Management of Change Risk Management Mining Construction Safety

Management of Change: How to Assess Risk Before Implementing Changes

RiskSight Team

Most incidents involving new equipment, modified processes, or organisational changes trace back to the same failure: the change was made without a formal assessment of the risks it introduced. The hazard was created by the change. The risk assessment happened after the incident — in the investigation.

Management of change (MOC) is the process that prevents this. It requires that changes be assessed for their risk implications before they are implemented, that new or changed controls be in place before the change takes effect, and that the risk register and operating procedures reflect the new state of the operation.

MOC is required not only for major capital projects. The changes most likely to produce incidents are often minor in scope — a temporary bypass, a modified sequence, a procedure change that seemed inconsequential — precisely because they do not attract the scrutiny that a large project does.

What a Management of Change Process Is Required to Do

An MOC process has four obligations:

Identify that a change is occurring. This requires a mechanism for capturing proposed changes before they happen, not after. Changes that are implemented without notification cannot be assessed. The notification obligation must extend to all levels of the operation — a supervisor who reroutes a process line without notifying the HSEQ team has bypassed the MOC process, regardless of whether the MOC process exists on paper.

Assess the risk implications of the change. What new hazards does the change introduce? What existing controls does it affect or remove? What is the residual risk of the changed state? This assessment must be done by people who understand both the change and the risk framework of the affected area.

Implement required controls before the change takes effect. New controls that are identified in the MOC assessment must be in place before the changed work begins — not planned for installation, not in progress, but operational. A change that is implemented before its controls are ready transfers the protection gap from the document to the workplace.

Update the risk register, procedures, and training. A change that has been assessed and controlled but not reflected in the risk register leaves the documented risk picture inconsistent with reality. The next risk assessment, audit, or incident investigation will work from incorrect information.

What Changes Must Go Through the MOC Process

The most common failure in MOC implementation is defining the scope of the process too narrowly. When MOC applies only to major capital changes, the minor changes that produce most incidents are unmanaged.

The MOC process must cover:

Physical changes: New equipment, modified equipment, changes to plant layout, installation of temporary facilities, changes to materials or chemicals used. This includes changes that are intended to be temporary — a temporary bypass of a safety interlock is not less dangerous because it has an end date. Temporary changes often carry higher risk because they operate outside normal design parameters and attract less monitoring.

Process changes: Revised procedures, changed sequences of operation, new operating parameters, modifications to permit-to-work requirements. A procedure change that is implemented by distributing a revised document without a risk assessment has changed the controls without assessing whether the change is safe.

Organisational changes: Changes to supervision ratios, reporting structures, key personnel, or contractor arrangements. An organisational change that removes a role responsible for critical control verification, without assigning that responsibility elsewhere, is a change to the critical control system. It must be assessed accordingly.

Regulatory or standard changes: When a new regulation, code of practice, or industry standard changes the requirements for a control or a hazard management approach, the risk register and MOC process must reflect the new obligation.

Temporary and emergency changes: Changes made under time pressure — bypasses to maintain production during equipment failure, temporary personnel arrangements during leave periods, emergency modifications — must be assessed even when the timeline is compressed. A compressed assessment is better than no assessment. The change must be reversed or formalised at the end of the temporary period.

What the MOC Risk Assessment Must Cover

An MOC risk assessment is not a generic risk assessment applied to the change. It must address the specific risk implications of this specific change in this specific context.

New hazards introduced: What hazards exist in the changed state that did not exist before? New equipment brings new energy sources, new failure modes, and new interfaces with existing systems. New chemicals bring new exposure pathways. New processes bring new sequences in which errors can compound.

Existing controls affected: Which controls currently in the risk register are affected by the change? A change to a process sequence may invalidate a procedure that an existing control relies on. A change to equipment may render a physical safeguard obsolete. Every control that the change touches must be reassessed.

Competency and training requirements: Who needs to be trained before the change takes effect? Not informed — trained, with verified competency. Workers who operate changed equipment without understanding how it differs from its predecessor are an unmanaged risk.

Monitoring during the change period: What additional monitoring is required while the change is being implemented and bedded in? New equipment and modified processes often behave differently in practice than they do in design. Increased supervisory presence and more frequent verification checks during the initial period reduce the risk of undetected problems.

Communication: Who needs to know about the change before it takes effect? Adjacent work areas, maintenance teams, emergency response personnel, contractors — all may be affected by a change that appears to be contained within one area.

What Common MOC Failures Look Like

The change happens first. The most common MOC failure is retrospective — the change is implemented, and the MOC documentation is completed afterwards. This inverts the purpose of the process. The assessment should determine whether the change can proceed safely, not confirm that it already has.

The assessor is the implementer. An MOC risk assessment conducted only by the person or team implementing the change is not independent. The people with the strongest interest in the change proceeding quickly are the least likely to identify reasons why it should not. An independent review — by HSEQ, by a technical authority, or by the area responsible for the affected controls — is not optional for significant changes.

Temporary changes become permanent. A bypass is installed with a defined end date. The end date passes. The bypass remains in place because the problem it was addressing has not been resolved. It is no longer tracked as a temporary change. Six months later, it is treated as a normal part of the system. The risk register still shows the original control as operational.

The risk register is not updated. The change is assessed, the controls are implemented, and the MOC is closed out. The risk register is not updated to reflect the new control state. The next review works from a document that describes the pre-change operation. The risk register review cannot be substantive if the register does not reflect current reality.

What MOC Requires From the Broader Risk System

An MOC process that operates in isolation — as a separate form in a separate document management system — cannot fulfil its purpose. The outputs of an MOC assessment must connect to the risk management system.

When an MOC identifies a new hazard, that hazard must be added to the risk register. When an MOC changes a control, the control record in the register must be updated. When an MOC introduces a new critical control, a verification schedule must be created. When a temporary change ends, the original controls must be restored and re-verified.

These connections require that the MOC system and the risk register share data — not through manual transfer, but through integration. An MOC that closes out in one system without updating the risk record in another leaves a gap that will not be visible until the next audit, or the next incident.


For a breakdown of how RiskSight connects MOC outputs to risk registers, control records, and verification schedules, see Risk Management Software for Mining, Construction & Heavy Industry.

Start a 30-day free trial with demo data included. No credit card required.

Ready to modernise your risk management?

Start your 30-day free trial. No credit card required.

Start free trial