**SpringerBriefs in Applied Sciences and Technology** Safety Management

**Jean-Christophe Le Coze · Benoît Journé Editors**

# **The Regulator–Regulatee Relationship in High-Hazard Industry Sectors** New Actors and New Viewpoints in a Conservative Landscape

### SpringerBriefs in Applied Sciences and Technology

## **Safety Management**

#### **Series Editors**

Eric Marsden, FonCSI, Toulouse, France Caroline Kamaté, FonCSI, Toulouse, France Jean Pariès, FonCSI, Toulouse, France

The *SpringerBriefs in Safety Management* present cutting-edge research results on the management of technological risks and decision-making in high-stakes settings.

Decision-making in high-hazard environments is often affected by uncertainty and ambiguity; it is characterized by trade-offs between multiple, competing objectives. Managers and regulators need conceptual tools to help them develop risk management strategies, establish appropriate compromises and justify their decisions in such ambiguous settings. This series weaves together insights from multiple scientific disciplines that shed light on these problems, including organization studies, psychology, sociology, economics, law and engineering. It explores novel topics related to safety management, anticipating operational challenges in high-hazard industries and the societal concerns associated with these activities.

These publications are by and for academics and practitioners (industry, regulators) in safety management and risk research. Relevant industry sectors include nuclear, offshore oil and gas, chemicals processing, aviation, railways, construction and healthcare. Some emphasis is placed on explaining concepts to a non-specialized audience, and the shorter format ensures a concentrated approach to the topics treated.

The *SpringerBriefs in Safety Management* series is coordinated by the Foundation for an Industrial Safety Culture (FonCSI), a public-interest research foundation based in Toulouse, France. The FonCSI funds research on industrial safety and the management of technological risks, identifies and highlights new ideas and innovative practices, and disseminates research results to all interested parties. For more information: https://www.foncsi.org/

Jean-Christophe Le Coze · Benoît Journé Editors

## The Regulator–Regulatee Relationship in High-Hazard Industry Sectors

New Actors and New Viewpoints in a Conservative Landscape

*Editors*  Jean-Christophe Le Coze French National Institute for Industrial Environment and Risk (INERIS) Verneuil-en-Halatte, France

Benoît Journé Département Gestion et Conseil (GESCO) Nantes Université Nantes, France

ISSN 2191-530X ISSN 2191-5318 (electronic) SpringerBriefs in Applied Sciences and Technology ISSN 2520-8004 ISSN 2520-8012 (electronic) SpringerBriefs in Safety Management ISBN 978-3-031-49569-4 ISBN 978-3-031-49570-0 (eBook) https://doi.org/10.1007/978-3-031-49570-0

© The Editor(s) (if applicable) and The Author(s) 2024. This book is an open access publication.

**Open Access** This book is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this book are included in the book's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the book's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

Paper in this product is recyclable.

## **Contents**



## **Chapter 1 The Unfolding Regulator–Regulatee Relationship**

**Jean-Christophe Le Coze** 

**Abstract** The regulator–regulatee relationship in the context of safety-critical systems is under constant evolution. It changes with epochs. Our current epoch is one faced with increasingly global challenges. It has not always been so, but increasingly is. In this introduction, the presentation of the chapters of this book is preceded by a historical perspective which situates the advent of many important regulatory innovations and trends (e.g., polycentric, smart, meta, or risk-based regulations). These innovations and trends are variously interpreted, from either practical, critical, or more neutral angles. This introduction explains the rationales of these different points of view. Next, an example of regulation of hazardous organisations in France is shortly described to illustrate the trends discussed. It provides a short empirical case study. The chapters of the book are then summarised, covering a diversity of related themes, from polycentric to responsive regulations, through an attention to social interactions to the game-changing reality of global warming.

**Keywords** Safety-critical systems · Governance · Regulatory innovation · Risk regulation regime

#### **1.1 The Advent of Safety-Critical Systems**

What can we say about the regulator–regulatee relationship in the context of safetycritical systems in the 2020s? The concept of 'safety-critical systems' remains a recent analytical category from a research point of view. It is thirty to forty years old. Perrow (1984) played an important role in this new interest by scholars for these systems when he published his iconic book '*Normal Accidents*'. The book had a subtitle '*Living with high-risk technologies*' (Perrow 1984). Its genesis was directly connected to Three Mile Island in 1979, the accident of the nuclear power plant in Harrisburg, USA. This event triggered several lines of investigation by the

© The Author(s) 2024 J.-C. Le Coze and B. Journé (eds.), *The Regulator–Regulatee Relationship in High-Hazard Industry Sectors*, SpringerBriefs in Safety Management, https://doi.org/10.1007/978-3-031-49570-0\_1

J.-C. Le Coze (B)

Ineris, France e-mail: jean-christophe.lecoze@ineris.fr

social sciences (Sills et al. 1982), including by scholars of public administration and public policy who studied the conditions for fruitful relationships between private companies and authorities (regulator–regulatee) in the aftermath of this event, based on self-regulatory schemes (Rees 1994; Gunningham and Rees 1997). The concepts of 'high-risk systems' or 'safety-critical systems' were thus born in the 1980s. They existed for a longer period, but their increasing presence was strongly felt in societies, challenging our sense of remaining in control in a technologically shaped world. This new notion discriminated a diversity of organisations which shared their potential for acute negative externalities (e.g., explosions, radiation, toxicity, crash, derailment, and spill). Nuclear weapons, chemical plants, aircraft, mines, railways, air traffic control, space, and maritime were some of the most visible cases of systems to be

contrasted with other kind of organisations (e.g., universities, manufactures). Of course, the nuclear disaster of Chernobyl in 1986 or Piper Alpha in 1988 (the explosion of an offshore platform in the North Sea), not to mention other major events of that period in other industries (e.g., Bhopal, Challenger, Herald of Free Enterprise), reinforced the importance of this topic. New concepts were introduced, developed, and debated as part of this trend. The 1980s and 1990s were fruitful years in this respect with important concepts such as human error (Reason 1990; Rasmussen 1990; Woods et al. 1994), safety culture (Turner and Pidgeon 1997, Reason 1997), and high-reliability organisation (Roberts 1993; Weick et al. 1999), addressing several core topics of a multifaceted problem: understanding, managing, and regulating such systems. The role of states, of civil society, of agencies, and of inspections have also been at the heart of this endeavour for several decades, along with these other important concepts. The introduction of the idea of enforced self-regulation (Ayres and Braithwaite 1992) with mining—a typical safety-critical system—as one of the original case studies (Braithwaite 1985) is an illustration. It was a critique and an alternative to the prescriptive style, also described as commandand-control, of regulating. Another is the concept of risk regulation regime (Hood et al. 1999) with Beck's thesis on the 'risk society' in the background, translated from German to English in the early 1990s (Beck 1992).

This interest in safety-critical systems has only kept growing over the years, reflecting the diversity of existing research traditions (e.g., engineering, sociology, cognitive engineering, psychology, public administration, and management), and the need for adapted research strategies to explore their inner working considering their multidimensional facets (Le Coze 2019; Pettersen-Gould and Macrae 2021). One important thread across the traditions is the realisation that their operating landscapes have profoundly changed, reformulating our analytical lenses inherited from the 1980s. Changes over the past forty years have indeed reconfigured the operating landscape of safety-critical systems across countries, across continents and require us to revisit our mindset, including Perrow's seminal contribution (Le Coze 2020). These major shifts are easily identified retrospectively. In the 1980s, Internet was in its infancy, financial capitalism was only taking off, the ecological crisis was slowly materialising, and globalisation (as an increase of flows across nations and continents) was building up. In the 2020s, these trends are now in full force, along with geopolitical shifts. With these changes in mind, Fukushima Daïchi (2011) or Deepwater Horizon (2010), mirroring the Chernobyl and Piper Alpha accidents of the 1980s, are interesting events of the early twenty-first century for safety-critical systems and for the regulator–regulatee relationship. Fukushima is an example of a vulnerable high-risk system in its natural environment combined with a critical lack of independence between the Japanese state and private interests, what is known as the risk of 'regulatory capture' (Carpenter et al. 2014). It questions, in a context of ecological crisis, the ability of societies to protect critical infrastructures such as nuclear power plants from the effects of the Anthropocene, and the role of states and regulations in this developing picture. The explosion of the offshore platform Deepwater Horizon represents the failure of the financialised multinational, BP, embracing globalisation and operating as a network organisation across the world, but insufficiently regulated, at least in the USA (Bergin 2011). It challenges the ability of states to deal with powerful multinationals operating across the world.

#### **1.2 Regulating in Evolving Contexts**

In public administration, public policy, and regulatory studies, the move from statecentric to polycentric contexts (as exemplified by the BP case, Mills and Koliba 2015) has been described as an essential trend associated with the increasingly globalised world at the turn of the century. The concept of governance captured this change by addressing the move from verticality (hierarchy) to horizontality (heterarchy), by addressing a shift towards networks, towards decentred, hybrid, or post-regulatory states with their consequences for administrations and regulations (Black 2001; Kettl 2002). A mix of new public management initiatives (Hood 1991), shaped by 'less state' neoliberal ideologies and privatisation, combined with deregulation of markets (e.g., aviation, energy, telecoms) and a push by multinationals pressing states to relieve them from the burdens of stringent regulations in the harsh competition of global capitalism, is one explanation. It came with fuzzy boundaries (Kettl 2002), namely with states and administrations cooperating with private or non-governmental entities, with standardisation gaining ground to translate the role of such entities through 'soft law' (e.g., process safety management systems), with 'safety cases' to be produced by companies as part of self-regulatory schemes or of audits, certification, and accreditation to ensure standard compliance (Power 1997). In the critical version of this trend, states are no longer able to play a strong role in curbing the negative externalities of private interests, at the expense of societies (Grabosky 2013; Perrow 2015).

A distinct explanation of the evolution of the regulatory governance context is the practical approach for states to move away from the command-and-control style of regulating. The command-and-control approach with its prescriptive perspective on regulation was criticised for failing to keep up with the diversity of situations and changes in technology. It also failed to harness the intrinsic motivation for compliance work of regulated entities, but additionally exposed the state to liability issues because of its commitment to define the rules precisely. The cost and burden of using prescriptive rules led to the development, experimentation, and promotion of alternative pragmatic options. Exploring the potentialities of self-regulatory philosophies, ideas such as principles-based regulation, responsive or smart regulations, outcome versus management-based regulation, meta-regulation, or risk-based regulation concretely translated this pragmatic approach. While Fukushima Daïchi or Deepwater Horizon provided opportunities to reflect on problems associated with such new regulatory instruments in the context of safety-critical systems (Downer 2013; Mills and Koliba 2015), the financial crisis of 2008 was also an important event for exploring the value, relevance but also drawbacks and limits of such new regulatory strategies (Black 2010; Baldwin and Black 2010). Indeed, if the practical approach to reform regulations was a proposition to replace the failure of commandand-control style, how and why did this practical move equally fail to prevent major events such as the financial crisis or Deepwater Horizon? This has led authors to diagnose a crisis of confidence in institutions (Coglianese 2012).

A third, alternative and complementary proposition, more descriptive than critical or practical, is to understand the evolution of regulations as a dynamic between problem formulation by societies and states' responses (Ansell and Baur 2018). In this interpretation, risk regulation regimes depend on the way risks are framed or constructed and strategies of control deployed in relation to them (Hood et al. 2001). Major events and their analysis often play an important role because they open window of opportunity in shaping policies (Birkland and Warnement 2017). In this respect, the argument of the authors is that many threats associated with our contemporary era (many of which come from safety-critical systems), have expanded in scope and scale. Along with a shift from a reductionist to a systemic view of risks, the changes in the way regulatory governance operates through evolving strategies (e.g., self-regulation, meta-regulation, risk-based regulation) reflect the changing nature of threats, the evolving characteristics of risks.

One illustration is food safety. Considering that food is increasingly produced and circulating across continents through expanding global capitalism, it necessitates proper instruments to regulate its scope and scale. For these authors, instruments such as audits, certification, and HACCP are regulatory tools to cope with a change of risk profile which comes with increased globalisation which represents the increased connections between continents and the networks made of many different organisations. Another side of this approach by the authors is the recognition that many problems cannot be reduced to a simplistic model, such as when disasters are considered only as technical failures or triggered by front-line human errors. Disasters are systemic events (as mentioned in the first paragraph with notions such as safety culture, high-reliability organisations) and must include organisational, strategic, and regulatory failures, going beyond simplistic narratives (Hopkins 2022). The trends affecting regulation over the past decades are therefore the translation of the changing nature of risks.

#### **1.3 An Illustration: The Regulation of Hazardous Plants in France**

One example of an evolving regulatory landscape of safety-critical systems over several decades is the regulation of major accident hazards in France. It evolved from a very prescriptive approach (such as checking the thickness of vessels, which is still in use) to become more fundamentally based on the principle of risk analysis and assessment. Risk analysis is regulated through the production of a 'safety case' for an industrial site with hazardous processes. A safety case is a document which shows how a company handles, reduces, and prevents its process risks to attain a certain level of safety. Hazardous processes are distinguished in the headings of a nomenclature which sets the expected requirements and associated administrative processes depending on the type of industrial facility, kind of products, and quantities. These safety cases are very often produced by external experts, by consulting firms. Most companies subcontract this activity even if some of them have internal expertise to deliver these safety cases. They must send the safety case to inspectors of control authorities (working on behalf of the prefect) which scrutinise it. These reports are analysed, discussed, and criticised by inspectors. Inspectors work at the regional level, within what is described as territorial unit of the local administration.

Inspectors have the possibility of requiring a third-party review, i.e., an additional critical analysis by another expert (often a consulting company) regarding the content and quality of the safety case, if necessary. The operating company selects and contracts out this third-party expertise. Ineris (the national institute for the industrial environment and risks), in this context, plays a role at the interface between research, support for public authorities and services to companies on technological risk issues. It can also play this role of third-party expert. This technical and scientific expertise produced by Ineris supports the administration and produces knowledge in various fields (e.g., explosion, fire, resistance of structures, human factors) and provides strong inputs to the training of inspectors as well as the production of regulations, in national and European contexts (including the so-called Seveso directives since 1982). This regulatory activity is managed at the state level by the General Directorate for Risk Prevention (DGPR) within the Ministry of Ecological Transition, which now also hosts the accident investigation board for the process industries (created following a large fire at Lubrizol and Normandie Logistique in 2019, in the city of Rouen).

The regulatory process for producing a safety case also includes a territorial dimension with entities that punctuate its validation, in which representatives of local authorities as well as civil society sit. There are also structured consultation approaches for organising the relationship between private companies and civil society in the vicinities of sites, such as local information and monitoring committees (CLIS), particularly in the context of the implementation of technological risk prevention plans (PPRT), required by the Bachelot law of 2003, drafted following the Toulouse accident in 2001. These various bodies and councils constitute strong dimensions of the regulation of technological risks in relation to their territorial anchoring and to civil society, to which the themes of acceptability and risk perception are often associated.

It is also at this level that the fire and rescue services (SDIS), at the intersection of civil society, local authorities, the state, and businesses, prepare and intervene in emergency situations. Civil society is also of course represented at the national level by the activity of the parliament and the government which decides on regulatory changes as well as the orientations and budgetary resources for the activity of the central (DGPR) and regional administrations (DREAL), as well as Ineris and the regional governments, in their decentralised prerogatives. Safety cases also serve as a framework to produce prefectural orders that the inspectors of classified installations use to inspect the compliance of companies with these regulatory requirements. They thus visit the facilities according to a frequency that is defined according to the level of risks, but also according to priorities given each year by the central administration. These orientations depend on current events (for instance, "fire in warehouses") and the issues that they raise. It is also at the level of the central administration that the evolutions of the nomenclature are decided, in interactions between companies, the expertise of the state (Ineris), and the professional associations.

It is also at this level of activity that professional guides are produced and serve as a benchmark for the development of safety cases according to industrial sectors. These guides make it possible to better frame the exercise to allow strong benchmarks and harmonisation of approaches within a profession (e.g., in oil and gas, chemicals, warehouses, or agro-business). It should also be noted that insurers play a role through their fire risk prevention activity with companies. This principle of harmonisation is also at the heart of the important activity of standardisation, certification, and accreditation in the field of risks. This facet of prevention in industry and regulation has been playing an increasing role for many years. The standards, established by consortia bringing together states, private companies, and experts at the French (AFNOR), European (CE), and global (ISO or IEC) levels are at the origin of an important source of framing practices as well as achieving reliability and safety of industrial installations. The certification of technology suppliers (including the role of COFRAC as accreditor of certifying bodies) used for the prevention of accident scenarios identified by the safety cases thus makes it possible to guide and reinforce companies in their choice (e.g., for equipment in a flammable zone which must not produce static electricity, for the reliability of a sensor in its action of detecting a gas). These certifications can also be voluntary (equipment reliability) or regulatory (ATEX for example). Ineris plays a certification role on several risk management topics.

In the area of process safety, the operating standards have thus provided principles which have been used to define the expectations and content of the safety cases, in relation to the calculations of probabilities, levels of confidence in the measures of control of the risks following regulatory changes to PPRTs. Standardisation is therefore not always associated with certification and can serve as an international reference. This non-state normative production has thus been the subject of intense expertise, advice, and audit activity for many years. It is combined with legal normativity, as with the example of safety management system standards which are the subject of private audits for certification (ISO 18000), which are close to regulatory requirements for safety management systems, which are also subject to inspection. This requirement expands the technical view of safety risks to an organisational one. Multinational companies, in their activities of supervision and centralisation of multiple entities or subsidiaries, grouped within headquarters (or corporate), also have recourse to this standardisation work for their industrial sites, which they also apply to their contractors.

As this brief description of the French regulatory framework for the process industries shows, regulation and the regulator–regulatee relationships have evolved to become a hybrid, decentred, polycentric, and network reality which combines a great number of actors shaping the operating landscape of safety-critical systems across the world. The transformations of the past decades have been shaped by the trends introduced in the previous sections. Despite relying on a state which plays a strong role, it exhibits some of these polycentric dimensions of regulations with the presence of European levels of policymaking but also regional levels of translation of policies. It shows the regulatory tools of risk-based regulation (i.e., safety case) performed by consultants, of meta or management-based principles (i.e., safety management system) which are combined in France, and not exclusive. It also illustrates the importance of standardisation, certification, and accreditation (i.e., equipment, management standards) which connect the national regulations to multinational corporate influences and international organisations (CE, ISO). It also illustrates the public presence in the regulatory process which has increased following a major event in France in 2001 (Toulouse) and the introduction of an investigation board following another more recent event (Lubrizol 2019), while introducing other actors such as insurers. The complexity of the regulatory governance of hazardous installations in France illustrates what has been described so far in this introduction.

#### **1.4 The Chapters of This Book**

With this background, each author of this book provides a unique and specific angle of analysis regarding this complex, new operating landscape and regulatory governance of safety-critical systems, starting with an overview of the work at the Center for Analysis of Risk and Regulation at the London School of Economics (LSE) over several decades. In the first chapter, Lodge and Hood look back on thirty years of intellectual development and argue that the question of limiting 'regulatory capture', which triggered their research agenda, remains as central as ever.… However, the contemporary context provides new problems to this regulatory problem. They write "*LSE's debates of thirty years ago mainly concerned UK and US national regulation (…) with much less attention paid to transboundary coordination in the handling of the risk issues and of national regulatory decisions than applied today*".

One feature of this new context is the increasingly polycentric dimension of regulation, something that Black describes in her chapter based on the financial industry, distinguishing the range of third parties involved, introducing them with the help of five categories (1) auditors, assurers, accreditors, certifiers; (2) knowledge and compliance intermediaries; (3) gatekeepers; (4) measurers and modellers; and (5) market-based standards setters (supply chain/production networks). She warns that "*it is critical that regulators identify where there are dependencies on third parties; whose third parties are; the nature and extent of the dependencies; and the risk associated with them*".

This complexity of the financial sector and this polycentric view of the problem are also described in the medical sector in Brathwaite's contribution, with another emphasis. Seeing the healthcare regulatory ecosystem as a complex adaptive system (CAS), Braithwaite describes the multilayered diversity of regulations which frame the context of medical professionals, patients, and regulators. Considering this complexity, he calls for a new paradigm based on a more realistic contribution of people to safe practices. He explains that "*top-down forms of regulation are not the full picture (…) healthcare do not merely respond to regulation, but also self-regulate*", and he adds "*It may not seem obvious to say so, but so do patients*".

In a different context of safety-critical system, the oil and gas industry, two chapters, one by Lindøe and the other by Forseth discuss one specific case of polycentric regulatory systems, the tripartite regime of Norway. In this regime, unions play a strong role between the state and industry in an enforced self-regulation scheme, with changes over time, described as a learning process. Lindøe explains that "*an asymmetrical power relation and legally binding rules will lead to 'command-andcontrol' behaviours. If the regulator shifts towards the role of pedagogue in guiding the industry in implementing 'legal standards' embedded in laws and regulations, the power relations become more symmetrical*".

At the heart of this tripartite regime based on a philosophy of enforced selfregulation and leading to a more symmetric approach described by Lindøe, one finds indeed what Forseth describes as a dialogue. She shows that the dialogue, a continuous conversation maintained between the actors in the tripartite "regulatory space", is the favoured strategy of the regulator in Norway, as opposed to the commandand-control style. She makes it clear, though, that there are conditions required for this to happen. "*The dialogue is formalised, restricted and ritualised and the regulator and the regulatee have their particular roles to play*". Forseth's analysis is one which conveys the importance of thinking social relationships when it comes to the regulator–regulatee relationships, a topic which is developed by Pautz.

To pay attention to social interactions in the context of regulation, such as a dialogue, is also to give credit to the active role played by both the regulator and the regulatee in the concrete, pragmatic, and contextualised translation of regulations at the front-line. Regulation appears, in this light, very much as the social fabric that it is when seen from these micro-levels of description. Pautz is very clear about the importance of thinking about regulations from this angle, indeed "*all too often, the regulatory actors, whose actions constitute the implementation of regulation are overlooked*". One could add that our view of regulation is distorted when such descriptions are missing, when they are not available. This goes for the trend which accompanied the move towards polycentric, global, and multilayered governance: standardisation.

Thus, one powerful trend which was part of the research agenda of the LSE in the 1990s as introduced by Lodge and Hood in their chapter is the 'audit society' thesis by Power (1997). Both Galland and Størkersen provide insights into the mechanisms and consequences of this trend from a regulatory point of view. With a different meaning than the tripartite regime in Norway described by Lindøe and Forseth in their chapters, Galland introduces the tripartite standardisation regime (TSR) based on standardisation, certification, and accreditation developed for consumer safety in Europe in the 1990s. Its logic is one of the production of standards, standards which are certified by auditors while auditors are accredited to provide these certifications. This is one typical mode of operating by the third parties identified by Black, and Galland is equally cautious. "*Although these risk regulation regimes seem, at first glance, globally successful and fit for purpose, they are opaque in their day-to-day functioning, are transformed or grow outdated without anyone noticing, and may sometimes lead to completely unexpected failure*".

One such problem is what Størkersen's chapter precisely addresses: auditism. By relying on safety management systems which have become standards in the industry in the context of new regulatory regimes, the risk of decoupling between these standards, professionals' practices and auditors' scrutiny and certification is real. The extreme case is when "*the core tasks go on outside the managed part of the organisation, undocumented and often despite the safety management system. This creates a gap between formal rules and informal practices, which may be overlooked in audits*". This reintroduces the importance of rules and their relationship with reality, and the centrality of this issue.

Coglianese exposes in this respect the different options for regulators when it comes to rules and their relevance in high-hazard contexts. His chapter is an invitation to think about rule design, crossing the micro- and macro-categories with a decomposition of means-based or ends-based rules. Four options in rule design are discussed, micro-means rules (prescriptive); micro-ends rules (performance-based rules); macro-means rules (management-based regulation); and macro-ends rules (general duty clauses). He concludes with a statement for the regulators who *"also need to remain vigilant. They must continuously monitor how their rules*' *designs are working in practice. They need ongoing engagement with and attentiveness to their regulatees—that is, effective relationships*".

In his chapter, Bernard provides an example in the nuclear industry of a relationship between the regulator and regulatee mediated through a regulatory assessment tool, safety culture. Bernard sees the use of this tool as an example of a practice supporting the development of responsive regulation and fostering cooperation and trust. In his own words, "*at the core of the relationship between the regulator and the regulatee, the results of the safety culture assessment aid indeed at stimulating self-regulation and encouraging a regulated entity to a proactive reflection about its performance*".

One wonders, in the context of global warming, about such regulatory tools to be developed. Julien Etienne argues that global warming is the end of the world as we knew it and that it comes with radical consequences for risk regulatory regimes. Many of the safety-critical systems covered by such regulations are involved in what is described as a "double materiality". They are both exposed to the effects of global warming (droughts, heatwaves, extreme events such as storms, floods, or rising sea levels) and producers of global warming through their carbon emissions. In this pressing context, Julien asserts that "*business as usual is a self-defeating strategy, whether one thinks of regulation as a solution to market failure, a way of making hazardous industries acceptable, or a way of ensuring the safe operation of industries that deliver core services and products to society*".

Overall, from the description of regulatory governance configurations in polycentric contexts to the analysis of the active processes of translation at the front-line through social interactions, the chapters of this book cover a range of perspectives which shed light on the regulator–regulatee relationships. The new local and global challenges to come, from regulating digital societies which include issues of cybersecurity and artificial intelligence to building responses to global warming, ecosystems' collapse, and pollution's effects on health will require inventive modes of regulating safety-critical systems in future...

#### **References**


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Chapter 2 The Risk of Risk Regulation: A Thirty-Year LSE Perspective**

**Martin Lodge and Christopher Hood** 

**Abstract** Drawing on the analytic themes that featured in LSE's teaching and research in the field since the early 1990s, this paper takes a 'then and now' threedecade perspective on the regulation of high-hazard industries. It argues there are some clear continuities in the underlying regulatory dilemma (namely, the costs and benefits of 'togetherness' versus social distance between regulators and regulatees) and in the recurring recipes for the handling of major risks. But it also shows that there have been shifts in the saliency of the various hazards in debate, new epistemic players (notably ethicists) figuring more prominently on the regulatory scene, and more awareness of political constraints on alternatives to classic regulation, such as enforced self-regulation and safety cultures in high-reliability organisation.

**Keywords** Risk regulation · Historical trends · Social dynamics

#### **2.1 The Dilemma of Risk Regulation: How Much Togetherness Between Regulators and Regulatees and How Much Information Asymmetry?**

How socially close or distant should regulators and regulatees be in high-hazard industries (defined as systems or processes where malfunctions can create serious societal harm)? Closeness and high interdependence between regulators and regulatees can enable regulators to overcome otherwise disabling information asymmetry and draw on the technical and operational expertise of the regulatees, while the latter can rely on regulators to provide them with formal and informal authorisation for their continued 'social licence' to operate. But any such social closeness runs the risk of

M. Lodge (B)

C. Hood Oxford University, Oxford, UK

© The Author(s) 2024 J.-C. Le Coze and B. Journé (eds.), *The Regulator–Regulatee Relationship in High-Hazard Industry Sectors*, SpringerBriefs in Safety Management, https://doi.org/10.1007/978-3-031-49570-0\_2

London School of Economics and Political Science, London, UK e-mail: m.lodge@lse.ac.uk

'regulatory capture' by producer interests (by creating close-knit policy communities that may include revolving doors between regulator and regulatee positions or shared conceptual or cultural outlooks).1 Such relationships typically lead to charges of lack of regulatory independence from alternative industries, from social movements challenging what they see as inherently unsafe activities, and from political parties and advocacy groups committed to the outright prohibition of certain technologies (such as nuclear energy, GM foods or human gene-editing) rather than regulation.

So is there an ineluctable policy dilemma between risk regulation that is wellinformed but lacks credible independence and regulation that is socially distanced from producer interests but hampered by significant information asymmetry? This question represents one of the fundamental issues in the study of risk and regulation and this chapter consequently identifies a set of broad recipes for limiting capture that have been debated over the past thirty years. It does so by reflecting in particular on the intellectual journey in teaching and research on the subject in the London School of Economics and Political Science (LSE) over the past three decades. What does that journey reveal about what were considered to be high-hazard industries and what were the most salient recipes for regulating them? Accordingly, we revisit the start of the journey by giving a brief account of the 'state of the art' as viewed in the early 1990s. We then turn to four recurring recipes for dealing with regulatory capture in high-hazard industries, noting variations within these recipes that emerged as the journey went on. We conclude by considering the state of the art as viewed in the early 2020s and the extent to which there has been change in perspectives over the past 30 years.

#### **2.2 Where the Journey Began: The Risk Regulation World of the Early 1990s**

Three decades ago, the discussion of high-hazard industries was particularly shaped by the aftermath of the 1986 meltdown of Reactor No. 4 in the Chernobyl nuclear power plant in Ukraine which preceded the collapse of the Soviet Union and, from the mid-1990s, by rising concern over the spread and transmissibility of 'mad cow disease' (BSE) first identified in the late 1980s and reaching its peak in the early 1990s. In debates over how to handle such hazards, much attention was paid to Perrow's (1984) work on 'normal accidents', which called for the abandonment of some high-hazard industries (notably nuclear power, following the 1979 meltdown at the Three Mile Island nuclear plant in Pennsylvania). But along with Perrow's abolitionist approach, alternative ideas developed about how to institutionalise safety and 'high-reliability organisations' (La Porte 1991; Sagan 1993; Weick 1989) rather

<sup>1</sup> On the variety of 'capture' perspectives, using the 'original sin' account set out by George Stigler rather than Bernstein's 'life-cycle' account, see Carpenter/Moss (2013).

than abandoning or outlawing high-hazard processes. Many studies exploring such issues followed prominent 'man-made' disasters of that time, of which some of the leading cases were the methyl isocyanate leak at the Union Carbide Bhopal chemical plant in 1984 (resulting in over 15,000 deaths on some estimates), the launch disaster of the Challenger space shuttle in 1986, the sinking of the ferry Herald of Free Enterprise in 1987 and the Piper Alpha oil-rig fire of 1988. Other high-hazard industries that were explored through safety-culture lenses included air traffic control systems, drug approval processes, and the application of pesticides. More generally, a central and much-discussed contribution was Ulrich Beck's Risk Society (1992), written in the aftermath of Chernobyl, that explored the changing nature of risk and underlying anxieties about its management.

LSE responded to and helped to shape the risk regulation debate in the 1990s in several ways, including an interdisciplinary seminar on the handling of risk that led to a social science contribution to the Royal Society's second publication on risk management in the early 1990s (Royal Society 1992); an interdisciplinary master's programme on regulation (comprising elements of economics, law, sociology, and political science) that developed in the mid-1990s; and various research projects that led up to the formation of LSE's interdisciplinary Centre for the Analysis of Risk and Regulation at the end of the decade. Those developments reflected at least three academic concerns that reflected on the broader themes of risk regulation noted above:


an all-out challenge to that 'objective' view of risk in the early 1980s, and it was arguably that element that made the social science contribution to the 1992 Royal Society report on risk (orchestrated by LSE) so controversial to the Royal Society's distinguished engineers that it was downgraded to a publication that was not an official report.

(c) The related development of other new ideas about how organisations and societies handled risk, particularly in Michael Power's 'Audit Society' work (1994, 1997) that offered an account of the social dynamics that led to the rise of 'audit' as a dominant programmatic idea and set of technical practices for administrative control based on ideas and practices of financial audit. By offering such a perspective on the 'explosion' of audit-based approaches to risk regulation that were developing at that time and by emphasising the likely negative consequences of audit-related 'rituals of verification', the work of Michael Power and his followers highlighted some of the possible unintended consequences of regulation and thereby provided a new angle on a classical theme in social science (Merton 1936) for the analysis of regulation.

#### **2.3 Four Recurring Recipes for Limiting Regulatory Capture in High-Hazard Industries**

None of those concerns or analytic approaches that animated the LSE's explorations of risk and regulation at the outset of its journey thirty years ago have wholly disappeared. The interest in the 'audit explosion' moved to a broader concern with the rise of risk management (Power 2007, 2016) and there continues to be interested in (the construction of) technologies that seek to establish the risk appetite and enforcement strategies of regulators ('risk-based regulation', Baldwin and Black 2016) or seek to make risks 'calculable' (Mennicken and Espeland 2019), processes of institutional risk 'attenuation' (Rothstein 2003) as well as continued interest in cross-sectoral and cross-national variation. Attention continued to be paid to the prerequisites and limitations of 'responsive regulation' and other models of enforced self-regulation. Further, there has been underlying continuity in the kinds of recipes on offer for handling or overcoming the dilemma of 'distance' versus 'togetherness' in regulators' relationships with regulatees. Those recipes are:

(a) *'Techno-regulation'*: This recipe rests on using physical and digital architecture to reduce opportunities for deviant or unsafe conduct and supplement official rules, as in the case of medical equipment that can only be used in prescribed ways (e.g., in single-use products or apparatus that cannot be disconnected). There is nothing new about the basic idea of fail-safe systems (a traditional example is the so-called dead man's handle in electric trains, dating back to the late nineteenth century), and there were some antecedents for what is now called 'nudge' (following the title of Thaler and Sunstein's 2008 best-seller) to denote the changes of behaviour that can be produced by careful framing of choices in IT architecture. But technological development since the 1990s has

#### 2 The Risk of Risk Regulation: A Thirty-Year LSE Perspective 17

changed that techno-regulatory risk landscape not only in creating new potential hazards but also in new potential for using robots, algorithms (based on big data and machine learning), and other non-human elements in regulatory processes to check, supplement or even replace human discretion (see Yeung and Lodge 2019).


(d) *'Strict liability' and Tort versus Criminal Law*: A fourth recurring recipe for dealing with the dilemmas associated with regulator–regulatee relationships is based on the design of legal processes, notably over rules of evidence relating to culpability and the use of criminal rather than civil law (and consequent imposition of fines and penalties), to offset regulatory capture or similar producerdominated behaviour. The imposition of strict liability on producers of defective or unsafe products or services (i.e., penalties and liability that do not require evidence of intention or mental state (*mens rea*) on the part of the risk producers) is a long-running issue in risk regulation. A related issue concerns the rules of evidence for proof of negligence, for example in the field of medical risks, where the decision of judges in some state supreme courts in the USA in the 1960s removed the necessity for testimony from other medical practitioners in proving medical negligence, thereby heralding a new era of 'defensive medicine' with its associated costs and benefits. Similar issues repeatedly arise over the handling of culpability over the handling of financial risk, for instance in efforts to impose strict liability on senior managers in financial firms for regulatory misconduct on the part of their subordinates. It is in this context, as well as, arguably even more prominently, in the field of competition law, where across jurisdictions there has been a growing emphasis on deterrence by linking individual accountability for wrongdoing to criminal sanctions rather than relying primarily on tort law or on sanctions on businesses that were seen as simply 'costing in' potential fines.

None of those four broad recipes have gone away thirty years later. Variants of each of them keep emerging, whether in the idea of criminalising actions previously only regulated by tort law, new 'fail-safe' mechanisms based on technologies intended to complement if not replace human judgement, the call for new super-regulators, or new variations on the 'people power' theme.

#### **2.4 From Mad Cows to Corona: So Where Are We Now?**

We suggested earlier that LSE's approach to risk regulation three decades ago was shaped by events such as the Chernobyl disaster, and concerns about the regulation of food safety in view of the 'mad cow disease'. Thirty years later, concerns with nuclear risks and other disasters produced by corporate and regulatory failings are still central to risk regulation debates, particularly in the aftermath of the 2012 Fukushima disaster ('t Hart 2013), though risks associated with genomics have not (yet) attracted the attention that was anticipated three decades ago in connection with the sequencing of the human genome. A decade into the LSE's risk regulation journey, the overnight collapse of one of the largest corporations in the USA (Enron in 2001) highlighted the importance of financial risks emerging from accounting scandals. Similar themes emerged in the context of the German payment processor Wirecard in 2020. More generally, financial transactions have increasingly been defined as 'high-hazard' operations, especially following the bank collapses in the 2008 global financial crisis. In recent years another major new risk of concern has been the 'weaponising' of the cyber-world and broader concerns with the future development and deployment of artificial intelligence that create interdependent large technical systems far beyond the network technologies of the past in telecommunications, power, or transport (Hughes 1983). And the COVID-19 pandemic brought other high-hazard processes and regulations into contention, for example in the interface between hospitals and care homes and the trade-off between healthcare system collapse and keeping basic supply lines open (Hood 2022).

Such developments suggest that new hazards of risk regulation will keep emerging into view, along with new adaptations of the recipes for handling the associated regulatory dilemmas.

Despite the tendency in the literature to scale new heights of hyperbole (for instance in phrases such as 'mega-crises' (Helsloot et al. 2012) and 'super-wicked issues' (Levin et al. 2012)), none of the issues that preoccupied LSE debates over risk and regulation three decades ago have altogether disappeared from view, and the same goes for the four recurring recipes for dealing with the regulatory capture/ information asymmetry issues in the handling of risk. It is not so much that the debate has fossilised as that the basic recipes for dealing with regulatory capture have to be set into an ever-changing political and technological context. Part of that change in context relates to alterations in the 'epistemic community' of risk regulation scholars themselves. The stark social divide between the UK Royal Society's engineers and social scientists over risk perception and management in the early 1990s is arguably much less prominent today, with much more acceptance of culturally constructed risk perceptions (Kahan 2012), although it has by no means completely disappeared. The geographic focus has shifted too: LSE's debates of thirty years ago mainly concerned UK and US national regulation (e.g., in Hood et al.'s (2001) work on the institutional fragmentation of risk regulation regimes), with much less attention paid to transboundary coordination in the handling of the risk issues and of national regulatory decisions than applies today (Cabane and Lodge 2022).

In conclusion, the dilemma between regulatory independence and the capacity to penetrate information asymmetry in handling high-hazard industries and processes seems unlikely to be resolved over the next thirty years. Nor are the four recurring recipes for coping with that dilemma likely to disappear. Rather, the challenge will be to develop and adapt those recipes to changing conditions, as new high-hazard industries and processes emerge and new opportunities develop for rebalancing political authority and regulatory expertise.

#### **References**


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Chapter 3 The Role of Third Parties in Regulatory Systems: Examples from Financial Services Regulation**

**Julia Black** 

**Abstract** Regulatory systems can include a variety of third-party intermediaries, performing a variety of roles, with variable capacities, motivations, strategic position, and authority. Third parties may be deliberately 'enrolled' in the regulatory system, or they may be 'enrolled' de facto, due to the business model/activities/markets of the regulated firms. Such third parties can be a benefit to the regulator, expanding its capacity. But as well as introducing unintended consequences, they can also introduce key dependencies, with associated risks to which the regulator needs to be alert, and which it needs to mitigate where possible through a range of formal and informal strategies.

**Keywords** Third-party intermediaries · Regulatory systems · Multilevel governance · Enrollment

#### **3.1 Introduction**

While the primary focus of any regulator, and indeed many scholars of regulation, is on the relationship between regulators and those they regulated, it is a long time since either group thought that regulated firms were the only other actors in a regulatory system and therefore that the regulator–regulatee relationship is the only one which matters. In the late 1990s, scholars were talking about the 'regulatory space' and of the role of multiple actors in a regulatory system, including self-regulators or hybrid forms of public/private regulation. With the growth of the EU as a regulatory actor, multilevel governance systems came more prominently into focus. The challenges of managing issues which cross jurisdictional boundaries brought the question of international regulatory cooperation to the fore in the early 2000s, enhanced by the global

© The Author(s) 2024

J. Black (B)

London School of Economics and Political Science, London, UK e-mail: j.black@lse.ac.uk

J.-C. Le Coze and B. Journé (eds.), *The Regulator–Regulatee Relationship in High-Hazard Industry Sectors*, SpringerBriefs in Safety Management, https://doi.org/10.1007/978-3-031-49570-0\_3

financial crisis. The role of private actors in constituting and collaborating in regulatory regimes has attracted the attention of scholars of sociology, law, international political economy, and international relations who share an interest in the dynamics of transnational regulatory systems and various forms of international regulatory engagement or disengagement (Baldwin et al. 2012 for review).

So we know that regulation involves multiple actors interacting at multiple levels in multiple ways. This paper focuses on the role of intermediaries within a statebased regulatory regime. The first part asks five questions, answering in generic terms: who are they, what do they do, how are they enrolled or otherwise engaged in the regulatory system, what the implications may be for regulators in terms of the dependencies that arise due to the roles being performed by such intermediaries, and in turn for the resilience of the regulatory system. The second part looks at some specific examples from financial services regulation, particularly in the UK.

The discussion which follows is based on a polycentric conception or model of a regulatory system (Black 2001, 2008). In short, regulation, or regulatory governance, is understood here as a series of intentional, sustained, and focused attempts to influence the behaviour of others in order to pursue a collective purpose, using a range of techniques which often, but not always, include a combination of rules or norms and some means for their implementation and enforcement (Black 2001; Koop and Lodge 2017). Regulation can focus on any area of social or natural activity, from how wars are conducted to how buildings are constructed. Regulation may involve a high degree of state involvement, or none at all, or involve both state and non-state actors in various ways, each of whom may use legal and/or non-legal norms. Thus, regulation is a mode of governance not just of government, and the terms 'regulatory system' and 'regulatory governance system' will be used interchangeably.

Regulation is an activity which can be performed by a range of individuals and organisations. Those participating in that common regulatory project may be sufficiently interrelated to form a system, regime, or network which has some continuity over time, the boundaries of which are delineated by the definition of the project which they are engaged in pursuing. Regulatory systems can range in their polycentricity, i.e., in the degree of dispersal and fragmentation of actors in the system (regulators, regulatees, intermediaries, etc.), in their degree of internal coherence and connectivity, and in the extent to which they are clearly delineated. Importantly, both state-based and non-state-based systems are polycentric to varying degrees—it is not the case that 'centric = state', and 'polycentric = non-state'. Regulatory systems are dynamic, continuously evolving, and through reflexive interactions and feedback loops are constantly being reconstituted, redesigned, and reformulated in the process of their performance. Further, regulatory systems are embedded in different social, cultural, technical, political, legal, economic, and market systems with which they interact, and as such are characterised by complex internal and external interactions and interdependencies both within themselves and with other regulatory systems. They also vary in their relationships with other systems, with which they may compete, coordinate, cohabit, clash, or simply ignore (Eberlein et al. 2014). Finally, in order to function effectively, all regulators, even state-based ones, have actively to create their own legitimacy and trustworthiness.

Importantly for this discussion, those participating in, and thus constituting regulatory systems (as individuals or organisations) are independent agents, each with their own normative or value frameworks. They also have different cognitive frameworks and rely on different sources of knowledge. Importantly, they also have different capacities for action, in other words different levels of financial resources, information, expertise, and organisational capability. Further, their sources of social, political, legal, and economic capital will vary, which can affect their strategic position. Relatedly, they have different degrees of power, and/or authority and legitimacy to act. All of these features can affect their interests, incentives, motivations, views, cultures, and thus behaviours, including how they interact with others, and others with them.

As noted above, the actors who are the usual focus of analysis are regulators and regulated firms, either in themselves or in the dynamics of the relationship between them. But third parties can also play significant roles in the constitution and performance of regulatory systems. So who may they be, what may they be doing, and with what implications? (Noting that the focus here is on 'market-based' third parties, not other state-based regulators either in the same or another jurisdiction).

#### **3.2 Third Parties in Regulatory Systems: Some Examples**

The third parties in focus are those who are *in practice* performing some kind of regulatory function within a regulatory system, whether or not they have been allocated that function formally or not. Briefly, and crudely, those functions can include any of: setting goals and agendas, formulating or interpreting norms (including norms for models or measurement, design, and other forms of techniques), monitoring activities, and providing information on them and/or gaining compliance with respect to those norms (Black 2003; Abbot et al. 2017).

There are at least five groups of third parties who may be performing at least one of those roles within a regulatory system though whether by design or otherwise is a matter we will turn to below.

	- These are actors who provide assurance of the existence (or otherwise) of a state of affairs, e.g., the financial state of a company, or the compliance with standards of other standard setters, including those operating transnationally (e.g., ISO standards), or the standards/rules/norms of the regulatory system itself. In financial regulation, auditors and other assurers play a particularly significant role both in the performance of their general functions, but also as we will see below, in providing assurance on particular matters at the request of regulators.
	- Knowledge and compliance intermediaries are those who advise regulated organisations or individuals on the interpretation, implementation, and compliance with regulatory requirements, such as advisors, consultants, lawyers, and so forth. They may be advising on the interpretation of rules or the design and implementation of organisational processes to ensure compliance. More recently, they may be providing technologies for compliance—the 'reg tech' market is one which is growing rapidly in financial services, with both regulators and firms looking to technology to facilitate compliance through means such as smart rules, smart contracting, the automation of routine reporting, and enhanced data analytics, or in other ways.
	- Gatekeepers possess a key resource a firm needs to access or operate in a regulated market, such as registration, accreditation, insurance, audit. Their position is usually one created by the regulatory system (e.g., requirements to have audited accounts, or to have an ISO certification) or may be created by the market (e.g., supply chains insisting on certification or accreditation).
	- Measurers and modellers can be incredibly important providers of indices, models, risk assessments, and so forth which are relied on by regulators. They play a significant role in financial regulation, due to its reliance on calculative techniques as regulatory tools. Most notorious is the role played by credit rating agencies in the global financial crisis of 2008–2009. Rating agencies provide an assessment of credit risk of financial instruments, in this case securitised loans. Credit ratings are highly influential in pricing decisions within the market, but they are also 'hard-wired' into the financial regulatory system in a number of ways. Most particularly, in capital provisions (the amount of funds a financial institution has to set aside to cover potential losses on an asset). In many cases, regulatory capital rules require an uplift in capital if the rating of an asset goes down, and vice versa. Prior to the crisis, credit rating agencies and the calculative models they used were not regulated. The crisis revealed the dependency that financial regulatory systems around the world had on credit rating agencies, leading to their greater regulation and requirements that they publish the core elements of their models.
	- As AI and machine learning become more prevalent in financial markets, and indeed more widely in other high-hazard sectors, the transparency requirement imposed on the calculative models of ratings agencies, and indeed the regulation of calculative models more generally in financial regulation, is an interesting area to explore for examples of how AI algorithms might be regulated.
	- There may be other actors present in a market which set standards which regulated firms either have to adopt for business reasons or choose to adopt. Insurance is a standard example in risk and safety management: insurers will require various risk mitigations to be in place as a condition of insurance, or at least will incentivise risk mitigation through its pricing of insurance cover. As general insurance contracts tend to be written on an annual basis, this can be a dynamic mode of regulation in areas of emerging technology or rapidly changing risks, notably cyber-risk, and natural catastrophe insurance related to climate change. However, it's worth noting that who is a third party in one regime may be a regulated firm in another—so for financial regulators, insurers are both third parties (in, e.g., providing cyber insurance to banks) but also directly regulated by them. So on the one hand a financial regulator may want banks to be well covered for cyber-risk, but on the other will be closely watching the terms of the cover which insurers are writing to ensure that they are sufficiently well capitalised to withstand system-wide claims.

#### **3.3 How Many Third Parties Be Enrolled in Regulatory Systems?**

Third parties may be enrolled by design, or as a consequence of market practices. Further, their enrolment may be 'one off' or unique to a particular firm, or it may be pervasive.

Third parties may be actively enrolled by regulators to perform specific functions on a 'task and finish' basis. In UK financial services regulation, the legislation provides the ability for regulators to require firms to appoint a third party to perform an investigation or provide assurance; the terms of the task are set by the regulator, but the firm has to pay the costs of the third party. Termed 'Section 166' orders (the legislative provision), these are very useful ways for regulators to conduct 'deep dives' into an area of a firms' activity as a prelude to potentially taking supervisory action, and/or as a means of providing assurance that various compliance activities have taken place. They may be highly technical, for example be focusing on a particular aspect of firms' capital models, or be more focused on cross-cutting organisational matters such as risk management and governance. They are not cost-free for the regulator, who still has to engage with and follow up on the reports, but they are a very effective way for a regulator to bring in specialist skills, or expand its capacity in an existing skill for particular projects without having to carry those staff overheads on a permanent basis.

Alternatively, they may be (or become) actively enrolled into the regulatory system in a way which pervades the system. As discussed above, the incorporation of indices, measurements, assessments, models, or evaluations made by third parties into regulatory rules can be by design, as in the case of credit rating agencies. Other examples are requirements to have third-party accreditation, such as with ISO standards, or to have insurance. Such enrolment can have unintended consequences and indeed cut across the aims of the regulatory system itself. A current UK example comes from legal services regulation. In an attempt to liberalise the market for legal services in England and Wales, the regulator allowed those holding the professional title of solicitor to operate through different business models. However, anecdotally, insurance companies who provide the professional indemnity insurance (which legal services regulators require solicitors to have) are unwilling to grant insurance to those using these newly allowed business models. What the regulator gives, a third party takes away.

Third parties can also be relevant actors in the regulatory system through the outsourcing practices of regulated firms, or through regulatees' reliance on them as knowledge and compliance intermediaries, or because they are model providers, producing models on which firms (and regulatory systems) rely. Examples in financial services include reinsurance providers and rating agencies. Many financial institutions produce their models in house, but there are important third-party market providers, particularly for new or emerging risks. Newly emerging model markets are in AI and modelling of the financial impacts of climate risks. The role of such third-party providers may be fairly ad hoc, but certain providers may pervade the market, and thus the regulatory system. Such pervasiveness, or systemic presence, may arise from the nature of the markets in which firms are operating (including requirements of other regulators with respect to that market).

The systemic presence of particular third-party actors may also arise from concentration effects produced by the aggregated impact of firms' individual outsourcing decisions, which in turn can be exacerbated by concentrated market structure, i.e., small range of providers. A very live example is cloud services providers. The market is highly concentrated at present, with just three main providers, and they are hosting an increasing amount of both services for financial institutions and critical infrastructure for financial markets, as well as critical infrastructure for operators in other regulatory domains including energy systems and intelligence. Where there is significant reliance on a relatively small set of unregulated third parties who are providing models (or indeed physical as well as intangible infrastructure) at significant levels, such as cloud providers, they may themselves be a source of endogenous systemic risk—but one which regulators may not have powers to manage (note the draft EU Digital Operational Resilience Act is intended in part to address this risk).

#### **3.4 Third Parties in Regulatory Systems: Dependencies and Resilience**

As noted above, the activities of third parties in regulatory systems can produce unintended consequences. This should come as no surprise—each will have their own capacity and motivations/incentives, and their goals and motivations may not be aligned with those of the regulatory system. Their authority and legitimacy to perform different regulatory functions will also vary, though that point cannot be developed here.

One of the consequences can be that the regulatory system ends up dependent on the activities of various third parties. As discussed above, such dependency may arise either by design, or through the operations of regulatees. But even if incorporated by design, as were the ratings for credit rating agencies prior to the 2008 crisis, or index providers such as LIBOR, regulators can fall into the trap of assuming that the third parties producing such ratings, indices, assurance, etc., are doing so in a neutral, objective, expert manner—i.e., in a way which means that they can be relied upon. As the crisis showed (and as endless auditing failures have also demonstrated, most recently Wirecard), such an assumption can be baseless, or at least flawed.

It is critical that regulators identify: where there are dependencies on third parties; who those third parties are; the nature and extent of the dependencies; and the risks associated with them. That involves looking at the capacities and motivations of the third parties, and asking how they are likely to change over time. Regulators also need to ask: are those third parties themselves regulated? In which case, issues of interactions between regulatory systems are likely to arise.

*Mitigating the risks of dependencies, enhancing the resilience of reliance* **(1)**  Where the third party is not regulated at all by any regulator for its main business

functions, the regulator may need to consider a range of strategies to try to influence them. These may include:


Where the third party is regulated by another regulator, issues of inter-regulatory system dynamics arise. In such cases, in addition to the strategies outlined above for non-regulated third parties, the regulator may need to consider how to engage with the third party's regulator. However, such engagement can be inhibited by the lack of a forum or mechanism to enable engagement, including legal barriers to information sharing. Other, wider challenges of inter-regulator engagement may also come into play, notably potentially conflicting goals, priorities, and logics. A relevant example from financial services is the competing approach to loss accounting taken by accounting standard setters, the International Accounting Standards Board (IASB), and the aims of prudential supervisors to avoid pro-cyclicality. This issue is quite technical, but in essence IASB standards (post-2008 crisis) require firms to book losses in advance of them crystallising, which means that firms' financial positions are worse from an accounting point of view in a downturn. The interlinkage of financial statements and capital standards means that drives capital requirements up in a downturn, which is the point when, from a macro-economic point of view, regulators want those requirements to be (moderately) reduced to enable banks to be able to continue to provide finance into the economy and mitigate the downturn, facilitating financial stability in the long run. An emerging tension is also appearing with respect to the regulation of cloud service providers. They are currently unregulated, but competition regulators are looking at them closely. However, the logic of competition, which is to drive efficiency, can be at odds with that of resilience, which not only tolerates redundancies but actively requires them. So, while competition regulators may be concerned that the market for cloud services is competitive and not be overly concerned about resilience, financial regulators whose mandate is to protect the safety and soundness of financial systems will be much more concerned about financial and operational resilience. Clearly, the challenges are only enhanced when such inter-regulatory dynamics have to occur across national jurisdictional boundaries.

#### **3.5 Summary**

So in sum: Regulatory systems can include a variety of third-party intermediaries, performing a variety of roles, with variable capacities, motivations, strategic position, and authority. Third parties may be deliberately 'enrolled' in the regulatory system, or they may be 'enrolled' de facto, due to the business model/activities/markets of the regulated firms. Such third parties can be a benefit to the regulator, expanding its capacity. But as well as introducing unintended consequences, they can also introduce key dependencies, with associated risks to which the regulator needs to be alert, and which it needs to mitigate where possible through a range of formal and informal strategies.

3 The Role of Third Parties in Regulatory Systems: Examples … 31

#### **References**


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Chapter 4 The Healthcare Regulatory Ecosystem**

**Jeffrey Braithwaite** 

**Abstract** Healthcare is a complex adaptive system, with considerable fragmentation between healthcare institutions and medical specialisations. The regulation of safety in healthcare involves both formal (legislation, accreditation procedures, policies, procedures) and informal (professional standards, ethical principles, accepted modes of care) components. These instruments are complemented by self-regulation by clinicians and by patients who invest in understanding their ailments and selecting desired treatment modes. In recent years, the Safety-II approach is increasingly recognised as an important regulatory paradigm.

**Keywords** Patient safety · Regulation · Self-regulation · Regulatory paradigms · Safety-II

#### **4.1 Introduction**

At least as much as other safety environments and sectors discussed in this volume, healthcare is a complex adaptive system (CAS). This means that it exhibits certain features that challenge regulators and regulatees. CASs involve multiple stakeholders (individuals, organisations, institutions) interacting over time to create policy, treatment, and care. A CAS follows rules, some of which are self-directed, others which are formally enacted, and yet others which are externally regulated. The capacity of stakeholders to self-organise, exhibit emergent behaviour, learn, and adapt flexibly over time are inherent features of the healthcare CAS. Those who study such complex systems have observed common characteristics in examples from cities to markets to social networks to organisations (Axelrod and Cohen 2000; Waldrop 1992). Key features of complex adaptive healthcare systems are presented in the accompanying box (Box 4.1) (Braithwaite et al. 2018a, 2017).

J. Braithwaite (B)

© The Author(s) 2024

Australian Institute of Health Innovation, Macquarie University, Sydney, Australia e-mail: jeffrey.braithwaite@mq.edu.au

J.-C. Le Coze and B. Journé (eds.), *The Regulator–Regulatee Relationship in High-Hazard Industry Sectors*, SpringerBriefs in Safety Management, https://doi.org/10.1007/978-3-031-49570-0\_4

#### **Box 4.1. Key features of healthcare complexity**


In the healthcare CAS, it is not only the *characteristics* of complex care which stimulate the regulatory regime. It is also the tests of regulatory efficacy: the *public interest test* (how can we protect society?), the *economic benefits test* (how can we promote cost-beneficial care?), and the *patient safety test* (how can we keep patients safe?). In attempting to satisfy these tests, regulators must take account of the sheer complexity of the healthcare ecosystem. Essentially, they are seeking to ensure the integrity of the system and the quality of care provided across the plurality of healthcare markets and services.

With that introduction in mind, healthcare conceptualised as a CAS can now be defined. The healthcare CAS has multiple agents (e.g., patients, clinicians, and other professional and support personnel, managers and leaders, policymakers, politicians and agencies including those responsible for financing, standards-setting, assuring quality of care, assessing professional staff, and providing care). Healthcare is structured into sectors (acute care, primary care, aged care, rehabilitation, tertiary, and quaternary care). The numbers of patient types and conditions for which patients require treatment are very large, as are the range of drugs, procedures, treatments, and care protocols. Each of the sectors and their delivery organisations require differing levels and types of regulatory frameworks (Braithwaite et al. 2018b).

This means there is a vast range of markets and market considerations facing regulators. In the main, regulation is conducted through various types of enactment by authorised bodies and agencies, e.g., legislation and legislative instruments, policies, procedures, standards, and guidelines, and then inspecting, credentialing, authorising, and certifying against those enactments. Informal regulation emanates from professionally recognised standards, ethical principles, and accepted modes of practicing and caring for patients. There is also a great deal of choice exercised by clinicians on the front-lines of care and by patients on the ground.

#### **4.2 Literature Review**

A brief examination of some key healthcare regulation studies can help further with background understanding, illustrating how widespread regulation has become. There are examples ranging from society-level regulatory approaches, e.g., taxes on sugary drinks (Fenton 2019; Wilkinson 2019); through to medical device regulation (Vasiljeva et al. 2020; Kramer et al. 2012); regulation of clinical practice (Yang et al. 2021; Jovic et al. 2015); social regulation and bottom-up aspects of professional values (Bringedal et al. 2018); and a range of others including e-cigarette regulation (Rose et al. 2015); patient safety regulation (e.g., Oikonomou et al. 2019); clinical trial regulation (Knaapen et al. 2020); regulation of abortions in the US (Dodge et al. 2012); and regulation of home-based care (Daumit et al. 2019) (Table 4.1).

The table draws attention to the range of regulatory activities that have been researched. The landscape of regulation is thus fragmented. In the English NHS, for example, a study by Oikonomou and colleagues (Oikonomou et al. 2019) found that there were 126 organisations exerting some level of regulatory influence over providers of various kinds. Thus, healthcare complexity is being met by a propensity of complex regulatory activities. We turn to a more detailed examination of these activities.


**Table 4.1** Selected studies of regulation in healthcare

#### **4.3 Regulation of and in Healthcare**

There are extremely important public interest and health considerations in providing clinical care. Healthcare is high-tech and high-touch simultaneously and, although the benefits of providing good quality care to patients are considerable, things can go wrong. Harm befalling patients is estimated, depending on how it is measured, to run at about 1:10 admissions and encounters. Most of these incidents are minor in nature, but serious adverse events can and do occur in every health system. A proportion of all incidents, perhaps a third, is thought to be preventable.

Harm is in the mind of regulators, and healthcare quality and waste are also important. Some 60% of care is in line with level 1 evidence or consensus-based guidelines, up to 30% is waste, and 10% is related to some form of harm (Braithwaite et al. 2020) (see Fig. 4.1). This 60-30-10 idea is increasingly the focus of policymakers, clinical colleges and healthcare organisations as well as regulatory authorities and agencies.

This 60-30-10 paradigm is a systems view of the challenges facing healthcare: by raising the 60%, and reducing the 30 and 10%, the care provided by the system would be improved (Braithwaite et al. 2020). Amalberti et al., presaging this idea (e.g., Amalberti 1996; Amalberti et al. 2005), have also written on health systems. The systems approach he and Vincent have championed has been influential (Vincent and

**Fig. 4.1** 60-30-10 paradigm

Amalberti 2016). With colleagues, Amalberti has considered ultrasafe care (Amalberti et al. 2005), barriers to safety (Amalberti et al. 2005), and real-world strategies towards safer, higher-quality care (Vincent and Amalberti 2016). He advocates improving the system and its processes, which is especially challenging in an era of technological, sociological, political, and economic change.

These considerations bring us to the changing role of regulators in ensuring that high-quality, safe care is provided. Regulatory effort has traditionally been aimed at preventing, reducing, or eliminating harm at the societal level, or for specific patients and patient groups. This has been labelled Safety-I (Hollnagel et al. 2013). It involves regulatory prescribing or legislating to ensure practitioners act safely and provide acceptable standards of care. It assumes that things go wrong and that efforts should be made to reduce incidents and adverse events, such that the system gets as close as possible to zero harm.

Some experts think that in a system this complex, zero harm is not merely unattainable, but a misguided goal. Over the last eight years, approaches towards promoting a Safety-II paradigm, looking at how things go well, have been articulated (e.g., Wears et al. 2015). These approaches ask a powerful question—how does care go right so often, given the complexities of healthcare and the propensity for things to go wrong? The perspective here is to consider the extent to which the system exhibits resilient performance: can it sustain its operations while facing both expected and unexpected conditions, and doing so by making continual adjustments in response to changes, disturbances, opportunities, and threats. Such resilient performance for Hollnagel is feasible if four potentials are pursued: the potential to respond; to monitor; to learn; and to anticipate. These four potentials are collectively known as the resilience assessment grid (Hollnagel 2017).

Regulation and regulatory authorities have not completely caught up with this shift in mindset and the focus on how systems succeed and enhance the ability to succeed more often under complex variable conditions and circumstances. Nevertheless, some countries, e.g., the Netherlands, Australia, and the Scandinavian countries, are increasingly reflecting a Safety-II view in their regulatory responses.

#### **4.4 The Australian Health System as an Exemplar**

By way of providing a country-level example of the complexities of healthcare regulation, the next table (Table 4.2) summarises some of the main regulatory mechanisms of Australian healthcare (Australian Government Department of Health 2021). It is more extensive than this table depicts, as the direct and indirect effects of each regulatory initiative are felt across the macro-, meso- and micro-levels of the system. But these are some of the more prominent forms of regulatory structures and foci. These functions and roles are mirrored in other healthcare systems.

By way of responding to these formal regulatory agencies and bodies, for the most part healthcare organisations and private providers try to adhere to their requirements. This is because the majority of regulation has the force of law or comes with incentives


or penalties and also because of the public interest test, for which there are imperatives that providers must satisfy; but also because of the ensuing reputational damage if they fail to comply with relevant regulation. For instance, no pharmaceutical company or medical device provider wants to cause morbidity or mortality which could be attributed to their products, and hospitals or general practices with major adverse events or safety lapses occasioning patient harm or deaths must avoid causing such serious incidents as much as they are able to do so.

However, healthcare has not always been successful in complying with requirements, in contrast, say, with aviation. There are thousands of adverse events and violations annually, and inconsistent adherence to known measures to improve the quality and safety of care, such as the variable use of checklists in operating theatres.

#### **4.5 Self-Regulation on the Front-Lines of Care**

It follows that top-down forms of regulation such as those presented in Table 4.2 are not the full picture. Healthcare professionals do not merely respond to regulation, but also self-regulate. It may not seem obvious to say so, but so do patients.

Clinicians on the front-lines (e.g., surgeons, general practitioners, psychologists) have considerable degrees of autonomy as to the evidence they consult or treatments they provide, for example, and patients today have more agency and have a greater say in their care compared with past eras. Thus, providers (and, more frequently these days, patients) are able to self-regulate—professionals, by the treatment choices they make, and patients, by the decisions they make in accepting, rejecting, or adhering to clinical recommendations. Research associated with the 60-30-10 paradigm suggests that 40% of care does not follow the available level 1 evidence or current clinical guidelines (Braithwaite et al. 2018c). A proportion of such non-adherence is attributable to clinical choices and patients and relatives exercising their preferences.

There are also pressures within and across health professional teams to act appropriately and conform with professional standards. As well, although they are subject to formal regulation discussed above, clinicians nevertheless tend to act ethically, in the interests of patients, and with forethought most of the time (Bringedal et al. 2018). However, healthcare incentives can act perversely, and mean that volume and patient throughput can be privileged over value and outcomes, and celebrated regulatory lapses such as in the famous UK case of serial murderer Dr Harold Shipman (Jackson and Smith 2004), and when hospital cultures become toxic and usher in a major inquiry (e.g., The Bristol Royal Infirmary Inquiry ('Bristol Royal Infirmary Inquiry' 2002)) are illustrative of the limits of self-regulation, and showcase when clinicians fail patients or systems break down, or both.

#### **4.6 Theoretical Paradigms of Interest**

Regulation has also been subject to theoretical interest in healthcare. There are many theories of regulation, some of which are healthcare-specific and others which have been formulated elsewhere, and applied to healthcare. Examples include 'interest theories' (whereby the regulator attempts to maximise social welfare and acts for the benefit of society), 'toll booth theories' (whereby regulation is enacted for the benefit of governments and bureaucrats through which they can extract rent or votes) and 'principal-agent theories' (whereby the government-regulator acts as the principal and the regulatee as the agent in a contractual relationship) (Boehm 2007). Each of these theoretical considerations can play a role in understanding regulatory structures in healthcare. A key recent conceptual development is the regulation of the patient journey championed by Vincent and Amalberti (2016). They argue that regulation must broaden its approach to take account of the patient's journey, rather than be static, and mainly concerned to regulate individuals, care episodes, or organisations at a point in time:

Regulatory agencies face some major new challenges. Until now most regulation has focused on individual healthcare professionals or specific organisations and institutions. Regulation in its various forms now needs to extend to encompass new organisational forms and the complex series of transitions and interfaces along the patient journey … Traditional approaches … may have to be adapted considerably. To move from accreditation of structures and institutions to accrediting patient journeys across primary, secondary and home care is a huge challenge. (Vincent and Amalberti 2016, p. 155)

Such an approach may well signal future developments in healthcare regulation. Everyone (patients, clients, care recipients) is on a journey—from birth to death, and from being in the community to passing through the health system at multiple junctures, for example. To be focused on the person as they transition, interacting with healthcare in its myriad, changeable forms, and cope with technological and organisational change across time, shifts the very idea of regulation from a relatively passive, cross-sectional endeavour to a dynamic pursuit. Whether regulation can become more dynamic, and more longitudinally responsive in the way Vincent and Amalberti (2016) advocate is a practical question of consequence for the future.

#### **4.7 Discussion and Conclusion**

Regulation has permeated healthcare, particularly over the last three decades, in different ways, with wide-ranging applications, and at multiple systems levels. Despite the variety of regulatory authorities and types of regulation, ranging from accreditation standards, policy, enacted legislation, and taxation to name only a few, there have nevertheless been breaches, violations, accidental errors, and substandard care provided across healthcare systems and markets. These have caused considerable concern among regulators and regulatees and led to regulatory agencies and bodies to become more active. This has also created, across different healthcare systems, complex and often fragmented regulatory ecosystems.

Paradoxically, things go right far more than they go wrong and the Safety-II approach is increasingly recognised as an important regulatory paradigm. When they do go wrong, considerable risks and harm to patients ensue, with consequential effects including on providers themselves (the 'second victim') (Wu 2000). This has traditionally been a major stimulus for regulation. Self-regulation is also important in healthcare and relies on professional ethics, training, and ongoing education. Patient choice is another self-regulatory mechanism.

**Acknowledgements** Sincere appreciation goes to Ms Jackie Mullins for the literature scan and research for the presentation delivered to the Fondation pour une culture de sécurité industrielle (FonCSI) workshop on the regulator–regulatee relationship on 16th December 2021, and Ms Genevieve Dammery and Ms Lauren Ehrenfeld for research support in the development of this paper and the presentation.

#### **References**


Bristol Royal Infirmary Inquiry (London, England: The Stationery Office, Crown Copyright 2002)


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Chapter 5 The Tripartite System: A Key in Polycentric Risk Governance: Lessons from Norwegian Offshore Industry**

**Preben H. Lindøe** 

**Abstract** This chapter presents the Norwegian tripartite system within a polycentric perspective. Developing multiple arenas among the parties has been a crucial factor in developing a mechanism for learning and adaptation within the regulatory regime. In the face of internal disturbance, new technology, and changes in the socio-economic environment, the regime has developed its capacity to enrol new actors and redefine their roles and behaviour.

**Keywords** Polycentric governance · Nordic model · Tripartite system

#### **5.1 Introduction**

Assessing the regulator–regulatee relationship in high-hazard industries, one option is that regulatory bodies develop a *learning mechanism* to be integrated into their regulatory systems by investing in monitoring and data analysis, and evaluating performance with the involvement of the stakeholders. In their assessment of risk and regulation within oil spills, nuclear accidents, and financial crisis, the authors point at Norwegian offshore regulation as an example, "…with a proactive regulator who is constantly on the lookout for problems and mediates solutions as they arise" (Balleisen et al. 2017, p. 560).

The tripartite system in the Norwegian offshore regime, with collaboration between the regulator, industry, and unions, is based on the "Nordic model". The model often refers to economic and social policies as well as typical cultural practices

P. H. Lindøe (B)

University of Stavanger, Stavanger, Norway e-mail: preben.h.lindoe@uis.no

common to the Nordic countries (Dølvik et al. 2015). This includes a comprehensive welfare state and multilevel collective bargaining based on the economic foundations of social corporatism, with a high percentage of the workforce unionised and a sizable percentage of the population employed by the public sector such as healthcare, education, and government (Marklund 2017).

The purpose of this chapter is to assess the Norwegian tripartite system as a key factor in developing an adaptive and robust regulatory regime. The following two questions are used as guidelines: How does the tripartite system function within a polycentric context, (2) in what way does the tripartite system contribute to regulatory robustness?

The analysis and discussion are developed through the following four steps: (a) presenting polycentricity as a theoretical concept, (b) presentation of the Norwegian tripartite system, (c) highlighting tripartite arenas dealing with offshore risks and regulations, and finally (d) what are the lessons to be learnt.

#### **5.2 Polycentric Risk Governance**

The concept of polycentricity was initially introduced in an analysis of how most metropolitan areas in the United States are managed. Lacking a single dominant political leader, many local public authorities are involved, each of them pursuing their own aims in a seemingly uncoordinated manner. This situation was defined as polycentric governance, characterised as a self-organising system composed of (1) many autonomous units formally independent of one another, (2) choosing to act in ways that take others into account, and (3) through processes of cooperation, competition, conflict, and conflict resolution (Ostrom 1991, p. 225).

In the following years, polycentricity was adopted within political science and public administration as a concept of governing *collective goods*: "processes of selection, production, financing, and evaluation of collective goods, as well as the management of common-pool resources" (Stephan et al. 2019, p. 25). The late Elinor Ostrom (Nobel Laureate in 2009) used a similar concept, arguing that "Governing the Commons" (Ostrom 1990) can be seen as going beyond market failures and governmental regulations (Lam 2011; Ostrom et al. 2012).

The concept of polycentric governance includes multiple centres of decisionmaking, or multiple authorities, where no one has ultimate authority for making collective decisions, and the decision centres, to some extent, take each other into account (Carlisle and Gruby 2019). Stephan et al. sum up their understanding of the concept of polycentric governance in a paired definition (Stephan et al. 2019, p. 33):

*Polycentric*: connotes multiple centres of decision-making authority which are de jure independent or de facto autonomous of each other.

*Polycentric Governance*: governance that has polycentric attributes, where governance is a process by which the repertoire of rules, norms, and strategies that guide behaviour within a given realm of policy interactions are formed, applied, interpreted, and reformed.

Furthermore, the regime coexists with other national and subnational authorities, and international entities. Polycentric governance can be seen as an intrinsic feature of democracy and Western capitalism that often leads to adversarial, fragmented, or abandoned decision processes when the key decision centres fail to engage or compromise or reach consensus.

To address this concern about the polycentricity of governance without compromising its democratic value, it is useful to focus on the need for structuring the engagement of key decision centres and managing their engagement. In this context, the Norwegian tripartite system provides an example. Applied to the Norwegian offshore context, the risk regulation regime involves multiple independent entities in the public and private sectors, including regulators, industry and professional associations, labour unions, insurers, standardisation organisations, interest groups in civil society (Lindøe and Baram 2020).

#### **5.3 The Tripartite OHS Model in the Offshore Regime**

Within the framework of the Nordic Model (Dølvik et al. 2015; Marklund 2017)a "Nordic Occupational Health Model" was developed, genuinely different from those found elsewhere in Europe. The OHS model also encompasses the regulation of working environment and the occupational health and safety standards and practices as a subset. In such a perspective, it became more like the Anglo-Saxon model in terms of higher degree of flexibility based on collective framework accords, which allow for individual solutions at the company level (Karlsen and Lindøe 2006). A common feature of the "Nordic OHS model" is its use of an in-house "occupational health and safety organisation" offering three different collaborating structures: (1) working environment committees providing opportunities for employers and employees to meet and discuss important issues, (2) independent and autonomous "institutions" such as Safety Deputies elected by the workforce, and (3) experts on occupational health and safety to be called upon in disputes, either as an in-house service or external consulting expertise (Karlsen and Lindøe 2006, p. 19).

#### **5.4 Developing a New Regime**

In the early stage of developing the Norwegian Shelf, three major accidents helped shape the offshore regime. The Alpha accident in 1975 initiated a process with the implementation of the Working Environment Act in the regime. One and a half years after the major fire on the *Alpha* platform, the new *Working Environment Act* was applied to all permanent installations on the Norwegian shelf.

The blowout at the *Bravo* platform (1977) resulted in a major oil spill and exposed the environmental risk to the public, both in Norway and in Europe. The accident became an incentive for the operator, Phillips Petroleum, to develop an internal safety system primarily concerned with reducing accidents, not just with meeting government requirements. The *Alexander Kielland* accident where 123 lives were lost became a "point of reference" for all stakeholders. The regulator enforced a process of "enforced self-regulation" with new rules; Licensees' internal control (1981) and Regulation of Internal Control (1985) where the 'tripartite system' based on the Working Environment Act was adopted and implemented.

Developing the tripartite system within the offshore industry has not been a harmonious process. After a pioneering period (1966–1978) with foreign companies and strong anti-union attitudes, organised oil workers established themselves in a strong position (1978–1983). The state supported the workers, partly through regulation and partly by forcing foreign companies to join Norwegian employer associations. In the following years (1983–2000) the tripartite system was used both to improve safety and to discipline unions not to breach national wage level targets (Ryggvik 2018).

Around the millennium shift, controversies concerning safety threatened the existing tripartite collaboration. After a period of intensive cost-cutting, industry representatives still claimed that health, safety, and environment conditions had never been better, whereas union representatives claimed that these conditions had eroded. The latter view was strongly supported by the regulator, as stated by the director of the Norwegian Petroleum Directorate in their annual report: "… it seems that a culture has been established where breaches of regulations and procedures have been incorporated as normal practice and accepted" (Lindøe 2018, p. 238).

The metaphors of "boxing" and "dancing" can be used to characterise the shifting patterns of adversarial and cooperative modes of tripartite partnerships during the first three decades in the Norwegian petroleum industry (Rosness and Forseth 2014). After the intervention of the political and regulatory authorities, a more cooperative climate gradually emerged from mid-2000. The tripartite collaboration was revitalised, and several new tripartite arenas were established.

#### **5.5 New Tripartite Arenas**

**The Regulatory Forum** was established in 1986 with representatives from companies, unions, and government, then revitalised in 2000. That leads in turn to stronger ownership of and consensus on final proposals for regulatory development and the mechanism became a model for other tripartite institutions such as the Safety Forum. The forum contributes to clarifying rules related to onshore and offshore operation, as well as adaptation to the European Union/European Economic Area and other international and national norms and standards.

**The Safety Forum** was established in autumn 2000, shortly after the period of mistrust among the core stakeholders. The industry, represented by the. Norwegian Oil and Gas Associations, was not enthusiastic at all. However, once they were enrolled, they had committed themselves to contribute to a process leading to less antagonism and more intensive cooperation. Even as the parties continued to draw on the same discourses in their dispute about the safety level, they took tangible action to revitalise tripartite collaboration (Rosness and Forseth 2014).

**Regulatory Competence for the Petroleum Industry**, a basic training programme, was founded with the purpose of providing familiarity with the structure and content of the regulations. Until 2021 the programme has adapted its teaching to more than 16,000 participants.

**Working together for safety** was established in parallel with the Safety Forum, bringing together representatives from oil companies, suppliers, contractors, unions, and employers. The NPD—later the PSA—was involved as an observer. Much of the work was pursued through working parties preparing recommendations for the industry by promoting the agreed use of industrial standards and best practices with better transparency on incidents and safe production as an output. The programme has prepared and revised more than thirty recommendations in every area covered by the safety and working environment regulations.

**Risk level on the Norwegian Shelf** is a monitoring program, meant to obtain trustworthy information and analyses, as a means to build consensus between the parties and secure commitment to future efforts of improving safety. In collaboration with Norwegian research institutions, the program has established a methodology of assessing trends in the risk level with emphasis on the statistical risk in terms of near misses, actual incidents and perceived threats by identifying a compromised set of indicators (Skogdalen et al. 2011; Blakstad 2014).

#### **5.6 Lessons Learnt**

A "cybernetic perspective" with three control components, setting standards, getting information, and modifying behaviour, could be useful in order to analyse *lessons learnt from* the tripartite system (Hood et al. 2001, p. 23):

From such a perspective any control system in art and nature must by definition contain a minimum of the three control components… There must be some capacity for *standardsetting* to allow a distinction to be made between more or less preferred state of the system. There must be some capacity for *information-gathering* or monitoring to produce knowledge about current or changing states of the system. On the top of that there must be some capacity for *behaviour-modification* to change the state of the system.

**Information Gathering:** Over time the process of developing "Trends in risk level in the petroleum industry" has been an important collaborative network embracing research institutions, industry, employers and unions, and the government. The PSA

**Fig. 5.1** Bridging gaps in the hierarchy of rules

is responsible for day-to-day operation, and in 2007, it was expanded to embrace landbased petroleum plants. The annual status reports made an important contribution to a joint understanding of changes in risk levels, thereby identifying measures to improve the level of risk and analyse the effects of corrective actions taken by the responsible parties. Involving all the important stakeholders ensures consensus over working methods and ownership of the consensus-based conclusions (Bang et al. 2014). The significance and legitimacy of the gathering and use of data became instrumental to the Safety Forum and PSA in providing knowledge and influencing the agenda for safety work in the industry.

**Standard Setting:** From a legal perspective, rules can be presented as a pyramid, ranging from *legally enforceable laws* at the highest level to non-legally binding rules, ending up with company standards and guidance at the bottom as presented at the left part of Fig. 5.1.

With acts and subsidiary regulations as legally binding, the largest and its lessvisible part are the guidelines, industrial standards, performance-based rules pointing at "best practice". Other relevant company-wide standards and guidance, whose application is left to the discretion of the regulated entity, include those developed by each industrial actor for its operational purposes.

The right part of Fig. 5.1 illustrates a hybrid model, combining a harder approach with "command-and-control" from above with a softer bottom-up approach based on self-regulation (Lindøe and Baram 2020). With performance-based rules follow an ambiguity of purpose: on the one side such rules should not undermine governmental ability to hold a company legally accountable. On the other side, the regulator should provide aid in promoting non-legally binding rules within industries and companies involving complex evaluations and difficult decisions (Lindøe et al. 2014, p. 51):

…many of which will be contested by self-regulators, industrial associations, and diverse stakeholders unless there is a high degree of trust between these parties. Conflicts erode the credibility of the regulator and the accountability framework and revive the legitimacy issue.

The concept of legal standards refers to norms and practices tying the "word of the law" to the ever-changing implementation of the norms and ideas embedded in that law. One example is the ALARP principle, meaning "as low as reasonably practicable". These principles unify the different interests of stakeholders and increase legitimacy as an integrated part of developing regulating regimes. In this borderline or mix of hard and soft regulation, the role of standards plays an important role (Lindøe and Baram 2020).

**Behaviour Modification:** Combining different modes of regulation opens some leeway, where the actors are able to test compliance with rules and roles. These issues are further developed and discussed by Ulla Forseth in the chapter "Power of dialogue" in this volume.

In Fig. 5.2, the three components: information gathering (IG); standard setting (SS); and behaviour modification (BM) in the control system operate in a framework with a different mix of rules and roles: Horizontally asymmetrical and symmetrical power relations between regulator and the regulatee, and vertically the implementation of legally and non-legally binding rules.

**Fig. 5.2** Power relation between regulator and regulatee

Within this leeway, the pattern of behaviour between regulator and regulatee will work very differently. An asymmetrical power relation and legally binding rules will lead to "command-and-control" behaviours. If the regulator shifts towards the role of pedagogue in guiding the industry in implementing "legal standards" embedded in laws and regulations, the power relation became more symmetrical. This pattern becomes even clearer with a mutual dialogue on how to develop and use widely accepted standards and best practices. When the regulator engages in developing standards, they need to balance between different considerations where the outcome could be consensus as well as conflict (Engen 2020).

#### **5.7 Conclusion**

In his reflection on lessons learnt in advancing a robust regulatory regime, Andrew Hale concludes that the robustness of the Norwegian regime "has only happened because the regulator in particular, but also the other parties to the tripartite approach, have consciously managed that robustness in response to the challenges and made it a learning system" (Hale 2014, p. 421). A crucial factor in developing a mechanism for learning and adaption has been the tripartite arenas, providing new opportunities for behaviour modification where the parties have challenged each other with informal and pragmatic styles of interaction. Thereby, the regime has developed its capacity to enrol new actors and to redefine their roles and behaviour in the face of internal disturbance, new technology, and changes in the socio-economic environment.

#### **References**


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Chapter 6 The Power of Dialogue: The Regulator–Regulatee Relationship in the Norwegian Oil and Gas Industry**

**Ulla Forseth** 

**Abstract** The aim of this chapter is to investigate the regulator–regulatee relationship and dialogue as a policy instrument in the Norwegian oil and gas industry. Dialogue is used as a lens to shed light on power relations in encounters between regulator and regulatees. The empirical part draws on qualitative research and multiple data sets. Dialogue is the preferred supervisory strategy and is embedded in symmetrical and asymmetrical power relations. The dialogue is formalised, ritualised, and restricted during regulator–regulatee encounters, whereas regulatees call for more informal discussions. The use of dialogue as a policy instrument has contributed to leeway for creativity in operations, learning, feedback, shared understanding and, according to the regulator, innovation and solutions beyond minimum requirements of laws and regulation.

**Keywords** Regulator–regulatee relations · Dialogue · Tripartism · Power

#### **6.1 Introduction**

The aim of this chapter is to explore the regulator–regulatee relationship in the oil and gas industry considering power relations embedded in the Norwegian model of working life. As pointed out by Foucault (1976: 125), power is inevitably associated with resistance ("Là où il y a pouvoir, il y a résistance"), and Stephen Lukes suggests that "Power is at its most effective when least observable" (Lukes 2005: 1). These quotes bring centre stage power as a multifaceted concept. According to Max Weber, power is when somebody can make decisions that influence the action of others and contradicts the interests of them. In the traditional command-and-control model of regulation, the regulator exercises power by conducting inspections or audits, and

U. Forseth (B)

Department of Sociology and Political Science, Norwegian University of Science and Technology (NTNU), Trondheim, Norway e-mail: ulla.forseth@ntnu.no

<sup>©</sup> The Author(s) 2024

J.-C. Le Coze and B. Journé (eds.), *The Regulator–Regulatee Relationship in High-Hazard Industry Sectors*, SpringerBriefs in Safety Management, https://doi.org/10.1007/978-3-031-49570-0\_6

then issues formal sanctions in case of violations (Baldwin et al. 2012). The regulator relies on the force of law to prohibit certain forms of conduct and enforce other types of action.

Foucault elaborated on forms of disciplinary power and surveillance, but later highlighted power as a productive force to be found everywhere and not only wielded by specific actors or institutions (Foucault 1991), such as the regulator in this case. Rather, power resides in discourse, e.g., in interpretations, use of language and symbols, and there is constantly a struggle between different discourses. How the term 'regulation' is conceptualised, developed, and practised in different industries are therefore important areas for investigation. There exists a wide range of regulatory designs, but I limit the scope to a command-and-control model and a dialoguebased approach. Black (2002: 183) employed discourse analysis to analyse regulatory conversations, i.e., 'the communicative interactions that occur between all involved in the 'regulatory space". These regulatory conversations are sites for the discursive production of the identity of the regulatee and the regulator (Forseth and Rosness 2021). A critical report after an audit or an investigation report, for example, can jeopardise a company's identity and reputation as a responsible player.

The Petroleum Safety Authority Norway (PSA) presents dialogue as its preferred policy instrument because of its impacts on accountability, learning, innovation and improved health and safety. Discussing the Norwegian petroleum industry's regulatory regime with non-Nordics, however, they are perplexed as to how it works. From the vantage point of more traditional command-and-control approaches to regulation, they often find the Norwegian oil and gas regulatory regime 'too open-ended, the inspections are too few and the reactions to non-compliance are too soft' (Rosness and Forseth 2014: 309). To explore such issues, the following research questions are central:


I draw on a research portfolio on risk governance in the oil and gas industry conducted with Ragnar Rosness, SINTEF, and collaboration with scholars from the University of Stavanger and the University of Oslo.1 Rosness and I investigated tripartism and a controversy concerning the safety level on the Norwegian continental shelf around the millennium, analysing the voices of the regulator and dialogue as a policy instrument (Forseth and Rosness 2021; Rosness and Forseth 2014). The research design was explorative and qualitative, and the empirical material stems from the PSA website, a strategic sample of investigation reports, and two focus group interviews with a purposive sample of PSA officers in 2016 and 2018. In addition, we analysed anonymised raw data from 36 focus group interviews with the

<sup>1</sup> The projects were funded by the Norwegian Research Council (no. 183251 and 233,971).

PSA and other stakeholders conducted by the principal investigator and his team in an expert committee on health, work environment, and safety in the petroleum industry commissioned by the Ministry of Labour and Social Affairs (Engen et al. 2013). Although some of these data date back in time, they are still useful in investigating a specific, historical example of dialogue in the regulation of health, safety, and environment.

The chapter is organised as follows: After outlining key features of the Norwegian model of working life, the empirical part illustrates how these are practised in the regulatory regime in the oil and gas industry. The first part spells out how the PSA presents and makes sense of this regulatory regime. The second part deals with how dialogue is practised in regulatory encounters and includes how regulatees take sense. The analysis identifies ambiguities and tensions, and in the final part power relations embedded in this regulatory regime are discussed before concluding on the transferability of the results.

#### **6.2 Context: The Norwegian Model of Working Life**

Norway is described as a high-trust country (Skirbekk and Grimen 2012), and trust among the different stakeholders is important for how the 'Norwegian model' has developed. Participation and collaboration have a long history back to the 1930s and the agreement between the social partners. A former Norwegian Minister and sociologist described the Norwegian model of working life as a Chinese box (Hernes 2006): there are several layers encompassing bipartite and tripartite collaboration where management and shop stewards collaborate on the micro level in the companies and employers' organisations, while trade unions and the authorities collaborate on the macro level. This type of tripartite collaboration differs from the way Ayres and Braithwaite (1992: 26) defines tripartism as formal involvement of public interest groups in the regulatory process. In contrast to the antagonistic relationship often found in Anglo-American literature, the relationship between management and workers has been coined as a 'conflict partnership' (Dølvik et al. 2017) where the parties acknowledge both shared and conflicting interests. The metaphor *boxing and dancing* is illustrative when elaborating on how conflict partnership is practised over time (Rosness and Forseth 2014). The function of the safety representative is also unique, including the legal right to halt a work operation in case of immediate danger to the life or health of workers, without any risk of economic repercussions for the safety representative.

This brief introduction summarises some features of the Norwegian model of working life, and how it is a result of historical, structural, institutional, and cultural factors. It is an important backdrop for understanding the regulatory regime in the oil and gas industry.

#### **6.3 Dialogue as Policy Instrument**

When oil was discovered at the Ekofisk field in the North Sea in 1969, Norway had little competence in this area and had to rely on multinational oil companies. Until 1985, the government pursued a traditional regulatory model which relied on checklist-oriented inspections and government-based approvals (Bang and Thuestad 2014: 245). Several major accidents such as the Ekofisk Bravo blowout in 1977, and the Alexander L. Kielland disaster in 1980 which killed 123 persons, had great impact and led to administrative and political reforms. A new regulatory approach to safety and the working environment was introduced with functional regulation and the introduction of internal control (ibid.). This model of government-enforced self-regulation emphasised the importance of cooperation with those involved and that 'the regulator should establish a *dialogue* between employees, employers and government on the issues relating to development of regulations…' (White Paper no. 51 1992–1993) cited in Bang and Thuestad (2014) [my emphasis]. In the next section, I elaborate on how this was implemented in the regulatory regime.

On their website, the PSA spells out the fundamental principles of the petroleum regulations and their role as both 'guide dog' and 'watch dog'. They underscore that they pursue risk-based regulation but that it is the responsibility of the individual company to ensure that they follow the law, rules, and regulations: 'Each company is responsible for the safety of its own operations. This represents a fundamental principle in the petroleum regulations' (PSA 2018). The role of the regulator is to develop regulations, define parameters for the industry and monitor that activities are pursued in a prudent manner by the players and, in the event of regulatory breaches, make appropriate use of enforcement powers (ibid.). Regulation and enforcement are structured to emphasise trust in and support the sense of responsibility in the companies. A particular 'see to it' obligation (ibid.) comes in addition to each player's responsibility for complying with the regulations, ensuring that everyone doing work on their behalf complies with the requirements and conducts activities correspondingly.

Dialogue is a non-statutory policy instrument and the preferred supervisory strategy. The term dialogue is multifaceted and includes face-to-face encounters with regulatees, communication after incidents through investigation reports and cover letters, and tripartite interaction. The PSA will, however, make use of more severe instruments such as orders, coercive fines, halting, or administrative fines, if deemed necessary. Coercive power might be the outcome of dialogue, but it is not frequently used according to the PSA website or our interviews. One example dates back to 2017 when the PSA, after dialoguing, halted operation on Goliat, the largest offshore platform in the Norwegian sector of the Barents Sea operated by the Italian company ENI, because problems with the electricity system created a risk of a major accident. It has occurred that a company chose to shut down an operation after dialogue before the regulator acted.

The PSA flags up tripartite collaboration and dialogue as crucial for reaching the ambitious goal expressed by the government to be world-leading in safety, health, and environment on the Norwegian continental shelf. Tripartism is institutionalised in various arenas, such as the 'Regulatory Forum' and 'Safety Forum'—arenas for information sharing, discussions of key HSE challenges, how to develop parameters and implement measures to maintain a safe industry (see chapter by Lindøe in this volume). 'In these arenas, the parties can join forces in a constructive collaboration on improvements, including for safety and the working environment—an asset all the parties say they want to preserve and develop' (PSA 2016, The Norwegian Model). These structures are important because they facilitate dialogue and set in motion different aspects of power by the stakeholders such as definition power, agenda power, decision power, and implementation power (Falkum 2015). The introduction of an annual monitoring system to measure how the level of risk is developing, 'Trends in the risk level' in 1999, can be seen as a 'boundary object' (Star and Griesemer 1989). It facilitates cooperation between parties with different viewpoints and can reframe a local understanding. Institutionalisation of collaboration and power among stakeholders is a countermeasure against too close relations between regulator and regulatee, capture and corruption. Transparency is another factor and the result of audits, investigation reports and cover letters are published on the PSA website in line with the Act relating to the right of access to documents held by public authorities.

#### **6.4 Properties and Impacts of Regulatory Dialogue**

Officers, supervisor coordinators, and managers from the PSA underscored the importance of dialogue and explained why it is the preferred mode of working. When the goal is continuous improvement of HSE in the whole industry, inspection, control and fining individual companies fall short. It was mentioned that this differs from the command-and-control model of the Labour Inspection Authority due to different philosophy and different characteristics of the industry. The dialogue is *formalised, restricted, and ritualised,* and the regulator and the regulatee have their roles to play. The PSA refrains from proposing specific solutions to a problem raised by regulatees because this would imply taking responsibility away from the player. The PSA exercises power by setting the terms of collaboration. As I see it, it illustrates asymmetrical power relations between regulator and regulatee because when deemed necessary, dialogue is substituted by more coercive forms of power. Involving companies and people at the sharp end gives them leeway for innovation in operations and allows them to provide feedback to the regulator. Officers at the PSA gave examples of how regulatees had come up with new, creative solutions that went beyond minimum requirements. The outcome is better compliance and improved safety, health, and environment.

Overall, representatives from the companies appreciated this use of dialogue, but there were diverse interpretations of the term. Some managers called for more informal dialogue where they could discuss openly without risking issues coming back in a future audit, and participants from small companies called for more specific advice. It was also mentioned that there was a shift towards challenging the regulator and some shop stewards reported more pressure in the 'conflict partnership' with management. The context of the dialogue is important, and a safety representative mentioned how they prepared for encounters with the PSA and conducted window dressing before the visit. I interpret this as an example of impression management on the part of the regulatees where they try to appear in the best possible way to stand out and strengthen their reputation as a responsible player.

Tripartite arenas are institutionalised to strengthen dialogue and collaboration and help to build situational awareness and a shared vision of reality. These arenas can also be used to discuss controversial issues. In a particular case concerning a new well design, the PSA employed agenda power and invited the other parties to discuss the controversial case. The end result was a unanimous veto. Rosness and Forseth (2015) suggest that these tripartite arenas thrive on tensions and ambiguities due to their ability to shift between collaborative and antagonistic modes of interaction.

Through analysis of a strategic example of investigation reports after incidents and accidents, we found that event sequence descriptions were mostly 'de-individualised' as individuals did not function as grammatical subjects (Forseth and Rosness 2021). The PSA used rhetorical means to frame non-conformities as deficiencies of the safety management system rather than individual violations, thus counteracting the search for scapegoats.

According to the initial quote by Foucault, where there is power, there is resistance. Players had been known to request a combination of individual violations into larger categories, to reduce the number of violations to protect their reputation, but without any success. I propose that another way of demonstrating resistance was to postpone answers or be reluctant to share strategic documents when asked by the PSA.

#### **6.5 Concluding Remarks**

Dialogue as a policy instrument in this context is not spontaneous, frank and 'dominion-free', but stimulates communicative action. Besides, other types, properties and impacts of dialogue are likely to be found in other industries and countries. Some regulators might open up for more informal dialogue than in this case.

The regulatory regime has evolved since the beginning of the Norwegian oil adventure, and the environment and the circumstances have changed. Representatives from the PSA and the companies did not talk a lot about power, but the analysis identified both symmetrical and asymmetrical power relations in encounters with regulatees as well as examples of resistance on the part of the regulatees. The regulatory regime has institutionalised dialogue and collaboration as cornerstones, and this has reinforced situational awareness among stakeholders. In addition, it has contributed to space of manoeuvre on how to carry out operations, innovation and, according to PSA representatives, solutions beyond the minimum requirements of laws and regulations. Tensions and ambiguities, however, seem to play a double role, sometimes facilitating 'boxing and dancing' for improved health and safety among stakeholders, while in other cases inhibiting initiatives for further HSE improvement (Kringen 2014).

Trade unions raised concerns about an increasing number of incidents and accidents in the wake of cost-cutting in the industry, and whether the sanctions imposed by the PSA were sufficient. In response, The Office of the Auditor General in Norway (2018–2019) initiated an investigation. The report concluded that the PSA is too reluctant in using rigorous sanctions and could strengthen their follow-up but did not suggest changing the principles of the regulatory regime or the use of dialogue as a policy instrument and mode of working.

The case analysed in this chapter is influenced by historical, structural, institutional, and cultural factors and the model cannot be transferred as a blueprint. There are, however, some lessons to be learnt about the impacts of promoting health and safety through a dialogue-based approach.

**Acknowledgements** Thanks to Ragnar Rosness for inspiring discussions in preparing this chapter.

**Ethics Statement** Informants for the focus group interview data were treated as institutional informants, and the researchers did not register any personal details. All informants gave their informed consent for their statements to be used anonymously for research purposes and were invited to review transcripts. The Norwegian National Research Ethics Committee does not require independent ethics board approval for this type of study.

#### **References**


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Chapter 7 Recognising the Social Nature of Regulatory Compliance and Focusing on Front-Line Interactions**

**Michelle C. Pautz** 

**Abstract** In the swirling conversations about regulation and compliance, a fundamental aspect is often neglected: the fact that regulatory compliance is inherently a social process. Regulation requires individuals (and their organisations) to alter their behaviour and subject themselves to some sort of review or monitoring of that behaviour. Further, actions and involvement with one another are required by individuals on the front-lines of regulation, the regulators, and the regulatees, and not just the individuals at the highest levels of governments and organisations. This chapter will review how regulatory compliance is fundamentally a social process that is engaged in by key—but often overlooked—front-line actors, describe these interactions, and detail the implications for regulatory governance moving forward.

**Keywords** Regulatory compliance · Front-line · Organisational culture · Cooperation

#### **7.1 The Nature of Regulation**

The very essence of regulation is about changing the behaviour of individuals and organisations to align with some broader aim. Those aims might be preventing a chemical spill or ensuring the safety of drilling on an offshore platform, but those goals are the sum total of daily decisions and actions at an individual level. Accordingly, compliance with regulation is both an action or behaviour at a particular point in time and the accumulation of actions or behaviours over time. It is the decision of a wastewater treatment plant operator to halt discharge into a waterway when a piece of equipment is malfunctioning and it is the compliance culture in a factory that ensures that solvent-soaked rags are always placed in containers with lids to

M. C. Pautz (B)

University of Dayton, Dayton, OH, USA e-mail: mpautz1@udayton.edu

© The Author(s) 2024 J.-C. Le Coze and B. Journé (eds.), *The Regulator–Regulatee Relationship in High-Hazard Industry Sectors*, SpringerBriefs in Safety Management, https://doi.org/10.1007/978-3-031-49570-0\_7

mitigate the release of air pollutants. These behaviours constitute the implementation of regulation, and they are ultimately the actions of individuals on the front-lines of regulation: regulators and regulatees.

#### **7.2 Regulatory Actors**

All too often, the regulatory actors, whose actions constitute the implementation of regulation, are overlooked. Regulators, at least for purposes here, are not the heads of government agencies or politicians who set regulatory goals, but rather the individuals on the front-lines of ensuring that regulations are implemented and complied with by those who fall subject to them. In the USA, they might be state or local government environmental inspectors, or they might be inspectors with the federal Occupational Safety and Health Administration that endeavour to make workplaces safe, or they might be government officials operating at multiple levels of government that work with public school cafeterias to oversee the regulations of what public school students may or may not eat as part of their school breakfasts or lunches. To be effective in their jobs, regulators must have technical competence in a host of industrial areas that they regulate, they must have a sound understanding of the regulatory goals that are sought as well as the risks that those regulations strive to mitigate, and they must be able to engage with a wide range of regulatory counterparts, other regulators, and the general public. The work of these regulators day in and day out to ensure regulatory compliance and their regulatory interactions allows them to be categorised as "street-level bureaucrats," according to Lipsky (1980), or the more recently preferred term "front-line workers" (c.f. Maynard-Moody and Musheno 2003). These public servants are critical to implementation of regulation.

Regulators, however, cannot implement regulation alone as they are dependent on their counterparts in regulated firms, the regulatees. The term regulatees is not used to indicate the leaders of firms or organisations, but rather used to describe the individuals on the production floor, the drilling rig, or in a restaurant who make sure that applicable regulations are complied with, and they are the ones who meet with regulators during routine inspections and submit regulatory reports to regulators as required. Indeed, many regulatees engage with multiple regulators even from the same agency, as is often the case in the US context when it comes to environmental regulations as firms work with different regulators for air, water, and waste regulations. The primary job responsibilities of regulatees might be compliance, but compliance might also be one of many dimensions of their job. Much like regulators, regulatees must also be technically competent when it comes to their firm's operations, but they also must understand how regulations apply to their firm, they must navigate the regulatory environment with their corporate environment, and the demands of their clients or customers. These regulatees are essential to achieving regulatory compliance and are also considered front-line workers.

#### **7.3 The Regulatory Environment of These Actors**

Both regulators and regulatees are humans operating in a regulatory context that is far from simple—they are not regulatory automatons who implement regulation as written with complete consistency and accuracy. First, these individuals have their own motivations for the work they do. For instance, why did an individual become an aviation inspector? Was it a love of air travel that motivated that individual? While stopping to consider an individual's motivations may seem unimportant, understanding those motivations is the foundation of the work of the individual and how that work is approached. Pautz and Rinfret (2013) note the importance of these motivations and attitudes in their study of subnational environmental regulators in the USA. Pautz et al. (2018) also detail these attitudes of food service directors in American public school cafeterias. Second, regulators and regulatees have their own perceptions of the individuals they interact with to achieve regulatory compliance. An environmental inspector may be an environmentalist who loathes industry that pollutes the environment. The operator of a printing operation may detest government involvement in industry and find government regulations stifle the ability of the company to do its work. Here again, the attitudes that regulatory actors have about their regulatory counterparts will affect the implementation of regulation and their interactions. Third, regulators and regulatees exist in an organisational context and industrial sector(s) which will affect their work. All organisations have their own cultures (and likely numerous micro- or subcultures) and those dynamics will impact how regulators and regulatees approach regulation and compliance. For example, environmental inspectors in an American state environmental agency might find that their organisational culture changes dramatically when a new agency head, who is a political appointee, takes over the agency and completely upends the regulatory priorities. Additionally, a regulated firm may want to do the right thing and exceed its regulatory mandates, but it may lack the financial or technical capacity to do so and is seemingly always contending from outside pressures that it is a bad regulatory actor. These dimensions convey the complexity of the regulatory environment for these individual actors.

#### **7.4 Regulatory Actor Behaviours**

As a result of the human and social natures of regulatory compliance, attention must be paid to the individual behaviours of these actors, notably the exercise of discretion and the use of coping behaviours. Regulators and regulatees have ample opportunity to use discretion in their work. A landfill inspector may decide not to punish a landfill for erosion that is likely brought on by torrential rains and work with the landfill to mitigate the ill effects of erosion rather than formally sanction the landfill for non-compliance. A regulator may choose this course of action because of a broader goal of working with a regulated firm in an effort to pursue long-term positive regulatory outcomes. Additionally, a regulatee working in a public school cafeteria may opt to make soup from scratch and risk violating sodium requirements because students are more likely to eat the food than the commercially available, canned soup that students discard. While both a regulatory agency and a firm may endeavour to limit the exercise of discretion in the work of these individuals on the front-lines, it would be nearly impossible to script how a regulator should respond in every possible situation or offer standard operating procedures for every scenario a regulatee may encounter. The very nature of regulation itself will always entail some degree of administrative discretion.

Besides the use of discretion, coping behaviours are commonplace among frontline workers (c.f. Lipsky 1980; Maynard-Moody and Musheno 2003). Coping mechanisms are the ways that these individuals make what are often near-impossible jobs manageable. For an environmental regulator who is responsible for upwards of 200 firms in a wide range of industries to a health inspector who has more restaurants to visit than hours in the day, these regulators may figure out which firms need more time during a physical site inspection and which firms are likely complying on their own and do not need as rigorous surveillance to do so. This is not to say that these individuals are cutting corners but rather are human and often burdened by untenable workloads and taxed by the sheer volume of regulations that can often be complex and even contradictory; as a result, they have to make decisions about how to achieve the desired outcomes. Similar behaviours are undoubtedly found among regulatees who also have to make choices and prioritise their work in equally complex work environments.

#### **7.5 Regulatory Interactions**

The discussion thus far has largely focused on the regulators and regulatees as individuals, but it is their interaction with each other—whether during physical site visits, reviews of regulatory reports, or conversations between the two—that constitute regulatory compliance. Regulation cannot be implemented and achieved alone, it requires a regulatory relationship and is a social process in which both parties are dependent on one another. The interactions between regulators and regulatees require education and information exchange. The information needs and asymmetries subject the actors to risk, vulnerability, and uncertainty. Regulators are responsible for engaging with a variety of firms in different industries and may not be conversant in the latest technologies, processes, or even what it is like to work in that sector; therefore, they are reliant on the regulatee's expertise and willingness to share information. Conversely, regulatees are often in a position where they need assistance in understanding the regulations and what the regulatory agency is actually looking for in terms of implementation. Regulatees also seek to learn about the regulatory agency's prioritisation and what changes may be forthcoming. Here, the regulatees are dependent on the regulator providing this information. With this ongoing need for information and education, the regulator and regulatee need one another.

This information exchange (and dependence) imparts risk for both parties as they open themselves up to vulnerability and uncertainty when they share. A regulatee might seek help from a regulator about a situation that may demonstrate the firm is out of compliance. The regulatee might be earnestly trying to achieve the broad regulatory aim but uncovered a problem and is not sure how to respond given the lack of clarity in a particular regulation and its applicability to the firm. Accordingly, the regulatee may be forthright with their regulator about the situation, but that openness comes with risk and uncertainty about what the regulator may or may not do. Similarly, a regulator may not fully understand a particular production process and need the regulatee's assistance in understanding how a regulation might be implemented. Revealing that lack of understanding to a regulatee makes the regulator vulnerable to the regulatee who may not comprehend how the regulator does not understand these technical aspects and that could undercut the regulatee's view of the regulator, potentially having significant ramifications for their future work together. It is unlikely that in any regulatory situation, a regulator and a regulatee could do it alone. Regulators and regulatees come together through various situations to make sense and meaning of the regulations themselves and to solve problems, thereby making regulatory compliance a fundamentally social process (Van de Walle and Raaphorst 2019, p. 7).

Also, essential to these regulatory interactions is the extent to which respect, cooperation, collaboration, and even trust are present. To learn from one another, to share information, and to make sense of regulation together requires that each regulatory actor have respect for the other and endeavour to work together. Each party has to recognise the role that the other is filling and that they have to engage in dialogue and work together to achieve their professional obligations. Of course, the regulatory actors might not respect the other, but their work might be more easily pursued if there is at least respect for the other actor's regulatory role in the regulatory structure. As the previous discussion of coping mechanisms suggests, there are means for these regulatory actors to carry on without even this most basic level of respect, but research has demonstrated that in most cases, there is respect (Pautz 2013). Indeed, to manage the workloads that each regulatory actor encounters, it is hard to imagine interactions between a regulator and a regulatee that are not built around some degree of cooperation and collaboration (Fineman 1998). The desire to cooperate could be solely rooted in rational self-interest, but it could also be grounded in the recognition that cooperative working relationships lead to better outcomes (Posner 2000). Kagan et al. (2011) aptly summarise that "… effective regulation requires imaginative cooperation as much or even more than it requires government monitoring and legal coercion" (Kagan et al. 2011, p. 39).

This need for cooperation and its importance in regulatory interactions has precipitated conversations, both in the academic space and the practitioner space, about the need for trust in regulatory interactions. Pautz and Wamsley (2012) demonstrate the need—and even desire—for trust in the regulatory interactions between environmental regulators and regulatees. Acknowledging the role that trust plays in regulatory interactions helps advance understanding about how regulators approach their regulatory interactions with regulatees and the regulatory enforcement style that they utilise (c.f. Scholz 1998). Considering the need for cooperation and perhaps even trust in these interactions can also advance understanding about the multiple roles that regulators may personify and the variability of experiences of regulatees.

In their interactions with regulatees, regulators often embody multiple roles. Regulators are an essential part of a regulatory regime that monitors and assesses compliance, but the very nature of their interactions and the realities of being a regulator also leads to other roles. Regulators often need to be coaches and help regulated firms achieve compliance through encouraging, troubleshooting, and other means rather than just the role of a strict enforcer of the regulations. Regulators also routinely provide assistance—whether formally or informally—to regulatees to help the firms achieve compliance. To what extent a regulator embraces these coaching and assistance roles varies based on the individual but also on the organisational environment and legal environment. And the extent to which a regulator assists a firm is likely a function of their regulatory interactions.

The interactions regulatees have with regulators vary depending upon their experiences with regulators and the role that the regulator embraces. It is also important to note that regulatees regularly engage with multiple regulators, not only from different regulatory bodies, but perhaps also from the same regulatory agency. This variability also shapes how the regulatees approach their interactions with regulators and their perceptions of them.

This discussion of regulators, regulatees, and their interactions demonstrates that regulatory compliance is sought and achieved through the social interactions of these critical actors. Additionally, there can be great variation in these interactions and approaches, which is commonsensical given that this is fundamentally an exploration of individuals and their behaviour. Despite the importance and prominence of regulators and regulatees and their interactions, they continue to be understudied and are often negated when designing (or redesigning) regulatory schemes.

#### **7.6 Implications**

The inherently social nature of regulatory compliance demonstrates that acknowledging and understanding the interactions between the regulator and the regulatee is critical. Accordingly, there are a number of important implications for regulatory governance. First, the interactions between regulators and regulatees have to be considered in regulatory design. It is not enough to promulgate regulations and assume that those regulations will be implemented as written because it is up to individuals to implement them and there will always be variability. Second, and related to the first point, regulators and regulatees have to be engaged in regulatory processes in an intentional rather than in a passive way. It is insufficient and detrimental to assume that they will behave in a uniform and predictable way. Engaging these actors early and often in all phases of regulatory development not only acknowledges their critical role but is also likely to lead to better regulatory outcomes because implementation will be considered from the beginning. Third, there should be more intentional training and managing of these interactions to harness the positive dimensions of cooperation while keeping at bay concerns of regulatory capture. Given the front-line role of these actors and their positionality in organisational hierarchies, it would be advantageous to help equip regulators and regulatees for their interactions with one another and help them understand their central roles by setting them up for positive and cooperative interactions. Fourth, there must be allowances for cooperation, and cultivating cooperation, in these interactions and a recognition of the need for positive interactions. Too often, regulators and regulatees and their interactions are presumed to be adversarial, and the need for these actors to engage positively with one another has to be cultivated. Finally, and most fundamentally, there needs to be a recognition of the importance of these interactions and that attention must be paid to them because regulatory compliance is an inherently social process.

#### **References**


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Chapter 8 Standards, Certification, and Accreditation: Indispensable Tools for European Safety Regulations?**

**Jean-Pierre Galland** 

**Abstract** This chapter shows how standardisation, certification, and accreditation procedures are used for a few decades at the European level for ensuring consumers' safety against medium-risk products. Despite some regulatory failures, such as in the Medical Devices' sector, this way of regulating risks is becoming a European model which is both being superimposed on pre-existing older risk regulation regimes and being applied to new domains.

**Keywords** Tripartite Standard Regime · Certification · Accreditation · Safety regulation · EU new approach

#### **8.1 Introduction**

International trade has dramatically increased over the past decades and this tendency has been accompanied by a proliferation of standards (Brunsson and Jacobsson 2000). Regulators, be they public authorities or "non-state market-driven" actors (Auld et al. 2009), increasingly rely on standards to meet their regulatory goals, in this globalisation framework. Once a standard it desires is defined and set, a regulator must ensure that the products, processes, or organisations it wants to regulate conform with the desired standard. More and more in this purpose, conformity assessments procedures with standards are delivered by specific bodies which are supposed to be independent both of producers and consumers and are called third-party certifiers. Most of the time, third-party certifiers are private bodies which sell their services to regulatees, for these assessment tasks. Regulatees must pay for this service but may choose their certifier, meaning that third-party certifiers usually are in a competition against one another inside certification markets, each given standard tending theoretically to open a specific certification market. More recently, regulators discovered

© The Author(s) 2024

J.-P. Galland (B)

Ecole des Ponts ParisTech, Paris, France e-mail: jean-pierre.galland@enpc.fr

J.-C. Le Coze and B. Journé (eds.), *The Regulator–Regulatee Relationship in High-Hazard Industry Sectors*, SpringerBriefs in Safety Management, https://doi.org/10.1007/978-3-031-49570-0\_8

that this construction was incomplete: inorganised competition among third-party certifiers could lead to a "race to the bottom" and allow "black sheep" to obtain more business. That is why they pushed third-party certifiers to be themselves controlled by other independent entities called accreditation bodies, whose role is to verify the competencies and seriousness of third-party certifiers. This global construction, which answers nowadays to different regulators' goals (social or environmental ones, or safety ones), has been summed up as a Tripartite Standard Regime (standardisation, certification, accreditation) (Loconto and Busch 2010). To put it differently, alongside the traditional "two-way" relationship in which a (national) regulator regulates by law its own (national) regulatees, the past few decades have seen the emergence, at a transnational level, of some forms of "three-way" interactions (Levi Faur and Starobin 2014), where between regulators and regulatees stand also "intermediaries", such as standards makers, third-party certifiers, and accreditation bodies.

This relatively new kind of relationship between regulators and regulatees has not been studied much till now, especially when standards are oriented towards safety goals, although the emergence of Tripartite Standard Regimes (TSRs) in this purpose has been signalled for a few decades (Grundlach 2002).

In this chapter, I will first focus on a specific category or "family" of risk regulation regimes (Hood et al. 2001) invented by the European Community and the Member States a few decades ago, both for progressively opening industrial products markets at the European level and for ensuring European consumers safety. I have related (Galland 2013) the technical and political reasons which historically led to the so-called New Approach to technical harmonisation and standardisation (Council Resolution of May 7, 1985) and the Global Approach to assessing conformity (Council Resolution of May 28, 1989). Here, I will just sum up how this "family" of regulations is organised; then I will focus on a specific sector which is regulated by these means, the Medical Devices' one, with its main regulatory failure, the PIP scandal; and discuss some weaknesses of this architecture. In conclusion, I will question the success encountered by this family of risk regulation regimes in Europe and wonder whether the fact it has become a regulatory "standard" is always a guarantee of safety improvements.

#### **8.2 The "New Approach" Directives**


This complex framework is generally considered as a success. About 30 sectorbased "New Approach" directives and 1400 Notified Bodies are active now, both contributing to a general opening of the European or internal market. Nevertheless, a lot of problems and failures have arisen since 1985, most of them concerning Notified Bodies, the question of their competences and of differences in their conformity assessment procedures. The main response of the Commission to these problems was to invite Notified Bodies themselves and Member States to write soft law documents, such as guides of good practice. But it seems that this was not enough, at least in some sectors, especially in the Medical Devices' one.

#### **8.3 The Medical Devices Sector and Its Failures**

Medical Devices are non-pharmaceutical products which are used to help ill or disabled persons in their day-to-day life. This is a broad industry sector that ranges from white canes for blind people to hip prosthesis or pacemakers. It has been regulated in Europe since 1993 by New Approach Directives, which indicate that, for the riskiest Medical Devices (classes 2 and 3), conformity assessment certificates of products with essential safety requirements (or the corresponding harmonised standards) must be delivered by Notified Bodies. I have to add that in the USA, Medical Devices, at least the riskiest of them, are regulated by the Food and Drug Administration (FDA) which delivers (or not) premarket approval as it does for pharmaceuticals. The Medical Devices "New Approach" regulation, and the Notified Bodies' role in this sector, have been controversial for decades. For example, the British Medical Journal and The Daily Telegraph denounced in the 1990s the fact there were "black sheep" among Notified Bodies, and voices have always argued for the creation of a European Medical Devices Agency. Although they were aware of these problems, the Commission and Member States did not change their mind but began a revision process of the directives in the 2000s.

Then, at the beginning of the 2010s, came the Poly Implant Prosthesis (PIP) scandal in France. Public French Authorities discovered that a French producer had used for years an unauthorised silicone gel in its breast implants, although these Medical Devices were CE marked thanks to conformity assessment certificates delivered by a big and well-known German Notified Body, Tüv Rheinland. Thousands of women (around 400,000) had serious health problems in France, Europe, and other regions of the world: the non-conforming breast implants burst or leaked and required removal. PIP's owner was quickly judged and sent to jail, but interestingly another question arose: what about Tüv's own responsibilities in this regulatory failure?

This question is still open now. There have been several trials and court appeal judgments in France, Germany, and even a decision of the European Court of Justice (Court of Justice of the European Union 2017), but judges (and observers) still often disagree on this matter (van Leewen 2014). Here, I just go back to the first trial that took place in France (Tribunal de commerce de Toulon, 2013) and stress three main points that were pointed out by French judges at this time.


These three statements reveal a few weaknesses of the New Approach, in the Medical Devices sector and beyond. At least, they show how, in the long run, diverse stakeholders of the regulation regime use its inaccuracies or margins of appreciation for their own profit or interest. The main regulator (the EU) and secondary one (the standard setter, CEN) allow producers and Notified Bodies to choose between different procedures for the delivery of conformity assessment certificates. Most of the time and more and more, they choose management-based standards rather than technology or performance-based ones, because the first procedure is faster and cheaper for them. On another hand (second point above), the Notified Body certification markets have evolved since their respective emergence. Tüv Rheinland is not the only Big Third-Party Certifier which uses its own network of subsidiaries to develop its business; a few others in Europe have likewise expanded their activities during the past few decades (Galland 2017). And the relevance of outsourcing inside certification procedures, with its other possible pitfalls, is currently unclear. The third point which has been raised during the Tribunal de Toulon trial invites us to revisit the early discussions which led, in the 1980s, to the New Approach itself. At that time, stakeholders agreed on and underlined the necessity that essential safety requirements should be worded in precise terms so that harmonised standards (and conformity assessment procedures if needed) should depend automatically on them (Previdi 1997). A simple reading of New Approach Directives indicates that this is not the case (point 3). A further point is that the "accreditation solution", which was supposed to bring seriousness and reliability to the whole procedure, has not prevented anything in the PIP case.

#### **8.4 Discussion and Conclusion**

As already indicated, the New Approach and its successors are generally considered as a success for ensuring both the opening of markets at the EU level and the safety of "medium-risk" industrial products. New directives have been voted and implemented these last years, which concern new sectors. The CE Marking procedure is not costly for public authorities and seems to meet globally the regulators' goals. But the problems discussed in this chapter constitute a warning to European regulators, not only about the Medical Devices sector. A series of questions must be addressed, despite the a priori successful story of the New Approach family of risk regulation regimes.

Firstly, these risk regulation regimes are decentralised ones and involve a great number of (private) actors. These diverse actors are "loosely coupled", if I may borrow Charles Perrow's concept (Perrow 1984) and employ it in an unusual context, that is to say, that actors have margins of appreciation and may choose between diverse solutions for realising their own task (standard setting, certification, or accreditation). In this case, the fact that the different actors are "loosely coupled" leads them to choose the solutions that best fit their own economic interests. On another hand, some of these actors may be discreetly present and active at all three levels of these Tripartite Standard Regimes, although this is theoretically forbidden (Galland 2017). These characteristics make each of these regimes opaque in its real and day-to-day functioning and may lead, in the long run, to unexpected failures, such as in the PIP case. Following this affair, besides, a new directive was voted in 2017 which among other changes, strengthened the conditions for becoming a Notified Body in this sector and reduced their number. But a few years later, the number of Notified Bodies specialised in the Medical Devices sector, which had to restart from zero, has anew seriously increased (23 identified by the EU/NANDO website, 22 March 2022; 32 identified on 18 August 2022), certainly for political (rather than technical) reasons.

Secondly, although the New Approach risk regulation regimes are aimed to regulate "medium-risk" products, these regimes may play a role in the global regulation regimes of certain high-hazard industries. For example, some critical components inside chemical or nuclear plants, such as vessels, pipes systems, or turbines, are regulated in Europe by a New Approach "pressure equipment" Directive (last version, 2014/68/EU, 15 May 2014), with its own Notified Bodies in charge of checking those components. A similar example concerns railways: "interoperability constituents" have been added to railway systems so that trains could cross national borders in Europe and maintain their level of service despite remaining differences between Member States; these diverse interoperability constituents are presently regulated by a New Approach Directive (last version, 2016/797, 11 May 2016), with its own Notified Bodies in charge of delivering conformity assessments on those matters. In both cases, there are two ways of appreciating these circumstances: one can consider that the addition of safety procedures concerning specific components of high-hazard systems, guaranteed by an external eye (the third-party certifier or Notified Body), naturally improves the global safety of the whole; others would wonder about the complexity which has been added that way, and on the relationships between the set of actors then involved in safety issues (industrial firms, HSE engineers, public regulators, Notified Bodies …) and on everyone's respective responsibilities inside this framework.

Thirdly, for many European regulators, the "New Approach" and the subsequent Notified Bodies system, considered as a successful way of regulating markets and risks, are becoming a generic model in the EU for dealing with a series of new (safety or security) problems: this is the case with the question of General Data Protection (Lachaud 2018), with that of ongoing reflexions concerning artificial intelligence (Veale and Borgesius 2021), or even with the question of cybersecurity. In each of these emerging subjects, the existing or projected regulation relies at least partly on standardisation, certification, and accreditation procedures which are inspired by the New Approach family of risk regulation regimes described in the present chapter.

This chapter has shown that transnational risk governance relies increasingly on standards and certification/accreditation procedures, which is specifically remarkable in the EU construction case. Risk regulation regimes based on these principles are gaining more and more problems and sectors. This observation raises two levels of questions. Firstly, although these risk regulation regimes seem, at first glance, globally successful and fit for purpose—improving consumer safety regarding "mediumrisk" products—they are opaque in their day-to-day functioning, are transformed or grow outdated without anyone noticing, and may sometimes lead to completely unexpected failures. But the powerful introduction of standards and standardisation procedures inside pre-existing safety or security systems, such as inside high-hazard sectors, or when dealing with other new problems (such as artificial intelligence or cybersecurity) raises the global question of the standardisation of control (Demortain 2011), here through due standards and certification procedures. Standardisation and TSRs should not only be studied as such and as a means for reaching some safety goals but also as a ready-made solution to solve identified problems that are mobilised in an excessively systematic manner (Olsen 2020).

#### **References**


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Chapter 9 Auditism: Symptoms, Safety Consequences, Causes, and Cure**

**Kristine Vedal Størkersen** 

**Abstract** This text is a reflection on today's organisational management, through an imagined disease, *auditism*. The empirical material for this reflection is collected mainly in the shipping and aquaculture industries, but other type of data suggest auditism may be prevalent in other industries too. Auditism is diagnosed when and where the idea of audits shapes how work is structured, performed, or talked about in a working environment. Symptoms of auditism are related to organisations' management of quality and safety—safety clutter, illegitimate core tasks, and an experience of two realities in an organisation (one for 'real work' and the other for 'bullshit' tasks or administration). Causes are function-based regulations and shallow audit regimes, as well as societal trends of how to prove legitimacy, accountability, liability, and efficiency. A cure could come through improved methods for auditing and documentation, or through trust in professional judgement instead of audits. Still, the prognosis is that many organisations will suffer from auditism before prescribing to reliable remedies.

**Keywords** Safety management · Organisation · Safe work · Audits · Accountability

Have you ever felt naked because you did not document some work activities, although no regulation or procedure required such documentation? Have you been tempted to still record those activities, just in case? Have you found yourself writing a report or filling out a form that most certainly will never be read by anyone—for example, a project half-year report? In some situations, you may even have continued writing that report because you yourself, during project initiation, created a procedure stating that this is mandatory. Or, when performing operations, have you been irritated with a coworker who did not submit the before-work *safety talk* in writing, even though she did the talk in practice and the documentation was her responsibility?

© The Author(s) 2024

K. V. Størkersen (B)

SINTEF Ocean, Trondheim, Norway e-mail: kristine.storkersen@sintef.no

J.-C. Le Coze and B. Journé (eds.), *The Regulator–Regulatee Relationship in High-Hazard Industry Sectors*, SpringerBriefs in Safety Management, https://doi.org/10.1007/978-3-031-49570-0\_9

In moments of clarity or frustration, have you wondered: Are your activities and the operations performed good enough, without being documented? If they need to be documented just so they can be counted and checked in an audit—is it worth the time? But since you are surrounded by *auditism*, you have been convinced that: What we do at work must be documented. To prove that we did what we should have done. Because someone will audit the records. For the sake of quality or safety, right?

#### **9.1 Introduction (What Is Auditism and Why Try to Understand It?)**

Auditism emerges when and where *the idea of audits shapes how work is structured, performed, or talked about in a working environment*. This differs from the intention of auditing, that is to ensure the governing qualities of a system, through control using other eyes and perspectives than operating personnel (Jensen and Winthereik 2017; Power 1994). Since *auditism* only is a word that I invented after years of observing such a condition in organisational life, this text is an exploration of auditism, its symptoms, consequences, causes, and potential cure.

Audits have become central in the last thirty years because of several trends in society. Due to deregulation, regulations have become goal-based, with responsibilities transferred to the organisations. Governments and organisations must demonstrate that this is legitimate, which means they have to show that companies are accountable (Baram and Lindøe 2013). Accountability is demonstrated in audits, so tasks must be documented and standardised to become auditable (Power 1994; Hood 2007, 2011). This enormous focus on audits has thus laid the grounds for auditism.

The basis for the concept of auditism is a combination of literature and empirical data. Organisational theory, especially regarding *the audit society* and *audit explosion* (see Power 1994 and his further work) points in the same directions as safety science. In safety management, many have for years wondered why regulation and management fail in creating safety and instead result in wearisome safety management systems (Hale and Borys 2013; Dekker 2012, 2017; Bieder and Bourrier 2013). In empirical studies, key explanations for the problems are suggested to be *audits*  and how the organisations adapt to audits (Størkersen 2018; Størkersen et al. 2020).

This text includes examples from international and Norwegian shipping and aquaculture, since studies in these industries have provided much relevant data. See Størkersen et al. (2020) for descriptions of the studies from which we have extracted the interview quotes in this text.

Please note that audits and management systems have many benefits not discussed in this text. For the benefits of safety management, see e.g., Størkersen et al. (2017) and Lappalainen (2016).

#### **9.2 Symptoms (What Auditism Looks Like and Possible Consequences)**

Auditism is indicated by how organisations adapt to audits, and numerous examples exist. Here, I describe a few symptoms found in several industries. All are related to the growing of two parallel lines of work, one concerned with real work and another with 'bullshit' tasks, to adopt a provocative term famously used by Graeber, in the name of safety management (showed by safety clutter, apathy, or attention to decoys).1

#### **9.3 General Symptoms of Auditism: Two Streams of Tasks**

A root symptom is that tacit knowledge and work practices are transformed into standardised auditable tasks. The reasoning behind is that work must be made legible to be documented and controlled. Effective audits require quantifiable tasks that are standardised and objectified (Jensen and Winthereik 2017). Standard tasks that resemble the core work can nicely be documented in cells on the accountants' sheets and thus be counted and measured (Almklov 2008; Almklov et al. 2014)—even though these tasks may not contribute to the operations, and only constitute another layer of mandatory tasks to be performed.

A palpable side of this is that management implements such standardised tasks, and another is that many actors in the organisation perceive the tasks to be legitimate. Tasks implemented to be auditable are often related to reporting, documentation, or verification. Auditism is apparent when actors have internalised auditcentred thinking and throw away safety thinking to be auditable. As with other institutionalised organisational ideas (more in e.g., Czarniawska and Sevón 1996; DiMaggio and Powell 1983), audits for many have become natural solutions to problems, without questioning whether other measures might be better (Power 1994). The idea that auditing is an important part of work has spread so much that it has changed knowledge making (Jensen and Winthereik 2017). When auditing gets a central place in an organisation, it forms the creation of knowledge, which causes audit loops. Audit loops are "mutually shaping interactions between auditors and auditees that cross-organisational barriers in multiple directions, both 'downstream' and 'upstream'" (Jensen and Winthereik 2017). This means that audits construct the environments they operate in to make them more auditable, with failures leading to more auditing. Audits were supposed to be detached from core activities, following another set of rules than those activities, but auditism spreads as audits influence how many organisations operate and create knowledge.

A serious symptom is when it becomes difficult to see the meaning of auditable tasks, which may be viewed as nonsense and even 'bullshit', but still performed

<sup>1</sup> For more about safety management and bullshit tasks, please see Størkersen and Fyhn (2024).

(Graeber 2018; Størkersen and Fyhn 2020, 2024). Auditism is demonstrated clearly when organisations implement systems that are auditable, even if the system is not meeting its goals or supporting the core work.

#### **9.4 Symptoms Related to Safety Management: Safety Clutter and Illegitimate Core Tasks**

A well-studied symptom is ineffective safety management systems. In many industries, safety management systems are seen as too extensive, bureaucratic, and focused on documentation, thus creating a risk rather than ensuring safety (Bieder and Bourrier 2013; Antonsen et al. 2012). A one-sided focus and overreliance on safety management systems can suppress other organisational functions and thus increase risk in areas those systems do not examine (Power 2004). A symptom of auditism is to not recognise that ill-fitting management systems might work against the objective of the system.

In addition, *safe work*—how core tasks are done safely—is often difficult to put into a system and to audit (Størkersen et al. 2020; Almklov et al. 2014). Unpredicted risks require an approach opposite to following rules, as they demand practical experience and the ability to improvise (Hale and Borys 2013; Hohnen and Hasle 2011). The extra tasks associated with auditism have been called safety work, or safety clutter and may be perceived as the opposite of working safely (Rae et al. 2018). Many experience that these tasks increase over time, as the organisation often adds tasks after accidents and audits (Amalberti 2001). Some experience the systems to be made to "cover the backs" of the bosses. The auditable tasks (*safety work*) thus create a parallel trail of tasks, alongside the un-auditable core tasks. Or, as the organisations suffering from auditism would understand it: The core tasks go on outside the managed part of the organisation, undocumented and often despite the safety management system. This creates a gap between formal rules and informal practices, which may be overlooked in audits. As a Norwegian ship captain said when we interviewed him about what he emphasises in reports and audits:

*We answer what we know our parents want to hear. That's very smart to answer, it keeps us out of trouble*. Captain, general cargo vessel.

#### **9.5 Marine Examples: Apathy or Attention to Decoys**

In shipping and aquaculture, safety management systems are in general described as exaggerated, complicated, and featuring procedures that are excessively detailed. Several studies have found that many shipping companies implement safety management systems 'only on paper', as their actual safety measures are not improved (Størkersen 2018; Antonsen et al. 2012; Anderson 2003). Many companies buy generic, standardised safety management systems that are guaranteed to satisfy auditors. As a result, they often end up with an unwieldy system that is designed to cover all eventualities, and situations, but with several procedures that do not fit the situations on their vessels (Almklov et al. 2014). It is a common statement that safety management regulation does not necessarily lead to safer conditions; it only requires an auditable system (Anderson 2003). The increased administration in the name of safety can in the next step increase risk. Oversized systems require attention, and attention is a scarce resource. In an interview, this captain described how safety management formalities take the place of core work:

*The paperwork you have to sign out all the time, right. It consumes time that I should've spent to, eh, perhaps be a good sailor. And it brings more tasks for you to do, right. Instead, you sit writing reports and check lists ….* Captain, bulk vessel.

In general, there is widespread agreement that safety management systems should be simplified, updated, and useful (Hale and Borys 2013; Bieder and Bourrier 2013; Anderson 2003), and it is a symptom of auditism when they are added on as a reaction to audits.

#### **9.6 Causes for Auditism (Why Auditism Develops in Organisations)**

Auditism is a consequence of the characteristics of regulation and the expectations of organisations. The causes of auditism are thus directly related to the regulatory regime, but also to other values in society.

#### **9.7 Drivers for Auditism: Function-Based Regulations and Shallow Audit Regimes**

Most quality and safety management regulation and certification schemes are function-based. They call for management systems that fit a company's specific activities but must also be auditable and documented. These two requirements are often in conflict (Størkersen 2018). Since the main task of regulators is to ensure (most often through inspections or third-party audits) that industry companies comply with regulation, companies become deeply concerned with audits.

To audit effectively, there is a need for measurable tasks—standardised, objectified, and quantifiable (Jensen and Winthereik 2017). This is an easy basis for checking compliance (Hale and Borys 2013). However, audits are not equipped to verify that organisations have done enough, when the function-based regulations do not describe what is enough. Management fears being blamed for insufficient procedures, so they show they do 'all they can' through all-embracing safety management systems (Hood 2007). Auditing can therefore require reels of red tape at the expense of trust, dialogue, and autonomy (Power 2007).

*The quality management and auditing industry favour written procedures for these reasons of transparency, and hence create major incentives for companies to write weighty procedure manuals but tend then to be blind to the gap with reality which a paperwork-based system audit does not pick up.* (Hale and Borys 2013)

We can see that the 'shallow' auditing methods may cause auditism.2 Paper trails are supposed to give auditors the ability to ensure that rules are being followed without examining the actual work (Hood 2007). Audits are passed when tasks are systematically documented in a system that is known and transparent to auditors who are unfamiliar with the local setting (Almklov et al. 2014). This is one of the reasons why many companies prefer to buy off-the-shelf systems even though they do not match their operations:

*It's easy for the ship-owner company to get zero nonconformities and comply with what's to be complied with. And so it won't be adjusted [to our activity]. They just buy the product and are through with it. […] You bring apples to school to please your teacher, but you're not getting full yourself. You don't help yourself.* Chief officer, fodder vessel.

#### **9.8 Drivers for Auditism: Legitimacy, Accountability, and Liability**

The massive focus on audits is caused by not only the quality or safety management regulation directly, but also other expectations from organisations' surroundings. Companies need the verification to demonstrate accountability as a matter of legitimacy (as explained by Hohnen and Hasle 2011). In addition to audits from regulators, companies demonstrate accountability through the paper trails for financial supporters, insurance companies, and other stakeholders (Baram and Lindøe 2013). Within this logic, liability must also be covered by the management system. Liability law can result in extensive safety management systems because management wants to protect itself through detailed descriptions of task operations (Hood 2011). In many organisations, both managers and operational personnel have a similar understanding that procedures mainly are there for liability reasons and in practice can be ignored (Størkersen 2018).

*We need to have a procedure for every work task. If something went wrong during work and we didn't have a procedure for that task, one gets hung.* Operational manager, fish farm.

#### **9.9 Drivers for Auditism: Efficiency Virtues**

Auditism is also caused by the fast pace in organisations and society. This pace may exist because of capitalism and similar virtues, that aspire to ever-increasing production and continuous development. Deregulation, function-based rules, and

<sup>2</sup> see for example Dekker (2021) and Hutchinson et al. (2024).

system audits are caused by the same efficiency idea, since regulation and detailed inspections of real work require thorough and expensive processes.

So, when managers just want to pass an audit but lack knowledge of the regulations or resources for system design, they outsource the making of an auditable management system (Størkersen et al. 2017; Almklov et al. 2014). It appears worthwhile to seek support on how to implement compliant systems. Consultancies are hired to help companies become safe and legitimate and simultaneously allow managers to cover their backs (Hood 2011).

In practice, extensive systems are never fully implemented because many of their prescriptions are too general, abstract, and decontextualised. Therefore, these systems are not legitimate and should not protect companies from liability issues. This is rarely acknowledged formally by industry organisations or their auditors.

#### **9.10 Prevalence (Where Do We Find Auditism?)**

There are indications that auditism is prevalent in most organisations operating according to international quality and safety management regulation or certification (Jensen and Winthereik 2017; Hood 2007; Størkersen et al. 2020; Power 2007; Dekker 2021; Almklov and Antonsen 2014). Auditism is found on all levels of society, within policymakers, regulators, business management, staff, and operating personnel. In many organisations, auditism is institutionalised. Empirical anecdotes tell stories of an epidemic of auditism (Størkersen and Fyhn 2024).

However, some organisations or industries may have been able to protect some employees or levels against auditism. For example, in the maritime industry, we have seen that some vessel captains (managers) do all translations of procedures and reporting for their crew, so the crewmembers can concentrate on their work (Størkersen et al. 2017).

#### **9.11 Treatment or Cure (How to Get Rid of Auditism)**

Auditism might be cured by changed regulations or improved methods for auditing or documentation. There is room within current regulations to enforce quality and safety goals and reduce focus on auditing. The extra work associated with audits ('safety clutter', documentation, reporting, routines not considered vital to the 'core tasks') can even be avoided with technological innovation. In transport, instead of manual reporting, one could make use of pre-existing data from electronic voyage plans, engine logs, and satellite navigation systems. Perhaps, documentation could come in non-written forms, such as the CCTV recordings already introduced in many areas. Of course, this involves an essential discussion of data protection under automatic versus manual documentation.

An alternative to audits overall is trust. Trust between regulators and organisations is already important in a function-based regime. Regulators presently must rely on the industry giving correct, truthful information about its operations and internal control (Dekker 2012; Lindøe et al. 2013). Still, their systems must be audited. The audit requirements create a misunderstanding that trust is not there. Organisations implement impermeable rules and red tape, that potentially lead to auditism and cancel out existing trust. Still, at the same time, many organisations rely on parallel streams of informal undocumented work to get core tasks done. In these unaudited backstage streams, trust lives. Professional judgement is the control mechanism. This could potentially inspire new systems not infested by auditism (Størkersen and Fyhn 2020). Both trust and blame will be found in organisations either way, and it is proven that the present system is not improving the situation (Hood 2007). To build a new system on trust will demand effort and innovation, but it has been shown to be possible (e.g., Dekker 2017).

#### **9.12 Prognosis (What Happens Next?)**

This exercise of describing auditism has shown that it is in the present context challenging to prove accountability at the same time as providing an organisational environment for safe work. Also, it certainly seems difficult for organisations to counteract the extensive management systems when so many trends are drivers for auditism and thus the systems' development and persistence. Auditism is not leading to anything good. Organisations and researchers can unite to cancel auditism by improving audits or replacing them with trust in professional judgement.

**Ethical Statement** Informed consent was obtained from all informants interviewed for this work, and their identity has been anonymised. The study protocol was approved by the Norwegian Agency for Shared Services in Education and Research (Sikt reference 51197/3/LB).

#### **References**


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Chapter 10 Rule Design: Defining the Regulator–Regulatee Relationship**

**Cary Coglianese** 

**Abstract** Rules constitute a defining feature of the relationship between regulators and regulated entities. To succeed in fostering sound risk management for society, regulators need to choose carefully how they design their rules, taking into account both their own capacities and the capabilities of those that they regulate. This chapter describes a two-by-two framework for rule design based on means-end and micromacro dimensions. By adopting and applying this framework, regulators can identify the relative advantages and disadvantages of different regulatory approaches and better inform decision-making about how to define the regulator–regulatee relationship.

**Keywords** Regulation · Enforcement · Rule design · Socio-technical systems

The relationship between regulators and those they regulate is fundamentally constitutive of the regulatory endeavour. By making and enforcing of rules, and undertaking other related efforts, regulators seek to shape the behaviour of the managers and employees within regulated organisations so as ultimately to reduce risks and solve other regulatory problems.

At the base of the regulator–regulatee relationship lies the rules themselves. Regulators interact with regulatees, after all, by seeking "to constrain their behaviour by rules" (Rasmussen 1997). And just as engineers widely recognise that the design of equipment and technology can affect the safety of complex industrial systems, the design of rules affects safety too. The way rules are written—their design and content—establishes the foundation for the regulator–regulatee relationship by defining the regulator's expectations for the regulatee and by shaping the demands placed on the regulator for information and oversight.

© The Author(s) 2024

C. Coglianese (B)

University of Pennsylvania, Philadelphia, PA, USA e-mail: cary\_coglianese@law.upenn.edu

J.-C. Le Coze and B. Journé (eds.), *The Regulator–Regulatee Relationship in High-Hazard Industry Sectors*, SpringerBriefs in Safety Management, https://doi.org/10.1007/978-3-031-49570-0\_10

Regulators have unfortunately long lacked a clear and common taxonomy of rule design. This is not to say that rule design—or what is sometimes called regulatory instrument choice—has been overlooked. On the contrary, a substantial body of important research offers insights on different regulatory designs (Richards and van Zeben 2020). Existing research, though, has "more diversity than uniformity" in how varied rule designs are conceptualised and labelled (Richards 2000). The lack of a commonly accepted conceptual framework has impeded progress in both regulatory science and practical decision-making by regulators. This chapter presents a unifying framework on rule design that can offer clarity for both researchers and safety regulators alike.

#### **10.1 Rules and the Regulator–Regulatee Relationship**

At its core, the regulatory enterprise is relational. Regulators seek to influence the behaviour of those they regulate—and often these regulatees seek to shape the behaviour of regulators too. Ultimately, regulatees' behaviour determines the success of the regulator, as the latter's performance depends irreducibly on the actions within regulated organisations (Coglianese 2017a). For safety regulation to improve, the rules underlying the relationships between regulators and those they regulate must also improve.

Admittedly, the regulatory–regulatee relationship is only one part of a larger set of interconnected relationships that make up the overall "socio-technical system" managing risk in society (Rasmussen 1997). Clearly "[m]any levels of politicians, managers, safety officers, and work planners are involved in the control of safety by means of laws, rules, and instructions that are formalised means for the ultimate control of some hazardous, physical process" (Rasmussen 1997). Risk management depends on the behaviour of different actors operating at different institutional levels, with "threats to safety or accidents … usually caused by multiple contributing factors—relationships" (Vincente 2003).

Among these relationships, the ones between regulators and regulatees have an important role to play in risk management in the face of dysfunctional relationships operating in the economic marketplace—principally, those between buyers, sellers, investors, and employees. When market relations fail to deliver an optimal level of risk control, legislators and regulators adopt rules and establish the basic terms of the regulator–regulatee relationship.

Rules can be stringent and demand much of regulated firms. Or they can be lax and require little behavioural change. They can be specified with precision or articulated in terms of broader principles (Black 2008). They can be designed to give regulated firms more or less flexibility—and correspondingly to give more or less discretion to the regulator (Coglianese and Bennear 2012).

By making choices about the stringency and design of a rule, a regulator seeks to find the most optimal way to shape industry behaviour and ultimately achieve risk control objectives. The precise design of a rule will depend on the problem the regulator seeks to solve as well as the capabilities of the regulator and the incentives of the regulatees. And no single design will apply in all circumstances, for all problems, or for all time. Although rules are by nature intended to be static generalisations (Schauer and Zeckhauser 2007), they can be modified as circumstances change. In addition, waivers and exemptions can be granted when appropriate (Coglianese et al. 2021).

#### **10.2 A Framework for Rule Design**

Rule designs have been described using many labels: command-and-control regulation, prescriptive rules, design and performance standards, management-based regulation, market-based instruments, defaults and nudges, information disclosure, and more (Richards 2000). The varied nomenclature used to describe rule designs can be simplified into four categories based on two dimensions of rule design: means versus ends, and micro versus macro (Coglianese 2010; National Academy of Sciences 2018).

Means-based rules require regulated firms to take or avoid actions, while ends-based rules mandate that they achieve or avoid certain outputs or outcomes (Coglianese 2010). Macro versus micro rules differ in terms of where they focus attention on a causal chain leading to risk and other problems. Micro rules are focused on a "specific contributor or causal pathway to the ultimate problem," but macro rules place the regulatee's attention on the "ultimate problem itself" (National Academy of Sciences 2018). This framework is shown in Table 10.1.

Human factors researchers may see in this framework some similarities with task analysis and work domain analysis. Task analysis contains a similar means-end distinction, with a firm's managers instructing employees on either the "goals they should be trying to achieve or how they should be achieving them" (Vincente 2000). With task analysis, managers give their employees (i) detailed instructions akin to a micro-means rule, or, like a micro-ends rule, (ii) instead simply spell out a constraint or outcome, leaving it to employees to figure out how to attain or avoid that outcome (Vincente 2000).


**Table 10.1** Rule designs

Adapted from National Academy of Sciences (2018), used with the permission of the US National Academies Press. This content is excluded from our open access licence. A more detailed version of this table, also by this chapter's author, is available in Coglianese (2010).

Work domain analysis essentially presents workers with a system's structure so they can figure out their own actions to take. It has been said that, with work domain analysis, "we have to do the thinking ourselves to derive a particular set of actions … from where we are to where we want to be" (Vincente 2000). In this respect, work domain analysis bears certain affinities with macro-means rules, which have sometimes been viewed as tools for "making bureaucracies think" (Taylor 1984).

Two dimensions in work domain analysis—ends-means, and whole-part—bear affinities with the two dimensions in the rule design framework presented in Table 10.1 (Rasmussen et al. 1994). The means-end dimension used here, though, includes both actions and structures, whereas work domain analysis focuses on structures (with actions addressed by task analysis) (Vincente 1999). The macromicro dimension here is similar to but not identical to the whole-part dimension in work domain analysis, as the framework used here simply distinguishes between the endpoint on an event tree (macro) versus a node or pathway leading up to that endpoint (micro) (National Academy of Sciences 2018).

#### **10.3 Rule Designs: Advantages and Disadvantages**

Although the performance of any rule design will depend on the regulatory context, some generalisations about the relative advantages and disadvantages of each type can be suggested. Many of these advantages and disadvantages mirror those associated with instructions-based and constraints-based task analysis (Vincente 2000). The flexibility afforded by the two types of macro-based results in affinities with the qualities of work domain analysis (Rasmussen et al. 1994).

*Micro-means rules*. When a regulatory problem or risk is shared and relatively stable across regulated entities, a regulator may choose to specify the exact behaviours or actions that regulatees must take—that is, use a prescriptive or micro-means rule design. This design leaves little flexibility for regulatees. It can be justified when problems are understood and when a one-size-fits-all strategy will truly fit all (or most) firms. This is similar to the observation specifying concrete risk management actions will be "useful when behaviour is very tightly controlled by the control requirements of a technical system" (Rasmussen 1997).

The specificity of a micro-means design should also make compliance with the rules more readily verifiable and the regulator's role easier—but it may also potentially contribute to the disadvantage of creating a narrow "box-checking" mindset by the regulator (Bardach and Kagan 2002). Another disadvantage is micro-means rules' lack of cost-effectiveness in the face of heterogeneity among regulated entities. In some firms, the mandated means may not even be effective in controlling risk. Obligating firms to adopt a particular means may also discourage them from searching for more effective or less costly solutions (Goulder and Parry 2008).

*Micro-ends rules*. In contrast, micro-ends rules give regulated entities flexibility in their choice of risk control actions. These rules—also referred to as performancebased regulation—require regulatees to achieve or avoid specified outputs along the causal path leading towards a hazard or other problem (Coglianese 2017b). An emissions limit on air pollution from an industrial facility is an example because it does not mandate any means by which the facility must meet its mandated limitation.

Such output limitations for micro-ends rules can be the same for all regulated entities or they can sometimes vary from firm to firm in a market-based regulatory system. Under emissions trading systems, for example, different firms adhere to different pollution limits based on the number of permits each firm has obtained through market transactions (Newell and Stavins 2003).

Micro-ends rules allow for innovation and adjustment to varying circumstances. This flexibility, though, makes it imperative that the regulator can monitor compliance. Otherwise, regulated firms may exploit the rule's flexibility by simply satisfying a required output to the letter but by finding ways that evade the rule's overall spirit or create other untoward consequences (Coglianese 2017b).

*Macro-means rules*. An increasingly popular rule design in the context of regulating high-hazard industries seeks to steer firms' managers in the direction of improved risk control. For this reason, macro-means rules are sometimes referred to as management-based regulation (Coglianese and Lazer 2003).

This rule design is macro in orientation because it directs managers' attention to the ultimate risk problem. It mandates "internal planning and management practices" to compel managers to analyse the pathways that lead to risks within their operational settings and to identify and implement their own risk control solutions (Coglianese 2008). Internal analyses and plans must comply with criteria determined by the rule. Several examples illustrate:


Macro-means rules like these examples are generally thought to be appropriate whenever one-size-fits-all solutions do not exist and when outputs are difficult to measure (Coglianese and Lazer 2003).

Macro-means rules place responsibility for risk analysis and control in the hands of private sector managers who have more complete information than government officials (Braithwaite 1982; Hutter 2001), ensuring that the truly "detailed rule-making takes place at a level where the context is known" (Rasmussen 1997). This has important implications for the nature of the regulator–regulatee relationship because it essentially places the regulator in a "meta-regulatory" role of overseeing regulatees' own internal rulemaking (Coglianese and Mendelson 2010).

Of course, smaller firms often lack the capacity for the internal analysis and planning required of macro-means rules. In addition, macro-means rules may merely elicit "pencil-whipping" or "window dressing" behaviour—that is, efforts simply to go through the motions in engaging in risk management activities without taking these required planning and other management steps seriously (National Academy of Sciences 2018; Gray and Silbey 2014). To help ensure that firms take macro-means rules seriously, regulators need a workforce with skills to assess meaningful analysis and motivate robust planning by regulated firms (Vincente 2000).

*Macro-ends rules*. A final rule design is sometimes referred to as a "general duty clause" or, simply, liability for harm (Baram 1996). Macro-ends rules impose the obligation for the regulatee to avoid accidents or catastrophes—with firms paying a penalty if these hazards occur. These rules contain no requirements targeting any specific pathway to ultimate risk. Instead, the threat of penalties and liability after an incident occurs provides incentives for the regulatee to take preventive action. Although macro-ends rules are often part of a regulator's arsenal, typically this design operates as a backstop to rules of other designs.

#### **10.4 Implications for the Regulator–Regulatee Relationship**

The range of rules falling within these four main designs make up what can be thought of as the regulator's toolkit (Hood 1983). The challenge for regulators lies in "choosing the right regulatory tool and understanding which one to use when and with whom" (Hutton 2015). In this respect, not only does a rule's design set the terms of a regulator's relationship with regulated firms but the choice of that design will itself be relational.

The advantages and disadvantages of rule designs discussed in this chapter are relative and general ones. Their success will depend on the specific context within which they are applied. The nature of the regulatory problem will partly affect that success. Micro rules, for example, can work better for simple, well-understood problems than for complex and uncertain ones.

Sound rule design depends on more than just fitting a design to a risk or other problem; it also depends on fitting the design to the regulators and regulatees. Some regulatees—often because of their size—may need to be told exactly what to do. Others may have the capacity or well-earned trust to act responsibly under more flexible rules. Furthermore, regulators themselves will need to possess different capabilities for monitoring and enforcing rules depending on their design.

In tackling any given problem, regulators may wish to combine rules of different designs to address different facets of a problem or better manage the relationships with different types of regulatees. Combinations can occur when different rules target different causal pathways to a risk using different designs. They may also be appropriate for regulated sectors with highly varied regulatees, as more flexible designs could be available for larger firms that possess effective internal risk management capacities, while more prescriptive designs can be used to offer guidance to smaller firms that may need more direction. When combining rules—whether of the same or different designs—regulators obviously need to ensure that different rules avoid working at cross-purposes and that they do not simply accumulate costs without delivering corresponding benefits.

#### **10.5 Conclusion**

Ultimately, regulators must exercise careful judgement in making choices about rule design. These choices can be informed by risk assessment and benefit-cost analysis prior to adopting a new rule (OECD 2020). They can also benefit from research on how different rule designs fare after they are adopted (Bennear and Wiener 2019). Future research can be facilitated by a clear, common framework of rule design, which is the reason for presenting the typology offered in this chapter.

Regulators also need to remain vigilant. They must continuously monitor how their rules' designs are working in practice. They need ongoing engagement with and attentiveness to their regulatees—that is, effective relationships. After all, although safety outcomes can be affected in important ways by the content and design of rules, they are also affected by other aspects of the ongoing, dynamic relationships that make up the regulatory endeavour.

**Acknowledgements** I am grateful for helpful comments from the participants in a workshop organised by the Fondation Pour Une Culture de Sécurité Industrielle, especially Eric Marsden and Jean Pariès. I acknowledge excellent research support provided by Stephanie Haenn.

#### **References**


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Chapter 11 Responsive Regulation, Trust, and Intrinsic Motivation Within the Nuclear Industry: Impacts of a Safety Culture Tool**

#### **Benoît Bernard**

**Abstract** Safety culture has now a long history within the nuclear industry. Since the first appearance of the concept in the aftermath of the Chernobyl accident, growing attention has been paid to cultural issues with regard to safety. The concept is also highly contested and several authors suggested that regulatory bodies (RB) should stay away from safety culture. In contrast, this chapter intends to explore the impacts of a safety culture tool on the regulator–regulatee relationship, in particular, regarding a more responsive regulatory approach, the interactions between trust and control, and the motivation of licensees to be compliant.

**Keywords** Safety culture assessment · Safety oversight · Responsive regulation

Safety culture is nowadays a fashionable concept. In contrast, an important and influential part of research in that field has shown some reluctance to use this concept. Among the critics, it is pointed out that safety culture discards deeper organisational analyses taking into account interactions between culture, technology, and structure (Naevestad 2009), power relations (Antonsen 2009), or actual meanings behind observable behaviours (Silbey 2009; Guldenmund, 2010). Hopkins (2018) adopts an even more radical approach since he considered that the concept should be abandoned.

Therefore, some authors recommend to regulatory bodies (RB) to stay away from safety culture (Grote and Weichbrodt 2013). In that line of thinking, safety culture seems indeed weakly appropriate for regulating at-risk industry: safety culture is apparently highly abstract and intangible, it cannot be imposed through prescriptive rules, and safety culture is hardly measurable through numbers and also difficult to address at a distance.

B. Bernard (B)

Bel V, Brussels, Belgium e-mail: benoit.bernard@belv.be

<sup>©</sup> The Author(s) 2024

J.-C. Le Coze and B. Journé (eds.), *The Regulator–Regulatee Relationship in High-Hazard Industry Sectors*, SpringerBriefs in Safety Management, https://doi.org/10.1007/978-3-031-49570-0\_11

However, safety culture is also about reorganising routines and promoting a shift in perspective in the regulatory work. As a complement to a traditional compliancebased or a goal-oriented oversight strategy, safety culture lays the emphasis on a more responsive attitude, i.e., a regulatory style responding to the safety frames of reference (mindset) of a regulated entity and evolving according to the progresses implemented.

The safety culture assessment tool considered in this chapter is mainly based on field observations. Applied for several years within Bel V (the Belgian nuclear TSO), the assessment process is fed by safety culture observations performed by inspectors after any contact with a licensee. These observations are recorded within an observation sheet and are assessed on a yearly and multiannual basis. The main results of the assessment are shared and discussed with the concerned licensee.

Focusing on the regulator–regulatee relationship, the chapter will explore the way in which this safety culture tool has an impact on trust between a regulator and a nuclear licensee. In addition, we will show that the nature of the results of safety culture assessment—strongly based on metaphorical expressions—has an impact on the type of licensee motivation to follow the requirements. At the core of the relationship between the regulator and the regulatee, the results of the safety culture assessment aim indeed at stimulating self-regulation and encouraging a regulated entity to a proactive reflection about its performance.

#### **11.1 Safety Culture as a Responsive Regulation Tool**

As developed in a previous paper (Bernard 2014), safety culture oversight calls for a shift in perspective for regulatory bodies. Driven by a holistic and systemic approach, safety culture oversight allows a regulatory body to develop a more responsive attitude (Ayres and Braithwaite 1992; Baldwin and Black 2008).

Within compliance-based regulation—grounded in an analytic perspective—the focus is given on the licensee's rule compliance, and, consequently, on potential discrepancies. Within a goal or performance-based orientation, the regulator compares the performance of the licensees regarding pre-defined criteria.

The traditional compliance-based regulatory strategy allows a formalism that helps to foster greater compliance. Nevertheless, this prescriptive approach implies a "by-the-book" enforcement style that could induce "adversarial legalism" on the part of licensees (see Table 11.1). Moreover, rigid enforcement is not always optimal to develop a cooperative climate between inspectors and a licensee (May and Wood 2003) or to promote the continuous improvement of a plant.

Rather than seeking adherence to requirements, performance-based regulation embodies the notion that regulation should be based on specific outcomes to achieve. This regulatory model is grounded in a reactive strategy. As a core disadvantage, this approach tends to focus on well-known risks or familiar issues that could give rise to narrow safety assessments by the regulator.


**Table 11.1** Summary of the distinctions between compliance-based, goal-oriented, and responsive regulatory strategies

Conversely, safety culture enables a holistic and a systemic view of safety. As we will see in the next sections of this paper, safety culture cannot be directly regulated, but it can be observed in order to develop a cross-cutting perspective of an at-risk installation and to engage a licensee in the continuous improvement of its behavioural and organisational capabilities. In addition, extending the field of intervention of a regulatory body and its understanding of a licensee frame of reference, safety culture observations contribute to more flexible oversight.

#### **11.2 A Combination of Trust and Control**

According to responsive regulation theory, cooperation and trust are at the heart of the regulator–regulatee relationship. This trust issue is even more important when sensitive aspects such as safety culture observations are discussed with licensees (Naevestad et al. 2019).

Regarding the experience gained through the implementation of the tool, it appears that trust and control are more complements than substitutes (Six 2013): trust and control are indeed parallel concepts and should be understood in their interactions and combination. Following this line of thought, we posit that more trust doesn't mean less control.

Actually, from a regulatory body approach, a safety culture oversight process is an opportunity to capture informal safety issues that are sometimes poorly addressed (e.g., leadership style, capacity to change, workforce perceptions …). In other words, a safety culture assessment provides a regulatory body with a better view of the strengths and weaknesses of a nuclear installation as well as of the safety areas in need of attention.

The assessment method used has been already introduced in previous works (Bernard 2018). In a nutshell, safety culture observations are analysed through a four-dimensional model structured by two axes. Firstly, safety culture observations could concern "organisational processes" or "behavioural" issues. Secondly, safety

**Fig. 11.1** Illustration of the types of safety culture observations that were made following the assessment of a nuclear facility

culture observations could concern "managerial" issues (what is said and done by managers) or "workplace practices" (what is done in the field). At the intersection of the two axes, four zones appear reflecting the different "building blocks" of safety culture: i.e., management system, leadership, human performance (HP), and learning. Figure 11.1 illustrates the overall results from the assessment of a nuclear installation.

These results identified specific issues but showed also the strong interactions between the four safety culture dimensions: the overall overconfidence regarding the robustness of processes leads people to play down "what is really done" in the field and minimise the importance of human performance (HP) issues. More largely, HOF-related problems are therefore not sufficiently considered and a "HOFfatalism" appears (for instance, assertions such as "what can we do to resolve or manage HOF issues" are regularly captured within this plant). This in turn reinforces the importance attached to processual and technical sides of safety as well as the shared belief that the organisation in place "cannot go wrong".

From a regulatory perspective, it was then of high importance to monitor the capacity of the plant to adopt a less overconfident self-view. The learning dimension and, in particular, the quality of event root causes analysis were of high importance to enhance an open-minded view on actual field practices in order to avoid excessive confidence in past results. In a responsive way, a RB could then follow up progress regarding root causes analysis methods, including HOF issues, and, more specifically, to monitor the potential impacts on the HOF maturity level within the plant.

In other words, through this kind of tool, a regulatory body obtains valuable insight into the critical safety issues to be addressed by a licensee and, therefore, to verify its capability to provide appropriate actions to tackle these issues.

As a result, the safety culture tool increases the level of trust concerning some safety areas but, at the same time, extends the scope of RB control: the use of the tool creates a broader knowledge of the status of the plant (intangible aspects) and challenges the existing "boundaries" between trust and distrust.

#### **11.3 Metaphors as Keys to Cognitive Changes**

Adopting a regulatory perspective, we saw that a safety culture assessment provides a larger and deeper understanding of the frames of reference within a regulated installation. Indeed, as a main added value, a safety culture assessment allows a regulator to better understand the mental frameworks, norm sets and value-laden explaining attitudes, behaviours, and organisational practices. As already mentioned, this information is critical to the ability to request and monitor changes within a regulated installation.

We intend also to highlight the role of "metaphors" as critical elements of the building of regulator–regulatee relationships. Metaphors such as stories or myths play a key role in constructing, maintaining and improving a culture. Regarding safety, these metaphors—such as those described in the literature, e.g., "Practical drift" (Snook 2000), the "Normalization of deviance" (Vaughan 1996), the "Icarus Paradox" (Miller 1992) or, in our case, "HOF-fatalism"—are all the more important since they are shared and used to figure out shortcomings and then nurture safety imagination.

As a case in point, in the frame of an inspection with the head of the safety department of the assessed plant, we had the opportunity to capture the following (safety culture) observation:

During an inspection, several weeks after the yearly safety report highlighting the overall results of the safety culture assessment, the head of the safety department explained to the inspector (the author of the assessment but who was not present during the presentation of results to the director board of the plant) that "HOF-fatalism" was a critical issue for them. He gave an extensive explanation of the metaphor and realized after several minutes that the inspector could have been the author of the safety culture assessment (and asked). (Extract from working notes made by this author)

Firstly, this observation certainly reflects the licensee's willingness to take into consideration the regulator's view. However, in our view, the candid and spontaneous explanation by the licensee was not purely driven by an objective of pleasing the regulator. From our perspective, beyond the anecdote, there is evidence that the safety director gave an implicit message to the regulator, a "relational signal" (Lindenberg 2000) expressing the regulatee commitment to the regulator's view.

Using an image to convey meanings about safety, the metaphor appears then to be an effective communication tool between the regulator and the regulatee. More fundamentally, we argue that the metaphor played a critical role in changing the cognitive framework of the licensee. Obviously, it was only the position of one of the plant directors, who holds a special interest in maintaining the quality of the relationship with the regulator. But as a matter of fact, HOF issues as well as the maturity level of the plant in this area were far from being a priority before the dissemination of the results.

In other words, the results of the assessment contributed to stimulating more proactive reflection about the plant safety performance. From a problem considered as "intractable", HOF turned out to be a safety issue to be further addressed. Highlighting the "HOF-fatalism", the regulators expressed a concern on an area in need of improvement. Adopting the metaphor, the regulatee raised its awareness and recognised the safety issue.

In addition, in contrast with technical facts or discrepancies against safety standards, the licensee perceived regulatory action as not purely controlling but promoting or improving safety: the kind of results obtained from the safety culture assessment induces the licensee self-regulation. As a result, the accountability requested from the regulatee is no longer driven by bureaucratic compliance but grounded in higher awareness and stronger ownership. Put another way, this enables "selfdetermination" (Deci and Ryan 2000) which has a positive effect on intrinsic (vs. externally dictated) motivation to be "compliant".

#### **11.4 Conclusions**

This chapter explored the impact of a safety culture tool on regulator–regulatee relationships. We stressed that safety culture allows more adaptive safety oversight and, at the micro-level, challenges the existing balance between trust and control. In addition, we highlighted the pivotal role of "metaphors", as concepts used outside of their conventional frame—Reason's "Swiss Cheese Model" is certainly one of the most striking examples in this respect.

Focusing on the experience gained from the implementation of a safety culture observation tool, metaphors have been considered as a valuable means by which the regulator, and the regulatee can find common understanding. Metaphors also play a key role in increasing intrinsic motivation for compliance.

Moreover, bearing in mind that regulation is an attempt to alter the behaviour of the regulated, we also highlighted a change in the licensee's cognitive frame. In other words, regarding the question of measuring the success or failure of a regulatory strategy, we argue that the impact on the regulatee cognitive framework is a relevant indicator.

#### **References**


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Chapter 12 The Regulator, the Regulatee, and the End of the World as We Knew It**

**Julien Etienne** 

**Abstract** The rapid breakdown of the climate has radical implications for hazardous industries and for the regulator–regulatee relationship. It will lead to an exponential increase in NaTech events, and as such will transform the scale and level of complexity of contingency planning. As most fossil-fuelled hazardous industries play an oversized role in overshooting planetary boundaries, these industries will need to transform radically or shut down. To tackle such challenges, the regulator– regulatee relationship needs to transform itself so as to still be relevant and impactful in a troubled future.

**Keywords** Climate change · NaTech events · Regulation · Existential risk

#### **12.1 Introduction**

Year-on-year temperatures recorded across the globe show a continuous, rapid warming path. Extreme weather events are multiplying at a pace and with an intensity that exceeds what scientific models had anticipated.1 There is a marked acceleration in the signs of climate breakdown visible the world over.<sup>2</sup>

There is no logical reason whatsoever to assume that things will get better any time soon. Societies have been on the same path of exponential growth since the Great Acceleration (Steffen et al. 2015a) started in the 1950s, with ever more intense impacts on the Earth system. CO2, of which we are emitting more and more, stays in the atmosphere for centuries. Emissions of methane, which is a far more potent greenhouse gas than CO2, are increasing at a rapid rate that scientists are only starting to understand.3 Several critical parts of the Earth system have or are about to pass the point of no return, including the West Antarctic and Greenland ice sheets, warmwater coral reefs, the Northern permafrost, and the Amazon rainforest (Ripple et al. 2021; Armstrong McKay et al. 2022), which will create even more disruption. And

J. Etienne (B)

Independent consultant, London, UK e-mail: julienetienne.consult@gmail.com

<sup>©</sup> The Author(s) 2024

J.-C. Le Coze and B. Journé (eds.), *The Regulator–Regulatee Relationship in High-Hazard Industry Sectors*, SpringerBriefs in Safety Management, https://doi.org/10.1007/978-3-031-49570-0\_12

there is no tested technological fix that can be deployed at scale in time to revert it all. Instead, the climate is evolving so quickly, scientists tell us that we cannot hope to adapt to it rapidly enough.4

It is the end of the world as we knew it, and therefore, it is also the end of 'business as usual'.

In this chapter, I explore what it means for hazardous industries and the regulator– regulatee relationship (hereafter RRR) to enter 'business as unusual'. The question I seek to answer is not: "should the RRR change?" In a radically transformed and transforming world, it would be preposterous to claim that anything can continue as it is. Instead, the question I seek to answer is: "how should the RRR transform itself to be relevant and impactful in future?"

#### **12.2 Three Perspectives on the Regulation of Hazardous Industries**

Let me begin by outlining three different rationales for regulating hazardous industries and thus three different roles for the RRR.

The first one is rooted in economism, the dominant ideology since the third quarter of the twentieth century. It argues that regulation is there to address market failure. The market generates hazards, but it is not good at managing them. These "externalities" have ranged from chronic pollution to occupational diseases and accidents, and the occasional major disaster. In that perspective, the RRR exists to ensure those externalities are addressed over time, repeatedly bringing the attention of the regulatee back to those dimensions its economic rationality supposedly leads it to ignore. Because these externalities are technical in nature (not only in terms of what causes them but also of what impacts they have on the world), the RRR is also technical in nature. It is worth noting that the RRR has usually ignored the systemic externalities of hazardous industries, such as climate change or cascading biodiversity loss.

The second perspective is rooted in history. The regulation of hazardous industries grew in response to social tensions, in the context of industrial development within and in the vicinity of cities. Regulation aimed to manage those tensions while enabling the growth of industry (Fressoz 2012). A shorthand for the role of regulation was therefore to make hazardous industries "acceptable" to society. There have been strong economic interests at play, then and now, that the regulation of industrial risks has spearheaded while taming criticism and protest. In that perspective, the RRR is there both to address society's angst and to protect industry from it. The widespread acceptation of fossil-fuelled refining, chemicals, agriculture, plastics, and tourism may be seen as a testament to the successful taming of societal concerns.<sup>5</sup>

The third perspective is rooted in time. Regulation is there to preserve equilibrium over time, as implied in such expressions as "body temperature regulation", for example. Applied to societies, equilibrium is the preservation of societal functions such as sustenance, order, consensus, or communication (noting that various societies have different ways of fulfilling these functions). It is about endurance and maintenance (Caye 2020). Nowadays, hazardous industries contribute to an oversized share of crucial functions: the supply of energy, food, health, transportation, and communication. A core role of regulation has been to ensure that such functions could be delivered through the *continuous safe operation* of hazardous industries (refining, air and rail transport, nuclear fission, etc.) The regulator's continuous surveillance and steering of such crucial functions has been channelled through the RRR.

#### **12.3 The Future of Hazardous Industries and Risk Regulation Regimes**

Hazardous industries and the outer world are in a so-called double materiality relationship: there is what the world does to the industry, and there is what the industry does to the world.

The impact of a rapidly warming world on hazardous industries is multifarious (Garcia et al. 2021). Droughts pose significant challenges for industrial processes that need cooling. They reduce water supply in case of fire. Heatwaves raise cooling needs that may go beyond design expectations. They affect workers' capacity to carry out their tasks, to respond to unexpected events, and they make human error more likely. Heatwaves may make stored substances that react exothermically more dangerous. Buckling rails and roads, melting tar may interrupt supply of raw materials but also make it more difficult or impossible for emergency services to reach a site in case of an accident. It could affect the structural integrity of site platforms, e.g., at chemical plants. Droughts and heatwaves create conditions for wildfires that may reach industrial sites. Excessive air temperature makes it difficult and, beyond a certain point, impossible for planes or helicopters to take off and fly at low altitude, also undermining emergency response capacity. Flooding and submersion may close off emergency routes, precipitate uncontrolled shutdown of hazardous processes, threaten the continuous cooling of certain stored materials (peroxides) by shutting down generators, and lead to contamination of the wider environment if containment of hazardous substances is breached. High winds and storms can shut down power lines and affect buildings.

In sum, extreme weather will lead to an exponential growth in 'NaTech' events (see e.g., Mesa-Gómez et al. 2020). While not directly triggered by industry, these events will therefore lead to an exponential growth in industry's "externalities", taking the meaning of "market failure" to a whole new level. NaTech events will add to the growing anxiety about climate change and rejection of fossil fuels, making it ever more difficult to make hazardous industries "acceptable" to society. The multiplication of NaTech events will also break any pretence that it is possible to continuously operate hazardous industries safely. Indeed, it would be reckless to keep all or even most hazardous industries *on* when circumstances (e.g., a sustained + 50 °C heatwave) make emergency response extremely difficult, if not impossible.

Another laundry list of challenges emerges when one considers the impacts of industry on the world (Sterner et al. 2019). Fossil fuel extraction and processing play an outsized role in driving climate change, ocean acidification, and aerosols pollution. Fossil fuels and chemical processing drive the dramatic overshooting of the recently measured planetary boundary for novel entities (Persson et al. 2022). The chemical industry together with mining plays a major role in the breakdown of biogeochemical flows (principally phosphorus and nitrogen). Transportation contributes greatly to aerosols pollution and, for air travel in particular, climate change.6

(Most) hazardous industries are, therefore, the problem. From a regulatory perspective, the understanding that the "externalities" of hazardous industries extend to undermining humanity's future on Earth is, alas, a novelty. The social unrest that scientists expect will materialise as a result of water and food scarcity, compounded by mass climate migrations, dwarfs the regulator's concern with making hazardous industries acceptable to society. Above all, reaching an equilibrium and safeguarding societal functions can only mean pushing industries not only to operate within the boundaries of safe operation (Rasmussen 1997) but also within planetary boundaries (Steffen et al. 2015b). Indeed, scientists, the UN, and various social movements openly call for the immediate "phasing out of fossil fuels", which implies the radical transformation or shutdown of most hazardous industries. Whether these industries' role in taking us all outside the "safe operating space" of planetary boundaries can be reversed is a critical question, one that mingles engineering—is it possible to re-engineer these industries very rapidly?7—economics—should the industry be greened or should it be downsized?—and sociology—can societies withstand withdrawal from the services and products delivered by hazardous industries?

#### **12.4 The Future of the Regulator–Regulatee Relationship**

These challenges justify an urgent transformation of the relationship between regulator and regulatee. As a first attempt at rebuilding the RRR, I consider below what needs to change (or not) in order to make it relevant and impactful.


other interests (Etienne 2013). The boundaries for safe operation they consider are those of the organisation they regulate, but they ignore the far-ranging impacts of those organisations on the Earth system. When industrial activities cannot be redirected rapidly to operate within planetary boundaries, then they should not be authorised, unless a very robust case about their critical importance can be made.


ground to incorporate concepts of planetary boundaries into the risk governance of high-hazard industries (Cosens et al. 2014).

7. **The RRR should be about grounding planetary issues at the local level**. Its reach all the way down to the local level makes the RRR a valuable forum. As several commentators have noted, climate mitigation and adaptation need not only to be thought about and acted on at the global level. It is also crucial to translate them and to explore in depth their implications at the local level (Bonnet et al. 2021). Transforming industries affects not only sites but also the wider ecosystem of social and economic relationships that are tightly linked to those sites. In this regard, the RRR is often already set at the right level. Where members of the local community have been involved in the conversation about regulating industrial hazards—which has been increasingly the case in the past two decades—a framework already exists to build a shared understanding of what needs to be done, why, and how it may be done.

#### **12.5 Conclusion**

I have argued that the existential risk of the Earth system breakdown (including climate change and biodiversity loss) poses a critical challenge to the RRR. It cannot be maintained as it is. Business as usual is a self-defeating strategy, whether one thinks of regulation as a solution to market failure, a way of making hazardous industries acceptable, or a way of ensuring the safe operation of industries that deliver core services and products to society. The RRR will need to substantially change, in particular to make the boundaries of safe operation for individual sites work within the planetary boundaries. This can only be a collaborative effort or else it will fail. Indeed, decarbonising high-hazard industries or decommissioning them affects many more actors than workers and neighbours. Hazardous industries hold central functions in the current economy, with countless other sectors depending on them. It will not be possible to make significant progress unless those other sectors, those who regulate them, and the broader supply chains (which may well extend beyond the jurisdiction of the state) also transform themselves within the same timelines. The RRR needs to be a crucial node in that collective endeavour.

#### **Notes**


#### **References**


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.