Risk-Based Approach

It’s always a bit of a giggle when a politician, or a government official makes a statement that they are “taking a risk-based approach” to that issue or policy.

It is a well-worn line – but if I had a dollar ……

In my observation, it is more than often used as a complete throwaway line because they have no idea what the risks are, let alone how they are going to be managed.  In the end, the risk-based approach becomes an approach of – let’s hope that doesn’t happen.

Granted, policy development for national, state and local governments is a complex area and there are always risks in the pursuit of public policy.

For example:

  • the VET Fee Help scheme was a schmozzle as reported here by the Australian;
  • the NAPLAN policy was designed to affect the education of children. Who would have thought though that NAPLAN would have an impact on property prices – My School public school ratings may be driving up house prices, AFR 2015; and
  • then there’s the family day care public policy debacle in which the program was highly vulnerable to blatant fraud – reported here in the Guardian.

In this blog we will look at what a risk-based approach is and how governments should utilise it when developing public policy.

What is a risk-based approach and why it is necessary?

Taking a risk-based approach involves the implementation of a control environment commensurate with the potential impacts of an event/incident on the community.

At its core, adopting a risk-based approach is a recognition of the fact that the same level of control (preventative and/or detective) cannot be applied in the same manner across all aspects of the relevant public policy area.  I discussed the concept of proportionality in a recent blog (here), and adopting a risk-based approach supports that concept.

For the purposes of this blog, I’m going to focus on three key areas of public policy/regulation in which a risk-based approach is not negotiable:

  • Biosecurity
  • Food safety
  • Medical Devices and Pharmaceuticals

Case Study –Berry Contamination

In 2015, a significant number of Australian consumers contracted Hepatitis A from consuming frozen berries sourced from China.  The outbreak led to calls for greater food testing to prevent a similar incident in the future.

Whilst this may seem to be a rational and reasonable response, the reality was that to increase the level of testing would have required resources well beyond those available.  To increase the breadth of testing increases the cost of testing, both within Government and to the producers themselves.

The only outcome in this case would have been an increase to the cost of imported food – a cost that consumers would be loathed to pay.

This may seem heartless – even callous, but the reality is, it is only in the rarest cases that Hepatitis A is fatal. If Australia was to test all food imports for diseases that were the equivalent of Hepatitis A in terms of symptoms/prognosis, can you imagine what the cost would be?

To that end, a risk-based approach needs to be taken i.e. there needs to be a balance between the cost of treatment and testing and the impact on the community.


How do we do it effectively?

Step 1: Identify the Risks

It seems obvious, but you cannot take a risk-based approach without understanding the risk/s.  As I wrote about in Blog #1 for 2018 – what is a risk; risks need to be expressed as events – and it is no different here.

Let’s look at some of the risks for the previously mentioned areas of public policy/regulation where a risk-based approach is taken:

  • Biosecurity.
    • Preventable/at fault catastrophic outbreak of communicable disease within the population.
    • Preventable/at fault catastrophic outbreak of communicable disease within the agriculture industry.
  • Food safety.
    • Preventable/at fault catastrophic outbreak of food borne illnesses within the population.
  • Medical Devices and Pharmaceuticals.
    • Inappropriate/incorrect approval of pharmaceuticals/drugs that result in widespread impacts on public safety.
    • Inappropriate/incorrect approval of medical device/s that result in widespread impacts on public safety.

Step 2: Identify the Consequences

Once the risks are identified, the consequences are then determined.  This assessment is then used as the basis to determine the control environment (step 3).

Step 3: Identify the Control Environment

Once the consequences have been determined, this information is then used to determine the control environment, both preventative and detective controls.

Let’s look at a couple of examples:

Inappropriate/incorrect approval of medical device/s that result in widespred impacts on public safety.

There are medical devices where, if they fail, the most plausible consequence could be the death of a patient.  In these instances:

  • There needs to be significant controls built into the conditions for approval;
  • There needs to be strict audit protocols; and
  • Any incident needs to be investigated quickly and thoroughly.

Here’s another example:

Preventable/at fault catastrophic outbreak of communicable disease within the agriculture industry.

There are communicable diseases that, if they were to be introduced into Australia (e.g. foot and mouth disease) would have a devastating impact on the economy.  Once again, in these instances:

  • There needs to be significant controls built into the importation of bio products;
  • There needs to be strict audit protocols; and
  • There needs to be a significant emphasis on response/quarantine protocols.

The following matrix is a representation of the relationship between the consequence and the control environment:

The application of control environment to consequence ensures that the resources are appropriately allocated for maximum impact.


Taking a risk based-approach is critical, given that there are insufficient resources available to governments and organisations to control everything.

But, when you are sitting at a meeting in the future and you hear someone say that they are taking a risk-based approach, it might be worth asking what the risk is that is being managed under this approach.

Unleash your inner risk gladiator! Join our mailing list for all the latest news, tips, and special offers.
This free E-book dives into risk management, exploring the issues and concepts involved in effectively managing risks in an accessible and comprehensive manner applicable to organisations of all shapes and sizes.