Why Long Lists of Controls Aren't Effective

1 day ago
4 min read

When reviewing a risk register or investigating an incident, it’s common to find a long list of risk controls associated with a single hazard. But a long list of controls does not mean the hazard is being effectively managed. In fact, many of those listed controls may do very little to prevent harm.

Let’s unpack what risk controls are, how they work, and where we commonly go wrong.

Types of Risk Controls

There are different types of risk controls used to manage workplace hazards. Each serves a different purpose and varies in effectiveness:

Elimination Controls: Remove the hazard completely. This is the most effective control, but not always practicable.
Substitution Controls: Replace with something less hazardous.
Isolation Controls: Isolating people from energy sources or processes such as isolation devices, lockout / tagout procedures.
Engineering Controls: While these are sometimes lumped with physical controls, engineering controls can also involve design changes to isolate people from hazards.
Administrative Controls: These reduce exposure by altering the way work is organised. Examples include rosters, permits to work, job rotation, work scheduling.
Personal Protective Equipment (PPE): PPE does not reduce the hazard itself but provides a layer of protection for the worker. It relies heavily on correct use and maintenance.
Behavioural Controls: These include rules and expected behaviours. They are often the weakest controls because they rely on individuals doing the right thing every time.
Physical Controls: These include barriers, guards, interlocks, isolation systems and automated shutdowns. These are some of the most effective because they reduce reliance on human behaviour.
Documented Controls: Policies, procedures, safe work method statements (SWMS), checklists and protocols. These support other controls but do not prevent harm on their own.
Monitoring Controls: Devices such as gas detectors, smoke alarms, CCTV and temperature sensors. They provide early warning but require action to be effective.
System Controls: Includes embedded systems, automated controls, design standards and workflow approvals that reduce risk or ensure processes are followed.
Alerting and Warning Controls: Alarms, flashing lights, horns, and warning messages that signal danger or abnormal conditions. These provide cues for action but must be responded to.
Training and Competency Controls: Ensures workers understand the hazards and know how to work safely. While essential, these controls support safe work rather than prevent exposure directly.
Risk Management Controls: Tools such as risk assessments, Job Safety Analysis (JSA), SLAMs and Take 5's help identify hazards and controls however they are not controls themselves.
Verification Controls: Activities such as audits, critical control verifications and field-based assurance help confirm that controls are in place and working as intended. Like monitoring controls, these do not prevent harm directly, but without them you don't know if your controls are working effectively.

But even the most well-intended list of controls can fail if they're misunderstood, unsupported, or not working as intended.

Documents Are Not Controls

We often see policies, procedures and documents listed as the primary controls in a risk register.

Unless that document can:

physically monitor work,
communicate in real time with exposed workers, and
physically intervene to stop harm

It is not a control. It's guidance. Valuable, yes. But not a barrier to risk on its own.

This is one of the biggest myths in risk management. Documentation supports controls. It doesn't replace them.

Monitoring Is Not the End Point

Another area we see misunderstood is the role of monitoring. Take inspections for example. Conducting a daily inspection is not the control.

The act of collecting data or noting a condition is a supporting activity.
The real control is what happens next.
If the condition is outside the expected standard, you must act on it.
That means communicating the risk, fixing the condition, escalating the issue, and following up.

Monitoring without action is like seeing smoke and not reaching for the extinguisher.

Why Behavioural Controls Need Supervision

Controls that rely on behaviour (rules, procedures, wearing PPE, following signs) are among the weakest on the hierarchy. That doesn’t mean they aren’t useful – it means they need backup.

Supervision, coaching, and reinforcement become essential layers when behaviour-based controls are used.

In incident investigations, we rarely find that a worker's lack of training was the issue. More often:

The system allowed unsafe work to proceed
Monitoring didn’t pick up the issue (or wasn’t acted on)
Warning signals were ignored or misunderstood
Behavioural expectations were unclear or inconsistently enforced

Key Preventing Controls Must Work Together

To truly manage risk, you need to combine layers of controls:

A physical barrier might prevent access.
A monitoring device might detect change.
A system trigger might automate a response.
A warning alarm might alert others.
A trained worker might respond appropriately.

It’s about building a system that prevents harm even when one layer fails. That’s the foundation of critical control thinking.

Final Thoughts

A wall of documents, a spreadsheet of training records, or a box ticked on a checklist won’t stop someone from being injured. Risk control is about acting in the real world.

Ask yourself why your long lists of controls aren't effective:

Does this control actually stop exposure to the hazard?
Is it visible, functioning and effective?
Who verifies that it’s working?

Because when it comes to managing risk, effectiveness trumps volume.

Before you list another policy as your main risk control – ask yourself: would this stop someone getting hurt?

Have you ever wondered if your risk controls are actually doing what you think they are?

Now's the time to review your controls. We offer audits, workshops and critical control packages to help you cut through the noise and get real about risk.