As part of the Quality Regulatory Services (QRS) initiative, NSW regulators are required to implement a risk-based approach to regulation. To assist regulators in meeting their obligations under the QRS, in July 2014, the NSW Government issued ‘Guidance for regulators to implement outcomes and risk-based regulation’ (Guidance).
This Update explains what a risk-based approach to regulation is, the key elements of the Guidance and how Maddocks can assist NSW regulators to implement an effective risk-based approach.
What is a risk-based approach to regulation?
In essence, a risk-based approach to regulation focuses on risks associated with non-compliance with legal rules, rather than the legal rules themselves. More specifically, the regulator identifies and assesses the risk associated with non-compliance by a particular regulated entity and/or with a particular obligation or group of obligations.
Based on this risk assessment, the regulator makes decisions regarding a range of regulatory matters, including:
- whether or not a licence or authorisation to undertake a regulated activity should be granted to a particular regulated entity
- the nature and intensity of compliance and enforcement activity warranted for non-compliance with particular obligations within the regulatory framework
- what monitoring and information-gathering mechanisms are needed and when they should be employed for particular regulated entities and/or regulated activities
- the targets, focus and regularity of audit and inspection programs
- the targets and contents of public reporting on compliance and enforcement activity to encourage voluntary compliance.
Such an approach enables a regulator to tailor its regulatory responses so that they are commensurate with the relevant risks. So, for example:
- In the context of licensing, the regulator could grant an unconditional licence in cases of low risk, impose conditions on the licence in the case of medium risk or reject the licence application in the case of high risk. This approach could alleviate compliance burden on relatively low risk regulated entities.
- In relation to compliance and enforcement activity, the more intrusive enforcement tools and severe enforcement responses could be used to address situations where the risks associated with non-compliance are the highest. In contrast, where the risk associated with non-compliance is relatively low, less intrusive enforcement tools and lighter enforcement responses would be justified. This approach relieves the regulator from securing compliance and taking enforcement action in relation to every obligation within the regulatory regime. The regulator is able to focus compliance and enforcement activity and the regulator’s resources where the risks are greatest.
A risk-based approach to regulation can:
- enhance consistency in decision-making because the regulator’s response will be dictated by the relative level of risk
- maximise efficiency by allocating resources to areas of highest risk
- increase compliance by focusing on areas where the compliance risk is greatest
- reduce the compliance burden by minimising regulatory intervention where the risks are relatively low.
What is risk?
The nature and source of risk will depend upon the particular regulatory activity that is being undertaken by the regulator. In the context of compliance and enforcement activities, risk is most commonly defined as the product of the probability and impact of non-compliance:
- Probability of non-compliance: The probability of non-compliance is essentially the likelihood that one or more regulated entities will not comply with the obligation in question. Probability may take into account past compliance records, which may indicate the frequency with which the relevant obligation has been breached. The probability of non-compliance may also be affected by the difficulty associated with achieving compliance with the obligation in question – e.g. where the obligation in question is particularly onerous, such as compliance with demanding technical standards.
- Impact of non-compliance: The impact of non-compliance with a particular obligation may be the occurrence of a significant adverse event – e.g. injury/death or failure of a particular service/facility. In some cases, the obligation will be so trivial that non-compliance will have no or very limited impact – e.g. failure to file a form within the prescribed deadline.
The assessment of both probability and impact of non-compliance within a regulatory framework should be based on criteria that have been identified in advance to ensure consistency and rigour in the assessment process. When defining risk criteria, the following factors may be taken into consideration:
- the nature and types of impacts that may occur and how they will be measured
- how probability will be defined and applied in particular cases
- the time-frame during which impact and probability will be assessed
- the levels at which risks are acceptable or become intolerable for the regulator (which will dictate whether a compliance obligation is low risk or high risk respectively).
In most cases, the assessment will be qualitative and will often be undertaken in the context of uncertainty. Moreover, unless there is objective information upon which to base the risk assessment, the assessment will involve a certain degree of subjectivity on the part of those undertaking the risk assessment. It will, therefore, be important to ensure that the regulatory officials who undertake the risk assessment have the requisite skills and experience and that as many perspectives as possible are reflected in the risk assessment.
It is also important to note that risks may be assessed differently over time as external and internal events occur, context and knowledge of the regulator change, and new risks emerge while pre-existing risks may change and others disappear. Given that a risk assessment is based on an assessment of risks at the time the assessment is undertaken, it will be necessary to ensure that the risk assessment process is undertaken on a regular basis so that the risk assessment remains current.
Guidance to adopting a risk-based approach to regulation
The Guidance sets out a framework for the development and implementation of a risk-based approach to regulation (Framework). Outlined below are the main elements of the Framework and how Maddocks can help develop and implement those elements.
| ELEMENT OF FRAMEWORK | EXPLANATION OF FRAMEWORK ELEMENT IN THE GUIDANCE | HOW MADDOCKS CAN HELP |
| --- | --- | --- |
| DEFINING REGULATORY OUTCOMES | This involves being clear about the regulator’s legislative mandate and using the regulatory framework to identify regulatory outcomes. | Maddocks undertakes a comprehensive ‘stock-take’ of compliance obligations contained within a regulatory framework, which helps to clarify the legislative mandate and regulatory objectives for the regulator. |
| IDENTIFYING AND ASSESSING RISKS | Regulators are required to identify and document historical, current and emerging risks. Regulators should prioritise regulated entities and behaviours via formal risk assessments. | Maddocks helps regulators identify criteria to assess risk and then to systematically apply those criteria to determine areas of relatively high and low risk. |
| TAILORING THE ENFORCEMENT RESPONSE | Effective risk-based regulation requires regulators to tailor their use of enforcement and other regulatory tools based on risk. | Maddocks undertakes a comprehensive ‘stock-take’ of compliance and enforcement options contained within a regulatory framework. Those options are supplemented with less formal compliance and enforcement options available to the regulator (e.g. education and compliance bulletins). The complete list of compliance and enforcement options is then grouped based on the relative level of risk they could be used to address. |
| IDENTIFYING MEASURES | Regulators need to monitor and assess performance over time to understand the effectiveness and efficiency of a particular response. | Maddocks helps regulators identify ‘operational categories’ within the regulatory framework. These are groups of compliance obligations that essentially deal with the same or a similar regulatory issue or topic. Typically, the risk assessment will be the same or similar for compliance obligations within these operational categories. These operational categories enable the regulator to identify compliance areas where the risk may be relatively high, to target compliance and enforcement activities to those areas and then to monitor compliance in those areas over time to assess the effectiveness of the risk-based approach. |
| ALLOCATING RESOURCES | Regulators should allocate resources to regulatory initiatives in proportion to the risk and complexity of regulated entities and behaviours. | The risk-based regulation model Maddocks has developed enables regulators to identify compliance areas and regulated entities of relatively high risk. This enables regulators to allocate their resources accordingly. |
| MONITORING, REPORTING AND CONTINUAL IMPROVEMENT | A structured and consistent focus on monitoring and reporting is critical to, among other things, understand, adapt and strengthen the evidence underpinning regulatory initiatives and to identify and re-prioritise risks over time. | Maddocks’ model includes a risk-based approach for proactive regulatory activity (e.g. auditing, monitoring and reporting) as well as reactive/responsive regulatory activity (to deal with complaints about, or actual instances of, non-compliance). The model distinguishes between these two categories of regulatory activity because the practical application of the risk-based approach will differ depending on which category of regulatory activity is being pursued. |
| IMPLEMENTATION | Effective implementation involves communication of the compliance and enforcement policy, development of internal procedures, training of staff, and developing and applying IT resources. | Maddocks has helped develop detailed procedural documents and conducted training to help ensure the effective implementation of a risk-based approach to regulation. Maddocks has also advised on other elements that are critically important to the successful implementation of a risk-based approach to regulation. |
The Maddocks model for risk-based regulation has been successfully implemented at the federal and state government levels for a range of regulatory frameworks. The model has delivered important benefits for regulators and regulated entities, including:
- enhanced consistency and coherence of compliance and enforcement activity
- greater efficiency in decision-making processes regarding compliance and enforcement action
- more efficient allocation of resources by targeting compliance and enforcement activity towards areas of relatively high risk.
If you would like more information about the model, please contact one of the authors.