What to Do When You Have Too Many Critical Controls

TL;DR: Managing Too Many Critical Controls in Risk Management – 2025

‍

• Many organisations struggle with an excessive number of critical controls due to unclear Critical Risk Management (CRM) frameworks.

• The ideal benchmark: no more than five critical controls per critical risk — fewer for smaller sites.

• To streamline controls without compromising safety:

• Use a Control Selection Flowchart – Apply a structured decision process to test if each control truly qualifies as critical.
• Eliminate Non-Controls – Remove verification, monitoring, and training activities that are support systems, not true controls.
• Assess Control Effectiveness – Exclude controls that are weak, poorly designed, or ineffective on their own.
• Contextualise Risks – Adjust controls based on operational context and risk severity.
• Strategically Consolidate – Group similar controls only if they remain measurable and auditable.
• Downgrade Low-Likelihood Pathways – Keep them as standard controls rather than critical.
• Monitor Borderline Controls – Reassess them periodically to maintain confidence.

• Key takeaway: It’s not about quantity — it’s about having the right critical controls that are specific, effective, and auditable. Fewer, stronger controls lead to safer, more manageable risk systems.

‍

One of the most common questions I get is:

‍
“What should I do if we have too many critical controls?”

‍

This usually comes from organisations that haven’t yet implemented a clear Critical Risk Management (CRM) framework — and as a result, the control list has ballooned out of proportion.

My recommendation?

‍

‍

‍Set a maximum of five critical controls per critical risk.

‍
That’s for large-scale operations. Smaller sites may need fewer.

If your list exceeds this threshold, here’s a simple way to regain control without compromising safety:

1. Use a Control Selection Flowchart

Start by reviewing how your critical controls were chosen. Was there a structured decision process in place?
If not, implement one. We use a proven flowchart that asks a series of challenge questions to test whether a control truly qualifies as critical.

2. Eliminate Non-Controls

Strip out anything that isn’t an actual control like:

• Verification activities
• Monitoring actions
• Training, competency, and maintenance

These are supporting systems, not true controls.

3. Assess Control Effectiveness

Even if a control qualifies as “critical,” is it actually effective on its own?
Poorly designed or weakly implemented controls should be removed or downgraded.

4. Contextualise Your Risks

A hazard like vehicle loss-of-control looks very different at a city-based workshop than at a remote mine site.
Context matters. Reassess risk levels and adjust the number of controls accordingly.
You might trade one control from a low-risk hazard to strengthen coverage on a higher-risk one.

5. Be Strategic With Consolidation

If multiple similar controls exist (e.g. behavioural controls in confined space permits), grouping them under one control can work but only if they remain measurable, specific, and auditable.

6. Downgrade Low-Likelihood Pathways

In Bowtie analysis, not every causal or consequence pathway is equal.
For lower likelihood scenarios, downgrade the controls to standard rather than critical but don’t remove them entirely.

7. Monitor the "Borderline" Controls

Some controls sit on the fence. They could be critical, or not.
Downgrade them, but implement a periodic check (e.g. every 6 months) to ensure they’re still functioning as intended. This isn’t verification — it’s confidence building.

Key Takeaway:

‍
It’s not about having more controls, it’s about having the right ones. Focus on those that are specific, effective, and auditable. Everything else either supports them or should be reclassified.

Feel free to reach out and share what’s worked for you.