Risk governance and risk-based regulation(1): A review of the international academic literature

Previously, the use of insights from the behavioural sciences in regulatory practice had a central focus on this blog. This has resulted in a series of blog posts (episode 1, episode 2, episode 3, and episode 4) and a research paper discussing the core insights from the international academic literature on this topic published between 2008 and 2018.

From January until June 2019, the Chair in Regulatory Practice will focus on risk governance and risk-based regulation. Over the next weeks, a series of four to six blog posts will appear here. By June 2019, a second paper in the State of the Art in Regulatory Governance Research Papers series will be available on risk governance and risk-based regulation. The review builds on over 125 peer-reviewed academic articles and over 25 academic books published between 2008 and 2018.

A series of blog posts to understand ‘risk’ as an approach to regulatory governance and practice

In this blog post, I will introduce ‘risk’ as a specific approach to regulatory governance and practice. The blog posts that follow over the next weeks will address (1) the evolution of thinking about risk, risk governance and risk-based regulation, (2) examples of risk governance in a regulatory environment and risk-based regulation, (3) evidence of the performance of risk governance in a regulatory environment and risk-based regulation, and (4) ethical challenges and epistemic challenges.

Risk: much talked about, but poorly understood

In regulatory governance and regulatory practice, ‘risk’ is probably one of the topics most talked about and least understood. The notion of risk is like the notion of time or happiness: we all perfectly well know what it is, until we try to explain it to others (or ourselves, for that matter). Risk is intangible and becomes somewhat unreal when we try to discuss and unpack it.[1]

To give an example: does a huge boulder that may fall off a cliff always pose a risk, or does it only pose a risk if it could damage or destroy something that is of value to humans? Is it enough to know the objective probabilities of the boulder falling to estimate the risk, or are other forms of knowledge (say, the political and societal consequences of the boulder falling) also required to estimate the risk? Whose knowledge is going to be used in this estimation, that of a professional boulder expert, that of the humans directly affected by the boulder falling, that of others, or a combination of their knowledge?

Two broad ontological answers

The first question yields two broad answers. On the one hand, there are those who argue that the danger or of the rock falling with the uncertainty of harm is real, but that only in human or societal experience there is a risk. They can be considered as holding a constructivist ontology of risk. That is, they argue that risk is a social construct and only exists in human perception. On the other hand, there are people saying that risk is a state of the world and whether or not a specific risk is experienced by humans, risks are real. They can be considered as holding a realist ontology of risk (Rosa, Renn, & McCright, 2014).[2]

Two broad epistemological answers

The second question also yields two broad answers. Again, we see on the one hand those who argue that risks and their consequences can only be known subjectively and that our understanding of risk is a social process. This reflects a constructivist epistemology of risk. On the other hand, we see those who argue that the probability of a risk to materialize as well as its consequences can be objectively known. This reflects a realist epistemology. To them risks can be objectively mapped, and therefore ‘perfectly’ governed and regulated.

Two broad ‘practical’ answers

The third question, finally, again yields two broad answers. On the one hand, there are those who consider that only quantitative, technical knowledge, collected by experts and professionals, and economical benefit-cost analysis should be relied on when estimating risks. This reflects a reductionist approach to risk estimations. On the other hand, there are those who consider that besides such ‘hard’ data and knowledge, also other forms of data and knowledge should be included in risk estimations. Other forms of data and knowledge may include the perspective that lay-people or policymakers hold of the risk, or the non-economic impacts it may have would the risk materialize. This reflects a systemic approach to risk estimations.[3]

Risk: all but easy

In sum, relatively easy questions about the risk of a boulder falling, quickly yield a set of complex answers. These questions are at the core of every process of risk governance and risk-based regulation. They are, however, all too often skimmed over too quickly in regulatory governance and practice. Pressured by superiors or society at large, policymakers and regulatory practitioners want to get going and solve a risk. They are on the look for risk governance models and risk-based regulation tools that have proven effective in the past or elsewhere and apply those to the problem in the here and now.

The interest in using risk governance and risk-based regulation in regulatory governance and practice has grown in New Zealand since the 1990s, as it has elsewhere. Yet, the foundations of this approach to regulatory governance and practice, its application, and performance is not always well understood by those who are keen to implement it in regulatory policy and practice. That is why I pay specific attention to risk governance and risk-regulation in the blog posts to come.

Into the risky deep

As per the introduction to this blog post, before delving into the nitty-gritty bits of risk governance and risk-based regulation, it makes sense to briefly explore the limits of what is meant by ‘risk’ in the context of regulatory governance, and particularly regulatory practice in the blog posts that will follow.

From the above, it is clear that it is not easy to ‘simply’ say what risk governance and risk-based regulation is all about. In the blog posts, it is not so much risk as a problem or situation to be solved that has a central focus, but risk as an encapsulating a way of governing and regulating those problems and situations, and the processes, techniques and instruments applied in doing so. Within the blog posts, we will move back and forward between considering it in a narrow and broad sense.

Risk in a narrow and broad sense

In a narrow sense, the central premise behind risk governance and risk-based regulation is the ‘adoption of apparently rational, objective, and transparent ways of prioritizing work, and the deployment of limited regulatory resources’.[4] In a broad sense, the central premise behind risk governance and risk-based regulation is that it is a ‘paradigm of administrative constitutionalism [that] promotes a model of public administration that is designed to address the factual and normative complexities of … risk evaluation by granting to public administration substantial and ongoing problem-solving discretion in relation to particular issues. This power is needed so that the processes of … risk evaluation can adapt to the [technical, political, economic, societal and other] uncertainties and issues involved in relation to specific … risks’.[5]

In a narrow sense, risk governance and risk-based regulation is ‘an “aspiration to control” future events [and] regulation is one manifestation of a modern belief that risks can be anticipated and controlled’. [6] In a broad sense, risk governance and risk-based regulation is open to acknowledging that fully reducing risk to zero is impossible and ‘work to instil processes and practices – training programmes, regular simulations, audits, crisis management units – that help prepare public and private organisations to recognise and manage these potentially catastrophic events’.[7]

Nine risk definitions: the breadth and depth of the topic

Likewise, in regulatory governance and regulatory practice, ‘risk’ has been defined in a variety of ways. Again, in this series of blog posts, we will move back and forward between narrow and broad definitions and conceptualisations. Some are:

• Risk is the product of the probability of an event occurring and the consequences of that event.[8]
• Risk is a situation or event where something of human value (including humans themselves) is at stake and where the outcome is uncertain.[9]
• Risk is the probability of an adverse effect in an organism, system or population caused by exposure to an agent.[10]
• Risk is a situation when circumstances may turn out in a way that we do not wish for.[11]
• Risk is an uncertain, generally adverse consequence to something that humans value resulting from an event or an activity.[12]
• Risk is uncertainty about and severity of the consequences of an activity concerning something that humans value.[13]
• Risk is, objectively, the probability of exposure to harm or loss over time, and should at the same time be subjectively defined based on experience and context.[14]
• Risk = Hazard x Dose (Exposure).[15]
• Risk is the effect of uncertainty on objectives.[16]

With this in mind, let us now turn to the problem risk governance, and risk-based regulation seek to address: to what extent and how can risk be regulated and reduced? The next blog post seeks to address this question by exploring the evolution of our understanding of risk. Stay tuned.

---

[1] Beck, U. (1992). Risk Society. Towards a New Modernity. London: Sage Publications.

[2] Rosa, E., Renn, O., & McCright, A. (2014). The Risk Society Rivisited: Social Theory and Governance. Philadelphia: Temple University Press.

[3] Ansell, C., & Baur, P. (2018). Explaining Trends in Risk Governance: How Problem Definitions Underpin Risk Regimes. Risk, Hazards & Crisis in Public Policy, 9(4), 397-430.

[4] Hutter, B. (2017). A Risk Regulation Perspective on Regulatory Excellence. In C. Coglianese (Ed.), Achieving Regulatory Excellence (pp. 101-114). Washington, D.C.: Brookings Institution Press.

[5] Fisher, E. (2010). Risk Regulation and Administrative Constitutionalism. Portland: Hart Publishing.

[6] Hutter, B. (2017). A Risk Regulation Perspective on Regulatory Excellence. In C. Coglianese (Ed.), Achieving Regulatory Excellence (pp. 101-114). Washington, D.C.: Brookings Institution Press.

[7] Boin, A. (2010). Preparing for future crises: lessons from research. In B. M. Hutter (Ed.), Creating space for engagement? Lay membership in contemporary risk governance (pp. 231-248). Cambridge: Cambridge University Press.

[8] Kaplan, S., & Garrick, J. (1981). On the Quantitative Definition of Risk. Risk Analysis, 1(1), 11-27.

[9] Rosa, E. (1998). Metatheoretical foundations for post-normal risk. Journal of Risk Research, 1(1), 15-44.

[10] IPCS and OECD. (2003). Descriptions of selected key generic terms used in chemical hazard/risk assessment. Geneva: International Programme on Chemical Safety and Organization for Economic Cooperation and Development.

[11] Steele, J. (2004). Risk and Legal Theory. Oxford: Hart Publishing.

[12] IRGC. (2005). Risk governance: Towards an integrative approach. Geneva: International Risk Governance Council.

[13] Aven, T., & Renn, O. (2010). Risk Management and Governance: Concepts, Guidelines and Applications. Dordrecht: Springer

[14] Clark, L. F. (2013). Framing the uncertainty of risk: Models of governance for genetically modified foods. Science and Public Policy, 40(4), 479-491.

[15] Burgess, A. (2016). Introduction. In A. Burgess, A. Alemanno, & J. O. Zinn (Eds.), Routledge Handbook of Risk Studies (pp. 1-14). London: Routledge.

[16] ISO. (2018). ISO 31000 – Risk management. Geneva: International Organization for Standardization.