Risk Assessment and Regulation in the Federal Government: A Brief Overview

An important function of the regulatory process on the federal level is to assess and control risks--damage from events that may or may not occur--that confront the citizenry. Some agencies use risk assessment methods to help understand and control risks; they then use the rulemaking process to select which methods of risk control to use. Risk assessment, the rulemaking process, and methods of risk control all generate controversy. Congress sometimes mandates which risks federal agencies address, to what extent they are controlled, and how they are controlled. Congress may change how agencies perform these tasks by changing either the law governing how a specific risk is handled, or the regulatory process through which risks are understood, analyzed, and controlled. Legislation in the 108th Congress dealing with risk assessment and regulation includes homeland security bills, such as S. 6, S. 104, and S. 157, and bills addressing a range of other issues, including S. 337, H.R. 716, and H.J.Res. 2. This report will be updated to reflect pertinent legislative and regulatory developments.

RL31781 -- Risk Assessment and Regulation in the Federal Government: A Brief Overview

March 13, 2003




Risk and Regulation

One of the important functions of the federal government's regulatory process is to assess and control risks to citizens. Risk assessment is a tool designed to help decision makers understand these risks to human welfare, safety, and property from terrorism, tornados, technology, and other potentially harmful things. Risk assessment may take a range of information into account, including research in such areas as toxicology, psychology, biology, chemistry, and statistics, and is sometimes seen as the area where science is brought to bear upon complex policy problems. In some federal government agencies, risk assessment influences risk control decisions, which are discussed, developed, and implemented through the regulatory process. In turn, the regulatory process influences how government controls risks by dictating how dialogues about risk are structured--for example, through the notice-and-comment requirements of rulemaking, or by requiring specific analysis of a rule's effect on some population. (1) Regulatory decision-making in risk issues depends on both science and policy as well as legal authority.

In recent years the federal government's processes for risk assessment and regulatory decision-making have been controversial. Some experts assert that the way risk decisions are made in the United States is irrational and chaotic, resulting in thousands of lives endangered and millions of dollars lost. (2) Others maintain that current risk assessment and control methods reflect the complex needs and desires of the American people, and that any attempt to change them should be limited. (3) This report provides an overview of these issues by giving brief answers to the following questions: How does one conduct a risk assessment? What controversies or difficulties are associated with that process? What role does risk assessment play in controlling risks, and how does the regulatory process affect those decisions? What part does Congress play in overseeing the process of risk regulation?

The Process of Risk Assessment

Experts debate the meaning of the term "risk," but most accept two concepts as central: likelihood and consequence. (4) Likelihood refers to the probability that an event will happen; consequence refers to the result associated with that event. Many risk assessors, especially when dealing with human welfare, focus on negative (adverse) events and the unwelcome consequences of those events. Risk assessment helps decision makers by describing in quantitative and qualitative terms the probability of, and possible consequences from, an adverse event. Most risk assessments consist of four general steps:

  • define hazards and identify adverse events;

  • determine the likelihood those events will happen;

  • describe the severity of consequences from those events, and who or what those consequences will affect; and

  • characterize the risk, giving a picture that will be useful in decisionmaking.

Define the Hazard and Identify Adverse Events. A hazard, in risk assessment parlance, is an event or condition that can lead to negative consequences. Finding and defining a hazard may be straightforward: floods and fires are relatively simple examples. Other times, the hazard may not be so obvious: some chemicals, natural and man-made, have been termed "hazardous" only after research or an unfortunate event brought their potential dangers to light. Some hazards from large airliners with full fuel tanks, for example, became shockingly clear after the events of September 11, 2001.

Associating an adverse event with a hazard is the next part of this risk assessment step. Adverse events may be identified through scientific testing (health effects of chemicals), recalling historical events (terrorist attacks on public buildings), or other means. The event, like the hazard, may be either straightforward, or the complex result of a number of related occurrences.

Determine the Probability the Event Will Happen. Determining the probability of an adverse event is arguably the most difficult and controversial part of a risk assessment. A risk assessor may use many sources to estimate the probability of an event. Historical data, for example, are used by insurance companies to set health care premiums for persons of different ages and medical conditions. A risk assessment that uses historical data, however, assumes the future will closely resemble the past--an assumption that may not apply to some risks. Therefore, to supplement historical data, many risk assessors also use original and current scientific work or expert judgment. Through research and judgment, assessors may attempt to predict conditions that might occur in the future and that might affect the probability of potential risks. For example, experts may develop disaster scenarios and estimate the likelihood of various events that have effects on consequences; this is common when events are so rare that few historical data exist, and experimentation is either impossible or immoral. (5)

Risk assessors never have enough evidence to lead to an exact probability of an event happening. The process of risk assessment is, in fact, applied when there are significant uncertainties about relationships between causes and outcomes. In many cases, evidence is indirect, and the validity and completeness of data can be questioned. As a result, risk assessors create assumptions based on principles that are sometimes unique to their fields of expertise to fill in the gaps in their knowledge. These "default options" are based on the scientific judgment of the risk assessor and depend on the purpose of the assessment. Often they are choices based on a plausible range of scientific possibilities. Such choices in risk assessment can be extremely controversial, as they reflect agencies' interpretations of the mission and authority given them by Congress. Risk assessment experts almost universally recommend that when policy choices are made in risk assessments, they should be explicitly acknowledged, and the reasoning behind their use explained. (6)

Find the Severity of Consequences. Some risk assessments require an analysis of the severity of an event's consequences. Severity has different meanings, depending on the context of the risk assessment: strictly environmental consequences from a chemical plant leak may range from destruction of a habitat to temporary pollution of a small stream, while consequences from a terrorist incident may range from massive loss of life to slight structural damage to a building.

Risk assessors may also ask who or what is likely to suffer the consequences of the event. "Who" may mean communities living within 10 miles of a nuclear reactor; "what" may mean parts of a skyscraper affected by intense fire or high winds. In some cases, this step addresses the different vulnerabilities of different groups--for example, children often are assumed to be more vulnerable to toxic chemicals than adults. Some risk assessments request the input of interested and affected groups to ensure that nothing and nobody is left out. Others consider how risks of different threats combine to affect populations in different environments.

While not as controversial as estimating the probability of an event, estimating severity and identifying who or what could be affected can be problematic. Leaving important potentially interested and affected groups out of a risk assessment at this stage can invalidate the entire process.

Characterize the Risk. In the second step, risk assessors attempt to determine the likelihood of adverse events; in the third step, risk assessors try to identify upon what or whom the consequences of the adverse event would fall. The final step of a risk assessment combines this information to arrive at a picture of the overall risk that populations or assets face from an adverse event or set of events. (7)

Risk characterization increasingly includes a description of uncertainty, both in the information used in the risk assessment, and in the assessment's final results. Some risk characterizations provide relatively complete descriptions of uncertainty, while others intentionally or inadvertently omit them. Some risk characterizations stop before assigning explicit numbers to consequences, while others attempt to add precision by expressing risks numerically. Some combine the results across populations or hazards, perhaps to reflect a national point of view; others present risks for subgroups of the population. The choices made in this final step depend on resources available, the purpose of the assessment, and policy considerations. There seems to be a trend toward more detail and caveats in risk characterization, so as to allow policymakers a clearer picture of the usefulness, assumptions, and limitations of the risk assessment. (8) On the other hand, numerous details and caveats sometimes make risk assessments seem less useful to policymakers, as the assessments may no longer provide solid answers to the question, "is it safe or not?"

Controversies in Risk Assessment

Risk assessment is sometimes seen as the scientific part of risk analysis, the process which produces the hard facts risk managers use when comparing different safety-related policy options. Conversely, because of uncertainty in predicting future events and estimating the magnitude of losses, some skeptics see risk assessment as value judgments masquerading as science. In debates about the value of risk assessment, several generic issues seem to recur: uncertainty, risk interactions, data quality, disregard of very rare consequences, and the distribution of consequences. (9)

Uncertainty. The conclusion of every risk assessment is a set of estimates. A common criticism of risk assessment is that few assessments are accompanied by statements of the confidence that risk assessors have in their conclusions. Risk assessments, some argue, draw conclusions that are not necessarily the only ones that can be drawn from the data. Critics also express concern that once a conclusion is stated in a risk assessment, further discussion about alternative conclusions tends to disappear--along with the uncertainty risk assessors have about the judgment they have made. On the other hand, some argue that uncertainty is hard to measure, and that constantly reporting uncertainty and ranges of possibility can unnecessarily confuse issues.

Risk Interactions. Risk assessments generally analyze specific events or categories of events, producing probabilities and consequences for each. Such a process can miss risk interactions, when two or more risks influence each other. For example, should three separate events occur in a single community--an attack on a mobile communications system, another on a power grid, and the release of biological weapons in a crowded shopping center--the calculations, and the results, change. When considered separately, each event's chance and consequences may be able to be estimated. If all of the attacks happen simultaneously, however, one cannot simply add the consequences from each to find the result; the whole could be greater or less than the sum of the parts. Some risk assessment methods are being developed which will attempt to handle such complicated scenarios. (10)

Data Quality. Often, quantified likelihood and consequences come only after analysis of years of relatively common events when the circumstances of those events and their effects can be clearly measured. Some critics claim that what risk assessment cannot measure, it implicitly disregards as unimportant. In addition, at some point more information becomes overly burdensome to find, or is simply unavailable, and one has to make a best guess to arrive at a risk. How much information to obtain before making final risk assessments is the subject of continuing debate in risk assessment. Many vociferous exchanges over risk assessment's use boil down to arguments over the depth and relevance of the information upon which assessments are based. (11)

Disregarding Very Rare Catastrophes. Risk assessors sometimes, through choice or inadvertence, do not consider very unlikely and catastrophic adverse events, especially if a large amount of time passes without any such events occurring. Some scholars have noted that this tendency is "particularly noteworthy for relatively complex systems and for estimates of extremely low probabilities .... (I)t has even earned a name: the 'disqualification heuristic,' or the temptation to conclude that certain highly unpalatable outcomes simply couldn't occur." (12) In other words, there is a possibility that, as time goes by, and very rare and catastrophic events do not occur, an agency's risk assessors may begin to disregard the risk of those types of events entirely. (13)

Distribution of Consequences. Consequences tend to be aggregated and averaged over time and space in some risk analyses. Such aggregation may hide areas of extremely high and low vulnerability and threat within a single "average" area or industry. For example, one recent study found that the lifetime risk to a person on the ground of dying from an accidental airplane crash is 9 in 10 million; however, that figure varies by a factor of about 100 depending on how far an individual's home is from an airport. (14) On the other hand, consequences can be divided up to the point that each individual consequence appears trivial relative to the effects of other (perhaps better understood) adverse events.

Risk Assessment in Decision Making and Regulating

Risk assessments may form the foundation for decisions to address risk (also known as risk management), but they are only one of many types of input in such decision-making. Economic costs, political considerations, ethical values, and the benefits of risky activities can all play a prominent role in risk management, especially for high-profile risks. Although risk management strategies vary widely, most can be divided into rough categories based on the law or regulation dealing with the risk. These categories are:

  • Health-based: no more than a certain level of risk from the hazard is allowed; for example, a law or regulation may require no greater than a one-in-a-million lifetime risk of cancer from a certain chemical.

  • Technology-based: the best (or a specified) technology must be used to reduce the risk; for example, car manufacturers might be required to use the most effective child restraint system in their vehicles.

  • Cost-based: the amount of risk reduction is balanced with the cost involved; for example, small businesses may be held to less rigorous pollution standards because of their limited ability to pay for pollution controls.

  • Information or market-based: information on competing products might be provided so people can consider risks and costs individually; for example, food processors might be required to list nutritional facts on products. (15) One could also place tax incentives or emissions trading under this category, as they would influence companies' and individuals' behavior but not require any particular standards.

These categories are not generally mutually exclusive; risk control strategies can fit into more than one of the above categories.

The federal regulatory process can also affect how risks are regulated. The process of rule making, with its notice-and-comment procedures, analytical requirements, and central presidential review, can make publicly addressing risks difficult for an agency. In particular, the analytical requirements for agencies and the President's review office--the Office of Information and Regulatory Affairs (OIRA)--have generated much debate. As a result of the increasingly complex rule making process, some agencies take a less direct route to regulation, relying on guidance documents, informal communications, voluntary agreements, and court decisions to manage risks. (16)

Role of Congress in Risk Regulation

Congress has two powerful tools for affecting the way government deals with risk. One is to make statute-specific changes affecting strategies for dealing with risk--for example, changing from a health-based to a cost-based strategy (or vice versa) for pesticide residues. The other is to make changes to the regulatory process itself by amending the procedures agencies must follow, and analyses they must perform, in assessing risk and reaching rulemaking decisions. Congress has in the past used both statute-specific and process methods to direct how agencies regulate risk.

There are some general advantages and disadvantages to statute-specific changes. Statute-specific changes allow policymakers to address changes in a particular issue without worrying about the broader effects of such changes: switching management of pesticide risks will not affect the way the country manages risks from terrorism. Specific changes to statutes may also provide Congress a more exact way to dictate how risks are controlled, rather than leaving decisions to agency heads or other members of the executive branch. In recent years, Congress has used these methods: The Food Quality Protection Act of 1996 (P.L. 104-170), for example, changed the legal mandate for setting allowable pesticide residues on food

Some critics of risk regulation in the United States cite differing statutory mandates underlying agencies' missions as one of the reasons they believe risks are not managed well in this country. (17) Process changes are intended to address that perceived problem by having agencies go through, for example, a standardized procedure to determine how serious certain risks are. Process changes can take at least two forms: analysis or decision making. Requiring or preventing analysis implies only producing (or not producing) information on the effects of a regulation or management strategy; changing decision making actually forces agencies to make their choices based on certain criteria. For example, Congress could require every agency to analyze every regulation for its effect on small business (an analysis process change), or it could require every agency to select the regulatory option that has the least effect on small business (a decision making process change.) (18) Changing process may assist in standardizing regulatory decisions across agencies, but it may also hinder some agencies from achieving other (sometimes legally mandated) goals, such as protection of privacy rights or wildlife habitat. (19) The 1996 public law amending the Regulatory Flexibility Act, mentioned earlier, is an example of a recent analysis process change. (20)

Legislation in the 107th Congress. A large amount of legislation in the 107th Congress required or recommended risk assessment as a decision-making tool, both as statute-specific changes and process changes. Bills in the 107th included the Homeland Security Act of 2002 (H.R. 5005, P.L. 107-296), and bills on transportation security (S. 1991 and others), natural disasters (H.R. 3592 and others), food safety (S. 2013 and others), and environmental and public health (S. 700, now P.L. 107-9.)

Legislation in the 108th Congress. Legislation to date in the 108th Congress that addresses risk and its regulation includes homeland security bills, such as the Comprehensive Homeland Security Act of 2003 (S. 6), the Chemical Security Act of 2003 (S. 157), and the National Defense Rail Act (S. 104.) As in the 107th, bills on other topics also include risk assessment and regulation provisions, including the Arsenic-Treated Residential-Use Wood Prohibition Act (S. 337), the IMPACT Act (H.R. 716), and the Consolidated Appropriations Resolution FY 2003 (H.J.Res. 2, now P.L. 108-7.)

Related CRS Reports

CRS Issue Brief IB94036, The Role of Risk Analysis and Risk Management in Environmental Protection, by [author name scrubbed].

CRS Report RL 31207, Federal Regulatory Reform: An Overview, by Gary Galemore.


1. 1996 amendments to the Regulatory Flexibility Act (P.L. 104-121), for example, require agencies to analyze the impacts of some rules on small businesses.

2. See W. Kip Viscusi, Rational Risk Policy (Oxford, U.K.: Clarendon Press, 1998).

3. See Joan Claybrook, testimony before U.S. Congress, House Government Reform Committee, Subcommittee on Energy Policy, Natural Resources, and Regulatory Affairs, Regulatory Accounting and Costs and Benefits of Federal Regulations, unpublished hearings, March 12, 2002.

4. There is ongoing debate over the exact definition of "risk" among risk analysts; see Daniel M. Byrd and C. Richard Cohen, Introduction to Risk Analysis (Rockville, Maryland: Government Institute Press, 2000), pp. 1-3; David Vose, Risk Analysis: A Quantitative Guide (New York: John Wiley and Sons, 2000), p. 1; and The Society for Risk Analysis, "Glossary of Risk Analysis Terms," available at http://www.sra.org/glossary.htm, visited March 12, 2003.

5. For example, assessing the risk of a skyscraper collapsing during an earthquake might include modeling the strength of the earthquake, the epicenter of the earthquake, the proximity of other (possibly falling) buildings, and the resistance of skyscrapers to various kinds of quakes. Obviously, not many of these issues are able to be experimentally tested, so some degree of judgment is needed to create a model.

6. See National Research Council, Science and Judgment in Risk Assessment (Washington: National Academy Press, 1994.)

7. For more information on this step, seen by many as a crucial link between risk assessments and risk management decisions, see Paul C. Stern and Harvey V. Fineberg, eds. Understanding Risk: Informing Decisions in a Democratic Society (Washington: National Academy Press, 1996).

8. Office of Management and Budget guidelines, issued in February 2002, instruct federal agencies to follow certain procedures in characterizing certain types of risk. See U.S. Office of Management and Budget, "Guidelines for Ensuring and Maximizing the Quality, Objectivity, Utility, and Integrity of Information Disseminated by Federal Agencies," Federal Register, vol. 67, no. 36, Feb. 22, 2002, p. 8460.

9. A further discussion on some of these issues can be found in Bernard D. Goldstein's chapter titled "Risk Assessment as an Indicator for Decision Making" in Robert W. Hahn, ed., Risks, Costs, and Lives Saved (Washington: AEI Press, 1996), pp. 67-84.

10. The insurance industry, for example, has developed models for terrorist attacks. See "RMS Launches Game Theory-based Terrorism Risk Model," press release from Risk Management Solutions, Sept. 18, 2002, http://www.rms.com/NewsPress/PR_091802.asp, visited Feb. 27, 2003. See also Joseph B. Treaster, "The Race to Predict Terror's Costs," New York Times, Sept. 1, 2002, sec. 3, p. 1.

11. See Paul Slovic, "Trust, Emotion, Sex, Politics, and Science: Surveying the Risk-Assessment Battlefield," Risk Analysis, vol. 19, no. 4, 1999, pp. 689-701.

12. William R. Freudenburg, "Heuristics, Biases, and the Not-So-General Public: Expertise and Error in the Assessment of Risks," in Social Theories of Risk, edited by Sheldon Krimsky and Dominic Golding (Westport, CT: Praeger Publishers, 1992), p. 232.

13. Ibid., p. 242.

14. Kimberly M. Thompson, R. Frank Rabouw, and Roger M. Cooke, "The Risk of Groundling Fatalities from Unintentional Airplane Crashes," Risk Analysis vol. 21, no. 6, 2001, pp. 1025-1037. The article notes that in earlier work on the same subject the average risk was used but possible variability in that number was never quantified.

15. These categories are adapted from George Gray, "The Risk Management Challenge," lecture at Harvard Center for Risk Analysis conference titled Analyzing Risk: Science, Assessment, and Management, Boston, MA, Sept. 24-27, 2002.

16. See Cornelius M. Kerwin, "Issues and Contradictions," in his Rulemaking: How Government Agencies Write Law and Make Policy (Washington: CQ Press, 1994), pp. 89-120.

17. See John D. Graham, "Making Sense of Risk: An Agenda for Congress," in Robert W. Hahn, ed., Risks, Costs, and Lives Saved: Getting Better Results from Regulation (New York: Oxford University Press, 1996), pp. 183-207.

18. In general, then, an analysis process change requires agencies to more fully explore and analyze certain policy options, while a decision making process change may require agencies to eliminate one or more policy options completely.

19. For example, if every agency is required to select the regulatory option that saves the most lives, agencies that regulate areas in which saving lives is not an easily proved benefit may be forced to select options that reduce the other benefits their regulations might have.

20. See supra note 1.
