
Critical risk managementFrequently asked questions
On this page
- What is a critical risk?
- What is a critical control?
- What does “critical control verification” mean?
- What’s the difference between a critical risk and a general H&S risk?
- What’s the difference between documenting and verifying a critical control?
- What are NZ organisations legally required to do about critical risks?
- What makes a critical control effective?
- How do you identify critical risks in your organisation?
- How often should critical controls be verified?
- Who is responsible for verifying critical controls?
- What should boards be asking about critical risk?
- What’s the difference between a H&S report and critical risk governance?
- What does “work as done vs. work as imagined” mean?
What is a critical risk?
A critical risk is any hazard that could cause death or significant permanent disability if it isn’t properly controlled. That consequence – a fatality or life-altering injury – is what puts it in a different category from other risks you manage.
The definition doesn’t depend on how likely the event is. A risk can be statistically rare and still be critical if the potential outcome is severe enough. Working at height, confined space entry, the operation of mobile plant and equipment – these are examples of critical risks across many industries because the consequence of a control failure can be immediately fatal.
For a more detailed treatment of the definition and what it means in practice, see What Is A Critical Risk? Definition And Why It Matters.
What is a critical control?
A critical control is a measure that either prevents a critical risk from materialising or limits its consequences if it does. It’s the thing that stands between a hazard and a fatality.
Not every control is a critical control. A critical control is specific: it directly addresses a critical risk, its absence or failure would significantly increase the likelihood or severity of harm, and its effectiveness can be observed and verified. A documented procedure is not automatically a critical control – it only functions as one if it’s being followed in the way it was intended.
The distinction matters because critical controls warrant a different level of attention than general risk management measures. If a critical control fails, the consequence could be fatal.
What does "critical control verification" mean?
Critical control verification is the process of confirming – on an ongoing basis – that a critical control is in place and working as intended. Not that it was put in place when the procedure was written or that it passed an audit six months ago, but that it’s functioning correctly right now.
Verification is active, not passive. It involves someone with relevant knowledge checking that the control is operating as designed – an observed practice, a completed inspection, a real-time confirmation – rather than assuming the control is effective because the documentation says it should be.
This is distinct from documentation, which records what a control is and how it should work. It’s also different from periodic auditing, which checks compliance at a point in time rather than on an ongoing basis. Verification regularly asks a different question: is this control in place and working today?
Learn more in How To Verify Critical Controls Are Working.
What's the difference between critical risk and general health and safety risk?
The core difference is consequence. A general health and safety risk is managed because it could cause harm – but the range of potential harm spans everything from a minor injury to a serious incident. A critical risk is specifically one where the potential outcome, if controls fail, is death or significant permanent disability.
That difference in consequence justifies a difference in how you manage it. With general risks, organisations reasonably distribute attention across a broad risk register. With critical risks, the potential severity is serious enough to warrant focused, ongoing verification that controls are in place and working – not just documented.
It’s also worth noting that focusing on critical risks isn’t a fundamentally different management philosophy – it’s a resource prioritisation decision. You can’t verify everything with the same rigour. Critical risks are the ones where the consequence of getting them wrong is too serious to treat them like any other risk.
What's the difference between documenting and verifying a critical control?
Documentation records what a critical control is: what it requires, who’s responsible for it, and what compliance looks like. It’s a point-in-time record – accurate when it was written, but unable to tell you what’s happening in the field today.
Verification confirms that the critical control is in place and working. It goes beyond paperwork: it involves active checking, observed practice, or real-time reporting that gives you evidence – not assumptions – about the current state of the critical control.
The gap between documentation and verification is where serious incidents can happen. A critical control can be documented in full and still fail without anyone realising – because a procedure isn’t being followed, because personnel have changed, or because supervision has become inconsistent. Documentation doesn’t surface those failures – verification does.
For further details on this distinction, see Verifying Critical Controls: The Difference Between Documented and Verified.
What are New Zealand organisations legally required to do about critical risks?
Under the Health and Safety at Work Act 2015 (HSWA), officers – the people who exercise significant influence over how an organisation is managed, including CEOs, directors, and most board members – have a personal duty of due diligence. That duty includes an explicit requirement to verify that the organisation’s health and safety systems are operating as intended, not just established on paper.
The Port of Auckland conviction made this concrete. In November 2024, the former CEO of Port of Auckland was convicted for failing to meet this duty – specifically for not verifying that critical controls around crane exclusion zones were being followed in practice. The High Court upheld the conviction in April 2026. He wasn’t convicted because Port of Auckland lacked systems – he was convicted because those systems hadn’t been verified as in place and working.
For the detail on what the law requires and what the conviction established, see What the Port of Auckland Conviction Means for Every Board with Critical Risk Obligations and What the Health and Safety at Work Amendment Bill Means in Practice. Note that these articles are not legal advice.
What makes a critical control effective?
An effective critical control is one that prevents a critical risk from causing harm in the way it was designed to – reliably, in the conditions where the risk exists, and by the people who are doing the work.
Three things tend to determine whether a critical control is genuinely effective:
- It addresses the hazard. The control targets the specific mechanism by which the critical risk could cause harm – not a related issue or a general precaution.
- It works in practice, not just on paper. The people responsible for the control understand it, are equipped to follow it, and are doing so – in normal conditions and under pressure.
- Its effectiveness can be checked. If there’s no way to confirm whether the control is operating as intended, it can’t be verified. An effective critical control is one where someone can observe or confirm its status.
For more on what separates an effective critical control from one that only appears to be working, see What Makes A Critical Control Effective?
How do you identify critical risks in your organisation?
Identifying critical risks means working through your operations and asking: where could something go fatally wrong if the right protections weren’t in place? The answer is specific to your industry, your sites, your equipment, and how your people work.
In practice, most organisations approach this by:
- Reviewing the hazards present in their operations and filtering for those with potential fatality or permanent disability outcomes.
- Drawing on industry-specific guidance. Many high-risk industries – like construction, mining, energy, and manufacturing – have established lists of common critical risks.
- Engaging the people closest to the work, who often understand where the real exposures are better than any risk register does.
- Benchmarking against WorkSafe guidance and industry practice to confirm they haven’t missed something significant.
The number of critical risks in any organisation is finite – not every hazard qualifies, and that’s the point. Identifying them is the first step toward managing them with the rigour they warrant.
How often should critical controls be verified?
Who is responsible for verifying critical controls?
What should boards be asking about critical risk?
- What are our critical risks, and what are the specific critical controls we rely on to manage them?
- How do we know those critical controls are in place and working right now – not at the last audit, but today?
- What’s the lag between a critical control failing and us knowing about it?
- Are our critical controls verified across our contractor supply chain, or just within our direct operations?
- What does our verification data show – are there controls that are consistently not being verified, or patterns of non-compliance we should be asking about?
What's the difference between a health and safety report and critical risk governance?
What does "work as done vs. work as imagined" mean?
“Work as imagined” is how a process looks when it’s designed: the procedure as written, the training as delivered, the control as documented. “Work as done” is what happens on the ground – how workers do the job in real conditions, under real pressures, with the resources they have.
The gap between the two is normal. Workers adapt and shortcuts get taken – sometimes because they’re genuinely more efficient, sometimes because the documented approach is impractical. Equipment behaves differently from how it was specified. Supervision is inconsistent. The way work was designed and the way work is done are rarely identical.
This gap matters most for critical risks, because it’s precisely where controls can fail without anyone noticing. A critical control might be documented in full and still not be operating as intended – because the people doing the work have drifted from the procedure in ways that the wider organisation doesn’t know about, and that haven’t yet caused an incident.
The phrase “work as done vs. work as imagined” became central to the Port of Auckland conviction, because the Court found that the failures in that case reflected a consistent pattern of not understanding work as done.
For any board or executive with critical risk obligations, it’s a useful prompt: do we know what’s happening in the field, or do we know what we’ve been told should be happening?
