A Strategic Risk Based Approach to Regulating Technologies and Vulnerabilities

A Strategic Risk Based Approach to Regulating Technologies and Vulnerabilities based on HolisTech's® Regulatory Framework presented at the 2007 International Symposium on Technology and Society (ISTAS`07), titled Risk, Vulnerability, Uncertainty, Technology and Society, at the University of Nevada, Las Vegas, USA in June 2007. Co-authored with Graham Durant-Law.

The paper outlines a strategic risk based approach to regulation based on the generic regulatory system developed with the participation of nine of Australia's premier regulatory organisations. The result is a generic strategic management paradigm of regulation and the various behavioural interactions that regulatory systems may utilise. It includes regulatory strategies that may be employed to influence how organisations and people behave, as well as other aspects of regulating, including regulatory metrics, regulatory types, and the mechanisms of regulation. The generic nature of the framework provides for its application in almost any context and to any objective. It also provides for a top-down strategic approach to risk management, an unfortunately all too rare occurrence.

In 2003, the Royal Australian Navy (RAN) commissioned HolisTech® Pty Ltd to develop an intellectually robust and defendable regulatory framework based on a strategic risk management approach that would accommodate the operational exigencies of a military environment. To achieve this, our team of Graham Durant-Law, Denise McQuire and myself reviewed over 300 articles, papers, instructions and policies and engaged the most significant regulatory agencies in Australia in a study and workshop to firstly define a "generic" regulatory framework considered to be best practice. This "generic" framework formed the basis upon which the RAN tailored and refined its own framework to meet its operational and "duty of care" requirements.

During the conduct of this assignment, all participants believed that regulation was conducted in an identical if not similar way. However, it soon became apparent that this was not the case. Although the reasons for regulation were generally consistent - to modify or control behaviours in people or organisations to reduce and/or manage risk of some sort - the frameworks and methods were very different. One organisation would regulate outcomes to ensure the service provided to the public was achieved, another was regulating the materiel artefacts or technologies to ensure safety was not compromised, another was regulating compliance to black letter and grey letter law, and yet another was looking at the deficiencies in process and how that might compromise the outcomes required. The challenge was to develop a generic regulatory framework that encompassed all approaches.

This was achieved by the weaving of regulatory strategies, regulatory interactions, regulatory types, and regulatory mechanisms into a coherent system wrapped within a three dimensional risk management cube. The result is a comprehensive but generic risk based regulatory system that can be used in any context and has provided a number of new concepts to the regulatory body of knowledge.

The strength of the approach is the comprehensive coverage of all elements of a system no matter the technology, the size and regardless of context. A further strength is the ease with which it can be developed within a software database application to provide the robustness of action and collaboration required of a comprehensive and systematic approach.

The HolisTech® Team and RAN staff also visited each of the below organisations and also involved the same organisations in a number of workshops in the development of this framework: