Risk, regulation and rules…


One of the perennial issues in regulating the safety of technological systems is how prescriptively one should write the regulations. At one end of the spectrum is a rule-based approach, where very specific norms are imposed and, at least in theory, there is little ambiguity in either their interpretation or application. At the other end you have performance standards, which are much more open-ended, allowing a regulator to make circumstance-specific determinations as to whether the standard has been met.

Both rules and standards introduce uncertainty, but do so in different forms. Standards, because they must be interpreted as to application, introduce uncertainty over future judgements. In contrast, rules admit of no ambiguity of interpretation; instead, uncertainty is introduced in circumstances where one is uncertain whether one has complied with a rule. The first is about predicting an uncertain future while the second is about postdicting an uncertain past.

Classically there’s been much focus on the different economic and compliance costs of these differing styles of regulation. For example, rules cost a lot to establish but are relatively easy to comply with (in principle). Standards, on the other hand, cost less to establish but cost more in terms of application, as they involve a regulator (and industry) in greater efforts to interpret their effective application.

However, because uncertainty exists over compliance, there exist two types of risk, and as it turns out human beings do not look at these two types of risk in the same way. When we consider risk perception in the context of past versus future events, the evidence indicates that people significantly prefer to take risks about events that may occur in the future rather than events that have occurred in the past, even though the probabilities of the events are exactly the same.

So from a regulatory compliance perspective, rule-based regulations have a greater degree of deterrence because the risk is perceived as greater. Further, the more complex the rule set, the greater the generated uncertainty and the greater the degree of risk aversion and deterrence (Guttel, Harel 2007).

All this suggests that performance-based safety strategies, such as the SFAIRP principle enshrined within current WHS legislation, may not be as effective as we think in comparison to an equivalent rule-based approach.


Guttel, E. & Harel, A., Uncertainty Revisited: Legal Prediction and Legal Postdiction (Working Paper 54), American Law & Economics Association Annual Meetings, 2007.


1.  This may be due to the illusion of control, where we believe that we have more control over future events than we do in actuality, or to the perception of uncertainty about past events as personalised and subjective, e.g. as ‘ignorance’.

4 responses to Risk, regulation and rules…


    The problem here is that there may be errors with the rules approach and unintended consequences. That’s one good reason why voluntary standards are better, more efficient, more resilient, more robust and with much lower risk. Australia is fast becoming the regulatory capital of the world. Expect a whole new set of rules to emerge from the current Sydney bushfires with little or no implications for environmental and National Park management, the practices of which may have played a significant part in the disaster. The rules approach quite deliberately sets out to achieve this because it transfers risk from the public sector regulator to the private sector.


      Matthew Squair 18/10/2013 at 4:34 pm

      I make no claims as to efficiency, that’s a whole other story.

      Some industries manage within a co-regulatory approach and that seems to work where industry and societal interests align, and that’s where you usually see voluntary standards or rule sets emerging. See the RISSB organization for Australian rail.

      Rule sets don’t tend to work well in fast evolving technology driven industries but then where the maturity of the industry is low performance standards don’t work well either.

      Then there’s John Downer’s perspective that (to paraphrase) for high technology high consequence industries we end up regulating the social (people) in lieu of the technical because regulators simply can’t get close enough to the technical issues.

      In the US regulators must assess the compliance burden with each new regulation. I’d settle for that in Australia for a start…



        I agree that assessment of the compliance burden arising from regulations would be a positive step forward in this unchallenged regulatory capital of the world. In addition, risk based regulation would be a step forward. The Victorian State Government had a go at this a few years ago (not sure what happened to it) but I don’t think anyone else has.

        The problem here is that governments judge their performance on how many items of regulation and legislation they can get through each Parliamentary session. I have yet to see an Australian government at any level with a target of removing regulations and legislation and even when they do have a target for a particular piece it’s often very difficult to get support from both Houses. So regulations are ratcheted up. Sooner or later the whole thing grinds to a halt.


        Matthew Squair 18/10/2013 at 5:34 pm

        See the post ‘On regulating the un-regulatable’ for some of the ways we fudge regulatory relief.

        Given the increasingly risk averse nature of western society I’m becoming more and more convinced that ‘risk’ is a very problematic construct in social decision making and responsible for a lot of wasteful safety and security theatre. I notice it especially when traveling overseas.