
RIIO-3 and the safety imperative: what energy, utilities, and oil & gas leaders need to know

RIIO-3 is pushing energy, utilities, and water companies to prove safety performance with connected, audit-ready data.
May 18, 2026

The UK’s energy landscape is being rewired in how safety performance is measured, reported, and ultimately paid for. Ofgem’s RIIO-3 price control framework, which came into force in April 2026, formally links the revenue that network operators can earn to demonstrable operational outcomes.

Safety sits at the centre of that accountability model. And while the regulatory mechanism of RIIO-3 applies directly to electricity and gas network licence holders, its logic (that safety performance is financially material and must be evidenced, not assumed) resonates across every corner of the energy sector.

If you lead health and safety for a utility, an oil and gas operator, or a water company, RIIO-3 matters to you whether or not your organisation is a regulated network. Here is why.



What RIIO-3 actually demands from a safety perspective

RIIO-3 continues the fundamental principle that Revenue = Incentives + Innovation + Outputs. Safety is baked into the Outputs dimension. Network operators must demonstrate performance against safety output measures, and where they fall short, revenue can be clawed back. Where they exceed expectations, incentive mechanisms reward it.

Ofgem has approved around £28.1 billion of core funding for electricity and gas networks over the 2026–2031 period, with a total investment pipeline potentially reaching £90 billion when in-period mechanisms are considered. That is an enormous volume of capital work being executed across UK energy infrastructure covering construction, maintenance, asset replacement, and new build. Much of it in live operational environments. Much of it involving complex contractor workforces on sites.

The H&S implications are not abstract. More capital works means more exposure. More contractors on site means more governance complexity. More new energy assets means novel hazards that existing safety systems may not be designed to manage.

For network operators directly subject to RIIO-3, demonstrating safety outcomes is now a financial obligation as much as a moral one. For oil and gas operators, water companies, and energy services businesses working within or alongside that infrastructure, the standard being set by RIIO-3 is the direction of travel for the whole sector.

Three areas are emerging as focal points for leaders preparing for this period: fatigue management across complex workforces, safety culture and public safety – particularly as network assets increasingly intersect with communities, agriculture, and public spaces.

If those three priorities feel familiar, they should. Ultimately, they’re the longstanding hard problems of running infrastructure at scale, now with a formal regulatory accountability attached.


The safety data problem that RIIO-3 exposes

Here’s what most senior EHS leaders already know… even if the regulatory framework has not always forced the issue: compliance reporting and genuine safety performance are not the same thing.

Organisations across utilities, oil and gas, and water have invested in EHS systems that can capture incidents, produce audit trails, and satisfy regulatory obligations. Yet the sticking point is what happens when those systems don’t talk to each other.

You can demonstrate compliance. But can you spot patterns?

The most serious risks are rarely single events. They are patterns hiding in disconnected data.

You have robust reporting. You might have thousands of hazard observations, audits, and near-miss records flowing into your systems every year. The data exists. But can you see the signals?

Telematics showing shift-pattern anomalies. Near-misses logged in isolation. Audit observations about overtime at a specific depot. Each one unremarkable alone. Together, they told a story that could have prompted an intervention weeks earlier.

The gap between data held and data used is what RIIO-3 accelerates the pressure on. Because ‘we think we’re performing well’ is no longer a sufficient answer when a regulator asks why your recordable injury frequency improved while your high-potential incident rate moved in the opposite direction. The audit trail has to hold up. The data has to connect.

Water companies face a parallel version of this through their own regulatory context – Ofwat’s PR24 and the Environmental Performance Assessment framework place similar accountability demands on operators.

For oil and gas operators, the dynamic is the same but the stakes are potentially even higher. Consider the gap between improving Total Recordable Rates and deteriorating Tier 1 process safety event performance: you can be reducing injuries while simultaneously accumulating the conditions for a catastrophic event.

If your data is fragmented, you might not see it coming.


Moving from reactive to proactive. What it actually takes

The ambition is clear: understand what your data is telling you about where risk is building, before something goes wrong.

So, how are you actually using the data you already have?

EHS teams are producing reports. Leaders are reading summaries. But the underlying patterns are likely not surfacing in the way that financial or operational risk data does for other parts of the business. Finance teams can see their risk picture in near real time. Operational continuity teams have the same. EHS, in too many organisations, is still a step behind.

Closing that gap requires two things:

  1. Discipline to consolidate data that is currently fragmented.
  2. Appetite to treat compliance as the starting point rather than the destination.

The shift from compliance to genuine visibility of risk is where the compounding value starts. And visibility, built on connected data over time, is what creates the conditions for something more significant: the ability to see where risk is accumulating before it materialises.

Think about how airlines manage safety. The bowtie methodology maps the controls that prevent a hazard from escalating and the mitigations that limit consequences if it does. It works precisely because it connects data from multiple sources into a coherent risk picture. Fatigue, shift patterns, training currency, incident history, near-misses, operational anomalies: each one is a data point, with the risk emerging from the relationship between them.

Energy and utilities have access to the same data.


Building the foundation that RIIO-3 and Ofgem expect

The organisations making progress on this are not necessarily the ones with the most sophisticated technology. They’re the ones that have been consistent about building connected, reliable data foundations and that understand compliance is the floor, not the goal.

ENGIE found this when they moved from a fragmented, SharePoint-and-spreadsheet approach to a centralised, connected compliance and environmental reporting system with EcoOnline. The shift gave them consistent, reliable data across a complex, distributed operation for the first time – the kind of visibility that allows leaders to know with confidence what’s actually happening across the business rather than what the latest extract suggests. That visibility directly supported their first successful achievement of the Carbon Trust’s carbon and waste standards. Read the ENGIE case study.

E-CO Energi faced the same problem with chemical safety data. Hundreds of substances across multiple plant locations, tracked in ring binders, with safety data sheets manually chased and exposure assessments run from incomplete records. The operational risk was real due to the accumulation of small exposures and compliance gaps that only become visible when you can see the whole picture at once. With a connected platform, that picture became available: which chemicals were in active use, which documentation needed refreshing, where exposure risk was concentrating. The move from paper-based compliance to live, integrated data changed what the team could see and act on. Read the E-CO Energi case study.

Both are energy organisations that started where most start – with compliance as the primary objective. What changed was the recognition that the data they were collecting had more to offer than a report. They found the patterns.

That shift from compliance, to visibility, to building the conditions for predictive risk management is the journey EcoOnline supports.
