Principle 2: Risk based and data driven

Best practice advice

Best practice regulators take a risk based approach to operational policy development, administration, compliance and enforcement activities, and are informed by data, evidence and intelligence. A risk based approach allows a regulator to properly assess the risks of non-compliance and respond in a proportionate way to the harm being managed. Tolerances may be deliberately tight where there are, for example, risks to human life.

Strategic management of risk can also improve efficiency by prioritising resources to the areas of highest risk, and increase compliance by focusing limited resources on the areas of the greatest risk of non-compliance. It can also reduce the overall compliance and cost burden by minimising government intervention where the risks are relatively low.

Data and digital technology can be leveraged to help regulators better understand and manage risks. This requires building capability and having the right infrastructure to support effective data use and digital literacy. Regulators should also consider opportunities to collaborate with other regulators and across government entities to use existing data and digital solutions to minimise regulatory burden and cost.

Regulators should consider where compliance could be streamlined and, where appropriate, consider the business practices of regulated entities, allowing them to adopt innovative approaches to meet their obligations.

Regulators should also continually monitor the environment they operate in to ensure regulatory approaches keep pace with changes in technology, industry practices and community expectations, and effect change accordingly.

Adopting a risk based and data driven approach means regulators:

  • consider the risks, cost effectiveness and impact of regulatory action, both before and after the regulatory action has commenced
  • maintain a compliance and enforcement strategy that articulates the regulator’s approach to risk and how this informs decision-making, publishing where appropriate
  • focus on risk culture, build staff understanding of the regulator’s approach to risk and how it flows to day-to-day decision making
  • build staff and organisational data capability and digital literacy, drawing on expertise to support effective use, including regulatory technology (RegTech) solutions
  • use intelligence and data, including data points such as enterprise size, to inform a risk based approach to compliance and enforcement
  • actively monitor and plan for risks of market changes and new business models that may have flow-on effects for operations, including those on the edge of, or just outside, a regulator’s legal objectives, functions and role
  • modify their regulatory approach to encourage voluntary compliance where appropriate and focus compliance and enforcement activity where risks and impact of harm are greatest
  • commit to publish the data they hold and share data across regulators where permitted and appropriate
  • take into account the cumulative burden of regulations, including the impact on smaller businesses and sole traders, when establishing and implementing processes
  • seek to achieve their objectives while ensuring that economic outcomes, such as impacts on competition, innovation and growth, are explicitly considered in implementation
  • are receptive to diverse views about implementation of regulation, while ensuring the integrity of the regulatory system.