conformidade, the central warning is useful for risk management: formal evidence can create comfort while the workplace has already left the evidence behind. Risk register decay is exactly that kind of comfort.
1. The same owner appears beside too many high-risk items
The first signal is owner overload. When one EHS manager, maintenance planner, or operations leader appears beside 20 high-risk items, ownership has become symbolic. The person may be accountable in the file, but the span is too wide for meaningful verification, challenge, and escalation.
Owner overload often hides a weak decision rule. The organization wants every risk to have a name, so it assigns the person who is closest to the system rather than the person who can change the exposure. A line manager who controls staffing, work sequencing, access, or equipment condition may be absent from the register, while EHS carries the visible accountability.
Use a simple test. For each high-risk item, ask what decision the named owner can make without asking permission. If the answer is unclear, the register has an accountability label rather than a control owner. The Headline guide on building a critical control verification calendar is useful because calendar ownership forces the name in the file to meet the field condition.
2. Risk ratings do not change after incidents, near misses, or deviations
The second signal is rating immobility. A serious near miss occurs, a permit exception is accepted, a temporary field change appears, or a control fails during inspection, yet the register keeps the same likelihood, severity, and residual risk rating. That stability may look mature, although it often means nobody is allowing fresh evidence to disturb the old judgment.
James Reason's work on latent failures helps explain why this matters. The visible event is often only the last expression of design, planning, maintenance, supervision, purchasing, and leadership decisions. When an event does not change the register, the company may be treating the event as a local failure rather than as evidence about the control system.
The practical rule is to create review triggers that are not tied only to the calendar. Any serious near miss, repeated deviation, critical-control failure, contractor interface change, or unplanned shutdown condition should force a register check. The check may confirm that the rating is still valid, but that confirmation should be argued, not assumed.
3. Temporary controls stay in the register without an expiry decision
The third signal is temporary permanence. A spotter, manual watch, extra sign, barricade, portable detector, supervisor approval, or additional checklist enters the register as a short-term control, then remains there for months because nobody has decided whether it should become engineered, procedural, or removed.
Temporary controls are not weak by definition. They can protect people during repairs, shutdowns, trials, and abnormal operations. They decay when the register stops showing why the temporary control exists, who reviews it, what condition ends it, and what stronger control is being pursued.
This pattern sits close to the Headline article on screening temporary field changes before work continues. The same discipline belongs inside the register. A temporary control should carry an expiry date, an escalation threshold, and a named decision about whether work can continue if the control becomes unavailable.
4. The register names controls that no one has verified in the field
The fourth signal is evidence age. The register says machine guarding, gas testing, isolation verification, traffic separation, ventilation, or supervisor approval is in place, but the evidence behind that statement is old, generic, or purely documentary. The control exists in language before it exists in proof.
Evidence age is different from register age. A register line reviewed last week can still depend on a control photo from 9 months ago or a procedure that was never tested on night shift. That gap matters because the file may be fresh while the evidence is stale.
For high-risk items, require the register to name the last verification method and date. A field walk, functional test, permit sample, observation, maintenance record, or supervisor interview may all count, but the evidence should match the control being claimed. If the register cannot show how the control was verified, leaders should treat the line item as unproven.
5. New contractors enter the work without changing the risk assumptions
The fifth signal is contractor blindness. The register assumes a stable crew, known supervisors, routine communication, and familiar plant rules, while the work now includes new contractor teams, subcontractors, language differences, different tools, or short-term supervision. Exposure changes because the social and operational system changes.
Many organizations update contractor onboarding files without updating the risk register. That separation is dangerous because the register still carries assumptions about competence, access, supervision, handover, and emergency response that may no longer be true. The file describes a workforce that is not the workforce doing the task.
Use contractor mobilization, scope expansion, new subcontractor use, and night-shift contractor work as automatic review triggers. The related Headline comparison of contractor prequalification, onboarding, and field oversight shows why the gate has to match the exposure stage.
6. Controls are listed without failure modes
The sixth signal is control optimism. The register says guarding, interlock, training, ventilation, permit, barrier, alarm, or inspection, but it does not say how that control can fail. A control without a failure mode is treated as present or absent, which is too crude for serious risk management.
Alarms can be ignored, bypassed, misunderstood, or lost in noise. Barriers can be moved, damaged, or placed too late. Permits can be copied from yesterday. Training can be forgotten when the task is rare. The risk register becomes stronger when it names those failure paths because the review can then ask whether the organization is testing the right weakness.
Andreza Araújo's Safety Culture: From Theory to Practice argues that culture appears in repeated decisions under pressure. A register that only lists controls misses those pressure points. It should ask where the control is most likely to be traded away, rushed, normalized, or left unchallenged.
7. The register cannot show which risks changed after management review
The seventh signal is meeting invisibility. Leaders review the risk register, minutes are produced, and the dashboard shows completion, but no one can say which risk changed because the meeting happened. A management review that leaves no trace in risk decisions may be governance theater.
This is not an argument for constant rating changes. Some risks should remain stable after review because the evidence supports the existing judgment. The problem appears when every meeting confirms the register and none of the meetings changes ownership, escalation, funding, verification frequency, or the stop-work threshold.
Ask one question after every risk review: what decision changed because we looked at this evidence? If the answer is none for several cycles, the process may be reporting risk rather than managing it. The Headline article on verification pass rate versus closure rate offers a useful metric lens for this distinction.
8. The highest risks are written in language too vague to test
The eighth signal is vague risk language. Phrases such as inadequate supervision, poor communication, unsafe behavior, lack of awareness, or failure to follow procedure may sound familiar, but they do not tell a leader what exposure exists, which control failed, or what field test would prove improvement.
Vague language keeps a risk alive because nobody can falsify it. A sharper line item names the task, the hazard, the control expectation, the failure mode, the owner, and the verification method. Instead of poor communication during maintenance, write missed isolation-status handover between maintenance and production before restart, verified by shift handover sample and lock record review.
The rewrite may feel slower, yet it prevents a much larger delay later. When a serious event occurs, vague register language makes investigation harder because the team cannot see what the organization thought it was controlling before the event.
Comparison: healthy register vs decayed register
| Dimension | Healthy risk register | Decayed risk register |
|---|---|---|
| Ownership | Owner has authority over the exposure and can change work conditions | Owner is a name in the file with limited decision rights |
| Review trigger | Incidents, deviations, contractors, and changes force review | Annual review is the main trigger |
| Control evidence | Last verification method and date are visible | Control is accepted because it appears in a procedure |
| Temporary controls | Expiry condition and escalation path are named | Short-term measures become normal without decision |
| Management review | Decisions change ownership, funding, frequency, or thresholds | Meetings confirm the register without changing risk treatment |
What leaders should do in the next 30 days
Start with the top 15 high-risk line items, not the full register. For each one, check owner authority, last field verification, temporary-control expiry, incident or deviation history, contractor assumptions, and language clarity. This gives leaders a fast diagnostic without turning the review into a clerical clean-up project.
Then separate three dates: the date the line item was reviewed, the date the evidence was collected, and the date the control was last tested under real operating pressure. If those dates tell different stories, listen to the oldest one. That is often where decay has started.
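The 30-day diagnostic above is mechanical enough to run over a register export. The script below is an added example, not the author's tool or a product described on this page: it flags owner overload (signal 1), temporary controls without an expiry decision (signal 3), stale or missing field evidence (signal 4) and untestable language (signal 8), and it names which of the three dates tells the oldest story. The thresholds (owner span, evidence age, control-test age) and the sample register are assumptions constructed for the demonstration.

```python
"""Decay diagnostic over a risk register export.

Added example for this article, not the author's tool: it flags the decay
signals the article lists on a constructed register. Thresholds (owner span,
evidence age, control-test age) are assumptions for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class RegisterItem:
    item_id: str
    risk_statement: str
    risk_level: str                  # "high", "medium" or "low"
    owner: str
    reviewed_on: date                # register age: last line-item review
    evidence_on: Optional[date]      # evidence age: last field verification of the control
    tested_on: Optional[date]        # control age: last test under real operating pressure
    verification_method: str = ""    # e.g. "field walk", "functional test", "lock record review"
    temporary_control: bool = False
    temp_expiry: Optional[date] = None


# Signal 8 phrases that cannot be falsified in the field (assumed list, extend as needed).
VAGUE_PHRASES = ("inadequate supervision", "poor communication", "unsafe behavior",
                 "lack of awareness", "failure to follow procedure")


def age_days(today: date, when: Optional[date]) -> Optional[int]:
    """Days since `when`, or None if the date was never recorded."""
    return None if when is None else (today - when).days


def oldest_story(item: RegisterItem) -> str:
    """Name the oldest of the three dates the 30-day plan separates.
    A date that was never recorded counts as the oldest story of all."""
    dates = {"register review": item.reviewed_on, "field evidence": item.evidence_on,
             "control test": item.tested_on}
    return min(dates, key=lambda k: (dates[k] is not None, dates[k] or date.min))


def diagnose(items: List[RegisterItem], today: date, owner_limit: int = 10,
             evidence_max_days: int = 90, test_max_days: int = 180) -> Dict[str, List[str]]:
    """Return {item_id: [finding, ...]} for high-risk items showing decay.

    Checks map to the article's signals: owner overload (1), temporary
    permanence (3), stale or missing evidence (4), vague language (8).
    """
    high = [i for i in items if i.risk_level == "high"]
    span = Counter(i.owner for i in high)          # high-risk items carried per owner
    findings: Dict[str, List[str]] = {}
    for i in high:
        flags: List[str] = []
        if span[i.owner] > owner_limit:
            flags.append(f"owner overload: {i.owner} holds {span[i.owner]} high-risk items")
        if i.temporary_control and (i.temp_expiry is None or i.temp_expiry < today):
            flags.append("temporary control without a live expiry decision")
        ev, reg, te = (age_days(today, d) for d in (i.evidence_on, i.reviewed_on, i.tested_on))
        if ev is None or not i.verification_method:
            flags.append("control unproven: no field verification method or date")
        elif ev > evidence_max_days:
            flags.append(f"evidence age {ev}d exceeds {evidence_max_days}d "
                         f"(line reviewed {reg}d ago)")
        if te is None or te > test_max_days:
            flags.append(f"control not tested under real operating conditions "
                         f"within {test_max_days}d; oldest story is {oldest_story(i)}")
        if any(p in i.risk_statement.lower() for p in VAGUE_PHRASES):
            flags.append("risk language too vague to test")
        if flags:
            findings[i.item_id] = flags
    return findings


TODAY = date(2024, 6, 1)   # constructed reference date for the sample

SAMPLE_ITEMS = [   # constructed sample register, not real data
    RegisterItem("HR-01", "Missed isolation-status handover between maintenance and "
                 "production before restart", "high", "M. Costa",
                 date(2024, 5, 20), date(2024, 5, 15), date(2024, 3, 1), "lock record review"),
    RegisterItem("HR-02", "Poor communication during maintenance", "high", "J. Silva",
                 date(2024, 5, 25), date(2023, 8, 1), None, "procedure on file"),
    RegisterItem("HR-03", "Confined space entry without confirmed gas test", "high", "J. Silva",
                 date(2024, 5, 1), date(2024, 5, 1), date(2024, 5, 1), "field walk",
                 temporary_control=True, temp_expiry=None),
    RegisterItem("HR-04", "Pedestrian struck by forklift at loading bay", "high", "J. Silva",
                 date(2024, 5, 28), date(2024, 5, 28), date(2024, 5, 28), "observation"),
    RegisterItem("MR-01", "Lack of awareness of chemical labels", "medium", "J. Silva",
                 date(2024, 1, 10), None, None),
]


def run_sample() -> Dict[str, List[str]]:
    """Run the diagnostic on the sample with an owner span limit of 2 (assumed for the demo)."""
    return diagnose(SAMPLE_ITEMS, TODAY, owner_limit=2)


if __name__ == "__main__":
    for item_id, flags in run_sample().items():
        print(item_id)
        for flag in flags:
            print("  -", flag)
```

On the sample, HR-01 produces no findings because its evidence is recent, its method is a field record, and its control was tested within the window; HR-02 collects four findings even though its line was reviewed a week earlier, which is the register-age versus evidence-age gap the section describes. The medium-risk item is ignored on purpose: the plan starts with the top high-risk items, not the full register.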
FAQ
What is risk register decay?
Risk register decay is the loss of decision value that happens when a risk register stops matching current work, controls, owners, assumptions, or exposure conditions. The file may still look current while the underlying risk picture has changed.
How often should a risk register be reviewed?
High-risk items should be reviewed when meaningful change occurs, not only on an annual schedule. Serious near misses, repeated deviations, contractor changes, temporary controls, and control failures should all trigger review.
What is the difference between register age and evidence age?
Register age is the time since the line item was reviewed. Evidence age is the time since the claimed control was verified in the field. A line item can be reviewed recently while relying on old evidence.
Who should own a high-risk register item?
The owner should be the person with authority to change the exposure, control, staffing, work method, or escalation threshold. If the named owner can only remind others or update the file, ownership is probably too weak.
What is the fastest way to find stale controls?
Review the top 15 high-risk items and ask for the last field verification method, date, owner decision, temporary-control expiry, and related incident or deviation history. Missing answers point to stale controls.
About the author
Andreza Araújo
Safety Culture Expert | Senior EHS Executive
Andreza Araújo is a safety culture expert and senior EHS executive with more than 25 years of experience in environment, health and safety. She is a Civil Engineer and Occupational Safety Engineer from Unicamp, holds a Master's degree in Environmental Diplomacy from the University of Geneva, and completed sustainability studies at IMD Switzerland. Andreza has served in Global Head of EHS roles in Fortune 500 environments, leading cultural transformation programs across multinational operations. She has represented Brazil as a speaker at the United Nations in Paris and has spoken at the International Labour Organization in Turin. She is the author of more than 16 books on safety culture in Portuguese, Spanish, English and German. Her work has earned more than 10 EHS awards, including two recognitions from Indra Nooyi, former PepsiCo CEO.
- Civil & Safety Engineer (Unicamp)
- M.A. Environmental Diplomacy (University of Geneva)
- Sustainability Cert (IMD Switzerland)
- People Management & Coaching (Ohio University)
- UN Paris speaker representative for Brazil
- ILO Turin speaker
- LinkedIn Top Voice
- Indra Nooyi PepsiCo CEO recognition (2x)