As part of the Quality Regulatory Services (QRS) initiative, NSW regulators are required to implement a risk-based approach to regulation.

To assist regulators in meeting their obligations under the QRS, in July 2014, the NSW Government issued "Guidance for regulators to implement outcomes and risk-based regulation" (Guidance).

This Update explains what a risk-based approach to regulation is, the key elements of the Guidance and how Maddocks can assist NSW regulators to implement an effective risk-based approach.

What is a risk-based approach to regulation?

In essence, a risk-based approach to regulation focuses on risks associated with non-compliance with legal rules, rather than the legal rules themselves.

More specifically, the regulator identifies and assesses the risk associated with non-compliance by a particular regulated entity and/or with a particular obligation or group of obligations.

Based on this risk assessment, the regulator makes decisions regarding a range of regulatory matters, including:

  • whether or not a licence or authorisation to undertake a regulated activity should be granted to a particular regulated entity
  • the nature and intensity of compliance and enforcement activity warranted for non-compliance with particular obligations within the regulatory framework
  • what monitoring and information-gathering mechanisms are needed, and when they should be employed, for particular regulated entities and/or regulated activities
  • the targets, focus and regularity of audit and inspection programs
  • the targets and contents of public reporting on compliance and enforcement activity to encourage voluntary compliance.

Such an approach enables a regulator to tailor its regulatory responses so that they are commensurate with the relevant risks. So, for example:

  • In the context of licensing, the regulator could grant an unconditional licence in cases of low risk, impose conditions on the licence in the case of medium risk or reject the licence application in the case of high risk. This approach could alleviate the compliance burden on relatively low-risk regulated entities.
  • In relation to compliance and enforcement activity, the more intrusive enforcement tools and severe enforcement responses could be used to address situations where the risks associated with non-compliance are the highest. In contrast, where the risk associated with non-compliance is relatively low, less intrusive enforcement tools and lighter enforcement responses would be justified. This approach relieves the regulator from securing compliance and taking enforcement action in relation to every obligation within the regulatory regime. The regulator is able to focus compliance and enforcement activity and the regulator's resources where the risks are greatest.

A risk-based approach to regulation can:

  • enhance consistency in decision-making because the regulator's response will be dictated by the relative level of risk
  • maximise efficiency by allocating resources to areas of highest risk
  • increase compliance by focusing on areas where the compliance risk is greatest
  • reduce the compliance burden by minimising regulatory intervention where the risks are relatively low.

What is risk?

The nature and source of risk will depend upon the particular regulatory activity that is being undertaken by the regulator.

In the context of compliance and enforcement activities, risk is most commonly defined as the product of the probability and impact of non-compliance:

  • Probability of non-compliance: The probability of non-compliance is essentially the likelihood that one or more regulated entities will not comply with the obligation in question. Probability may take into account past compliance records, which may indicate the frequency with which the relevant obligation has been breached. The probability of non-compliance may also be affected by the difficulty associated with achieving compliance with the obligation in question – e.g. where the obligation in question is particularly onerous, such as compliance with demanding technical standards.
  • Impact of non-compliance: The impact of non-compliance with a particular obligation may be the occurrence of a significant adverse event – e.g. injury/death or failure of a particular service/facility. In some cases, the obligation will be so trivial that non-compliance will have no or very limited impact – e.g. failure to file a form within the prescribed deadline.

The assessment of both probability and impact of non-compliance within a regulatory framework should be based on criteria that have been identified in advance to ensure consistency and rigour in the assessment process. When defining risk criteria, the following factors may be taken into consideration:

  • the nature and types of impacts that may occur and how they will be measured
  • how probability will be defined and applied in particular cases
  • the time-frame during which impact and probability will be assessed
  • the levels at which risks are acceptable or become intolerable for the regulator (which will dictate whether a compliance obligation is low risk or high risk respectively).

In most cases, the assessment will be qualitative and will often be undertaken in the context of uncertainty. Moreover, unless there is objective information upon which to base the risk assessment, the assessment will involve a certain degree of subjectivity on the part of those undertaking the risk assessment. It will, therefore, be important to ensure that the regulatory officials who undertake the risk assessment have the requisite skills and experience and that as many perspectives as possible are reflected in the risk assessment.

It is also important to note that risks may be assessed differently over time as external and internal events occur, as the regulator's context and knowledge change, and as new risks emerge while pre-existing risks change or disappear. Given that a risk assessment reflects the risks at the time the assessment is undertaken, it will be necessary to ensure that the risk assessment process is repeated on a regular basis so that the risk assessment remains current.

Guidance to adopting a risk-based approach to regulation

The Guidance sets out a framework for the development and implementation of a risk-based approach to regulation (Framework). Outlined below are the main elements of the Framework and how Maddocks can help develop and implement those elements.


The Maddocks model for risk-based regulation has been successfully implemented at the federal and state government levels for a range of regulatory frameworks. The model has delivered important benefits for regulators and regulated entities, including:

  • enhanced consistency and coherence of compliance and enforcement activity
  • greater efficiency in decision-making processes regarding compliance and enforcement action
  • more efficient allocation of resources by targeting compliance and enforcement activity towards areas of relatively high risk.