Developing and implementing a risk-based compliance and enforcement strategy
Ensuring compliance is critical to the successful implementation of a regulatory framework. Failure to ensure compliance may mean that the regulatory framework will not meet its objectives. In turn, this could compromise the regulator's ability to perform its functions.
Options for compliance and enforcement strategies
A compliance and enforcement strategy is the means by which compliance with the regulatory framework can be maximised. The strategy will include measures to promote voluntary compliance with the regulatory framework. It will also identify the enforcement measures that will be utilised and the circumstances in which these measures will be applied when voluntary compliance has not occurred.
In the past, two main strategies were touted as options to maximise compliance:
- Deterrence strategy: this strategy implies a confrontational and reactive approach, which involves the imposition of sanctions to deal with non-compliant behaviour. The underlying rationale for such a strategy is that if offenders are detected with sufficient frequency and punished with sufficient severity, then they and other potential offenders will be deterred from engaging in non-compliant behaviour in the future.
- 'Advise and persuade' or compliance strategy: in contrast to the deterrence strategy, the compliance strategy emphasises co-operation rather than confrontation. It is proactive in approach in that efforts are geared towards preventing non-compliance rather than sanctioning instances of non-compliance. Enforcement action may be taken in extreme cases where the regulated entity shows no sign of complying with the relevant obligation(s).
In practice, neither of these approaches has been found to be ideal.
- In the case of the deterrence strategy, evidence indicates that there are a range of motivators for regulated entities, which may affect how they respond to such a strategy. This approach may be useful for wilful non-compliers, some partial compliers and incompetent compliers, but may be counter-productive for good corporate citizens, who do not appreciate the adversarial nature of this kind of strategy.
- In relation to the compliance strategy, evidence indicates that such an approach may actually discourage voluntary compliance if regulators are seen to be allowing instances of non-compliance to go unpunished. This approach may be appropriate for the good corporate citizens but is likely to be completely inappropriate for the non-compliers.
Instead, many regulators are now developing risk-based compliance and enforcement strategies, which involve a rigorous and systematic approach to identifying and responding to regulatory risk. Such an approach helps to ensure that risk is managed effectively, efficiently and coherently by the regulator.
What is a risk-based strategy?
In essence, a risk-based strategy focuses on risks associated with non-compliance with legal rules, rather than the legal rules themselves. More specifically, the regulator identifies and assesses the risk associated with non-compliance with a particular obligation or group of obligations and, based on this risk assessment, the regulator makes decisions regarding a range of compliance and enforcement matters, including:
- the nature and intensity of compliance and enforcement activity warranted for each obligation within the regulatory framework
- how compliance and enforcement resources should be deployed
- what monitoring and information-gathering mechanisms are needed
- the focus and regularity of audit and inspection programs
- the contents of public reporting on compliance and enforcement activity to encourage voluntary compliance.
A risk-based strategy enables the regulator to make informed choices regarding its compliance and enforcement activity. If implemented effectively, such a strategy may enhance the efficiency and consistency of the regulator's compliance and enforcement program.
Such an approach also enables a regulator to tailor its compliance and enforcement activities so that they are commensurate with the relevant risks. Generally speaking, the more intrusive enforcement tools and severe enforcement responses should be used to address situations where the risks associated with non-compliance are the highest. In contrast, where the risk associated with non-compliance is relatively low, less intrusive enforcement tools and lighter enforcement responses would be justified.
This approach also relieves the regulator of the need to secure compliance and take enforcement action in relation to every obligation within the regulatory regime. The regulator is able to focus compliance and enforcement activity, and the regulator's resources, where the risks are greatest.
Undertaking the risk assessment
Risk is most commonly defined as the product of the probability and the impact of non-compliance (in practice both are usually rated on predefined qualitative scales rather than measured numerically):
- Probability of non-compliance: the probability of non-compliance is essentially the likelihood that one or more regulated entities will not comply with the obligation in question. Probability may be assessed based on the compliance posture of the regulated entities (e.g. are they compliant, incompetent or wilfully non-compliant?), which may make them more or less likely to comply with the relevant obligations. Probability may also take into account past compliance records, which may indicate the frequency with which the relevant obligation has been breached. The probability of non-compliance may also be affected by the difficulty associated with achieving compliance with the obligation in question – e.g. where the obligation is particularly onerous, such as compliance with demanding technical standards.
- Impact of non-compliance: the impact of non-compliance with a particular obligation may be the occurrence of a significant adverse event – e.g. injury/death or failure of a particular service/facility. In some cases, the obligation will be so trivial that non-compliance will have no or very limited impact – e.g. failure to file a form within the prescribed deadline.
The assessment of both probability and impact of non-compliance should be based on criteria that have been identified in advance to ensure consistency and rigour in the assessment process. When defining risk criteria, the following factors may be taken into consideration:
- the nature and types of impacts that may occur and how they will be measured
- how probability will be defined and applied in particular cases
- the time-frame during which impact and probability will be assessed
- the levels at which risks become acceptable or intolerable.
In most cases, the assessment will be qualitative and will often be undertaken in the context of uncertainty. Moreover, unless there is objective information upon which to base the risk assessment, the assessment will involve a certain degree of subjectivity on the part of those undertaking the risk assessment. It will, therefore, be important to ensure that the regulatory officials who undertake the risk assessment have the requisite skills and experience and that as many perspectives as possible are reflected in the risk assessment. It may also be worthwhile having the risk assessment reviewed by an independent, objective third party.
It is also important to note that risks may be assessed differently over time as external and internal events occur, as context and knowledge change, and as new risks emerge while pre-existing risks change or disappear. Because a risk assessment reflects the risks as they stood at the time it was undertaken, the assessment process should be repeated on a regular basis so that the assessment remains current and the strategy is updated accordingly.
The success of a compliance and enforcement strategy will depend in large part on the way in which it is implemented.
Mechanisms will need to be put in place to ensure that those responsible for applying the strategy do so in a consistent manner. Failure to apply the strategy in a consistent manner may send mixed signals to regulated parties regarding the regulator's intention and resolve and could ultimately discourage rather than encourage compliance.
In addition, monitoring and data collection will be necessary to help detect instances of non-compliance and, in some cases, to provide evidence to support enforcement action. Ideally, compliance information should be collected and stored in a manner that is easily accessible and facilitates analysis. Moreover, it is imperative that data is reviewed and analysed by staff with appropriate skills and expertise.
External and internal reporting of compliance and enforcement activity undertaken pursuant to the strategy are also important for the successful implementation of the strategy.