Critical Risk Controls: The Difference Between Documented and Verified
Documenting a critical risk control and verifying it’s working are two different things. Here’s why the distinction matters – and what verification actually requires in practice.
Documented isn’t the same as working. Here’s the difference that matters.
Key takeaway: Most organisations in high-risk industries have documented their critical risk controls. Far fewer can demonstrate that those controls are working right now, today. The gap between the two is where serious incidents happen – and where the HSWA Amendment Bill is placing an explicit officer obligation.
Most organisations operating in high-risk industries have documented their critical risk controls. They’ve written them down, built them into procedures, included them in induction programmes, and referenced them in board reports. If you asked a senior leader whether their critical controls were in place, they’d say yes – and they’d be able to point to the paperwork to prove it.
What they’d often struggle to tell you is whether those controls are working right now, today, in the way they’re supposed to.
That gap – between what’s documented and what’s verifiably true – is where serious incidents tend to happen. And it’s the gap that the current legal and regulatory environment is increasingly asking boards and officers to close.
Why documentation isn’t enough
Documentation serves an important purpose. It records what a control is, who’s responsible for it, and what compliance looks like. Without it, you can’t manage critical risks systematically or demonstrate that you’ve turned your mind to them. But documentation describes intent, not reality. It captures what should be happening at the time it was written, not what’s actually happening on the ground today.
The distinction matters because critical risk controls can fail silently. A procedure might be documented but not followed, because workers have found a more efficient way to do the job. A piece of equipment might be listed as inspected but the inspection record reflects a tick-box exercise rather than a genuine check. A control that was functioning six months ago might have degraded as personnel changed, workloads increased, or supervision became less consistent. None of these failures necessarily show up in documentation. They show up in incidents.
The Port of Auckland case made this concrete. Exclusion zones around operating cranes were documented in policy but workers routinely didn’t comply with them. The documentation was accurate; the practice wasn’t. Tony Gibson was convicted in part because he hadn’t taken adequate steps to verify that the control was functioning in reality, not just on paper.
What verification actually means
Verification, in the context of critical risk controls, means having evidence – not assumption – that a control is in place and working as intended, at the time you need to know.
That’s a more demanding standard than most organisations currently apply to their H&S governance. It requires more than checking that a procedure exists or that an audit was completed. It requires some form of active confirmation: an observed practice, a completed check performed by someone with relevant knowledge, or a system that surfaces the status of a control in real time rather than after the fact.
The Health and Safety at Work Amendment Bill makes this explicit for officers. One of the named due diligence obligations in the amended Act will be that officers must verify that the resources and processes they’re responsible for are actually being provided and used. Not documented, not audited annually – but verified on an ongoing basis, with a frequency that reflects the severity of the risk.
That’s a different kind of governance question than most boards are currently set up to answer.
Documentation vs. verification at a glance
| Documentation-based approach | Verification-based approach | |
|---|---|---|
| What it confirms | The control exists and has been recorded | The control is functioning as intended, right now |
| How it works | Procedures written, training recorded, audits scheduled | Observed practice, active checks, real-time control status |
| Frequency | Updated when procedures change; audited periodically | Ongoing, with frequency calibrated to risk severity |
| What it misses | Silent failures, workarounds, degraded compliance | Nothing – deviations are surfaced before they accumulate |
| Officer obligation met? | Under current Act: arguably yes. Under Amendment Bill: no | Yes – meets the explicit verification duty |
| Example | “Workers have been trained on the isolation procedure” | “The isolation procedure was observed being followed correctly on 9 April 2026” |
The difference in practice
It helps to make this concrete. Consider a critical control like an isolation procedure for high-energy equipment – the kind of control where a failure can be immediately fatal.
A documentation-based approach to this control would confirm that the isolation procedure exists, that workers have been trained on it, and that the training records are up to date. It would note any incidents or near-misses involving isolation failures and include this in a periodic report.
A verification-based approach would go further. It would confirm that the procedure is being followed in practice – through observed checks, scheduled verifications, or real-time reporting from the people doing the work. It would distinguish between “workers have been trained” and “workers are applying the training correctly.” And it would surface deviations from the expected practice before they accumulate into something serious.
The difference isn’t just administrative. It’s the difference between knowing that a control has been documented and knowing that it’s working. In a high-risk environment, those are not the same thing.
Governance questions worth raising
For H&S leads, the practical challenge is shifting the governance conversation from documentation to verification – which requires changing the questions boards ask, not just the answers you provide.
A board that asks “do we have controls in place for our critical risks?” will get a documentation-based answer. A board that asks “how do we know our critical controls are working?” is asking a verification question, and it’s a much harder one to answer well without the right information.
Some questions worth introducing into your board’s H&S governance:
- For each of our critical controls, what does verification look like? Not auditing, not reporting – actual confirmation that the control is functioning today. If the answer is unclear, the control isn’t being verified.
- How frequently are critical controls verified, and does that frequency reflect the severity of the risk? A control that could prevent a fatality warrants more frequent verification than one managing a minor hazard. Is your current schedule calibrated accordingly?
- What’s the lag between a control failing and us knowing about it? If the answer is “we’d find out at the next audit” or “we’d find out when something goes wrong,” that’s the gap the current regulatory environment is asking you to close.
- Are the people responsible for verifying controls equipped to do it meaningfully? There’s a difference between a verification process that confirms a form has been completed and one that confirms a control is actually working. Which one do you have?
A more honest picture
The shift from documentation to verification isn’t about distrust or bureaucracy. It’s about having an accurate picture of your actual risk exposure rather than your intended one. Documentation tells you what you planned. Verification tells you what’s true.
In a high-risk industry, the gap between those two things is worth knowing about – ideally before an incident makes it visible.
Critter is built by IMPAC – 27 years of health and safety expertise, purpose-built for the critical risk governance challenge. Learn more about IMPAC.