6. Risk-based regulation

Risk (and specifically public risk), in addition to its growing use in industry and business, as well as in safety management overall, has over the last couple of decades become increasingly used in a regulatory context (Burgess, 2009[1]). Indeed, in the perspective of trying to improve regulations’ ability to achieve their intended outcomes, and of minimising the burden and unintended side-effects they create, risk is a key tool. It allows to better formulate what it is that a given regulation is trying to address (reducing or managing a risk), to better design the contents and mechanisms of the regulation (based on the causes and characteristics of the risks being addressed), to target enforcement and implementation efforts more efficiently (on the areas, sectors, businesses etc. that pose the highest risk). Thus, risk helps to improve the effectiveness and efficiency regulation at every step of the regulatory policy cycle, including ex post assessment (have the risks been effectively managed?) – and also improves accountability, as it allows to formulate in a clear and often measurable way what the regulation or regulator is supposed to achieve (and what are its limits).

In recent years, overall, much progress has been done in extending risk-based regulation to new countries, sectors, regulatory areas etc. – and in applying innovative practices and tools to improve the understanding and assessment of risk (e.g. data integration and Machine Learning), and use it more consistently from the strategic level to the “regulatory frontline”. This chapter seeks to reflect such progress, and particularly practices that involve novel applications of digital technologies, and incorporation of behavioural insights.

Over time, “risk and regulation” and “risk-based regulation” have become complementary aspects of an increasingly well-established topic, studied by several important academic and practitioners’ networks,1 referenced in numerous pieces of legislation,2 covered by major international publications3 with gradual development over close to 40 years (National Research Council, 1983[2]); (IRGC, 2017[3]) – including previous work by the OECD (OECD, 2010[4]). Still, in spite of risk, risk-focus, risk-proportionality, and risk-management all being referenced in studies and guidance that apply or relate to specific areas of regulation4 (Khwaja, Awasthi and Loeprick, 2011[5]), there is no consolidated guidance on “risk and regulation” as such at the international level. Risk-proportionality is central to international agreements such as the World Trade Organization’s (WTO) Technical Barriers to Trade Agreement (TBT), Sanitary and Phyto-Sanitary Measures Agreement (SPS) and more recent Trade Facilitation Agreement, with relevant clauses5 requiring applied trade-restricting “measures” to be based on risk, and indicating fundamental elements of such an approach, but interpretation and implementation are far from undisputed (Goldstein and Carruth, 2004[6]); (Wagner, 2016[7]); (Russell Graham and Hodges Christopher, 2019[8]); (Russell Graham and Hodges Christopher, 2019[8]). While addressing this “interpretation gap” goes beyond the scope of this chapter, it is important to acknowledge it, as it helps explain some of the implementation difficulties.

Indeed, notwithstanding the considerable progress over time, the remain a significant implementation gap in risk-based regulation – even in some jurisdictions and regulatory areas where apparently binding legislation exists, and/or where official proclamations of being “risk-based” exist. If adequate understanding and assessment of risks, and consistent application of risk-focus and risk-proportionality, are to deliver their expected benefits in regulation, it is essential to more systematically assess the current situation, and spread best practices. The application of “risk assessment, risk management, and risk communication”, point 9 of the OECD 2012 Recommendation on Regulatory Policy and Governance,6 is thus being given increased attention in this edition of the Regulatory Policy Outlook – with results of a series of pilot questions administered along the iREG survey, and an overview of prominent initiatives in the area of risk-based regulation, as well as preliminary findings from research on the application of risk-based methods in regulatory delivery.

Data from the pilot questions collected with the iREG survey confirms this general finding of uneven and incomplete diffusion and uptake of risk-based approaches – but also of their slowly taking root in the regulatory landscape. Out of the 39 countries (with the EU being included as a country) surveyed and responding overall to the questionnaire, only 32 provided a response on the new “pilot” risk-based regulation questions, potentially indicating some perplexity and/or lack of awareness or interest about the topic. For some countries, the respondents left some questions unanswered or with a negative reply, even though the OECD team independently had information that some practice existed at the sectoral level, suggesting that knowledge about risk-based approaches is insufficiently shared across the government and even within ministries (since respondents queried other ministries, and some evidently did not reply or replied “no” in spite of risk-based approaches existing within their own ministry).

Moreover, the answers suggest that risk-based regulation is often a perspective that is “confined” to some aspects of regulation and regulatory policy, rather than forming a strong framework for the whole of regulatory functions. Indeed, while relatively few countries responded positively on the question of whether they had “a ‘whole-of-government’ strategy on “risk and regulation” (9 out of 39 surveyed) or a “sector-specific one” (16 positive answers for sector-specific strategy, and 17 in total having either a ‘whole-or-government’ or sector-specific strategy, or both), a significantly larger number indicated that risk assessment was “required when developing regulation” (either for all regulatory areas, or for some only – 28 countries in total having such a requirement for at least some regulations). However, only a subset of these (14 countries) required risk assessment to involve quantitative analysis, meaning that the level of rigour required in the assessment remains often relatively light. Overall, only 5 countries responded “yes”at all 3 key “risk” questions, i.e. whether a “whole-of-government” risk-based regulation exists, whether risk-assessment is required when developing regulations, and whether this assessment has to involve quantitative analysis (see Figure 6.1).

The term “risk” can be confusing, because of its different meanings (both in different contexts, and even within the same context), but also of the different ways in which it can be assessed. “Risk” is often used interchangeably with “hazard” or with “probability (of harm)”. Overall, however, the prevailing consensus when it comes to discussing “public risk” broadly considered, and specifically risk in a regulatory context, is that it is distinct both from “hazard” and from “probability/likelihood”. In this usage, “hazard” is used to refer to the existence of possible harm and its potential severity, but does not convey any information on how likely it is that harm will be materialised. On the other hand, “probability” and “likelihood” refer only to how likely it is that something (e.g. a regulatory violation) happens, without consideration to the severity or scope of this adverse event.

The definition of “risk” as the combination of the likelihood and potential magnitude and severity of harm, as used here, reflects also its use in previous OECD work on the issue, and in many relevant international, scholarly, and national documents and legislation (OECD, 2010[4]); (BRDO, 2012[9]); (Blanc, 2013[10]); (OECD, 2015[11]); (IRGC, 2017[3]). While, inside some countries and institutions, use occasionally diverge (officially or in practice only) from these definitions, consensus is now broad and established for the use of the following definitions in this chapter and elsewhere in this edition of the Regulatory Policy Outlook (Rothstein et al., 2017[12]):

  • Risk is defined as the combination of the likelihood and potential magnitude and severity of harm. This can also be expressed as the combination of the likelihood and degree of hazard. Thus, risk combines a) probability, b) scope of the harm (number of people affected etc.) and c) degree of harm (type of damage).

  • Hazard is used as the potential type, magnitude and severity of harm, but without taking into account the likelihood of harm actually happening.

  • Harm is any form of damage done to people (their life, health, property etc.), the environment (natural and human), or other public interests (e.g. tax fraud harms state revenue). Not all types of harm are of the same nature, and some harm is irreversible (e.g. death), whereas other (e.g. financial) can be corrected once identified.

  • Unpredictability and uncertainty are distinct from risk and from estimations of probability of harm. They are inherent limitations in the process of risk assessment and thus likewise limitations of risk-based regulation, that should be acknowledged as such. Approaches on how to handle unpredictability and uncertainty are not always explicitly stated or consistent, which is an issue discussed further in this chapter.

Regulations address a number of different potential harms (bodily, environmental, financial etc.), not all of which are of equal seriousness – in particular, reversibility or its absence creates a key difference. Likewise, regulation addresses many hazards – industrial pollution and explosions, food poisoning, building fires and collapses, marketing fraud, tax evasion etc. Again, not all of these are of the same severity, and the likelihood of each of these actually happening varies greatly. Thus, comparing the level of priority of regulating different, but also different economic sectors or establishments, based on the harm caused, is inherently difficult.

Risk can allow to consider allocation of resources at a strategic level (between different domains such as environmental protection, food safety, state revenue, technical safety etc.), even though this is rarely done – as well as to prioritise regulatory interventions in a given domain, between different economic sectors and establishments, which is a much more frequent practice. In this way, risk can function as a kind of common measurement unit, allowing easy conversion and comparison of the relative “value” of different regulatory interventions in terms of lives saved, environmental impact, economic impact etc. – but this is only possible if a common approach to risk assessment across regulatory domains and sectors exists.

Comparing the relative levels of risk, and deciding on the appropriate type and intensity of regulatory response, requires having gone through risk assessment – i.e. estimating the relative level of different risks in terms of combined probability and severity of harm. To allow full comparison across different regulatory domains, not only should there be a unified approach for risk assessment – but also a method to convert different types of harm. While this is theoretically possible (there exist many approaches in law and economics to estimate the economic value of life, health, the environment etc.), it is rarely done in practice with that level of precision. Most often, comparisons of risk levels are done within a given category of harm – e.g. potential losses of life, or potential financial losses. In any case, regardless of the level and scope to which risk is applied, it is an instrument of comparison, and thus prioritisation.

Finally, while risk prioritisation done solely by sector or type of activity can be a useful first step of improvement in situations where risk assessment is starting “from scratch” and with limited or no data to support the exercise, it is not optimal, and insufficient in the longer run. In advanced economies, and where data needed for risk analysis and prioritisation are available to regulatory delivery authorities, a more differentiated approach to risk assessment and targeting can be expected – e.g. so as to be applied to each business entity or object (facility, establishment) individually, based on inherent characteristics and track record.

Risk-assessment is thus a useful instrument to prioritise regulatory efforts. While the OECD 2012 Recommendation, and the entire set of regulatory good practices starting from the use of regulatory impact assessment, all emphasise the importance of cost-benefit analysis and selectivity in regulation, risk provides a key instrument to exercise these and also to assess which regulatory instrument to use, given the specific characteristics of each risk. While risk-based prioritisation looks specifically at focusing resources where the highest risk level is, risk-proportionality considers both the level and the characteristics of the risk to determine the most suitable content for regulations (level of standards, degree of prescriptiveness, etc.) and the choice of regulatory instruments (e.g. ex ante permitting, ex post controls, certification, registration, etc.). However, some may contend that regulation should not prioritise and rather (following the requests of a number of different stakeholders) try to regulate all potential hazards, regardless of e.g. likelihood or actual prevalence of harm.

Regulating every hazard may be possible on paper (though it leads to massive inflation of the volume of legislation), but allocating resources to control and implement these regulations can only be done within limits set by state budgets and levels of economic activity. Staff numbers and material resources (transport, testing etc.) needed for inspections conducted by state agencies are limited by budget resources, and competing against many other demands. Even when control over regulatory compliance is delegated to third parties (e.g. through requirements for mandatory third-party certification a.k.a. “conformity assessment”), these have a cost. While such controls are not anymore constrained by state budget size, they impose a direct cost to business operators (which, were possible, will seek to recover it from consumers). Thus, such use of third-party controls is also inherently limited – because of the costs it creates to consumers and businesses, and the negative effect it can have on competitiveness and growth.

An excessive number and range of rules means that it ends up being impossible in practice for most economic operators to know about all of them, and to comply with all. An excessively large scope of regulation thus can be setting itself for failure, and in turn harming the rule of law because it is widely accepted that full compliance is impossible (Baldwin, 1990[13]); (Hampton, 2005[14]); (Anderson, 2009[15]). An excessive number of rules and controls means that regulators may be “submerged” by an excessive amount of data – even with the help of modern data analytics tools and increased computing power, over-abundance of information makes effective decision making more difficult (Roetzel, 2018[16]).

Crucially, it has been found through repeated studies that levels of control that are perceived as “excessively high” actually end up decreasing compliance (Kirchler, 2006[17]), in addition to the perceived control burden creating disincentives to investment and growth. Instead of responding to increased controls by higher compliance, businesses and citizens can end up “resisting” when they face very high burden, that they perceive as unfair, thus reducing voluntary compliance. Such effect is predicted by “procedural justice” compliance models (Tyler, 2003[18]), which have also shown that people react negatively to processes where they feel disrespected, where they do not think decisions are being taken in a manner that is understandable and ethical. Excessively broad regulation tends to produce such effects because it is often practically impossible to comply fully with it, and it imposes restrictions in situations where actors do not see any meaningful risk or actual harm. As a result, excessively broad regulation can increase the overall level of risk in a jurisdiction because it reduces compliance (Blanc, 2018[19]).

At the outer limit, such an excessively risk-averse regulatory approach can have a negative impact on the aggregate risk level even if it manages to achieve compliance, if the negative economic impact is particularly high, while the direct positive safety impact is low. Indeed, as life expectancy is related to income and to overall GDP levels, the negative aggregate impact on life expectancy may exceed whatever gains are achieved through the regulation (Helsloot, 2012[20]). While this corresponds to extreme cases, they are documented and not fictional. More broadly, these findings indicate that risk-based regulation should not be seen as an approach that trades-off safety for economic growth. While, of course, trade-offs in regulation exist and should be properly acknowledged, for a given chosen level of protection and regulation, risk-based design and enforcement of regulation will, based on available research, achieve better outcomes both in terms of safety and in economic and social terms (Coglianese, 2012[21]).

While there are many pieces of legislation that mandate a risk-based approach, and a number of institutions that claim to be using one, the level to which risk-based regulation is effectively implemented is not easy to assess – be it in breadth (across jurisdictions and regulatory functions) or in depth (in terms of how consistent and rigorous the approach is). While some elements of good regulatory practices are, to an extent, directly observable relatively easily (e.g. the existence and level of uptake of a consultation mechanism), it typically requires more expert investigation to assess the degree to which risk is actually and rigorously taken into account in regulatory policy. Looking into the application of risk at the regulatory delivery stage is even more painstaking, for high-level statements of delivery institutions do not necessarily match practices “on the ground”, and the number and variety of institutions involved is considerable. Still, in this edition of the Regulatory Policy Outlook, we attempt a first, preliminary and tentative stock-taking of the current uptake of risk-based regulation, both at the regulatory design and delivery stages.

To this aim, the OECD Secretariat developed pilot questions on “risk and regulation” that were sent to participating countries along with the iREG survey that forms the core basis of this Outlook. While limited in details, and not reflecting an in-depth assessment, they provide a first glimpse of the degree to which different countries acknowledge the importance of risk in the regulatory process, and effectively follow-up at least for some areas of regulation. The survey questions also look into the application of risk assessment and management in the COVID-19 context. In this initial pilot, the survey looks primarily at the breadth of application of risk-based approaches, i.e. at whether they exist and are applied in a given country and, if so, across all of government or only in some sector(s). Looking at the depth of implementation would require additional research work, and the chapter will only provide some snapshots of specific cases.

In addition, to provide an initial view of the “delivery” stage, the Secretariat gathered data on regulatory inspections and enforcement staffing resources in as many OECD member countries as possible, focusing on selected regulatory functions that are particularly prominent in terms both of public perceptions and of actual share resources. These provide a first indication, not only of the importance of the issue including in terms of public expenditure, but of the degree to which regulatory delivery systems differ in the relative weight given to different risks (ratios of resources between different functions vary from country to country), and in the overall importance they give to regulatory enforcement (ratios of enforcement resources to population, businesses, etc.). Again, this is by no means an in-depth research of the variety of regulatory delivery practices in regard to risk, but reflects the broad situation at the strategic level (resource allocation).

As reported in the opening section of this chapter, responses to the iREG survey provide a first glimpse of the uptake of risk-based regulatory approaches, and overall show that less than half of the surveyed countries report having any form of risk and regulatory strategy, while around ¾ of them use risk assessment in some way during regulatory drafting, but only around 1/3 have a requirement to quantify risk in such a process. Such high-level survey data is limited to formal rules and processes, and does not allow to assess implementation of risk-based approaches.

Properly assessing whether risk-based approaches are reflected at different levels and steps of regulatory delivery requires an in-depth investigation of each institution or service, and of the applicable regime for approvals and licensing, inspections and enforcement, etc. While the OECD’s Toolkit for Regulatory Inspections and Enforcement (OECD, 2018[22]) provides a framework for conducting such work, it would require considerable resources to systematically conduct in each country included in this Outlook, even were we to research only selected regulatory areas. Instead, in this section we briefly report the preliminary results from an analysis of available data on regulatory inspections and enforcement resources. Indeed, such work has the first benefit to highlight the importance of the regulatory enforcement function in terms of public administration staff (and thus of budgetary resources). In addition, it allows to compare both between regulatory areas (how different risks are “weighted” against each other at the strategic level of resource allocation), and between countries (how much “intensity” of regulatory enforcement is deemed adequate to deal with a given set of risks).

In spite of data on employment in public administrations being generally public, many countries, institutions or services do not keep specific track of inspectors or staff with inspection powers and functions, or do not have consolidated information on all the institutions involved in a given regulatory field. This is made particularly complex because, in a number of countries, general and/or specialised police and law enforcement bodies also have inspection powers and mandates, though only a part of their staff is actively involved in such activities. Obtaining precise data on this point is sometimes impossible, and doing estimates is not always possible. The complexity of regulatory delivery systems where national/federal, state/regional, local/municipal services all can be simultaneously active in a given field makes the task even more challenging. So does the fact that a given regulatory area can be covered by several services, but also that one given service or institution can be, in some countries, active across more than one regulatory field – in which case estimates of resource allocation between these different mandates is not always available.

The preliminary results of this work (see Table 6.1) show several important points. First, the resources at stake are often considerable, representing quite a significant share of overall state employment and resources, and deserve more systematic attention than has often been the case. Second, the allocation of resources can differ sharply between different regulatory fields, without clarity on whether this reflects a proportional difference in the supervision workload or in the underlying risks. Third, there are sharp variations in “intensity” of supervision in terms of number of inspectors by inhabitant, worker, or enterprise, even between neighbouring and otherwise comparable data. This all shows the importance not only of continuing such research and covering more countries and regulatory fields, as well as obtaining more detailed data, but also for countries to conduct such exercises periodically and systematically to review whether the institutional framework and resources are still fit-for-purpose.

For these reasons, the study has so far been unable to present full data for all OECD members, and even when data is available in some areas, it is not always present for all. To make the research more realistic in scope, the focus has been on food safety, occupational safety and health (OSH), and environmental protection. If we set aside revenue agencies (which have been largely covered through research and OECD literature), these are typically the most important regulatory fields from a “delivery” perspective, be it in terms of number of controls conducted, enterprises regulated, staffing, financial resources – or public perceptions (Blanc, 2012[23]).

As seen below, the allocation of resources can differ sharply between different regulatory fields, without clarity on whether this reflects a proportional difference in the supervision workload or in the underlying risks (e.g. there are from 2.5 to over 20 times more food safety than environmental inspectors, depending on the country). In addition, there are sharp variations in “intensity” of supervision in terms of number of inspectors by inhabitant, worker, or enterprise, even between neighbouring and otherwise comparable countries (Austria has significantly more than Germany, Italy has way more than Germany and France, etc.). This all shows the importance not only of continuing such research and covering more countries and regulatory fields, as well as obtaining more detailed data, but also for countries to conduct such exercises periodically and systematically to review whether the institutional framework and resources are still fit-for-purpose.

This situation, combined with other research on specific countries, regulatory areas, etc., suggests that path dependency is important, and that there is a lack of regular, systematic reconsideration of the risks addressed by regulatory delivery structures and resources (Blanc, 2012[23]); (Blanc, 2018[19]). This has contributed to extremely complex, convoluted institutional landscapes (as directly observed when collecting the data, the difficulty of which came precisely from the vast number of institutions with overlapping or mixed functions, frequent unavailability of precise numbers on inspecting staff, etc.), and made resource allocation and expenditure very difficult to track and assess, and mostly unrelated to risk analysis or assessment. From this perspective, the path towards truly risk-based, risk-focused, and risk-proportional regulatory delivery is still a very long one. Nonetheless, important progress has been made, and major initiatives taken in recent years to improve the situation, which are detailed in the following section of this chapter.

There are many reasons why the uptake of risk-based regulation principles in policy making and regulatory delivery is far from universal, and implementation often incomplete. This is due to a variety of factors, including resource and capacity constraints (changing regulatory approaches requires expertise and skills), but also public perceptions, and legal systems (Rothstein, Borraz and Huber, 2012[24]); (Rothstein et al., 2017[12]). Public perceptions (both those of the “general public”, of the media, and of decision-makers in the political and economic spheres) can create considerable difficulties for risk-based approaches – both in terms of accepting the idea of “less-than-complete” protection from harms, of assessing and weighing risks, and of accepting proportionality in risk-response. This has been covered extensively in important publications, including on the risk of “knee-jerk” responses to major accidents or emerging hazards (Blanc, 2015[25]); (Balleisen et al., 2017[26]), the psychological determinants of the risk response (Tversky and Kahneman, 1974[27]); (Weyman, 2016[28]); (Burgess, 2019[29]), the variations in risk perception between experts and general population (Fischhoff, Slovic and Lichtenstein, 1982[30]); (Slovic, 1986[31]); (Flynn, Slovic and Mertz, 1993[32]), and the possibility to engage the public to try and make risk perceptions and response more “nuanced” (Helsloot and Groenendaal, 2017[33]).

While engaging with public perceptions and opinion requires a complex and longer-term approach, there are shorter-term issues that governments can try and address to “unlock” the potential benefits of risk-based regulation. In particular, there are useful examples of how governments can work to overcome doubts and resistance from regulatory institutions to risk-based approaches (Box 6.1). Indeed, many institutions may be reluctant to adopt these or even downright hostile, because of a variety of issues: cultural resistance in institutions with a strong “risk-averse” or “safety at any cost” culture, public pressure (or fear of public pressure) making regulators wary of being seen as at risk of “regulatory capture” or “softness”, path dependency and scepticism towards change (sometimes driven by past, disappointing experience), lack of tools and resources. Simply “legislating from above” to promote risk-based regulation, while important, does not usually succeed in achieving practical change if such engagement work with regulators is not done effectively.

Beyond working on perceptions and culture change through engagement with regulators, it is also often indispensable to establish legal foundations for risk-based regulation through enabling legislation. In some cases, existing legislation and constitutional principles may make risk-based approaches difficult or impossible to apply without specifically authorising clauses in law (Rothstein, Borraz and Huber, 2012[24]); (OECD, 2015[11]); (Rothstein et al., 2017[12]). In others, such “horizontal” legislation is used not so much to make risk-proportionality possible as to push it further, introducing directly applicable provisions or mandating regulators to introduce e.g. risk-based targeting or risk-proportional enforcement, etc. Box 6.2 presents some diverse examples of “enabling” legislation for risk-based regulation.

The uneven and less-than-fully-consistent spread and application of risk-based regulation does not mean, far from it, that there has not been significant progress in recent years, or that there are no worthwhile innovations to report on. In fact, there are many important initiatives that can provide very useful examples of how to apply risk-based approaches concretely and effectively, how to facilitate their use, and how to apply them in innovative ways. Moreover, there also has been a consolidation in knowledge, with increased sharing of experiences, an increased number of good-practice examples, and further development of international guidance (in particular (OECD, 2018[22])). Significant advances in computing power (and decrease in computing costs) have also made the application of risk-based analysis and planning far easier, compared e.g. to a decade ago.

In this section, we thus look successively at improvements in the use of data for risk-based regulation and specifically regulatory delivery, at the use of risk as a guiding principle to make regulation more outcomes-focused, and at the application of risk in the COVID-19 context (including the actual and potential application of digital technologies e.g. for remote surveillance and inspections).

The very foundation of risk-based regulation is the reliance on data, because risk should be assessed in an objective, data-driven way, as much as possible. In past years, availability of data has often been issue for more systematic and thorough risk analysis, in particular when it came to applying risk-based planning to regulatory inspections. Indeed, detailed data on entities and establishments under supervision was often not available, or not digitised, or not updated, etc. Different services held parts of the relevant data, and were not communicating. Findings from inspection records were frequently impossible to analyse systematically to update risk assessment methods because they were paper- or text-based, or insufficiently detailed, etc. Digital government developments, progress in computing power and methods, spread of technology and skills, evolution of systems in public administration etc. have led to a situation where these constraints are much reduced, and both “already known” good practices can be taken up more widely, and new, innovative practices can be implemented successfully.

Earlier reviews of international practice had already allowed to define objectives for information systems to enable risk-based inspections and enforcement (OECD, 2014[37]), and to establish desirable key elements for inspections information management systems, as well as essential implementation requirements etc. (Wille, 2013[38]); (OECD, 2015[11]); (Mangalam, 2020[39]). Ideally, such systems should provide updated data needed for risk assessment and planning on facilities, businesses and activities, and allow targeting and prioritising the selection of businesses subject to inspection in line with their risk level. They should enable recording of inspection results in a way that makes further analysis and follow-up easy and automatable. They should also either rely on a single data repository for multiple services, or enable and facilitate data exchanges between them, and offer support for reporting, performance monitoring, etc.

Recently, several jurisdictions have introduced or further developed information systems which address all or several of these requirements, in ways that correspond to the applicable context and constraints. A selection of such systems is presented in Box 6.3.

Another way, in which data management and use can be considerably improved by technology, and lead to improved regulation of risk, is the analysis of existing data. While revenue agencies had long started to systematically use data analysis techniques to identify risk indicators and their relative importance, this had until recently been difficult to replicate for non-revenue inspections (Khwaja, Awasthi and Loeprick, 2011[5]). Data was insufficiently digitalised, too complex, or on the contrary too narrow – or historical records were insufficiently long, as new systems had been introduced too recently. In some cases, data systems with historical inspection records existed earlier, but their scope was narrow. Specific staff competences and capacity were also often missing. The rising understanding of risk-based regulation and of the importance of accurate risk-assessment (as opposed to relying on “traditional” assessments of where priorities lay) have opened the way for a more systematic, data-driven approach. In spite of remaining challenges in terms of assessing the “severity” dimension of risk, recent Machine Learning applications are very promising in terms of significantly improving the understanding of which characteristics of businesses and establishments are the best predictors of risk, and thus considerably improve the effectiveness of risk-based targeting (see Box 6.4).

Beyond the definition of risk indicators and risk assessment algorithms, up-to-date and reasonably comprehensive data on supervised entities is essential to ensure that targeting of regulatory control measures (inspections and enforcement) is really based on risks, and that regulators can react in a timely and effective way when new risks appear or accidents occur. To this aim, it is essential that regulatory agencies have adequate data management tools, and that they share data with each other as much as possible. Data sharing between regulators and other entities (non-regulatory, such as e.g. health-care providers or private certifiers) is likewise important to improve the effectiveness and efficiency of the entire regulatory system. In a number of countries, such improvements in data-sharing are made difficult by privacy regulations, or by the way in which they are interpreted and enforced. Given the importance of the issue in terms both of efficiency and effectiveness, it appears crucial to promote further research and experience sharing on good practices that allow to effectively protect individual privacy, but allow essential information to be shared by regulatory services, particularly about economic entities (and not relating to private persons). Furthermore, much of the information, which is important to improve risk analysis and assessment and might have privacy implications (like, say, health care or accidents data) can be anonymised fully before any analysis, as what matters for studying risk in that case are not the individual cases but the patterns.

New technologies make such data sharing and effective analysis increasingly easy, and some initiatives can be used as particularly valuable examples (see Box 6.5). These can include the use of a centralised database and common system by a number of regulators and possibly by health-care providers too, or tools to exchange information in an automated way between different systems. Sharing information between different regulatory agencies allows them to ensure that data on supervised entities is as up-to-date and comprehensive as possible, and also to avoid duplication of control activities. Information sharing with the healthcare system allows regulatory agencies to better assess the emergence of new risks and evolution of known ones, and thus target their interventions better, both in terms of which establishments they visit, and which industries, products, etc. they focus on. For instance, systematic reporting from health care institutions on accidents due to failures in product safety, or food-borne contaminations, can greatly improve the ability of regulatory agencies to target their activities (and does not need to convey any personal, sensitive data – as what matters for risk assessment are patterns of cases, not individual specifics).

In addition, data sharing agreements e.g. with private certifiers active in areas of interest to regulators (for instance food safety) can likewise allow to have more comprehensive and updated information on sectors with vast numbers of operators (like food). Finally, the use of “non-traditional” data sources such as social media or reviews from e-commerce sites can help assess food safety or product safety risks. Using such sources requires automation to handle vast amounts of data (machine learning), but can be both effective and cost-efficient,7 and provides information that is broader and more timely than regulatory bodies themselves can obtain through traditional methods such as inspections.

Although increasing work is being carried out in institutions, processes and methods that aim to administer, control, and implement regulations so as to better realise risk-based approaches, differences in regulatory delivery styles between one country and another, but also between regulatory delivery agencies within the same country, are still considerable8 (Blanc, 2012[23]); (Hadjigeorgiou et al., 2013[43]); (OECD, 2015[11]). The way their goals are devised – some stressing control of legal compliance and punishment of non-compliance, whereas others focus on risk mitigation or improvement of public welfare – are among the most ubiquitous differences. The latter aim at meeting public outcomes rather than processes and/or formal conformity. Outcome-focused regulation is another aspect of risk-based regulation – because risk is the indicator through which outcomes can be defined and measured, and thus the criterion used to prioritise actions and take decisions, rather than focusing on rigid processes.

While the use of outcome-oriented approaches has gained a growing profile, work is still needed to change what still seems to be the prevailing perception that these approaches are an alternative to traditional command and control schemes, rather than something that should be used in delivering regulations. This is an overly restrictive perspective of what outcome-focused approaches, and regulatory delivery, are about. In fact, approaches, methods, and tools focused on achieving regulatory outcomes are at the core of efforts to make regulatory delivery more effective, and efficient.

In practice focusing on outcomes entails an actual paradigm shift from a traditional conception of regulatory enforcement based on finding and punishing violations towards a understanding of regulatory delivery where the primary and ultimate purpose is the protection of safety, health, the environment, and other key elements of the public good. Implementing this approach relies heavily in promoting meaningful compliance – i.e. compliance that actually helps achieve regulatory goals – including by regularly using behavioral insights. It also requires i.a. effective risk communication and information to regulated subjects, development of, and investment in, methods and tools focused on delivering expected outcome, and adequate measurement of the level of protection of the relevant public welfare good. Regulated subjects should not be expected to know everything about what to do and how, but are to be guided, advised and informed. Finally, focusing on outcomes is inherently connected to having the right performance indicators and metrics – not measuring outputs or sanctions, but tracking the outcomes in terms of improved performance, reduced risks etc. (Blanc, 2018[44]); (Blanc, 2021[45]).

Some regulatory delivery agencies see as one of their main functions to support regulated subjects as risk creators in managing the risks they generate. This involves working in partnership with all stakeholders able to produce sustained change. Inspectors in Britain’s Health and Safety Executive have long relied on an approach where law is the last resort and whereby they seek to engage with regulated businesses and push them towards safer practices through a variety of behavioural tools (i.e. personal relations, advice, comparisons with others, indication of potential risks and costs, hints at possible sanctions etc.) (Hawkins, 2003[46]). Results show better outcomes (in terms e.g. fatal and major accidents) than before the change of approach and/or in other sectors not using this new approach to the same extent.9

A decade ago, Britain’s Health and Safety Executive issued the Enforcement Management Model, a detailed guidance of how inspectors should take enforcement decision based on risk assessment, compliance record of economic operator, specificity of rules etc.10 A number of other inspection and enforcement services in various countries have developed and adopted principles or guidelines regarding their enforcement approach. Guidelines of this sort will be essential, going forward, to enable regulatory systems to cope with complexity and change, and situations “on the ground” that may be increasingly be difficult to fully forecast at rulemaking-stage. In a positive development, some countries are seeking to make such approaches and guidelines more consistently used across regulatory areas (see Box 6.6).11

Because the implementation of a more outcomes-, risk-focused approach entails important technical and professional dimensions, many prominent and successful initiatives are made in a specific sector or regulatory agency, rather than in a cross-cutting programme of reform. Some of the most interesting examples are presented below in Box 6.7, and typically include a variety of complementary tools and interventions to make the regulatory delivery work more effective and efficient.

Compliance with regulations, and subsequent reduction in risks, has been found to be strongly related to the level of understanding of applicable rules and their rationale, as well as to the perceived consistency, fairness, coherence and decision-making transparency of authorities (Tyler, 1990[49]); (Tyler, 2003[18]); (Yapp and Fairman, 2006[50]); (Gunningham, 2015[51]). In addition, day-to-day work in businesses is dictated primarily by the internal rules, procedures and culture, rather than by external regulations, and it is largely to the extent that these internal procedures and culture align with regulation, that the latter is really effectively followed in this day-to-day work (Hodges, 2015[52]); (Hodges, 2018[53]). For all these reasons, regulatory delivery systems that try and increase coherence and consistency of decision making, embedding of regulatory objectives within internal processes and culture of businesses, and understanding of rules by business operators, can deliver important improvements in compliance and significantly improved management of risks. An interesting example is provided by the UK’s “Primary Authority” scheme (see Box 6.8). In spite of constitutional and regulatory arrangements being very different, the approach has been considered with high interest by a variety of jurisdictions, for it combines a number of features relevant to most contexts: need to ensure greater consistency between different regions, to provide more predictability to businesses, to “embed” better regulatory objectives in business internal systems, etc.

There has been long-standing interest in the use of new technologies in regulation, and the “risk and regulation” perspective is particularly important here – both because these emerging technologies can help regulation become more risk-targeted and risk-proportional, but also because in the absence of a risk-based approach, there is a possibility of such technologies being misused in ways that result in regulatory overreach and intrusiveness. This can happen e.g. when remote surveillance tools are used too broadly or permanently, rather than strictly in conditions where the risk-level (high) and the risk characteristics (difficult to otherwise control or monitor) warrant it. There is also an additional link between technological regulatory solutions and the COVID-19 crisis, as the need to avoid risk of contagion has led to many regulatory and third-party inspections being suspended, with only the highest-risk controls still to be performed. This has put the onus both on the quality of risk-assessment, and on the potential for developing and using “remote audits”, i.e. using technology to “inspect” without a site-visit.

Remote, “virtual” inspections can potentially save time and resources for regulatory supervision, increasing its efficiency, and its ability to reach remote locations or operate even in difficult circumstances (e.g. during lockdown situations such as imposed by the COVID-19 pandemic). Such virtual inspections involve inspectors reviewing documentary evidence and discussing with operators, but also observing sites through video streams. They are being considered or piloted in a number of jurisdictions and regulatory domains, and raise great interest because they could enable to save transport and staff costs (and environmental impact and time lost from transport), and reduce contamination risks, be it specifically in an epidemic context, or even in normal times for “sensitive” facilities where every extra visitor creates an added risk (see Box 6.9 for some examples). Nonetheless, they also present a considerable number of challenges and pitfalls.

Though they offer interesting potential, virtual inspections are neither without problems, nor a panacea. Effectively assessing compliance and safety of a facility often involves being able to look around and spot “hidden” issues, observing how staff is working over a certain time-span, discussing with different employees, and a host of other observations that would be very difficult or impossible to replicate remotely. Moreover, even assuming situations where most of the risk elements can be readily observed remotely, an effective remote inspection still requires competent and trustworthy operators “on site”, who are able (and willing) to go, film and transmit the aspects relevant for the inspection. This means that authorities need to identify qualified and competent persons from the inspected business to move ahead, and that trust is essential, since virtual inspections may give room for violations that will not be detected if operators intend to misinform inspectors. Finally, authorities need to be quite precise on what data to ask for, which elements, activities etc. should be observed and streamed, etc. On balance, virtual inspections appear to be an interesting new tool, that can be applied in certain well-defined circumstances in terms of need (remoteness/costs, contagion risks etc.), for certain industries and types of risks, and preferably in situations where the authority has grounds to hold the operator for “generally trustable”, i.e. the inspection is more to check that previous positive findings are holding, rather than investigate an unknown or problematic situation. Overall, before such techniques of “remote inspections” can be used more widely, there needs to be further research on the conditions in which they can be applied, on what good practices exist to ensure they are properly risk-based (e.g. applied in lower- or medium-risk settings only, and also designed in ways that ensure potential risk areas “on site” are not missed) etc.

Technological improvements (e.g. remote sensors, drones, satellite imaging etc.) also provide possibilities to conduct surveillance of economic activities and/or of their impact remotely and constantly, without having to conduct on-site or even virtual inspections. This may be extremely useful where the vastness of territory to supervise is an issue, or for cases where damage may be considerable and impossible to prevent otherwise, e.g. to look at air and water pollution (remote monitoring), or conduct remote surveillance of illegal logging, overfishing, poaching etc. This can also be used to provide permanent supervision of key elements of particularly high-risk objects (e.g. structural stability of hydroelectric dams). Such approaches and tools, however, also should be used in the appropriate way, acknowledging their limits and potential problems.

There can be a temptation, based on recent progress in technology, to believe that "total control" is in fact possible - and desirable. This would lead to regulation that would not anymore try to be focused based on risk analysis and assessment, and rely on understanding of behaviour, trust and co-operation with good operators etc. Rather, in this vision of "automated total control", regulatory authorities would exert permanent surveillance using remotes, automated, connected devices. There are several reasons why such an approach is to be avoided, and why - on the contrary - new technologies should be used to make regulation more risk-based and targeted, not less:

  • Technically, most regulatory areas cover a host of issues of considerable complexity, most of which do not lend themselves readily to remote surveillance (see above on virtual inspections). In this, they are very different from e.g. driving rules compliance, where remote surveillance has rapidly developed in the past couple of decades.

  • Widespread reliance on remote sensors inside private companies would create huge information safety vulnerabilities.

  • Large-scale, intrusive surveillance is intolerable from a human rights and civil liberties perspective.

  • Crucially, given the intent of making regulation more effective, excessively heavy-handed supervision has been shown to backfire because it reduces voluntary compliance and induces resistance on the site of those subjected to it (see Box 6.10).

The COVID-19 crisis, both in its health and its economic and social dimensions, has been fundamentally about risk assessment, uncertainty, and risk management. At every step, governments have had to balance different types of risks. First, and most visibly, the direct health risk posed by the pandemic, and the negative economic and social impact (including other negative health risks) generated by “strong” responses such as lockdowns. Here again, accurately estimating the two sides of the risk equation is difficult, because predicting the negative effect of a lockdown may be possible (and measuring it ex post certainly is), but the comparison should not be made with an ideal baseline of “business as usual”, but against the economic crisis created by aggregated individual reactions in a “laissez faire” approach to managing the pandemic (Goolsbee and Syverson, 2020[59]).

In addition, one of the many difficulties of responding to the COVID-19 pandemic has lain in assessing the real extent of the pandemic spread and impact in different countries. Because of the significant percentage of asymptomatic cases, assessing incidence and prevalence is problematic. Very few countries have been able to have a testing coverage and approach (and/or a successful epidemic suppression response) that make the official number of cases likely to be close to the real number. The reported number of COVID-19 deaths is also problematic because of various degrees of under-reporting (deaths at home are typically not recorded, and deaths in care homes often are not – even deaths in hospital may not be recorded homogeneously between jurisdictions). To compensate for this, it is possible to look at the difference in mortality between the relevant months of 2020 and the previous years’ average (Banerjee et al., 2020[60]). Thus, even estimating the most “visible” part of the COVID-19 risk (deaths) is difficult – not to speak of the long-term health effects for non-fatal cases, which will become clear only over time (Halpin et al., 2020[61]); (Mitrani, Dabas and Goldberger, 2020[62]). Thus, in spite of its salience, the pandemic poses a first challenge to risk-based regulatory approaches – through the very high level of uncertainty.

The crisis also highlighted difficulties linked to the public procurement system (OECD, 2020[63]), including linked to co-operation and competition between jurisdictions. From a risk perspective, what is striking is that many public procurement regulatory systems have been built on very strong “risk averse” premises, aiming at excluding corruption risks, or at least mounting strong legal defenses against corruption accusations. Whether such systems have been effective or not at combating corruption is another question, but in a crisis context their rigidity created major problems for many countries – with normal procurement rules being far too slow and burdensome, emergency procurement provisions being either absent or inadequate, etc. (OECD, 2016[64]). In other words, regulations and regulatory processes created to combat one risk (corruption) can end up decreasing resilience and responsiveness in crisis situations and thus worsen the vulnerability to other risks (e.g. health). This is a strong illustration of the importance of designing rules and procedures that are focused, proportional, and tackle risks in the most efficient way possible, to minimise unintended negative consequences (OECD, 2020[65]).

The crisis has also been marked by the difficulty to manage health risks in situations where each side of the possible regulatory decision leads to increasing different elements of risk – rather than being a clean trade-off between costs and safety. The use of virtual inspections to address certain situations where the inspection may be both a way to control risks, and a risk factor (contagion risk) in itself, has been discussed in the previous section (see also Box 6.11) on their use to conduct food safety inspections in crisis context). Beyond this, and with much larger impact, approval and control procedures, created to minimise risks from health-care supplies (such as face-masks or hand sanitizer), or from faulty devices or tests, became at the same time elements of increased risk because they sometimes increased shortages or delayed testing. Managing the uncertainty involved in preparing for potential crises, or in developing the response to a new threat that is incompletely understood, is always difficult. Significant expenditure and measures for a threat that turns out to be disappointing can make it harder to convince citizens of the need to prepare future, and this highlights the need to nurture more “mature” public conversations about risk and resilience, so that broader support can be mobilised and maintained. Insufficient work has been done so far on how to move the public discourse beyond a pendulum swing between “cut wasteful spending” and “panic and blame”. Important contributions were made as part of the Dutch Risk and Responsibility Programme in 2010-15 (Helsloot and Schmidt, 2012[66]); (Trappenburg and Schiffelers, 2012[67]). Public perceptions and attitudes towards risk, preparedness, government expenditure etc. are hard and slow to change – hence the importance of engaging in a risk-based regulatory approach in a long-term and transparent way.

Thus, on the positive side, the COVID-19 emergency has served as an opportunity for many regulators to demonstrate remarkable agility and flexibility in introducing frameworks or adjusting regulations12 (see Box 6.12 for examples in two regulatory areas). In the post-COVID era it will be necessary to learn from the best practices that have emerged in adopting agile regulatory approaches and demonstrating flexibility in applying requirements, managing procedures and enforcing rules.13 As indicated in the opening chapter of this Outlook, “agility” is a key element of adapting regulatory frameworks to the combination of new technologies, increased transnational flows, and emerging risks. The innovative and flexible implementation of risk-based regulatory approaches seen in this crisis context can provide some useful examples in this regard.

Regulation and risk is a central topic – because a considerable amount of regulation is designed and adopted, at least notionally, to prevent or mitigate risks, both empirically measured and subjectively perceived. Risk-based regulation, which aims at making the regulatory response tailored to the specifics of each risk, and proportional to the relative importance of different risks, thus holds the potential to make regulatory systems more efficient, more effective, more resilient and responsive in times of crisis, and also better able to communicate meaningfully about their objectives, capacity, and results.

While the uptake from risk-based approaches is far from universal across jurisdictions and regulatory fields, and often less-than-thorough, there has been significant progress over the past few years, including through the development of innovative projects and programmes, leveraging emerging technologies, co-operation, information sharing, insights from behavioural insights, etc. There is much to learn from, and implementation of risk-based regulatory delivery, in particular, is easier than it used to be because of computing advances.

The “how” of risk-based approaches to regulation is increasingly well known, in spite of challenges linked to uncertainty in many areas, and a range of tools, examples, methods etc. exist that can be relatively easily adapted or adopted to make technical requirements, procedures, processes, inspections and enforcement more targeted and proportional to risk.

A point that remains more problematic is enabling risk-based approaches and ensuring their sustainability, not so much on legal grounds (where good examples exist), as in terms of public perceptions and support. Risk-based approaches can be difficult to understand and accept for a number of reasons: conflicts between risk perceptions and scientific risk assessments, reluctance to accept risk and relinquish a promise of “total protection” (even if it never was a promise that could actually be kept), difficulty to manage expectations when risks are only potential (and may not be realised), etc. Still, the fact that engaging on risk-based regulation with the public is difficult does not mean it should not be done – in fact, it makes such engagement all the more necessary and urgent (Burgess, Burgess and Leask, 2006[70]); (Chilvers and Burgess, 2008[71]).

The importance of transparent engagement with the public on risk (i.e. going beyond just risk communication, but also inviting and responding to public input) is linked to the broader issue of public trust in government and legislation, which has become particularly acute in recent years (De Benedetto, 2021[72]). Regulatory approaches that are not risk-based and risk-proportional, i.e. that strive for an ideal “zero risk” through rigid and highly burdensome requirements and procedures, appear according to recent research to contribute to reducing public trust instead of reinforcing it (De Benedetto, 2018[73]); (Blanc, 2021[74]).

Technological advances provide major opportunities for the broader, more systematic, more accurate and effective application of risk-based principles. This is particularly the case with more integrated, better managed data systems, and modern tools for analysis (e.g. Machine Learning), which can give far better insights on the most relevant risk factors, their relative importance, the emergence of new risks, the locations to focus on, etc.

Given a topic with so many ramifications and factors, this chapter can only provide a first overview, the start of a discussion, and tentative findings. Still, the issue matters enough that even such a provisional conclusion can potentially contribute to starting to solve this “crisis of confidence”. The gist of the argument is that regulations and regulatory systems are established, or at least so it is assumed and/or proclaimed, in order to strengthen, enable, (re)establish trust – but that they may sometimes be worse than failing at the task, but even actively increasing distrust.

Risk-based approaches to regulation and regulatory delivery appear as the most effective way to avoid the twin pitfalls of excessive rigidity and excessive discretion (Baldwin, 1990[13]). Properly understood and defined risk and proportionality offer instruments to adequately found and bound regulatory discretion, and modulate regulatory enforcement responses. Embedding risk-proportionality at the core of regulatory systems thus appears to be the most effective way to give them the adequate legitimacy, resilience, agility and effectiveness.


[56] Ali, S., O. Al-Saleh and P. Koushki (1997), “Effectiveness of Automated Speed-Monitoring Cameras in Kuwait”, Transportation Research Record: Journal of the Transportation Research Board, Vol. 1595/1, pp. 20-26, https://doi.org/10.3141/1595-04.

[15] Anderson, S. (ed.) (2009), The Good Guidance Guide: taking the uncertainty out of regulation, UK Better Regulation Executive, https://webarchive.nationalarchives.gov.uk/20090609052836/http://www.berr.gov.uk/files/file49881.pdf.

[13] Baldwin, R. (1990), “Why Rules Don’t Work”, The Modern Law Review, Vol. 53/3, pp. 321-337, https://doi.org/10.1111/j.1468-2230.1990.tb01815.x.

[26] Balleisen, E. et al. (eds.) (2017), Policy Shock, Cambridge University Press, Cambridge, https://doi.org/10.1017/9781316492635.

[60] Banerjee, A. et al. (2020), “Estimating excess 1-year mortality associated with the COVID-19 pandemic according to underlying conditions and age: a population-based cohort study”, The Lancet, Vol. 395/10238, pp. 1715-1725, https://doi.org/10.1016/s0140-6736(20)30854-0.

[19] Blanc, F. (2018), From Chasing Violations to Managing Risks: Origins, Challenges and Evolutions in Regulatory Inspections, Edward Elgar Publishing.

[44] Blanc, F. (2018), “Tools for Effective Regulation: Is “More” Always “Better”?”, European Journal of Risk Regulation, Vol. 9/3, pp. 465-482, https://doi.org/10.1017/err.2018.19.

[25] Blanc, F. (2015), Understanding and addressing the Risk Regulation Reflex - Lessons from international experience in dealing with risk, responsibility, and regulation, https://www.government.nl/binaries/government/documents/reports/2015/01/21/understanding-and-addressing-the-risk-regulation-reflex/understanding-and-addressing-the-risk-regulation-reflex-v2.pdf.

[10] Blanc, F. (2013), Introducing a risk-based approach to regulate businesses, World Bank Group, https://documents.worldbank.org/en/publication/documents-reports/documentdetail/102431468152704305/undefined.

[23] Blanc, F. (2012), Inspections Reforms: Why, How and with What Results?, OECD.

[9] BRDO (2012), Common Approach for Risk Assessment, UK Better Regulation Delivery Office, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/263921/risk-assessment-paper.pdf.

[29] Burgess, A. (2019), Routledge Handbook of Risk Studies, Routledge.

[28] Burgess, A. (ed.) (2016), Heuristics and Biases in Decision Making About Risk, Routledge.

[1] Burgess, A. (2009), An introduction to public risk, https://webarchive.nationalarchives.gov.uk/20100104184739/http://www.berr.gov.uk/files/file53402.pdf.

[70] Burgess, D., M. Burgess and J. Leask (2006), “The MMR vaccination and autism controversy in United Kingdom 1998–2005: Inevitable community outrage or a failure of risk communication?”, Vaccine, Vol. 24/18, pp. 3921-3928, https://doi.org/10.1016/j.vaccine.2006.02.033.

[71] Chilvers, J. and J. Burgess (2008), “Power Relations: The Politics of Risk and Procedure in Nuclear Waste Governance”, Environment and Planning A: Economy and Space, Vol. 40/8, pp. 1881-1900, https://doi.org/10.1068/a40334.

[21] Coglianese, C. (ed.) (2012), Oversight in Hindsight: Assessing the U.S. Regulatory System in the Wake of Calamity, University of Pennsylvania Press.

[74] De Benedetto, M. (ed.) (2021), Regulation, regulatory delivery, trust and distrust – avoiding vicious circles, Bloomsbury, https://www.bloomsburyprofessional.com/uk/the-crisis-of-confidence-in-legislation-9781509939855/.

[72] De Benedetto, M. (ed.) (2021), The Crisis of Confidence in Legislation, Hart Publishing, https://www.bloomsburyprofessional.com/uk/the-crisis-of-confidence-in-legislation-9781509939855/.

[73] De Benedetto, M. (2018), “Effective Law from a Regulatory and Administrative Law Perspective”, European Journal of Risk Regulation, Vol. 9/3, pp. 391-415, https://doi.org/10.1017/err.2018.52.

[17] Elffers, H. (ed.) (2006), Modelling Taxpayers’ Behaviour as a Function of Interaction between Tax Authorities and Taxpayers, Boom Legal Publishers.

[30] Fischhoff, B., P. Slovic and S. Lichtenstein (1982), “Lay Foibles and Expert Fables in Judgments about Risk”, The American Statistician, Vol. 36/3b, pp. 240-255, https://doi.org/10.1080/00031305.1982.10482845.

[32] Flynn, J., P. Slovic and C. Mertz (1993), “Decidedly Different: Expert and Public Views of Risks from a Radioactive Waste Repository”, Risk Analysis, Vol. 13/6, pp. 643-648, https://doi.org/10.1111/j.1539-6924.1993.tb01326.x.

[6] Goldstein, B. and R. Carruth (2004), “The Precautionary Principle and/or Risk Assessment in World Trade Organization Decisions: A Possible Role for Risk Perception”, Risk Analysis, Vol. 24/2, pp. 491-499, https://doi.org/10.1111/j.0272-4332.2004.00452.x.

[59] Goolsbee, A. and C. Syverson (2020), Fear, Lockdown, and Diversion: Comparing Drivers of Pandemic Economic Decline 2020, National Bureau of Economic Research, Cambridge, MA, https://doi.org/10.3386/w27432.

[51] Gunningham, N. (2015), “Compliance, Deterrence and Beyond”, SSRN Electronic Journal, https://doi.org/10.2139/ssrn.2646427.

[43] Hadjigeorgiou, A. et al. (2013), “National Food Safety Systems in the European Union: A Comparative Survey”, International Journal of Food Studies, Vol. 2/1, https://doi.org/10.7455/ijfs.v2i1.136.

[61] Halpin, S. et al. (2020), “Postdischarge symptoms and rehabilitation needs in survivors of COVID‐19 infection: A cross‐sectional evaluation”, Journal of Medical Virology, https://doi.org/10.1002/jmv.26368.

[14] Hampton, P. (ed.) (2005), Reducing administrative burdens: effective inspection and enforcement, HM Treasury, https://web.archive.org/web/20090704105121/http://www.hm-treasury.gov.uk/d/bud05hamptonv1.pdf.

[53] Hart/Beck (ed.) (2018), Ethical Business Practice and Regulation.

[46] Hawkins, K. (2003), Law as Last Resort: Prosecution Decision Making in a Regulatory Agency, Oxford University Press.

[20] Helsloot, I. (2012), Veiligheid als (bij)product: Over beleidsontwikkeling in interactie tussen bestuurders, adviseurs en narrige burgers, https://crisislab.nl/wordpress/wp-content/uploads/Oratie_Ira_Helsloot_21-09-2012.pdf.

[33] Helsloot, I. and J. Groenendaal (2017), “It’s meaning making, stupid! Success of public leadership during flash crises”, Journal of Contingencies and Crisis Management, Vol. 25/4, pp. 350-353, https://doi.org/10.1111/1468-5973.12166.

[66] Helsloot, I. and A. Schmidt (2012), “The Intractable Citizen and the Single-Minded Risk Expert – Mechanisms Causing the Risk Regulation Reflex Pointed Out in the Dutch Risk and Responsibility Programme”, European Journal of Risk Regulation, Vol. 3/3, pp. 305-312, https://doi.org/10.1017/s1867299x0000221x.

[52] Hodges, C. (2015), Law and Corporate Behaviour, Hart/Beck.

[3] IRGC (2017), Introduction to the IRGC Risk Governance Framework, revised version, EPFL International Risk Governance Center, https://infoscience.epfl.ch/record/233739/files/IRGC.%20%282017%29.%20An%20introduction%20to%20the%20IRGC%20Risk%20Governance%20Framework.%20Revised%20version..pdf.

[48] Kauffmann, C. and C. Saffirio (2020), “Study of International Regulatory Co-operation (IRC) arrangements for air quality: The cases of the Convention on Long-Range Transboundary Air Pollution, the Canada-United States Air Quality Agreement, and co-operation in North East Asia”, OECD Regulatory Policy Working Papers, No. 12, OECD Publishing, Paris, https://dx.doi.org/10.1787/dc34d5e3-en.

[5] Khwaja, M., R. Awasthi and J. Loeprick (eds.) (2011), Risk-Based Tax Audits, The World Bank, https://doi.org/10.1596/978-0-8213-8754-2.

[57] Kirchler, E., E. Hoelzl and I. Wahl (2008), “Enforced versus voluntary tax compliance: The “slippery slope” framework”, Journal of Economic Psychology, Vol. 29/2, pp. 210-225, https://doi.org/10.1016/j.joep.2007.05.004.

[58] Lind, E., R. Kanfer and P. Earley (1990), “Voice, control, and procedural justice: Instrumental and noninstrumental concerns in fairness judgments.”, Journal of Personality and Social Psychology, Vol. 59/5, pp. 952-959, https://doi.org/10.1037/0022-3514.59.5.952.

[39] Mangalam, S. (2020), Use of New Technologies in Regulatory Delivery, https://www.enterprise-development.org/wp-content/uploads/DCED-BEWG-Use-of-New-Technologies-in-Regulatory-Delivery.pdf.

[62] Mitrani, R., N. Dabas and J. Goldberger (2020), “COVID-19 cardiac injury: Implications for long-term surveillance and outcomes in survivors”, Heart Rhythm, https://doi.org/10.1016/j.hrthm.2020.06.026.

[2] National Research Council (1983), Risk Assessment in the Federal Government, National Academies Press, Washington, D.C., https://doi.org/10.17226/366.

[36] OECD (2020), Implementing Technical Regulations in Mexico, OECD Publishing, Paris, https://dx.doi.org/10.1787/4e919492-en.

[63] OECD (2020), Public integrity for an effective COVID-19 response and recovery, http://www.oecd.org/coronavirus/policy-responses/public-integrity-for-an-effective-covid-19-response-and-recovery-a5c35d8c/.

[65] OECD (2020), Public procurement and infrastructure governance: Initial policy responses to the coronavirus (Covid-19) crisis, http://www.oecd.org/coronavirus/policy-responses/public-procurement-and-infrastructure-governance-initial-policy-responses-to-the-coronavirus-covid-19-crisis-c0ab0a96/.

[68] OECD (2020), Regulatory quality and COVID-19: The use of regulatory management tools in a time of crisis, http://www.oecd.org/coronavirus/policy-responses/regulatory-quality-and-covid-19-the-use-of-regulatory-management-tools-in-a-time-of-crisis-b876d5dc/.

[69] OECD (2020), Removing administrative barriers, improving regulatory delivery, http://www.oecd.org/coronavirus/policy-responses/removing-administrative-barriers-improving-regulatory-delivery-6704c8a1/.

[22] OECD (2018), OECD Regulatory Enforcement and Inspections Toolkit, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264303959-en.

[35] OECD (2018), OECD Regulatory Policy Outlook 2018, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264303072-en.

[64] OECD (2016), Preventing Corruption in Public Procurement, https://www.oecd.org/gov/public-procurement/publications/Corruption-Public-Procurement-Brochure.pdf.

[11] OECD (2015), Regulatory Policy in Lithuania: Focusing on the Delivery Side, OECD Reviews of Regulatory Reform, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264239340-en.

[37] OECD (2014), Regulatory Enforcement and Inspections, OECD Best Practice Principles for Regulatory Policy, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264208117-en.

[47] OECD (2013), International Regulatory Co-operation: Case Studies, Vol. 1: Chemicals, Consumer Products, Tax and Competition, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264200487-en.

[4] OECD (2010), Risk and Regulatory Policy: Improving the Governance of Risk, OECD Reviews of Regulatory Reform, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264082939-en.

[42] OECD (2009), Managing and Improving Compliance: Recent Developments in Compliance Risk Treatments, https://www.oecd.org/tax/forum-on-tax-administration/publications-and-products/hnwi/42490764.pdf.

[41] OECD (2004), Compliance Risk Management - Managing and Improving Tax Compliance, https://www.oecd.org/tax/administration/33818656.pdf.

[40] OECD (2021, forthcoming), Data-Driven, Information-Enabled Regulatory Delivery, OECD Publishing,.

[54] OECD (2021, forthcoming), Using Digital Technologies to Improve Regulatory Delivery Activities, OECD Publishing,.

[55] Pilkington, P. and S. Kinra (2005), “Effectiveness of speed cameras in preventing road traffic collisions and related casualties: systematic review”, BMJ, Vol. 330/7487, pp. 331-334, https://doi.org/10.1136/bmj.38324.646574.ae.

[16] Roetzel, P. (2018), “Information overload in the information age: a review of the literature from business administration, business psychology, and related disciplines with a bibliometric approach and framework development”, Business Research, Vol. 12/2, pp. 479-522, https://doi.org/10.1007/s40685-018-0069-z.

[24] Rothstein, H., O. Borraz and M. Huber (2012), “Risk and the limits of governance: Exploring varied patterns of risk-based governance across Europe”, Regulation & Governance, Vol. 7/2, pp. 215-235, https://doi.org/10.1111/j.1748-5991.2012.01153.x.

[12] Rothstein, H. et al. (2017), “Varieties of risk regulation in Europe: coordination, complementarity and occupational safety in capitalist welfare states”, Socio-Economic Review, Vol. 17/4, pp. 993-1020, https://doi.org/10.1093/ser/mwx029.

[8] Russell Graham and Hodges Christopher, E. (2019), Regulatory Delivery, Hart/Beck.

[31] Slovic, P. (1986), “Informing and Educating the Public About Risk”, Risk Analysis, Vol. 6/4, pp. 403-415, https://doi.org/10.1111/j.1539-6924.1986.tb00953.x.

[67] Trappenburg, M. and M. Schiffelers (2012), “How to Escape the Vicious Circle: The Challenges of the Risk Regulation Reflex”, European Journal of Risk Regulation, Vol. 3/3, pp. 283-291, https://doi.org/10.1017/s1867299x00002191.

[27] Tversky, A. and D. Kahneman (1974), “Judgment under Uncertainty: Heuristics and Biases”, Science, Vol. 185/4157, pp. 1124-1131, https://doi.org/10.1126/science.185.4157.1124.

[18] Tyler, T. (2003), “Procedural Justice, Legitimacy, and the Effective Rule of Law”, Crime and Justice, Vol. 30, pp. 283-357, https://doi.org/10.1086/652233.

[49] Tyler, T. (1990), Why People Obey the Law, Yale University Press.

[45] van Rooij, B. (ed.) (2021), Using outcomes to measure compliance: Justifications, challenges, and practices, Cambridge University Press.

[7] Wagner, M. (2016), “Interpreting the SPS Agreement: Navigating Risk, Scientific Evidence and Regulatory Autonomy”, SSRN Electronic Journal, https://doi.org/10.2139/ssrn.2887361.

[38] Wille, J. (2013), Implementing a Shared Inspection Management System - Insights from recent international experience, http://documents1.worldbank.org/curated/en/190851468152706158/pdf/907550BRI0Box30ment0System0apr02013.pdf.

[34] World Bank Group (2021), Approaches to Integrated Inspections Reforms - Selected Case Studies.

[50] Yapp, C. and R. Fairman (2006), “Factors affecting food safety compliance within small and medium-sized enterprises: implications for regulatory and enforcement strategies”, Food Control, Vol. 17/1, pp. 42-51, https://doi.org/10.1016/j.foodcont.2004.08.007.


← 1. In particular the Society for Risk Analysis https://www.sra.org/ but also a number of regional or subject-specific networks, specialised academic journals etc.

← 2. Among these, the fundamental legislation for the EU Single Market such as the Industrial Emissions Directive (EU Dir. 75/2010), the Food Hygiene Package (Reg. EU 852-853-854/2004) and related Official Controls Regulation (Reg. EU 625/2017), the recent Market Surveillance Regulation (Reg. EU 1020/2019) – but also in major US legislation (Food Safety Modernization Act 2011) and of course brought to the fore largely through pioneering work by the US EPA in the 1980s (see https://www.epa.gov/risk/about-risk-assessment#tab-2).

← 3. See for instance: https://irgc.org/publications/core-concepts-of-risk-governance/.

← 4. See e.g. Codex Alimentarius principles: http://www.fao.org/3/a0247e/a0247e04.htm#:~:text=The%20risk%20analysis%20should%20follow,to%20the%20overall%20risk%20analysis and http://www.fao.org/3/Y4800E/y4800e0o.htm - FAO guidance: http://www.fao.org/3/i0096e/i0096e00.htm.

← 5. SPS Art. 5 and Annexes A and B, available at: https://www.wto.org/english/tratop_e/sps_e/spsagr_e.htm – TBT Art. 2 and 5, https://www.wto.org/english/docs_e/legal_e/17-tbt_e.htm.

← 6. Available at: https://www.oecd.org/gov/regulatory-policy/49990817.pdf.

← 7. See Food Safety STL Project, summary available at: https://dash.harvard.edu/bitstream/handle/1/34492285/5540821.pdf?sequence=1 and report on Nevada nEmesis project available at: https://www.nsf.gov/news/news_summ.jsp?cntn_id=137848.

← 8. For concrete examples, see the whole range of country profiles of food safety control systems prepared by the European Commission DG SANTE, available at: https://ec.europa.eu/food/audits-analysis/country_profiles/index.cfm.

← 9. See for example Health and Safety Executive (HSE) (2016), The effectiveness of HSE’s regulatory approach: The construction example (Prepared by Frontline Consultants for the Health and Safety Executive in 2013).

← 10. Enforcement Management Model, available at: https://www.hse.gov.uk/enforce/emm.pdf.

← 11. See for example Greece through art. 149 of law 4512/2018 reforming inspections and licensing.

← 12. See for instance regulatory COVID response of Canada: https://www.fintrac-canafe.gc.ca/COVID19/flexible-measures-eng and https://www.inspection.gc.ca/about-cfia/acts-and-regulations/forward-regulatory-plan/targeted-regulatory-review/eng/1558026225581/1558026225797.

← 13. See also pre-COVID policies to make regulation more agile and responsive in Canada: https://www.canada.ca/en/treasury-board-secretariat/news/2018/09/canada-revamps-its-directive-on-regulations---more-agile-transparent-and-responsive-so-businesses-can-thrive.html and https://www.canada.ca/en/health-canada/services/drugs-health-products/public-involvement-consultations/drug-products/enabling-advanced-therepeutic-products-modernizing-regulation-clinical-trials.html.

Metadata, Legal and Rights

This document, as well as any data and map included herein, are without prejudice to the status of or sovereignty over any territory, to the delimitation of international frontiers and boundaries and to the name of any territory, city or area. Extracts from publications may be subject to additional disclaimers, which are set out in the complete version of the publication, available at the link provided.

© OECD 2021

The use of this work, whether digital or print, is governed by the Terms and Conditions to be found at http://www.oecd.org/termsandconditions.