Risk Control Measures: Types, Hierarchy & Implementation

Share with

Contents

Every workplace carries some level of risk. The goal of a health and safety management system is not to eliminate all activity but to manage risks so they do not cause harm. Risk control measures are the actions, systems, and safeguards put in place to reduce or eliminate identified hazards before they lead to incidents or injuries.

Getting risk control right means understanding what types of controls exist, how to apply them in order of effectiveness, and how to keep them working over time. This page covers all of that in practical terms.

What Are Risk Control Measures?

Risk control measures are steps taken to reduce the likelihood or severity of harm from a workplace hazard. Once a hazard has been identified and assessed through a process like HIRA, the next step is selecting the right control to manage it.

Controls can be physical, procedural, behavioral, or administrative. The right mix depends on the nature of the hazard, the work environment, and the people involved.

The Hierarchy of Risk Controls

The hierarchy of controls is a globally recognized framework for choosing risk control measures. It ranks controls from most to least effective, guiding safety professionals to apply the strongest protection possible.

The Hierarchy of Risk Controls

1. Elimination

Elimination removes the hazard entirely. It is the most effective control because the risk no longer exists. For example, discontinuing a hazardous chemical process removes all related exposure risk.

2. Substitution

When elimination is not possible, substitution replaces the hazard with something less dangerous. Switching from a solvent-based cleaner to a water-based one is a common example.

3. Engineering Controls

Engineering controls change the physical environment to reduce exposure. Ventilation systems, machine guards, noise enclosures, and automated material handling all fall into this category. These controls work independently of human behavior, making them more reliable than procedural measures.

4. Administrative Controls

Administrative controls change how work is done. Job rotation to reduce repetitive strain, written safety procedures, restricted access to hazardous areas, and safety training programs are all administrative controls. They depend on people following rules consistently, which means they require ongoing monitoring.

5. Personal Protective Equipment

PPE is placed at the bottom of the hierarchy because it does not remove the hazard - it only reduces the impact if exposure occurs. Gloves, helmets, respirators, and eye protection are examples. PPE is often used alongside other controls rather than as a standalone measure.

Understanding this hierarchy helps safety teams avoid the common mistake of defaulting to PPE when stronger controls are available and practical.

Types of Risk Control Measures

Beyond the hierarchy, risk controls are often grouped by function.

Preventive controls stop a hazard from causing an incident. Lockout/tagout procedures, pre-work inspections, and equipment maintenance schedules are preventive in nature.

Detective controls identify when something has gone wrong so it can be addressed before harm occurs. Monitoring systems, safety inspections, and automated alarms are examples.

Corrective controls reduce the impact after an incident has started. Spill containment systems, emergency stop buttons, and fire suppression systems fall here.

A sound occupational health and safety management system will typically use a combination of all three types, since no single control category is sufficient on its own.

How to Select the Right Risk Control Measures

Choosing risk control measures is not guesswork. It follows directly from the risk assessment findings. The selection process should consider:

The severity of the potential harm
How frequently workers are exposed
Whether the control can be practically maintained
Cost relative to risk reduction achieved
Legal and regulatory requirements

A useful starting point is to ask whether the hazard can be eliminated first. If not, work down the hierarchy systematically. Document the rationale for the controls selected, as this supports compliance with standards like ISO 45001 and demonstrates due diligence to regulators and auditors.

Organizations should also involve workers in the selection process. People doing the work often have the clearest view of what controls are practical and where existing ones are falling short.

Implementing Risk Control Measures Effectively

Selecting a control is only the first step. Implementation determines whether it actually works.

Key steps in implementation include:

Implementing Risk Control Measures Effectively

Assign clear ownership. Each control measure should have a responsible person who ensures it is in place and functioning.

Set a timeline. Where new controls need to be installed or procedures updated, set a deadline and track progress.

Communicate changes. Workers need to understand what has changed, why, and what is expected of them. Poor communication is one of the most common reasons controls fail in practice.

Train where needed. If a control involves a new procedure or equipment, health and safety training is essential before the control goes live.

Document everything. Records of what controls were selected, when they were implemented, and who is responsible create accountability and support audit readiness.

Monitoring and Reviewing Risk Control Measures

Why Controls Need Regular Review

Risk control measures can become ineffective over time. Equipment wears out. Work processes change. New hazards emerge. A control that worked well two years ago may not be adequate today.

Scheduled safety inspections, incident investigations, and management reviews all serve as checkpoints for control effectiveness. When an incident or near miss occurs, it is usually a signal that a control has failed or was never adequate in the first place.

Linking Controls to Continuous Improvement

The review process should feed into your broader improvement cycle. When a control is found to be inadequate, that finding should trigger a corrective action. Tracking these actions systematically - rather than relying on memory or emails - is where health and safety management software adds real value.

Effivity's HSMS module helps teams log hazards, link them to controls, assign ownership, and track review dates - all in one place. Try Effivity for Free and see how it simplifies control management across your sites.

Free Trial →

Risk Control Measures and Legal Compliance

Most occupational health and safety regulations require employers to identify hazards and apply appropriate controls. The specific requirements vary by jurisdiction, but the underlying principle is consistent: employers must do what is reasonably practicable to protect workers.

Failure to implement adequate risk control measures is one of the most cited reasons for regulatory enforcement action and workplace liability claims. Having documented, reviewed, and updated controls is therefore not just good safety practice - it is a legal obligation in most operating environments.

For organizations working toward ISO 45001 certification, control measures are a core part of clause 8 (operational planning and control). Auditors will look for evidence that controls are linked to assessed risks and that they are being monitored.

Managing risk control measures across multiple sites or teams gets complex quickly. Get a Free Personalized Demo to see how Effivity helps you stay organized, compliant, and audit-ready.

Free Demo →

Frequently Asked Questions

Risk assessment identifies and evaluates hazards, while risk control measures are the actions taken to reduce or eliminate the risks found during that assessment.

Elimination is the most effective because it removes the hazard entirely, unlike lower-tier controls that only reduce exposure or protect against harm.

Controls should be reviewed after any incident, significant process change, or at least annually as part of routine safety management reviews.

Yes, ISO 45001 requires organizations to plan and implement controls for identified risks and maintain documented information as evidence of their effectiveness.

Share with