The illusion of control, or how questions we ask change the due diligence conversations for the better

Many governance groups I've encountered have similar dashboards. Audits completed, checklists signed, agreed controls verified by observation, training attendance and leadership walks undertaken. The data is accurate, trends look positive, and the board can see that safety is being well managed. There are red lights, green lights and trendlines. 

What the dashboard doesn't reveal is whether the verification activity is improving the work.

There is a version of this problem hiding in plain sight on every road you've ever driven on. A white line painted down the middle of the carriageway is, by any reasonable definition, an administrative control. It is an abstract visual signal that communicates a rule, even though it lacks the physical ability to compel road users to comply. It works if every driver sees it, understands it, and chooses to follow it, including when they are tired, distracted, or running late. It also allows us to decide to, I think, for legitimately defensible reasons, to break the rule in certain circumstances. If a child runs out in front of you, crossing the line to avoid collision is something most of us would agree is the right thing to do, even if it goes against normal protocols. If a warehouse manager proposed separating pedestrian and vehicle routes with a painted line on the floor and an incident occurred, a health and safety regulator would rightly ask why physical barriers had not been installed. Applied to a public road at 50km/h, the same reasoning produces a very different response. Not because the logic is different, but because the institutional accountability is.

We regularly make safety decisions in workplaces using different and often contradictory sets of guidelines. I have seen organisations promote one mode of transport for commuting to the workplace while at the same time prohibiting its use during working hours. 

The hierarchy that gets skipped

Health and safety law asks organisations to minimise risk ‘so far as is reasonably practicable’ (SFARP). It even provides us with a hierarchy of activities to help them comply. First, eliminate the hazard. Can’t do that, don’t panic, we’ll accept a substitute for something less hazardous. Still can’t get rid of the pesky hazard, engineer a barrier. If none of these options is possible without making the task impossible to perform, implement administrative controls, rules, procedures, training, and signage. Only as a last resort, after all other measures have been exhausted, should workers be asked to protect themselves, often through specialised, less than fashionable, clothing.

You can't skip to a lower rung on the hierarchy because it's cheaper, easier or less hassle. You need to be able to demonstrate why those controls at the top of the ladder can’t work in your context. The burden of proof lies with the organisation.

Verification, the act of providing assurance that a safety activity is taking place, doesn’t appear anywhere in the hierarchy of control. It's not a control, it's a way to check whether your controls are working. It is, what is known as, a due diligence activity. Many governance groups dedicate a huge amount of their limited time and resources here. Reviewing evidence that controls are being applied.

A governance group that reviews completed checklists and signed inspection records is receiving information about step four in the process. It receives almost no information about whether steps one, two, and three were genuinely considered.

Did you drive today?

Workplace traffic management is an effective way to test this, as it makes the gap visible in a manner that's difficult to ignore.

A worker drives to the site on public roads, separated from oncoming traffic and pedestrians by a series of administrative controls. At the gate, they're told that a painted line alone is insufficient and that physical separation is required. From where they're standing, the rule seems arbitrary. The standard applied at work is stricter than the one the state enforces on the road they just travelled on. The context is measurably less complex, and yet the level of compliance needed to operate ‘safety’ has multiplied.

This is defensible from an SFARP perspective: workplace vehicle movements are a leading cause of fatalities. This fact alone justifies higher controls. However, based on our lived experience of the public road network, the workplace rules don’t match our perception. It can feel like unnecessary bureaucracy and a reduction in our ability to act autonomously.

Tom Tyler spent decades studying why people comply with rules, and his conclusion? People follow rules primarily because they believe those rules are legitimate, not because they fear being caught (Tyler, Why People Obey the Law, 1990). Voluntary compliance, grounded in genuine understanding, is more reliable than compliance produced by enforcement. Further to that, enforcement pushed too hard actively erodes the internalised commitment that produces real, rather than performed, compliance.

Multiple studies have confirmed that traditional deterrence levers, such as certainty, severity and speed of punishment, do not reliably improve compliance with traffic rules (Armstrong et al., 2018; Bates (no relation!) et al., 2020; Freeman et al., 2016). Research published in the Journal of Safety Research found that when rules seem inconsistent with a person's view of the world, compliance declines regardless of the consequences of noncompliance (Varet et al., 2024). If workers cannot see why a workplace rule exists when the standard on public roads does not match it, the only way to increase compliance (without changing the context) is through continuous supervision, which will create a whole new set of issues you really don’t want.

The checklist that ate the outcome

There is a pattern that Hale and Borys identified in safety rule compliance research that organisations rarely acknowledge: when monitoring becomes the main method for safety management, workers adapt their behaviour to satisfy the monitoring system rather than to achieve the real safety outcome (Hale and Borys, Safety Science, 1998). The record appears healthy. The risk doesn't necessarily follow.

This isn't a cynical comment about workers manipulating the system. It is a normal way that humans, yes, that includes you, behave. It is one of the reasons that we are successful as a species. It’s also a predictable reaction to any incentive structure. If the measure is the completion of the activity, then finishing the activity becomes the aim. Whether the activity served its purpose is a different matter, which the measurement system often isn't set up to assess.

Challenger, Deepwater Horizon, Grenfell. None of these disasters were preceded by missing documentation. The compliance records were mainly complete. What the records didn't show was the gap between what was documented and what was actually happening, a gap that the governance groups overseeing those organisations did not ask questions capable of uncovering.

The question governance groups miss.

The usual governance question is: did this activity take place?

The question SFARP actually requires is: why does this safety activity still need to occur?

These lead to very different conversations.

Ask whether a safety inspection happened, and you'll find out whether the inspection happened. That's it. Ask why the inspection still needs to exist, and you'll find out whether anyone ever seriously evaluated whether the inspection process could have been made unnecessary. The questions look similar. They produce entirely different conversations.

The same gap runs through many reports. Knowing that checklists are being completed indicates that workers are signing off on them. It tells you almost nothing about whether the hazard the checklist was designed to manage could have been designed out instead. If you are really honest with yourself, it only tells you that the checklist was completed. The question as to why the checklist exists should be your first thought, and why that fact needs to be documented is the second.  Pilots complete checklists all the time, but very few of them are physically documented or reviewed.

Knowing that compliance is being recorded tells you something, but it doesn't tell you whether that control was the right one to choose, or whether anyone ever asked that question.

The SFARP duty requires organisations to show that higher controls were genuinely evaluated. So many verification activities don't touch on that question at all.

What legitimate governance looks like in practice

I want to be really clear here: I do not think we should abandon verification processes. They are a critical part of any risk management process. Controls that remain after genuine consideration of higher options are appropriate and need to be monitored in a meaningful way that goes beyond just accepting that a box is being ticked. The issue is what questions are asked before, during and after verification processes, and the methods of control are designed.

For any significant (what is often called critical) control, organisations should be able to show that elimination, substitution, and engineering controls were considered, with reasoning proportionate to the risk level. "We use a procedure because hiring staff with the appropriate level of skills, knowledge and experience is too expensive”  is SFARP reasoning that is going to be very hard to justify in court. It's a cost preference.

Governance groups need to periodically require evidence that the safety outcome is being achieved and that controls are continually reevaluated in search of improvement, not just that the safety activity is being recorded. For workplace traffic management, that means asking whether a vehicle-pedestrian collision is still physically possible, not whether the traffic management plan has been signed off. Deciding on the best course of action without safe-to-fail experimentation and a period of review and feedback will not provide the level of assurance needed to demonstrate that a meaningful verification process is in place.

There is also something in the research worth noting regarding worker involvement. Work by Tyler and Blader found that workers who participate in designing controls understand and accept them differently from workers who are simply given controls (Tyler and Blader, Academy of Management Journal, 2005). A worker who helped design, test and review the physical layout of vehicle and pedestrian routes is less likely to see the traffic rule as arbitrary, because they already know why it exists.

The thing verification signals without meaning to

Verification carries an implicit message. Your word isn't enough. At a systemic level, that's appropriate. At a human level, it accumulates, and beyond a certain point, it can corrode the voluntary commitment that enables genuine safety compliance.

Research on workplace compliance revealed that when monitoring is used solely to identify failures rather than to acknowledge successes, workers' personal commitment to safety standards diminishes (Tyler and Blader, 2005). People do only what's minimally required by the system. Safety shifts from being a genuine concern to merely a performance requirement.

The organisations that manage to maintain both verification and genuine worker engagement tend to do one thing differently. When verification confirms that safety activities have become part of workers’ intrinsic motivations, that is recognised. People want and need to be seen. We want to be recognised as valuable, not just as a point of system weakness.

More than that, organisations that recognise value signal something else. That they are working to improve the work through consultation and design, and that they are open to ideas and challenge. The move from "we are watching you,” to "we're working to make this unnecessary, and we need your help in the meantime” isn’t a simple one, but it is necessary.

The prior question

Before questioning whether a safety activity is being verified, governance groups should ask a more difficult question. 

Have we done everything reasonably practicable to make this verification unnecessary? 

If the answer is yes, if the hierarchy was genuinely applied, engineering controls were evaluated and either implemented or formally rejected with documented reasoning, then verifying the remaining administrative controls is appropriate, and the record has meaning. 

If the answer is no, if administrative controls exist because they were cheaper or less disruptive, and nobody seriously evaluated whether higher controls could even be used, then the verification record isn't evidence of SFARP compliance. It's a detailed record of the gap between what the law requires and what the organisation actually did. 

No audit trail protects against that.

Sources

Armstrong, K.A., Watling, C.N., & Davey, J.D. (2018). Deterrence theory and traffic compliance. Journal of Safety Research.

Bates, L., Watson, B., & Davey, J. (2020). Understanding the role of deterrence in traffic law compliance. Accident Analysis and Prevention.

Freeman, J., et al. (2016). The self-reported impact of legal and non-legal sanctions on recidivist drink drivers. Transportation Research Part F.

Frontiers in Public Health (2023). Safety leadership, safety climate, psychological contract of safety, risk perception, safety compliance, and safety outcomes.

Hale, A.R., & Borys, D. (1998). Working to rule, or working safely? Safety Science, 26(3), 293–315.

Tyler, T.R. (1990). Why People Obey the Law. Yale University Press.

Tyler, T.R., & Blader, S.L. (2005). Can business effectively regulate employee conduct? Academy of Management Journal, 48(6), 1143–1158.

Varet, F., et al. (2024). Exploring the perceived effectiveness and strictness of penalties for traffic offences. Journal of Safety Research.