Critical risk governance and managementWhat boards and H&S leads need to know

Critical risk has always mattered. What's changing is the standard being applied to it in New Zealand.

The conviction of former Port of Auckland CEO Tony Gibson in November 2024 – the first of its kind against a chief executive of a large, complex organisation – made it clear that officer liability for critical risk failures is no longer theoretical. 

The Health and Safety at Work Amendment Bill 2026 – which passed its third reading in July 2026 – makes this requirement even more explicit.

For boards and executives, the question has shifted from “do we have critical controls in place?” to “can we demonstrate that those critical controls are in place and working?” For H&S managers and risk leads, that shift changes what good looks like – not just in what you manage, but in what you surface upward and how you frame it.

This series covers the governance and management landscape in full: the legal context, the gap between documentation and verification, the blind spots in contractor supply chains, and the practical tools H&S leads need to brief boards more effectively.

What the Port of Auckland conviction means for every board with critical risk obligations

Tony Gibson wasn’t convicted because Port of Auckland lacked safety systems. He was convicted because nobody had verified those systems were working. This post unpacks what the case established – and what it means for every board with critical risk obligations.

Critical risk is no longer just implied. Here's what the Health and Safety at Work Amendment Bill means in practice.

The Health and Safety at Work Amendment Bill doesn’t create new obligations for boards and officers – it makes existing ones impossible to misread. This post explains what’s changing, what the timeline looks like, and the questions H&S leads should be raising now.

Your quarterly H&S report isn't telling your board what they think it is

A quarterly report is a snapshot – assembled after the fact, filtered through what people chose to report, describing work as imagined rather than work as done. This post makes the case for a different kind of visibility, and gives H&S leads the questions to raise it with their boards.

Your controls stop at your boundary. Your liability doesn't.

For organisations in high-risk industries, the greatest exposure is often in the contractor supply chain – where critical controls are hardest to see and easiest to assume are working. This post explains where the duty of care sits, and what genuine supply chain visibility requires.

Documented isn't the same as working. Here's the difference that matters.

Documenting a critical control and verifying it’s functioning are two different things. Most organisations have the former. The current legal environment is asking for the latter. This post defines the distinction and makes it concrete.

How to brief your board on critical risk – and why most H&S presentations miss the mark

There’s a difference between reporting and briefing. Reporting tells the board what happened. Briefing shapes how the board thinks. This practical guide gives H&S leads a framework for presenting critical risk governance in a way that changes the questions boards ask – and the standard they hold the organisation to.

Why Critter exists: built from 27 years of H&S practice

Critter wasn’t built by a software team that researched the problem. It was built by IMPAC — New Zealand’s leading health and safety company — after 27 years of guiding organisations through critical risk challenges and seeing the same gap appear every time.

What is a critical risk? Definition and why it matters

Critical risks aren’t just serious hazards – they’re a specific category that demands a different level of attention. This post explains what puts a risk in that category, and why the distinction changes how you manage H&S.

What makes a critical control effective

Having a critical control and having an effective one aren’t the same thing. This post unpacks what “in place and working” really requires – and why it’s harder to achieve than most organisations assume.

How to verify critical controls are working

Verification isn’t a method – it’s a question: is this control in place and working under actual operating conditions? This post covers what that means in practice, and why it needs to happen at both an operational and governance level.

How to set critical control verification frequency

Verification frequency shouldn’t default to audit cycles. This post covers how to set a cadence based on activity volume – and how to adjust it as controls prove reliable.