One of the most common questions I get is:

‍
“What should I do if we have too many critical controls?”

‍

This usually comes from organisations that haven’t yet implemented a clear Critical Risk Management (CRM) framework — and as a result, the control list has ballooned out of proportion.

My recommendation?

‍

‍

‍Set a maximum of five critical controls per critical risk.

‍
That’s for large-scale operations. Smaller sites may need fewer.

If your list exceeds this threshold, here’s a simple way to regain control without compromising safety:

1. Use a Control Selection Flowchart

Start by reviewing how your critical controls were chosen. Was there a structured decision process in place?
If not, implement one. We use a proven flowchart that asks a series of challenge questions to test whether a control truly qualifies as critical.

2. Eliminate Non-Controls

Strip out anything that isn’t an actual control like:

• Verification activities
• Monitoring actions
• Training, competency, and maintenance

These are supporting systems, not true controls.

3. Assess Control Effectiveness

Even if a control qualifies as “critical,” is it actually effective on its own?
Poorly designed or weakly implemented controls should be removed or downgraded.

4. Contextualise Your Risks

A hazard like vehicle loss-of-control looks very different at a city-based workshop than at a remote mine site.
Context matters. Reassess risk levels and adjust the number of controls accordingly.
You might trade one control from a low-risk hazard to strengthen coverage on a higher-risk one.

5. Be Strategic With Consolidation

If multiple similar controls exist (e.g. behavioural controls in confined space permits), grouping them under one control can work but only if they remain measurable, specific, and auditable.

6. Downgrade Low-Likelihood Pathways

In Bowtie analysis, not every causal or consequence pathway is equal.
For lower likelihood scenarios, downgrade the controls to standard rather than critical but don’t remove them entirely.

7. Monitor the "Borderline" Controls

Some controls sit on the fence. They could be critical, or not.
Downgrade them, but implement a periodic check (e.g. every 6 months) to ensure they’re still functioning as intended. This isn’t verification — it’s confidence building.

Key Takeaway:
It’s not about having more controls, it’s about having the right ones. Focus on those that are specific, effective, and auditable. Everything else either supports them or should be reclassified.

Feel free to reach out and share what’s worked for you.