Give Your Risk Register a Voice
- Apr 19
How AI Can Strengthen the HSE Waterfall
In every effective health and safety system, guidance flows downward.
It starts with the Health and Safety at Work Act, then moves into the supporting regulations. From there, it flows into Approved Codes of Practice, Good Practice Guidelines, industry guidance, training, company manuals, and finally into the documents and controls that shape work on the ground.

That is the HSE waterfall.
For companies operating in higher-risk environments such as cranes, lifting, rigging, precast concrete, and working at heights, this flow matters. It is how legal duties become practical controls. It is how broad obligations are turned into clear steps that people can apply in real work.
At the bottom of that waterfall sits one of the most important tools in any business - the risk and hazard register.
This is where the legal framework meets operational reality.
From legislation to work as done
A typical HSE waterfall looks something like this:
- Health and Safety at Work Act
- Regulations
- Approved Codes of Practice
- Good Practice Guidelines
- Industry guidance and reference documents
- Training and competency requirements
- Company HSE manuals and systems
- Risk and hazard registers
- SOPs, TAs, JSAs, and SWMS
- Work execution and verification
In practice, this includes documents and guidance across areas such as:
- cranes
- load lifting and rigging
- precast concrete
- working at heights
It also includes industry reference material such as the Crane Safety Manual and similar supporting documents used across the sector.
For years, companies have worked to ensure this information flows properly. The challenge has always been consistency. Even when the source material is sound, there is often a gap between what the law or guidance requires, what the risk register says, and what operational documents actually contain.
That is where AI becomes powerful.
Why the risk register matters so much
A risk register should not be treated as a static compliance document.
It should define the company's view of its key hazards, risks, and controls. It should help answer basic but critical questions:
- What can seriously harm people?
- What controls are meant to prevent that harm?
- Which of those controls are critical?
- How do we know those controls are working?
If the risk register does not clearly connect to procedures, task planning, training, and verification, then the system is weaker than it appears.
Many businesses have good information. What they often lack is a reliable way to connect it all.
The knowledge burden is part of the risk
One of the practical challenges in building a strong HSE system is the sheer volume of knowledge involved.
To develop sound risks, controls, procedures, and verification activities, a business may need to consider:
- legislation
- regulations
- Approved Codes of Practice
- Good Practice Guidelines
- industry manuals
- technical guidance
- manufacturer information
- training requirements
- company experience
- incident learnings
- site-specific conditions
That is a substantial body of knowledge. In higher-risk industries, it is not realistic to expect one person to hold all that information in their head, consistently connect it, and apply it evenly across every part of the system.
This is where risk can develop.
Not because people do not care or are not competent, but because the volume of relevant material is large, scattered, and constantly changing. Important guidance can be missed. Controls can become inconsistent between documents. Procedures can drift away from the intent of the risk register. Verification can focus on what is visible rather than what is critical.
That knowledge burden is itself a system risk.
This is where AI can help pull its weight.
When grounded in the right legal, regulatory, industry, and company source material, AI can ingest, organise, compare, and surface relevant information far more quickly than a manual review process alone. It can help identify gaps, inconsistencies, overlaps, and missed connections across the HSE framework.
That does not remove the need for human expertise. It supports it.
The value of AI lies not in replacing humans, but in assisting them to manage the vast amount of knowledge needed to develop and sustain improved systems and controls.
What changes in an AI-enabled environment
When a risk register is connected through the Model Context Protocol (MCP) to an AI system grounded in legislation, regulations, ACOPs, GPGs, and industry guidance, the register becomes far more useful.
Instead of sitting in isolation, each risk can be reviewed in the context of the company's actual work, actual procedures, and actual control framework.
That means the AI can help test whether the waterfall is working as intended.
For example, it can review whether:
- company risks reflect the duties and guidance that sit above them
- controls in the risk register are properly reflected in SOPs and task documents
- JSAs and TAs address the hazards and controls that matter most
- SWMS align with the control expectations set by the business
- training content supports the controls the company relies on
- verification activities are focused on critical hazards and critical controls
This turns the waterfall into a connected system of documents.
A human stays in the middle
This part matters.
AI should not be positioned as replacing professional judgement, operational experience, or formal review. It should support the system, not become the system.
Where AI identifies a possible update, inconsistency, missing control, or gap between documents, a competent human must sit in the middle of that process. The role of the AI is to surface issues, compare documents, trace controls, and present relevant guidance. The role of the human is to review, assess, and decide what should change.
That means:
- AI can suggest that a risk register entry may need review
- AI can flag that a procedure does not appear to reflect a control in the register
- AI can identify that a JSA or SWMS may not align with company expectations
- AI can point to changes in source guidance or related industry material
But a person must still determine:
- whether the issue is real
- whether the suggested change is valid in the company context
- whether the wording, control, or risk rating should actually be amended
- whether the update should be approved and implemented
This human checkpoint is essential. It keeps accountability where it belongs and ensures the system remains practical, proportionate, and suited to the real work environment.
Ensuring controls flow down
One of the biggest practical advantages of linking AI to a risk register is the ability to trace controls.
Controls should not stop at the register. They need to flow down into the documents and behaviours that shape work on site.
If a company identifies a critical control for suspended loads, crane setup, exclusion zones, rigging method, or work at height, that control should also appear in the places where work is planned, briefed, checked, and verified.
AI can help test that flow.
It can compare the risk register against SOPs, JSAs, SWMS, and training documents to identify where controls are present, missing, inconsistent, or weakly stated. It can also highlight where the language used in operational documents does not reflect the seriousness of the risk being managed.
But again, any proposed update still needs human review. AI can identify the gap. A competent person must confirm the change and decide how it should be addressed.
That kind of review is difficult to do well at scale using manual methods alone.
Verification becomes stronger too
The value does not stop with procedures and planning documents.
A connected risk register can also support verification.
Officers and leaders are expected to verify that controls are in place and working. In many organisations, that verification process becomes too generic. Checklists are completed, but they are not always tied directly to the most significant hazards.
With AI connected to the risk register, verification can become more targeted.
Critical hazards and their associated controls can flow into field verification activities, assurance checks, and leadership reviews. That creates a stronger line between what the company says matters and what leaders actually test.
In other words, it helps organisations verify the controls that matter most, not just the ones that are easiest to inspect.
Where verification findings suggest that a control is not working as intended, AI can help surface that pattern. A human then needs to assess the finding, investigate the cause, and decide whether the register, procedure, training, or field practice needs to change.
Turning the waterfall around
This is where the model becomes even more useful.
Traditionally, the HSE waterfall flows downward:
Act -> Regulations -> ACOPs and GPGs -> company systems -> operational documents -> work execution
With AI and MCP, it can also flow upward.
Information from SOPs, TAs, JSAs, SWMS, verification records, field observations, and frontline feedback can be reviewed and returned to the risk register.
That means the register can evolve based on actual work, not just periodic desktop review.
If task documents repeatedly introduce controls not captured in the register, that is worth reviewing. If verification findings show a control is often misunderstood or inconsistently applied, that should inform the register and the wider control framework. If procedures show a recurring hazard that is not well represented at the register level, that can be escalated with supporting context.
Again, the key point is that this is not an automatic rewrite. AI can help bring the issue forward, supported by the relevant source material and document comparison. A human reviewer still decides whether the register should change.
This is the uphill flow that AI makes more practical.
From static document to live system
The real shift is this: a risk register connected to an MCP server and an AI skill is no longer just a document.
It becomes a live system that helps connect:
- legal obligations
- regulatory requirements
- industry guidance
- company controls
- operational procedures
- training content
- verification activities
- continuous improvement
That is a significant step forward for HSE.
It does not remove the need for competent people, sound judgement, or disciplined field leadership. It does not replace safety professionals, managers, or workers. What it does is help them manage the sheer volume of knowledge required across legislation, guidance, company systems, and operational documents. It improves visibility, traceability, and consistency across the system while making it easier to build and maintain controls aligned with the real risks.
It helps organisations see whether their controls are truly flowing from principle into practice, while keeping human judgement at the centre of any update or decision.
Give your risk register a voice
For many companies, the risk register is still treated as something reviewed occasionally and referenced when needed.
It should be more than that.
With the right structure, industry grounding, and MCP connection, the risk register can become a central intelligence hub within the HSE system. It can help drive better procedures, stronger task planning, more focused verification, and better alignment between guidance and real work.
Most importantly, it can create a two-way flow - down from legislation and guidance into work, and back up from work into better risk management.
AI helps make that possible. Human judgement ensures it is done properly.
That is where AI begins to add real value.
Give your risk register a voice.
Learn More:
For those who manage to read this far, I'm happy to share how. Just reach out to me on LinkedIn.
Scott McLeod




