Roughly half the work that governments do involves the control of harms.  Law enforcement, security, intelligence and social regulatory agencies all exist primarily to protect citizens from harms of one type or another.  True, they deliver services too, and the public management literature has a great deal to say about how to do service-delivery well.  But their core task is to identify “bads” (hazards, risks, threats, problems, or harms) and to control them effectively, thereby making citizens safer, healthier, and more secure. Little guidance has been available to public officials on the issues peculiar to the risk-control business, even as a series of disasters (quickly dubbed “regulatory failures”) unfold.  Practitioners need the field of Public Management to pay much more attention to the distinctive challenges associated with this type of work.

March, 01 2012   |   Malcolm K. Sparrow

According to the United Nation’s Millenium Declaration [1] much of the urgent agenda for the human race consists of harms insufficiently controlled.  The Declaration begins with a formidably long list of them, which includes terrorism, the threat of nuclear terrorism, transnational crime, smuggling in human beings, money laundering, violent crime, HIV Aids, malaria, child prostitution, genocide, loss of the world’s environmental resources, the persistence of extreme poverty, and so on.  International and Non-Governmental organizations, as well as the society of nations, are challenged to control harms at global and regional levels.  We rely on national governments to handle more-obviously domestic and localized risks, such as crime, occupational hazards, transportation hazards, corruption, pollution; and to guarantee the safety of the food supply, drugs, and consumer products.     

One might expect, therefore, that the identification and control of harms, threats or risks would be recognized as a core discipline for public servants and a priority area for inquiry by public management scholars.  Recent disasters, whether man-made (e.g. the Global Financial Crisis) or natural (e.g. Hurricane Katrina, or the Japanese earthquake and tsunami), have sparked intense debate over the question “what should citizens expect from their governments with respect to risk control?”

From these debates we know something about what the public expects.  With respect to risks, citizens expect governments to be:

  • vigilant, so they can spot emerging threats early, pick up on precursors and warning signs, use their imaginations to work out what could happen, and to do these things even before much harm is done. 
  • nimble, flexible enough to organize themselves quickly and appropriately around each emerging risk, rather than being locked into patterns of practice constructed around the risks of a preceding decade, and
  • skillful, masters of the entire intervention toolkit, and adept at creating new approaches when existing methods turn out to be irrelevant or insufficient to suppress a risk.

But who teaches regulatory and law-enforcement officials how to deliver that kind of performance?  What literature should they read? 

Over the last two decades government reforms have been driven by managerial prescriptions, imported from the private sector, which focus on client-satisfaction, process-improvement, technology adoption, and performance management. 

Regulators, and others with risk-control responsibilities, need practical help with a rather different set of issues: what does it mean to be vigilant with respect to novel or emerging risks?  What is the relationship between enforcement discretion and effective risk control?  How best can regulators modify behavior and manage compliance, and at the same time remain minimally intrusive?  How can executives organize established bureaucracies around specific harm-reduction objectives when the harms don’t align with any established piece of the organizational structure?  How do we measure an agency’s contributions to risk reduction?  How can policymakers justify a budget for preventive work on a long-term and sustainable basis, in the absence of a catastrophe?  On these and many other issues, regulatory and enforcement practitioners are hungry for guidance. 

Scholars might point to the burgeoning Risk literature, and imagine that practitioners can find what they need there.  But the risk literature—provided largely by experimental psychologists and behavioral economists—focuses predominantly on the ways in which risks are perceived by individuals, and how social, emotional and psychological factors distort risk-assessments and affect behavior.  That is all useful for public officials to know, but the risk literature has not focused on the distinctive managerial challenges associated with running a regulatory or risk-reduction program.  It has not explored the different ways of structuring risk-control operations, the nature and exercise of discretion, the linkages between analysis, intelligence and operations, or the tension between organizing around functional or programmatic solutions rather than around concentrations of risk. The risk literature has not so far provided any organizational theory tailored to risk-control tasks. 

Neither has the field of organizational theory—with its early focus on functional specialization and more recent focus on process-management—said much about how to organize an enterprise in a fluid and flexible way around the important risks of the day (and without plunging the agency into a series of debilitating reorganizations).  Regulators will never produce the requisite vigilance nor organizational nimbleness by stressing the enhancement of existing functional units or by refining established processes yet further.  Indeed, functional and process-based forms of professionalism (critical though these remain) often seem to pull in the opposite direction and can appear to restrict an organization’s capacity for fluid, creative, and effective interventions.

We should thank the legal profession for paying attention to the quality of the law itself, offering guidance on modernization, streamlining, coherence, and harmonization across jurisdictions.  And economists have shown us how to think about macro-level resource allocation questions, so we can keep the price-of-a-life at least roughly consistent across a range of risk domains, and balance the costs and benefits of proposed rules.

But these are not the management issues.  Hundreds of thousands of regulatory and law enforcement professionals stand between the state of the law itself and the delivery of effective front-line protections.  What they do matters.  It matters how they organize themselves.  It matters when and why they enforce particular laws.  It matters whether and how they organize their discretion, and what other methods they adopt when the law itself turns out to be obsolete, irrelevant, or insufficient. 

We hear the phrase “risk-based regulation” quite frequently.  Yet there seems to be much greater clarity about what it means for the regulations themselves to be risk-based, and much less clarity about what it means to be a risk-based regulator at the operational level.

These managerial puzzles are not exclusive to the public sector.  Not-for-profit and non-governmental institutions, as they seek to carve out their own piece from harm-reduction agendas, also want to know what it would mean to be a risk-based contributor.  Many non-governmental organizations play important roles in the alleviation of harms such as poverty, disease, exploitation, violence, or trafficking.  Like their public sector counterparts, NGO executives (and foundation grant officers) must navigate a complex landscape of risks, seeking to identify a piece of the harm-reduction task that they can handle, that their supporters can buy into, and that aligns with their organizational capacities and beliefs.  As these organizations seek to define their slice of the action, they too—like regulatory agencies—have some functional and programmatic traditions that can stand in the way.   It is much easier to organize around specific methods or programs than around specific concentrations of risk.  Doing so produces predictable frustrations, as organizations find themselves unable to demonstrate impact, and produce performance accounts consisting largely of programmatic inputs and outputs.

In the public and not-for-profit sectors risk-control practitioners need organizing principles as they seek to establish their market niche and define their own distinctive contributions.  Practitioners must decide how best and at what size to define a new project, and how many projects to define.  They must establish the data-gathering, intelligence, and analytic capacities that enable them to spot emerging problems early, even when those problems do not fit established patterns.  They must figure out how to close risk-mitigation projects—an extremely thorny and ethically contentious issue—because it is easy to keep opening them, and possible (if projects are not closed at roughly the same rate they are opened) to drown under a proliferation of half-completed projects.  It is the practitioners who must decide what not to take on, what type of results to expect, and when to cooperate with other parties around various aspects of the task.  It is the practitioners who have to balance a range of reactive, preventive and proactive methods, and figure out how to integrate these into coherent control strategies.

There is good news.  Practitioners have not waited for theorists to show them the way.  Many of them, deeply dissatisfied with the performance of their own agencies, have already begun inventing for themselves a truly risk-based approach to their business.  Regulators are more explicitly acknowledging and embracing the expert model (focused on risks) as opposed to the legal model (focused on compliance) as the overarching framework for their operations.  They are recognizing different types of discretion, and becoming more comfortable exercising them as they carefully pick and choose what to work on, and how best to intervene.  They are learning how to form constructive and appropriate relationships with regulated industries, centered on priority risk-control imperatives rather than misplaced notions of customer-service. 

Risk-control professionals are also learning the importance of differentiating between controlling bad things (e.g. corruption, pollution problems, specific diseases) and the complementary but distinct work of constructing good things (e.g. organizational integrity, environmental stewardship, “wellness”).  

In the same way that epidemiologists study pathogens, regulators are learning how to scrutinize specific harms to uncover their dynamics and dependencies, identifying vulnerabilities (pivotal nodes or factors, critical commodities, irreplaceable ingredients or mechanisms) that they can then exploit with surgical precision.  Such patterns of analysis and organizational behavior produce cleverly conceived acts of sabotage—tailor-made interventions that can substantially reduce or even eliminate specific problems altogether.

These innovative practices deserve scholarly attention.  In particular, I hope that the field of public management takes note of the sabotage of harms as an emerging professional art-form, full of promise but surely in need of development, formalization and refinement.  If scholars could help the human race define and master that art, such a vast range of unpleasant things might be better contained or suppressed as a result.


Malcolm K. Sparrow
is Professor of the Practice of Public Management at the John F. Kennedy School of Government, Harvard University. He is Faculty Chair of the School's Executive Programs on regulation and enforcement, corruption control, policing, and counter-terrorism. In March 2010 he was appointed by President Barack Obama to the Recovery Independent Advisory Panel, to advise the Recovery Board on protecting the integrity of the economic stimulus package.


Sparrow, Malcolm K. (2008), The Character of Harms: Operational Challenges in Control, Cambridge University Press, Cambridge, England; New York, USA.

Further information at:



[1]  Adopted by the UN General Assembly, September 2000.  United Nations Resolution A/RES/55/2, Fifty-fifth session.  18th September 2000. pp. 1-8.


Share this news

Comments (0)

It is mandatory to be registered to comment

Click here to access.

Click here to register and receive our newsletter.

Partners Program

Executive Master (EMPA)


Public 50