The Key to Regulation: Risk Management
To have better regulation, you need a clear risk management process
Regulations are risk management tools. Regulators are risk managers.
There is little guidance or basic understanding in the EU on how to manage risks.
To have better regulation in the EU, we need a White Paper on Risk Management to provide a toolkit and standards for regulators.
What follows is an article based on my contribution to the European Commission consultation on how to improve the EU regulatory process. As all regulations are intended to manage risks, the key to improving the regulatory process is to have clear guidance on the tools and steps for risk management. It should come as no surprise that my contribution centers on the need for the European Commission to produce a White Paper on Risk Management. Please feel free to contribute to this European communication process here.
What is regulation? What does a regulator do? These may be simple questions but if you want better regulation or regulatory reform, this definition needs to be clear.
Stakeholders look at regulations differently. Industry often sees regulations as obstructive legislation that interferes with innovations, markets and business objectives (or they use it to obstruct their competition). Civil society (NGO) groups see regulations as a means to protect consumers, vulnerable populations and the environment. Policymakers see regulations as their principal tool of governance. But these don’t tell us what a regulation is, only how stakeholders use them.
Regulations are developed or implemented when there is a potential risk or exposure to a harm or hazard. If a product or activity is perceived as not causing harm, there is no need for a regulation. In other words, regulations are implemented to manage risks and a regulator is a risk manager.
There are many types of risks: financial, environmental, health, social, trade, economic, consumer, operational… and the myriad of regulations reflect these risks. As risk equals hazard times exposure, regulations must reduce or prevent exposures.
A financial regulator needs to reduce exposure to market risks.
A consumer regulator protects the public from exposure to bad business practices or faulty products.
Environmental regulators reduce emissions that could harm nature.
But regulators should only intervene in situations where there are potential exposures to risks.
Take, for example, traffic laws. In areas where there are many accidents or jams (consequences of poor risk management), regulators come in and introduce the best measures to reduce risk exposures. If there are no risk issues, there is no need for regulations. At times though, regulators overemphasize certain harms and extend their boundaries, introducing unnecessary laws that stifle optimum operations. When this becomes excessive, calls for deregulation become louder.
Asleep at the Wheel
From the basis that all regulators are risk managers, reforming the regulatory process then becomes a question of implementing the best risk management tools and processes. And here is the issue. European regulators have a very poor understanding of the risk management process. Some examples:
Regulators confuse the precautionary principle (uncertainty management) with risk management. Precaution means intervening to stop processes or ban substances until authorities can be certain they are safe (certainty and safety are emotionally-charged concepts, terms that scientific risk managers never use). Any benefits from products and technologies matter little with this attractive regulatory tool where “Better safe than sorry” means decision-makers are never wrong when invoking the precautionary principle … just very often not right.
European regulators often confuse hazard and risk. Risk equals hazard times exposure, but the hazard-based policy approach ignores exposure levels and identifies hazards with risks. This defies basic scientific rationality. A shark is a hazard, for example, but if I am on the beach and not exposed to it, then it is not a risk. EU regulators may try to ignore this simple rule for political purposes (and some have admitted that much to me). If the exposure evidence does not reflect the regulator’s political ambitions, they may choose to take the hazard-based approach. The EU’s Sustainable Use of Pesticides Directive, a hazard-based regulation, is a good example of the willful misuse of basic risk management principles for political objectives.
Certain EU Green Deal measures (Farm2Fork, Fit for 55…) to reduce CO2 emissions fell into the risk-risk trap (where the consequences from such politicized regulations are actually increasing CO2 emissions).
The political objectives behind the Green Deal left no room for reflection or dialogue and no obligation to conduct impact or risk assessments. But even if they had, there is no clear guidance on what an impact assessment needs to examine (see, for example, the failed, politically biased EU risk assessment on e-cigarettes).
The risk management process has a series of steps from hazard identification, risk assessments and communications, risk reduction measures, impact assessments, refinement of exposure reductions to as low as reasonably achievable, and if the exposure to the hazard is still too high, only then would the precautionary principle be invoked. In most EU policies today, the precautionary principle is the immediate go-to reflex, regardless of the lost benefits or social consequences.
The worst example of the precaution reflex was during the COVID-19 pandemic. From January to March 2020, EU regulators should have been developing risk reduction measures to protect vulnerable populations as the coronavirus was spreading across Asia. They did nothing until the virus got out of control in Europe and then immediately locked down the entire population and stopped all economic activity (precaution). And when the first vaccines were being developed, there was a question over whether the AstraZeneca vaccine increased the risk of blood clots (it didn’t). This didn’t stop an EU Commissioner, Paolo Gentiloni, from rushing to invoke the precautionary principle, needlessly destroying public trust in that vaccine.
If the European Commission is serious about making EU regulations more efficient and proportionate, then they need to impose strict measures and guidelines for the risk management process. They need a White Paper on Risk Management.
White Paper on Risk Management
Since the COVID-19 regulatory debacle, I have been calling for a White Paper on Risk Management (see here and here). Such a guidance document would establish guidelines for all risk management approaches (for all regulatory situations). While certain officials in the European Commission prefer a vague, ad hoc approach to risk management to make their job easier, this does not provide the basis for a sound, predictable, rational policy process. This regulatory process should not be malleable and beholden to the political whims of some regulator dictating a policy at the time but, rather, it should be anchored to the scientific, evidence-based risk management process. Only then will such political abuses of the regulatory process be limited.
As risk management is the key tool in the regulatory process, it is inconceivable to have better regulations without clear guidelines on the risk management process. The White Paper on Risk Management should address the following elements.
What should be in a risk management toolkit (i.e., what tools and concepts should and should not be used in the regulatory process).
A clear definition of precaution (the Rio Triple Negative or the EEA reversal of the burden of proof) and its situation within the risk management process (i.e., at what point in the risk management process it should or shouldn’t be invoked).
A distinction of the hazard-based approach from the risk-based approach and their roles within the risk management toolkit.
Articulation of the risk management process, moving from hazard identification to risk assessment to scenario building to risk communication to hazard reduction measures to risk-benefit analyses … and only if this process fails to provide protection, the conditions for invoking the precautionary principle.
Guidance on the types of questions provided to risk assessors and impact assessors and follow-up best practices (as well as the extent to which risk assessors can widen or narrow the scope).
Timeline for publishing risk assessments, reports, studies and risk communication guidelines. Obligations for regulators to receive and publish these findings in a timely manner.
Clarification of the role of science, evidence and research within the EU policy process.
As technologies evolve, a clear process for when regulations can be re-opened, revised or amended.
A communications strategy for reducing European risk aversion (tied to an EU innovation strategy).
Without any official guidance document from such a White Paper, EU regulations would remain ad hoc and ambiguous. While this is ideal for lawyers, activists and politically motivated EU officials who benefit from a system that can be misused, the present vagaries undermine the interests of European researchers, consumers, investors, traders and businesses.




I took the freedom to translate this post into the German language.
https://hubertdaubmeier.wordpress.com/2026/01/20/schlussel-zur-regulierung-risikomanagement/