Risk-Based Regulatory Regimes

Julia Black explains how regulatory regimes focused on risk can lead to greater coherence.

In a recent discussion with The Regulatory Review, Julia Black, strategic director of innovation and professor of law at the London School of Economics and Political Science (LSE), offers insight into various kinds of regulatory regimes, including risk-based regimes. She also discusses the impact of third-party stakeholders on regulatory systems and the regulatory measures that aided jurisdictions during the COVID-19 pandemic.

In addition to teaching at LSE, Black serves as an external member of the Bank of England’s Prudential Regulation Committee and its Financial Markets Infrastructure Committee. She serves as a member of the U.K. Prime Minister’s Council for Science and Technology, and as a director of Zinc, a social sciences-based incubator. Black also serves as president of the British Academy, the U.K.’s national academy for the social sciences.

From 2016 to 2017, she served as the Interim Director of LSE. She has also held a British Academy/Leverhulme Trust Senior Research Fellowship, served as a visiting fellow at the University of Sydney and at All Souls College, and served as the Sir Frank Holmes Visiting Professor in Public Policy at the Victoria University of Wellington. In September, she will leave LSE to become head of Nuffield College, Oxford.

Black’s research focuses on regulatory issues and regulatory systems and their dynamics and legitimacy. The Regulatory Review is pleased to share the following interview with Professor Julia Black.

The Regulatory Review: When you compare the regulatory landscape in the United Kingdom—where you teach—with that of the rest of the world, what aspects of the U.K. regulatory regime strike you as being among the most distinctive?

It’s hard to compare to the whole of the rest of the world! That said, there are standard characterizations, or perhaps caricatures, of regulation and regulators in different countries. The U.S. is seen as being highly litigious, for example, with a generally antagonistic relationship between firms and regulators. The European Union system of regulation, particularly since the financial crisis, is characterized by having quite detailed requirements in primary legislation as it seeks to forge a common regulatory framework across all 27 member countries, with maximum levels of harmonization and discomfort with high degrees of regulatory discretion. The U.K. is probably seen as being the most comfortable with a rule system in which legislation sets out the objectives and high-level rules but gives independent regulators powers to draft more detailed rules and guidance and to use approaches which are more principles-based or outcomes-focused. In terms of how regulators operate, there are possibly broad similarities in the regulatory cultures of the U.K., Australia, Canada, and New Zealand, for example—certainly each is comfortable with using risk-based systems in varying contexts—but I wouldn’t want to push the comparisons too far!

TRR: You have written about the regulation of risk. What does a risk-based approach to regulation entail?

Risk-based regulation means targeting regulation and regulatory effort on things which pose the greatest risks to society or to regulatory objectives. So risk-based regulation operates at two levels—in the design of regulatory systems and in their operationalization.

Designing regulation based on risk informs where to draw the regulatory perimeter—what falls within and what falls outside—and how to calibrate regulatory requirements so that more onerous requirements are placed on those activities which are thought to pose the greatest risk to society, including the deployment of technologies. Risk-based regulation at the operational level means targeting regulatory resources on those organizations or activities which pose the greatest risk to the regulator’s objectives, which are usually legally defined.

TRR: What are the alternatives to risk-based regulation?

The alternatives in terms of regulatory design are to apply a broad-brush approach, making many activities subject to regulation. Or it could be to apply the same requirement regardless of context—the usual example is of speed limits which do not vary with the road conditions. There are advantages in such approaches—they are clear and cost little to write or to enforce. But they are inevitably under- or over-inclusive—they include things that do not really pose a risk and can exclude things that do.

In more complex environments, greater differentiation is often required. In terms of day-to-day implementation, for example, in inspection or supervision, the alternative to a risk-based approach is again uniformity—to apply the same level of regulatory resource to every organization or activity. For example, to inspect every premises annually as opposed to inspecting some every six months, some every year, and others every two years.

TRR: What are the pros and cons of a risk-based approach? What should regulators consider when implementing a risk-based regulatory approach?

Those who oppose risk-based approaches, particularly in the implementation of regulation, argue that they are not strict enough, as they treat some firms more lightly than others, or that they involve too much regulatory discretion. But the reality is that regulators are usually resource constrained and so inevitably they have to prioritize. Sometimes those priorities are based on a sound rationale, other times not. I recall one legal services regulator telling me that, when they started looking closely at patterns of inspection, they discovered that staff spent most of their time during the summer months inspecting firms by the seaside. So, adopting a risk-based approach accepts the reality of prioritization but can make those decisions more coherent, more aligned with regulatory objectives, and more explicit.

But putting risk-based regulation into practice is challenging. Each division within a regulator is likely to argue that what they are responsible for is high risk, as that attracts more resources. Fear of something going wrong on their watch can also make regulators very risk averse, again driving up risk classifications and associated resources. Furthermore, while no one would argue with the need to target high risks, the challenge is what level of resource to spend on low risks, which fall within the regulators’ responsibilities and cumulatively could have a reasonably high impact over time.

TRR: You also discuss the risks that third parties may bring to regulatory systems. What are some of these potential risks? How should regulators manage these risks?

We often focus just on the relationship between the regulator and the regulated, but in practice, third parties play an important role, for example, as certifiers, insurers, auditors, or other forms of gatekeepers, or in providing further guidance on compliance. In those cases, third parties can reinforce aspects of the regulatory system and indeed be enrolled by regulators to enhance their own capacity, particularly through roles they might have in inspection and assurance.

But third parties can be a source of risk. Reliance on third-party suppliers can impact operational resilience—for example, the external provision of an IT system. It may be that the risks are idiosyncratic to a firm, but where many firms, and indeed much of the industry, are reliant on just a few providers, then this concentration could be a source of systemic risk.

A very good example is the concentration of cloud service providers. This has prompted the EU and the U.K. to introduce legislation to enable financial services regulators to regulate such “critical third parties” directly, rather than simply indirectly relying on firms to manage the relationship through contracts. Given the way the market for the development and supply of foundation or general purpose artificial intelligence models is developing, it may well be that they too could become a source of systemic risk in time.

TRR: Were any financial regulatory measures especially helpful while financial systems across the world were experiencing uncertainty during the COVID-19 pandemic?

One of the key issues which arose in the insurance sector was whether or not the contractual terms of insurance policies covered business interruptions which were caused by the pandemic. In the U.K., the Financial Conduct Authority (FCA) took a test case to the Supreme Court in 2020 in order to get legal clarity on a representative sample of policy wordings. The FCA argued for interpretations which would favor policy holders, and in January 2021, the U.K.’s Supreme Court upheld the majority of those interpretations. The case provided much needed legal certainty in a short time frame, which enabled thousands of businesses to claim on their insurance policies. The cases did not cover all policy wordings and litigation is still ongoing, but it provided much needed certainty at a critical time.

TRR: In your discussion of constitutional governance systems, you argue that constitutions should be analyzed from a regulatory perspective. What does that kind of analysis entail? How can this “flipped perspective” benefit regulatory governance? How does it benefit constitutional governance?

In essence, my argument is that we should do two things. First, we should set the relationship between regulators and the wider set of constitutional actors—courts, legislators, and executive officials—in a broader context than one which focuses solely on accountability, and one which recognizes that regulatory discretion and tensions between independence and accountability are features, not bugs, of contemporary regulatory states. The second is that the ways regulatory scholars have developed to analyze regulatory systems, particularly those analyses which emphasize that they are complex, adaptive systems, can fruitfully be used to analyze constitutional systems, or at least the interaction between constitutional and regulatory systems, in new and productive ways.

TRR: If you could craft the ideal regulatory system in any country over any set of policy issues, what are some of the essential components you would include?

It would have a clear set of objectives and be principles-based and outcomes-focused. In terms of its design, it would comprise a tiered set of rules in which primary legislation would be used to set out objectives, define the perimeter, define criminal offenses—ideally a limited number—and set out core elements of the regime. In order to enable the regulatory system to adjust over time, however, independent regulators would have clearly defined powers to produce more detailed rules and guidance.

In terms of its operation, the system would be risk-based, making prioritization decisions which are clearly articulated. The system should be dynamic, and regulators should engage with and be responsive to the social, economic, political, and, indeed, technological context in which they are operating—while being transparent about the trade-offs this might involve. Regulators would have the powers and resources to do the jobs they have been given to do. They would be independent but accountable to a wide range of stakeholders, recognizing that there are multiple groups, or communities, on whom the regulator relies for its legitimacy. And politicians wouldn’t use regulators as scapegoats for their own policy failures. But now we really are in the land of dreams!

The Sunday Spotlight is a recurring feature of The Regulatory Review that periodically shares conversations with leaders and thinkers in the field of regulation and, in doing so, shines a light on important regulatory topics and ideas.