Neha Patil (Editor)

Regulatory risk differentiation

Updated on
Edit
Like
Comment
Share on FacebookTweet on TwitterShare on LinkedInShare on Reddit
Regulatory risk differentiation

Regulatory risk differentiation the process used by a regulatory authority (the regulator) to systemically treat entities differently based on the regulator's assessment of the risks of the entity's non-compliance.

Contents

Regulators can include law enforcement agencies, while the word entities applies to all those under the authority of the regulator – in most cases ranging from individuals to companies to synthetic entities to multinationals operating within the regulator's jurisdiction.

The process requires the regulator to directly link a robust risk assessment to a suggested regulatory response (e.g. financial penalties, criminal imprisonment). Regulatory risk differentiation is also referred to as the Compliance Model in some regulatory agencies. See for example the Australian Prudential Regulatory Authority risk differentiation approach known as: PAIRS / SOARS. PAIRS is the Probability And Impact Rating System, while SOARS is the Supervisory Oversight And Response System.

Dualistic model

The simplest compliance model is a regulatory framework or model known as dualistic, where the regulator reacts to an entity's behaviours depending on whether the behaviour is seen as either right or wrong. This is also known as a black and white response, and is often used for strict liability offences in law.

Compliance continuum

It is a significant improvement to shift to a compliance continuum (or spectrum), where the regulator reacts to a spectrum of compliance behaviours. The Australian Customs Office applies a compliance continuum.

Compliance pyramid

When the reaction of the regulator is tied to the behaviour, it is known as a responsive compliance model. The responsive compliance model was suggested by Ian Ayres and John Braithwaite in their book Responsive Regulation: Transcending the deregulation debate which built on earlier work by John Scholz.

The Ayres and Braithwaite compliance model was elegantly represented as a compliance pyramid.

The shape of the compliance pyramid indicates:

  • the number of clients that might be found at each level in the model,
  • the hierarchical and escalating nature of regulatory engagement, and
  • the increasing focus towards the apex on the small minority who appear to deliberately seek to contravene the system.

    • The choice of remedy (e.g. financial penalties, criminal imprisonment) imposed by the regulator becomes increasingly severe higher up the pyramid – with the view of creating an incentive for entities to move towards more compliant behaviours. The Australian Taxation Office (ATO) uses a compliance pyramid.

    In the mid-1990s the ATO's Cash Economy Project further developed their compliance pyramid. An entity's apparent motivation for compliance or non-compliance, based on evidence (known as their motivational posture), was explicitly coupled to a suggested response.

    In this version of the compliance pyramid, four broad categories of client (called archetypes) were defined by their underlying motivational postures:

  • The disengaged clients who have decided not to comply,
  • The resistant clients who don't want to comply,
  • The captured clients who try to comply, but don't always succeed, and
  • The accommodating clients who are willing to do the right thing.

    • This approach has been widely adopted, particularly within Australia. Several other regulators have similar approaches. It is also described as the enforcement pyramid by some regulators although enforcement is only one of the compliance strategies implicit in the model.

    The strength of the model is the regulator being seen to apply the right remedy to the right situation, by taking an entity's apparent motivation (including their efforts to comply) into account. See for example Julia Black's paper: "'Chancer', 'Failure' or 'Trier'? Regulatory Conversations and the Construction of Identities" July 2008 or "The ATO Compliance Model in Action: A Case Study of Building and Construction by Neal Shover, Jenny Job and Anne Carroll" and "Reducing the risk of policy failure: challenges for regulatory compliance"

    In the OECD paper "Reducing the Risk to Policy Failure: Challenges for Regulatory Compliance" the regulatory responses were distilled down to ensuring that clients were ready, willing and able to comply.

  • Ready > Clients who know what compliance is > Knowledge constraint > Educate and Exemplify
  • Willing > Clients who want to comply > Attitudinal constraint > Engage, Encourage, Enforce
  • Able > Clients who are able to comply > Capability constraint > Enable and Empower

    • A similar framework is used in the UK Pension Regulator approach.

    Risk bow-tie diagram

    Another way of looking at this is as a risk bow-tie. See bow tie diagrams in risk management

    .

    Organisations in oil and gas, mining, aviation, industrials and finance have had success using bowties.

    These compliance enhancement strategies fit into a standard structure:

  • deter, (educate, exemplify, engage, encourage, enable, empower)
  • detect, (using quantitative and qualitative intelligence) and
  • deal with (educate, exemplify, engage, encourage, enable, empower, enforce)

    • What happens when the law is uncertain?

    Some commentators do not believe that the compliance pyramid applies when legitimate differences of views exist as to compliant behaviour. Regulators all need to establish their positions in this situation, but it is clear that some regulators do still apply the compliance pyramid when the law is uncertain.

    Risk matrix mapping – risk differentiation framework

    Explicitly considering the likelihood and consequence of the risk of regulatory non-compliance

    Some regulators vary regulatory risk differentiation approaches by mapping suggested remedies to an entity's perceived risk of non-compliance. This approach has been used by the Australian Prudential Regulatory Authority, the Australian Taxation Office and the UK Pension Regulator

    Explicitly considering the likelihood and consequences of an entity possibly breaking a law is a requirement of the UK Statutory Code of Practice for Regulators which emerged from the 2005 Hampton Report "Reducing administrative burdens – effective inspection and enforcement". The later Macrory Review "Regulatory Justice – making sanctions effective" effectively codifies the Ayres and Braithwaite Compliance Pyramid into the UK Regulatory Enforcement and Sanctions Act 2008.

    In these compliance models the possibility of entities breaking a law has both a likelihood of occurrence and a consequence of occurrence, known as a 'risk event'. Considering entities' likelihood of not complying and the consequences of their not complying usually provides a 'power distribution' of a few large consequence or higher likelihood clients and many more lower consequence/likelihood ones.

    This can be represented as a scatter plot on a risk matrix, as shown in the adjacent diagram.

    The scatterplot risk matrix to the left shows that most entities are compliant most of the time – in other words, assessed as both lower consequence and lower likelihood of their not complying with the law.

    From a risk management perspective the regulator has a more significant interest in higher consequence clients or events than lower consequence. The next two diagrams build on the scatterplot diagram to the left.

    In this example, The ATO links its strategies to the likelihood and/or consequences of entities not complying with a law. The ATO risk matrix to the left shows how the ATO divides its clients into four categories, and allocates appropriate detection strategies to each category.

    These strategies are proactive and continuous for higher consequence, reactive and periodic for lower consequence. The strategies are reviewing for taxpayers more likely to break the law, and only monitoring for those less likely.

    The diagram to the left provides more detail, giving names to each category of client, providing all of the strategies - deter, detect and deal with strategies, and the strategies' associated activities.

    It is important to note that the boundaries between category are able to be moved to allocate more or fewer clients to each category. It is normal to see fewer higher likelihood and/or consequence clients rather than 50% of the population or 50% of the assessed likelihood or consequence. In other words, the boundary is shifted so there can be a strong focus on the few assessed to be higher risk.

    This allows more resources to be allocated to more intensive strategies focusing on higher risk entities, providing an incentive to entities to want to be seen to be compliant. The robustness of the risk assessments, and the quality of the data on which the assessments rely, are therefore very important.

    The diagram below shows how end to end risk management steps (from ISO 31000) align with risk differentiation and the risk bow-tie.

    Use of the regulatory risk differentiation approach, including awards

    In September 2009 the UK Pension Regulator, which uses this approach, was shortlisted for a Better Regulation Award

    The above approach was discussed in the ATO Commissioners speech "Do you see what I see" given to the Australian Tax Teachers Association in January 2010. In June 2010 the ATO released its revised "Large Business and Tax Compliance" booklet that detailed its approach to risk differentiation in the Large Market

    In January 2011 the risk differentiation approach was also 'highly commended' in the annual Australian Comcover Risk awards The entire approach is mapped out in the UNSW ATAX 2012 paper 'New dimensions in regulatory compliance'

    References

    Regulatory risk differentiation Wikipedia
    (Text) CC BY-SA