Clarifying the difference between regulation designed to manage risks and a risk-based approach to regulation
What is the role of risk management in regulatory structures?
For many federal, state and local government agencies that perform a regulatory role, risk is often an important feature of the regulatory frameworks that they oversee.
Risk management may be the dominant focus of the regulatory framework itself. In this context, risk is a structural feature of the regulatory framework because the regulatory framework has been designed specifically to manage certain risks that are governed by the framework.
Risk will also be a relevant factor for the regulator to consider when applying the regulatory framework in practice (a 'risk-based approach to regulation'). In this context, risk is used strategically by a regulator when applying the regulatory framework to determine how best (i.e. effectively, efficiently and consistently) to use the regulator's limited resources.
What do we mean by regulation designed to manage risks?
‘Regulation’ can generally be defined as the set of rules applicable under the regulatory framework, with which compliance is expected. The rules may be contained in primary legislation, as well as in a broad spectrum of subordinate instruments, including regulations, directions, and codes.
Regulation is typically designed to achieve a public policy objective, including to:
- recognise, promote or protect the public interest (e.g. protection of the environment)
- correct a market failure (e.g. undue market power or information asymmetries)
- avoid or reduce harm or injury (e.g. harm caused by use of toxic chemicals).
Regulation that has been specifically designed to manage risks may be contrasted with other regulation that has as a primary objective achievement of other goals, such as desirable social outcomes or addressing market failure. Regulation that has been designed to address risks is a precautionary, forward-looking tool, which involves the anticipation and assessment of risks and the use of pre-emptive action to reduce or mitigate the risks which the regulatory framework is designed to address.
When designing regulatory frameworks to manage risks, the regulatory impact assessment process can be used to:
- identify and categorise relevant risks
- analyse and assess each risk to determine the level of threat posed
- evaluate each risk to ascertain which are the most severe and unacceptable compared to those that may be tolerable
- consider the range of regulatory tools available to mitigate unacceptable risks
- assess the costs and benefits of regulatory intervention to address unacceptable risks.
What is a 'risk-based approach to regulation'?
In essence, a risk-based approach to regulation focuses on risks associated with non-compliance with legal rules, rather than the legal rules themselves.
More specifically, the regulator identifies and assesses the risk associated with non-compliance by a particular regulated entity and/or with a particular obligation or group of obligations. Based on this risk assessment, the regulator makes decisions regarding a range of regulatory matters, including:
- whether or not a licence or authorisation to undertake a regulated activity should be granted to a particular regulated entity
- the nature and intensity of compliance and enforcement activity warranted for non-compliance with particular obligations within the regulatory framework
- what monitoring and information-gathering mechanisms are needed, and when they should be employed, for particular regulated entities and/or regulated activities
- the targets, focus and regularity of audit and inspection programs
- the targets and contents of public reporting on compliance and enforcement activity to encourage voluntary compliance.
Such an approach enables a regulator to tailor its regulatory responses so that they are commensurate with the relevant risks. So, for example:
- In the context of licensing, the regulator could grant an unconditional licence in cases of low risk, impose conditions on the licence in the case of medium risk or reject the licence application in the case of high risk. This approach could alleviate compliance burden on relatively low risk regulated entities.
- For compliance and enforcement activity, the more intrusive enforcement tools and severe enforcement responses could be used to address situations where the risks associated with non-compliance are the highest. In contrast, where the risk associated with non-compliance is relatively low, less intrusive enforcement tools and lighter enforcement responses would be justified. This approach relieves the regulator from securing compliance and taking enforcement action in relation to every obligation within the regulatory regime. The regulator is able to focus compliance and enforcement activity and the regulator's resources where the risks are greatest.
A risk-based approach to regulation can:
- enhance consistency in decision-making because the regulator's response will be dictated by the relative level of risk
- maximise efficiency by allocating resources to areas of highest risk
- increase compliance by focusing on areas where the compliance risk is greatest
- reduce compliance burden by minimising regulatory intervention where the risks are relatively low.
Similarities and differences between regulation designed to manage risks and a risk-based approach to regulation
| | RISK REGULATION | RISK-BASED APPROACH TO REGULATION |
|---|---|---|
| Objectives | Regulation designed to manage risks is aimed at avoiding or minimising unacceptable risks through rules | A risk-based approach to regulation is aimed at prioritising resources towards unacceptable risks when exercising regulatory functions |
| Risk assessment | Risks are assessed and categorised to determine relatively high and low risks in the context of the design of the regulatory framework | Risks are assessed and categorised to determine relatively high and low risks in the context of the application of the regulatory framework |
| Risk criteria | 'Likelihood' and 'impact' of risks are used to assess risk when designing the regulatory framework | 'Likelihood' and 'impact' of non-compliance are used to assess risk when determining the appropriate compliance response |
| Acceptable and unacceptable risks | Risks are evaluated to determine acceptable and unacceptable risks. The relatively high risks that are considered to be unacceptable will be addressed through rules in the regulatory framework | Risks are evaluated to determine acceptable and unacceptable risks. The relatively high risks that are considered to be unacceptable will be prioritised for regulatory action. Relatively low risks may result in no or only limited regulatory action |
| Response to risk | The regulator does not need to determine what rules should apply to what risks, as this is already reflected in the regulatory framework | The regulator must use the risk assessment to determine how to respond to risk in the context of the execution of regulatory functions under the regulatory framework. To the extent that the regulatory framework does not provide an appropriate response, the regulator may need to use the risk assessment as the basis for policy and/or regulatory reform |
| Evaluation of risk | As long as the regulatory framework remains unchanged, the evaluation of risk, which is reflected in the rules comprising the framework, will not change | The evaluation of risk may change over time depending upon the context for the application of the regulatory framework |
| Context for assessment of risk | The risk assessment is used to determine which risks should be the subject of rules and how those risks should be addressed | The risk assessment is used to prioritise regulatory actions undertaken within an existing regulatory framework |
The analysis above illustrates that, while regulation designed to manage risks and a risk-based approach to regulation are similar in some respects, they are nevertheless distinct and serve different purposes. In a nutshell, regulation designed to manage risks helps to ensure that the regulatory framework is designed to address risks that have been anticipated and assessed as unacceptable in the regulatory design process, whereas a risk-based approach to regulation helps to ensure that the risks of non-compliance with the regulatory framework are properly assessed and responded to when the regulatory framework is applied in practice.
Maddocks can assist with both these aspects of risk management.