Preventing Catastrophic Safety Incidents: Do We Have False Confidence In Our Metrics?

Traditional safety metrics often fail to reveal vulnerabilities in systems designed to prevent catastrophic events, creating a false sense of security.

Key Highlights

  • Traditional safety metrics mainly measure personal safety and may not reflect the integrity of systems preventing catastrophic events.
  • Organizations often confuse strong safety performance with effective risk control, overlooking vulnerabilities in critical safeguards.
  • A shift in leadership focus from outcome-based metrics to the health and verification of safety barriers is essential for high-reliability operations.
  • Key questions for leaders include understanding high-consequence hazards, defining and prioritizing controls, and verifying their effectiveness in real conditions.
  • Proactive detection of degraded safeguards and operational deviations requires field-level validation and a culture that encourages speaking up about failures.

Total Recordable Incident Rate (TRIR) is low. Audits are complete. Culture surveys are strong. The dashboards look good, the numbers are trending in the right direction, and by all appearances, safety is under control.

And yet, major incidents or significant near misses continue to surprise the team. Not in failing organizations, but in ones that believed they were performing well. Sites with strong safety cultures, engaged leadership and years of positive metrics still find themselves at the center of high-consequence events that “shouldn’t have happened.”

So the question is hard, but unavoidable: Are we actually monitoring and measuring what prevents catastrophic events?

Across the industry, the pattern is becoming difficult to ignore. The indicators we celebrate most often tell us very little about whether the systems designed to prevent rare, high-consequence events are intact, functioning and effective where it matters most. We are not lacking effort, investment, or intent. What we may be lacking is visibility into the conditions that truly determine risk.

The uncomfortable reality is that many organizations have become exceptionally good at measuring safety activity while remaining uncertain about whether their highest-consequence risks are actually under control.

The Disconnect: Good Safety Metrics vs. Catastrophic Risk

Most organizations operate within two very different safety realities, often without fully recognizing the distinction.

The first is personal safety: high-frequency, lower-consequence events such as slips, trips and minor injuries. These are visible, measurable and respond well to traditional safety management systems. The second is catastrophic risk: low-frequency, high-consequence events where failures in systems, controls, or decision-making can lead to significant harm to people, assets and communities.

The problem is not that organizations are managing personal safety poorly. In many cases, they are doing it exceptionally well. The problem is that strong performance in one domain is often assumed to reflect strength in the other. It does not.

Organizations with low injury rates, strong audit results and positive cultural indicators can still be exposed to significant, unmanaged catastrophic risk. The metrics most commonly used to demonstrate safety performance can overlook how necessary, critical safeguards are functioning as intended, and if they are effective under real operating conditions. In this context, absence of injuries is not evidence of control of major risks.

History (and the US Chemical Safety Board’s investigation reports) repeatedly demonstrate this pattern. Organizations involved in major accidents often reported strong traditional safety performance before the event occurred. The lesson is not that those metrics are unimportant, but rather that they were never designed to measure catastrophic risk exposure.

This disconnect creates a dangerous form of false confidence. A site may report excellent safety performance while key safeguards are degraded, bypassed, or misunderstood. The indicators look good, but the conditions that actually determine risk are moving in the wrong direction.

Shift the Lens: From Outcomes to Barrier Health

If traditional safety metrics don’t reliably indicate exposure to catastrophic risk, then the question becomes: What should leaders be looking at instead? The answer is not another layer of metrics; it is a shift in perspective.

High-consequence events do not simply occur because indicators turn red. They occur when the controls designed to prevent them are absent, degraded, or ineffective under real conditions. Those failures are often developing long before any incident occurs, but they remain largely invisible if the organization is focused primarily on outcomes rather than conditions.

This requires a different lens—moving from “How are we performing?” to “How healthy are the barriers that prevent catastrophic events?”

Barrier health is observable in the field through how critical safeguards perform under real operating conditions and how consistently they can be relied upon when needed most.

For leaders, this represents a subtle but important shift. It moves the conversation away from reported performance and toward understanding whether the conditions required for failure are quietly accumulating. It requires asking different questions—ones that test assumptions, validate controls where work occurs, and expose vulnerabilities before they escalate.

The Five Questions Leaders Should Be Asking

If catastrophic risk is not reliably visible through traditional metrics, then leaders need a different set of questions—ones that test understanding, validate assumptions, and expose what is actually happening where work occurs.

These are not technical audit questions. They are leadership questions that drive clarity, alignment and focus on the conditions that determine risk.

1. Do we clearly understand our highest-consequence hazards?

At the foundation of catastrophic risk management is clarity. Not everything is equally consequential, and organizations that fail to distinguish their highest-consequence hazards often dilute focus across too many priorities.

Leaders should be able to articulate, in simple terms, what hazards have the potential to cause severe outcomes—and where they exist in the operation. This understanding should be consistent across functions, not confined to technical specialists.

What to look for:

·       Clear, prioritized identification of major hazards.

·       Alignment between operations, engineering and safety teams.

·       A shared understanding of what “catastrophic” means in context.

What often goes wrong:
Over time, hazard lists expand, priorities blur and “everything” becomes critical. When that happens, real risk fades into the background

2. Are our critical controls defined and risk-ranked?

Identifying hazards is only the first step. The real question is whether the organization has clearly defined the controls that prevent those hazards from leading to severe outcomes, and understands which of those controls matter most.

Critical controls should be explicitly identified, linked to major accident hazards, and prioritized based on their role in preventing catastrophic outcomes.

What to look for:

·       Clear linkage between hazards and specific controls.

·       Understanding of which controls are truly “critical.”

·       Defined expectations for control performance.

What often goes wrong:
Controls are implied rather than defined. Organizations rely on layered systems without clarity on which safeguards are essential, and which are simply supportive.

3. Do we know if those controls are working where the work occurs?

A control that exists on paper is not the same as a control that is functioning under the conditions where it is relied upon.

This is where many organizations lose visibility. Audits, procedures and system checks may indicate that controls are in place, but they do not always confirm that those controls perform as intended in real operating conditions. Avoiding a bias for being “safe on paper” is key as operational conditions are reviewed in real time to detect issues.

What to look for:

·       Field-level verification of control effectiveness.

·       Evidence that controls function under normal and stressed conditions.

·       Direct observation of how work is performed.

What often goes wrong:
There is overreliance on documentation and audit completion. The assumption becomes that if a control is defined, it is working—without direct validation of exposure control.

4. Where are people exposed when controls fail?

No control is perfect. The question is not whether failure is possible; it is where and how exposure occurs when it does.

Understanding exposure requires looking beyond static risk assessments and examining how work actually unfolds: the tasks, the deviations, the interfaces, and the moments where safeguards are bypassed or degraded.

What to look for:

·       Identification of high-exposure tasks and conditions.

·       Understanding of how deviations occur in practice.

·       Visibility into simultaneous operations and system interactions.

·       Reliance on behavioral perfection without allowance for human performance error.

·       Missing fail-safes or redundant systems.

What often goes wrong:
Risk is treated as static. Exposure is assumed to be controlled because the system is designed that way, without examining how people and processes interact under real conditions.

5. Can our leadership team, and our board, distinguish between strong safety performance and good catastrophic risk management?

This is ultimately a leadership clarity question. At the executive and board level, major decisions are made based on how safety performance is framed, reported and understood. If the distinction between personal safety outcomes and catastrophic risk exposure is not clear at that level, the organization is vulnerable—regardless of how strong its overall safety metrics appear.

What to look for:

·       Clear differentiation in reporting between personal safety metrics and catastrophic risk indicators.

·       Executive-level visibility into the status and reliability of critical controls.

·       Discussions that focus on potential exposure and barrier health, not just performance outcomes.

·       Candor in reporting leading metrics highlight emerging gap errors rather than a bias toward  “green or vanity metrics” as illusionary control.

What often goes wrong:
Leadership discussions center on lagging indicators and positive trends, reinforcing confidence without testing underlying assumptions. Over time, this creates a gap between what leaders believe is under control and what is actually happening in the field.

The challenge is rarely a lack of commitment from leadership. Boards and executive teams generally want to understand catastrophic risk and ensure appropriate resources are directed toward prevention. The difficulty is that many organizations do not routinely provide leaders with information that clearly distinguishes between strong safety performance and effective control of major hazards. When that distinction is absent, strategic decisions may be based more on false confidence without evidence of barrier health and control effectiveness.

Effective governance of catastrophic risk requires more than reviewing injury rates, audit completion statistics and cultural indicators. It requires visibility into the status, reliability and verification of the critical controls that stand between normal operations and a high-consequence event.

Why Organizations Miss These Signals

If these questions are so fundamental, why are they so often overlooked?

The answer is not a lack of capability or intention; it’s the reality of how organizations operate under pressure. Production demands, cost constraints and operational complexity continuously compete for attention. Over time, the focus shifts toward what is easiest to measure, report and manage day-to-day. Catastrophic risk, by its nature, does not demand attention in the same way—until it does.

Another factor is organizational drift. Small deviations and workarounds often emerge gradually in response to operational pressures. Over time they can erode safety margins and weaken critical controls without attracting attention, increasing risk exposures while confidence remains high.

Structural factors also play a role. Information related to hazards, controls, maintenance and operations is often fragmented across functions. No single view clearly reflects whether critical safeguards are intact and effective. As a result, leadership decisions are made based on partial visibility, even when data exists somewhere within the organization. Without declarative statements clearly announcing emerging or acute risk elevation, action sometimes is delayed or does not occur to close serious gaps.

There is also a more subtle dynamic at work. Reporting systems tend to reinforce positive performance, and organizations naturally become more comfortable sharing what is going well than what may be degrading beneath the surface. Over time, this creates a gap between reported performance and actual conditions. Organizations are wise to engage in human machine interface evaluation to understand how pSIF and catastrophic risk within critical tasks are truly being managed. A focus on maturing a psychologically safe culture to speak up on failures, sharing bad news, or presenting contrary opinions on risk perspectives is essential for high reliability performance.

A Better Question for the Next Incident

When a major incident occurs, the question that inevitably follows is: “Why didn’t we see this coming?”

Investigations work to reconstruct the sequence of events, identify contributing factors and assign lessons learned. Organizations do not need to wait for the next incident, or the final investigation report, to begin asking these questions.

A more useful question—one that leaders can ask today—is simpler: “What signals might we be overlooking right now?”

Catastrophic events rarely occur without warning. The indicators are almost always present in some form—degraded safeguards, increasing exposure, assumptions that have gone untested. The challenge is not the absence of information, but whether the organization is focused on the conditions that truly matter.

This is ultimately a leadership choice. Organizations can continue to rely on performance indicators that provide comfort, or they can shift attention toward the health of the systems that prevent high-consequence events. The difference is not in effort, but in where that effort is directed.

Leaders do not prevent catastrophic events by asking whether performance is improving. They prevent them by asking whether the barriers that matter most are healthy, verified and capable of performing when needed. Catastrophic events are rare. The warning signs of eroding rigor rarely are.

About the Author

Mike Snyder

Mike Snyder

vice president of operational risk management

Mike Snyder is vice president of operational risk management at DEKRA North America, a provider of comprehensive testing, inspection, certification and consulting services, where he serves as a thought leader in risk-based decision-making and an advisor in chemical hazard evaluation and risk management.

Sign up for our eNewsletters
Get the latest news and updates

Voice Your Opinion!

To join the conversation, and become an exclusive member of EHS Today, create an account today!