Inspired by the insights from risk studies, governments around the world have begun to develop and implement risk governance and risk-based regulation. Following these developments, scholars have begun to map, explore and interrogate risk governance models and strategies, risk-based regulatory approaches and instruments, and their performance. There appears to be no area where governments have not trialled this approach to regulation.

It is beyond the scope of this series of blog posts to review this approach to regulation on a sector-by-sector basis. The discussion that follows maps some of the frameworks for risk governance and risk-based regulation that are broadly considered ‘good practices’ by scholars, or that are dominant in some parts of the world. In this blog post, I discuss the holistic framework of the International Risk Governance Council (IRGC). In the next one, I will address frameworks that focus on high-occurrence but low-impact risks, and frameworks that build on the precautionary principle, benefit-cost-analyses, or both.

Holistic frameworks

Around the turn of the millennium, risk scholars began to point out that ‘a strict separation between risk assessment and risk management is counterproductive’ in governing and regulating risk [1]. More and more, a vision of integration between the two is presented. Likewise, regulatory scholars began to argue that while there was much debate about standard setting in risk-based regulation, information gathering and behaviour modification had received too little attention, and even less attention was paid to ‘linking those three components together—which is often the Achilles heel of control systems’ [2].

These debates have resulted in suggestions for holistic risk governance frameworks. The most elaborate holistic framework that has emerged is that of the International Risk Governance Council (IRGC). It builds on four phases of risk assessment and management, and a set of cross-cutting aspects. The four phases build on and inform each other.


This phase includes risk identification and framing. In this first phase, early warnings or (periodic) monitoring may point to deviations from the norm in activities or events. Perception, interpretations, heuristics, biases, and framing affect what is considered a risk and what risk is worth considering. Likewise, how people think of risk (ontologically and epistemologically—see the first instalment of this series on risk governance and risk regulation) affects what they will consider a risk that requires attention and what not. Finally, various forms of data may point at such deviations from the norm, but not all forms of data are necessarily given equal attention. In this early phase, there is a danger that science-technocratic data will be given more attention than socio-political data [3].


This phase includes the assessment of technical and other causes of the risk and its consequences. Ideally, risk estimation consists of: ‘(1) risk assessment: producing the best estimate of the physical harm that a risk source may induce; and (2) concern assessment: identifying and analysing the issues that individuals or society as a whole link to a certain risk’ [4]. Here, the challenge is to deal with often incomplete data [5], and to balance ‘hard’ technical data with ‘soft’ public and political perceptions [6]. Specific dangers in this phase are missing, ignoring or exaggerating early signals of risk; lack of adequate knowledge about a hazard, including probabilities and consequences; failure to consider variables that influence risk appetite and risk acceptance; lack of appreciation or understanding of the potentially multiple dimensions of a risk; and a failure to reassess in a timely manner fast and/or fundamental changes in risk systems [7].

Characterisation and evaluation

This phase includes the making of judgements about the risk and the need to manage it. Often this phase will result in a risk-matrix in which risks are classified according to their urgency for intervention. A distinction can then be made between risks that need to be addressed, and those that need not be—or at least, not now. It is suggested to classify risks on a sliding scale, rather than as a dichotomy. For example, when using a “traffic light” model of ‘acceptable’, ‘tolerable’, and ‘intolerable’ risks, it is immediately clear that the first need little engagement and the latter need to be addressed as soon as possible [8]. Highlighting risks that are tolerable now but may slide into the intolerable category over time helps to keep track of them and to develop and implement preventive risk management measures. For example, ‘actions that render these [tolerable] risks either acceptable or sustain that tolerability in the longer run by introducing risk reduction strategies, mitigation strategies or strategies aimed at increasing societal resilience’ [4]. In this phase, the same dangers hold as in the previous one.


This phase includes decision-making and implementation of risk management options. Actions to reduce, pool, mitigate or prevent risks will have to be tailored to the specific situation at hand—the literature, unfortunately, does not present one-size-fits-all solutions. Herein, however, lie the core dangers of this phase: failure to design risk management strategies that adequately balance alternatives or consider a reasonable range of options; inability to reconcile the time frame of the risk with those of decision-making and incentive schemes; inappropriate management of conflicts of interests, beliefs, values and ideologies; failure to muster the necessary will and resources to implement risk management policies and decisions; failure to build or maintain an adequate organisational capacity to manage risk; and failure of the multiple departments or organisations responsible for a risk’s management to act cohesively [7].

Cross-cutting aspects

These include the involvement of stakeholders, ongoing communication with stakeholders, and consideration of the regulatory context in all the above phases. They ask regulatory policymakers and practitioners to remain vigilant of biases they may themselves be subject to in risk assessment and management [1], and of changes in the political and physical environment of the risk. But perhaps most important is to ensure a high level of communication throughout the risk assessment and management process: ‘The crucial task of risk communication runs parallel to all phases of handling risk: it assures transparency, public oversight and mutual understanding of the risks and their governance’ [8].


It is best to consider the IRGC framework as a blueprint for regulators interested in this approach to regulation, or as a check-list for those who already have risk governance in place. The IRGC framework challenges regulators to think beyond a strategy of ‘pick the biggest problem and fix it’ and to develop and adhere to transparent, legitimate and accountable processes of both the ‘picking’ and ‘fixing’ of problems. The IRGC framework does not spell out how this needs to be done but provides helpful starting points for thinking through important choices.


[1] See the first State of the Art in Regulatory Governance Research Paper on behavioural insights for a more extensive discussion: van der Heijden, Jeroen (2019). Behavioural Insights and Regulatory Practice: A Review of the International Academic Literature. State of the Art in Regulatory Governance Research Paper – 2019.01. Wellington: Victoria University of Wellington/Government Regulatory Practice Initiative. Available online: (13.05.2019).