Redefining “Control” in Risk Management: A Necessary Shift for Critical Control Environments

Across the mining and quarrying industry, we routinely state that we “manage risk.” We conduct WRACs, complete JHAs, and populate control columns in risk registers and management plans. These processes are well established and widely applied.

However, an uncomfortable question must be asked: are we consistently defining controls accurately?

In many cases, what is recorded as a “control” is not, in fact, a control. It is a supporting activity, an administrative process, or a verification step. While these elements are important within a safety management system, they are not the safeguards that directly prevent harm. In a Critical Control Management environment, that distinction is fundamental.

Under contemporary guidance, including QGN35, a control is a measure that either prevents a material unwanted event from occurring or mitigates the consequences if it does. A control must directly interrupt the pathway between hazard and harm. If it does not materially reduce the likelihood or severity of an event, it is not functioning as a control.

When reviewing WRACs and JHAs across operations, common entries under “Controls” often include statements such as: the presence of a piece of equipment e.g. wheel chocks, procedure in place, pre-start completed, supervision provided, or toolbox conducted. These activities contribute to risk management, but they do not, in themselves, physically prevent a vehicle collision, stop a fall from height, or eliminate exposure to stored energy.

If such a measure were to fail tomorrow, would the unwanted event still be prevented? If the answer is yes, it was never the primary control.

This practice can also create confusion in the workforce as to what is an acceptable level of risk or what to actually check for or implement during the daily tasks.

This is not a criticism of past practice. It reflects a long-standing habit within the industry of blending safeguards, administrative processes, and verification activities into a single “controls” column. Under a Critical Control Management framework, however, that blending obscures what truly protects people from catastrophic outcomes.

The shift required is not procedural; it is conceptual.

It requires separating three distinct elements:

• The control itself: the safeguard that prevents or mitigates the event.

• Supporting activities: such as training, procedures and supervision, which strengthen the environment around the control.

• Verification activities: inspections, testing and reviews that confirm the control is functioning as intended.

For example, in managing vehicle interaction risk, true controls may include engineered separation, physical exclusion zones, or implemented collision avoidance systems. Training, traffic management plans and pre-start checks support and verify those controls, but they are not the barrier that physically interrupts the event pathway.

When everything is labelled a control, nothing is truly critical.

This definitional imprecision also creates challenges in how controls are recorded. Risk assessments often contain vague or bundled statements, lack clear linkage to the specific unwanted event, or fail to define measurable performance standards. Without clarity of description, assignment of accountability, and defined verification requirements, a control cannot be effectively managed as critical.

The transition to Critical Control Management demands greater precision. It compels us to ask not whether we have listed enough controls, but whether we have accurately identified the few safeguards that genuinely prevent catastrophic outcomes.

This shift can be uncomfortable. It may reveal that some risk assessments rely heavily on administrative measures rather than engineered or physical barriers. It may require rewriting long-standing documentation. It may expose gaps that were previously hidden by generic wording.

That discomfort, however, is a sign of clarity.

As site leaders and safety professionals, the responsibility extends beyond completing forms.It includes ensuring that risk assessments — from formal WRACs to daily JHAs — accurately reflect the controls that truly protect our workforce.

Precision in defining controls is not an academic exercise. In a critical risk environment, it is the difference between managing paperwork and managing prevention.

At SSE Co, we are working with operations across exploration, coal and quarrying to help teams rethink how they identify, define and record controls within their risk assessments and management systems. The objective is not to increase complexity, but to increase clarity — ensuring that critical controls are explicitly defined, owned, and verified.

The industry is entering a phase where Critical Control Management is no longer optional. As that transition occurs, the question is not whether we have controls documented, but whether we have defined them correctly.