Today I thought I would share with you HolisTech®'s Regulatory Risk Cube. In 2003 Patrick Byrne and I completed an assignment with the Royal Australian Navy. We were helping the Navy to design a regulatory framework. As part of the assignment we ran several workshops with ten diverse organisations, including the Australian Antarctic Division, the Australian Council of Healthcare Standards, and the Civil Aviation Authority. The workshops were interesting because the participants were benchmarking themselves against each other, and each expected the others’ system would be the same or very similar - in fact they were very different. The challenge was to develop a generic regulatory framework that encompassed all approaches. One of the outcomes from the workshops was the Regulatory Risk Cube, which is depicted below.

The cube has three axes. The x-axis shows the impact of the adverse event. The y-axis shows the chance of an adverse happening with high-risk at the top of the axis. The z-axis shows the risk being considered against system maturity from high/low to low/high depending on the circumstance.

Note we suggest the cube can be used as means to determine a permissioning strategy. Regulation is after all about giving permission for something to occur in a specified way. We suggest that if the hazard probability is low, and the impact if it occurs is low, and the maturity of the organisation or system is high, then formal regulation probably is not required. Conversely if the hazard impact is disastrous and likely then mandated regulation is appropriate – by that we mean it is authoritarian and inflexible in its application.

We used the cube as a start point diagnostic, from which we developed nine regulatory interactions, six regulatory types, and six groups of regulatory mechanisms that might be employed in any regulatory system. This gives more than 1,297 component permutations available for the design and build of a regulatory system. If you are interested you can read how this all comes together in our peer-reviewed paper titled – “A Strategic Risk Based Approach to Regulating Technologies and Vulnerabilities ”.

From our perspective understanding where a system or organisation fits on the Regulatory Risk Cube matters, and explains why so many systems are over-regulated.

Regards Graham