Risk-based regulation is fast becoming the new paradigm for best-practice regulation in Australia. To date, the focus of many regulators in implementing a risk-based approach has been on managing risk associated with non-compliance with obligations imposed on regulated entities. However, risk-based regulation also has an important role to play in managing risk associated with non-compliance with obligations imposed on the regulator itself. This article outlines how a risk-based approach might be used to help regulators manage their own compliance risks.

Trends towards a risk-based approach

Simply put, risk-based regulation means that risks associated with the non-compliance with a regulatory framework are assessed in terms of their likelihood and the impact arising from non-compliance. This approach helps to ensure that regulatory activities and limited resources are prioritised and applied proportionately based on the relative risk of non-compliance.

Over the past few years in Australia, a risk-based approach has become more than just an optional tool to assist regulators in the performance of their functions.

  • Commonwealth: In September 2014, the Commonwealth Government issued the "Draft Regulation Performance Framework", which establishes a framework for Commonwealth regulators to evaluate their performance, particularly in relation to the compliance costs imposed on regulated entities.1 The Framework notes that comprehensive risk-based processes are essential to ensuring that resources are targeted to areas requiring most attention.
  • State: As part of the Quality Regulatory Services (QRS) initiative, NSW regulators are required to implement a risk-based approach to regulation.2 In Victoria, while a risk-based approach is not mandated for State regulators, the Victorian Competition and Efficiency Commission (VCEC) is currently preparing guidance to assist regulators in implementing a risk-based approach. This follows a series of reports from the Victorian Auditor-General's Office (VAGO) recommending a risk-based approach to managing, monitoring and reporting on compliance responsibilities.3
  • Local: In July 2012, the Productivity Commission issued a report on the "Role of Local Government as Regulator".4 In that report, the Commission highlighted the need for a risk-based approach by local government, particularly given the broad and extensive number of regulatory obligations that local government is currently required to administer and enforce under state legislation.

As is apparent from the foregoing, the various policy documents, reports and guidance documents that have been issued to regulators in relation to risk-based regulation so far emphasise the application of this approach in the context of non-compliance with regulated entities' obligations.

A role for a risk-based approach for regulators' obligations?

In the course of performing functions under the relevant empowering regulatory framework – including undertaking compliance and enforcement activities for non-compliance by regulated entities – regulators are typically required to comply with their own obligations.

These obligations might include requirements in relation to:

  • Assessments (e.g. assessments of a licence application)
  • Investigations (e.g. investigations of a complaint or reported non-compliance)
  • Notifications (e.g. of a decision to refuse to grant a licence)
  • Providing reasons (e.g. of a decision that has an adverse impact on a regulated entity)
  • Enforcement action (e.g. the requirement to serve a notice before a power of entry is exercised)
  • Issuance of guidelines (e.g. to assist regulated entities to comply)
  • Review of decisions (when a request for review has been made).

As public bodies, regulators will also be subject to broader obligations in relation to public service employment and financial management (e.g. if the regulator deals with funds as part of its regulatory activities).

A risk-based approach potentially has an important role to play in relation to all of these categories of regulator obligations. It enables the regulator to identify which of its own obligations would give rise to relatively high risk if non-compliance were to occur, and to ensure that procedures and mechanisms are in place to minimise the chance of such non-compliance.

Developing a risk-based framework to manage regulators' obligations

A risk-based framework to assist in managing a regulator's compliance obligations could be developed as follows:

  • Step 1: Stock-take of obligations that could give rise to legal risk for the regulator.
  • Step 2: Risk assessment of obligations identified in Step 1.
  • Step 3: Stock-take of mechanisms available to the regulator to address risk.
  • Step 4: Development of a decision-making process to facilitate the identification of the mechanism to be applied by the regulator to mitigate risk for a particular compliance obligation.
  • Step 5: Development of procedural documents and associated training to ensure that the risk-based framework is effectively implemented by the regulator's staff.