Beyond societal and organizational risk management? Varieties in governing automation and algorithmic risks in bureaucracies

Over the last decade, the use of automated decision-making (ADM) systems in public policymaking and administration – including predictive policing, biometric borders, health care ‘optimization’, automated ‘detection’ of social security fraud, or dialect recognition and genetic coding in asylum decisions – has increased in scale and depth. While concern over the social, economic and political risks of ADM applications by the state is well documented, we lack comparative accounts of how and why countries regulate these applications within the public realm differently. This paper develops a comparative framework for exploring respective policy variety by expanding the perspective of risk regulation regimes (Hood, Rothstein, and Baldwin 2001) as forms of societal and organizational risk management. We discuss the value and limitations of this classic comparative lens for the regulation of ADM systems in bureaucracies. We identify three characteristics of ADMs that require an expansion of the risk regulation regime lens: (1) apparent indeterminacy of agency in complex human-machine interactions; (2) the fusion of data, decision rules and enforcement in ADM systems; (3) the highly context-specific interaction of policy, design and practice in real world applications of ADM. Taken together, these collapse the hegemonic conceptual distinctions between policy design/delivery, and between public/private accountability of the last half-century. We discuss how the in-built institutionalist perspective of risk regulation regimes can be adapted to theorize variation in countries’ efforts and struggles to address the political, policy and conceptual challenges of ADM uses in the bureaucracy.