What is risk-based regulation?
Risk-based regulation has become somewhat of a buzzword over the past few years as regulatory agencies all over the world endeavor to adopt a risk-based approach. But what does it take for a regulator to truly be “risk-based”? Our latest Ascend article explores this question with insights from regulatory expert Malcolm Sparrow.

Risk-based regulation has become somewhat of a buzzword over the past few years. At its core, the idea of risk-based regulation is simple and logical: regulators should identify, analyze, and prioritize the risks in their regulated industries and focus their efforts on mitigating the most serious ones. As technological advances enable more data collection that can support decision-making, and the public continues to demand greater accountability from industry and regulators, regulatory agencies all over the world are endeavoring to adopt a risk-based approach.

But what does it take for a regulator to truly be “risk-based”? While there is no universal answer that will apply to every regulator, regulatory expert Malcolm Sparrow, a professor of the Practice of Public Management at Harvard University’s John F. Kennedy School of Government and faculty chair of the school’s “Strategic Management of Regulatory and Enforcement Agencies” executive program, provides valuable insights on this question.

Malcolm Sparrow on what it might mean to be a risk-based regulator

Sparrow has written and taught extensively on regulatory design, risk management, and harm reduction, and offers seven suggestions on how regulators can take a risk-based approach:

1. Focus on the “expert” rather than the “legal” model of regulation

In the “legal” (traditional) model of regulation, resources are focused on reducing harms that are against the rules. However, the “expert” model goes beyond focusing just on compliance to also target things that may not be against the rules but are still harmful. Examples include harms related to natural disasters, pandemics, and structural instabilities (such as those in the financial markets that caused the 2008 crisis).

The “expert” model uses all methods of changing behavior rather than just enforcement, which can include education, guidance, naming/shaming in the press, and mobilizing lawsuits. It requires broader data gathering and analytics techniques because reporting will encompass more complex measurements beyond just compliance rates. Sparrow also emphasizes that good communication is essential for the “expert” model, as regulators need to be clear about why they’re controlling the risks they target to avoid accusations of regulatory overreach.

2. Focus more on identifying and reducing “bads” (risks/harms) and less on defining and promoting “goods”

To prevent a particular harm from occurring, regulators and governments can target negative behaviors/activities that lead to that harm (i.e., focus on reducing the “bads”), or encourage actions that lead to the preferred outcome (i.e., focus on achieving “goods”). In his 2008 book, “The Character of Harms: Operational Challenges in Control,” Sparrow argues that the best way for decision-makers to tackle the complex problems facing society (such as crime, pollution, poverty, terrorism, etc.) is to explicitly focus on controlling or mitigating the “bads” rather than promoting the general good – an operational approach he calls “the sabotage of harms.”

3. Practice “Regulatory Craftsmanship”

Sparrow defines craftsmanship as being a master of all available tools. He emphasizes that regulators should utilize all of the tools available to them (beyond enforcement), organized around specific tasks, in their risk management efforts. He believes regulatory craftsmanship is the antidote to the swinging of the regulatory pendulum, where the regulatory approach to controlling risk swings back and forth between heavy-handed and “light-touch” regulation according to the public’s reaction.

Sparrow further notes that regulatory craftsmanship can fix the problem posed by ideological camps, where people within a regulatory organization prefer one type of tool (e.g., enforcement over voluntary compliance) and can’t agree on an approach. He cautions against having a tool-centric rather than a task-centric focus, saying that the regulatory response to any risk must be based on the nature of the specific problem. Regulators need to understand the chronology of the risk and identify the appropriate intervention points before deciding on the best tool (or combination of tools) to control it. Some problems require a big, broad, and early intervention, whereas others require a more targeted approach.

4. Master new organizational methods (be less program-centric, more problem-centric)

Sparrow identifies four different types of work for regulators: functional-based work, process-based work, problem-based work, and crisis response. When taking a program-centric approach to controlling a particular risk, regulators create programs/processes based on a general understanding of the problem. An example of program-centric work is decreasing worker injury rates through the use of experience-related premium-setting for employers in workers’ compensation insurance. According to Sparrow, the common property of program-centric work is that it is clearer on what the preferred solution is, but much more vague about the problem that’s being solved.

In contrast, problem-centric work takes a nuanced rather than one-size-fits-all approach. Regulators “parse the risk” to fully understand the causes and nature of the problem before developing and testing different interventions. Problem-centric work is much more complex because it doesn’t start with a preferred solution, and it often involves data-mining and identifying trends and patterns to get a full picture of the nuanced/indirect causes.

Sparrow says that a problem-centric approach isn’t inherently better than a program-centric approach, but that regulators need to find the right balance. The risks most likely to need a problem-centric approach are catastrophic risks, emerging risks that are novel and unfamiliar, invisible risks, risks involving conscious opponents or adversaries, boundary-spanning risks (those not adequately addressed through single-agency programs), and persistent risks (those that have not responded to traditional treatments).

5. Fit different regulatory structures to different classes of risk (structural versatility)

For any risk to be controlled, regulators need to locate responsibility for three primary tasks: risk identification, analysis and design, and implementation. Assignment of these responsibilities varies according to regulatory structure. Sparrow explores the assignment of risk-related tasks in four models of regulation (structures): prescriptive regulation, principle-based regulation, self-regulation, and industry self-regulation.

In the prescriptive regulation model, regulators identify the risk and create the rules for industry to follow (analysis and design), and industry is responsible for complying (implementation). However, in the principle-based model, regulators identify the risk but delegate analysis and design to the regulated industry. In the self-regulation model, responsibility for all three tasks is delegated to industry, but the regulator approves the risk management plan to make sure it’s fit for purpose and conducts periodic audits. And in the industry self-regulation model, risk identification and analysis and design are delegated to an industry association and industry is responsible for implementation.

Different regulatory structures can be used simultaneously, and Sparrow notes that most regulators will do this. But he stresses that the way regulators allocate structures shouldn’t be based on politics or the specific industry – they need to figure out what model is safe for each type of risk. The self-regulation model, which is favored by the EU Better Regulation movement, is best suited to risks that pass four tests: the regulated industry must have strong knowledge of the risk (they can see it); they must have an interest in controlling the risk (their business interests are aligned with the public good); they are willing and happy to disclose the risk; and they have the capacity to control the risk.

For risks that industry can’t see, the principle-based model is appropriate. If they have no interest in controlling the risk or are unable to, the prescriptive model is best. For risks that industry is unlikely to disclose (for example, those related to corruption or fraud), Sparrow says that regulators should conduct additional detection and verification.

6. Use risk-mitigation as the foundation for partnerships

According to Sparrow, the relationship between regulators and the regulated industry can be either adversarial or have a customer service orientation. An adversarial relationship, which is more common in the legal model of regulation, is described as aggressive or untrusting. It primarily focuses on enforcement tools, and metrics are focused on enforcement outputs.

In contrast, a customer-service relationship is trusting and assumes that the regulated industry has positive motivations. This relationship style emphasizes approval of the regulator’s conduct by the regulated industry and de-emphasizes enforcement or presents it as a tool of last resort. Taking a customer-service approach is favorable for forming partnerships with good players based on mutual respect and advantage, but it can raise the prospect of regulatory capture.

Regardless of the approach taken, Sparrow emphasizes that regulators should maintain a clear focus on risk control/harm mitigation as the goal in their relationship with industry and use the full range of tools available to them in the spirit of regulatory craftsmanship.

7. Understand types of risk that pose special challenges

In Part 2 of “The Character of Harms,” Sparrow delves into several special categories of harms that, although less common, regulators need to be aware of. Invisible harms are not manifest, or only partially manifest, in routine processes. They have low rates of reporting and detection, and the scope of the harm is often uncertain because the bulk of the problem is invisible. Catastrophic harms have a very low probability of occurring but have a highly destructive impact when they do.

Conscious opponents, who seek to undermine systems with intent, can also cause harm by circumventing existing controls, resulting in a back-and-forth game where the regulator responds with new regulations and the adversary adapts. Harms of equilibrium resist incremental treatment because forces at work tend to resist change and preserve the status quo. Progress requires an initial “big shove” followed by navigation towards the new (preferred) equilibrium. Finally, performance-enhancing risks involve resistance to control efforts where the motivation for risk-taking derives from an organization’s performance goals, rather than from the personal agendas of individuals or groups.

Risk-based regulation is complex work for regulators

Risk-based regulation aligns with the standards of good regulation – that regulation should be proportionate, consistent, targeted, transparent, accountable, and agile – as well as the core elements of right-touch regulation, which stress that regulators need to properly understand the problem at hand before developing a solution and properly quantify and qualify the risks involved. However, like the right-touch regulation framework, Sparrow’s insights on what it might mean to be a risk-based regulator aren’t meant to be a prescriptive method for regulators to follow in order to “achieve” risk-based regulation. In practice, the way that regulators approach risk management will be highly individual based on the specific risks they face. As Sparrow and other experts emphasize, while the core idea of risk-based regulation is simple, the work of identifying, prioritizing, and addressing risks can be extremely complex and require difficult decision-making for regulators.

Written by Ascend Editorial Team
Ariel Visconti researches and writes on government and politics, regulation, occupational licensing, and emerging technologies.