Risk Based Regulation

There is a growing demand around the corporate world for risk based regulation and regulators. Its rising popularity can be partly attributed to the fact that the ‘risk-based’ concept can be interpreted differently by different people.

For instance, a regulator would be adopting a risk based approach while responding to the risks associated with economic activity (risks arising from accidents, the environment, commercial transactions and so on). But to avoid ambiguity, it is imperative that risk based regulation be defined in a detailed, clear and consistent manner.

Business entities usually adopt risk based regulation when trying to fortify regulatory decisions with a rigorous framework for analysis. Today, regulators can organize their decision making and forecast the outcome of different regulatory options through regulatory impact assessments and benefit-cost analyses. While managing risks, regulators back their decisions by using advanced tools that assess the likelihood and negative impact of risky regulated activities. By carefully assessing risks, regulators can gain an in-depth understanding of the risks involved in different tasks and thereby organize regulatory resource allocations based on priority which in turn facilitates better risk management. Regulators using risk based regulation depend highly upon rigorous risk analyses that in turn facilitate evidence based decision making.

Despite a regulator’s dependence on detailed risk analyses in order to achieve risk based regulation, risk assessments only provide an auxiliary tool, never a comprehensive framework for risk management decision making.

Risk management decisions include:

• The type and number of controls that need to be implemented in a new regulation
• The type of regulatory instrument that should be employed
• The facilities that need to be examined during inspections
• The type and severity of penalties to be levied for non-compliance

Risk assessment on the other hand describes the possibilities of risks and their distribution. However, it does not provide policy principles or normative reasons that aid in making decisions related to regulating or managing the risks associated with hazards.

Sample Scenario

Let us consider a sample business scenario where a regulator has multiple available options to manage five possible hazards. Each hazard impacts the company differently in terms of damages and losses incurred.  The benefits and costs associated with each of the risk management options also vary.

Although all the hazards and their related data collectively aid in making an informed decision, they don’t assist the regulator in choosing the most relevant option. The regulator decides on a course of action based on policies that have already been outlined. For instance, priority can be given to:

The hazard with the highest probability of occurrence

The hazard with the greatest impact on business  

The least expensive risk mitigation strategy

The risk mitigation option that provides the maximum benefit

Data pertaining to each of the above factors are gathered through rigorous risk assessment exercises. However, these insights don’t advise the regulator on the most suitable option. The regulator arrives at this decision based on the company’s policies and norms that are beyond the scope of the risk assessment exercise.

Besides selecting the most relevant response from multiple choices, regulators also have to efficiently manage limited available resources. Adopting a risk based regulation methodology requires a seasoned regulator who is clear on the strategy based on which decisions should be taken.

The organization could decide on an option that

• Targets the biggest risks,
• Minimizes expenses,
• Maximizes benefits by simultaneously addressing multiple risks, for instance, by including minor risks that can be managed inexpensively, and excluding risks that although expensive to manage, occur very rarely.

Conclusion

Risk based regulation goes beyond just technical enterprise and competence. It emphasizes clearly outlined decision making policies, principles and fact based inferences. Today in the business arena, as risks become increasingly commonplace and expensive, risk based regulation can bring about a paradigm shift in an organization’s responses to operational hazards.