What to Do When You Have Too Many Critical Controls

This question usually comes from organizations that already have a well-established critical risk management framework and process in place, but over time things have gotten a little out of control. They’ve identified too many critical controls and are now trying to dial it back.

Here’s how I approach it.

Start with a Benchmark: No More Than Five

As a guiding principle, I personally believe that organizations should have a maximum of five critical controls per critical risk, and that’s for large-scale operations.

For smaller organizations or individual sites, you might even consider fewer. Once you go beyond five, the process becomes difficult to manage and verify effectively.

So, if your organization has exceeded that number, there are a few ways to bring things back into line.

1. Review Your Critical Control Selection Process

First, ask yourself:
Do we have a clear flowchart or decision process for identifying critical controls?

You should be able to trace each control through a series of structured challenge questions: a “selection test” that determines whether something truly qualifies as a critical control.

If you don’t already have a process like this, that’s your starting point. Develop one.
If you do, take your existing list of critical controls back through that process and challenge whether each one still meets the criteria.

2. Remove Non-Control Activities

A common issue I see is organizations mistakenly treating activities like verification, monitoring, training, competency, or maintenance as “controls.”

These are important supporting activities, but they’re not controls in themselves. They should be removed from your list of critical controls.

Filtering them out is often a quick way to clean up an overinflated list.

3. Assess Control Effectiveness

Next, make sure that the controls that remain are genuinely effective. A control that doesn’t work well — or can’t be verified — shouldn’t be classified as critical.

It’s also important that your critical risks have clear hazard descriptions that contextualize them for your specific operation.

For example:

  • A small manufacturing plant in the Brisbane CBD faces different vehicle-related risks than a large open-cut coal mine in Central Queensland.
  • Defining these differences helps you compare risks accurately, making sure you’re not comparing apples to oranges.

4. Compare and Rebalance Across Risks

Once your risks are clearly defined, look across your entire set of critical risks and ask:

  • Are all these risks truly equal in potential consequence?

For example, a snake bite or fauna interaction might not be on the same level as a loss of control of a vehicle that could lead to multiple fatalities.

If that’s the case, you can rebalance:

  • Reduce the number of controls on lower-consequence risks (maybe one or two).
  • “Trade” those back to higher-consequence risks that might need six or seven.

I call this control trading — recognizing that not all critical risks are equally critical.

5. Consider Grouping or Consolidation (With Caution)

In some cases, you might group related controls together.

For example, if your critical risk is exposure to toxic or irrespirable atmospheres in confined spaces, and you have several behaviour-based controls listed on the permit, you could consolidate them under one broader critical control: “Confined Space Permit Process.”

This approach can reduce numbers, but it’s not my preferred option.
I prefer controls to remain specific, measurable, and auditable. Grouping should only be done where it makes sense and doesn’t weaken your verification strategy.

6. Review Likelihood Pathways in Your Bow-Tie Analysis

When you revisit your bow-tie analysis, look at the different causal and consequence pathways. Not all are equally likely or severe.

If a control is primarily associated with a low-likelihood pathway, consider downgrading it to a standard control.
You’re not removing the control entirely, just adjusting its classification.

This can help reduce your overall critical control count while maintaining coverage across all pathways.

7. Downgrade and Monitor Borderline Controls

Sometimes you’ll find controls that are on the fence: they could be critical, but you’re not quite sure.

In those cases, it’s perfectly acceptable to downgrade them, but supplement that with a monitoring activity.

For example, if you’re unsure about a control’s reliability, you might introduce a six-monthly check to verify that it’s still performing effectively.
This isn’t a “critical control verification,” but it gives you confidence that you’re not losing control integrity.

In Summary

If you’ve got too many critical controls, don’t panic. The key is to:

  1. Revisit your selection process.
  2. Filter out non-controls like training or maintenance.
  3. Assess effectiveness and context for each risk.
  4. Rebalance or trade controls between higher- and lower-consequence risks.
  5. Group or consolidate carefully where it makes sense.
  6. Use your bow-tie analysis to focus on the most likely and severe pathways.
  7. Downgrade and monitor borderline cases.

By taking these steps, you’ll streamline your framework, improve focus, and ensure your critical controls remain truly critical: the ones that make the biggest difference in managing fatal and catastrophic risks.
