What Does Risk-Based Regulation Mean?

Risk-based regulation requires regulators to choose which decision-making principles to apply.

It is almost universally recommended today that regulators and regulation become “risk-based.” The widespread enthusiasm for risk-based regulation may be partly a function of the ambiguity of the “risk-based” concept: it can mean different things to different people. At one level, any regulator with a mission to address risks of economic activity—accident risks, environmental risks, financial risks, and so forth—will be inherently “risk-based.” But risk-based surely must mean something more. An excellent regulator will need to define its approach to risk clearly and consistently.

Interest in risk-based regulation often grows from a larger commitment to incorporating rigorous analysis into regulatory decisions. Regulators around the world now use regulatory impact assessment or benefit-cost analysis to structure decision-making and anticipate the consequences of different regulatory options. For regulators that manage risks, decision-making depends as well on a range of sophisticated techniques to analyze the probabilities and harmful effects associated with risky regulated activities. With the benefit of careful risk assessments, regulators can understand more precisely (i.e., with less uncertainty) what the true risks of different activities might be, thereby enabling them to make better decisions about how to prioritize the allocation of regulatory resources and ultimately how to manage the risks. The more that a regulator conducts and relies upon risk analysis, and the more rigorous that analysis is, the more “risk-based” the regulator can be said to be. Excellent regulators—those that exhibit stellar competence—will rely extensively on careful, evidence-based decision-making and therefore will be, in this sense, highly risk-based.

Although an excellent regulator’s consistent reliance on high-quality risk analysis allows it to be considered risk-based, suggesting that a regulator’s decisions can be based on risks is not the same as saying that rigorous risk assessments determine the regulator’s risk management decisions. At most, risk assessments inform regulators’ decisions; they do not provide a full basis for them. Risk management decisions—whether about how stringent to make a new regulation, what kind of regulatory instrument to use, what facilities to target with inspections, or how many penalties to impose on non-compliers—are normative or policy decisions. Risk assessment provides scientific or empirical answers about probabilities, hazards, and their distribution; it does not supply the policy principle or normative reason needed to make regulatory or risk management decisions about these hazards.

Table 1: An Illustrative Risk-Informed Choice Set

Option | Probability | Hazard | Benefits | Costs | Net Benefits


To see how this is so, consider a highly simplified and hypothetical choice scenario reflected in the table above. Let us assume for sake of illustration that a regulator can choose only one of the four mutually exclusive risk management options labeled A through D. Let us further assume that the benefits and costs of each option affect the same people and that thorough analysis has yielded a high level of certainty in the numbers shown in the table. Although these numbers clearly can inform the regulator’s decision between these options, nothing about them can determine which option the regulator should choose. The regulator actually might choose any of the options depending on the decision-making principle it selects. For example, the regulator could:

  • Target the biggest hazard, in which case it would choose Option A.
  • Target the biggest risk, in which case it would choose Option C.
  • Avoid excessive costs (sometimes called a “feasibility” principle), in which case, if we stipulate that costs greater than $35 are excessive, it could choose either Options C or D.
  • Avoid unacceptable risk (sometimes called a “safety” principle), in which case, if risks lower than -$20 are stipulated to be unacceptable, Options B, C, or D would pass muster.
  • Act on a “Hippocratic” principle of avoiding making things worse, in which case it could choose between Options C and D.
  • Maximize net benefits, in which case it would choose Option D.

Whichever of these options the regulator selects will be risk-based in the sense that it is “based” in part on the results of rigorous risk analysis, the numbers shown in the table above. But nothing in the risk analysis that generated these numbers will dictate which decision-making principle the regulator should apply. That principle must be grounded in policy or normative considerations that fall outside the scope of risk assessment.

Although highly simplified, this illustration reveals much more than merely that “risk-informed regulation” is the more apt terminology than “risk-based regulation.” It also illustrates the need for an excellent regulator to be clear about which decision-making principle it chooses when making risk management decisions. Although perhaps regulators will not always have to choose just one option from among four, they nevertheless will almost always face many more risks than their limited resources can target, so they must choose among them on some basis. They will thus need a decision-making principle as much as they need the results of sound risk assessment.

A regulator could reasonably target the biggest hazards or the biggest risks, based on what is sometimes called a “worst-first” principle. But that is not the only principle that could be used to decide which option to select. A principle that maximizes efficiency would favor targeting a mix or portfolio of risks that maximizes net benefits. This portfolio could include smaller hazards if they have risk management costs that are correspondingly small, and it might well exclude some larger hazards if they have extremely low probabilities or are impossible or disproportionately costly to manage.

When the U.S. Federal Trade Commission undertook a review of its performance some years ago, its Chairman recommended precisely such a portfolio approach: “The agency should view all of its matters as part of a portfolio that should be balanced across low-, medium-, and high-risk activities.” From an efficiency standpoint, of course, the balancing of risks per se is not what matters; the key is to balance the benefit-to-cost returns of regulating them, so as to maximize overall net benefits across the full suite of the regulator’s actions. The precise balance that will be efficient for any given regulator will vary based on the actual costs and benefits due to the types of problems and economic circumstances the regulator confronts.

Risk-based regulation—like regulatory excellence more generally—is not a merely technical enterprise. It requires not only technical competence, but also principled decision-making, transparency, careful attention to empirical evidence and on-the-ground implementation. In a world where risks are omnipresent, complex, and potentially extremely costly, taking a risk-based approach to regulation is essential.


Cary Coglianese

Cary Coglianese is the Edward B. Shils Professor of Law and Political Science at University of Pennsylvania Law School, where he is also the director of the Penn Program on Regulation and faculty advisor to The Regulatory Review.