Safety Risk Register: 7 Fields Leaders Need
A safety risk register only changes outcomes when leaders use it to expose weak controls, decision owners and SIF exposure before incidents occur.
Key takeaways
- 01 Diagnose whether each register line names a credible unwanted event, because broad hazard labels do not give leaders a concrete decision unit.
- 02 Separate SIF potential from injury history so low recordable rates do not hide fatality-credible exposure behind comfortable dashboard colors.
- 03 Audit control health with verified, degraded, unverified or absent status, since listed barriers can decay long before the next certification audit.
- 04 Assign risk owner, control owner and action owner separately so EHS does not become the false owner of operational exposure.
- 05 Bring the register into a Headline-style leadership conversation, where safety and operations decide what must change before work continues.
ISO 45001:2018 expects organizations to determine hazards, OH&S risks, opportunities and actions, yet many safety risk registers still behave like static spreadsheets prepared for audit day. This article shows the seven fields that turn a register into a leadership instrument for fatal-risk visibility, capital allocation and operational discipline.
Why a safety risk register fails when it only records hazards
A safety risk register fails when it stores hazards without forcing a decision about exposure, control strength, ownership and review frequency. The document may satisfy a procedural expectation, but it does not help a plant manager decide whether a shutdown, engineering change or temporary stop is justified.
On the Headline Podcast, Andreza Araujo and Dr. Megan Tranter often return to the gap between declared safety and real safety, because leaders can approve beautiful systems while workers still face uncontrolled energy, poor isolation or weak supervision at the job face. A register that does not make that gap visible becomes one more artifact of compliance.
The practical test is simple enough for a monthly review. If the executive team cannot use the register to identify the top 10 uncontrolled scenarios, the next capital decision, the overdue control verification and the owner of each exposure, the register is not a risk-management tool yet.
1. Field: credible unwanted event
The first field should name the credible unwanted event, not only the hazard, because leaders manage scenarios rather than labels. A hazard such as stored energy is too broad, while a credible event such as unexpected energization during conveyor maintenance gives the EHS manager a decision unit.
ISO 45001:2018 clause 6.1 requires planning for risks and opportunities, but the market often translates that requirement into generic hazard inventories. What most templates miss is that a leadership team cannot prioritize against a noun. It prioritizes against an event whose consequence, exposure and control quality can be challenged.
Use one sentence with an actor, an energy source and a consequence. For example, "maintenance technician exposed to unexpected restart during belt replacement" is stronger than "mechanical hazard", because it points directly to isolation, verification and supervision duties.
This field also connects naturally with FMEA for safety, where failure modes become useful only when they are specific enough to reveal how the work can actually fail.
2. Field: SIF potential and consequence boundary
The second field should identify whether the scenario has SIF potential, because serious injuries and fatalities do not follow the same management logic as minor first-aid events. A register that ranks all events with the same color scale can hide low-frequency, high-consequence exposure behind tidy averages.
As Andreza Araujo argues in her co-host work and in *Muito Além do Zero* (Far Beyond Zero), zero-accident narratives can reward silence when the organization treats low recordable rates as proof of control. The risk register must therefore separate consequence boundary from injury history, since "no previous fatality" is not the same as "no fatal potential".
The field should use a small set of values: fatality credible, life-altering injury credible, serious injury credible or no SIF potential under credible conditions. The EHS manager should require evidence for downgrading a scenario, especially when contractors, stored energy, confined space, height, vehicle movement or process safety interfaces are involved.
Four consequence bands are enough for executive use, because the goal is not mathematical elegance. The goal is to force the leadership conversation that a normal 5-by-5 matrix often avoids.
3. Field: control type and control health
The third field should distinguish the type of control from the current health of that control, because a listed barrier is not necessarily a working barrier. Engineering control, administrative control and PPE do not carry equal reliability, and even a strong barrier decays when inspection, training or maintenance stops.
This is where a safety risk register becomes more useful than a risk matrix with blind spots. The matrix may tell leaders that a scenario is high or medium, but the register should show whether the control depends on memory, physical separation, interlock, procedure, permit approval or personal protective equipment.
For each scenario, require the owner to record the critical control and a health status: verified, degraded, unverified or absent. Across 250+ cultural transformation projects, Andreza Araujo has observed that leaders often discover the truth late, because the system says the control exists while the field shows that it no longer performs.
A useful review question is whether the organization can prove the control worked in the last 30 days. If not, the register should show uncertainty rather than comfort.
4. Field: decision owner, not document owner
The fourth field should name the decision owner, because the person who updates the spreadsheet is often not the person who can fund, stop or redesign the work. Risk registers die when ownership stays trapped inside EHS administration.
On a recent Headline Podcast conversation about influence in safety leadership, the core problem was not whether safety professionals care enough. It was whether they can bring executives, operations and engineering into the same decision before the weak signal becomes an event.
Assign three roles where needed: risk owner, control owner and action owner. The risk owner accepts exposure on behalf of the business, the control owner proves that the barrier works, and the action owner closes the gap by a date that leadership can see.
Three owner fields prevent EHS from becoming the false owner of operational risk, especially in plants where maintenance, production and engineering control the real levers.
5. Field: trigger for review
The fifth field should define what triggers a review, because annual updates are too slow for work that changes weekly. A register that waits for the next audit cannot follow contractor mobilization, abnormal operation, equipment change or a near miss with high potential.
ISO 31000:2018 treats monitoring and review as part of risk management, not as a clerical afterthought. In safety, this matters because risk changes when the work changes, even if the procedure number and job title remain the same.
Use trigger language that supervisors recognize: after temporary modification, after first contractor shift, after near miss with SIF potential, after bypass request, after failed critical-control verification or before restart after shutdown. These triggers help the register behave like a living system rather than an archive.
This also protects leaders from false stability. A scenario that looked acceptable during normal production may become intolerable during maintenance, night shift or a rushed restart.
6. Field: escalation threshold
The sixth field should state when the scenario must move from local management to executive escalation. Without a threshold, teams normalize degraded controls until the risk becomes part of the routine.
James Reason's work on latent failures helps explain why this field matters. Serious events rarely depend on one frontline choice alone, because organizational decisions about staffing, design, pressure, maintenance and supervision create conditions in which the final act occurs.
Define escalation rules before pressure arrives. Escalate when a fatality-credible scenario has an absent or unverified critical control, when action closure passes 30 days, when the same weak signal repeats in two areas or when a temporary control becomes permanent by habit.
The escalation field also connects to Bow-Tie barrier questions, because both methods ask whether prevention and mitigation barriers are still credible under real operating conditions.
7. Field: next decision date
The seventh field should set the next decision date, because risk management without a calendar becomes intention rather than governance. The date should not be the next time someone edits the cell, but the next time a leader must decide whether to accept, reduce, transfer or stop the exposure.
*Antifragile Leadership* (Araujo) describes the leader's responsibility to grow from pressure rather than merely survive it. In risk-register language, that means every high-potential scenario should create a better decision rhythm, not only a corrective action line.
For fatality-credible scenarios with degraded controls, use weekly or biweekly review until the barrier is verified. For medium-risk scenarios with stable controls, monthly may be enough. For low-risk scenarios, quarterly review can work if there is no change trigger.
Each month without decision dates allows degraded controls to become invisible, while leaders keep reporting risk status from documents that no longer reflect the work.
Comparison: paper register vs decision register
| Dimension | Paper risk register | Decision risk register |
|---|---|---|
| Scenario wording | Lists hazards as broad labels | Names credible unwanted events with consequence |
| Control view | Records that a control exists | Shows control type, owner and verified health |
| Leadership use | Reviewed before audits | Reviewed before exposure is accepted |
| SIF visibility | Often hidden inside severity scores | Separated as a visible executive field |
| Escalation | Depends on personal judgment | Triggered by predefined thresholds |
The same logic can be strengthened with LOPA questions for leaders when the organization needs to test whether protection layers are independent enough for a high-consequence scenario.
Conclusion
A safety risk register becomes useful when it stops describing hazards and starts forcing leadership decisions about credible events, SIF potential, control health, ownership, review triggers, escalation and timing.
Headline Podcast exists as the space where leadership and safety come together to shape better workplaces and better lives. If your register is still a document for audit week, bring this conversation to your next executive safety review and ask which field would change the decision.
Frequently asked questions
What is a safety risk register?
What fields should a safety risk register include?
How often should a safety risk register be reviewed?
How does a risk register support ISO 45001?
How would Andreza Araujo use a risk register in leadership review?
About the author
Andreza Araujo
Host & Editorial Lead
Andreza Araujo is an international reference in EHS, safety culture and safe behavior, with 25+ years leading cultural transformation programs in multinational companies and impacting employees in more than 30 countries. Recognized as a LinkedIn Top Voice, she contributes to the public conversation on leadership, safety culture and prevention for a global professional audience. Civil engineer and occupational safety engineer from Unicamp, with a master's degree in Environmental Diplomacy from the University of Geneva. Author of 16 books on safety culture, leadership and SIF prevention, and host of the Headline Podcast.
- Civil Engineer (Unicamp)
- Occupational Safety Engineer (Unicamp)
- Master in Environmental Diplomacy (University of Geneva)