Updated: Jul 22
In recent years many in the compliance industry have observed a shift in regulation from prescriptive to performance- and outcome-based designs. What we are seeing is only the beginning of a trickle-down effect emerging from regulatory reform over the last few decades, across regulatory jurisdictions and around the world.
During this time an increasing number of regulatory bodies have started to modernize the function of regulation, its processes and practices, and how regulation itself is regulated (meta-regulation). Most of this transformation has centered on the adoption of risk-based strategies, operations, and tactics.
There are many reasons why this is happening. What is perhaps more important, however, is that it is happening, bringing with it continued changes for those who operate under regulation and for the role of compliance.
In this article we will take a look at:
Why is this happening?
What is risk-based regulation?
What might it mean to be a risk-based regulator?
The regulation of regulators
What this all means
Why Is This Happening?
Risk regulation is a relatively recent phenomenon and is an expression of what many social scientists call a "risk society." This is defined as a society that is oriented toward the future and believes that risk can be controlled and managed. Some have described this as a shift from a belief in fate to an "aspiration to control" future events. In many ways present-day changes to regulation can be seen as an outworking of this belief that risks can be anticipated and controlled. It is this notion that has taken hold in the public as well as the private sector.
The anticipation and control of risks affects the traditional notion of regulation. Dr. Malcolm K. Sparrow, a leading expert in the regulatory field, suggests that this change to risk-based approaches is a necessary manifestation when one considers the coverage of the problem space itself.
Traditional regulation has focused on protecting public safety by means of prescriptive obligations and compliance and enforcement functions, seen primarily through a legal lens. This legal focus often results in many "paper violations" that are not necessarily harmful to the public. However, many of the risks that do affect the public lie in the domain of legal and permitted behaviors, which require a different approach than enforcement and strict compliance.
The question that regulatory agencies are asking themselves is not which of these domains to focus on but rather how resources should be divided between them. They understand that to better protect (or create) public safety they will need to extend their focus to include not only illegal but also harmful things.
This shift requires that definitions exist for what "harm" means. Harms are similar to the notion of "hazards": they are complex, multi-dimensional problems that have the potential to negatively impact the public or the environment. Identifying and solving harms requires different skills, capacity, and organizational culture than may exist within an agency, and therefore calls for transformational change. Perhaps the most significant change in dealing with harms will be the introduction of risk management capabilities.
What is Risk-based Regulation?
At a high level, risk-based regulation is a set of guiding principles for rationalizing the regulatory process. It does this by prioritizing regulatory actions based on an assessment of the risk to the achievement of the regulator's objectives. Risk-based regulation is more than the technical implementation of risk assessment and risk management techniques. These practices are used in conjunction with, and as part of, the development of an agency's risk-based operating framework for its functions and processes.
One of the appealing benefits of risk-based regulation is that it helps to address institutional risk: the threat that the regulatory agency will not achieve its objectives. This is accomplished not only by an analysis of economic costs and benefits, but also through the concepts of uncertainty and impact. This provides, among other things, an integrated decision-making framework applicable to all levels of risk and of the organization.
For a risk-based regime it is desirable to regulate all firms according to their particular risk, instead of simply prioritizing the supervision of the riskiest ones. Julia Black (London School of Economics) discusses the problems with ignoring the lowest risks and focusing only on high-risk firms, and presents a remedy. Black also makes the following observations regarding risk-based regulation:
the danger of focusing more on diagnosis than cure;
the importance of organizational culture in implementing risk-based regulation;
risk-based frameworks can create risks;
the danger of inappropriate reliance on firms' internal controls is reduced but not removed in risk-based approaches (see the models below);
in making it clear which issues are not regulatory priorities, risk-based regulation can carry a potentially contentious political message.
Changes driven by a "risk society" and by modernization will continue to affect regulatory regimes. One of the ways is in how risk itself is delegated between regulators and the organizations under regulation.
Malcolm Sparrow suggests that, to better understand how risk-based regulation might manifest itself, we can consider how three broad elements of risk management (risk identification, risk analysis and design, and risk implementation) might be delegated between regulators and the regulated industry:
According to Sparrow, the traditional model for regulators is "Model 1." Here government retains responsibility for identifying risks, analyzing them, and developing (or selecting) an intervention design. This model produces prescriptive regulation, typified by inspectors showing up with a tape measure to see how close you are to specified limits.
In recognition of the diversity within a regulated industry (along with differing levels of trust and assurance), regulators may allow firms greater flexibility (Model 2) in the means by which risk is controlled. This creates "ends-based" instruments, often referred to as "performance-based" or "outcome-based" regulation.
Large companies in highly technical industries may be delegated all three risk elements in the form of self-regulation (Model 3). This does not mean that the regulator has no responsibilities; they may instead take the form of "light-touch" regulation (which is different from the right-touch regulation discussed below).
Finally, Model 4 is a variant of the previous model for companies under regulation that are too small to afford, or do not want to build out, comprehensive risk-control systems on their own. They also do not want to be burdened with "going back" to Model 1 under the tutelage of prescriptive regulation. Instead, they form an industry association, made up of representative members, which takes on the self-regulation function.
What Might It Mean To Be A "Risk-based Regulator?"
A risk-based regulator will look different from one that focuses only on enforcement and compliance. It will utilize the full set of regulatory instruments as needed to address the risks within its scope. Sparrow suggests that risk-based regulators will:
Focus on the "Expert" rather than the "Legal" model of regulation
Focus more on identifying and reducing "bads" (risk/harms), less on defining and promoting "goods"
Practice "Regulatory Craftsmanship" (utilizing a broader range of tools, organized around specific tasks)
Master organizational methods (less program-centric, more problem-centric)
Fit different regulatory structures to different classes of risk (structural versatility)
Use risk-mitigation as the foundation for partnerships
Understand types of risk that pose special challenges
These characteristics apply to all of Sparrow's regulatory models, as well as to private sector risk management functions.
The Regulation of Regulators
In cases of self-regulation the idea of meta-regulation becomes necessary. There are two kinds of meta-frameworks that often get confused: light-touch regulation and right-touch regulation.
Light-touch regulation refers to policy strategies that rely on private markets more than on regulation. The light-touch narrative is, in a sense, the story of the Internet's regulatory journey. In many ways it is a policy of non-regulation. The primary role of government is to monitor the management of risk by the private sector and to be prepared to adopt a different regulatory model if and when necessary.
Right-touch regulation has its roots in the regulation of professional organizations. This form of regulation concerns itself with setting up the conditions under which self-regulatory bodies conduct themselves with respect to their responsibilities for public safety or the public interest.
Right-touch regulation is still in a formative stage and varies in its implementation. However, a common purpose of the right-touch approach is to strike the right balance between regulatory force and effective impact on risk. The UK Professional Standards Association (2015) defines six principles of the right-touch approach:
Proportionate: regulators should only intervene when necessary; remedies should be appropriate to the risk posed, and costs identified and minimized.
Consistent: rules and standards must be joined up and implemented fairly.
Targeted: regulation should be focused on the problem, and minimize side effects.
Transparent: regulators should be open, and keep regulations simple and user-friendly.
Accountable: regulators must be able to justify decisions, and be subject to public scrutiny.
Agile: regulation must look forward and be able to adapt to anticipate change.
The right-touch approach has been adopted by many professional associations and serves as an example for a "common-sense" manifesto for risk-based regulation across all sectors.
What This All Means
Regulatory bodies fundamentally exist to contend with public risk. Historically, the primary way this has been done is by creating obligations, verifying compliance, and enforcing. However, this has now changed and will continue to do so as more regulatory agencies adopt risk-based approaches to their functions, their processes, and the specific problems they are responsible for addressing. This will drive continued change for those under regulation, and specifically for the role of compliance:
The regulatory transformation currently underway has already changed how regulation and standards are designed, and more change is expected. This will have continued impacts on organizations under regulation, foremost of which will be the need for clear objectives along with the capability to identify, analyze, and implement effective risk controls.
Regulatory agencies may offer the private sector unique insights into how a risk-based operating framework performs. As the sole purpose of a regulatory agency is to affect public risk, they will have non-competing opportunities to develop risk management excellence.
The concepts of uncertainty and risk will continue to evolve and harmonize across risk disciplines. This will help to advance risk excellence to the benefit of both the public and private sectors.
Compliance, for those under regulation, will also evolve into a "risk-based operational system" for meeting obligations, e.g. an Obligation Management System (OMS).
Governance within both the public and private sectors may benefit from further developments in meta-regulation with respect to internal policies and voluntary obligations.
Dr. Malcolm K. Sparrow, "The Regulatory Craft: Controlling Risks, Solving Problems, and Managing Compliance"
Dr. Malcolm K. Sparrow, "The Character of Harms: Operational Challenges in the Control"
Julia Black, "The Development of Risk Based Regulation in the Financial Services: Canada, UK and Australia", 2004
UK Professional Standards Association, "Right-touch Regulation", 2015