6. Risk-based regulation
Risk-focus and risk-proportionality have been increasingly used by governments and regulators when designing and delivering regulation. Risk helps improve the effectiveness and efficiency of regulation. It is crucial in the perspective of achieving public outcomes at every step of the regulatory policy cycle, while minimising burden and unintended side effects of regulation and rules. The use of risk is however unequally spread across countries and regulatory area. Also, many impediments to its utilisation exist, ranging from resistance in institutions to the over-estimation of the effectiveness of “non-risk-based” regulation. The COVID-19 crisis has shown the obstacles that regulation can pose to response needs when it is not in line with a risk-based approach, nor flexible enough. The chapter discusses how risk prioritisation, objective and data-driven risk assessment, use of new technologies to improve data sharing and analysis, and adequate flexibility/agility can dramatically improve regulatory outcomes.
Designing and delivering regulation in a risk-focused and risk-proportional way is an essential approach to improving efficiency, strengthening effectiveness, and reducing administrative burden.
“Risk” is understood as the combination of the likelihood of harm of any kind, and the potential magnitude and severity of this harm. Risk-based regulation is, crucially, about focusing on outcomes rather than specific rules and process as the goal of regulation.
Adoption of risk-based regulatory approaches is unequally spread across countries and regulatory functions, and is often limited to phases of the regulatory policy cycle, sectors, etc. This is confirmed by data collected from the pilot questions in the iREG survey.
Risk-assessment can serve to prioritise regulatory efforts and tailor the choice and design of regulatory instruments – within and across regulatory domains. It is not only about understanding the level of risk, but the characteristics of each risk so as to design the adequate regulatory response.
Obstacles to uptake of risk-based regulation include resistance in institutions with a “risk-averse” culture, public pressure, path dependency, lack of necessary tools and resources etc. A number of these stem from misconceptions about risk-based regulation, as well as an over-estimation of how effective “non-risk-based” regulation actually is.
As a first (useful) step, risk prioritisation can be done by sector or by type of activity, –but when data for risk analysis and prioritisation is available, a more differentiated, data-driven approach to risk assessment and targeting is essential.
Risk should be assessed in an objective and data-driven way. Significant advances have been made in recent years including through the use of Machine Learning to improve data analysis, and many jurisdictions and services have introduced new risk-based tools and practices, including in the Covid-19 context.
Specifically, the Covid-19 crisis has shown the obstacles that regulation can pose to crisis response when it is not proportionate to risk, or when trade-offs between different risks are not adequately foreseen. It also has shown the importance of allowing and managing regulatory flexibility in emergency situations, and to leverage new technologies.
New technologies can facilitate data sharing and improve analysis, including through the use of a combination of private and public data, but this requires to adequately manage issues of trust and privacy.
Risk (and specifically public risk), in addition to its growing use in industry and business, as well as in safety management overall, has over the last couple of decades become increasingly used in a regulatory context (Burgess, 2009[1]). Indeed, in the perspective of trying to improve regulations’ ability to achieve their intended outcomes, and of minimising the burden and unintended side-effects they create, risk is a key tool. It allows to better formulate what it is that a given regulation is trying to address (reducing or managing a risk), to better design the contents and mechanisms of the regulation (based on the causes and characteristics of the risks being addressed), to target enforcement and implementation efforts more efficiently (on the areas, sectors, businesses etc. that pose the highest risk). Thus, risk helps to improve the effectiveness and efficiency regulation at every step of the regulatory policy cycle, including ex post assessment (have the risks been effectively managed?) – and also improves accountability, as it allows to formulate in a clear and often measurable way what the regulation or regulator is supposed to achieve (and what are its limits).
In recent years, overall, much progress has been done in extending risk-based regulation to new countries, sectors, regulatory areas etc. – and in applying innovative practices and tools to improve the understanding and assessment of risk (e.g. data integration and Machine Learning), and use it more consistently from the strategic level to the “regulatory frontline”. This chapter seeks to reflect such progress, and particularly practices that involve novel applications of digital technologies, and incorporation of behavioural insights.
Over time, “risk and regulation” and “risk-based regulation” have become complementary aspects of an increasingly well-established topic, studied by several important academic and practitioners’ networks,1 referenced in numerous pieces of legislation,2 covered by major international publications3 with gradual development over close to 40 years (National Research Council, 1983[2]); (IRGC, 2017[3]) – including previous work by the OECD (OECD, 2010[4]). Still, in spite of risk, risk-focus, risk-proportionality, and risk-management all being referenced in studies and guidance that apply or relate to specific areas of regulation4 (Khwaja, Awasthi and Loeprick, 2011[5]), there is no consolidated guidance on “risk and regulation” as such at the international level. Risk-proportionality is central to international agreements such as the World Trade Organization’s (WTO) Technical Barriers to Trade Agreement (TBT), Sanitary and Phyto-Sanitary Measures Agreement (SPS) and more recent Trade Facilitation Agreement, with relevant clauses5 requiring applied trade-restricting “measures” to be based on risk, and indicating fundamental elements of such an approach, but interpretation and implementation are far from undisputed (Goldstein and Carruth, 2004[6]); (Wagner, 2016[7]); (Russell Graham and Hodges Christopher, 2019[8]); (Russell Graham and Hodges Christopher, 2019[8]). While addressing this “interpretation gap” goes beyond the scope of this chapter, it is important to acknowledge it, as it helps explain some of the implementation difficulties.
Indeed, notwithstanding the considerable progress over time, the remain a significant implementation gap in risk-based regulation – even in some jurisdictions and regulatory areas where apparently binding legislation exists, and/or where official proclamations of being “risk-based” exist. If adequate understanding and assessment of risks, and consistent application of risk-focus and risk-proportionality, are to deliver their expected benefits in regulation, it is essential to more systematically assess the current situation, and spread best practices. The application of “risk assessment, risk management, and risk communication”, point 9 of the OECD 2012 Recommendation on Regulatory Policy and Governance,6 is thus being given increased attention in this edition of the Regulatory Policy Outlook – with results of a series of pilot questions administered along the iREG survey, and an overview of prominent initiatives in the area of risk-based regulation, as well as preliminary findings from research on the application of risk-based methods in regulatory delivery.
Survey results: risk-based regulation is unevenly and incompletely applied
Data from the pilot questions collected with the iREG survey confirms this general finding of uneven and incomplete diffusion and uptake of risk-based approaches – but also of their slowly taking root in the regulatory landscape. Out of the 39 countries (with the EU being included as a country) surveyed and responding overall to the questionnaire, only 32 provided a response on the new “pilot” risk-based regulation questions, potentially indicating some perplexity and/or lack of awareness or interest about the topic. For some countries, the respondents left some questions unanswered or with a negative reply, even though the OECD team independently had information that some practice existed at the sectoral level, suggesting that knowledge about risk-based approaches is insufficiently shared across the government and even within ministries (since respondents queried other ministries, and some evidently did not reply or replied “no” in spite of risk-based approaches existing within their own ministry).
Moreover, the answers suggest that risk-based regulation is often a perspective that is “confined” to some aspects of regulation and regulatory policy, rather than forming a strong framework for the whole of regulatory functions. Indeed, while relatively few countries responded positively on the question of whether they had “a ‘whole-of-government’ strategy on “risk and regulation” (9 out of 39 surveyed) or a “sector-specific one” (16 positive answers for sector-specific strategy, and 17 in total having either a ‘whole-or-government’ or sector-specific strategy, or both), a significantly larger number indicated that risk assessment was “required when developing regulation” (either for all regulatory areas, or for some only – 28 countries in total having such a requirement for at least some regulations). However, only a subset of these (14 countries) required risk assessment to involve quantitative analysis, meaning that the level of rigour required in the assessment remains often relatively light. Overall, only 5 countries responded “yes”at all 3 key “risk” questions, i.e. whether a “whole-of-government” risk-based regulation exists, whether risk-assessment is required when developing regulations, and whether this assessment has to involve quantitative analysis (see Figure 6.1).
Defining and understanding “risk” in a regulatory context
The term “risk” can be confusing, because of its different meanings (both in different contexts, and even within the same context), but also of the different ways in which it can be assessed. “Risk” is often used interchangeably with “hazard” or with “probability (of harm)”. Overall, however, the prevailing consensus when it comes to discussing “public risk” broadly considered, and specifically risk in a regulatory context, is that it is distinct both from “hazard” and from “probability/likelihood”. In this usage, “hazard” is used to refer to the existence of possible harm and its potential severity, but does not convey any information on how likely it is that harm will be materialised. On the other hand, “probability” and “likelihood” refer only to how likely it is that something (e.g. a regulatory violation) happens, without consideration to the severity or scope of this adverse event.
The definition of “risk” as the combination of the likelihood and potential magnitude and severity of harm, as used here, reflects also its use in previous OECD work on the issue, and in many relevant international, scholarly, and national documents and legislation (OECD, 2010[4]); (BRDO, 2012[9]); (Blanc, 2013[10]); (OECD, 2015[11]); (IRGC, 2017[3]). While, inside some countries and institutions, use occasionally diverge (officially or in practice only) from these definitions, consensus is now broad and established for the use of the following definitions in this chapter and elsewhere in this edition of the Regulatory Policy Outlook (Rothstein et al., 2017[12]):
Risk is defined as the combination of the likelihood and potential magnitude and severity of harm. This can also be expressed as the combination of the likelihood and degree of hazard. Thus, risk combines a) probability, b) scope of the harm (number of people affected etc.) and c) degree of harm (type of damage).
Hazard is used as the potential type, magnitude and severity of harm, but without taking into account the likelihood of harm actually happening.
Harm is any form of damage done to people (their life, health, property etc.), the environment (natural and human), or other public interests (e.g. tax fraud harms state revenue). Not all types of harm are of the same nature, and some harm is irreversible (e.g. death), whereas other (e.g. financial) can be corrected once identified.
Unpredictability and uncertainty are distinct from risk and from estimations of probability of harm. They are inherent limitations in the process of risk assessment and thus likewise limitations of risk-based regulation, that should be acknowledged as such. Approaches on how to handle unpredictability and uncertainty are not always explicitly stated or consistent, which is an issue discussed further in this chapter.
Regulations address a number of different potential harms (bodily, environmental, financial etc.), not all of which are of equal seriousness – in particular, reversibility or its absence creates a key difference. Likewise, regulation addresses many hazards – industrial pollution and explosions, food poisoning, building fires and collapses, marketing fraud, tax evasion etc. Again, not all of these are of the same severity, and the likelihood of each of these actually happening varies greatly. Thus, comparing the level of priority of regulating different, but also different economic sectors or establishments, based on the harm caused, is inherently difficult.
Risk can allow to consider allocation of resources at a strategic level (between different domains such as environmental protection, food safety, state revenue, technical safety etc.), even though this is rarely done – as well as to prioritise regulatory interventions in a given domain, between different economic sectors and establishments, which is a much more frequent practice. In this way, risk can function as a kind of common measurement unit, allowing easy conversion and comparison of the relative “value” of different regulatory interventions in terms of lives saved, environmental impact, economic impact etc. – but this is only possible if a common approach to risk assessment across regulatory domains and sectors exists.
Comparing the relative levels of risk, and deciding on the appropriate type and intensity of regulatory response, requires having gone through risk assessment – i.e. estimating the relative level of different risks in terms of combined probability and severity of harm. To allow full comparison across different regulatory domains, not only should there be a unified approach for risk assessment – but also a method to convert different types of harm. While this is theoretically possible (there exist many approaches in law and economics to estimate the economic value of life, health, the environment etc.), it is rarely done in practice with that level of precision. Most often, comparisons of risk levels are done within a given category of harm – e.g. potential losses of life, or potential financial losses. In any case, regardless of the level and scope to which risk is applied, it is an instrument of comparison, and thus prioritisation.
Finally, while risk prioritisation done solely by sector or type of activity can be a useful first step of improvement in situations where risk assessment is starting “from scratch” and with limited or no data to support the exercise, it is not optimal, and insufficient in the longer run. In advanced economies, and where data needed for risk analysis and prioritisation are available to regulatory delivery authorities, a more differentiated approach to risk assessment and targeting can be expected – e.g. so as to be applied to each business entity or object (facility, establishment) individually, based on inherent characteristics and track record.
Why risk matters: the importance of prioritisation, and proportionality
Risk-assessment is thus a useful instrument to prioritise regulatory efforts. While the OECD 2012 Recommendation, and the entire set of regulatory good practices starting from the use of regulatory impact assessment, all emphasise the importance of cost-benefit analysis and selectivity in regulation, risk provides a key instrument to exercise these and also to assess which regulatory instrument to use, given the specific characteristics of each risk. While risk-based prioritisation looks specifically at focusing resources where the highest risk level is, risk-proportionality considers both the level and the characteristics of the risk to determine the most suitable content for regulations (level of standards, degree of prescriptiveness, etc.) and the choice of regulatory instruments (e.g. ex ante permitting, ex post controls, certification, registration, etc.). However, some may contend that regulation should not prioritise and rather (following the requests of a number of different stakeholders) try to regulate all potential hazards, regardless of e.g. likelihood or actual prevalence of harm.
Regulating every hazard may be possible on paper (though it leads to massive inflation of the volume of legislation), but allocating resources to control and implement these regulations can only be done within limits set by state budgets and levels of economic activity. Staff numbers and material resources (transport, testing etc.) needed for inspections conducted by state agencies are limited by budget resources, and competing against many other demands. Even when control over regulatory compliance is delegated to third parties (e.g. through requirements for mandatory third-party certification a.k.a. “conformity assessment”), these have a cost. While such controls are not anymore constrained by state budget size, they impose a direct cost to business operators (which, were possible, will seek to recover it from consumers). Thus, such use of third-party controls is also inherently limited – because of the costs it creates to consumers and businesses, and the negative effect it can have on competitiveness and growth.
An excessive number and range of rules means that it ends up being impossible in practice for most economic operators to know about all of them, and to comply with all. An excessively large scope of regulation thus can be setting itself for failure, and in turn harming the rule of law because it is widely accepted that full compliance is impossible (Baldwin, 1990[13]); (Hampton, 2005[14]); (Anderson, 2009[15]). An excessive number of rules and controls means that regulators may be “submerged” by an excessive amount of data – even with the help of modern data analytics tools and increased computing power, over-abundance of information makes effective decision making more difficult (Roetzel, 2018[16]).
Crucially, it has been found through repeated studies that levels of control that are perceived as “excessively high” actually end up decreasing compliance (Kirchler, 2006[17]), in addition to the perceived control burden creating disincentives to investment and growth. Instead of responding to increased controls by higher compliance, businesses and citizens can end up “resisting” when they face very high burden, that they perceive as unfair, thus reducing voluntary compliance. Such effect is predicted by “procedural justice” compliance models (Tyler, 2003[18]), which have also shown that people react negatively to processes where they feel disrespected, where they do not think decisions are being taken in a manner that is understandable and ethical. Excessively broad regulation tends to produce such effects because it is often practically impossible to comply fully with it, and it imposes restrictions in situations where actors do not see any meaningful risk or actual harm. As a result, excessively broad regulation can increase the overall level of risk in a jurisdiction because it reduces compliance (Blanc, 2018[19]).
At the outer limit, such an excessively risk-averse regulatory approach can have a negative impact on the aggregate risk level even if it manages to achieve compliance, if the negative economic impact is particularly high, while the direct positive safety impact is low. Indeed, as life expectancy is related to income and to overall GDP levels, the negative aggregate impact on life expectancy may exceed whatever gains are achieved through the regulation (Helsloot, 2012[20]). While this corresponds to extreme cases, they are documented and not fictional. More broadly, these findings indicate that risk-based regulation should not be seen as an approach that trades-off safety for economic growth. While, of course, trade-offs in regulation exist and should be properly acknowledged, for a given chosen level of protection and regulation, risk-based design and enforcement of regulation will, based on available research, achieve better outcomes both in terms of safety and in economic and social terms (Coglianese, 2012[21]).
While there are many pieces of legislation that mandate a risk-based approach, and a number of institutions that claim to be using one, the level to which risk-based regulation is effectively implemented is not easy to assess – be it in breadth (across jurisdictions and regulatory functions) or in depth (in terms of how consistent and rigorous the approach is). While some elements of good regulatory practices are, to an extent, directly observable relatively easily (e.g. the existence and level of uptake of a consultation mechanism), it typically requires more expert investigation to assess the degree to which risk is actually and rigorously taken into account in regulatory policy. Looking into the application of risk at the regulatory delivery stage is even more painstaking, for high-level statements of delivery institutions do not necessarily match practices “on the ground”, and the number and variety of institutions involved is considerable. Still, in this edition of the Regulatory Policy Outlook, we attempt a first, preliminary and tentative stock-taking of the current uptake of risk-based regulation, both at the regulatory design and delivery stages.
To this aim, the OECD Secretariat developed pilot questions on “risk and regulation” that were sent to participating countries along with the iREG survey that forms the core basis of this Outlook. While limited in details, and not reflecting an in-depth assessment, they provide a first glimpse of the degree to which different countries acknowledge the importance of risk in the regulatory process, and effectively follow-up at least for some areas of regulation. The survey questions also look into the application of risk assessment and management in the COVID-19 context. In this initial pilot, the survey looks primarily at the breadth of application of risk-based approaches, i.e. at whether they exist and are applied in a given country and, if so, across all of government or only in some sector(s). Looking at the depth of implementation would require additional research work, and the chapter will only provide some snapshots of specific cases.
In addition, to provide an initial view of the “delivery” stage, the Secretariat gathered data on regulatory inspections and enforcement staffing resources in as many OECD member countries as possible, focusing on selected regulatory functions that are particularly prominent in terms both of public perceptions and of actual share resources. These provide a first indication, not only of the importance of the issue including in terms of public expenditure, but of the degree to which regulatory delivery systems differ in the relative weight given to different risks (ratios of resources between different functions vary from country to country), and in the overall importance they give to regulatory enforcement (ratios of enforcement resources to population, businesses, etc.). Again, this is by no means an in-depth research of the variety of regulatory delivery practices in regard to risk, but reflects the broad situation at the strategic level (resource allocation).
Risk and regulation implementation: challenges in data collection, large variations in approaches
As reported in the opening section of this chapter, responses to the iREG survey provide a first glimpse of the uptake of risk-based regulatory approaches, and overall show that less than half of the surveyed countries report having any form of risk and regulatory strategy, while around ¾ of them use risk assessment in some way during regulatory drafting, but only around 1/3 have a requirement to quantify risk in such a process. Such high-level survey data is limited to formal rules and processes, and does not allow to assess implementation of risk-based approaches.
Properly assessing whether risk-based approaches are reflected at different levels and steps of regulatory delivery requires an in-depth investigation of each institution or service, and of the applicable regime for approvals and licensing, inspections and enforcement, etc. While the OECD’s Toolkit for Regulatory Inspections and Enforcement (OECD, 2018[22]) provides a framework for conducting such work, it would require considerable resources to systematically conduct in each country included in this Outlook, even were we to research only selected regulatory areas. Instead, in this section we briefly report the preliminary results from an analysis of available data on regulatory inspections and enforcement resources. Indeed, such work has the first benefit to highlight the importance of the regulatory enforcement function in terms of public administration staff (and thus of budgetary resources). In addition, it allows to compare both between regulatory areas (how different risks are “weighted” against each other at the strategic level of resource allocation), and between countries (how much “intensity” of regulatory enforcement is deemed adequate to deal with a given set of risks).
In spite of data on employment in public administrations being generally public, many countries, institutions or services do not keep specific track of inspectors or staff with inspection powers and functions, or do not have consolidated information on all the institutions involved in a given regulatory field. This is made particularly complex because, in a number of countries, general and/or specialised police and law enforcement bodies also have inspection powers and mandates, though only a part of their staff is actively involved in such activities. Obtaining precise data on this point is sometimes impossible, and doing estimates is not always possible. The complexity of regulatory delivery systems where national/federal, state/regional, local/municipal services all can be simultaneously active in a given field makes the task even more challenging. So does the fact that a given regulatory area can be covered by several services, but also that one given service or institution can be, in some countries, active across more than one regulatory field – in which case estimates of resource allocation between these different mandates is not always available.
The preliminary results of this work (see Table 6.1) show several important points. First, the resources at stake are often considerable, representing quite a significant share of overall state employment and resources, and deserve more systematic attention than has often been the case. Second, the allocation of resources can differ sharply between different regulatory fields, without clarity on whether this reflects a proportional difference in the supervision workload or in the underlying risks. Third, there are sharp variations in “intensity” of supervision in terms of number of inspectors by inhabitant, worker, or enterprise, even between neighbouring and otherwise comparable data. This all shows the importance not only of continuing such research and covering more countries and regulatory fields, as well as obtaining more detailed data, but also for countries to conduct such exercises periodically and systematically to review whether the institutional framework and resources are still fit-for-purpose.
For these reasons, the study has so far been unable to present full data for all OECD members, and even when data is available in some areas, it is not always present for all. To make the research more realistic in scope, the focus has been on food safety, occupational safety and health (OSH), and environmental protection. If we set aside revenue agencies (which have been largely covered through research and OECD literature), these are typically the most important regulatory fields from a “delivery” perspective, be it in terms of number of controls conducted, enterprises regulated, staffing, financial resources – or public perceptions (Blanc, 2012[23]).
As seen below, the allocation of resources can differ sharply between different regulatory fields, without clarity on whether this reflects a proportional difference in the supervision workload or in the underlying risks (e.g. there are from 2.5 to over 20 times more food safety than environmental inspectors, depending on the country). In addition, there are sharp variations in “intensity” of supervision in terms of number of inspectors by inhabitant, worker, or enterprise, even between neighbouring and otherwise comparable countries (Austria has significantly more than Germany, Italy has way more than Germany and France, etc.). This all shows the importance not only of continuing such research and covering more countries and regulatory fields, as well as obtaining more detailed data, but also for countries to conduct such exercises periodically and systematically to review whether the institutional framework and resources are still fit-for-purpose.
This situation, combined with other research on specific countries, regulatory areas, etc., suggests that path dependency is important, and that there is a lack of regular, systematic reconsideration of the risks addressed by regulatory delivery structures and resources (Blanc, 2012[23]); (Blanc, 2018[19]). This has contributed to extremely complex, convoluted institutional landscapes (as directly observed when collecting the data, the difficulty of which came precisely from the vast number of institutions with overlapping or mixed functions, frequent unavailability of precise numbers on inspecting staff, etc.), and made resource allocation and expenditure very difficult to track and assess, and mostly unrelated to risk analysis or assessment. From this perspective, the path towards truly risk-based, risk-focused, and risk-proportional regulatory delivery is still a very long one. Nonetheless, important progress has been made, and major initiatives taken in recent years to improve the situation, which are detailed in the following section of this chapter.
There are many reasons why the uptake of risk-based regulation principles in policy making and regulatory delivery is far from universal, and implementation often incomplete. This is due to a variety of factors, including resource and capacity constraints (changing regulatory approaches requires expertise and skills), but also public perceptions, and legal systems (Rothstein, Borraz and Huber, 2012[24]); (Rothstein et al., 2017[12]). Public perceptions (both those of the “general public”, of the media, and of decision-makers in the political and economic spheres) can create considerable difficulties for risk-based approaches – both in terms of accepting the idea of “less-than-complete” protection from harms, of assessing and weighing risks, and of accepting proportionality in risk-response. This has been covered extensively in important publications, including on the risk of “knee-jerk” responses to major accidents or emerging hazards (Blanc, 2015[25]); (Balleisen et al., 2017[26]), the psychological determinants of the risk response (Tversky and Kahneman, 1974[27]); (Weyman, 2016[28]); (Burgess, 2019[29]), the variations in risk perception between experts and general population (Fischhoff, Slovic and Lichtenstein, 1982[30]); (Slovic, 1986[31]); (Flynn, Slovic and Mertz, 1993[32]), and the possibility to engage the public to try and make risk perceptions and response more “nuanced” (Helsloot and Groenendaal, 2017[33]).
While engaging with public perceptions and opinion requires a complex and longer-term approach, there are shorter-term issues that governments can try and address to “unlock” the potential benefits of risk-based regulation. In particular, there are useful examples of how governments can work to overcome doubts and resistance from regulatory institutions to risk-based approaches (Box 6.1). Indeed, many institutions may be reluctant to adopt these or even downright hostile, because of a variety of issues: cultural resistance in institutions with a strong “risk-averse” or “safety at any cost” culture, public pressure (or fear of public pressure) making regulators wary of being seen as at risk of “regulatory capture” or “softness”, path dependency and scepticism towards change (sometimes driven by past, disappointing experience), lack of tools and resources. Simply “legislating from above” to promote risk-based regulation, while important, does not usually succeed in achieving practical change if such engagement work with regulators is not done effectively.
Political support
International experience shows that policy makers’ commitment and support is essential to adopt the legal and institutional changes needed to introduce risk-based regulations. A paramount example is the first phase of the inspections reform in Lithuania (2008-2012), where the Prime Minister at the time, as well as the Ministries of Economy and Justice, provided strong political support. Similar examples on the need to have champions with strong political clout in public administration can be found during the regulatory reform process in Mexico (Comisión Nacional de Reforma Regulatoria, CONAMER, and Agencia de Seguridad, Energía y Ambiente, ASEA) and in Bogotá (Inspección Vigilancia y Control, IVC system), or in the Netherlands with regard to the preparation and adoption of an Internal regulation on the position of inspectorates.
Capacity-building
Experience demonstrates that training enables understanding and adherence to risk-based enforcement systems into inspections’ models with positive outcomes for regulatory delivery. When inspectors adopt a risk-based approach and start providing advice to businesses, the number of non-conformities and incidents decreases. Well-educated and well-trained inspectors are capable of providing useful advice to businesses and ultimately promote compliance and risk-management. Training in, and improvement of, the inspectors’ social competencies is considered as an essential dimension of reform experiences in Australia, Bogotá, the Netherlands and the United Kingdom.
In Bogotá, Colombia, an initiative to promote world-class practices on inspections was launched between 2016 and 2019 in order to boost public confidence in the government. The initiative comprises in particular risk-based inspections planning, the establishment of an IT platform and a capacity-building programme on the following topics: risk-based methods, decent treatment of entrepreneurs, service to citizens, resolution of conflicts, transparency, rights and duties of inspected subjects and technical processes during the conduct of inspection activities.
In the Netherlands, the set-up of the Academy for Supervision aims at introducing a generic training programme for inspectors to strengthen the harmonisation of inspection practices. Risk-based enforcement lays at the core of the training. The philosophy of the approach is to concentrate on understanding of risks and on how to respond to, and handle them.
Source: (World Bank Group, 2021[34]).
In the United Kingdom the 2008 and 2014 Regulators Codes provided the legal basis for the so-called “Primary Authority” scheme (see Box 6.8), which enables businesses to receive advice from inspectorates on how to meet regulation through a single contact authority. The whole approach underlying Primary Authority relies on a high level of professionalism of inspectors, and in particular on them having fully internalised (and being fully proficient) in risk assessment and management. It also requires inspectors to know how to work with businesses in a co-operative way, how to explain and convince – but also how to investigate and spot hidden problems. The foundation of this approach is that inspectors (regulators) need a set of “core skills” (related to risk-based regulation and regulatory delivery) in addition to specific technical skills depending on their domain of activity. These core skills are organised in several groups, including “risk assessment”, “understanding those you regulate”, “planning activities”, “checking compliance”, “supporting compliance”, “responding to non-compliance” and “evaluation”.
Source: OECD Secretariat interviews and research.
Beyond working on perceptions and culture change through engagement with regulators, it is also often indispensable to establish legal foundations for risk-based regulation through enabling legislation. In some cases, existing legislation and constitutional principles may make risk-based approaches difficult or impossible to apply without specifically authorising clauses in law (Rothstein, Borraz and Huber, 2012[24]); (OECD, 2015[11]); (Rothstein et al., 2017[12]). In others, such “horizontal” legislation is used not so much to make risk-proportionality possible as to push it further, introducing directly applicable provisions or mandating regulators to introduce e.g. risk-based targeting or risk-proportional enforcement, etc. Box 6.2 presents some diverse examples of “enabling” legislation for risk-based regulation.
Lithuania: Law on Administrative Procedures 2012
An inspection reform towards a risk-based approach was implemented in Lithuania since 2008, which involved changes to adopt strong and legally binding instruments to inspections’ practices. The amendments to the framework law included a risk-based approach to inspections, the means to make it possible, and a balance between inspectors and inspected subjects, by foreseeing their respective rights and duties.
Three key documents were adopted: i) Amendments to the Law on Public administration; ii) Governmental Decree 511 on the inspection reform; iii) Guidelines on various tools of the reform (on development of guidance tools, of performance indicators for inspectorates, etc.). The legal foundations for the reform were set first by a Government Resolution of May 2010 (subsequently amended and strengthened in 2011 and 2012), and by the adoption of a set of amendments to the Law on Public Administration at the end of 2010 – in particular the introduction a new chapter on “Supervision of Activities of Economic Entities”. The provisions of the chapter on supervision are considered as best practice, as they apply to all regulatory areas and emphasise provision of guidance and of assured advice to regulated subjects. One of the innovations of the law is the concept of “supervision”, which comprises provision of consultations, inspection visits, analysis of available information (for risk assessment etc.), and enforcement measures. The amended Law on Public Administration provides for risk assessment and risk focus as foundations for inspections. In addition, the law includes guiding principles such as strict proportionality of inspection and enforcement measures, neutrality and transparency, inspectorates’ obligation to provide advice and assistance to inspected subjects, among others.
Source: (World Bank Group, 2021[34]).
Mexico: National Commission of Regulatory Improvement (Comisión Nacional de Mejora Regulatoria, CONAMER)
Following a constitutional reform establishing that authorities at all levels of government must implement regulatory improvement policies to promote the simplification of formalities, regulations, procedures, and services, among others, the General Law on Regulatory Improvement enabled the transformation of the Mexican Federal Commission on Regulatory Improvement (COFEMER, for its acronym in Spanish) into the National Commission on Regulatory Improvement (CONAMER) as the Regulatory Improvement Authority in 2018. CONAMER’s main mandate is to promote transparency in the process of issuing and implementing regulations, with the ultimate goal of ensuring that regulations create benefits for society that outweigh their costs (OECD, 2018[35]).
In 2019, through the “AC-004-08/2019 Agreement” CONAMER approved an updated regulatory policy for the following years. Regarding inspections, the Agreement foresees that new mechanisms should be implemented to enhance greater co-operation between citizens and authorities. Likewise, it was stated that new tools should be introduced enhance the rationalisation and legality of inspections by means of rigorous risk-based regulatory methodologies, the implementation of better regulation principles and the strengthening of public trust (Source: Acuerdo CONAMER 004-08/2019).
In January 2020, a “New Law for the Promotion of Citizen Trust” was approved to introduce the bases for the development of a risk-based inspection system. According to the law, CONAMER must assure that risk-based planning methods are developed so as to determine the purpose and frequency of inspections based on risk analysis. The law specifically foresees that risk analysis must consider both intrinsic risks and the business ‘trajectory’. CONAMER is working on the development of an information system to support the implementation of the risk-based approach (OECD, 2020[36]).
Slovenia: Inspection Act 2014
In 2002 Slovenia adopted two framework laws, the Civil Servants Act (CSA) and the Inspection Act (IA), accompanied by specific laws regulating each regulatory delivery area. The IA provided common rules to be applied by all inspection bodies and specific principles of the new approach to inspections – in particular proportionality (selecting the measures to be applied against the objectives being pursued), preventive approach, transparency (informing in a timely fashion the public on findings and measures applied during inspections), the possibility to conduct extraordinary inspections to businesses when needed based on risk, and efficiency of inspections. In 2014 a number of amendments to the IA were adopted to enable a more rational (evidence-based, risk-based etc.) inspection system. Based on IA and on the principles introduced through it, specific inspection acts were further adopted to regulate different inspection areas. The Inspection Act provides now for additional/complementary elements needed to strengthen the foundation for a risk-based approach to regulatory delivery: risk identification, efficiency of inspection bodies, risk-based inspection planning, among others.
Source: (World Bank Group, 2021[34])
United Kingdom: 2014 Regulators Code
In Great Britain, the 2014 Regulators Code (which replaced the 2008 Regulators Compliance Code) sets a number of key principles for regulators to follow, including risk-focus and risk-proportionality, the emphasis on providing guidance and advice to promote compliance, the need to always consider the social and economic effects of regulatory decisions and to look for the enforcement decision that will help businesses grow. Among other elements, the 2014 Code (and the 2008 Code before this) also provides the legal basis for the “Primary Authority” scheme, which enables businesses to receive advice from inspectorates on how to meet regulation through a single contact authority (see Box 6.8). The scheme is based on a risk-based approach that allows inspectorates to promote regulatory compliance. The code also included the common inspiration for the way such Authority scheme works and empowers the Office for Product Safety and Standards to manage it.
Source: OECD Secretariat desk research.
The uneven and less-than-fully-consistent spread and application of risk-based regulation does not mean, far from it, that there has not been significant progress in recent years, or that there are no worthwhile innovations to report on. In fact, there are many important initiatives that can provide very useful examples of how to apply risk-based approaches concretely and effectively, how to facilitate their use, and how to apply them in innovative ways. Moreover, there also has been a consolidation in knowledge, with increased sharing of experiences, an increased number of good-practice examples, and further development of international guidance (in particular (OECD, 2018[22])). Significant advances in computing power (and decrease in computing costs) have also made the application of risk-based analysis and planning far easier, compared e.g. to a decade ago.
In this section, we thus look successively at improvements in the use of data for risk-based regulation and specifically regulatory delivery, at the use of risk as a guiding principle to make regulation more outcomes-focused, and at the application of risk in the COVID-19 context (including the actual and potential application of digital technologies e.g. for remote surveillance and inspections).
Implementing risk-based regulation through better use of data
The very foundation of risk-based regulation is the reliance on data, because risk should be assessed in an objective, data-driven way, as much as possible. In past years, availability of data has often been issue for more systematic and thorough risk analysis, in particular when it came to applying risk-based planning to regulatory inspections. Indeed, detailed data on entities and establishments under supervision was often not available, or not digitised, or not updated, etc. Different services held parts of the relevant data, and were not communicating. Findings from inspection records were frequently impossible to analyse systematically to update risk assessment methods because they were paper- or text-based, or insufficiently detailed, etc. Digital government developments, progress in computing power and methods, spread of technology and skills, evolution of systems in public administration etc. have led to a situation where these constraints are much reduced, and both “already known” good practices can be taken up more widely, and new, innovative practices can be implemented successfully.
Earlier reviews of international practice had already allowed to define objectives for information systems to enable risk-based inspections and enforcement (OECD, 2014[37]), and to establish desirable key elements for inspections information management systems, as well as essential implementation requirements etc. (Wille, 2013[38]); (OECD, 2015[11]); (Mangalam, 2020[39]). Ideally, such systems should provide updated data needed for risk assessment and planning on facilities, businesses and activities, and allow targeting and prioritising the selection of businesses subject to inspection in line with their risk level. They should enable recording of inspection results in a way that makes further analysis and follow-up easy and automatable. They should also either rely on a single data repository for multiple services, or enable and facilitate data exchanges between them, and offer support for reporting, performance monitoring, etc.
Recently, several jurisdictions have introduced or further developed information systems which address all or several of these requirements, in ways that correspond to the applicable context and constraints. A selection of such systems is presented in Box 6.3.
United Kingdom: “Find it”
The Health and Safety Executive (HSE) is a regulatory delivery agency which conducts inspections and promote inspections with a risk-based approach and methodology (see Box 6.7). In order to improve its regulatory targeting capability, so as to secure the greatest impact on reducing work-related risk, HSE developed a web application called Find-It, which enables authorities to make better use of data, demonstrate accountability, deploy resources optimally and improve their overall efficiency (Source: Find-It flyer, HSE). Inspectors no longer have to self-select sites – i.e. spending time looking at lots of different data from various sources to identify high-risk premises which they will inspect. A variety of algorithms match: GIS information about the site location, the numerous names used by a business, regulatory and administrative data about a business kept in various databases within and across organisations. The risk for facilities is calculated, whenever needed, based on indicators, such as past enforcement measures, time since last inspection, accident records, etc. Decision-making on targeting is partly centralised by HSE intelligence officers. One such officer provides directions to around 350 inspectors to choose the best options for actions in areas and with facilities posing the highest risk. It also enables choosing when to combine HSE inspections with those of other inspectorates.
Source: (World Bank Group, 2021[34]).
Italy: information systems for regional inspection services
At the core of Campania Region’s reform on food safety inspections lays a risk-based IT System called GISA (Gestione Integrata Servizi e Attività, see http://www.gisacampania.it/). Currently, it supports risk assessment of businesses and locations/facilities for the purposes of inspection planning. It automatically calculates risk levels based on risk models using the results of controls and checklists. Risk levels are periodically reviewed depending on the type of activity and “surveillance” inspections. ‘Surveillance’ means a technical method of examination that focuses of the structural, managerial, and contextual aspects in order to assign a risk level to the business and facility/location. Non-compliances found in inspection visits are also recorded into the System, and used as an additional indicator in “surveillance” inspections when determining risk levels. GISA is used not only by the food safety and veterinary services of the region, but also by the Carabinieri units in charge of sanitary surveillance, providing a first step at data integration. The system is “free to reuse” for all Italian public institutions, and its adoption is considered both by other regions for food safety inspections (Valle d’Aosta and Liguria), but also by both national and regional services for environmental protection.
In the Autonomous Province of Trento, a unified platform to register and plan inspections has been developed over the past 3 years, called the RUCP (Registro Unico Controlli Provinciali, Unified Registry of Provincial Controls). Right now, the RUCP is operational for a couple of services only, but provides early support for “mobile inspections” (pre-defined check-lists used on tablets). At its core is a single database where, eventually, the results of all inspections will be accessible to all services, at least in aggregated form, and help them avoid duplication and increase their “intelligence” on establishments, thus updating and refining their risk analysis. In addition, a module is under development to support risk-based analysis and rating of establishments, and support risk-based planning, which will start being operational in 2021.
Source:; (OECD, 2021, forthcoming[40]).
Netherlands: creating an interface and interconnection between all inspection systems
Inspection View, initiated in 2013 and developed for different sectors, designates a virtual platform in which inspectors can consult information on inspection objects. Such information is available in data systems of other inspectorates they use to conduct inspections and record inspection outcomes, and Inspection View is an integration platform which enable data exchange and horizontal co-ordination between the inspectorates. The leading idea behind the solution is that inspection and enforcement should be carried out from the perspective by government as a whole, and not by individual inspectorates. Inspection View enables national, regional and local inspectors to consult each other’s data on inspection objects, being now used by over 500 inspectors. It is developed as a government-owned platform, with outsourced maintenance and support.
The external information systems are used to support conducting risk assessment, inspection scheduling and collecting inspection outcomes. Than the information from all external sources is presented to the user of Inspection View in an integrated file. Since no data is duplicated, the user always gets the most recent set of data. With Inspection View inspection results can be analyzed for a particular object, or can be exported as a bulk data to be analyzed using some external software (e.g. Excel). Two versions of Inspection View are being developed: a generic version, accessible to all inspectors, and specific versions for inspectors in co-operative networks, with access only for participants in those networks. Until today, three versions of Inspection View have been developed: Companies, Environment and Inland Shipping Inspection View. The Inland Shipping Inspection View has proven to be very successful, as all inspection authorities participate in the System.
Source: World Bank Group (forthcoming 2021), Publication on Integrated Inspections Reforms; https://www.ilent.nl/onderwerpen/toegang-tot-inspectieview/documenten/publicaties/2019/1/31/gebruikershandleiding-inspectieview.https://www.ilent.nl/onderwerpen/toegang-tot-inspectieview/documenten/publicaties/2019/1/31/gebruikershandleiding-inspectieview.
Slovak Republic: The Financial Reliability Index
The Slovak Financial Administration was created in 2012 through the merger of the former Tax Administration and Customs Administration. In 2018, the Administration has started to use a new “Financial Reliability Index” to support risk assessment. The conditions for the functioning of the Index were created in 2018 through an amendment to Act No. 563/2009 Coll. on tax administration. The risk assessment of supervised entities is based on an internal automatic analytical tool. It allows to identify “reliable” tax entities for which the periodicity of tax controls is reduced, and improve targeting of excise tax controls.
Source: research by the OECD Secretariat.
Another way, in which data management and use can be considerably improved by technology, and lead to improved regulation of risk, is the analysis of existing data. While revenue agencies had long started to systematically use data analysis techniques to identify risk indicators and their relative importance, this had until recently been difficult to replicate for non-revenue inspections (Khwaja, Awasthi and Loeprick, 2011[5]). Data was insufficiently digitalised, too complex, or on the contrary too narrow – or historical records were insufficiently long, as new systems had been introduced too recently. In some cases, data systems with historical inspection records existed earlier, but their scope was narrow. Specific staff competences and capacity were also often missing. The rising understanding of risk-based regulation and of the importance of accurate risk-assessment (as opposed to relying on “traditional” assessments of where priorities lay) have opened the way for a more systematic, data-driven approach. In spite of remaining challenges in terms of assessing the “severity” dimension of risk, recent Machine Learning applications are very promising in terms of significantly improving the understanding of which characteristics of businesses and establishments are the best predictors of risk, and thus considerably improve the effectiveness of risk-based targeting (see Box 6.4).
While defining risk abstractly is relatively straightforward, developing robust methods to predict the level of risk of different businesses or establishments is far more difficult. Until recently, challenges in data availability and methods for analysis meant that defining risk criteria and their relative weights based on “data mining” or similar mathematical approaches was mostly reserved to tax and customs inspections (where the objects of regulation and control are inherently numerical, and computerisation was done earliest and in the most systematic way) – in technical, safety and similar fields, risk identification and weighting was done through a combination of scientific and technical findings, regulators’ experience and “trial-and-error”, but in a much less systematic and precise way.
The spread of information management systems to record inspection results, and thus the increasing availability of detailed historical data, combined with advances in data processing power and analytical tools (e.g. machine learning) now make it increasingly possible. In Italy, the regions of Trento, Lombardy and Campania are currently piloting the use of Machine Learning for risk assessment. Based on historical data analysis, the system can identify which characteristics are the best predictors of risks, which helps make risk-based planning of inspections far more precise and reliable. In Lombardy, the work focuses on occupational safety and health, in Trento the analyses covers labour law inspections, and in Campania food safety controls.
In addition to such work to better assess “operational-level” risk, work at the “strategic level” is also increasingly data-driven. In 2017, Canada’s CFIA launched a review of its risk management model in order to ensure the allocation of resources where it can have the greatest impact on reducing risks. The first challenge of the model is to enable comparison among different kinds of risks, which entails converting different types of risks into comparable data. Based on this, the Agency is able to consider trade-offs among all of them, across different organisational levels This work has entailed considerable efforts to gather and consolidate data from all parts of CFIA’s work.
Along similar lines, the Risk Assessment Directorate of Environment and Climate Change Canada has developed the Threat-Risk Assessment (TRA) model, based on a large review of available data to estimate the probabilities and potential impact of known sources of harms for the environment. Data is gathered from the industry, government partners and, international actors. Outcomes from the strategic risk assessment are used by the Climate Change and Environment of Canada for project planning and allocation of resources. Likewise, it is shared with enforcement officers to inform their work.
Notes: on the experience in tax inspections targeting see (Khwaja, Awasthi and Loeprick, 2011[5]) (OECD, 2004[41]) (OECD, 2009[42])
Source: (OECD, 2021, forthcoming[40]), direct interviews with and presentations from CFIA and Environment and Climate Change Canada.
Beyond the definition of risk indicators and risk assessment algorithms, up-to-date and reasonably comprehensive data on supervised entities is essential to ensure that targeting of regulatory control measures (inspections and enforcement) is really based on risks, and that regulators can react in a timely and effective way when new risks appear or accidents occur. To this aim, it is essential that regulatory agencies have adequate data management tools, and that they share data with each other as much as possible. Data sharing between regulators and other entities (non-regulatory, such as e.g. health-care providers or private certifiers) is likewise important to improve the effectiveness and efficiency of the entire regulatory system. In a number of countries, such improvements in data-sharing are made difficult by privacy regulations, or by the way in which they are interpreted and enforced. Given the importance of the issue in terms both of efficiency and effectiveness, it appears crucial to promote further research and experience sharing on good practices that allow to effectively protect individual privacy, but allow essential information to be shared by regulatory services, particularly about economic entities (and not relating to private persons). Furthermore, much of the information, which is important to improve risk analysis and assessment and might have privacy implications (like, say, health care or accidents data) can be anonymised fully before any analysis, as what matters for studying risk in that case are not the individual cases but the patterns.
New technologies make such data sharing and effective analysis increasingly easy, and some initiatives can be used as particularly valuable examples (see Box 6.5). These can include the use of a centralised database and common system by a number of regulators and possibly by health-care providers too, or tools to exchange information in an automated way between different systems. Sharing information between different regulatory agencies allows them to ensure that data on supervised entities is as up-to-date and comprehensive as possible, and also to avoid duplication of control activities. Information sharing with the healthcare system allows regulatory agencies to better assess the emergence of new risks and evolution of known ones, and thus target their interventions better, both in terms of which establishments they visit, and which industries, products, etc. they focus on. For instance, systematic reporting from health care institutions on accidents due to failures in product safety, or food-borne contaminations, can greatly improve the ability of regulatory agencies to target their activities (and does not need to convey any personal, sensitive data – as what matters for risk assessment are patterns of cases, not individual specifics).
In addition, data sharing agreements e.g. with private certifiers active in areas of interest to regulators (for instance food safety) can likewise allow to have more comprehensive and updated information on sectors with vast numbers of operators (like food). Finally, the use of “non-traditional” data sources such as social media or reviews from e-commerce sites can help assess food safety or product safety risks. Using such sources requires automation to handle vast amounts of data (machine learning), but can be both effective and cost-efficient,7 and provides information that is broader and more timely than regulatory bodies themselves can obtain through traditional methods such as inspections.
A number of Italian regions and institutions have, in recent years, worked on improving data sharing, analysis, and usage, to reduce the burdens and inefficiencies created by duplications and lack of co-ordination between different services, and better support regional economies.
In Lombardy, the Mo.Ri.Ca system for risk monitoring in construction sites uses data emerging from notifications, surveillance and accidents (collected via Impres@BI) and estimates the risk level of a given site on this basis. Risk criteria and weights, previously defined empirically, are now being improved through Machine Learning (cf. Box 6.4). The key strength of the system is that it integrates data from a number of sources, including notifications from the health care system, and considerably improves risk management at a very limited cost.
In Campania, in addition to the existing GISA system to plan and manage all food safety inspections, the region partnered with the University of Naples Parthenope to develop MytiluSE, a system to predict the quality of waters so as to secure safety of mussels produced in the bay of Naples. Rather than expending large resources on ex post controls to find potential contamination, the system works pre-emptively, enabling to know which days the harvesting of mussels would be unsafe. Once fully operational, it can both inform producers and guide inspectors’ work. Developing the system involved investigating the currents of the bay of Naples, mapping contamination sources, and developing a reliable predictive model, but it is potentially completely transformative for regulatory delivery. It was also adapted to predict air pollution by fumes, which can affect feed for bovine herds. The predictive approach for mussels is not only better for the economy and public service efficiency, but it also avoids health hazards far more effectively, because microbiological testing and sampling takes time, and results can come too late (leading to potential contaminations from other products harvested the same day).
Source: Montella R, Riccio A, di Luccio D, Mellone G, de Vita, C G (2020), MytiluSE: Modelling mytilus farming System with Enhanced web technologies, Università degli Studi di Napoli Parthenope, Sciences and Technology Dipartiment, commissioned by Campania Region, Unità Operativa Dirigenziale Prevenzione e Sanità Pubblica Veterinaria (presentation) – for other cases: (OECD, 2021, forthcoming[40]).
Outcomes-focused instead of process-focused regulation
Although increasing work is being carried out in institutions, processes and methods that aim to administer, control, and implement regulations so as to better realise risk-based approaches, differences in regulatory delivery styles between one country and another, but also between regulatory delivery agencies within the same country, are still considerable8 (Blanc, 2012[23]); (Hadjigeorgiou et al., 2013[43]); (OECD, 2015[11]). The way their goals are devised – some stressing control of legal compliance and punishment of non-compliance, whereas others focus on risk mitigation or improvement of public welfare – are among the most ubiquitous differences. The latter aim at meeting public outcomes rather than processes and/or formal conformity. Outcome-focused regulation is another aspect of risk-based regulation – because risk is the indicator through which outcomes can be defined and measured, and thus the criterion used to prioritise actions and take decisions, rather than focusing on rigid processes.
While the use of outcome-oriented approaches has gained a growing profile, work is still needed to change what still seems to be the prevailing perception that these approaches are an alternative to traditional command and control schemes, rather than something that should be used in delivering regulations. This is an overly restrictive perspective of what outcome-focused approaches, and regulatory delivery, are about. In fact, approaches, methods, and tools focused on achieving regulatory outcomes are at the core of efforts to make regulatory delivery more effective, and efficient.
In practice focusing on outcomes entails an actual paradigm shift from a traditional conception of regulatory enforcement based on finding and punishing violations towards a understanding of regulatory delivery where the primary and ultimate purpose is the protection of safety, health, the environment, and other key elements of the public good. Implementing this approach relies heavily in promoting meaningful compliance – i.e. compliance that actually helps achieve regulatory goals – including by regularly using behavioral insights. It also requires i.a. effective risk communication and information to regulated subjects, development of, and investment in, methods and tools focused on delivering expected outcome, and adequate measurement of the level of protection of the relevant public welfare good. Regulated subjects should not be expected to know everything about what to do and how, but are to be guided, advised and informed. Finally, focusing on outcomes is inherently connected to having the right performance indicators and metrics – not measuring outputs or sanctions, but tracking the outcomes in terms of improved performance, reduced risks etc. (Blanc, 2018[44]); (Blanc, 2021[45]).
Some regulatory delivery agencies see as one of their main functions to support regulated subjects as risk creators in managing the risks they generate. This involves working in partnership with all stakeholders able to produce sustained change. Inspectors in Britain’s Health and Safety Executive have long relied on an approach where law is the last resort and whereby they seek to engage with regulated businesses and push them towards safer practices through a variety of behavioural tools (i.e. personal relations, advice, comparisons with others, indication of potential risks and costs, hints at possible sanctions etc.) (Hawkins, 2003[46]). Results show better outcomes (in terms e.g. fatal and major accidents) than before the change of approach and/or in other sectors not using this new approach to the same extent.9
A decade ago, Britain’s Health and Safety Executive issued the Enforcement Management Model, a detailed guidance of how inspectors should take enforcement decision based on risk assessment, compliance record of economic operator, specificity of rules etc.10 A number of other inspection and enforcement services in various countries have developed and adopted principles or guidelines regarding their enforcement approach. Guidelines of this sort will be essential, going forward, to enable regulatory systems to cope with complexity and change, and situations “on the ground” that may be increasingly be difficult to fully forecast at rulemaking-stage. In a positive development, some countries are seeking to make such approaches and guidelines more consistently used across regulatory areas (see Box 6.6).11
The RAC project in Italy, funded by the European Commission and implemented by the OECD, aims at supporting regional and national governments in improving the business environment and investment climate and the efficiency of the use of public funds through improved regulatory predictability and confidence, and reduced burden on lower-risk activities. To achieve better outcomes in regulatory delivery, inspection methods and practices on the ground are being transformed, consistency of inspections improved, and efforts towards clearer and more understandable regulatory requirements for business operators undertaken.
One key tool to achieve this goal is work on risk-based checklists for inspections, which are being prepared in different regulatory areas so as to ensure development and consistency in methods, and to make a valuable contribution to improving matters in terms of outcomes. New checklists are being adapted to regional realities. They include a risk-based scoring system, and their results are being linked to an update in risk rating. By including the “static” risk of the establishment, its “dynamic” risks (actual risk management, such as the use of HACCP in food safety), and its compliance history (including measures imposed by inspectors because of violations leading to immediate risks), they yield a comprehensive picture of the establishment in terms of actual level of risk, and of most significant elements that need to be addressed to achieve the desired outcomes in terms of regulatory goals.
Source: internal OECD research – (OECD, 2021, forthcoming[40]).
Because the implementation of a more outcomes-, risk-focused approach entails important technical and professional dimensions, many prominent and successful initiatives are made in a specific sector or regulatory agency, rather than in a cross-cutting programme of reform. Some of the most interesting examples are presented below in Box 6.7, and typically include a variety of complementary tools and interventions to make the regulatory delivery work more effective and efficient.
United Kingdom: Health and Safety
The Health and Safety Executive (HSE) is a non-departmental (i.e. not directly part of the Ministry’s services, but autonomous) public body reporting to the Department for Work and Pensions with the core purpose to reduce work related injuries and ill-health. The HSE collaborates with a range of stakeholders in UK involved in health and safety and share responsibilities for regulatory control with local authorities. The HSE is both a regulator in the rule-setting sense, and a “regulatory delivery” agency, conducting inspections, investigations, developing and providing guidance and advice, and co-operating intensively with the industries it supervises so as to proactively manage and reduce risks. Internationally, the HSE has long been at the forefront of innovation in regulatory delivery methods, in particular in terms of compliance promotion (through guidance, collaboration with industry, long-term engagement etc.), risk-based targeting and risk-proportional enforcement. Risk-based targeting and planning methods are mainly enabled by “Find-it” application, an IT tool developed by HSE to enhance its regulatory delivery task.
Campania Region, Italy: Food safety
Between 2007 and 2010, Campania Region undertook a reform of the food safety inspection system, moving from a regulatory delivery regime mostly focused on deterring non-compliant behaviours to a risk-based system based on the requirements set in the EU Hygiene Package. The reform initiative took place based on a specific regulatory demand, following some major accidents and a breakdown of trust of the private sector and the public (due to insufficient official communication on risks and to the lack of effectiveness of the control activities related to risk management). The underlying systemic problems that prompted the reform initiative were, among others, the lack of a planning system of controls based on risk categorisation.
In order to address these problems, the initiative included a variety of elements supporting risk-based regulatory delivery, i.a. risk-based decision-making (including both risk-based enforcement and inspections planning), inspections processes and procedures, tools (checklists, IT system, etc.), Key Performance Indicators, human resources management, and vertical co-ordination. A main tool towards strengthening a risk-based approach introduced with the reform was the IT System.
As a result, the reform has led to the following: i) classification of economic operators in risk categories and planning of inspection frequency commensurate with the risk level; ii) Improvement of quality and quantity of information provided to the Ministry of Health and the EU, in accordance with applicable rules; iii) Systematic distribution of inspection visits over the territory of the Region; iv) Identification of emerging risks; v) Number of activities performed as defined by relevant objectives; vi) Better human resources management.
Canada and EU Mutual Recognition Agreement on drugs and medicinal products
A Mutual Recognition Agreement (MRA) is a legally binding treaty between the regulatory authorities of the two countries that are part of the agreement. It aims at enhancing international regulatory co-operation and maintaining high standards of product safety and quality, while facilitating the reduction of the regulatory burden for industries.
By the development of MRAs different countries accept the regulatory system of each other as equivalent for a certain type of goods, meaning that products in this category that are cleared for sale in one country will be accepted in the other. This typically applies to goods of a certain level of risk, i.e. for which pre-market approvals (or at least conformity assessment procedures) exist. Pharmaceuticals are one such high-risk area, where MRAs can significantly facilitate reciprocal market access, and thus the development of the sector.
The MRA between Canada and the EU on drugs and medicinal products is built, among other pillars, on the components of the Good Manufacturing Practices (GMP) Compliance Programmes. These components are used to determine the equivalence of the relevant regulatory programmes of both parties. A special chapter is devoted to the “inspection procedures” component, where inspections are grounded on a risk-based approach. This approach ensures that inspections focus on high-priority products in terms of risk posed. Thanks to the use of the risk-based approach and the mutual recognition mechanism, there is no need to duplicate inspections on the same products, and inspections can concentrate on higher priority products. As a result, inspection expenses and resources are reduced, while high standards and high-quality compliance programmes in international co-operation are maintained. This case shows the relevance of risk-based approaches also in a multilateral context and in the perspective of international regulatory co-operation.
Note: see also (OECD, 2013[47]) and (Kauffmann and Saffirio, 2020[48]).
Source: (World Bank Group, 2021[34]).
Compliance with regulations, and subsequent reduction in risks, has been found to be strongly related to the level of understanding of applicable rules and their rationale, as well as to the perceived consistency, fairness, coherence and decision-making transparency of authorities (Tyler, 1990[49]); (Tyler, 2003[18]); (Yapp and Fairman, 2006[50]); (Gunningham, 2015[51]). In addition, day-to-day work in businesses is dictated primarily by the internal rules, procedures and culture, rather than by external regulations, and it is largely to the extent that these internal procedures and culture align with regulation, that the latter is really effectively followed in this day-to-day work (Hodges, 2015[52]); (Hodges, 2018[53]). For all these reasons, regulatory delivery systems that try and increase coherence and consistency of decision making, embedding of regulatory objectives within internal processes and culture of businesses, and understanding of rules by business operators, can deliver important improvements in compliance and significantly improved management of risks. An interesting example is provided by the UK’s “Primary Authority” scheme (see Box 6.8). In spite of constitutional and regulatory arrangements being very different, the approach has been considered with high interest by a variety of jurisdictions, for it combines a number of features relevant to most contexts: need to ensure greater consistency between different regions, to provide more predictability to businesses, to “embed” better regulatory objectives in business internal systems, etc.
“The Primary Authority scheme is firmly rooted in the Better Regulation principles that aim to reduce the administrative burden placed on businesses while promoting risk-based regulation. This involves: targeting inspection resources on high-risk enterprises reflecting local needs and national priorities; offering consistent (in advice and actions) and proportionate (to the risk) enforcement action; performing inspections in a transparent manner where businesses know what is expected of them and the local authority; and promoting accountability so regulatory activities stand up to public scrutiny.”
In the United Kingdom, the majority of inspection and enforcement activities are carried out by local authorities, in some cases in addition to, or in parallel with, national agencies. In a context where vertical and horizontal co-ordination is sometimes missing – in spite of efforts at harmonisation within certain regulatory domains, in particular with national authorities ensuring unified guidance on risk-based regulatory implementation – businesses operating in several parts of the country faced a significant level of variation in interpretation and enforcement of regulations between the different local authorities. The Primary Authority’s is a unique arrangement developed to tackle challenges stemming from the fact that inspections and enforcement were primarily under the local government’s jurisdiction. This arrangement was aimed at reducing complexity, unpredictability (e.g. divergent approaches to risk) and costs for the private sector for firms operating in several locations. The solution pursued to tackle these challenges was to authorise select local authorities with a prevailing (“primary”) role over others. This new governance framework better ensures that Primary Authorities had adequate competence in regulatory work, since only authorities with sufficient skills and resources can become “primary” in a given field.
The scheme has been developed further as a way not only to reduce local variations and ensure nationwide consistency for a given business, but also in order to provide more in-depth, specific guidance to business operators to comply with regulations (assured advice). From the beginning, agreements can cover broad or specific areas of environmental health, fire safety, licensing and trading standards legislation, and the scheme has progressively been extended to cover new areas of regulation.
Source: Excerpt of World Bank (n.d.), The Future of Business Regulation: Case Study: Promoting compliance – and going beyond. Evaluating the primary authority scheme report, prepared for the Local Better Regulation Offices, 2011.
Emerging technologies and risk-based regulation
There has been long-standing interest in the use of new technologies in regulation, and the “risk and regulation” perspective is particularly important here – both because these emerging technologies can help regulation become more risk-targeted and risk-proportional, but also because in the absence of a risk-based approach, there is a possibility of such technologies being misused in ways that result in regulatory overreach and intrusiveness. This can happen e.g. when remote surveillance tools are used too broadly or permanently, rather than strictly in conditions where the risk-level (high) and the risk characteristics (difficult to otherwise control or monitor) warrant it. There is also an additional link between technological regulatory solutions and the COVID-19 crisis, as the need to avoid risk of contagion has led to many regulatory and third-party inspections being suspended, with only the highest-risk controls still to be performed. This has put the onus both on the quality of risk-assessment, and on the potential for developing and using “remote audits”, i.e. using technology to “inspect” without a site-visit.
Remote, “virtual” inspections can potentially save time and resources for regulatory supervision, increasing its efficiency, and its ability to reach remote locations or operate even in difficult circumstances (e.g. during lockdown situations such as imposed by the COVID-19 pandemic). Such virtual inspections involve inspectors reviewing documentary evidence and discussing with operators, but also observing sites through video streams. They are being considered or piloted in a number of jurisdictions and regulatory domains, and raise great interest because they could enable to save transport and staff costs (and environmental impact and time lost from transport), and reduce contamination risks, be it specifically in an epidemic context, or even in normal times for “sensitive” facilities where every extra visitor creates an added risk (see Box 6.9 for some examples). Nonetheless, they also present a considerable number of challenges and pitfalls.
In Finland, the Safety and Chemicals Agency (“Tukes”) has been testing different types of inspections such as Skype inspections. The feedback has been positive and the Agency has plans to further digitise its Seveso inspections. Other authorities participated in the Skype inspection and this gives signs for broader use in the future. While the total duration of the Skype inspection did not differ much from a traditional inspection, travelling costs and time were not needed and the overall process was more efficient (e.g. sending and agenda of the inspection to the operator in advance, compiling the inspection report faster). Further work is needed to investigate whether Skype inspections should be kept for operators with generally good compliance records to prevent misinformation and potential dissimulation of problems that could happen when controls are exclusively remote.
With new urgency because of the constraints on movement and the need to minimise contagion risks in the COVID-19 context, virtual audits and inspections are under consideration or discussion in a number of countries and institutions, or being piloted to test their reliability and applicability. This is particularly important in food safety, because food production and supply are essential activities that cannot be suspended fully, and food safety inspections are both important to prevent food contamination, but also sources of potential risks of contagion. Challenges in doing such checks remotely include the difficulty to spot “hidden” problems, assurance against fraud, requirements for equipment, training and competence of staff in the facility to provide a “remote view”, and of inspecting staff to analyse and challenge the results, etc. In addition, other risks (such as occupational safety and health) cannot be easily observed from outside, and even though they may not strictly belong to “food safety”, they nonetheless can have a major negative impact if left unchecked. Such remote audits or inspections are being discussed or trialled e.g. in Canada and Italy. On the side of private certification, the Global Food Safety Initiative (GFSI) has decided to allow the use of remote audits in certain specific cases and situations (https://mygfsi.com/blog/gfsi-remote-auditing-benchmarking-requirements-updates/): both auditor and audited must agree to use it, the technical conditions must be met, and remote auditing can only apply to a part of the audit but not the entirety of it (thus, it reduces contact while not eliminating it).
Source: (OECD, 2021, forthcoming[54]); direct interviews with regulators in Italy and Canada – GFSI website.
Though they offer interesting potential, virtual inspections are neither without problems, nor a panacea. Effectively assessing compliance and safety of a facility often involves being able to look around and spot “hidden” issues, observing how staff is working over a certain time-span, discussing with different employees, and a host of other observations that would be very difficult or impossible to replicate remotely. Moreover, even assuming situations where most of the risk elements can be readily observed remotely, an effective remote inspection still requires competent and trustworthy operators “on site”, who are able (and willing) to go, film and transmit the aspects relevant for the inspection. This means that authorities need to identify qualified and competent persons from the inspected business to move ahead, and that trust is essential, since virtual inspections may give room for violations that will not be detected if operators intend to misinform inspectors. Finally, authorities need to be quite precise on what data to ask for, which elements, activities etc. should be observed and streamed, etc. On balance, virtual inspections appear to be an interesting new tool, that can be applied in certain well-defined circumstances in terms of need (remoteness/costs, contagion risks etc.), for certain industries and types of risks, and preferably in situations where the authority has grounds to hold the operator for “generally trustable”, i.e. the inspection is more to check that previous positive findings are holding, rather than investigate an unknown or problematic situation. Overall, before such techniques of “remote inspections” can be used more widely, there needs to be further research on the conditions in which they can be applied, on what good practices exist to ensure they are properly risk-based (e.g. applied in lower- or medium-risk settings only, and also designed in ways that ensure potential risk areas “on site” are not missed) etc.
Technological improvements (e.g. remote sensors, drones, satellite imaging etc.) also provide possibilities to conduct surveillance of economic activities and/or of their impact remotely and constantly, without having to conduct on-site or even virtual inspections. This may be extremely useful where the vastness of territory to supervise is an issue, or for cases where damage may be considerable and impossible to prevent otherwise, e.g. to look at air and water pollution (remote monitoring), or conduct remote surveillance of illegal logging, overfishing, poaching etc. This can also be used to provide permanent supervision of key elements of particularly high-risk objects (e.g. structural stability of hydroelectric dams). Such approaches and tools, however, also should be used in the appropriate way, acknowledging their limits and potential problems.
There can be a temptation, based on recent progress in technology, to believe that "total control" is in fact possible - and desirable. This would lead to regulation that would not anymore try to be focused based on risk analysis and assessment, and rely on understanding of behaviour, trust and co-operation with good operators etc. Rather, in this vision of "automated total control", regulatory authorities would exert permanent surveillance using remotes, automated, connected devices. There are several reasons why such an approach is to be avoided, and why - on the contrary - new technologies should be used to make regulation more risk-based and targeted, not less:
Technically, most regulatory areas cover a host of issues of considerable complexity, most of which do not lend themselves readily to remote surveillance (see above on virtual inspections). In this, they are very different from e.g. driving rules compliance, where remote surveillance has rapidly developed in the past couple of decades.
Widespread reliance on remote sensors inside private companies would create huge information safety vulnerabilities.
Large-scale, intrusive surveillance is intolerable from a human rights and civil liberties perspective.
Crucially, given the intent of making regulation more effective, excessively heavy-handed supervision has been shown to backfire because it reduces voluntary compliance and induces resistance on the site of those subjected to it (see Box 6.10).
As indicated in previous sections, interesting experimentations are being done or considered in a number of fields – such as environmental protection, energy networks and mining, food safety etc. In such examples, remote surveillance aims at identifying emerging harms, assessing outcomes and risks, and monitoring critical infrastructure. In the same way, remote sensors can be used to monitor strains on high-risk objects such as bridges, tunnels, or dams. When used as a tool to assess and provide early warning of risks, and cover areas, which are difficult to reach, remote surveillance appears to be a promising and precious tools.
In some fields, however, remote surveillance is used as a direct enforcement tool – e.g. automated cameras for speeding or compliance with other driving rules. Automated, remote surveillance is increasingly used in monitoring compliance with rules for long-distance trucking (particularly international shipments). While these developments can provide interesting ways to improve safety in sectors, where traditional “human” supervision is difficult (transportation being a prime example), they are not without downsides. Indeed, taking automated speed cameras (the most widespread type of remote regulatory surveillance) as example, the impact on compliance and safety appears positive, but to a degree that is highly variable (Pilkington and Kinra, 2005[55]), so that they should be understood as only one element of a broader system, and certainly not a “silver bullet” solution that can work on its own (Ali, Al-Saleh and Koushki, 1997[56]).
In recent years, systems have been developed to measure not only the instantaneous speed of cars, but also their average speed, and thus possibly allow to enforce speed limits on closed roads (motorways) very effectively. The increasing availability and decreasing costs of remote, connected sensors could potentially allow to control remotely cars' speed in a permanent way - but also many other parameters and activities. For instance, a network of surveillance cameras could check who works in a given establishment, whether all workers wear e.g. safety equipment, whether at least some simple safety measures are complied with. Remote sensors could conceivably check at all times whether temperature parameters are complied with.
Increasing reliance on remote surveillance for enforcement purposes rests on the assumption not only that technology will not fail and that it will not be hacked. Both assumptions are very fragile. Thus, it remains in fact just as important to promote voluntary compliance so as to minimise the amount of fraud and enable to focus enforcement efforts on criminal behaviour, while fostering voluntary compliance as much as possible. Relying on a very large number of connected devices linked to the regulator's network also creates major security vulnerabilities. The potential for hacking and misuse of the 'internet of things' is indeed well known and abundantly documented. Another issue is the major negative effect of intrusive technological control and "automated enforcement" on trust, legitimacy of authorities and regulations, and voluntary compliance. As already indicated above, enforcement that is perceived as overly burdensome or hostile leads to a net reduction in compliance, e.g. as observed in tax compliance studies (Kirchler, Hoelzl and Wahl, 2008[57]). Because automated enforcement (particularly if the imposition of sanctions is automatic) is very much at odds with key dimensions of procedural fairness (such as the possibility of the regulated person to have a “voice” in the process, an explanation of the principles of the decision, and a demonstrated attention to circumstances) (Lind, Kanfer and Earley, 1990[58]). The feeling of unfairness experienced, even in minor cases, can be a negative driver of future compliance, and automated surveillance and enforcement eventually weaken the overall regulatory compliance level.
Source: (OECD, 2021, forthcoming[54]); (Mangalam, 2020[39]).
The COVID-19 crisis, both in its health and its economic and social dimensions, has been fundamentally about risk assessment, uncertainty, and risk management. At every step, governments have had to balance different types of risks. First, and most visibly, the direct health risk posed by the pandemic, and the negative economic and social impact (including other negative health risks) generated by “strong” responses such as lockdowns. Here again, accurately estimating the two sides of the risk equation is difficult, because predicting the negative effect of a lockdown may be possible (and measuring it ex post certainly is), but the comparison should not be made with an ideal baseline of “business as usual”, but against the economic crisis created by aggregated individual reactions in a “laissez faire” approach to managing the pandemic (Goolsbee and Syverson, 2020[59]).
In addition, one of the many difficulties of responding to the COVID-19 pandemic has lain in assessing the real extent of the pandemic spread and impact in different countries. Because of the significant percentage of asymptomatic cases, assessing incidence and prevalence is problematic. Very few countries have been able to have a testing coverage and approach (and/or a successful epidemic suppression response) that make the official number of cases likely to be close to the real number. The reported number of COVID-19 deaths is also problematic because of various degrees of under-reporting (deaths at home are typically not recorded, and deaths in care homes often are not – even deaths in hospital may not be recorded homogeneously between jurisdictions). To compensate for this, it is possible to look at the difference in mortality between the relevant months of 2020 and the previous years’ average (Banerjee et al., 2020[60]). Thus, even estimating the most “visible” part of the COVID-19 risk (deaths) is difficult – not to speak of the long-term health effects for non-fatal cases, which will become clear only over time (Halpin et al., 2020[61]); (Mitrani, Dabas and Goldberger, 2020[62]). Thus, in spite of its salience, the pandemic poses a first challenge to risk-based regulatory approaches – through the very high level of uncertainty.
The crisis also highlighted difficulties linked to the public procurement system (OECD, 2020[63]), including linked to co-operation and competition between jurisdictions. From a risk perspective, what is striking is that many public procurement regulatory systems have been built on very strong “risk averse” premises, aiming at excluding corruption risks, or at least mounting strong legal defenses against corruption accusations. Whether such systems have been effective or not at combating corruption is another question, but in a crisis context their rigidity created major problems for many countries – with normal procurement rules being far too slow and burdensome, emergency procurement provisions being either absent or inadequate, etc. (OECD, 2016[64]). In other words, regulations and regulatory processes created to combat one risk (corruption) can end up decreasing resilience and responsiveness in crisis situations and thus worsen the vulnerability to other risks (e.g. health). This is a strong illustration of the importance of designing rules and procedures that are focused, proportional, and tackle risks in the most efficient way possible, to minimise unintended negative consequences (OECD, 2020[65]).
The crisis has also been marked by the difficulty to manage health risks in situations where each side of the possible regulatory decision leads to increasing different elements of risk – rather than being a clean trade-off between costs and safety. The use of virtual inspections to address certain situations where the inspection may be both a way to control risks, and a risk factor (contagion risk) in itself, has been discussed in the previous section (see also Box 6.11) on their use to conduct food safety inspections in crisis context). Beyond this, and with much larger impact, approval and control procedures, created to minimise risks from health-care supplies (such as face-masks or hand sanitizer), or from faulty devices or tests, became at the same time elements of increased risk because they sometimes increased shortages or delayed testing. Managing the uncertainty involved in preparing for potential crises, or in developing the response to a new threat that is incompletely understood, is always difficult. Significant expenditure and measures for a threat that turns out to be disappointing can make it harder to convince citizens of the need to prepare future, and this highlights the need to nurture more “mature” public conversations about risk and resilience, so that broader support can be mobilised and maintained. Insufficient work has been done so far on how to move the public discourse beyond a pendulum swing between “cut wasteful spending” and “panic and blame”. Important contributions were made as part of the Dutch Risk and Responsibility Programme in 2010-15 (Helsloot and Schmidt, 2012[66]); (Trappenburg and Schiffelers, 2012[67]). Public perceptions and attitudes towards risk, preparedness, government expenditure etc. are hard and slow to change – hence the importance of engaging in a risk-based regulatory approach in a long-term and transparent way.
Restriction of on-site inspections to critical situations and issues only
Widespread restrictions on travel and mobility together with workplace social distancing rules and temporary closure of business created specific obstacles to in-person inspections, a critical tool for surveillance of compliance with food safety regulations. As a direct result, some countries and regulators chose to scale-back or halt in-person inspections or other compliance activities, prioritising controls of high-risk situations focusing exclusively on critical safety issues – so as to minimise possible virus exposure for inspectors and workers.
For example, the Canadian Food Inspection Agency (CFIA) continuity business plan prioritised critical activities and suspended more low-risk visits and checks such as food inspections and sampling activities not related to food safety. The US FDA postponed most foreign facility inspections and all domestic routine surveillance facility inspections while maintaining only all mission-critical assignments (for instance, domestic for-cause inspection).
Uptake of remote food safety inspections and audits
New technology, modernisation of systems, and new smarter strategies helped increase enforcement capacity during the crisis. The adoption of new methods as an attempt to overcome the mobility restrictions and social distancing rules accelerated the introduction of services that simplified processes and increased operational efficiency. As on-site inspections were rendered impracticable due to numerous mobility, access, or packaging restrictions, countries started devising strategies to design and adopt remote tools to ensure the continuation of inspection activities.
For example, in Canada, the CFIA received funds for the purpose of hiring and training staff to conduct critical inspections and to carry out enforcement activities through the use of digital tools. The CFIA also developed criteria for remote audits of the certification bodies to reduce on-site activities under Canada’s Organic Regime.
The US FDA adopted remote inspections under its Foreign Supplier Verification programs (FSVP), applicable to importers of food for humans and animals, which shifted to electronic review of records and a limited number of on-site inspections, prioritising the inspections of FSVP importers of food from foreign suppliers whose onsite food facility or farm inspections were postponed due to the health emergency.
Source: (OECD, 2020[68]); (OECD, 2020[69]); Temporary Policy Regarding Certain Food Labeling Requirements During the COVID-19 Public Health Emergency: Minor Formulation Changes and Vending Machines Temporary Policy Regarding Certain Food Labeling Requirements During the COVID-19 Public Health Emergency: Minor Formulation Changes and Vending Machines; U.S. Department of Health and Human Services Food and Drug Administration (2020), Temporary Policy Regarding Packaging and Labeling of Shell Eggs Sold by Retail Food Establishments During the COVID-19 Public Health Emergency Temporary Policy Regarding Packaging and Labeling of Shell Eggs Sold by Retail Food Establishments During the COVID-19 Public Health Emergency; U.S. Food and Drug Administration (2020), Temporary Policy Regarding Nutrition Labeling of Certain Packaged Food During the COVID-19 Public Health Emergency Temporary Policy Regarding Nutrition Labeling of Certain Packaged Food During the COVID-19 Public Health Emergency; Canadian Food Inspection Agency (2020), Information regarding certain labelling requirements for foodservice products during the COVID-19 pandemic. Information regarding certain labelling requirements for foodservice products during the COVID-19 pandemic; Danish Veterinary and Food Administration (2020), Coronavirus and food - retail, supermarkets and manufacturing companies Coronavirus and food - retail, supermarkets and manufacturing companies.
Thus, on the positive side, the COVID-19 emergency has served as an opportunity for many regulators to demonstrate remarkable agility and flexibility in introducing frameworks or adjusting regulations12 (see Box 6.12 for examples in two regulatory areas). In the post-COVID era it will be necessary to learn from the best practices that have emerged in adopting agile regulatory approaches and demonstrating flexibility in applying requirements, managing procedures and enforcing rules.13 As indicated in the opening chapter of this Outlook, “agility” is a key element of adapting regulatory frameworks to the combination of new technologies, increased transnational flows, and emerging risks. The innovative and flexible implementation of risk-based regulatory approaches seen in this crisis context can provide some useful examples in this regard.
Regulatory easing measures in food safety: the example of food labelling requirements
Facing the COVID-19 crisis, regulators across countries adopted temporary administrative and regulatory flexibilities to help ease operations of business and industries while safeguarding sustained compliance. The pandemic brought particular challenges to authorities responsible for food safety regulation, sector that saw additional obstacles from shocks in all segments of the food supply chains and shifts in demand from food supplied to retail businesses in lieu of restaurant or other food service establishment. In response, a number of food safety regulators adjusted food-labelling requirements to limit the impact of supply chain disruptions on product availability:
The United States Department of Health and Human Services Food and Drug Administration (FDA) issued guidance allowing for temporary labelling flexibilities under certain circumstances, permitting manufacturers to make minor formulation changes without reflecting them on the package label. To meet increased demand for eggs, the FDA issued temporary flexibility guidance on certain packaging and labelling requirements for eggs sold in retail establishments. Additional guidance on labelling easements was issued to allow restaurants to sell packaged food to consumers.
The Canadian Food Inspection Agency (CFIA) also provided flexibility for labelling requirements for foodservice packaged products deemed to have no or limited impact on food safety as part of a broader temporary suspension of some low-risk suspended activities.
The Danish Veterinary and Food Administration temporarily waived labelling requirements of country of origin and accepted the retail sale of pre-packaged food not labelled in Danish provided that it complied with the requirements of the Food Information Regulation.
Source: CFIA (2020), Government of Canada provides $20 million to safeguard Canada’s food supply by supporting critical food inspection services; U.S. Food and Drug Administration (2020), Coronavirus (COVID-19) Update: FDA Focuses on Safety of Regulated Products While Scaling Back Domestic Inspections; FDA (2020), FDA To Temporarily Conduct Remote Importer Inspections Under FSVP Due to COVID-19.
Flexible regulation in health and social care – a new strategy for the English Care Quality Commission
The Care Quality Commission (CQC), the independent regulator of health and social care in England, has issued a new draft strategy for consultation built on four themes:
People and Communities: new ways to gather experiences, record and analyse them will be identified. This way, changes in the quality of care can be more easily detected, facilitated by a new assessment framework, designed to enhance trust among the public.
Smarter Regulation: the intent is to regulate in a more dynamic and flexible way to reflect the anticipated – and non-anticipated – changes.
Safety though learning: Stronger safety and learning cultures are prioritised and at the centre of a better quality service delivery in health and care. The CQC particularly wants to focus on types of settings with greater risk of a poor safety culture being unrevealed to understand, address and improve safety. Services will have to respond to targeted concerns on the measures taken to learn and improve safety. This information will be shared with the public.
Accelerating improvement: The new strategy aims at the establishment and facilitation of national sector-wide improvement coalitions with a broad spectrum of partners (including representatives of services users) to collaboratively work on better policies and practices to ensure better availability of support, both nationally and at a local system level.
Source: https://www.cqc.org.uk/get-involved/consultations/world-health-social-care-changing-so-are-we ; https://soundcloud.com/carequalitycommission/cqc-strategy-2021-our-public-consultation; https://carequalitycomm.medium.com/changing-how-we-regulate-to-improve-care-for-everyone-7accf34d30c1 https://www.cqc.org.uk/get-involved/consultations/world-health-social-care-changing-so-are-we.
Regulation and risk is a central topic – because a considerable amount of regulation is designed and adopted, at least notionally, to prevent or mitigate risks, both empirically measured and subjectively perceived. Risk-based regulation, which aims at making the regulatory response tailored to the specifics of each risk, and proportional to the relative importance of different risks, thus holds the potential to make regulatory systems more efficient, more effective, more resilient and responsive in times of crisis, and also better able to communicate meaningfully about their objectives, capacity, and results.
While the uptake from risk-based approaches is far from universal across jurisdictions and regulatory fields, and often less-than-thorough, there has been significant progress over the past few years, including through the development of innovative projects and programmes, leveraging emerging technologies, co-operation, information sharing, insights from behavioural insights, etc. There is much to learn from, and implementation of risk-based regulatory delivery, in particular, is easier than it used to be because of computing advances.
The “how” of risk-based approaches to regulation is increasingly well known, in spite of challenges linked to uncertainty in many areas, and a range of tools, examples, methods etc. exist that can be relatively easily adapted or adopted to make technical requirements, procedures, processes, inspections and enforcement more targeted and proportional to risk.
A point that remains more problematic is enabling risk-based approaches and ensuring their sustainability, not so much on legal grounds (where good examples exist), as in terms of public perceptions and support. Risk-based approaches can be difficult to understand and accept for a number of reasons: conflicts between risk perceptions and scientific risk assessments, reluctance to accept risk and relinquish a promise of “total protection” (even if it never was a promise that could actually be kept), difficulty to manage expectations when risks are only potential (and may not be realised), etc. Still, the fact that engaging on risk-based regulation with the public is difficult does not mean it should not be done – in fact, it makes such engagement all the more necessary and urgent (Burgess, Burgess and Leask, 2006[70]); (Chilvers and Burgess, 2008[71]).
The importance of transparent engagement with the public on risk (i.e. going beyond just risk communication, but also inviting and responding to public input) is linked to the broader issue of public trust in government and legislation, which has become particularly acute in recent years (De Benedetto, 2021[72]). Regulatory approaches that are not risk-based and risk-proportional, i.e. that strive for an ideal “zero risk” through rigid and highly burdensome requirements and procedures, appear according to recent research to contribute to reducing public trust instead of reinforcing it (De Benedetto, 2018[73]); (Blanc, 2021[74]).
Technological advances provide major opportunities for the broader, more systematic, more accurate and effective application of risk-based principles. This is particularly the case with more integrated, better managed data systems, and modern tools for analysis (e.g. Machine Learning), which can give far better insights on the most relevant risk factors, their relative importance, the emergence of new risks, the locations to focus on, etc.
Given a topic with so many ramifications and factors, this chapter can only provide a first overview, the start of a discussion, and tentative findings. Still, the issue matters enough that even such a provisional conclusion can potentially contribute to starting to solve this “crisis of confidence”. The gist of the argument is that regulations and regulatory systems are established, or at least so it is assumed and/or proclaimed, in order to strengthen, enable, (re)establish trust – but that they may sometimes be worse than failing at the task, but even actively increasing distrust.
Risk-based approaches to regulation and regulatory delivery appear as the most effective way to avoid the twin pitfalls of excessive rigidity and excessive discretion (Baldwin, 1990[13]). Properly understood and defined risk and proportionality offer instruments to adequately found and bound regulatory discretion, and modulate regulatory enforcement responses. Embedding risk-proportionality at the core of regulatory systems thus appears to be the most effective way to give them the adequate legitimacy, resilience, agility and effectiveness.
References
[56] Ali, S., O. Al-Saleh and P. Koushki (1997), “Effectiveness of Automated Speed-Monitoring Cameras in Kuwait”, Transportation Research Record: Journal of the Transportation Research Board, Vol. 1595/1, pp. 20-26, https://doi.org/10.3141/1595-04.
[15] Anderson, S. (ed.) (2009), The Good Guidance Guide: taking the uncertainty out of regulation, UK Better Regulation Executive, https://webarchive.nationalarchives.gov.uk/20090609052836/http://www.berr.gov.uk/files/file49881.pdf.
[13] Baldwin, R. (1990), “Why Rules Don’t Work”, The Modern Law Review, Vol. 53/3, pp. 321-337, https://doi.org/10.1111/j.1468-2230.1990.tb01815.x.
[26] Balleisen, E. et al. (eds.) (2017), Policy Shock, Cambridge University Press, Cambridge, https://doi.org/10.1017/9781316492635.
[60] Banerjee, A. et al. (2020), “Estimating excess 1-year mortality associated with the COVID-19 pandemic according to underlying conditions and age: a population-based cohort study”, The Lancet, Vol. 395/10238, pp. 1715-1725, https://doi.org/10.1016/s0140-6736(20)30854-0.
[19] Blanc, F. (2018), From Chasing Violations to Managing Risks: Origins, Challenges and Evolutions in Regulatory Inspections, Edward Elgar Publishing.
[44] Blanc, F. (2018), “Tools for Effective Regulation: Is “More” Always “Better”?”, European Journal of Risk Regulation, Vol. 9/3, pp. 465-482, https://doi.org/10.1017/err.2018.19.
[25] Blanc, F. (2015), Understanding and addressing the Risk Regulation Reflex - Lessons from international experience in dealing with risk, responsibility, and regulation, https://www.government.nl/binaries/government/documents/reports/2015/01/21/understanding-and-addressing-the-risk-regulation-reflex/understanding-and-addressing-the-risk-regulation-reflex-v2.pdf.
[10] Blanc, F. (2013), Introducing a risk-based approach to regulate businesses, World Bank Group, https://documents.worldbank.org/en/publication/documents-reports/documentdetail/102431468152704305/undefined.
[23] Blanc, F. (2012), Inspections Reforms: Why, How and with What Results?, OECD.
[9] BRDO (2012), Common Approach for Risk Assessment, UK Better Regulation Delivery Office, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/263921/risk-assessment-paper.pdf.
[29] Burgess, A. (2019), Routledge Handbook of Risk Studies, Routledge.
[28] Burgess, A. (ed.) (2016), Heuristics and Biases in Decision Making About Risk, Routledge.
[1] Burgess, A. (2009), An introduction to public risk, https://webarchive.nationalarchives.gov.uk/20100104184739/http://www.berr.gov.uk/files/file53402.pdf.
[70] Burgess, D., M. Burgess and J. Leask (2006), “The MMR vaccination and autism controversy in United Kingdom 1998–2005: Inevitable community outrage or a failure of risk communication?”, Vaccine, Vol. 24/18, pp. 3921-3928, https://doi.org/10.1016/j.vaccine.2006.02.033.
[71] Chilvers, J. and J. Burgess (2008), “Power Relations: The Politics of Risk and Procedure in Nuclear Waste Governance”, Environment and Planning A: Economy and Space, Vol. 40/8, pp. 1881-1900, https://doi.org/10.1068/a40334.
[21] Coglianese, C. (ed.) (2012), Oversight in Hindsight: Assessing the U.S. Regulatory System in the Wake of Calamity, University of Pennsylvania Press.
[74] De Benedetto, M. (ed.) (2021), Regulation, regulatory delivery, trust and distrust – avoiding vicious circles, Bloomsbury, https://www.bloomsburyprofessional.com/uk/the-crisis-of-confidence-in-legislation-9781509939855/.
[72] De Benedetto, M. (ed.) (2021), The Crisis of Confidence in Legislation, Hart Publishing, https://www.bloomsburyprofessional.com/uk/the-crisis-of-confidence-in-legislation-9781509939855/.
[73] De Benedetto, M. (2018), “Effective Law from a Regulatory and Administrative Law Perspective”, European Journal of Risk Regulation, Vol. 9/3, pp. 391-415, https://doi.org/10.1017/err.2018.52.
[17] Elffers, H. (ed.) (2006), Modelling Taxpayers’ Behaviour as a Function of Interaction between Tax Authorities and Taxpayers, Boom Legal Publishers.
[30] Fischhoff, B., P. Slovic and S. Lichtenstein (1982), “Lay Foibles and Expert Fables in Judgments about Risk”, The American Statistician, Vol. 36/3b, pp. 240-255, https://doi.org/10.1080/00031305.1982.10482845.
[32] Flynn, J., P. Slovic and C. Mertz (1993), “Decidedly Different: Expert and Public Views of Risks from a Radioactive Waste Repository”, Risk Analysis, Vol. 13/6, pp. 643-648, https://doi.org/10.1111/j.1539-6924.1993.tb01326.x.
[6] Goldstein, B. and R. Carruth (2004), “The Precautionary Principle and/or Risk Assessment in World Trade Organization Decisions: A Possible Role for Risk Perception”, Risk Analysis, Vol. 24/2, pp. 491-499, https://doi.org/10.1111/j.0272-4332.2004.00452.x.
[59] Goolsbee, A. and C. Syverson (2020), Fear, Lockdown, and Diversion: Comparing Drivers of Pandemic Economic Decline 2020, National Bureau of Economic Research, Cambridge, MA, https://doi.org/10.3386/w27432.
[51] Gunningham, N. (2015), “Compliance, Deterrence and Beyond”, SSRN Electronic Journal, https://doi.org/10.2139/ssrn.2646427.
[43] Hadjigeorgiou, A. et al. (2013), “National Food Safety Systems in the European Union: A Comparative Survey”, International Journal of Food Studies, Vol. 2/1, https://doi.org/10.7455/ijfs.v2i1.136.
[61] Halpin, S. et al. (2020), “Postdischarge symptoms and rehabilitation needs in survivors of COVID‐19 infection: A cross‐sectional evaluation”, Journal of Medical Virology, https://doi.org/10.1002/jmv.26368.
[14] Hampton, P. (ed.) (2005), Reducing administrative burdens: effective inspection and enforcement, HM Treasury, https://web.archive.org/web/20090704105121/http://www.hm-treasury.gov.uk/d/bud05hamptonv1.pdf.
[53] Hart/Beck (ed.) (2018), Ethical Business Practice and Regulation.
[46] Hawkins, K. (2003), Law as Last Resort: Prosecution Decision Making in a Regulatory Agency, Oxford University Press.
[20] Helsloot, I. (2012), Veiligheid als (bij)product: Over beleidsontwikkeling in interactie tussen bestuurders, adviseurs en narrige burgers, https://crisislab.nl/wordpress/wp-content/uploads/Oratie_Ira_Helsloot_21-09-2012.pdf.
[33] Helsloot, I. and J. Groenendaal (2017), “It’s meaning making, stupid! Success of public leadership during flash crises”, Journal of Contingencies and Crisis Management, Vol. 25/4, pp. 350-353, https://doi.org/10.1111/1468-5973.12166.
[66] Helsloot, I. and A. Schmidt (2012), “The Intractable Citizen and the Single-Minded Risk Expert – Mechanisms Causing the Risk Regulation Reflex Pointed Out in the Dutch Risk and Responsibility Programme”, European Journal of Risk Regulation, Vol. 3/3, pp. 305-312, https://doi.org/10.1017/s1867299x0000221x.
[52] Hodges, C. (2015), Law and Corporate Behaviour, Hart/Beck.
[3] IRGC (2017), Introduction to the IRGC Risk Governance Framework, revised version, EPFL International Risk Governance Center, https://infoscience.epfl.ch/record/233739/files/IRGC.%20%282017%29.%20An%20introduction%20to%20the%20IRGC%20Risk%20Governance%20Framework.%20Revised%20version..pdf.
[48] Kauffmann, C. and C. Saffirio (2020), “Study of International Regulatory Co-operation (IRC) arrangements for air quality: The cases of the Convention on Long-Range Transboundary Air Pollution, the Canada-United States Air Quality Agreement, and co-operation in North East Asia”, OECD Regulatory Policy Working Papers, No. 12, OECD Publishing, Paris, https://dx.doi.org/10.1787/dc34d5e3-en.
[5] Khwaja, M., R. Awasthi and J. Loeprick (eds.) (2011), Risk-Based Tax Audits, The World Bank, https://doi.org/10.1596/978-0-8213-8754-2.
[57] Kirchler, E., E. Hoelzl and I. Wahl (2008), “Enforced versus voluntary tax compliance: The “slippery slope” framework”, Journal of Economic Psychology, Vol. 29/2, pp. 210-225, https://doi.org/10.1016/j.joep.2007.05.004.
[58] Lind, E., R. Kanfer and P. Earley (1990), “Voice, control, and procedural justice: Instrumental and noninstrumental concerns in fairness judgments.”, Journal of Personality and Social Psychology, Vol. 59/5, pp. 952-959, https://doi.org/10.1037/0022-3514.59.5.952.
[39] Mangalam, S. (2020), Use of New Technologies in Regulatory Delivery, https://www.enterprise-development.org/wp-content/uploads/DCED-BEWG-Use-of-New-Technologies-in-Regulatory-Delivery.pdf.
[62] Mitrani, R., N. Dabas and J. Goldberger (2020), “COVID-19 cardiac injury: Implications for long-term surveillance and outcomes in survivors”, Heart Rhythm, https://doi.org/10.1016/j.hrthm.2020.06.026.
[2] National Research Council (1983), Risk Assessment in the Federal Government, National Academies Press, Washington, D.C., https://doi.org/10.17226/366.
[36] OECD (2020), Implementing Technical Regulations in Mexico, OECD Publishing, Paris, https://dx.doi.org/10.1787/4e919492-en.
[63] OECD (2020), Public integrity for an effective COVID-19 response and recovery, http://www.oecd.org/coronavirus/policy-responses/public-integrity-for-an-effective-covid-19-response-and-recovery-a5c35d8c/.
[65] OECD (2020), Public procurement and infrastructure governance: Initial policy responses to the coronavirus (Covid-19) crisis, http://www.oecd.org/coronavirus/policy-responses/public-procurement-and-infrastructure-governance-initial-policy-responses-to-the-coronavirus-covid-19-crisis-c0ab0a96/.
[68] OECD (2020), Regulatory quality and COVID-19: The use of regulatory management tools in a time of crisis, http://www.oecd.org/coronavirus/policy-responses/regulatory-quality-and-covid-19-the-use-of-regulatory-management-tools-in-a-time-of-crisis-b876d5dc/.
[69] OECD (2020), Removing administrative barriers, improving regulatory delivery, http://www.oecd.org/coronavirus/policy-responses/removing-administrative-barriers-improving-regulatory-delivery-6704c8a1/.
[22] OECD (2018), OECD Regulatory Enforcement and Inspections Toolkit, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264303959-en.
[35] OECD (2018), OECD Regulatory Policy Outlook 2018, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264303072-en.
[64] OECD (2016), Preventing Corruption in Public Procurement, https://www.oecd.org/gov/public-procurement/publications/Corruption-Public-Procurement-Brochure.pdf.
[11] OECD (2015), Regulatory Policy in Lithuania: Focusing on the Delivery Side, OECD Reviews of Regulatory Reform, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264239340-en.
[37] OECD (2014), Regulatory Enforcement and Inspections, OECD Best Practice Principles for Regulatory Policy, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264208117-en.
[47] OECD (2013), International Regulatory Co-operation: Case Studies, Vol. 1: Chemicals, Consumer Products, Tax and Competition, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264200487-en.
[4] OECD (2010), Risk and Regulatory Policy: Improving the Governance of Risk, OECD Reviews of Regulatory Reform, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264082939-en.
[42] OECD (2009), Managing and Improving Compliance: Recent Developments in Compliance Risk Treatments, https://www.oecd.org/tax/forum-on-tax-administration/publications-and-products/hnwi/42490764.pdf.
[41] OECD (2004), Compliance Risk Management - Managing and Improving Tax Compliance, https://www.oecd.org/tax/administration/33818656.pdf.
[40] OECD (2021, forthcoming), Data-Driven, Information-Enabled Regulatory Delivery, OECD Publishing,.
[54] OECD (2021, forthcoming), Using Digital Technologies to Improve Regulatory Delivery Activities, OECD Publishing,.
[55] Pilkington, P. and S. Kinra (2005), “Effectiveness of speed cameras in preventing road traffic collisions and related casualties: systematic review”, BMJ, Vol. 330/7487, pp. 331-334, https://doi.org/10.1136/bmj.38324.646574.ae.
[16] Roetzel, P. (2018), “Information overload in the information age: a review of the literature from business administration, business psychology, and related disciplines with a bibliometric approach and framework development”, Business Research, Vol. 12/2, pp. 479-522, https://doi.org/10.1007/s40685-018-0069-z.
[24] Rothstein, H., O. Borraz and M. Huber (2012), “Risk and the limits of governance: Exploring varied patterns of risk-based governance across Europe”, Regulation & Governance, Vol. 7/2, pp. 215-235, https://doi.org/10.1111/j.1748-5991.2012.01153.x.
[12] Rothstein, H. et al. (2017), “Varieties of risk regulation in Europe: coordination, complementarity and occupational safety in capitalist welfare states”, Socio-Economic Review, Vol. 17/4, pp. 993-1020, https://doi.org/10.1093/ser/mwx029.
[8] Russell Graham and Hodges Christopher, E. (2019), Regulatory Delivery, Hart/Beck.
[31] Slovic, P. (1986), “Informing and Educating the Public About Risk”, Risk Analysis, Vol. 6/4, pp. 403-415, https://doi.org/10.1111/j.1539-6924.1986.tb00953.x.
[67] Trappenburg, M. and M. Schiffelers (2012), “How to Escape the Vicious Circle: The Challenges of the Risk Regulation Reflex”, European Journal of Risk Regulation, Vol. 3/3, pp. 283-291, https://doi.org/10.1017/s1867299x00002191.
[27] Tversky, A. and D. Kahneman (1974), “Judgment under Uncertainty: Heuristics and Biases”, Science, Vol. 185/4157, pp. 1124-1131, https://doi.org/10.1126/science.185.4157.1124.
[18] Tyler, T. (2003), “Procedural Justice, Legitimacy, and the Effective Rule of Law”, Crime and Justice, Vol. 30, pp. 283-357, https://doi.org/10.1086/652233.
[49] Tyler, T. (1990), Why People Obey the Law, Yale University Press.
[45] van Rooij, B. (ed.) (2021), Using outcomes to measure compliance: Justifications, challenges, and practices, Cambridge University Press.
[7] Wagner, M. (2016), “Interpreting the SPS Agreement: Navigating Risk, Scientific Evidence and Regulatory Autonomy”, SSRN Electronic Journal, https://doi.org/10.2139/ssrn.2887361.
[38] Wille, J. (2013), Implementing a Shared Inspection Management System - Insights from recent international experience, http://documents1.worldbank.org/curated/en/190851468152706158/pdf/907550BRI0Box30ment0System0apr02013.pdf.
[34] World Bank Group (2021), Approaches to Integrated Inspections Reforms - Selected Case Studies.
[50] Yapp, C. and R. Fairman (2006), “Factors affecting food safety compliance within small and medium-sized enterprises: implications for regulatory and enforcement strategies”, Food Control, Vol. 17/1, pp. 42-51, https://doi.org/10.1016/j.foodcont.2004.08.007.
Notes
← 1. In particular the Society for Risk Analysis https://www.sra.org/ but also a number of regional or subject-specific networks, specialised academic journals etc.
← 2. Among these, the fundamental legislation for the EU Single Market such as the Industrial Emissions Directive (EU Dir. 75/2010), the Food Hygiene Package (Reg. EU 852-853-854/2004) and related Official Controls Regulation (Reg. EU 625/2017), the recent Market Surveillance Regulation (Reg. EU 1020/2019) – but also in major US legislation (Food Safety Modernization Act 2011) and of course brought to the fore largely through pioneering work by the US EPA in the 1980s (see https://www.epa.gov/risk/about-risk-assessment#tab-2).
← 3. See for instance: https://irgc.org/publications/core-concepts-of-risk-governance/.
← 4. See e.g. Codex Alimentarius principles: http://www.fao.org/3/a0247e/a0247e04.htm#:~:text=The%20risk%20analysis%20should%20follow,to%20the%20overall%20risk%20analysis and http://www.fao.org/3/Y4800E/y4800e0o.htm - FAO guidance: http://www.fao.org/3/i0096e/i0096e00.htm.
← 5. SPS Art. 5 and Annexes A and B, available at: https://www.wto.org/english/tratop_e/sps_e/spsagr_e.htm – TBT Art. 2 and 5, https://www.wto.org/english/docs_e/legal_e/17-tbt_e.htm.
← 6. Available at: https://www.oecd.org/gov/regulatory-policy/49990817.pdf.
← 7. See Food Safety STL Project, summary available at: https://dash.harvard.edu/bitstream/handle/1/34492285/5540821.pdf?sequence=1 and report on Nevada nEmesis project available at: https://www.nsf.gov/news/news_summ.jsp?cntn_id=137848.
← 8. For concrete examples, see the whole range of country profiles of food safety control systems prepared by the European Commission DG SANTE, available at: https://ec.europa.eu/food/audits-analysis/country_profiles/index.cfm.
← 9. See for example Health and Safety Executive (HSE) (2016), The effectiveness of HSE’s regulatory approach: The construction example (Prepared by Frontline Consultants for the Health and Safety Executive in 2013).
← 10. Enforcement Management Model, available at: https://www.hse.gov.uk/enforce/emm.pdf.
← 11. See for example Greece through art. 149 of law 4512/2018 reforming inspections and licensing.
← 12. See for instance regulatory COVID response of Canada: https://www.fintrac-canafe.gc.ca/COVID19/flexible-measures-eng and https://www.inspection.gc.ca/about-cfia/acts-and-regulations/forward-regulatory-plan/targeted-regulatory-review/eng/1558026225581/1558026225797.
← 13. See also pre-COVID policies to make regulation more agile and responsive in Canada: https://www.canada.ca/en/treasury-board-secretariat/news/2018/09/canada-revamps-its-directive-on-regulations---more-agile-transparent-and-responsive-so-businesses-can-thrive.html and https://www.canada.ca/en/health-canada/services/drugs-health-products/public-involvement-consultations/drug-products/enabling-advanced-therepeutic-products-modernizing-regulation-clinical-trials.html.