The recent White Paper sets out a strong intention to introduce risk-based regulation to English higher education. Although expressed most forcibly as providing benefits for external quality assurance - allowing the Quality Assurance Agency to focus its resources on those institutions without a clear track record of quality compliance and standards, and reducing the bureaucratic burden on the majority of providers - the state's intention ranges far wider.
The Higher Education Funding Council for England is being enjoined to apply risk-based principles to financial regulation. Private providers able to demonstrate a good record of degree-level provision abroad are likely to face much lighter scrutiny of their proposals for degree-awarding powers and university titles. Yet risk-based regulation potentially offers increased risk for regulators and government, and key dangers for some institutions and their students.
The aim of introducing risk-based regulation is laudable. It follows good practice in other policy domains, as well as in the recent higher education reforms in Australia. The aim is to allow regulators to deploy resources to greatest effect by focusing on areas in greatest need of regulatory inquiry, to assure standards and to reassure the public and consumers. Although breaking with long-established egalitarian principles in democratic states of treating everyone equally before the law, risk-based regulation tends to find favour among key stakeholders in a policy regime. Governments like it, as it reduces regulators' claims for high levels of resources, and institutions welcome approaches that appear mainly collaborative and offer the prospect of less onerous and repetitive enquiries into their affairs.
But the dangers are not to be underestimated. "Trusted" institutions, lacking regular full review, may become complacent or fail for other, undetected, reasons. They may handle their own risk and reputation control systems badly, fail to learn from their mistakes and mess up their media relations. Ignoring "risk incubation" and associated warning signals is a classic precursor to disaster or fiasco (think of Hurricane Katrina). Risk-based regulators focus and rely on the internal control systems of those they regulate - they generally do not possess the funds to do much else. Yet internal risk control in organisations in recent years has become elevated into a matter of board governance and accountability around reputation, markets and sustainability. Regulators are required to possess quite wide levels of functional and governance expertise, and this can wipe out any resource gains that may accrue from more selective enquiries.
A key political problem for risk-based regulators is that governmental resolve to support such approaches can wither in the face of a high-profile "failure". Popular calls for regulatory villains to be named and fired, along with strong demands for increased regulatory surveillance, are not easily disregarded by politicians in times of stress. Yet normal accidents, even failures, happen. After all, risk is also part of the new enterprise culture of opportunity and innovation that is being encouraged in higher education by the government. Risk-taking as well as risk avoidance is being sought. Here is an enduring dilemma in risk regulation that is not easily reconciled in regulatory regimes.
Regulators will need to display high levels of transparency in determining their plans, not least in establishing into which categories of "trusted/less trusted" institutions fall. The White Paper refers to a technical accumulation of metrics to help make such decisions "objective", yet it is individuals who will make such categorisations. Their interpretations are not infallible. Baseline data on who to trust and who not to cannot be established quickly and may be highly contestable. The QAA and Hefce will need to allow considerable information on their decision-making to enter the public domain for wider scrutiny. On the plus side, such an approach may also enable regulators to generate robust internal audit trails for their own protection when confronted by media storms over failures construed as a consequence of "light-touch" supervision.
"Risk" (the idea that uncertainty can be managed and that corporate bodies can no longer seek to be excused by blaming fate) implies responsibility and holding to account. Such actors need to have a good explanation for failures, backed up by strong evidence.
These are the consequences of risk-based selectivity. To accomplish their objectives, regulators will need to outline quickly the kind of futures (and failures) that they envision. Planning for failure is not easily managed in the language of current public discourse. Regulators need to specify where their responsibilities and accountabilities lie, but also where they do not. Most importantly in the eyes of the government and the student consumer, will risk-based regulation provide the same kind of protection for all students?
The global financial crisis highlights how attempts to control and disperse firm-based risk can eventually come to pose increased systemic risk. In focusing selectively on individual institutions - by analysing their specific risks through new and untried methodologies - regulators may easily lose sight of systemic risks. In an increasingly diversified sector where light-touch approaches will prevail, it may become even more necessary to complement individual reviews with sustained sector-wide monitoring.