Risk Assessment and Regulation in the Federal Government: A Brief Overview

Report for Congress
Risk Assessment and Regulation
in the Federal Government:
A Brief Overview
March 13, 2003
Rob Buschmann
Analyst in American National Government
Government and Finance Division

Congressional Research Service ˜ The Library of Congress

Risk Assessment and Regulation in the Federal
Government: A Brief Overview
An important function of the regulatory process on the federal level is to assess
and control risks—damage from events that may or may not occur—that confront the
citizenry. Some agencies use risk assessment methods to help understand and control
risks; they then use the rulemaking process to select which methods of risk control
to use. Risk assessment, the rulemaking process, and methods of risk control all
generate controversy. Congress sometimes mandates which risks federal agencies
address, to what extent they are controlled, and how they are controlled. Congress
may change how agencies perform these tasks by changing either the law governing
how a specific risk is handled, or the regulatory process through which risks are
understood, analyzed, and controlled. Legislation in the 108th Congress dealing with
risk assessment and regulation includes homeland security bills, such as S. 6, S. 104,
and S. 157, and bills addressing a range of other issues, including S. 337, H.R. 716,
and H.J. Res. 2. This report will be updated to reflect pertinent legislative and
regulatory developments.

Risk and Regulation............................................1
The Process of Risk Assessment..................................2
Define the Hazard and Identify Adverse Events..............2
Determine the Probability the Event Will Happen............2
Find the Severity of Consequences........................3
Characterize the Risk...................................4
Controversies in Risk Assessment.................................4
Uncertainty ...........................................4
Risk Interactions......................................5
Data Quality..........................................5
Disregarding Very Rare Catastrophes......................5
Distribution of Consequences............................6
Risk Assessment in Decision Making and Regulating.................6
Role of Congress in Risk Regulation...............................7th
Legislation in the 107 Congress..........................8
Legislation in the 108th Congress..........................8
Related CRS Reports...........................................9

Risk Assessment and Regulation in the
Federal Government: A Brief Overview
Risk and Regulation
One of the important functions of the federal government’s regulatory process
is to assess and control risks to citizens. Risk assessment is a tool designed to help
decision makers understand these risks to human welfare, safety, and property from
terrorism, tornados, technology, and other potentially harmful things. Risk
assessment may take a range of information into account, including research in such
areas as toxicology, psychology, biology, chemistry, and statistics, and is sometimes
seen as the area where science is brought to bear upon complex policy problems. In
some federal government agencies, risk assessment influences risk control decisions,
which are discussed, developed, and implemented through the regulatory process.
In turn, the regulatory process influences how government controls risks by dictating
how dialogues about risk are structured—for example, through the notice-and-
comment requirements of rulemaking, or by requiring specific analysis of a rule’s
effect on some population.1 Regulatory decision-making in risk issues depends on
both science and policy as well as legal authority.
In recent years the federal government’s processes for risk assessment and
regulatory decision-making have been controversial. Some experts assert that the
way risk decisions are made in the United States is irrational and chaotic, resulting
in thousands of lives endangered and millions of dollars lost.2 Others maintain that
current risk assessment and control methods reflect the complex needs and desires
of the American people, and that any attempt to change them should be limited.3
This report provides an overview of these issues by giving brief answers to the
following questions: How does one conduct a risk assessment? What controversies
or difficulties are associated with that process? What role does risk assessment play
in controlling risks, and how does the regulatory process affect those decisions? What
part does Congress play in overseeing the process of risk regulation?

11996 amendments to the Regulatory Flexibility Act (P.L. 104-121), for example, require
agencies to analyze the impacts of some rules on small businesses.
2See W. Kip Viscusi, Rational Risk Policy (Oxford, U.K.: Clarendon Press, 1998).
3See Joan Claybrook, testimony before U.S. Congress, House Government Reform
Committee, Subcommittee on Energy Policy, Natural Resources, and Regulatory Affairs,
Regulatory Accounting and Costs and Benefits of Federal Regulations, unpublished
hearings, March 12, 2002.

The Process of Risk Assessment
Experts debate the meaning of the term “risk,” but most accept two concepts as
central: likelihood and consequence.4 Likelihood refers to the probability that an
event will happen; consequence refers to the result associated with that event. Many
risk assessors, especially when dealing with human welfare, focus on negative
(adverse) events and the unwelcome consequences of those events. Risk assessment
helps decision makers by describing in quantitative and qualitative terms the
probability of, and possible consequences from, an adverse event. Most risk
assessments consist of four general steps:
!define hazards and identify adverse events;
!determine the likelihood those events will happen;
!describe the severity of consequences from those events, and who or what
those consequences will affect; and
!characterize the risk, giving a picture that will be useful in decisionmaking.
Define the Hazard and Identify Adverse Events. A hazard, in risk
assessment parlance, is an event or condition that can lead to negative consequences.
Finding and defining a hazard may be straightforward: floods and fires are relatively
simple examples. Other times, the hazard may not be so obvious: some chemicals,
natural and man-made, have been termed “hazardous” only after research or an
unfortunate event brought their potential dangers to light. Some hazards from large
airliners with full fuel tanks, for example, became shockingly clear after the events
of September 11, 2001.
Associating an adverse event with a hazard is the next part of this risk
assessment step. Adverse events may be identified through scientific testing (health
effects of chemicals), recalling historical events (terrorist attacks on public
buildings), or other means. The event, like the hazard, may be either straightforward,
or the complex result of a number of related occurrences.
Determine the Probability the Event Will Happen. Determining the
probability of an adverse event is arguably the most difficult and controversial part
of a risk assessment. A risk assessor may use many sources to estimate the
probability of an event. Historical data, for example, are used by insurance
companies to set health care premiums for persons of different ages and medical
conditions. A risk assessment that uses historical data, however, assumes the future
will closely resemble the past—an assumption that may not apply to some risks.

4These is ongoing debate over the exact definition of “risk” among risk analysts; see Daniel
M. Byrd and C. Richard Cohen, Introduction to Risk Analysis (Rockville, Maryland:
Government Institute Press, 2000), pp. 1-3; David Vose, Risk Analysis: A Quantitative
Guide (New York: John Wiley and Sons, 2000), p. 1; and The Society for Risk Analysis,
“Glossary of Risk Analysis Terms,” available at [http://www.sra.org/glossary.htm], visited
March 12, 2003.

Therefore, to supplement historical data, many risk assessors also use original and
current scientific work or expert judgment. Through research and judgment, assessors
may attempt to predict conditions that might occur in the future and that might affect
the probability of potential risks. For example, experts may develop disaster
scenarios and estimate the likelihood of various events that have effects on
consequences; this is common when events are so rare that few historical data exist,
and experimentation is either impossible or immoral.5
Risk assessors never have enough evidence to lead to an exact probability of an
event happening. The process of risk assessment is, in fact, applied when there are
significant uncertainties about relationships between causes and outcomes. In many
cases, evidence is indirect, and the validity and completeness of data can be
questioned. As a result, risk assessors create assumptions based on principles that
are sometimes unique to their fields of expertise to fill in the gaps in their knowledge.
These “default options” are based on the scientific judgment of the risk assessor and
depend on the purpose of the assessment. Often they are choices based on a plausible
range of scientific possibilities. Such choices in risk assessment can be extremely
controversial, as they reflect agencies’ interpretations of the mission and authority
given them by Congress. Risk assessment experts almost universally recommend
that when policy choices are made in risk assessments, they should be explicitly
acknowledged, and the reasoning behind their use explained.6
Find the Severity of Consequences. Some risk assessments require an
analysis of the severity of an event’s consequences. Severity has different meanings,
depending on the context of the risk assessment: strictly environmental consequences
from a chemical plant leak may range from destruction of a habitat to temporary
pollution of a small stream, while consequences from a terrorist incident may range
from massive loss of life to slight structural damage to a building.
Risk assessors may also ask who or what is likely to suffer the consequences of
the event. “Who” may mean communities living within 10 miles of a nuclear reactor;
“what” may mean parts of a skyscraper affected by intense fire or high winds. In
some cases, this step addresses the different vulnerabilities of different groups—for
example, children often are assumed to be more vulnerable to toxic chemicals than
adults. Some risk assessments request the input of interested and affected groups to
ensure that nothing and nobody is left out. Others consider how risks of different
threats combine to affect populations in different environments.
While not as controversial as estimating the probability of an event, estimating
severity and identifying who or what could be affected can be problematic. Leaving

5For example, assessing the risk of a skyscraper collapsing during an earthquake might
include modeling the strength of the earthquake, the epicenter of the earthquake, the
proximity of other (possibly falling) buildings, and the resistance of skyscrapers to various
kinds of quakes. Obviously, not many of these issues are able to be experimentally tested,
so some degree of judgment is needed to create a model.
6See National Research Council, Science and Judgment in Risk Assessment (Washington:
National Academy Press, 1994.)

important potentially interested and affected groups out of a risk assessment at this
stage can invalidate the entire process.
Characterize the Risk. In the second step, risk assessors attempt to
determine the likelihood of adverse events; in the third step, risk assessors try to
identify upon what or whom the consequences of the adverse event would fall. The
final step of a risk assessment combines this information to arrive at a picture of the
overall risk that populations or assets face from an adverse event or set of events.7
Risk characterization increasingly includes a description of uncertainty, both in
the information used in the risk assessment, and in the assessment’s final results.
Some risk characterizations provide relatively complete descriptions of uncertainty,
while others intentionally or inadvertently omit them. Some risk characterizations
stop before assigning explicit numbers to consequences, while others attempt to add
precision by expressing risks numerically. Some combine the results across
populations or hazards, perhaps to reflect a national point of view; others present
risks for subgroups of the population. The choices made in this final step depend on
resources available, the purpose of the assessment, and policy considerations. There
seems to be a trend toward more detail and caveats in risk characterization, so as to
allow policymakers a clearer picture of the usefulness, assumptions, and limitations8
of the risk assessment. On the other hand, numerous details and caveats sometimes
make risk assessments seem less useful to policymakers, as the assessments may no
longer provide solid answers to the question, “is it safe or not?”
Controversies in Risk Assessment
Risk assessment is sometimes seen as the scientific part of risk analysis, the
process which produces the hard facts risk managers use when comparing different
safety-related policy options. Conversely, because of uncertainty in predicting future
events and estimating the magnitude of losses, some skeptics see risk assessment as
value judgments masquerading as science. In debates about the value of risk
assessment, several generic issues seem to recur: uncertainty, risk interactions, data
quality, disregard of very rare consequences, and the distribution of consequences.9
Uncertainty. The conclusion of every risk assessment is a set of estimates.
A common criticism of risk assessment is that few assessments are accompanied by

7For more information on this step, seen by many as a crucial link between risk assessments
and risk management decisions, see Paul C. Stern and Harvey V. Fineberg, eds.
Understanding Risk: Informing Decisions in a Democratic Society (Washington: National
Academy Press, 1996).
8Office of Management and Budget guidelines, issued in February 2002, instruct federal
agencies to follow certain procedures in characterizing certain types of risk. See U.S. Office
of Management and Budget, “Guidelines for Ensuring and Maximizing the Quality,
Objectivity, Utility, and Integrity of Information Disseminated by Federal Agencies,”
Federal Register, vol. 67, no. 36, Feb. 22, 2002, p. 8460.
9A further discussion on some of these issues can be found in Bernard D. Goldstein’s
chapter titled “Risk Assessment as an Indicator for Decision Making” in Robert W. Hahn,
ed., Risks, Costs, and Lives Saved (Washington: AEI Press, 1996), pp. 67-84.

statements of the confidence that risk assessors have in their conclusions. Risk
assessments, some argue, draw conclusions that are not necessarily the only ones that
can be drawn from the data. Critics also express concern that once a conclusion is
stated in a risk assessment, further discussion about alternative conclusions tends to
disappear—along with the uncertainty risk assessors have about the judgment they
have made. On the other hand, some argue that uncertainty is hard to measure, and
that constantly reporting uncertainty and ranges of possibility can unnecessarily
confuse issues.
Risk Interactions. Risk assessments generally analyze specific events or
categories of events, producing probabilities and consequences for each. Such a
process can miss risk interactions, when two or more risks influence each other. For
example, should three separate events occur in a single community—an attack on a
mobile communications system, another on a power grid, and the release of
biological weapons in a crowded shopping center—the calculations, and the results,
change. When considered separately, each event’s chance and consequences may be
able to be estimated. If all of the attacks happen simultaneously, however, one
cannot simply add the consequences from each to find the result; the whole could be
greater or less than the sum of the parts. Some risk assessment methods are being
developed which will attempt to handle such complicated scenarios.10
Data Quality. Often, quantified likelihood and consequences come only after
analysis of years of relatively common events when the circumstances of those events
and their effects can be clearly measured. Some critics claim that what risk
assessment cannot measure, it implicitly disregards as unimportant. In addition, at
some point more information becomes overly burdensome to find, or is simply
unavailable, and one has to make a best guess to arrive at a risk. How much
information to obtain before making final risk assessments is the subject of
continuing debate in risk assessment. Many vociferous exchanges over risk
assessment’s use boil down to arguments over the depth and relevance of the11
information upon which assessments are based.
Disregarding Very Rare Catastrophes. Risk assessors sometimes,
through choice or inadvertence, do not consider very unlikely and catastrophic
adverse events, especially if a large amount of time passes without any such events
occurring. Some scholars have noted that this tendency is “particularly noteworthy
for relatively complex systems and for estimates of extremely low probabilities ....
(I)t has even earned a name: the ‘disqualification heuristic,’ or the temptation to
conclude that certain highly unpalatable outcomes simply couldn’t occur.”12 In other

10The insurance industry, for example, has developed models for terrorist attacks. See
“RMS Launches Game Theory-based Terrorism Risk Model,” press release from Risk
Management Solutions, Sept. 18, 2002, http://www.rms.com/NewsPress/PR_091802.asp,
visited Feb. 27, 2003. See also Joseph B. Treaster, “The Race to Predict Terror’s Costs,”
New York Times, Sept. 1, 2002, sec. 3, p. 1.
11See Paul Slovic, “Trust, Emotion, Sex, Politics, and Science: Surveying the Risk-
Assessment Battlefield,” Risk Analysis, vol. 19, no. 4, 1999, pp. 689-701.
12William R. Freudenburg, “Heuristics, Biases, and the Not-So-General Public: Expertise

words, there is a possibility that, as time goes by, and very rare and catastrophic
events do not occur, an agency’s risk assessors may begin to disregard the risk of
those types of events entirely.13
Distribution of Consequences. Consequences tend to be aggregated and
averaged over time and space in some risk analyses. Such aggregation may hide
areas of extremely high and low vulnerability and threat within a single “average”
area or industry. For example, one recent study found that the lifetime risk to a
person on the ground of dying from an accidental airplane crash is 9 in 10 million;
however, that figure varies by a factor of about 100 depending on how far an14
individual’s home is from an airport. On the other hand, consequences can be
divided up to the point that each individual consequence appears trivial relative to the
effects of other (perhaps better understood) adverse events.
Risk Assessment in Decision Making and Regulating
Risk assessments may form the foundation for decisions to address risk (also
known as risk management), but they are only one of many types of input in such
decision-making. Economic costs, political considerations, ethical values, and the
benefits of risky activities can all play a prominent role in risk management,
especially for high-profile risks. Although risk management strategies vary widely,
most can be divided into rough categories based on the law or regulation dealing with
the risk. These categories are:
!Health-based: no more than a certain level of risk from the hazard is allowed;
for example, a law or regulation may require no greater than a one-in-a-
million lifetime risk of cancer from a certain chemical.
!Technology-based: the best (or a specified) technology must be used to reduce
the risk; for example, car manufacturers might be required to use the most
effective child restraint system in their vehicles.
!Cost-based: the amount of risk reduction is balanced with the cost involved;
for example, small businesses may be held to less rigorous pollution standards
because of their limited ability to pay for pollution controls.
!Information or market-based: information on competing products might be
provided so people can consider risks and costs individually; for example,

and Error in the Assessment of Risks,” in Social Theories of Risk, edited by Sheldon
Krimsky and Dominic Golding (Westport, CT: Praeger Publishers, 1992), p. 232.
13Ibid., p. 242.
14Kimberly M. Thompson, R. Frank Rabouw, and Roger M. Cooke, “The Risk of
Groundling Fatalities from Unintentional Airplane Crashes,” Risk Analysis vol. 21, no. 6,
2001, pp. 1025-1037. The article notes that in earlier work on the same subject the average
risk was used but possible variability in that number was never quantified.

food processors might be required to list nutritional facts on products.15 One
could also place tax incentives or emissions trading under this category, as
they would influence companies’ and individuals’ behavior but not require
any particular standards.
These categories are not generally mutually exclusive; risk control strategies can
fit into more than one of the above categories.
The federal regulatory process can also affect how risks are regulated. The
process of rule making, with its notice-and-comment procedures, analytical
requirements, and central presidential review, can make publicly addressing risks
difficult for an agency. In particular, the analytical requirements for agencies and the
President’s review office—the Office of Information and Regulatory Affairs
(OIRA)—have generated much debate. As a result of the increasingly complex rule
making process, some agencies take a less direct route to regulation, relying on
guidance documents, informal communications, voluntary agreements, and court
decisions to manage risks.16
Role of Congress in Risk Regulation
Congress has two powerful tools for affecting the way government deals with
risk. One is to make statute-specific changes affecting strategies for dealing with
risk—for example, changing from a health-based to a cost-based strategy (or vice
versa) for pesticide residues. The other is to make changes to the regulatory process
itself by amending the procedures agencies must follow, and analyses they must
perform, in assessing risk and reaching rulemaking decisions. Congress has in the
past used both statute-specific and process methods to direct how agencies regulate
There are some general advantages and disadvantages to statute-specific
changes. Statute-specific changes allow policymakers to address changes in a
particular issue without worrying about the broader effects of such changes:
switching management of pesticide risks will not affect the way the country manages
risks from terrorism. Specific changes to statutes may also provide Congress a more
exact way to dictate how risks are controlled, rather than leaving decisions to agency
heads or other members of the executive branch. In recent years, Congress has used
these methods: The Food Quality Protection Act of 1996 (P.L. 104-170), for
example, changed the legal mandate for setting allowable pesticide residues on food
Some critics of risk regulation in the United States cite differing statutory
mandates underlying agencies’ missions as one of the reasons they believe risks are

15These categories are adapted from George Gray, “The Risk Management Challenge,”
lecture at Harvard Center for Risk Analysis conference titled Analyzing Risk: Science,
Assessment, and Management, Boston, MA, Sept. 24-27, 2002.
16See Cornelius M. Kerwin, “Issues and Contradictions,” in his Rulemaking: How
Government Agencies Write Law and Make Policy (Washington: CQ Press, 1994), pp. 89-


not managed well in this country.17 Process changes are intended to address that
perceived problem by having agencies go through, for example, a standardized
procedure to determine how serious certain risks are. Process changes can take at
least two forms: analysis or decision making. Requiring or preventing analysis
implies only producing (or not producing) information on the effects of a regulation
or management strategy; changing decision making actually forces agencies to make
their choices based on certain criteria. For example, Congress could require every
agency to analyze every regulation for its effect on small business (an analysis
process change), or it could require every agency to select the regulatory option that
has the least effect on small business (a decision making process change.)18
Changing process may assist in standardizing regulatory decisions across agencies,
but it may also hinder some agencies from achieving other (sometimes legally
mandated) goals, such as protection of privacy rights or wildlife habitat.19 The 1996
public law amending the Regulatory Flexibility Act, mentioned earlier, is an example
of a recent analysis process change.20
Legislation in the 107th Congress. A large amount of legislation in the

107th Congress required or recommended risk assessment as a decision-making tool,th

both as statute-specific changes and process changes. Bills in the 107 included the
Homeland Security Act of 2002 (H.R. 5005, P.L. 107-296), and bills on
transportation security (S. 1991 and others), natural disasters (H.R. 3592 and others),
food safety (S. 2013 and others), and environmental and public health (S. 700, now
P.L. 107-9.)
Legislation in the 108th Congress. Legislation to date in the 108th
Congress that addresses risk and its regulation includes homeland security bills, such
the Comprehensive Homeland Security Act of 2003 (S. 6), the Chemical Security Act
of 2003 (S. 157), and the National Defense Rail Act (S. 104.) As in the 107th, bills
on other topics also include risk assessment and regulation provisions, including the
Arsenic-Treated Residential-Use Wood Prohibition Act (S. 337), the IMPACT Act
(H.R. 716), and the Consolidated Appropriations Resolution FY 2003 (H.J.Res. 2,
now P.L. 108-7.)

17See John D. Graham, “Making Sense of Risk: An Agenda for Congress,” in Robert W.
Hahn, ed., Risks, Costs, and Lives Saved: Getting Better Results from Regulation (New
York: Oxford University Press, 1996), pp. 183-207.
18In general, then, an analysis process change requires agencies to more fully explore and
analyze certain policy options, while a decision making process change may require
agencies to eliminate one or more policy options completely.
19For example, if every agency is required to select the regulatory option that saves the most
lives, agencies that regulate areas in which saving lives is not an easily proved benefit may
be forced to select options that reduce the other benefits their regulations might have.
20See supra note 1.

Related CRS Reports
CRS Issue Brief IB94036, The Role of Risk Analysis and Risk Management in
Environmental Protection, by Linda-Jo Schierow.
CRS Report RL 31207, Federal Regulatory Reform: An Overview, by Gary