Risk-based regulation: an important tool for local government as regulator
Why is risk-based regulation important for local government?
There is a broad range of areas for which local government has a regulatory oversight role, including building, planning, food safety and animal management.
In July 2012, the Productivity Commission (Commission) issued a report entitled 'Performance Benchmarking of Australian Business Regulation: the Role of Local Government as Regulator'. The report, which was initiated by the Council of Australian Governments (COAG), focused on local government regulatory responsibilities that materially impact on business costs. It assessed whether they impose unnecessary compliance burdens on businesses or restrict competition.
The Commission noted that the implementation and enforcement of state and territory laws – rather than local laws – dominates the regulatory workload of local government. It outlined some of the challenges that local government is currently facing, including an expanding regulatory role, with a growing list of responsibilities and requirements delegated to councils by state/territory governments and, in some cases, without commensurate increases in available resources. The Commission also found that no state government provided comprehensive training or guidance to local government on how to administer and enforce regulation.
The Commission identified a range of 'leading practices' for local government that it considered would significantly improve the cost-effectiveness of business-related regulation. In relation to administering and enforcing regulation, the United Kingdom's use of the 'Regulator's Compliance Code' was observed as being a leading practice.
The Regulator's Compliance Code has been implemented in the United Kingdom to improve the quality and consistency of local government regulatory enforcement and inspection activities. This Code is underpinned by a range of principles including that 'regulators, and the regulatory system as a whole, should use comprehensive risk assessment to concentrate resources on the areas that need them most'. In the Code, this principle is translated into practical terms by providing that regulators should 'only perform inspections following a risk assessment, so that resources are focused on those least likely to comply'.
In endorsing the use of a regulators' compliance code, such as that in the United Kingdom, the Commission stated that 'Key elements of any guide would include regulatory administration and enforcement strategies based on risk management and responsive regulation'. More recently (October 2013), the Commission released a report on 'Regulator Engagement with Small Business'. This report affirmed the importance of a risk-based approach to regulation to reduce the impact of small business regulation.
A consistent theme in the narrative regarding local government's burgeoning regulatory responsibilities and the undue impact of regulation on (small) business is the need for a risk-based approach to regulation. Such an approach allows local government's resources to be utilised more effectively and efficiently. Rather than diluting precious compliance and enforcement resources across a wide range of activities, local government can dedicate the majority of resources to areas where the risk of non-compliance is greatest.
What is a risk-based approach to regulation?
In a compliance and enforcement context, a risk-based approach to regulation focuses on risks associated with non-compliance with legal rules, rather than considering the legal rules in isolation. Specifically, the regulator identifies and assesses the risk associated with non-compliance with a particular obligation or group of obligations and, based on this assessment, the regulator makes decisions regarding a range of compliance and enforcement matters, including:
- the nature and intensity of compliance and enforcement activity warranted for each obligation within the regulatory framework
- how compliance and enforcement resources should be deployed
- what monitoring and information-gathering mechanisms are needed
- the focus and regularity of audit and inspection programs
- the contents of public reporting on compliance and enforcement activity to encourage voluntary compliance.
This approach allows the regulator to make informed choices regarding its compliance and enforcement activity. If implemented effectively, it may enhance the efficiency and consistency of the regulator's compliance and enforcement program.
Such an approach also enables a regulator to tailor its compliance and enforcement activities to be commensurate with the relevant risks. Generally, the more intrusive enforcement tools and severe enforcement responses should be used to address situations where the risks associated with non-compliance are highest. Where the risk associated with non-compliance is relatively low, less intrusive enforcement tools and lighter enforcement responses would be justified.
This approach also relieves the regulator from securing compliance and taking enforcement action in relation to every obligation within the regulatory regime.
How is risk assessed?
Risk is most commonly defined as the product of the probability and impact of non-compliance:
- Probability of non-compliance: The probability of non-compliance is essentially the likelihood of whether or not one or more regulated entities will not comply with the obligation in question. Probability may be assessed based on the compliance posture of the regulated entities (e.g. are they compliant, incompetent or wilfully non-compliant?) which may make them more or less likely to comply with the relevant obligations. Probability may also take into account past compliance records, which may indicate the frequency with which the relevant obligation has been breached. The probability of non-compliance may also be affected by the difficulty associated with achieving compliance with the obligation in question e.g. where the obligation in question is particularly onerous, such as compliance with demanding technical standards.
- Impact of non-compliance: The impact of non-compliance with a particular obligation may be the occurrence of a significant adverse event, e.g. injury/death or failure of a particular service/facility. In some cases, the obligation will be so trivial that non-compliance will have no or very limited impact e.g. failure to file a form within the prescribed deadline.
The assessment of both probability and impact of non-compliance should be based on criteria that have been identified in advance to ensure consistency and rigour in the assessment process. When defining risk criteria, the following may be considered:
- the nature and types of impacts that may occur and how they will be measured
- how probability will be defined and applied in particular cases
- the time-frame during which impact and probability will be assessed
- the levels at which risks are acceptable or become intolerable.
In most cases, the assessment will be qualitative and will often be undertaken in the context of uncertainty. Unless there is objective information upon which to base the risk assessment, the assessment will involve a certain degree of subjectivity on the part of those undertaking the risk assessment. It will, therefore, be important to ensure that the regulatory officials who undertake the risk assessment have the requisite skills and experience, and that as many perspectives as possible are reflected in the risk assessment. It may also be worthwhile having the risk assessment reviewed by an independent, objective third party.
It is also important to note that risks may be assessed differently over time as external and internal events occur, context and knowledge change, and new risks emerge while pre-existing risks may change and others disappear. Given that a risk assessment is based on an assessment of risks at the time the assessment is undertaken, it will be necessary to ensure that the process is undertaken on a regular basis so that the assessment remains current and that the compliance and enforcement strategy is updated on a regular basis.
The importance of effective implementation
The success of a risk-based approach to regulation will depend in large part on the way in which it is implemented.
Mechanisms will need to be put in place to ensure that those responsible for applying the approach do so in a consistent manner. Failure to apply the approach in a consistent manner may send mixed signals to regulated parties regarding the regulator's intension and resolve and could ultimately discourage rather than encourage compliance.
Monitoring and data collection will also be necessary to help detect instances of non-compliance and, in some cases, to provide evidence to support enforcement action. Ideally, compliance information should be collected and stored in a manner that is easily accessible and facilitates analysis. Moreover, it is imperative that data is reviewed and analysed by staff with appropriate skills and expertise.
External and internal reporting of compliance and enforcement activity undertaken pursuant to the approach are also important for the successful implementation of the approach.
Developing a risk-based approach to regulation can be a challenging exercise for government, which may explain why some regulators – particularly local government regulators – have been reluctant to adopt this approach so far.
In some cases, there may be a large number of risks to be managed by a regulator, which may make identification and prioritisation of risks particularly difficult. Resources and tools to respond to risks may be limited, which can hamper efforts to effectively respond. Also, approaches to, and an appreciation of risk may vary within an organisation, which could compromise the ability to adopt and implement a coherent, comprehensive and effective approach to risk management.
There are clear benefits associated with a risk-based approach to regulation for the regulators themselves (enhanced efficiency, consistency and effectiveness), businesses they regulate (less red tape) as well as – in the case of local government – ratepayers who fund the cost of regulators' activities (more efficient use of resources). In the medium to long term, these benefits will weigh heavily in favour of adopting a risk-based approach to regulation, particularly for local government.
Managing climate change-related risks in the financial system
By Patrick Ibbotson & Jessica Dorricott
Risks posed by climate change to the stability of the US financial system.
GDPR decision slaps down Privacy Shield and imposes strict conditions on Standard Contractual Clauses – implications for Australian organisations
Impacts for Australian entities who are either directly subject to the GDPR or receiving personal data from the EEA.
What is in a name? The disclosure of public servants’ names and contact details under FOI
The OAIC has issued a position paper on the disclosure of public servants’ names and contact details in documents.