Are Your Risk Controls Actually Working?

If incidents aren’t linked to the right risk and control, you’ll never uncover which controls are failing or which ones are quietly doing their job. Closing this loop is at the heart of effective health and safety management.

In this article, we’ll break down how to reliably connect incidents, hazards and your risk register so you can finally test control effectiveness and make defensible, data-driven decisions.

Why linking incidents to your risk register matters

Many organisations treat their risk register as a static document, useful during audits but not embedded in daily operations. The problem? If an incident comes in and isn’t linked back to the correct risk and associated controls, patterns stay hidden.

Accurate linking helps you:

  • Reveal repeating failures: If the same control keeps breaking, you’ll see it in your incident trends.

  • Focus resources: Instead of spreading effort thin, you invest in the controls with the greatest impact on residual risk.

  • Improve defensibility: When regulators or insurers ask, you can show exactly how risks and incidents connect.

This is where risk register software, especially platforms that integrate incident management, becomes invaluable.

Map each incident to the correct risk in your register

Every incident report should capture the metadata that anchors it back to your risk management framework. At minimum, ensure your process includes:

  • Risk ID: The unique risk identifier from your register.

  • Relevant controls: Which control(s) were supposed to be in place at the time? Were they present? Were they bypassed?

  • Residual risk rating: This lets you compare actual outcomes against expected performance.

  • Context: Conditions, location, contractor involvement and contributing factors.

In SiteConnect, incident reporters can select the relevant risk directly from your risk register, ensuring consistent categorisation and enabling automated trend analysis. You can also capture which specific controls were active, which is crucial for later effectiveness testing.

How to test whether your controls are effective

Control effectiveness isn’t a guess; it’s evidence. Once you’ve linked incidents to risks and controls, evaluate whether those controls are functioning as intended. Effective testing methods include:

1. Spot checks

Quick, on-the-ground verifications. Are guards installed? Are exclusion zones maintained? Is PPE being used?

2. Short-form audits

Targeted audits focused on one control or a cluster of related controls. These are perfect for high-risk tasks or recurring issues.

3. Sampling

For high-volume or repetitive tasks (e.g., contractor inductions, plant inspections), sample a portion for review and compare to acceptance criteria.

4. Define acceptance criteria

Before testing, document what “effective” looks like. For example:

  • Control applied correctly 95% of the time

  • Zero bypasses without formal approval

  • Training completed within a 12-month cycle

If results don’t meet your criteria, the control is ineffective, even if no incident has occurred… yet.

When to escalate: risk triggers you shouldn’t ignore

There are clear signals that a control or risk needs escalation:

  • Repeat failures: If the same control is linked to multiple incidents, it’s no longer reliable.

  • Control bypasses: Voluntary or habitual bypasses are high-risk red flags.

  • Regulatory triggers: Under New Zealand’s Health and Safety at Work Act, a notifiable event automatically requires a review of associated risks and controls.

  • Major changes: New equipment, processes, contractors or legislation should trigger a review cycle.

Escalation doesn’t always mean increasing the risk rating, but it always means re-examining your assumptions.

Update your risk register: review, close, change

A modern risk register isn’t static; it’s versioned, trackable and auditable. When you identify control failures or changes, follow a clear cycle:

  1. Review: Assess incident data, audit results and stakeholder feedback.

  2. Evaluate: Do existing controls still reduce residual risk to acceptable levels?

  3. Change: Modify controls, add new ones or retire ineffective measures.

  4. Sign-off: Assign approval to a competent person; this creates a defensible record.

  5. Versioning: Maintain a history of changes for audit readiness.

SiteConnect’s risk register software supports full version control and sign-off workflows, making the update process transparent and traceable.

Don’t forget suppliers and contractors

Third-party work is one of the biggest blind spots in health and safety systems. You may have strong internal controls, but are your contractors’ controls equally effective?

Key steps:

  • Verify their controls before work begins; don’t just accept documentation.

  • Check alignment with your risks – do their controls actually manage your hazards?

  • Request evidence of their effectiveness (e.g., maintenance logs, inductions, certifications).

In SiteConnect, contractor pre-qualification and control requirements can be linked directly to risks, ensuring they’re not treated as an afterthought.

Make defensible decisions with evidence

When insurers or regulators ask, “Why did you make this decision?” your answer must be backed by:

  • Incident data

  • Risk assessments

  • Control verification results

  • Version histories

  • Sign-off records

The stronger your evidential trail, the safer (and more defensible) your organisation becomes.

Leadership visibility: risk-incident heatmaps and trends

Leaders don’t need pages of text; they need clarity. Visuals that resonate include:

  • Risk-incident heatmaps: Show where most incidents cluster relative to risk ratings.

  • Residual risk over time: Demonstrates whether controls are improving or degrading.

  • Incident trends by control: Highlights which controls are failing most frequently.

These insights help leaders make smarter resource and investment decisions.

Portfolio approach: property and asset management

For organisations managing multiple sites or properties, apply a building-by-building review cadence:

  • Monthly for high-risk properties

  • Quarterly for medium-risk

  • Annually for low-risk

Portfolio-level oversight ensures that no site is left behind, and systemic risks are caught early.

How SiteConnect closes the loop

With SiteConnect, you can:

  • Link incidents directly to risks and controls

  • Visualise incident trends and residual risk

  • Support defensible decision-making with audit-ready records

If you want true visibility into control effectiveness (not just paperwork), integrated risk register software is the key.
