I like this idea. It reminds me of what used to happen in the early days of the ACC - WSMP programme. I'm referring to the difference between the controls that were supposedly (imagined to be) in place with regards to the hazards listed in the hazard (risk) register; compared to the actual controls (or complete absence of) that the auditor found. That was after ACC insisted that auditors verify that what was actually being done, matched what the documentation said was being done.

Hi Chris,
Sounds interesting, I will email you.
Pete