Risk governance and risk-based regulation(4): Frameworks for high-occurrence/low-impact risks, the precautionary principle, and benefit-cost analyses

In the previous blog post, I have addressed the holistic framework of the International Risk Governance Council (IRGC) as a blueprint for regulators interested in this approach to regulation, or as a check-list for those who already have risk governance in place. Here I discuss frameworks that focus on high-occurrence but low-impact risks; and, frameworks that build on the precautionary principle, benefit-cost-analyses, or both.

High-occurrence, low impact risks and low-occurrence, high impact risks

One of the issues the IRGC framework does not address, for example, is the difference between regulating and attending to high-occurrence low-impact risks (Ho/Li) such as car break-ins, tax fraud by households, and unhygienic practices in restaurants; and, regulating and attending to low-occurrence high-impact risks (Lo/Hi) such as the British BSE crisis in the late 1990s, the 9/11-terrorist attacks in New York City in 2001, and the crashes of two Boeing 737 Max airplanes within a year in the late 2010s. There is a tendency in regulatory policy and practice to focus risk attention particularly on the latter (Lo/Hi risks) at the expense of the attention given to the former (Ho/Li risks).

Of course, it is understandable that Lo/Hi risks tend to get more attention in risk governance than Ho/Li ones. If they materialise or enter the public debate as a possible reality, they result in much media attention, heightened levels of public fear, and calls on policymakers to act. It is also in this space where we are experiencing many of today’s systemic risks that ‘are at the crossroads between natural events (partially altered and amplified by human action, such as the emission of greenhouse gasses), economic, social and technological developments, and policy-driven actions, all at the domestic and international level’ [1].

When too little attention is given to Ho/Li risks, they may, over time, accumulate and then gain the ‘capacity to produce both significant harms and political contention’ [2]. Perhaps more interestingly, from a regulatory perspective, is that it in regulating an attending to Ho/Li risks lessons from other regulatory theories become highly useful. After all, it is in this area that we see many regulatees who are likely engaged in one-off encounters with regulators (such as ‘mums-and-pops’) rather than the small number of regulatees who professionally and repeatedly interact with regulators (‘repeat players’ such as corporations). For these specific risks (Ho/Li) and group of regulatees, the Good Regulatory Intervention Design (GRID) framework developed by Professors Julia Black and Robert Baldwin (both London School of Economics, UK) provides guidelines [2, 3].

GRID framework

The GRID framework builds on insights from regulatory studies that people and organisations have different motivations and capacities to comply and introduces three innovations to risk governance. First, it moves away from considering subjects to risk governance and risk-based regulation as a homogenous group. The GRID framework distinguishes them in four types: (1) regulatees who are well motivated to comply and have the capacity to do so, (2) regulatees who are well-motivated but lack capacity, (3) regulatees who are less motivated but have the capacity to comply, and (4) regulatees who are less motivated and lack capacity.

Second, the framework distinguishes between risks resulting from an activity or event that a regulatee engages in (‘inherent risk’) and risks resulting from the management of that activity or event by a regulatee (‘net risk’). Thus, a regulator may seek to regulate an activity or event directly or may seek to regulate the engagement of a regulatee with that activity or event. This challenges regulators to think of the various aspects of risky events and behaviours and think of the best interventions to address them. For example, safety belts in a car are means to regulate the risk related to driving a car, whereas alcohol checks around holidays are a means to regulate how well regulatees ‘manage’ the risk related to driving a car.

Third, the framework challenges regulators to carefully think about whether a risk is stable (within a set time-frame) or whether it is volatile. Volatile risks may accumulate over time if not attended to. This could be simply because regulatees engage in more risky events and activities, or because they manage existing risky events and activities less well. Combining these three insights allows for highly detailed risk matrices. For example, sophisticated risk matrices could indicate that a specific volatile net Ho/Li risk is low for well motivates regulatees with a high capacity to comply, but that the same risk is high for those regulatees that are less motivated and lack capacity to comply.

The precautionary principle

Another aspect that the IRGC framework does not explicitly touch on is the precautionary principle. The precautionary principle can best be understood as an ethical principle ‘saying that if the consequences of an activity [or event] could be serious and are subject to scientific uncertainties, then precautionary measures should be taken or the activity should not be carried out at all’ [4]. Discussions on the precautionary principle quickly turn toxic. Critics argue that it gives policymakers and regulators a motive for far-reaching, intrusive regulatory interventions, in which the costs of regulation outweigh its benefits [5]. Advocates argue that it is the most sensible approach to regulating possible harm when lacking sound knowledge of the possible occurrence or impact of risk [6].

Debates over the precautionary principle often boil down to risk appetite. When facing a situation of uncertainty and risk, one can either err on the side of Type I errors (false positives) or err on the side of Type II errors (false negatives). The former implies that a non-existent harm triggers regulation to, for example, block safe products to enter the market; the latter implies that existing harm will not trigger regulation to, for example, block unsafe products to enter the market.[1]

Globally, governments appear unstructured in when and why they err on the side of which error. For example, it is often argued that, across the board, Europe is more precautionary (i.e., erring on the side of safety at the cost of opportunity) than the US. No evidence is found, however, to support this argument in direct comparisons of regulation in various policy areas in Europe and the US. Even within single countries such as the UK and the US, scholars find it difficult to trace patterns of systematic application of the precautionary principle.

Rather than marrying the precautionary principle to a specific type of public administration or political philosophy one adheres to or opposes [7], it is more fruitful to think of it as a ‘continuous variable to measure the degree of relative precaution’ of a policy or regulatory intervention [8]. Such thinking allows for implementing a transparent, systematic, and defensible framework for applying or not applying the precautionary principle. A brief reflection on the application of the precautionary principle in Europe and the significant-risk doctrine in the US provide for illustrations.

Application of the precautionary principle in Europe

The development of the precautionary principle can be traced back to the 1970s but has become influential in European regulatory systems (at EU and member state level) since the early 2000s. Over time, the role of the precautionary principle has changed. It is ‘now more accurately understood as an element of risk management; a measure invoked temporarily, pending further scientific information. This is crucial, for it anticipates in the regulatory process not a lowering of the evidentiary bar, but its elevation: an absence of a scientific consensus (uncertainty) offers not an opportunity to invoke precaution … but forms the basis from which to resist regulatory intervention’ [6].

The application of the precautionary principle in Europe can best be understood as a sliding scale of four levels: (1) ‘non-preclusion measures’, which specify action that can be taken to control risk-generating activities; (2) ‘safety measures’ to establish certain cautious limits to actions or events; (3) prescribed criteria for activities or products such as the Best Available Technology Not Entailing Excessive Cost (BATNEC); and (4) ‘prohibitory measures’, which asks to not undertake presumably risky activities unless there is no appreciable risk[6, 9]. Because of this broad variety of how the principle can be applied, it ‘has not been as aggressive as its advocates urge and its critics fear’ [8].

Scholars sometimes distinguish between ‘weak’ and ‘strong’ versions of the precautionary principle. The weak version places the burden of proof on those advocating precautionary action; the strong version places it on those who argue that the proposed activity or event does not cause significant harm [4]. Others consider how early the decision is made in the knowledge collection process, as well as how stringently it restricts a risk as a measure for how strong the precautionary principle is applied: ‘Earliness is a measure of precaution because it measures the willingness to act in the face of greater uncertainty about future outcomes and understanding. Stringency is a measure of precaution because it measures the degree of aggressiveness, weight, or sacrifice that society is willing to bear to prevent the risk’ [8].

Application of the significant-risk doctrine in the US

The development of risk governance in the US is sometimes described as a long-term learning process, that started in the 1960s. An early approach to risk governance, the ‘least-feasible risk approach’, comparable to the precautionary principle, was considered too strict by US courts and regulators in the 1980s and 1990s. In response, a ‘significant-risk doctrine’ emerged in which some sort of quantification of costs and benefits is required [5]. There is considerable discretionary space for regulatory agencies in developing risk governance and risk-based regulation, but they must follow a ‘statutory trigger’ or ‘statutory standard’.

Statutory triggers establish ‘the evidentiary burden that an agency has to meet in order to regulate [an anticipated risk]’ [10]. Four levels are specified for the threshold of the minimum evidence required: (1) ‘no threshold’ that requires the agency to demonstrate there is a risk without setting a particular threshold when to consider an activity or event a risk; (2) ‘risk-based threshold’ that requires the agency to demonstrate that the risk exceeds some threshold; (3) ‘significant risk threshold’ that requires the agency to prove that the risk is unacceptable; and (4) ‘unreasonable risk threshold’ that requires the agency to prove that the risk is unacceptable when comparing costs and benefits.

Statutory standards establish ‘the level or stringency of regulation [and] what factors an agency is to take into account in setting the level of regulation’ [10]. Five types of standards exist: (1) ‘risk- or ambient quality-based standard’, for these, the cost of achieving the standards is considered irrelevant for its establishment; (2) ‘phaseout’, which is a phaseout ban that takes into account the cost of the phaseout; (3) ‘constraint balancing standard’, which is based on a benefit-cost analysis, but agencies are allowed to regulate beyond the point where benefits and costs are equivalent; (4) ‘open-ended balancing’, which stipulates benefit-cost evaluation and evaluation of economic other values in which the agency can choose how to put weight on each value in its final decision; and (5) ‘benefit-cost standard’, which requires an agency to directly compare the economic benefits and costs of the regulatory intervention.


1.            Renn, O., Risk Governance: Coping with Uncertainty in a Complex World. 2008, London: Earthscan.

2.            Black, J. and R. Baldwin, When risk-based regulation aims low: Approaches and challenges. Regulation & Governance, 2012. 6(1): p. 2-22.

3.            Black, J. and R. Baldwin, When risk-based regulation aims low: A strategic framework. Regulation & Governance, 2012. 6(1): p. 131-148.

4.            Aven, T., Misconceptions of Risk. 2010, Chichester: Wiley & Sons.

5.            Majone, G., The evolution of the regulatory state: From the law and politics of antitrust to the politics of precaution, in Routledge Handbook of Risk Studies, A. Burgess, A. Alemanno, and J.O. Zinn, Editors. 2016, Routledge: London. p. 2016-228.

6.            Taylor, G., Understanding risk and regulatory reform. Policy Studies, 2018. 39(5): p. 465-478.

7.            Fisher, E., Risk Regulation and Administrative Constitutionalism. 2010, Portland: Hart Publishing.

8.            Wiener, J.B., et al., eds. The Reality of Precaution: Comparing Risk Regulation in the United States and Europe. 2011, RFF Press: London.

9.            Tosun, J., Risk Regulation in Europe: Assessing the Application of the Precautionary Principle. 2013, New York: Springer.

10.          Shapiro, S.A. and R.L. Glicksman, Risk Regulation at Risk: Restoring a Pragmatic Approach. 2003, Stanford: Stanford University Press.

[1] The framing of Type I and Type II errors as errors of commission or omission, or as errors of risk-appetite or risk-avoidance strongly affects the perception that people have of the type of action that needs to be taken. This relates directly to insights from the behavioural sciences that people, generally speaking, struggle with processing complex data and probabilities. See the first State of the Art in Regulatory Governance Research Paper on behavioural insights for a more extensive discussion: van der Heijden, Jeroen (2019). Behavioural Insights and Regulatory Practice: A Review of the International Academic Literature. State of the Art in Regulatory Governance Research Paper – 2019.01. Wellington: Victoria University of Wellington/Government Regulatory Practice Initiative.

2 thoughts on “Risk governance and risk-based regulation(4): Frameworks for high-occurrence/low-impact risks, the precautionary principle, and benefit-cost analyses

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s