Risk as an Approach to Regulatory Governance: An Evidence Synthesis and Research Agenda

Governments around the world have begun to develop and implement risk governance and risk-based regulation and are often inspired by the insights from risk studies in doing so. Following these developments, scholars have begun to map, explore, and interrogate risk governance models and strategies and risk-based regulatory approaches and instruments, and their performance. This article presents an evidence of academic literature on risk as an approach to regulatory governance. It follows the logic and applies tools of meta-research, a systematic and replicable process of synthesizing research findings across a body of original research. Following a staged approach, 135 peer-reviewed journal articles from an initial body of 1,125 articles were analyzed. The article presents the main findings from the evidence synthesis, presents the gaps in our knowledge, and suggests a future agenda for research on risk as an approach to regulatory governance. The article finds that despite ongoing conceptual and normative debates about the need for risk governance and risk-based regulation, we lack a good understanding of how it operates in practice. Future scholarship is urged to be critical of the potential gap between academic and policy rhetoric on risk-based regulatory governance and the application of this approach to regulatory governance on the ground.


Introduction
Regulatory governance (the development, delivery, evaluation, and reform of regulation) has witnessed several paradigm shifts since the 1960s. These include moves toward performance-based regulation, mixed-incentive enforcement models such as responsive regulation, and the use of insights from the behavioral sciences in "nudge-type" regulation. This article reflects on one of the major paradigm shifts from this period: the shift to risk as an approach to regulatory governance. The central focus of this article is risk as encapsulating a way of regulating problems and situations, and the processes, techniques and instruments applied in risk-based regulatory governance-as popped to risk as a problem or situation to be solved (risk as an object of regulation).
This article presents an evidence synthesis of the peerreviewed academic literature on risk-based regulatory governance since the late 1980s (when the notion of risk as an approach to regulatory governance began to emerge in academic and policy debates) building on an initial set of over 1,000 peer-reviewed journal articles and book chapters published over the last decade. Evidence syntheses fit a broader trend of meta-research or metascience: "an approach in which science turns the lens of scrutiny on itself" (Schooler, 2014, p. 9) (see also Bearfield & Eller, 2008;Sutton et al., 2016). In short, this article is concerned with questions about the construction, validation, and replication of knowledge on risk-based regulatory governance. It asks: What is known about risk-based regulatory governance? And what is the basis of this knowledge?
Two broad motivations discussed in the broader evidence synthesis literature underpin this article (for discussions of this literature, see van der Heijden, 2021;van der Heijden & Kuhlmann, 2018). First, synthesizing the knowledge created through studies of risk-based regulatory governance and drawing lessons that may be assumed to hold across a wide variety of settings-possibly beyond the populations or cases included in the original studies (Brady & Collier, 2004;King et al., 1994;Larsson, 2009). Second, understanding whether and to what extent the knowledge that has been created 1032202S GOXXX10.1177/21582440211032202SAGE Openvan der Heijden research-article20212021 1 Victoria University of Wellington, New Zealand 2 Australian National University, Australia through studies of risk-based regulatory governance answers the questions posed by those who introduced theories and concepts essential to risk-based regulatory governance, reflects the reality described by them, and is of use to those who wish to apply this knowledge in regulatory practice (Creswell & Miller, 2000;Gorin, 2007;Merriam, 1995;van der Heijden & Kuhlmann, 2018).
In what follows, the article presents the four main themes that emerged from the evidence synthesis: insights on the evolution, questions around the limits of risk-based regulatory governance, ethical challenges, and epistemic challenges. The conclusion sums up the main findings from the evidence synthesis and presents a research agenda for future research on risk-based regulatory governance. Extensive supplementary data are provided in the Online Appendixes to this article: an overview of examples of dominant risk governance and risk-based regulation models (Online Appendix A), an overview of the foundational texts underpinning the meta-review (Online Appendix B), and an overview of the publications studied for the systematic evidence review (Online Appendix C). First, however, the methodology underlying evidence synthesis is briefly explained.

Evidence Synthesis Methodology
The evidence synthesis presented in this article builds on a broad reading of peer-reviewed journal articles and book chapters on risk as an approach to regulatory governance published in English between 2009 and 2019. Prior to selecting these articles, a narrative review was carried out of 30 foundational texts on risk, risk management, risk-based regulation, and risk governance published since the 1980s. The narrative review has informed the process of sourcing the articles for the evidence synthesis.

Selection and Analysis of Source Material
The narrative review was carried out as a means to "scope" the field and followed conventional practice for selecting documents (Campbell Collaboration, 2018;Gough et al., 2012): A keyword search (see below) was carried out on Google Scholar to capture a workable set of foundational texts that discuss risk governance and risk-based regulation. Foundational texts were identified by their citation count. This resulted in a set of 22 monographs (ranging from one to four authors), six edited volumes (all books), and two journal articles (that do not overlap with those identified for the systematic evidence review, below; and that do not overlap substantially with the monographs or chapters from the edited volumes). Online Appendix B provides an overview of these 30 foundational texts. This set was complemented with publications cited in the foundational texts traced ("snowball sampling").
The evidence synthesis includes peer-reviewed publications from the fields of law, political science, and public administration. Following conventional practice for the type of evidence synthesis presented here, documents were sourced from the Web of Science database (Gough et al., 2012;Heyvaert et al., 2017;Moher et al., 2009;van der Heijden, 2021). A keyword search was used to capture a workable set of publications that engage with risk-based regulatory governance. The keyword searches were: (risk AND based AND regulat*), resulting in 417 documents; (risk AND regulat*), resulting in 130 documents; ("risk regulat*"), resulting in 80 documents; (risk AND based AND govern*), resulting in 89 documents; (risk AND govern*), resulting in 553 documents; and ("risk govern*"), resulting in 148 documents. The asterisk (*) operates as a wildcard-for example, the term "regulat*" allows the search to find "regulation," "regulating," "regulate," "regulator," and so on.
After removing duplicates, this initial search resulted in a set of 1,125 peer-reviewed journal articles and book chapters. All abstracts and summaries of these were read to identify those publications that explicitly engage with risk in relation to regulatory governance (for book chapters lacking an abstract or summary, the introduction section was read). Inclusion criteria were (a) the terms "risk" and "regul*" or "risk" and "govern*" no more than three words apart in the abstract or summary; or (b) the notion of risk explicitly discussed in the context of the development, delivery, evaluation, and reform of regulation or the political process underlying these regulatory activities in the abstract or summary. A total of 135 publications met these inclusion criteria. Online Appendix C provides an overview of these. (An Excel file of the 1,125 identified peerreviewed journal articles and book chapters is available upon request. Please reach out to the author.) The initial focus of the evidence synthesis on publications in the areas of law, political science, and public administration may have somewhat skewed the set of source publications. That having been said, the set of 135 peer-reviewed articles opens a large enough window on academic studies into risk-based regulatory governance over the last decade to provide insight on what is known about risk-based regulatory governance, and what the basis of this knowledge is (Cooper, 2017;Heyvaert et al., 2017). All documents sourced for the evidence synthesis were read in full, and notes (including the key insights reported, the area of study, and the type of research project undertaken) were kept in a working document. The document was coded to capture the "repetitiveness" and "rarity" of themes and findings reported across the various publications (cf. Bearfield & Eller, 2008;Sutton et al., 2016;van der Heijden, 2019).

Evidence Map
To gain an understanding of the breadth and depth of the set of 135 articles, it is of relevance to ask some basic questions: Are these publications conceptual or empirical; if empirical, what type of study were undertaken and where; and, what are the geographical locations of the (lead) authors of them? Answering such questions helps sketching a map of the evidence available (Gough et al., 2012).
Conceptual or empirical. The publications included in the evidence synthesis are almost evenly split between conceptual discussions of risk-based regulatory governance (51%, n = 69) and empirical studies of this approach to regulatory governance in practice (49%, n = 66). Of the empirical articles and book chapters, the majority address studies of a single case (62% of the 66 empirical publications), a third builds on studies of one to 10 cases (33%, n = 22), and a very small number builds on large-n studies (5%, n = 3). Strikingly, very little studies explicitly contrast the performance of riskbased regulatory governance with other regulatory governance strategies.
Geographical orientation. When considering authors' geographical location, the sample of 135 publications indicates that most authors of these come from continental Europe (39%, n = 53), the United Kingdom (24%, n = 33), and the United States (13%, n = 17). Scholars from other Western countries were also highly represented, including Australia (8%, n = 11) and Canada (5%, n = 7). Publications were coded based on the home-base of its first author when published. Understanding that this clustering comes with complications for articles and book chapters written by groups of authors with different regional backgrounds or with first authors holding multiple affiliations in different regions, the finding of Western dominance in the literature is still noteworthy. Likewise, the 66 empirical publications largely focus on examples from Western countries: continental Europe (35% of the 66 empirical publications, n = 23), the United Kingdom (14%, n = 9), and the United States (9%, n = 6). Again, cases from other Western countries were highly represented in empirical studies, including Australia (6%, n = 4), Canada (3%, n = 2), and Western countries in publications with a "global focus" (14%, n = 9). This indicates that a large part of the world is underrepresented in driving the academic debate on risk-based regulatory governance: Only a few articles and book chapters are written by (first) authors from Asia, Africa, or Latin America (n = 14; 10%). Likewise, only a handful of the empirical articles focus on these world regions (18% of the 66 empirical publications, n = 12).
Summing up. In sum, when looking at the full set of articles included in the evidence synthesis, it becomes clear that they engage with theoretical questions of risk-based regulatory governance approximately as much as with matters of real-world development and implementation. By and large, their empirical studies build on single-n case studies, rather than comparative medium-n or large-n studies. Generally, empirical studies address parts of a risk-based regulatory governance regime and not regimes as a whole, and tend to focus on the development of (parts of) the regimes rather than on their evaluation. And, by and large, the debate on risk-based regulatory governance is driven by scholars from continental Europe and Anglo-Saxon countries, and the available knowledge base, by and large, builds on studies from Western countries also. Some scholars argue that risk governance may be a specific conceptualization of regulatory governance that fits well within the context of liberal Western democracies, but perhaps less well elsewhere (Smismans, 2017). That said, when overviewing the 66 empirical articles, little homogeneity in risk-based regulatory governance is observed across (Western) countries-or, as one scholar states, "Risk regulation is a messy world" (Hutter, 2017, p. 106).

Findings
Synthesizing the risk-based regulatory governance knowledge base is all but easy. In what follows, findings from the evidence synthesis are clustered in four broad and somewhat overlapping themes that recurred across the 135 articles and chapters.

Theme 1: The Evolution of Risk-Based Regulatory Governance (or: How Did We End Up With It in the First Place?)
It goes without saying that humankind has always been subject to risk. Our understanding of risk has, however, changed over time. Our ancient ancestors thought of risk as something they could not influence, and they considered risk along the lines of fate and determinism. Our ancient ancestors thought of risk as something they could not influence. They looked at their future as set in stone, regulated either by the forces of nature or by spirits and deities. Risk as a way of thinking about a makeable and thus changeable future is a rather recent development (Burgess, 2016;Hutter, 2017;Macrae, 2010). One of the world's leading risk scholars, Eugene Rosa, has captured this well by stating, "Risk has a very long past, but very short history" (Rosa, 1998, p. 15). For an excellent history of risk assessment and risk management, see Peter Bernstein's (1996) book Against the Gods: The Remarkable Story of Risk. Another excellent historical overview is Niklas Luhmann's (1991) Risk: A Sociological Theory.
A very brief history. The contemporary understanding of "risk" can be traced back to 12th-century Italy. It was in Italy at that time that merchants needed control over the future gains and losses of the goods they were trading. Early developments in probability theory and a documented history of trade allowed for rudimentary estimates of the uncertainties of investments. This was a major development, as it allowed the risk of trading in a good (the uncertainty of loss or gain) to be separated from the good itself, and the risk to be traded for a price. Suddenly, the unknown future "could be estimated, commodified and exchanged" (Doron, 2016, p. 20). In short, it had become clear that "risk is a choice rather than a fate" (Bernstein, 1996, p. 8). Of course, this process did not happen overnight. It took some 600 years, from the 12th to the 18th century, to move from a rudimentary understanding of risk as something that is not merely fate or determinism to the idea that risk can be captured, calculated, and to some extent controlled by humans. Once this notion was accepted, the development sped up incredibly quickly. The fundamentals were laid for risk as an object of public governance particularly during the Enlightenment, when public authorities in Europe began to collect large volumes of data at the population level, and when ongoing developments in probability theory and mathematics at that time made it possible to trace patterns in that data (Alemanno, 2016;Huber, 2010).
From the 18th century onward, risk became a fundamental concept that allowed for "rational" governance, particularly at the population level. Two central insights accelerated this "rational" governance. First is the insight that "state policy should be shaped by administrative and arithmetic knowledge of the population" (Doron, 2016, p. 21). Second is the insight that at the aggregate level, some risks can be controlled, either by pooling the risk through public insurance and state-organized welfare or by minimizing the risk through modifying and deterring it in its origins-even when as individuals, people are often unable to control the risks to which they are subject (Luhmann, 1991). The Industrial Revolution that started in the second half of the 18th century brought about a range of risk-related changes that were unprecedented-a novel distribution of risks through rapid urbanization, negative externalities, and the working and living conditions in which large groups of working-class people suddenly found themselves. Particularly in Europe, insights into these new risks led to a growth of risk-pooling initiatives, such as public health schemes, unemployment insurance, and public pensions (Pierson & Casteles, 2006).
A "natural" development. In one reading of the historical development of risk-based regulatory governance, it emerged "naturally." In the 19th and 20th centuries, it became apparent that many of the "new" risks were too intricate to be addressed through traditional legal instruments (Steele, 2004). Specifically, the system of tort law in the United States, in which the evidentiary burden is on the plaintiff, struggled to deal with these new indirect or slow-to-materialize risks that arose from industrialization. In response, the United States Congress concluded that the tort system "was incapable of providing an effective response to the increasing threats to the public health and safety and the environment attributable to new technologies and development" (Shapiro & Glicksman, 2003, p. 3). Between the 1960s and 1990s, in the United States, this led to a move away from minimal federal regulation toward an approach to risk governance in which the government often took action to regulate anticipated health, safety, and environmental harms. Risk technologies (particularly risk estimation) were considered a rational way of providing public security. In the 1980s, the turn to New Public Management provided another push, but calling on governments to become more cost-effective and efficient (Hood, 1995;McLaughlin et al., 2002). Obviously, the "utilitarian" tools of risk assessment and risk management that by then were widely applied by firms allowed government departments to "allocate regulatory resources in proportion to the risks and interventions they require" (Davies et al., 2010, p. 963) and "explicitly explain their selective decisions based on the assessment of the risk that the regulated actors (companies or individuals) present" (Macenaite, 2017, p. 512). Countries elsewhere, particularly in Europe, followed suit (Hood et al., 2001;Majone, 2016).

Limitation of freedom by stealth.
A more critical reading of this period is provided by "governmentality" scholars (Foucault, 2009). They argue that the new risks, or, more precisely, the new understanding of risks, allowed those in power to push for a way of governing that was ever more intrusive. That is, risks have become more than being the "mere" objects of public governance. In this critical reading, of interest to those in power are the underlying practices of these risks and "how to most effectively govern the conduct and actions of populations to minimize identified risks" (Edge & Eyles, 2015, p. 189). That is, rather than seeking to reduce a risk, governments have become interested in reducing the behavior that may result in the risk. Thus, not only can the government hold individuals responsible for having caused harm, but the government can hold individuals responsible for engaging in activities and behaviors that may cause harm. At the same time (the 1930s to 1970s), governments largely embraced regulation as the central mode of public governance, resulting in what is often termed "the regulatory state" (Majone, 1994;Moran, 2002;Sunstein, 1990). To critical governance scholars, the combination of a changing understanding of risk and a growing use of regulation as preferred mode of public governance allows governments to limit individual freedom even more than they have ever before. That is, regulating (read: restricting) behaviors because they may cause harm, particularly at the aggregate level of society (Dean, 2009). In sum, the new understandings of risk (and regulation) have moved the object of public governance from substance and matter to human conduct, and the modes of public governance from restoring damage and preventing harm to imposing on and internalizing in people norms of "accepted" behavior through regulatory interventions.
Risk-based regulatory governance as responsibilization. In another critical reading of this period, scholars point out that governments often show "an overreaction . . . to a risk or (public safety) incident by issuing more regulation and more oversight than necessary to control the risk at an acceptable level" (de Ridder & Reinders, 2014, p. 4). This can result from responses being made too swiftly, and from the incoherent addition of risk-based regulatory governance elements to an existing regulatory regime, which may cause regulatory failure in the future (Anabtawi & Schwarcz, 2011). It may result from a tendency of regulators "to be drawn to their highest risks and . . . pull back resources from lower risks" (Black & Baldwin, 2012, p. 2). Lower risks may, over time, produce significant harm and political contention. Other scholars point out that risk as an approach to regulatory governance has resulted in the process of "responsibilization" in which citizens are increasingly expected to take the responsibility to protect themselves (Ansell & Baur, 2018). Risk as an approach to regulatory governance is then seen to fit a neo-liberal policy agenda and to be a justification for undermining (social) welfare and a shift in which governments adapt to their limited capabilities to protect citizens' rights (Garland, 1996;Hinds & Grabosky, 2010) (but for an opposing view, see Lodge, 2011). In a somewhat related way, making risk central to regulatory governance creates an illusion of the manageability of risk. That may result in a false sense of security about how well future risks can be reduced, pooled, mitigated, or prevented through risk-based regulatory governance (Burgess, 2016;Power, 1999).
Summing up: Risk has become an approach to regulatory governance. Irrespective of what reading of the historical development one prefers, by the 1980s the jump to risk-based regulatory governance had become a possibility-and was made on both sides of the Atlantic. In risk-based regulatory governance, the focus is no longer on risk as an object of regulatory governance, but risk as an approach to regulatory governance (Haines, 2017;Hutter, 2017;Macenaite, 2017). Risk is used as a decision-making resource that allows for a reasoned allocation of regulatory resources based on risk levels and for a reasoned response to a possible harm or gain when there is a lack of knowledge in qualitative or quantitative terms (Steele, 2004). As such, risk-based regulatory governance can be defined as "an evidence-based means of targeting the use of resources and of prioritizing attention to the highest risks in accordance with a transparent, systematic, and defensible framework" (Black & Baldwin, 2010, p. 181). Finally, the move toward risk-based regulatory governance fits societal calls on governments to become proactive (and prevent harm before it occurs) rather than being reactive (and restore harm once it is done) that have increased in strength since the 1980s (Tait & Levidow, 1992; van der Heijden & Hodge, 2021).

Theme 2: Has Risk-Based Regulatory Governance Reached Its Limits?
In the wake of large disasters, including the Chernobyl nuclear disaster in the Soviet Ukraine in 1986, the BSE (bovine spongiform encephalopathy) crisis in the United Kingdom in 1996, and the 9/11 terrorist attacks in New York in 2001, writings by a range of influential thinkers on the role of risk in modern society entered mainstream debate (van der Heijden & Hodge, 2021). Among the best-known thinkers are Ulrich Beck, who coined the term "risk society," Anthony Giddens, Aaron Wildavsky, and Niklas Luhmann.
A societal preoccupation with risk. In broad brush strokes, the main argument of these thinkers can be summed up as follows: Throughout the 20th century, society at large has become preoccupied with risk and taming the future. Risk causes great anxiety at the societal level, and the wide range of regulatory governance interventions that have been put in place to reduce, pool, mitigate or prevent risk, risk causes do not seem to reduce that anxiety (Beck, 1992;Giddens, 1997;Luhmann, 1991;Wildavsky, 1988). To Beck, this preoccupation exists because we are faced with greater risks than ever before: Risks are global, outlast generations, and affect all, regardless of class, culture, or citizenship. To Giddens, we have this preoccupation because we now "live on a high technological frontier which absolutely no one completely understands and which generates a diversity of possible futures" (Giddens, 1998, p. 25). To Wildavsky (1988), it is because of the paradoxical situation that risk prevention requires risk-taking and risk exposure. To Luhmann (1991), finally, it is because large risks loom in different systems (such as the economy, the environment, or politics) that are difficult for those outside those systems to mitigate but that may have detrimental consequences across systems. These thinkers present insights on novel risks (and amplified existing ones) and insights of systemic risks that are see reflected in the risk-based regulatory governance models that have been adopted globally (Klinke & Renn, 2021). Despite the potential opportunities that new technologies (such as developments in information and communications technology, nanotechnology, genetically modified foodstuffs, and artificial intelligence) bring, their risks cannot (yet) be (objectively) estimated and thus, not be "rationally" addressed through regulatory governance (Florin & Bunting, 2009;Giorgi, 2013;Hodge et al., 2014).
From "ordinary" risks to systemic ones. At the same time, many of today's major risks are systemic, meaning that they are embedded in the larger context of societal processes. "Systemic risks have therefore a growing potential of harm since effects can be amplified or attenuated throughout the prolongation of effects based on a complex system of interdependencies" (van Asselt & Renn, 2011, p. 436). Thus, while our understanding of risk, risk evaluation, and risk management has grown tremendously over the last decades, it has also become clear that it is exceptionally difficult to reduce, pool, mitigate, or prevent many of the risks that we are facing today. Around the globe, it is observed that risk-based regulatory governance has become a routine rather than a tailored intervention (Renn, 1998). Over recent years, questions have been raised about whether risk-based regulatory governance may perhaps provide a false sense of security. The power of risk-based regulatory governance to safeguard society through carefully calculated regulatory interventions may very well have come to its absolute limit (Klinke, 2021;Klinke & Renn, 2021). These limitations bring us back to the "classic" questions about the ontology and epistemology of risk (Aven, 2010;Renn, 1998;Rosa, 1998;Rosa et al., 2014). More and more, the leading risk scholars are calling for a move away from, or at least a softening of, the high value assigned to "hard" probabilities based on "objective," quantitative data, collected and processed by technical experts. They call for the inclusion of "subjective," qualitative data and knowledge of lay people in the assessment and management of risk, and these calls are echoed in regulatory scholarship (Ansell & Baur, 2018;Haines, 2017;Hutter, 2017). This change has also affected risk-based regulatory governance in practice, in which risk as an approach to regulatory governance appears to be developing in a narrow and a broad sense.
Summing up: From a narrow to a broad understanding of riskbased regulatory governance. In a narrow sense, the central premise behind risk-based regulatory governance maintains to be the "adoption of apparently rational, objective, and transparent ways of prioritizing work, and the deployment of limited regulatory resources" (Hutter, 2017, p. 103). In a broad sense, the central premise behind risk-based regulatory governance is a "paradigm of administrative constitutionalism [that] promotes a model of public administration that is designed to address the factual and normative complexities of . . . risk evaluation by granting to public administration substantial and ongoing problem-solving discretion in relation to particular issues. This power is needed so that the processes of . . . risk evaluation can adapt to the [technical, political, economic, societal and other] uncertainties and issues involved in relation to specific . . . risks" (Fisher, 2010, p. 30). Likewise, in a narrow sense, risk-based regulatory governance is "an 'aspiration to control' future events [and] regulation is one manifestation of a modern belief that risks can be anticipated and controlled" (Hutter, 2017, p. 102). In a broad sense, risk-based regulatory governance is open to acknowledging that fully reducing risk to zero is impossible, and it works "to instil processes and practices . . . that help prepare public and private organisations to recognise and manage these potentially catastrophic events" (Boin, 2010, p. 248).

Theme 3: The Epistemic Challenges of Risk as an Approach to Regulatory Governance
Many of the epistemic challenges discussed in the literature address the limits of and differences in knowing what constitutes a risk and how best to respond to it. Scholars agree that sound risk assessment and management builds on multiple sources of knowledge regarding a range of elements (Haines, 2013;Hutter, 2017). These elements include, but are not limited to, the extent of harm, the probability of occurrence, the remaining uncertainties (incertitude), the geographical and temporal spread of harm (ubiquity), the duration of harm (persistence), the reversibility of harm, the delay effect between the trigger and the occurrence of harm, and the potential for mobilization of those affected (Renn & Klinke, 2016).
The data challenge in risk-based regulator governance. However, obtaining sound knowledge on these elements and applying it well is anything but easy. Scholars are particularly critical of over-technocratic applications of risk-based regulatory governance, and of overconfidence about what this approach to regulatory governance may bring (Black & Baldwin, 2010;Renn, 1998). "Expectations that risks can be anticipated and managed may lead organisations to convey impressions that they are in much greater control tha[n] is in reality feasible, and the pressure may be on them to be seen to be doing something in response to the identification of risks" (Hutter, 2010, p. 252). With the growing knowledge of risk assessment and risk management, risk-based regulatory governance has become "something of a cult. Today, an almost magical aura surrounds the estimation of probable harm" (Durant, 1998, p. 73). Scholars stress that it is particularly problematic that risk assessment and risk management require the simplification of complex data and a reliance on proxies where data are lacking (Hutter, 2017). The data that exist often do not allow for risk assessment, historical data may be outdated, and too much weight may be given to probabilities derived from incomplete data (Aven, 2016). Data can be compromised at the political level by partisan or other interests, and biases may color how data are interpreted or even provided (Aven, 2011). For example, in risk-based regulatory governance, benefit-cost analyses are often used to understand whether people are willing to be subject to a specific risk. The exact framing of questions is critical. The answer to the question of how much people are willing to pay to reduce the risk of losing income/health/happiness/and so on will be substantially different from the answer to how much they would pay for the certainty of maintaining their income/health/happiness/and so on (Renn, 1998;Shapiro & Glicksman, 2003).
Multiple "truths" about risks and their appropriate regulatory responses. More and more, claims to know what constitutes a risk and what constitutes an appropriate regulatory response are disputed. Often, a distinction is made between "objective" and "perceived" risks (Cedergren & Tehler, 2014). Over recent decades, scholars have put to the test the objectivity of technical risk assessments and have identified a range of biases and ethical and sociocultural influences that affect risk identification and estimation (Rosa, 1998;Viscusi & Zeckhauser, 2015). In response, more weight is now given to the knowledge of risk held by people other than technical experts, such as the general public affected by the risk (Poortvliet et al., 2016). It should be kept in mind, however, that a larger knowledge base of what constitutes a risk and what the response to the risk should be by no means provides a blueprint for effective risk-based regulatory governance (Shapiro & Glicksman, 2003;van Asselt & Renn, 2011). Here, our bounded cognitive abilities come into play (Kahneman, 2011). One of the core epistemic challenges of risk-based regulatory governance is that humans have a limited capacity to deal with uncertainties and probabilities. We quickly jump to conclusions based on partial or misunderstood information about risk (Van Coile, 2016). To prevent poorly designed risk-based regulatory governance interventions being made that lean too heavily on either "objective" or "perceived" risks and risk knowledge, scholars urge a move away from a static understanding of risk toward a more dynamic understanding of degrees of uncertainty. They further urge a move away from risk aversion toward trial-and-error risk taking that allows for learning from adversity and promotes resilience through risk-based regulatory governance (de Vries & Boeckhout, 2011;Wildavsky, 1988).

Theme 4: The Ethical Challenges of Risk as an Approach to Regulatory Governance
A final theme that recurs in the literature is the ethical challenges that come with risk as an approach to regulatory governance. When overviewing the range of ethical challenges discussed, two broad issues stand out. The first is a call on governments to reduce risk inequalities across different groups in society, and the second is a call on governments to improve the legitimacy and accountability of risk evaluation and risk reduction, pooling, mitigation, and prevention.
From rational-instrumental to social-political models of riskbased governance. One of Ulrich Beck's (1992) better-known statements in his book Risk Society is that "[w]ealth accumulates at the top, risk at the bottom" (p. 35). Beck was concerned that risks disproportionally affect groups in society that are already marginalized. Other scholars are less dystopian, but still argue that risks do not affect everyone equally. Often, they warn, risks are not chosen by individuals or groups but are imposed on them by the actions of others (Lodge & Wegrich, 2012). Likewise, risk responses desired by some may have negative consequences for others. "[R]isk-related decision making is not about risks alone or about a single risk usually. Evaluation requires risk-benefit evaluations and risk-risk trade-offs. [There] are competing, legitimate viewpoints over evaluations about whether there are or could be adverse effects" (Renn & Klinke, 2016, p. 208). It is partly because of these insights that scholars have begun to call for more inclusive and participatory risk-based regulatory governance processes. Such participatory processes allow for risk assessment and the development of regulatory interventions that build on the knowledge of technical experts, expert bureaucrats, scientists, and lay people (Lodge & Wegrich, 2012). They call for a move away from a rational-instrumental model of regulatory governance toward a societal-political one. This, of course, does not imply that all risk-based regulatory governance interventions require extensive participation. The changing levels of risk knowledge and the changing nature of risks allow for different types of participation. For example, relatively simple and conventional risks can be addressed by expert bureaucrats, technical experts, and scientists. When the risks that are faced are more complex and ambiguous, affected stakeholders and sometimes even civil society at large may need to be consulted (Renn, 2015). Not only does this allow for a broad knowledge base to be obtained, but it also helps to make affected stakeholders aware of the risks to which they are subject and the (self-regulatory) actions they can themselves take to reduce their exposure (Steele, 2004).

Risk-based regulatory governance is not value free.
Scholars also call on regulatory policymakers and practitioners to keep in mind that risk-based regulatory governance "[is not] a free-standing and technical guide to regulatory intervention [but a] particular way to construct the regulatory agenda" (Black & Baldwin, 2010, p. 210). Risks are not value free. Their construction, packaging, and identification involve political choices, and this gives considerable power to decision makers (Baldwin & Black, 2016;van Asselt & Renn, 2011). At the same time, heightened public awareness of risks asks decision makers to "justify not taking action rather than taking action" (Tosun, 2013, p. 42). A challenge for regulators in risk-based regulatory governance is that they may "be criticized for being too harsh when things are calm and being too lax when risks have been realized" (Hutter, 2017, p. 107). To put this differently, the growth of riskbased regulatory governance may raise legitimacy problems for a government: how can it demonstrate its effectiveness if the problems it seeks to address do not occur (Ansell & Baur, 2018)? Governments engaged in risk-based regulatory governance may also face accountability challenges. The aura of objectiveness and rationality that comes with this approach to regulatory governance may shift blame away from government, or result in symbolic responses with little practical value (Macenaite, 2017;Rothstein & Downer, 2012). Risk governance can also change the dynamics of regulatory capture, particularly when governments are highly reliant on third parties for technical risk assessments and other knowledge (Jansen, 2017). To help to improve the legitimacy and accountability of risk-based regulatory governance, scholars therefore call on governments to increase the openness of their risk-based regulatory governance regimes (Hood et al., 2001). That can be done by, for instance, increasing public participation in risk assessment and the development of interventions, as discussed above. Alternatively, governments may wish to provide greater transparency in information-gathering and processing, as well as about the making of decisions on the kind of risks that are accepted and the kind that are not.

Conclusion and Future Research Agenda
Building on meta-research logic and tools, this article has presented an evidence synthesis of a large body of literature that engages with "risk" as encapsulating a way of regulating problems and situations, and the processes, techniques, and instruments applied in risk-based regulatory governance. This concluding section presents the main findings from the evidence synthesis. While the findings are bounded by the selection criteria of both reviews (see "Evidence Synthesis Methodology" section), the breadth and depth of the source publications is considered wide enough to draw conclusions that reach beyond the individual publications reviewed. Building on these findings, this section concludes with a research agenda on risk-based regulatory governance, particularly by highlighting the gaps in our knowledge.

Conclusions
First, over recent decades, risk has become a dominant approach to regulatory governance. Of course, risk has always been an object of regulatory governance. As an approach to regulatory governance, it does, however, rest on a set of assumptions about how regulatory resources can best be allocated to achieve desirable societal outcomes-or, to put it better, how resources can best be allocated to prevent harm in the first place or to respond to it adequately when it arises. This fits a broader trend of moving from a reactive to a practice stance in how they seek to address harms. Generally, risk-based regulatory governance does not aim for zero harm for all observed risks: "the aim is not to develop absolutely fault-free systems but systems which are capable of handling faults quickly when they develop" (Hutter, 2010, p. 259). Keeping these insights in mind, regulators have begun to complement their risk-based regulatory governance strategies and tools with risk response plans. These include preparedness plans that stipulate how to act to minimize harm during a disaster, resilience thinking about how to "bounce back" or "fall forward" after a disaster, and explicit precautionary strategies that clearly state when zero harm ("better safe than sorry") is required and when it is not (O'Malley, 2016;Sanchez et al., 2018;Wildavsky, 1988).
Second, regulators who make risk an approach to regulatory governance will quickly encounter the tension between what Elizabeth Fisher (2010) refers to as a rational-instrumental and a deliberative-constitutive understanding of risk assessment and risk management. The former calls for "more science" in risk-based regulatory governance, the latter for "more democracy." For a long time, marrying risk-based regulatory governance to the rational-instrumental approach made sense because it aligned well with a neo-classical rational choice model in which humans were considered to make predictable decisions within bounded contexts. Since the 1980s, however, the behavioral sciences have pointed to the limited predictive value of the neo-classical rational choice model (Kahneman, 2011). Likewise, since the 1980s, it has become clear that many of today's most pressing risks transcend traditional regulatory boundaries (Aven & Renn, 2010). These insights indicate that siloed agencies and nation-states can no longer regulate risks independently, and they also point to the limits of a rational-instrumental understanding of risk assessment and risk management. The evidence synthesis presented stresses that risk as an approach to regulatory governance calls for tailored solutions and bespoke applications. "Good risk governance rests upon a combination of best available interdisciplinary knowledge, including the awareness of its limitations and uncertainties, and careful synthesis of public concerns, values and visions" (Renn, 2008, p. 368).
Third, risk-based regulatory governance comes with its own risks. "Our faith in risk management encourages us to take risks we would not otherwise take," Peter Bernstein (1996, p. 335) argues, and this may very well echo in the area of regulatory governance (Hallsworth et al., 2018). Others have stated that risk as an approach to regulatory governance may result in a false sense of security, in modeling that looks good on paper but would not stand the test of practice, or even in a means of resource allocation that is captured by political or private interests. Keeping these insights in mind, regulators need to realize that in a narrow sense risk provides little more than a utilitarian approach to regulatory governance. It may make resource allocation more transparent and accountable, and perhaps more systematic and rational. It will not make resource allocation less political or contested. How to allocate resources under risk-based regulatory governance ultimately depends on "how risk is defined and on the chosen (declared) rationale justifying regulatory action. There exists indeed an important, and yet often neglected, linkage between conceptualisation of risk and proposed solutions of risk-related policy problems" (Alemanno, 2016, p. 197).
Fourth, and related to the above, equally important to keep in mind for those interested in applying this approach to regulatory governance is that it produces a paradox. Risk-based regulatory governance may, at first glance, seem to be a rational, transparent, and accountable way to allocate limited regulatory resources to address the most pressing risks. However, the efficiency gains of that utilitarian motivation for choosing this approach to regulatory governance may quickly be undone if risk-based regulatory governance is not taken seriously. Both rational-instrumental and societal-political risk assessments ask for substantial investment in time and resources. Deciding on the right level of risk management and risk-based regulatory governance to implement will be equally time and resource intensive. However, without taking these steps seriously, the risks of risk-based regulatory governance may outweigh the benefits.
Fifth and final, while the findings summarized here are insightful, they fall short in addressing the pressing questions of what forms of risk-based regulatory governance yield desirable outcomes, where and why. An understanding that governments take different approaches to risk-based regulatory governance, even in different policy areas within a single jurisdiction, helps to stress that there is no one-size-fits-all model for risk-based regulatory governance. The current evidence base is, however, too small to conclude whether, when, and where risk-based regulatory governance is desirable in the first place. In the light of the long-standing and active debate on risk as an approach to regulatory governance in the literature, the limited number of evaluative, comparative case studies-either comparisons between different types of risk governance or comparisons between risk governance and other regulatory governance approaches-is striking (for a promising exception of an ex-ante comparative evaluation, see Rodenrijs et al., 2014). In a similar vein, the limited evidence base available by and large builds on studies from Western countries carried out by scholars from these countries. In short, while much has been written about risk-based regulatory governance, still much is unknown.

Future Research Agenda
Before mapping out a future research agenda, I must first step in as author and raise my own voice. Following the conventional evidence synthesis practice, I have let the literature do the talking to this point. Strikingly, the issues that I have identified and the insights that I have collected above overlap, to some extent, with other evidence syntheses of the regulatory governance literature that I have carried out-for example, on the use of behavioral insights in regulatory practice (van der Heijden, 2020) and responsive regulation (van der Heijden, 2021). What follows is, in part, inspired not only by the current evidence synthesis, but by my broader interest in synthesizing the available knowledge on regulatory governance. Thus, while the research agenda for riskregulation and risk governance that follows logically results from the evidence synthesis presented in this article, it also reflects my hope of how the broader regulatory governance literature will develop in the future.
Evidently, it is crucial to be critical of the potential gap between academic and policy rhetoric on risk-based regulatory governance and the application of this approach to regulatory governance on the ground. While there is ample talk about how risk as an approach to regulatory governance may result in more (cost-)effective regulatory regimes (i.e., utilitarian motivations for its application) or more transparent and accountable regulatory regimes (i.e., political or moral motivations for its application), the evidence synthesis indicates that the empirical research remains largely silent as to whether these expectations are consistently met in real-world settings. While the academic interest in risk as an approach to regulatory governance is substantial, we know little about how, where, and with what effects it is applied in regulatory practice. This leaves demanding research challenges for the future of regulatory governance scholarship and the future or risk studies into the application of risk-based regulatory governance on the ground. What appears particularly relevant are medium-n and large-n studies, as well as studies that move beyond the Western liberal democracies.
It is also essential to scrutinize the explanatory reach of the accumulated knowledge base. While there is ample research on the use of risk-based regulatory governance in the regulatory governance of finance (particularly after the global financial crisis of 2007-2008), food production (particularly after the BSE crisis in the United Kingdom in the 1990s), and technology (particularly on nanotechnology), it remains at question whether lessons learnt from these areas (and their high profile cases) are applicable elsewhere. The set of factors that explain the success or failure of risk-based regulatory governance in these repeatedly studied areas may-and most probably will-be the starting point for studies that criticize this set for being too limited for a full understanding of risk as an approach to regulatory governance and its outcomes.
It is equally important to create a stronger connection between the often utilitarian and normative (public administration) theories that drive much of the current knowledge base of this approach to regulatory governance and other dominant theories in regulatory governance scholarship. For example, the "more realistic, less rational" model of human behavior and related theorizing that drive much of the behavioral-insights-regulation literature (e.g., "nudging" Halpern, 2019;Thaler & Sunstein, 2009) may help to better understand why risk-based regulatory governance performs the way it does in real-world settings. Alternatively, scholars may wish to synthesize the existing knowledge base through the lenses provided by these theories, and deepen our understanding of themes such as agency, empowerment, and political contestation in the development and implementation of risk-based regulatory governance.
Last but not least, a final set of core challenges is to understand whether and how promising examples of risk-based regulatory governance can be successfully transplanted to other locations; whether and how synergies can be created between these interventions and other regulatory governance instruments and approaches, such as responsive regulation, so that their impact as a whole is greater than the sum of the impacts of each of them; and how we can ensure that the progress (to be) made in using risk as an approach to regulatory governance will not be reversed by future swings in political leadership. Future scholarship may wish to gain a deeper understanding of which design and implementation strategies are effective for achieving such synergies, as well as of the entrenchment of risk-based regulatory governance that yield desirable outcomes.
To conclude, important advances have been made on our understanding of risk as an approach to regulatory governance. The existing knowledge base is strongly supported by a sound foundation of empirical research and conceptual debates published over the last decade, and a strong body of foundational literature published since the 1980s. We now have a strong base on which to continue and expand our research in this important area of regulatory governance, and we are faced with challenging research questions on the use of its tools, instruments, and processes in addressing the challenges that lie ahead of us.

Author's Note
A very early version of this article was made available to the G-REG community as "Risk Governance and Risk-Based Regulation: A Review of the International Academic Literature. State of the Art in Regulatory Governance Research Papers no 2" and a series of blog posts on www.RegulatoryFrontlines.blog.