What Is A Critical Risk? Definition And Why It Matters

Critical risks aren’t just serious hazards – they’re a specific category that demands a greater focus of resource and effort. Here’s what that means in practice.


Key takeaway: The standard definition of a critical risk is any hazard that could cause death or significant permanent disability if released – which is what happens if there are no controls or the wrong controls in place, or the right controls aren’t in place and working. That puts it in a different category from general H&S risks – not just more serious but also requiring a greater focus of resource and effort. Understanding the distinction is the starting point for managing this well.


If you’ve spent any time in health and safety, you know the feeling of looking at a risk register that’s grown beyond anyone’s ability to meaningfully engage with it. Dozens of entries. Colour-coded likelihood-consequence matrices. Rows of controls that someone documented, reviewed annually, and mostly left alone.

There’s a reason that approach feels unsatisfying – and it’s not because you haven’t been thorough enough. It’s because not all risks are the same, and treating them as if they are creates a system that’s simultaneously overwhelming and inadequate.

The concept of critical risk exists to cut through that. And once you understand what it means, it changes how you think about H&S management more broadly.


The standard definition of a critical risk is any hazard that could cause death or significant permanent disability if released – which is what happens if there are no controls or the wrong controls in place, or the right controls aren’t in place and working. 

That’s the definition – and the key phrase above is if the controls aren’t in place and working. Critical risks aren’t uncontrollable. Most organisations that work with them have identified them, documented what’s required to prevent them causing harm, and put processes in place. The problem isn’t usually identification of the risk or the critical controls. It’s verification. 

But we’ll come to that. First, it’s worth understanding what distinguishes critical risks from the rest of the risk landscape. 

The distinction is about consequence, not likelihood. Most risk management frameworks ask you to consider both: how likely is this to happen, and how bad would it be? For general risks, that trade-off makes sense. A critical risk is different because the potential consequence – a death, or a significant permanent disability – is so severe that it belongs in a separate category with a higher level of prioritisation.  

Critical risks are finite and identifiable. For any given organisation, the number of critical risks isn’t infinite. They’re specific to your operations, your equipment, your work environment. In construction, they might include working at height, excavation, and mobile plant and equipment. In manufacturing, it might be fixed plant and machinery, hazardous substances, and confined space entry. The list is bounded – which means it’s manageable. 

Critical risks require controls that are verified, not just documented. A control is only effective if it’s in place and working. Recording a control doesn’t mean it’s in place and working forever – and that’s what it needs to be when the consequence of a critical control failing is fatal.


Most organisations that work with critical risks are already doing something to manage them. They have H&S systems, they have documented controls, they conduct audits, and they report incident rates to the board.

The issue isn’t the absence of effort. It’s that the effort is often distributed across every risk on the register – with critical risks getting proportionally similar attention to risks that, if they materialised, would result in a bruise rather than a fatality.

When everything is a priority, nothing is. A risk register that treats a critical risk the same as a housekeeping issue isn’t giving you meaningful information – it’s giving you the appearance of it.

This is increasingly being recognised at a regulatory level. WorkSafe’s enforcement attention has always gravitated toward organisations with critical risk problems – that’s where the serious harm happens, and where serious consequences for leaders follow.

The recent High Court Appeal decision for the Maritime NZ vs Gibson case makes it clear that officers (i.e. boards and executives) must verify that critical risk systems are working, not just establish them. That obligation exists now, regardless of organisation size or industry. The Health and Safety at Work Amendment Bill, currently progressing through Parliament, signals continued legislative focus on critical risk – but the obligation to manage it rigorously is already there.


Getting clear on your critical risks involves three things:

  • Identifying them specifically – not just acknowledging that serious hazards exist, but naming the specific risks in your specific operations that could cause a fatality or permanent disability if controls failed
  • Identifying the right critical controls and putting them in place – not just procedures on paper, but controls that are genuinely preventing harm in the way they’re intended to
  • Verifying those critical controls are in place and working – on a regular and ongoing basis, not just at the point of an annual audit.

That third element is where most organisations have the most ground to cover. Identification is usually done and documentation is usually done. Verification – ongoing, regular, real-time confirmation that critical controls are operating as intended – is where the gap sits.

What makes a critical control effective, and how you verify one, are worth posts of their own. Those are coming next in this series.


Critter is built by IMPAC – New Zealand’s leading health and safety company, with 27 years of experience guiding organisations through complex critical risk challenges. Learn more about IMPAC.