What Makes A Critical Control Effective?
Having a critical control and having an effective one aren’t the same thing. Here’s what “effective” means in this context – and why the distinction matters.
What An “Effective” Critical Control Means
Key takeaway: A critical control is only effective if it’s both in place and working. That’s a two-part test – and a critical control can pass the first part while failing the second. Understanding what effectiveness requires is the foundation of good critical risk management.
Most organisations that manage critical risks have controls in place. Procedures written, equipment specified, roles assigned. They can point to documentation that says: this is how we manage this critical risk.
The question that’s harder to answer – and more important – is whether those critical controls are in place and working as intended.
It’s a distinction that’s easy to gloss over until something goes wrong. And when it does, the gap between “we had a critical control” and “the critical control was effective” is often where the investigation lands.
What “effective” means
An effective critical control is one that is both in place and working.
That’s a two-part test – and both parts matter equally.
In place means the critical control exists in practice, not just on paper. The required action is being applied – which means the person responsible knows what they’re supposed to do and is doing it. The equipment is installed and functioning. A control that’s documented but not being applied isn’t in place – it’s recorded.
Working means the control is preventing the harm it’s designed to prevent. It’s doing the job. A control can be in place and still not be working – if it’s been bypassed, degraded over time, applied inconsistently, or simply isn’t adequate for the actual conditions of the work.
Both tests have to pass. A critical control that’s documented but not applied fails the first test. A critical control that’s applied but not achieving its protective purpose fails the second. Either way, the critical risk isn’t being managed.
Why this is harder than it sounds
The assumption many organisations are operating on – consciously or not – is that having a critical control documented is roughly equivalent to having it in place and working. That’s what the risk register implies. That’s what an annual audit tends to confirm. And in some cases, for some lower-level risks, it’s close enough.
For critical risks, it isn’t.
The consequence of a critical control failing is a fatality or significant permanent disability. That’s precisely why critical risks require a different standard – not just evidence that a critical control was designed and recorded, but ongoing confirmation that it’s doing what it’s supposed to do in real-world conditions.
Those conditions change. Work environments aren’t static. Procedures that were adequate when they were written may not account for how work has evolved. Equipment wears. People develop workarounds – not through carelessness, but because work as it happens rarely matches work as it was imagined. The critical control that looked right on paper may not be the critical control that’s operating on the ground.
This is the gap the Port of Auckland conviction turned on. The Port had systems. It had procedures. The Court found that the critical controls around crane exclusion zones – though documented – weren’t being applied as intended in practice. The CEO was convicted among other things, for failing to verify critical controls were in place and working. The distinction between documented and effective was, in that case, the difference between a functioning safety system and a fatal incident.
The three ways your team can support effective critical controls
Across organisations and industries, there are three key characteristics that make it more likely your critical controls will pass the effectiveness test.
They’re understood by the people who apply them. A critical control that exists in a procedure manual but isn’t understood by the people doing the work isn’t a functioning critical control. Effectiveness requires that the people responsible for applying the critical control know what it is, why it matters, and what doing it correctly looks like in practice.
They’re designed for work as it happens. Critical controls are designed at a point in time, based on how work is expected to be done. Work changes. If a critical control hasn’t been reviewed against how work is being done – not how it was imagined – there’s a real possibility it’s no longer adequate. Effective critical controls are tested against reality, not just against the original design.
They’re maintained over time. Effectiveness isn’t a static state. Equipment degrades. Conditions change. People turn over. A critical control that was genuinely effective at the point it was implemented needs ongoing attention to remain so. Effectiveness needs to be sustained, not just established.
None of this is complicated in principle. In practice, it requires a deliberate approach – one that goes beyond establishing critical controls and documenting them, to actively maintaining visibility of whether they’re doing their job.
What this means for how you manage critical risk
If effectiveness is a two-part test – in place and working – then managing critical risk well means having a way to answer both parts, on a regular and ongoing basis.
Most organisations have reasonable visibility of the first part. They know what controls they’ve put in place. What’s harder is the second: knowing, at any given point, whether those controls are in place and working as intended across their operations.
That’s not a question you can normally answer with an annual audit. By the time an audit confirms a control has degraded or drifted from how it was designed, the exposure may have existed for months. And it’s not a question the risk register answers – the risk register tells you what controls you’ve decided you need, not whether they’re functioning.
Answering that question – continuously, not periodically – is what verification is for. How you verify a critical control is in place and working is the next piece in this series.
Frequently asked questions
What does it mean for a critical control to be effective? It means that it’s both in place and working.
What’s the difference between a critical control being in place and working? “In place” means the critical control exists in practice, not just on paper; “working” means it’s preventing the harm it’s designed to prevent.
What makes critical risk controls different from general risk controls? The consequence of a critical control failing is a fatality or significant permanent disability – which is why their real-world effectiveness should be treated as a priority.
Critter is built by IMPAC – New Zealand’s leading health and safety company, with 27 years of experience guiding organisations through complex critical risk challenges. Learn more about IMPAC.
