If you asked most safety officers in Malaysia to show you their risk management system, they would open a spreadsheet.
The spreadsheet is real. The hazards are listed. The risk ratings are there. The control measures are documented. The document exists.
But the document is not the system. And the gap between those two things is where most risk management in Malaysia breaks down.
What a Risk Register Is
A risk register — whether it is a HIRARC document, a risk assessment spreadsheet, or a formal register — is a record.
It records:
- The hazards that have been identified
- The risk rating associated with each hazard at the time of assessment
- The control measures that were identified as applicable to each hazard
A risk register tells you what was known about the risks at the time the document was produced. Nothing more.
It does not tell you whether the controls are still in place. It does not tell you whether the hazards have changed since the last review. It does not tell you whether anyone is responsible for ensuring the controls function. It is a snapshot — not a live picture.
What a Risk Management System Is
A risk management system is the set of processes that keeps the risk register accurate, relevant, and acted upon.
It answers questions the document cannot:
Are the controls currently in place? Not as of the last HIRARC review — today.
Have the risks changed? Since the production line was modified, since the new contractor started work, since the chemical was substituted — do the risk assessments still reflect what is actually happening?
Who is responsible for each control, and how do we know they are fulfilling that responsibility?
What happens when a control fails or is found to be absent? Who finds out? How quickly? What is the response?
These are process questions. A document cannot answer them; they require a system that is actually operating.
The Test: How Long Would It Take You to Find Out?
Here is the most direct test of whether your organisation has a risk register or a risk management system.
Imagine that three of the controls listed in your HIRARC for your highest-consequence hazards stopped being applied today. No engineering failure — just a gradual drift in practice. Controls that exist on paper but are no longer being reliably implemented on the ground.
How long would it take your organisation to find out?
If the answer is “when the next HIRARC review is due” or “when something goes wrong” — you have a risk register. The only mechanism by which the gap between your document and your site is detected is an audit on a fixed schedule, or an incident.
A risk management system would detect the gap before the audit and before the incident — because monitoring is built into the system.
The Three Elements a Risk Management System Requires
1. A monitoring process
Someone physically verifies that controls are in place, on a defined schedule. Not as part of an annual HIRARC review — as a routine operational activity. The frequency of monitoring should be proportional to the consequence severity of the hazard and the reliability of the control.
Engineering controls — physical guards, interlocks, secondary containment — may be verified monthly or quarterly. Administrative controls — permit systems, supervisor sign-off requirements — may be verified through observation during operations.
2. A review trigger independent of the calendar
Most organisations review their risk assessments annually. An annual review cycle means that a significant operational change — a new process, a new contractor, a new chemical, a facility modification — can introduce new hazards that go unassessed for up to twelve months.
A risk management system includes a trigger for review that is independent of the calendar: any significant change to operations, equipment, or personnel that could affect the risk profile initiates a review. Not the next annual cycle.
3. Named accountability for each control
Every control measure in the risk register should have a named owner — a specific individual whose responsibility includes ensuring that control is in place and functional. Not the safety department as a whole. Not “the supervisor.” A named person.
Without named accountability, controls are everyone’s responsibility and no one’s. When a control is found to be absent during an incident investigation, the finding is almost always that “no one was responsible for checking.”
Moving From Register to System
The practical path from a risk register to a risk management system does not require starting over. It requires adding three things to the document you already have: a monitoring schedule, a change-trigger procedure, and a named owner for each control.
None of these additions are complex. All of them require management commitment — because monitoring, reviewing, and being accountable are operational activities, not documentation exercises.
The register is the map. The system is the journey. Without the system, the map tells you where you planned to go, not where you are.