Administering Regulation - Australian National Audit Office

Administering Regulation: Achieving the right balance
Better Practice Guide June 2014
www.anao.gov.au
© Commonwealth of Australia 2014
ISBN 0 642 81460 0 (Print)
ISBN 0 642 81461 9 (Online)
Except for the content in this document supplied by third parties, the Australian National Audit Office logo,
the Commonwealth Coat of Arms, and any material protected by a trade mark, this document is licensed
by the Australian National Audit Office for use under the terms of a Creative Commons
Attribution-NonCommercial-ShareAlike 3.0 Australia licence. To view a copy of this licence, visit
http://creativecommons.org/licenses/by-nc-sa/3.0/au/
You are free to alter, transform, or build upon this document for non-commercial purposes, as long as you
attribute the document to the Australian National Audit Office and distribute the resulting work under a
licence the same or similar to this one.
Permission to use material for which the copyright is owned by a third party must be sought from the
relevant copyright owner. As far as practicable, such material will be clearly labelled.
For terms of use of the Commonwealth Coat of Arms, visit the It’s an Honour website
at http://www.itsanhonour.gov.au/.
Requests and inquiries concerning reproduction and rights should be addressed to:
Executive Director
Corporate Management Branch
Australian National Audit Office
19 National Circuit
BARTON ACT 2600
Or via email:
[email protected]
The ANAO welcomes contributions from
stakeholders for consideration when preparing
future updates to this Better Practice Guide.
Contributions should be addressed to the Director,
Communication, Australian National Audit Office,
GPO Box 707 Canberra ACT 2601 or by email to
[email protected].
Foreword
An appropriate level of effective regulation is an essential part of well-functioning economies and
supports the achievement of economic, social or environmental policy objectives.
In designing regulatory approaches governments need to strike a balance between the obligation to
protect the community or public interest, while at the same time not imposing unnecessary costs on
those they regulate or indirectly the broader community.
This Better Practice Guide (the guide) is being published in a period of change in regulatory approach.
During 2013, the Australian Government made a commitment to regulatory reform with the aims
of reducing the burden of regulation, boosting productivity, increasing competitiveness, reducing
unnecessary regulation and lifting regulatory performance.
To support implementation of the regulatory reform agenda, the Australian Government released two
publications in March 2014. The Australian Government Guide to Regulation requires policy
makers to consider the impact of regulation early in the policy process and encourages departments
and agencies to reflect on whether regulation is the most appropriate response to a policy issue.
The Regulator Audit Framework, developed by the Productivity Commission, provides guidance on
assessing the performance and behaviour of regulators, particularly in relation to compliance costs
imposed on business and other regulated entities.
Where regulation is considered by government to be an appropriate policy response, regulators continue
to have an obligation to administer regulation well. This includes regulators adopting approaches that
minimise the regulatory burden, using risk-based approaches in the targeting of their compliance
activities, being accountable for, and transparent in, decision-making, and monitoring and evaluating
both their own performance and the achievement of regulatory outcomes.
This guide replaces the Australian National Audit Office’s (ANAO’s) 2007 Administering Regulation
Better Practice Guide and aims to provide guidance to regulators on how to efficiently and effectively
administer regulation. The content of the guide has been revised to reflect the changing focus of
regulatory administration. In particular, greater attention is given in this guide to the importance of risk
management, effective stakeholder engagement, the value of data analysis as a source of regulatory
intelligence, regulator behaviour, and regulator and regulatory performance.
Better practice principles are outlined in the guide to assist Australian Government regulators in
assessing the quality of their administrative practices and in identifying where improvements can be
made. In writing the guide, we recognise that regulators regulate very different types of entities operating
in diverse industries and sectors of the economy. Consequently, there is no one-size-fits-all model for
administering regulation. The guide, therefore, focuses on better practice principles and characteristics
that are relevant to regulators, irrespective of their size, organisational structure or policy and regulatory
objectives, and can be tailored to suit individual circumstances. I encourage agencies to use this guide
in reviewing and further developing their regulatory practice.
The ANAO appreciates the contributions of those individuals, departments and agencies that have
assisted us in developing this guide.
Ian McPhee
Auditor-General
June 2014
Contents
Foreword
Glossary
1 Introduction
1.1 Why a better practice guide on administering regulation?
1.2 Regulatory approaches
1.3 Focus of the guide
1.4 Structure of the guide
Part 1—Managing regulatory performance
2 Managing regulatory performance
2.1 Defining regulatory outcomes and administrative priorities
2.2 A risk-based approach to regulatory administration
2.3 Effective stakeholder relationships
2.4 Effective information management
2.5 Transparency and accountability
2.6 Managing regulatory capability
2.7 Measuring, reporting and evaluating regulatory performance
2.8 Additional reference and guidance material
Part 2—Key regulatory activities
3 Registration, licensing and authorising entry into a regulated industry or sector
3.1 Receiving an application
3.2 Assessing compliance against requirements
3.3 Decision-making process
3.4 Recovering regulatory costs
4 Monitoring compliance
4.1 Developing a monitoring strategy
4.2 Implementing the strategy
4.3 Evaluating the monitoring strategy and effectiveness of compliance activities
5 Managing non-compliance
5.1 Encouraging compliance
5.2 Addressing serious risks
5.3 Remediation and monitoring an entity’s return to compliance
6 Responding to adverse events or regulatory failure
6.1 Event notification or identification
6.2 Understanding the risk
6.3 Response management
6.4 Post-event evaluation
Appendix 1
Summary of key considerations
Index
Glossary
Adverse event
The realisation of a risk and/or the occurrence of an unintended event
that has unfavourable consequences and/or the potential to cause harm.
Regulated entity
Any person, business or organisation that is required to comply with
prescribed regulatory requirements.
Regulatory approach
The strategies and interventions adopted by a regulator in administering
a regulatory regime. These can be influenced by government policy, the
behaviour of regulated entities and other stakeholders, and the broader
operating environment.
Regulation
The administration of any rule put in place with government authority
where there is a reasonable expectation of compliance. Regulation is
intended to influence or compel specific behaviour by business and
the community and includes legislation, regulations, quasi-regulations,
such as industry standards and codes of practice, industry/government
agreements, accreditation schemes and international treaties to which
Australia is a signatory.
Regulator
Any Australian Government agency or department empowered by
legislation to administer and enforce regulation. This can be an agency
specifically established for this purpose or a function within a department.
Regulatory risk
An actual or potential event or circumstance that interferes with
the achievement of a regulatory policy objective or administrative
outcome. It can be categorised into two broad groups: risk that affects
a regulator’s ability to effectively administer regulation; and risk that
decreases a regulated entity’s ability or willingness to comply with
regulatory requirements.
Stakeholder
The wide range of groups and individuals with which a regulator interacts,
including regulated entities, other regulators, the community and peak
industry groups.
Regulation is a key tool for achieving the social, economic and environmental policy objectives
of governments. It is often a cooperative effort between regulators, the regulated and the
broader community.
Adapted from—Principles for the Governance of Regulators, Organisation for Economic Co-operation and Development (OECD),
Paris, 2013.
1 Introduction
1.1 Why a better practice guide on administering regulation?
Regulation is one of the mechanisms through which the Australian Government can work to promote
and safeguard the welfare of the community, and protect the environment and public interest. It involves
the administration of any rule put in place with government authority where there is a reasonable
expectation of compliance.[1] Regulation is intended to influence or compel specific behaviour by
business and the community and includes legislation, regulations, quasi-regulations, such as industry
standards and codes of practice, industry/government agreements, accreditation schemes and
international treaties to which Australia is a signatory.[2]
Regulation in Australia operates at all levels of government. In its various forms regulation is far
reaching and affects everyone in their daily lives as individuals, as well as businesses and community
organisations. Food labelling, medicines, industrial safety and financial planning are all areas of
regulatory activity. While regulation may assist countries to manage risk and potential harm to the
community and economy, regulation also imposes costs on regulated entities[3] and in many cases the
community as a whole. Regulatory policy setting must therefore be carefully considered by government
in achieving the right balance.
The extent to which a government uses regulation to deal with public policy issues and the scope of its
regulatory approach is a matter for the Government of the day. Nevertheless, when regulation is chosen
by government as a policy response, the regulatory approach and tools adopted should be effective and
be able to be applied consistently, transparently, effectively and efficiently, and in accordance with the
supporting policy and legislation. Sound regulatory administration is risk-based and should generally
be proportionate to the risk of non-compliance or regulatory failure. Adopting a risk-based approach
can assist a regulator in minimising compliance costs for regulated entities, streamlining interaction
between them and regulated entities, and enhancing the benefits derived for the community. Decisions
made in administering regulation should be objective and made without undue bias and in the absence
of conflicts of interest.
Ultimately, all regulators have a core responsibility to administer regulation:
• with the aim of achieving the underlying social, economic or environmental policy objectives; and
• in accordance with the powers and authority given to them through legislation and government
direction.[4]
[1] Regulations can be created by the Government, the Parliament and/or a regulator that has been authorised to make
regulations or rules with which business or the community are required to comply.
[2] This definition draws on the Australian Government Guide to Regulation—March 2014; the Victorian Guide to Regulation,
Edition 2.1—August 2011, published by the Department of Treasury and Finance, State of Victoria; and the Hampton
Implementation Principles, May 2007, released by the National Audit Office and Better Regulation Executive.
[3] Regulated entities is a term being used to generically refer to any person, business or organisation that is required to
comply with prescribed regulatory requirements.
[4] Organisation for Economic Co-operation and Development (OECD), Recommendation of the Council on Regulatory Policy
and Governance, OECD Paris, 2012.
This Better Practice Guide (the guide) replaces the Australian National Audit Office’s (ANAO’s) 2007
Administering Regulation Better Practice Guide and has been updated to reflect changes in the
regulation policy environment. This guide aims to assist Australian Government regulators to meet
their responsibilities efficiently and effectively. It seeks to achieve this by providing information and
guidance on aspects of better practice regulatory administration and a framework to assist regulators
in assessing the quality of their administrative practices and identifying improvements that can, and
should, be made.
The guide does not seek to cover all administrative strategies and processes a regulator may adopt, but
provides a framework and principles upon which regulators can draw when developing their systems
and processes. There is no single approach to applying the principles outlined in this guide as the
way regulation is administered is influenced by a number of factors including the specific activity being
regulated, a regulator’s legislated powers and authority, stakeholder expectations, and the ability and
willingness of regulated entities to meet their obligations.
Figure 1.1 summarises the key steps in the regulatory process. The shaded sections identify the areas
of focus for this guide—regulatory administration and review.
Figure 1.1: The regulatory process
Source: ANAO—adaptation of ‘The cycle of regulatory activities’, Principles for the Governance of Regulators, OECD Paris,
2013, p. 21.
The process of regulation commences when policy makers determine, having considered the available
policy options, that the most appropriate response to a social, economic or environmental risk is
regulation.[5] Depending on the risks being addressed and their context, regulation can take many
forms including self-regulation, such as compliance with industry codes of practice, through to an
enforcement-based approach. Regulation can also operate in conjunction with other approaches to
achieving particular policy objectives and appropriate consideration needs to be given to the interaction
between regulation and other government programs in achieving objectives.
1.2 Regulatory approaches
Self-regulation approaches can be established in areas where regulatory risks are low or there is a
reasonable expectation that regulated entities will behave appropriately and be accountable for their
actions and performance, and/or where industry is best placed to design regulatory solutions that
achieve government policy objectives. Self-regulated entities will generally be subject to some level of
compliance monitoring, although this is likely to focus on whether a regulated entity has processes and
management systems in place to meet the objectives of the regulatory regime. At the other end of the
spectrum, enforcement-based regulatory regimes are rules based systems where a regulator has little
flexibility or discretion in how they respond to regulatory compliance issues. Most Australian Government
regulators[6] operate somewhere along the spectrum between self-regulation and enforcement-based
regulation. Figure 1.2 outlines the range of regulatory responses available to government.
Figure 1.2: Range of regulatory responses
Self-regulation: Voluntary approach whereby regulated entities are required to comply with codes of
practice or principles that outline expected behavior in the industry or sector. Self-regulation may
involve compliance or enforcement by government or a third party.
Quasi-regulation: Government has a role in the development of regulation such as codes of practice or
accreditation schemes with the aim of influencing behavior in the industry or sector. Ongoing dialogue
and interaction may occur with government, but government generally has no formal compliance or
enforcement role.
Co-regulation: Characterised by a strong relationship between industry and government. Government has
a role in the development of regulation, such as codes of practice or accreditation schemes, supported
by a legislated role. Government has a role in compliance monitoring and enforcement.
Enforcement-based regulation: Industry has a limited role that is generally restricted to consultation.
Compliance with regulatory requirements is mandatory with sanctions and penalties able to be applied
for non-compliance. There is generally little flexibility or discretion in relation to regulatory
compliance.
Regulators may use a combination of regulatory approaches as illustrated in the following case study
of the Australian Communications and Media Authority’s approach to regulating mobile premium
services. These are services that deliver information and entertainment to consumers through their
mobile devices at a cost higher than standard charges.
[5] The Australian Government Guide to Regulation available from <http://www.cuttingredtape.gov.au> discusses the processes
supporting consideration of the need for regulation and requirements to be met where regulation is proposed to government
as a policy response to a social, economic or environmental risk.
[6] A regulator is any Australian Government agency or department empowered by legislation to administer and enforce
regulation.
Case study: The Australian Communications and Media Authority
Administering Regulation: Mobile Premium Services
Mobile Premium Services provide information and entertainment services to consumers via SMS
(text messaging) and MMS (multi-media messaging) to mobile devices using six- and eight-digit
telephone numbers commencing with the ‘19’ prefix. The Mobile Premium Service market gained
momentum in 2005–06 with the launch of a wide range of information and entertainment services
available in text and audio-visual formats.
Mobile Premium Service related complaints to the Telecommunications Industry Ombudsman
had risen to almost 10 000 in the September 2008 quarter, representing around 10 per cent of all
submitted complaints. A number of problems with the Mobile Premium Service market became
apparent, including:
• lack of transparency in the prices and terms and conditions of services, resulting in billing
complaints;
• lack of transparency in the supply chain involving mobile carriers, content providers and
content aggregators, making it difficult for consumers to know who to complain to;
• poor complaint handling arrangements, leading to dissatisfied consumers; and
• commercial incentives for content providers to avoid complying with existing self-regulatory rules.
The Australian Communications and Media Authority (ACMA) worked with the industry to develop
a code of practice that was registered by the ACMA in 2009. A revised code was put in place in
June 2012. It requires content providers to supply to consumers clear and accurate information
about charges and maintain effective complaint‑handling arrangements. It also requires mobile
carriers to monitor content providers’ compliance with the code.
The code is supported by two service provider determinations made by the ACMA. These enable
consumers to bar access to Mobile Premium Services and provide the ACMA with powers to
disrupt services that are found to cause significant detriment to consumers. The ACMA has taken
targeted action to enforce compliance with the code, and is able to seek substantial financial
penalties for repeated non-compliance.
This combination of measures fostered significant improvements in Mobile Premium Service
business practices and has achieved a 95 per cent reduction in Mobile Premium Service-related
complaints to the Telecommunications Industry Ombudsman.
Sound regulatory administration involves consideration of several key overarching principles that guide
regulatory practice and can influence the effectiveness of the regulatory regime and the costs imposed
on business and the community. These interrelated principles presented in Figure 1.3 have application,
albeit to varying degrees, during all stages of the regulatory process. While not all-inclusive, the
principles presented here act as a stimulus for regulators when assessing the quality of their regulatory
practices and in identifying areas where improvements can be made.
Figure 1.3: Key principles supporting effective regulatory practice
Understanding the environment—paramount to the implementation and operation of any
regulatory regime is having a well-developed understanding of the operating environment and
risks being addressed. Regulation is not a one-size-fits-all approach, and different strategies
and approaches are required to address different risks. It is also the case that the operating
environment and risks may change over time and regulators need to have a flexible and ongoing
ability to assess such changes.
Deciding on an appropriate regulatory strategy—in administering regulation, a regulator
must choose from an array of available strategies that it considers will achieve the greatest net
benefit for the community in the most efficient and effective manner, and at the least cost to
business and the community. A sound understanding of its operating environment and how it
changes over time can assist a regulator in deciding on the most appropriate regulatory strategy
and intervention to address the identified risk or harm.
Educating regulated entities about the regulatory regime—regulated entities need to be
aware of and understand their compliance obligations, and have the ability to readily access
information about them. This requires regulators to effectively communicate to regulated entities
their compliance obligations and their rights as a participant in a regulatory regime.
Monitoring compliance with regulatory requirements and managing non-compliance—a
key component of any regulatory regime is monitoring compliance with regulatory requirements
and managing non-compliance. A risk-based approach to these activities assists a regulator
in addressing the most serious risks, patterns of systemic non-compliance and effectively
allocating its resources while avoiding imposing unnecessary costs on regulated entities. In the
circumstances where a risk event occurs that has the potential to cause harm, a regulator may
also need to have in place strategies to respond to the risk to minimise the potential for harm and
prevent its recurrence.
Assessing the effectiveness of the regulatory regime in achieving the Government’s
policy goals and any unintended consequences arising—once a regulatory regime has
been in place for some time, there is benefit in the responsible agency reviewing whether the
regulation is achieving the desired policy objectives, and the associated costs and benefits for
regulated entities and the community. There may also be benefit in regulators benchmarking their
practice against other mature regulatory regimes operating in other jurisdictions.
Sound regulatory practice suggests that the effectiveness and efficiency of regulation should be
periodically reviewed to determine whether the Australian Government’s policy objectives are
being achieved and to inform future regulatory administration. The frequency of review activity
may be guided by government policy requirements. In reviewing regulation a regulator may find
that the regulation is redundant or requires updating to reflect changes in the environment, and in
these circumstances, the regulator should consider available options for the repeal or amendment
of the supporting legislation or regulatory instrument.
1.3 Focus of the guide
The target audience for this guide is Australian Government regulators. In drafting the guide the
ANAO has acknowledged that regulators vary in size and function and regulate very different types
of entities operating in different industries and sectors of the economy and as a result there is no
one‑size‑fits‑all approach for administering regulation. The guide also acknowledges that the extent to
which government uses regulation to deal with public policy issues is a matter for the Government of
the day, but when regulation is chosen as a policy response, regulators have an obligation to administer
regulation well. Consequently, this guide aims to provide guidance to both senior managers who are
responsible for the oversight of regulatory administration and operational managers who are involved in
day-to-day regulatory administration.
The guide outlines a series of better practice principles to assist senior managers in reviewing the
effectiveness of their agency’s regulatory administration and to guide future practice. More practical
implementation advice and case studies have also been included to assist operational managers in
delivering an efficient and effective regulatory regime.
While the guide is aiming to provide guidance to Australian Government regulators, regulators in other
jurisdictions may also find the guide useful.
1.4 Structure of the guide
The structure of the guide is outlined in Figure 1.4. Part 1 discusses a series of thematic issues that
have application during all stages of the regulatory process. Many of these issues are matters common
to public sector administration, but are discussed in the context of contributing to better regulatory
outcomes. This section also provides senior managers with an overview of key considerations
fundamental to the effective administration of a regulatory regime. Part 2 focuses on a number of key
operational regulatory activities that are common to most Australian Government regulators. These
include: registration, licensing and authorising entry; monitoring compliance; managing non‑compliance;
and responding to an adverse event or regulatory failure.
Figure 1.4: Structure of the guide
Chapter 1: Introduction
• Why a better practice guide on administering regulation?
• Regulatory approaches
• Focus of the guide
• Structure of the guide
Part 1—Managing regulatory performance
Chapter 2: Managing regulatory performance
• Defining regulatory outcomes and administrative priorities
• A risk-based approach to regulatory administration
• Effective stakeholder relationships
• Effective information management
• Transparency and accountability
• Managing regulatory capability
• Measuring, reporting and reviewing regulatory performance
Part 2—Key regulatory activities
Chapter 3: Registration, licensing and authorising entry into a regulated industry or sector
• Receiving an application
• Assessing compliance against requirements
• Decision-making process
• Recovering regulatory costs
Chapter 4: Monitoring compliance
• Developing a monitoring strategy
• Implementing the strategy
• Evaluating the monitoring strategy and effectiveness of compliance activities
Chapter 5: Managing non‑compliance
• Encouraging compliance
• Addressing serious risks
• Remediation and monitoring an entity’s return to compliance
Chapter 6: Responding to an adverse event or regulatory failure
• Event notification or identification
• Understanding the risk
• Response management
• Post-event evaluation
The guide includes a summary of key considerations that regulators may find useful in assessing the
extent to which their current regulatory practice reflects the principles outlined in the guide. A reference
to additional guidance and reading material is also provided at the end of Chapter 2.
Part 1—Managing regulatory performance
This part of the guide discusses a series of thematic issues that have application during all stages of
the regulatory process. Many of these issues are matters common to public sector administration,
but are discussed in the context of contributing to better regulatory outcomes and aim to provide
senior managers with an overview of key considerations fundamental to the effective administration
of a regulatory regime.
The topics discussed include:
• defining regulatory outcomes and administrative priorities;
• a risk-based approach to regulatory administration;
• effective stakeholder relationships;
• effective information management;
• transparency and accountability;
• managing regulatory capability; and
• measuring, reporting and evaluating regulatory performance.
2 Managing regulatory performance
The actions of a regulator can influence both the effectiveness and efficiency of the regulatory regime.
Where the Australian Government has made the policy decision that regulation is an effective strategy
for managing a policy challenge and its associated risks, a regulator is required to administer the
regulatory regime using the powers and authority prescribed in the supporting legislation enacted by the
Parliament. This involves regulation being administered transparently, consistently and proportionately in
response to the level of risk or harm to the community, and at a cost justified by the risk being addressed.
Above all, regulators should discharge their responsibilities with integrity, honesty and objectivity.
Effective regulatory administration supports achievement of key policy objectives while minimising
the burden and compliance cost for regulated entities. Well-functioning regulators have a clear
understanding of the regulatory outcomes being sought, apply a risk-based approach to regulatory
administration, effectively engage with stakeholders to share and collect information, use
information as a source of intelligence to guide regulatory activity, are transparent in their approach,
accountable for their actions and decisions, and monitor and report on their performance and the
effectiveness of the regulatory regime.
Effective regulatory administration combines the elements of better practice regulatory behaviour
with sound governance and management practice. Such an approach enables a regulator to meet its
responsibilities to government, the community and other stakeholders⁷ and to be accountable for its
decisions and actions.
This section of the guide discusses management processes and principles which, when applied,
may assist a regulator in achieving the Government’s desired policy objectives, while not placing an
unnecessary burden or cost on regulated entities and indirectly the community. Regulators are subject
to the same governance and performance expectations as other government agencies and while the
activities and principles described in this section of the guide are not prescriptive or all inclusive, when
implemented by a regulator they may contribute to better regulatory administration and ultimately
improved regulatory performance and outcomes.
2.1 Defining regulatory outcomes and administrative priorities
To enable a regulator to achieve the Government’s desired policy objectives and respond effectively
to regulatory risk, the objectives of the regulatory regime should be clearly outlined in the supporting
legislation or legislative instruments and communicated to key stakeholders. Well-defined objectives
assist regulators in identifying the most appropriate strategies and activities to address the identified
risk. Legislative frameworks may not be prescriptive about regulatory objectives and outcomes. In
such instances additional clarity could be sought from supporting sources such as accompanying
explanatory material, the supporting regulations, or it may be appropriate for a regulator to seek further
advice from the responsible Minister or policy department.
A Minister’s letter or statement of expectation provided to a regulator can be a useful vehicle for clarifying
regulatory outcomes and administrative priorities. The Minister’s letter or statement should outline
the Government’s broader policy framework within which a regulator must operate, the objectives of
the regulatory regime, the role of the regulator, how it is envisaged that the regulator will conduct its
operations, and performance expectations. A regulator may find it useful to outline in its corporate plan
how it proposes to meet the objectives of the regulatory regime, the Government’s expectations and
the way in which its performance will be evaluated and reported. Such processes aid transparency and
accountability by informing stakeholders about the role of the regulator, what it is expected to achieve
and how its performance will be assessed.
7 The term stakeholder refers to the wide range of individuals and groups with which a regulator interacts, including regulated
entities, other regulators, the community and peak industry groups.
Key consideration—defining regulatory outcomes and administrative priorities
• Regulators and stakeholders should have a clear understanding of the objectives of the
regulatory regime.
2.2 A risk-based approach to regulatory administration⁸
Risk management is an integral component of good regulatory administration and underpins almost
all regulatory activity. It can be used to guide the development of management systems, processes
and structures to support regulatory administration, the monitoring and management of regulatory
compliance, and the efficient allocation of available resources.
Regulatory risk
Regulatory risk is an actual or potential event or circumstance that interferes with the achievement
of a regulation policy objective or administrative outcome, and that is measured in terms of the
consequences of an event and its likelihood.
This definition draws on the AS/NZS/ISO 3100:2009 risk management standard.⁹
Risk management in a regulatory context is as much about organisational culture as it is about the
process of identifying, assessing and ranking risk. Senior management can establish a risk management
culture within their agency by communicating consistent messages about the importance of risk
management, incorporating risk management into all aspects of the agency’s operations, and taking
action that clearly demonstrates the agency’s approach to managing risk.
Adopting a risk-based approach to regulatory administration can have benefits for both regulated
entities and regulators. Compliance costs for regulated entities can be minimised with entities assessed
as lower risk being subject to a lighter touch compliance approach without unnecessary intrusion
by regulators. On the other hand, higher risk entities may be subject to more scrutiny by a regulator
and incur additional compliance costs, with these costs offset by improved regulatory outcomes and
benefits for the community. Efficiency gains for regulators are also possible with regulators allocating
their resources based on an assessment of risk across the regulatory regime. Consequently, resources
can be concentrated in areas where they can contribute most to the achievement of the regulatory
outcomes with compliance responses proportionate to the level of risk.
A risk-based approach can also assist in engendering support for the regulatory regime with
stakeholders having confidence in the regulator’s approach and ability to mitigate risks. Nevertheless,
stakeholders’ tolerance of risk can vary and regulators, in managing risk, need to be flexible and
adaptable in responding to changes in stakeholder expectations.
8 This section draws on the publication Risk and Regulatory Policy: Improving the Governance of Risk, OECD Paris, 2010.
9 Standards Australia and Standards New Zealand, AS/NZS ISO 3100:2009 Risk Management—Principles and Guidelines,
Standards Australia and Standards New Zealand, 2009.
It is important to highlight that a regulator’s role is not to completely eliminate risk, but to effectively
manage risk, as the cost associated with eliminating risk would in most cases be prohibitive. In adopting
a risk-based approach a regulator should therefore consider stakeholder expectations, while at the
same time acknowledging that some level of residual risk will exist in the system.
While adopting risk-based approaches to regulatory administration is integral to sound practice, the
value of maintaining a base level of compliance management activity for regulated entities should not
be overlooked. The potential for a low-risk entity to be subject to some form of compliance activity
can be a sufficient incentive for these entities to continue to voluntarily meet their obligations. Such
interactions also provide an opportunity for regulators to engage with regulated entities and act as a
conduit for education and two-way information sharing.
Risk-based approaches provide regulators with a structured framework to identify, analyse, prioritise
and respond to risk. Regular monitoring of regulatory risk enables a regulator to adjust its strategies,
activities and enforcement activities to reflect changing priorities that result from new and evolving
regulatory threats and changes in stakeholder expectations. This may result in either an escalation or
reduction in regulatory activity.
Key considerations—a risk-based approach to regulatory administration
• Promote a risk management culture that supports an integrated approach to the identification
and management of risk, while recognising that a level of residual risk will remain as the cost
associated with eliminating risk would in most cases be prohibitive.
• Integrate risk management into strategy, planning, decision-making and other processes.
• Assign responsibility for managing significant business risk to the most relevant senior
manager to reinforce the regulator’s risk management culture and emphasis on action.
• Regularly monitor and review risks—this information can be shared across the regulator and
used to adapt or tailor risk management processes and effort according to the likelihood,
consequences and nature of risks identified.
• Educate officers about a regulator’s risk management policies and procedures and make sure
officers are trained in their application.
2.3 Effective stakeholder relationships
In administering regulation, regulators necessarily interact with a broad range of stakeholders, as
illustrated in Figure 2.1. Effective stakeholder interactions and relationships rely on a regulator identifying
key stakeholders, the value of engagement and how best to undertake engagement activities. Effective
two-way engagement and communication with regulated entities can lead to positive regulatory
outcomes. When regulated entities have a clear understanding of their compliance requirements they
are better able to and may be more willing to comply. Similarly, through interacting with regulated
entities a regulator can gain valuable insights into the behaviour of regulated entities that can be used
to guide future compliance activity and the allocation of its available resources. Two-way engagement
also provides insights into the overall effectiveness of the regulatory regime and regulator performance.
Figure 2.1: Potential regulator–stakeholder relationships
[Diagram showing the Regulator and its stakeholders: regulated entities; government agencies; Parliament; peak bodies; the Australian community; regulatory beneficiaries; law enforcement agencies; and other regulators (domestic and international).]
Communication mechanisms
Effective communication and stakeholder interaction is essential to regulators achieving the Government’s
regulatory outcomes. If regulated entities are not aware of their regulatory obligations or face significant
barriers to accessing such information, they are not well positioned to comply. Australian Government
policy requires agencies to publish information online and use information technology to disseminate
information, maximise the amount of information that is published voluntarily, and apply a presumption
of openness when deciding whether and how to publish public sector information, unless there is a
compelling reason to the contrary.
Effective communication methods facilitate dialogue between regulators and stakeholders. In designing
their strategies for stakeholder interactions, regulators may find benefit in considering the diversity of
communication mechanisms required to effectively reach regulated entities and other stakeholders
and the capacity of the intended audience to effectively access and use the selected communication
mechanisms. Communication mechanisms can include: publishing information online; social media;
electronic distribution of information to subscribers of information services; formal consultative
arrangements; informal and ad hoc processes; point of contact and feedback mechanisms; or a
combination of these. Through these processes regulators need to act as an authoritative source of
information for regulated entities and other stakeholders.
Regulators’ websites
With limited exceptions, Australian Government agencies, including regulators, are subject to the
Freedom of Information Act 1982 and are required under the information publication scheme to publish
a range of information on their websites.¹⁰ Online publication promotes transparency and accountability
by making information available to all interested stakeholders at minimal cost.
Social media
The use of social media communication channels provides regulators with the opportunity to
communicate with a large audience, very quickly and at a low cost. This type of communication can be
particularly useful where up-to-date and accurate information needs to be quickly distributed to a wide
audience. However, social media is self-moderating and information can be distributed by third parties
without the accuracy of the information having been verified. Consequently, regulators may need to
monitor social media communication channels where they are used to ensure credible information is
readily available. A regulator making use of social media should have in place an appropriate social
media policy to guide employees’ behaviour.
Electronic distribution
Providing a capacity for, and encouraging stakeholders to subscribe to, an electronic information
or notification service can assist in maximising coverage at a low cost. Advice, guidance and other
general information about the regulatory regime or notification of the posting of relevant information on
a regulator’s website can be provided to stakeholders and other interested parties in a timely manner.
Such facilities should also allow subscribers to unsubscribe or opt out of the process where they no
longer wish to receive the information or notifications.
Formal engagement arrangements
Regular formal engagement between regulators and key stakeholders provides the opportunity for an
open exchange of information, opinions and feedback on regulatory matters. To maximise the value of
formal engagement arrangements, regulators should include a diverse range of stakeholders, such as
industry and professional associations and business and consumer groups. A standing consultative
group that reflects the interests, experiences and organisational characteristics of stakeholders is likely
to have higher credentials and legitimacy.
The value of regulators engaging directly with regulated entities should also be considered. Given the
reach of regulation, a personal interaction between the regulator and regulated entities may be valuable
in providing information and guidance. Such an approach recognises the diversity of the regulated
environment and the differing needs of regulated entities.
One of the risks associated with formal and ongoing engagement relates to the issue of regulatory capture.
This occurs where an officer involved in administering a regulatory regime develops a relationship with
the regulated entity or industry and represents their interests in advance of the interests of the regulator.
In some circumstances this risk can be managed by separating responsibility for regulatory functions,
such as: stakeholder relationship engagement; registration, licensing or entry decisions; and ongoing
compliance management. However, in other circumstances, this may not be possible or the benefits
arising from an ongoing relationship with a regulated entity outweigh the associated risks. In these
circumstances, a higher level of management oversight may be beneficial to maintain the integrity of
the regulatory regime.
10 Some Australian Government agencies, such as intelligence agencies, are exempt from the Freedom of Information
Act 1982. Other agencies, such as some of the courts and tribunals, are exempt in relation to certain documents.
Informal and ad hoc forums
Ad hoc meetings, seminars, participation in industry forums or conferences and discussion groups
enable regulators to interact with selected stakeholders on specific regulatory issues when information
exchange is most useful—for regulators and stakeholders. To leverage off existing mechanisms,
regulators may also choose to engage with third parties with whom regulated entities are likely to
interact. For example, engaging with an industry peak body may provide an effective mechanism for
the distribution of information and guidance to a large number of stakeholders.
Point of contact and feedback mechanisms
An email address, telephone number or website enquiry facility gives stakeholders simple, low-cost
access to a regulator. Such facilities need to be effectively managed so that queries or feedback can
be responded to in a timely way. Expected timeframes for reply or action should be publicly available
and the individual making an enquiry or providing feedback should be made aware of the process and
associated timeframes. Regulators may also wish to identify whether the individual making the enquiry
or providing feedback is expecting a call-back or other form of formal response from the regulator.
This assists in understanding and managing the individual’s expectations.
Success in respect of these interactions is determined largely by a regulator’s ability to provide a
timely, accurate and helpful response to an enquiry or feedback. It may also be useful to personalise
the interaction by providing a point of contact for any follow-up enquiries. Where an entity making a
complaint or providing feedback feels that they have been treated fairly and their concerns have been
given due consideration, the chances of the matter remaining unresolved are reduced.
Assessing the effectiveness of stakeholder engagement
The effectiveness of a regulator’s strategies for engaging with stakeholders can be difficult to measure,
but doing so can guide future interactions. A regulator can readily measure the level of interaction
with stakeholders, but measuring the impact of these interactions is far more challenging as it can
be difficult to attribute changes in regulated entities’ behaviour to any one factor. To develop a more
fulsome understanding of the impact of stakeholder interactions and engagement activities regulators
may find value in consulting stakeholders about the effectiveness of different activities, and monitoring
trends in compliance or other behaviours following engagement activities.
Key considerations—effective stakeholder relationships
• Promote and value two-way engagement and communication with regulated entities.
• Communicate information to stakeholders in an accessible format and consider the capacity of
the intended audience to effectively access and use the selected communication mechanisms.
• Monitor and assess the outcomes of engagement activities.
2.4 Effective information management
Effective regulatory administration is based on sound information management practices, including: the
collection and retention of relevant data to support regulators in identifying and managing risks, making
regulatory decisions, and evaluating regulatory administrative strategies and practice. Regulatory data
may be supplied to, or acquired by, regulators through their normal activities.
A sound regulatory information management system:
• facilitates the capture of data that may provide insight into regulatory risk, non-compliance by
regulated entities and potential negative regulatory outcomes;
• supports analysis of data to assist in identifying trends and patterns that may be indicative of
systemic risks or weaknesses in the regulatory regime;
• disseminates information in a timely way only to those who have a legitimate interest in the information
and a need to know;
• creates a repository of information that supports consistency in decision-making; and
• assists regulators in meeting their statutory record-keeping obligations.
Data collected in isolation may not be sufficient to identify regulatory risk, but when combined with
other data and examined through the use of analytical tools and other research methods, evidence
of heightened regulatory risk that warrants investigation may be identified. Such an approach allows
regulators to be responsive to changing circumstances and behaviour, and supports a risk-based and
cost-effective approach to regulatory administration.
In managing data and information, regulators are required, like other Australian Government agencies, to
comply with relevant legislative standards, together with government information policy requirements,
including freedom of information, privacy and security, and recordkeeping.
Collecting relevant data
Collecting relevant data can assist regulators in identifying, assessing, and understanding the
prevalence and nature of risks in their operating environment. Relevant data is data that can be easily
understood and used, meets the needs of the intended audience, and provides an insight into the
issue being considered. Regulators can identify shortfalls and redundancies in their data holdings by
regularly comparing data collected and their data needs. Shortfalls can be addressed by the collection
of new or expanded data sets from regulated entities and/or the identification of new data sources.
Where a regulator requests information from a regulated entity there should be a clear purpose for the
information and other options for accessing the data should have been considered.
As the community increasingly uses information sources such as online news reporting and social media,
there is a growing need for regulators to scan the environment to gather information about community
and stakeholder expectations. Increasingly, regulators are being called upon to respond to behaviours
that are perceived by the media, the community or other stakeholders as unacceptable. Informal sources
of information, such as social media, can inform regulatory administration, decisions and actions.¹¹
Sharing data within the agency
Information access protocols should allow regulatory decision-makers timely access to data holdings.
Well-designed information access protocols recognise the need to control access to certain data
(for example, restricting access for privacy or secrecy reasons), but also allow timely access to
data where there is a demonstrated need to know. Such an approach can reduce the incidence of
‘information silos’ within a regulator.
While data collected by regulators should only be shared on a need to know basis, it can be difficult
for regulators to identify all instances where data should be shared and with whom. In considering
when and how information should be made available, regulators need to consider the potential risk
and consequences of disclosing or not disclosing the information. Periodic review of data-sharing
approaches is likely to benefit a regulator.
11 The impact of external influences and stakeholder expectations on regulatory administration and risk management is
discussed in the Productivity Commission’s Report, Regulator Engagement with Small Business, released in October 2013.
Data-sharing across government and jurisdictions
Regulators can, in certain circumstances, gain a significant benefit from accessing information held
by other government agencies, whether these are Australian, state or territory government entities.
Some regulators have authority under their supporting legislation to acquire data from other entities to
assist them in fulfilling their regulatory role. However, other agencies that do not have this power may
benefit from having access to data and information held by third parties.
A regulator may be able to access information held by another domestic or international agency by
entering into a memorandum of understanding, or some other form of data-sharing agreement, providing
the agency is not prohibited by legislation from sharing the information held. Such an agreement would
be expected to outline the information that is to be shared, how the information is to be stored and
used, and how privacy and other information requirements will be managed consistent with legislative
obligations and government policy requirements.
The Australian Taxation Office is an example of an agency that uses information from various sources to
assist with fulfilling its administrative functions. Data-matching is used to identify people who are not in
the tax system, not correctly reporting and/or who are behind in meeting their obligations with respect
to the lodgement of documents, paying debts or superannuation contributions.
Case study: Australian Taxation Office
Data analysis and matching—assisting taxpayers to comply and identifying
non‑compliance
The Australian Taxation Office (ATO) uses analysis and matching of third party data to assist
entities (businesses, individuals etc.) to comply with, and to check that entities are meeting, their
obligations with respect to the lodgement of documents, correct reporting, paying debts or
superannuation contributions.
Financial institutions and other organisations, both in Australia and overseas, report details of
financial transactions and other activities to the ATO. This includes employment and income
support payments, superannuation and health insurance payments, bank interest and other
investment income, and property and share transactions. Increasingly, the ATO is receiving
information from overseas, such as details of employment-related foreign source income.
Third-party information and the details reported by taxpayers on their current and previous returns
are automatically matched. Information matching gives taxpayers and tax agents the option
of having some fields in returns pre-filled. This enables the ATO to alert taxpayers to potential
liabilities arising from investment income and capital transactions such as sale of real estate and
other assets, before they lodge their tax return.
Over 600 million transactions are reported to the ATO annually. This helps the ATO to develop
a picture of entities’ financial dealings, supporting the detection of undeclared income and fraudulent
claims. By comparing third-party data against information provided in tax returns, the ATO raised
over $900 million in revenue adjustments from some 450 000 reviews and audits in 2013.
Where a regulator uses data-matching techniques the regulator must comply with the Privacy Act 1988
and other legislative requirements.
Key considerations—effective information management
• Manage data in accordance with legislative and policy requirements.
• Consider information access protocols to allow regulatory decision-makers timely access to
data holdings.
2.5 Transparency and accountability
Regulatory processes, by their very nature, require delegated officers to frequently make administrative
decisions in the course of their normal duties. These decisions can range from whether to impose a
civil penalty for breach of a regulation through to which regulated entities may be audited as part of a
targeted compliance program. Stakeholders have expectations that regulators ensure transparency
and accountability in administrative decision‑making and act consistently, lawfully and in a manner
free from bias.
Regulators are required by government to be transparent and accountable in their decision-making
processes. This places an obligation on regulators to provide a broad range of information to regulated
entities and other stakeholders, unless there is a compelling reason for the information not to be
disclosed. Regulators are responsible for creating and maintaining accurate records of their activities,
including their decision-making processes. The recording of regulatory actions and the reasons
for these actions is important for both transparency and accountability, particularly as a regulator’s
decisions or actions may be later challenged.
A minimum standard of documentation should be maintained for all regulatory decisions for
accountability and transparency purposes. For more complex or sensitive decisions additional
information, commensurate with the level of risk and sensitivity, may also need to be retained. Such
records should be sufficient to support an independent assessment of the matter in question.
Furthermore, documenting the steps and timelines in the regulatory decision-making process can
assist a regulator in demonstrating to a third party that regulatory action was taken lawfully and due
process was provided to affected entities in accordance with procedural and legislative requirements.12
Guidance on the minimum standards to be applied in the recording and storing of official information
in relation to decisions made by a regulator should be distributed to all officers engaged in regulatory
processes. In addition to this guidance, regulators may also find value in documenting their internal
decision-making processes.
The complexity of a regulatory regime and the number, type and frequency of regulatory decisions
may require decisions to be made in various parts of an organisation. Establishing appropriate internal
decision-making processes, effective internal communication and information sharing mechanisms
can aid in promoting consistency in decision-making and information sharing across the organisation.
12 This may include procedural fairness, a process that requires a decision-maker to apply a fair and proper process when
making a decision, particularly when the decision could negatively affect a regulated entity.
Managing conflicts of interest
Public officials involved in regulatory activities, in particular decision-makers and those advising
decision-makers, should be aware of situations that constitute, or could give rise to, a conflict of interest.
Decisions should be made by regulators in a fair and unbiased manner and must not be influenced by
self-interest, external affiliations and/or the likelihood that the officer, or those close to them, will gain
any personal or financial advantage. Conflicts of interest can pose a significant risk for a regulator and
can undermine stakeholders’ confidence in their integrity.
Conflicts of interest can arise at various points in the regulatory cycle. Regulators should have conflict of
interest policies and supporting procedures in place. A policy should outline disclosure requirements,
risk mitigation and ongoing management and review requirements. A regulator’s conflict of interest
policy should be widely accessible and easy to understand, providing a consistent message about
the agency’s expectations and the processes for managing conflicts of interest at all levels within the
organisation. Regulators should also establish mechanisms to encourage their officers to declare any
actual, potential or perceived conflicts of interest as they are identified.
The benefits of a pro-disclosure approach are diminished if officers are not encouraged and required
to disclose conflicts of interest on an ongoing basis.
If a conflict of interest becomes evident or is declared by an officer, a regulator should carefully consider
the nature of the conflict and the risk it poses and implement mitigation strategies proportionate to the
risk. For example, where resources permit, separating responsibility for registration, licensing or entry
assessment, and compliance monitoring and enforcement may assist in reducing the potential for a
conflict of interest arising from regulatory capture.
Regulators periodically reviewing their conflict of interest policy and processes through a program of
internal audits and/or peer reviews, and the monitoring of decisions and decision-making processes by
senior management can help to maintain the integrity of the regulatory regime. Stakeholder feedback
and complaint mechanisms can also be useful sources of information about the effectiveness of a
regulator’s conflict of interest policies and processes.
Handling disagreements and disputes
While there are clear benefits from having sound relationships between regulators, regulated entities
and other stakeholders, disagreements and disputes will arise where a regulated entity or stakeholder
feels aggrieved as a consequence of a decision by, or the actions of, a regulator. Well-defined dispute
handling processes can assist a regulator in resolving a dispute in the most appropriate, timely and
cost-effective way.
Processes that enable regulated entities and regulators to mutually resolve disputes are generally
regarded as being the better approach. Effective internal dispute management can prevent escalation
and avoid unnecessary costs being incurred. Where a dispute cannot be resolved internally, entities
subject to regulation have the ability to seek redress through external review processes. However,
formal external review should be considered as the last option, wherever possible.
External review mechanisms are normally defined in legislation and allow entities subject to regulation
to refer a matter to an independent body. Other review options include lodging a complaint with the
Commonwealth Ombudsman and initiating a judicial review proceeding through a court. Regulators, in
providing notice of decisions to regulated entities, should advise the regulated entity or stakeholder if
the decision is reviewable and provide the details of review options.
Handling complaints
Well-defined and independent complaints handling procedures can enhance transparency and
accountability in regulatory administration. Regulators’ complaints handling arrangements need to
reflect the complexity of the regulatory environment and provide an effective avenue for regulated
entities or other stakeholders to seamlessly provide feedback and lodge formal complaints. This may
require cooperation between agencies and the integration of complaints handling arrangements, for
example, where a regulatory function has been outsourced to another agency.
To continually enhance regulatory practice and associated administrative processes, regulators should
regularly monitor their complaints handling arrangements, the nature of complaints and the outcomes
of internal reviews, to identify areas for improvement.
Regulators can adopt a range of approaches to managing complaints, with their method of choice
likely to be influenced by their size, structure and the nature of their operating environment. The
Commonwealth Ombudsman publishes guidance on complaint handling, which regulators may find
useful in designing, implementing and/or reviewing their complaints handling procedures.
Key considerations—transparency and accountability
• Maintain a minimum standard of documentation for all regulatory decisions to support
accountability and transparency.
• Disseminate to all staff details of the minimum standards to be applied in the recording and
storing of official information.
• Develop and implement conflict of interest policies and supporting procedures.
• Establish well-defined dispute handling processes to address circumstances where a
disagreement or dispute arises.
• Provide mutual resolution approaches to disputes.
• Regularly monitor complaint handling arrangements, the nature of complaints and the
outcomes of internal reviews to identify areas for improvement.
2.6 Managing regulatory capability
Australian Government regulatory functions are performed by a range of entities that vary considerably
in size, structure, function and complexity. Some regulators have been formed with the sole purpose
of regulating a market, product or service, while others may be a section or function embedded within
a department. As a result, there is a range of approaches used in the resourcing and delivery of
regulatory functions, from regulatory functions being exclusively or predominately provided in-house
through to functions being outsourced with oversight and administrative accountability retained by
the responsible regulator. The following sections discuss a range of factors that should be taken into
account when considering how to build regulatory capability and in outsourcing regulatory activities.
Skills and capabilities required to support effective regulatory administration
Regulators need to have a clear understanding of their role and function, and the skills and capabilities
required to achieve the Government’s desired policy objectives. This knowledge can guide a regulator’s
workforce planning, including the training, development and retention of its officers, and the targeted
recruitment of persons with the skills required to fill identified gaps.
The skills and capability requirements of officers involved in regulatory activities can be very broad,
depending on the nature of activities being undertaken by the regulator. As a result, regulators
need to invest in the training and development of their officers. Training, retention and recruitment
programs need to target developing and maintaining competencies that are essential for effective
regulatory administration.
While technical proficiency, formal technical qualifications and industry experience may be important
for regulatory officers, there is also a requirement for skills in a broad range of areas, including:
• risk and quality management—the design and application of the regulator’s risk and quality
management systems and procedures are enhanced when officers have practical experience in
applying the relevant national and international standards;
• stakeholder engagement—stakeholder confidence in a regulator’s performance is enhanced
when the regulator communicates effectively. Officers who are skilled in stakeholder engagement,
social networks, website design, public relations and dealing with the media enable a regulator to
create an effective public interface. To comply with the Australian Government’s information policy
requirements, regulatory information is required to be accessible and available online, unless there
is a need to protect the information;
• communication—well-developed communication and inter-personal skills enable officers to
establish productive and professional relationships with regulated entities and other stakeholders
and develop an engagement approach where there is an ongoing, longer-term relationship;
• team management—skills and experience in leading multi-discipline teams assist in maximising the
individual contributions of each discipline and the collective output of the team;
• data analysis and management—quality information is a key component of effective regulatory
administration. Officers with skills in designing and implementing data management systems and
undertaking complex data analysis are key members of a regulator;
• audit and inspection—the quality of a compliance assessment is enhanced when it is conducted
by officers who are trained, or have experience, in auditing techniques. Important skills include:
scoping an audit, planning, information management, quantitative and qualitative analysis, evidence
gathering and document preparation;
• legal and criminal investigation—lawful exercise of regulatory authority and sound practices for
collecting evidence to support criminal prosecution underpin sound regulatory administration. Officers
with appropriate legal and investigative skills help to ensure that regulatory powers are exercised
effectively. Australian Government policy requires that investigations be carried out by appropriately
qualified and experienced personnel supported by a suitable level of managerial oversight. Officers
undertaking such investigations are required to meet the competency requirements set out in the
Australian Government Investigations Standards; and
• contract management—officers with experience in handling contracts contribute to effective
management of outsourced regulatory activities.
Where persons employed by regulators are required to hold mandatory qualifications, regulators
may benefit from maintaining a central record of the qualifications and experience, particularly where
a qualification may require periodic re-certification or renewal. This assists in ensuring that only
appropriately qualified and experienced officers, holding the relevant qualifications, are involved in the
specified activities and action is taken to ensure officers’ qualifications are maintained as required.
Developing capability
Regulators require a broad range of skills and experience, and maintaining this capability can be a
challenge for many regulators. In larger regulators, different regulatory functions can be allocated to
different sections or areas that support the development of skills in the required areas. In smaller
regulators, officers may have responsibility for a variety of tasks and regulatory functions requiring them
to maintain a broader skills set.
In maintaining the required skills and/or mix of skills, a regulator may find benefit in adopting several
approaches to developing its capacity. These can include:
• creating an information sharing environment—the sharing of knowledge and experience through a
community of practice or similar mechanism can be a valuable approach to developing capability.
Regulators may wish to explore opportunities to establish networks internally to discuss common
issues, share lessons learnt and promulgate better practice regulatory administration;
• developing operating procedures or guidance—comprehensively documenting procedures can
represent a significant overhead for a regulator, but the procedures can provide a point of reference,
promote a consistent approach to regulatory administration by providing a clear decision-making
framework, and improve transparency of the decision-making process;
• participating in networks—contributing to national, regional and international networks creates
opportunities for shared learning and capability building;
• focusing on professional development—better practice regulators encourage officers to maintain
and develop their skills through participation in professional development programs and training,
the attainment of professional qualifications and participation in continuing professional education;
• actively managing retention—fundamental to successful regulatory administration is people with
the required skills, experience and approach. These officers support the work of regulators by
being professional, accountable, resilient and demonstrating a commitment to the agency’s values.
Succession planning is important in retaining highly performing officers and building workforce
capability; and
• targeting recruitment activities—understanding the skills and competencies needed to assist in
achieving the desired regulatory outcomes can assist a regulator when undertaking recruitment
activities. The competencies sought can be clearly specified through targeted recruitment processes
and guide the selection of officers with the required skills and experience.
Outsourcing regulatory activities
Regulatory activities may be outsourced for various reasons, including where a regulator does not have the
necessary capacity or specialist/technical skills, is focusing on core high-value activities, or may be
able to achieve greater value for money through outsourced arrangements. A regulatory function or
activity may be outsourced by the regulator, but the regulator remains responsible and accountable for
the administration of its regulatory performance.
As with the management of any outsourced Australian Government function, the key to success is
effective management arrangements. This involves choosing a service provider that can provide the
right skills, experience and capability; clearly defining the service delivery requirements, expectations
and performance standards; and monitoring the performance of the service provider and actively
managing the contractual relationship.
Choosing an appropriately skilled and experienced service provider
The outsourcing of regulatory activities may require a regulator to establish a contractual arrangement
with another government agency or a business entity. However, choosing the right service provider is
critical to effective and efficient regulatory administration. A regulator may benefit from considering the
following issues when choosing a service provider:
• the service provider’s experience in providing similar services;
• knowledge of the operating environment and past industry experience;
• the skills, experience and capacity of key personnel;
• the capacity of the service provider to respond to changes in the regulated environment;
• whether the service provider has internal quality arrangements in place to support the delivery of
effective and efficient regulatory services; and
• whether a contractual arrangement would represent an efficient and effective use of available
financial resources.
Clearly defining service delivery requirements
Service delivery requirements and expectations should be outlined in the contract with the service
provider. Details to be included in the contract with the service provider may include:
• services to be provided, including specific deliverables and associated quality standards;
• expected timelines for delivery of the services;
• progress reporting requirements to facilitate performance monitoring;
• key performance indicators;
• confidentiality and ownership of data, information and intellectual property generated by the
service provider;
• specific instructions and undertakings that ensure the service provider meets legislative and policy
obligations; and
• contract payment arrangements.13
Managing outsourced service provider performance
As a regulator is ultimately responsible for its regulatory performance, it is important that the regulator has
systems and procedures in place to provide management with assurance that outsourced regulatory
functions and activities are undertaken in accordance with performance standards set by the regulator,
and that the information provided to them in relation to these activities is accurate and timely.14
The contract should establish a performance and quality framework against which the performance
of the service provider can be formally assessed during the contract period. Assigning a senior officer
from within the regulator to oversee the delivery of services will assist in providing management
with assurance that the required standards are being met and high-quality regulatory services are
being provided.
13 ANAO, Better Practice Guide, Developing and Managing Contracts—Getting the Right Outcome, Achieving Value for
Money, Canberra, February 2012.
14 Where a regulator chooses to procure the services of a third party to assist with the delivery of regulatory functions, the
regulator is required to comply with the Australian Government’s Commonwealth Procurement Rules July 2012, released
by the Department of Finance.
Key considerations—managing regulatory capability
• Periodically review training, retention and recruitment programs to make certain that
they focus on developing and maintaining competencies that are essential for effective
regulatory administration.
• Manage outsourced regulatory activities in accordance with better practice contract
management principles and practices.
• Periodically assess performance of the service provider against performance and quality
indicators during the contract period.
• Assign a senior officer from within the regulator to oversee the delivery of outsourced functions
or activities to provide assurance that the required standards are being met and high-quality
regulatory services are being provided.
2.7 Measuring, reporting and evaluating regulatory performance
Central to a regulator’s operational effectiveness is a sound performance management framework.
The framework not only facilitates effective internal management of the agency, but also enables
the regulator to demonstrate to stakeholders that its operations conform to legislative requirements,
are cost-effective and are achieving the desired regulatory outcomes.
Well-documented and carefully-structured management systems and procedures provide a regulator
with the tools to define regulatory outcomes and administrative priorities, and measure and report
on performance.
Measuring and reporting performance
The Australian Government’s performance measurement and reporting framework requires regulators
to measure, monitor and report on their performance. Performance information systems should be
designed to inform internal and external stakeholders about the performance of agencies’ activities
including whether the regulation is achieving the Australian Government’s stated policy objectives, the
costs associated with administering the regulation and the cost of compliance for regulated entities.
This is generally achieved through agencies’ annual reporting to the Parliament, or through additional
reporting requirements identified in Ministers’ letters or statements of expectation.
Internally, access to and analysis of key management information, such as workload statistics and
costing targets, facilitates day-to-day operational and resource management. While identifying
measures of regulatory effectiveness is particularly challenging for many regulators, it is important that
effectiveness and efficiency indicators are defined, measured and reported for internal management
and external accountability purposes. This is particularly important where regulators are operating in a
cost recovery environment.
In addition to reporting externally on performance through an annual report to the Parliament, regulators
may also find benefit in publishing performance information more frequently on their websites. Regularly
monitoring and reporting against established benchmarks for routine business processes may assist
in managing stakeholders’ expectations in relation to the regulatory process and aid management in
monitoring and assessing operational performance.
Encouraging the participation of stakeholders in the regulatory process, through consultation and
feedback, can assist a regulator in understanding whether an appropriate balance is being achieved in
relation to risk, the underlying regulatory burden, and the efficiency and effectiveness of the regulatory
regime. A mechanism that regulators may find valuable for this purpose is the Ministerial Advisory
Councils that have been established for each Cabinet Minister. These are a consultation mechanism
comprising representatives from business, the not-for-profit sector and other industry stakeholders.
Evaluating the effectiveness of regulation
While the Australian Government may mandate particular review approaches, regulation should also
be periodically reviewed to confirm that it is meeting the Government’s policy objectives and expected
outcomes, and is not imposing unnecessary costs on regulated entities and indirectly the community.
In reviewing and evaluating regulatory regimes, regulators can identify areas where improvements can
be made. Incorporating such review activities into normal management practice can assist a regulator
in maintaining the currency, efficiency and effectiveness of the regulatory regime. Such reviews should
consider the effectiveness of the regulation being administered and the efficiency and effectiveness
of the agency’s regulatory administration. Specific areas of focus should be whether the regulation is
achieving the Australian Government’s stated policy objectives, the cost of compliance for regulated
entities, the costs associated with administering the regulation, and whether the same outcomes could
be achieved through other policy measures. Review and evaluation activities can also identify areas
where the performance of regulators can be improved. It is also important to give consideration to the
interaction of regulation with related government initiatives that contribute to the same objectives.
Particular attention is being given by the Australian Government to reducing the regulatory burden
for business and the community. This involves the audit of the existing stock of regulation with the
aim of quantifying the regulatory burden and reducing the quantum of regulation and red tape.
A whole‑of‑government framework for assessing regulator performance has also been developed by the
Productivity Commission. This framework provides a useful approach for regulators in assessing their
own performance, and is expected to guide future administrative arrangements and regulatory practice.
Key considerations—measuring, reporting and reviewing regulatory performance
• Define relevant effectiveness and efficiency indicators to support reporting for internal
management and external accountability purposes.
• Undertake periodic reviews to consider the effectiveness of the regulation being administered
and the efficiency and effectiveness of the agency’s regulatory administration.
• Draw on stakeholder views to understand their expectations about the effectiveness of the
regulatory regime, whether an appropriate balance is being achieved in relation to risk, the
underlying regulatory burden, and the efficiency and effectiveness of the regulatory regime.
2.8 Additional reference and guidance material
The Australian Government Guide to Regulation available from the Cutting Red Tape website
<http://www.cuttingredtape.gov.au> discusses the processes supporting consideration of the need
for regulation and requirements to be met where regulation is proposed to government as a policy
response to a social, economic or environmental risk.
A comprehensive overview of management issues impacting on regulators is provided in two OECD
publications: Principles for the Governance of Regulators and Recommendation of the Council on
Regulatory Policy and Governance.
Two useful points of reference for regulators are:
• Malcolm Sparrow, The Regulatory Craft: Controlling Risks, Solving Problems, and Managing
Compliance, Brookings Institution Press, Washington DC, 2000; and
• Malcolm Sparrow, The Characters of Harm, Cambridge University Press, Cambridge, 2008.
The Productivity Commission’s Report—Regulator Engagement with Small Business, October 2013
discusses leading practices in regulator engagement; the report is available from <http://www.pc.gov.au>.
The Regulator Audit Framework developed by the Productivity Commission and available from
<http://www.pc.gov.au> provides guidance on assessing the performance and behaviour of regulators,
particularly in relation to compliance cost imposed on business and other regulated entities.
General guidance for establishing and implementing risk management processes is provided in
AS/NZS/ISO 3100:2009 risk management standard, published by Standards Australia and Standards
New Zealand.
Guidance on recordkeeping better practice is provided by the National Archives of Australia and is
available from <http://www.naa.gov.au>. For an overview of better practice records management also
refer to AS ISO 15489 records management standard and related Australian and international standards.
Guidance and further information about decision-making and documenting decisions can be
found at the Administrative Review Council’s website <http://www.arc.ag.gov.au>. Also see the
Australian Administrative Law Policy Guide available from the Attorney-General’s Department’s website
<http://www.ag.gov.au>.
Information about managing conflicts of interest can be found in the publication—Identifying and
managing conflicts of interest in the public sector, July 2009. The publication and related conflict
of interest toolkit is available from the Independent Commission Against Corruption’s website
<http://www.icac.nsw.gov.au>.
For guidance on internal review processes, see Administrative Review Council, REPORT TO THE
ATTORNEY-GENERAL, Internal Review of Agency Decision Making, Report No. 44—November 2000
available from the Administrative Review Council’s website <http://www.arc.ag.gov.au>.
Information about better practice complaints handling is available from the Commonwealth
Ombudsman’s website <http://www.ombudsman.gov.au>.
For further information on handling complaints also see the alternative dispute resolution section of the
Attorney-General’s Department website <http://www.ag.gov.au>.
Guidance on workforce planning and development can be found in the Australian Public Service
Commission, Workforce Planning Guide, available from <http://www.apsc.gov.au>.
The Commonwealth Procurement Rules released in July 2012, and available from the Department of
Finance website <http://www.finance.gov.au>, detail the policy framework supporting the procurement
of services by Australian Government agencies. Regulators, when procuring the services of a third party
to support regulatory activity, are required to comply.
The ANAO Better Practice Guide—Developing and Managing Contracts, February 2012, outlines better
practice approaches to developing and managing Australian Government contracts.
Guidance that may assist in developing performance measures and implementing a performance
reporting system is provided in ANAO Report No.28, 2012-13, The Australian Government Performance
Measurement and Reporting Framework—Pilot Project to Audit Key Performance Indicators and ANAO
Report No.21, 2013-14, Pilot Project to Audit Key Performance Indicators.
Part 2—Key regulatory activities
This part of the guide discusses key operational regulatory activities that are common to most Australian
Government regulators. This includes: registration, licensing and authorising entry; monitoring and
managing compliance with regulatory obligations; and responding to an adverse event and regulatory
failure. In undertaking these activities regulators need to bear in mind the expectations of the responsible
Minister and the Government’s regulatory policy position. In this respect, regulators are being increasingly
called upon to be accountable for their performance and the achievement of regulatory outcomes, while
at the same time minimising the regulatory burden on business and the community.
The chapter structure and topics discussed in this section are outlined below.
• Registration, licensing and authorising entry into a regulated industry or sector:
  • receiving an application;
  • assessing compliance against requirements;
  • decision-making process; and
  • recovering regulatory costs.
• Monitoring compliance:
  • developing a monitoring strategy;
  • implementing the strategy; and
  • evaluating the monitoring strategy and effectiveness of compliance activities.
• Managing non-compliance:
  • encouraging compliance;
  • addressing serious risks; and
  • remediation and monitoring an entity’s return to compliance.
• Responding to adverse events or regulatory failure:
  • event notification or identification;
  • understanding the risk;
  • response management; and
  • post-event evaluation.
3 Registration, licensing and authorising entry into a regulated industry or sector
Regulators may have responsibility for managing entry into a regulated industry or sector. By
managing registration, licensing and entry, regulators aim to minimise risks and enhance the
achievement of policy objectives by restricting entry where regulatory requirements are not met.
Registration, licensing or entry requirements are generally defined in legislation or subordinate
regulatory instruments and are a key part of regulatory regimes. This can range from business licensing
requirements through to authorising the entry of goods or persons into Australia. Registration, licensing
or entry can be contingent on an applicant obtaining a licence, certificate, accreditation or permit,
registering with the regulator, and/or meeting any costs associated with these processes.15 Entities that
hold an existing registration or licence may also be required to submit an annual return, pay an annual
fee, or meet specified reporting requirements for renewal of their registration or licence.
Key processes associated with the registration, licensing or entry of goods, services, people or entities
into a regulated industry or sector generally involve receiving an application, assessing compliance
with requirements and making a decision about the granting of registration, a licence or entry. This
chapter discusses each of the three components in the process.
3.1 Receiving an application
An effective application process facilitates the preparation and submission of applications in a timely
manner, at minimum cost to the applicant and regulator, and with all the information required for the
regulator to commence the assessment process. Applications should generally be able to be submitted
electronically and/or completed through an online interface with the regulator, recognising that in some
instances supporting documents may need to be sighted by the regulator or their agent. Application
forms and processes should be fit-for-purpose and proportionate to the requirements of the regulatory
regime. Only information that is necessary for the assessment of the application should be requested
from an applicant and regulators should consider whether the information, in whole or part, is available
from another government agency or department.
A regulator can assist an applicant to prepare an application by having:
• available, accessible, clear and comprehensive guidance material about the requirements of registration, licensing or entry, including how applications will be assessed, and ongoing compliance obligations;
• a well-designed application process; and
• open channels of communication.
15 The terms registration and licensing are used to describe the range of activities associated with managing entry into a
regulated industry or sector. This may include, but is not limited to, the issuing of a permit or operating certificate, or
authorising entry.
Accessible, clear and comprehensive guidance material
The transparency of the application process can be increased when guidance material describes the
application process for registration, licensing or entry; the responsibilities of the applicant and the
regulator; the decision-making process and timelines for key considerations in the assessment process
and likely costs that may be recovered by the regulator.
Guidance available to potential applicants should:
• be accessible, comprehensive and easily understood, and available in different formats to meet the needs of applicants;
• include details of the entry requirements, timeframes for assessment of applications and how an applicant’s eligibility for entry will be assessed;
• provide practical examples of the type of information required to be provided to support an application; and
• be regularly reviewed and updated to ensure it incorporates any changes to regulatory requirements and procedures for the processing of applications. This is particularly important where the application process may require supporting evidence to be gathered over an extended period.
A well-designed application process
A well-designed application process should be proportionate to the nature and complexity of the
regulatory regime and to the risk being mitigated. An application process should be designed to achieve
policy objectives, but should not create unnecessary barriers to entry. The burden placed on applicants
should be minimised, with application processes and associated data and other requirements limited
to information needed to support informed decision-making by the regulator. For example, a guided
online registration process supported by automated decision-making may be appropriate for low risk
activities where the information provided can be verified, or the regulator has a subsequent opportunity
to intervene. For more complex processes, where applicants are required to meet a broad range of
requirements or criteria, a suite of documents may be needed to clearly articulate registration, licensing
or entry requirements, and subsequent compliance obligations.
Open channels of communication
Open channels of communication between applicants and regulators can improve the efficiency of the
application process. Information exchange can be enhanced by a regulator:
• providing comprehensive and accessible information about the application and assessment process for registration, licensing or entry to regulated entities;
• providing an online help facility where an applicant can review frequently asked questions or make contact with the regulator;
• nominating a single point of contact through which information requests and responses are coordinated;
• providing feedback to applicants on their applications where mandatory requirements or criteria have not been met and indicating where improvements can be made; and
• where an application may involve activity over an extended period (months or years), communicating future changes to the application or assessment processes early, providing an applicant with sufficient time to respond to the changing requirements.
Key considerations—receiving an application
• Provide guidance to assist applicants in preparing and submitting applications for registration, licensing or entry.
• Registration, licensing or entry processes are streamlined where possible and proportionate to the nature and complexity of the regulatory regime.
3.2 Assessing compliance against requirements
It is important that any eligibility or assessment criteria are readily available to potential applicants, and
that applications are consistently assessed against the criteria. Generally, the first stage of the process
is a compliance assessment whereby the regulator determines whether the applicant meets mandatory
requirements and all required information has been provided. An online application process can assist
a regulator in determining whether an application meets the mandatory registration, licensing or entry
requirements. An applicant may be restricted from submitting an application for registration, licensing
or entry unless all of the necessary information is provided or if specified criteria have not been met.
Where an application is rejected, further information and/or assistance can be provided to the applicant
to assist them to comply with the prescribed requirements.
Subject to the nature of the regulatory regime, the approval process for registration, licensing or entry
may be able to be streamlined and an applicant can be quickly notified of the regulator’s decision.
However, more complex assessment processes may occur over an extended period and involve a
range of activities, such as desk-based reviews, expert panel assessments and onsite inspections. To
reduce the burden on applicants any proposed changes to the application or assessment process,
during this time, should be minimised and where they are proposed, be based on sound analysis. Any
changes need to be communicated to applicants well in advance and a transitional process may need
to be established where an application or assessment process has commenced.
Given the diversity of regulation operating in Australia, a registration, licensing or entry decision may
be based on an applicant meeting verifiable criteria. This could include age and country of origin in
relation to the issuing of a working holiday visa, through to an applicant meeting complex requirements
supported by scientific research and analysis.
In undertaking application assessments regulators can face a number of challenges requiring flexibility
in their approach. Challenges can include:
• a regulator not having had a long association with the applicant, and therefore not having a full appreciation of the applicant’s capacity and commitment to meet regulatory obligations;
• an applicant not having extensive experience in the industry or sector and not fully understanding the requirements of the regulatory regime;
• an applicant not having sufficient evidence to support an application for registration, licensing or entry. This can require a regulator to rely on qualitative data as opposed to quantitative information or soundly-based research, and/or require an applicant to undertake further research to verify claims made, imposing a significant burden on the applicant;
• an applicant lacks practical experience and operational data to support the claims made in the application due to not having previous experience in the industry or sector. As a result, the regulator may not be able to assess compliance with all regulatory requirements without first allowing an applicant to operate in the sector. In assessing applications for registration, licensing or entry, regulators need to balance risk and potential for harm to the community or economy against the objectives of the regulatory regime and benefit of approving an applicant’s registration, licence or entry; and
• the application assessment process can be resource intensive, but there is an expectation that the costs of assessment processes should be minimised particularly where costs are recovered from applicants. Regulators should aim to minimise these costs and the burden placed on applicants.
Subject to the complexity of the application process, completing registration, licensing or entry
assessments in stages may overcome some of these limitations. For particularly complex applications,
regulators may find benefit in having processes through which they can engage with applicants to help
them to understand the requirements of the regulatory regime before submitting an application.
Application assessment processes must be adequately documented to support accountability by the
regulator. This can involve the recording of the assessment outcomes against each of the requirements
or criteria and the conclusions reached. Incorporating internal quality control and review processes into
the assessment process can also support transparency and accountability, and help to ensure that
officers assessing applications have the required knowledge, skills and experience.
The Civil Aviation Safety Authority is the Australian Government aviation safety regulator which, among
other responsibilities, controls entry into Australia’s civil aviation industry. The issuing of an Air Operator’s
Certificate by the Civil Aviation Safety Authority under Section 27 of the Civil Aviation Act 1988 is one of
the most important and complex regulatory actions undertaken by the Civil Aviation Safety Authority.
The process is a key mechanism for managing entry into Australia’s commercial aviation industry.
An Air Operator’s Certificate is the instrument issued by the Civil Aviation Safety Authority authorising
an individual or, more usually, an organisation to conduct commercial aviation activities, namely regular
public transport, charter or aerial work operations. The processes involved in issuing an Air Operator’s
Certificate are discussed in the following case study.
Case study: Civil Aviation Safety Authority
Managing entry into Australia’s commercial aviation industry—issuing an
Air Operator’s Certificate under the Civil Aviation Act 1988
The Civil Aviation Safety Authority (CASA) informs applicants about their obligations and the
processes supporting the issuing of an Air Operator’s Certificate under the Civil Aviation Act
1988 through the publication of the Air Operator’s Certificate Process Manual and Handbook.
This provides CASA officers and industry with a national standard procedure for the processing
of an application for an Air Operator’s Certificate and any applications for variation, renewal or
cancellation of a Certificate.
As part of the assessment process, CASA must establish whether the applicant meets the
required safety and other related regulatory requirements and verify all the information provided
by the applicant. This can include, but is not limited to, assessing the:
• suitability of the organisation to safely conduct the activities;
• qualifications and competence of its personnel;
• facilities and aircraft to be used; and
• suitability of procedures and practices to control the organisation so that operations can be conducted safely.
CASA performs an initial administrative assessment of an application centrally and then assigns
an assessment team from the appropriate regional office to conduct a technical assessment.
The technical assessment process includes a technical documentation assessment of a number
of safety critical activities, followed by a verification process to ensure these activities conform to
the applicant’s operations manual and other regulatory requirements.
The verification process can include interviews of key personnel, as well as the conduct of proving
flights in aircraft to be operated and such other aircraft tests or demonstrations of procedures
as may be necessary to allow CASA to assess whether the applicant can safely conduct the
operations to be covered by the Air Operator’s Certificate for which the application has been made.
Once the assessment process is finalised, a recommendation is submitted by the relevant regional
manager to a central delegate for final review and, if all of the necessary criteria have been met,
the certificate is issued, subject to such standard and special conditions as may be necessary.
Key considerations—assessing compliance with registration, licensing or entry
requirements
• The assessment methodology is risk-based, taking account of the applicant’s level of experience in the regulated industry or sector.
• Internal quality control and review processes support the independent evaluation of entry decisions and verify that the supporting systems and processes are operating as intended, and that the officers assessing applications have the required knowledge, skills and experience to do so.
3.3 Decision-making process
Well-defined decision-making procedures help to ensure consistency, transparency and accountability
for registration, licensing or entry decisions. Achieving these outcomes is enhanced when steps in the
decision‑making process are documented and available and the assessment process is undertaken
consistent with the procedures specified.
To enhance transparency in the registration, licensing and entry approval process it is particularly
important for regulators to specify to potential applicants any powers they may have to impose special
conditions. Documenting examples of the type and timing of restrictions that may be applied can
provide potential applicants with important information that may influence their decisions to apply for
registration, licensing or entry.
Advising applicants of the outcomes of registration, licensing or entry decisions
Providing an applicant with a decision in writing, including the reasons for the decision, in response
to their application enhances transparency and accountability. A documented decision provides the
applicant with valuable information. For example, a successful business applicant, granted a conditional
licence, can identify changes to their processes and procedures that if improved would allow the entity to
enhance its compliance with the requirements of the regulatory regime. For an unsuccessful applicant,
documenting the reasons for the decision can assist in determining whether it is cost-effective to rectify
the identified shortfalls and/or to reapply for registration, a licence or entry.
Where an application for registration, licensing or entry is conditionally approved, any conditions should
be consistently applied, be able to be monitored and enforced by the regulator and be designed to
support the achievement of the Government’s policy objectives.
Decisions by regulators may be reviewable and regulators should advise applicants of this when
providing the details of their decision. Review processes are discussed in Part 1 of the guide.
Key considerations—decision-making process supporting registration, licensing
or entry assessment
• Entry approval decision-making procedures are fully documented and made available to applicants.
• Make potential applicants aware of a regulator’s capacity to impose conditions or restrictions through the granting of a conditional approval.
• Provide applicants with fully-documented decisions that state the reasons for the decision and any conditions imposed.
• Any conditions imposed are consistently applied, are able to be monitored and enforced and are designed to support the achievement of the Government’s policy objectives.
• Advise applicants of review options where a decision is reviewable.
3.4 Recovering regulatory costs16
Cost recovery involves charging regulated entities for some or all of the costs associated with a specific
regulatory activity. Registration, licensing or entry assessments are examples of some regulatory
processes where costs may be recovered. The Australian Government’s Cost Recovery Guidelines
set out when it may be appropriate to recover the costs of a government activity and how to seek
policy approval for cost recovery, and advise on the design, implementation and review of a cost
recovered activity.
Cost recovery charges can take the form of a:
• fee—a charge for specific goods, services and in certain circumstances, regulatory activity. This involves charging an entity a fee that is based solely on the cost of providing the specific good, service or regulatory activity. Cost recovery fees must have a clear and direct relationship to the cost of providing the activity; or
• levy—a form of tax imposed on an identified group or industry sector rather than a specific entity. A cost recovery levy differs from general taxation as it is ‘earmarked’ to be used for a specific government activity relating to the group or sector that has been charged. The revenue collected should be closely related to the cost of delivering the activity to the identified group or sector.
Implementing cost recovery arrangements
Approval to undertake cost recovery and the types of activities a regulator may fund through cost
recovery are decisions of the Australian Government. However, regulators implementing cost recovery
arrangements should aim to minimise costs to applicants or regulated entities.
For a regulator to be able to implement cost recovery arrangements, each cost recovered activity requires:
• specific policy approval by the Australian Government (for example, approval by the Cabinet);
• legal authority to charge both individuals and organisations a cost recovery fee or levy for the regulatory activity;
• a reasonably close relationship between expenses and costs recovered, so that the charge for an activity reflects the costs incurred in undertaking that activity; and
• appropriate documentation and reporting to support transparency of the activity.
Cost recovery across government activities is based on a set of principles which are designed to
ensure consistency in the approaches applied. The core principles are:
• efficiency—the activity being cost recovered should be delivered efficiently and meet its intended outcomes;
• transparency—the design, implementation and review of cost recovered activities should be transparent, in particular, the methodology used to calculate the charge should be documented and accessible to stakeholders and ideally should reflect the costs of undertaking individual activities; and
• stakeholder interaction—agencies engage with stakeholders throughout each stage of the cost recovery process. This includes during the initial design and policy approval stages, development of the cost recovery process, implementation and review.
16 This section draws on the Australian Government’s Cost Recovery Guidelines released by the Department of Finance in
2005. At the time of the release of this guide the guidelines were under review.
All cost recovery activities must be periodically reviewed.17 The reviews should be designed to allow a
regulator to:
• respond to changing conditions, such as the introduction of new products and changing community attitudes towards the level of acceptable risk;
• assess the appropriateness of existing fees and levies with the aim of minimising direct and indirect costs to individuals, business and the community; and
• effectively manage the cost-recovery model, minimising the need for major reviews, and mitigating the risk of undue stakeholder influence on the regulator.
Variations to an existing cost recovered activity require Ministerial or Cabinet approval, depending upon
the level of revenue expected to be raised.
Key considerations—recovering regulatory costs
• Periodically review cost recovery arrangements to ensure continued conformance with legal requirements and government directives contained in the Australian Government Cost Recovery Guidelines.
• Where costs are to be recovered from applicants or regulated entities, costs should be directly related to the services provided by the regulator.
• Recovery arrangements should be cost-effective and not impose excessive compliance costs on regulated entities.
17 In accordance with the Australian Government’s Cost Recovery Guidelines (2005), agencies recovering costs must review
cost recovery arrangements at least every five years. Reviews should consider the appropriateness of cost recovery, the
design of any cost recovery charges, cost recovery impacts and the adequacy of monitoring arrangements.
4 Monitoring compliance
A systematic, risk-based program of compliance review activities provides a regulator with a
cost‑effective approach to monitoring compliance, enables available resources to be targeted to
higher priority regulatory risks and to respond proactively to changing and emerging risks.
Regulators generally have a responsibility to give confidence to the Parliament, the Government and the
community, that individuals or entities choosing to participate in a regulated activity, industry or sector
are complying with their obligations and the potential for harm is minimised. The risk of non-compliance
by regulated entities should be actively monitored and analysed to understand the level and nature of
non-compliance. This information can inform decisions about where a regulator focuses its attention
and the strategies to be used to address non‑compliance.
4.1 Developing a monitoring strategy
Developing a monitoring strategy based on the assessment of risks can assist a regulator to give
confidence to key stakeholders that regulatory risks are being appropriately managed and that the level
of residual risk is acceptable. Understanding risk in the regulatory environment also supports regulators
in selecting the most appropriate compliance monitoring activities and to direct resources towards
the areas of higher risk, where maximum benefit can be achieved. A compliance monitoring strategy
should usefully describe the types of activities to be undertaken, the reasons for their selection, and the
frequency of the activities.
In developing compliance monitoring strategies, regulators also need to consider the form of the
regulatory regime. As discussed in Section 1.2, regulation can take many forms and subject to the nature
of the regulatory regime the role of the regulator in monitoring compliance can vary. A regulator may
have a limited compliance monitoring role in a self-regulation regime, while in an enforcement‑based
regime this would be a core activity for a regulator.
Types of activities
There are various types of monitoring activities, and selecting the optimal approach requires
balancing the benefits expected to be derived against the costs imposed on regulated entities.
Activities that provide early warning of potential or likely non-compliance allow a regulator to intervene
proactively to mitigate emerging risks. Such activities could include: analysing past compliance
behaviour, investigating unsolicited reports of non‑compliance (community tip-offs), monitoring the
reported performance of regulated entities, engaging with stakeholders, and analysing compliance
trends in the regulated industry or sector.
Matching the type of monitoring activity with the compliance behaviours and characteristics of
regulated entities can allow a regulator to tailor its approach. Low intensity monitoring activities may
be appropriate where the risk of non‑compliance and the potential for harm is low. However, higher
intensity activities may be necessary where the risk of non-compliance is high, or past behaviour
indicates that a regulated entity may be unwilling to voluntarily comply.
Data analysis can be used by regulators to monitor compliance and risk and identify trends or
behaviours which can be an indicator of non-compliance. Examining trends in available data may
identify deficiencies and concentrations of risks and can provide insights into the level of regulatory
compliance. This can assist regulators in tailoring their compliance monitoring activities to identify the
prevalence and nature of non-compliance by regulated entities.
Frequency of activities
Compliance monitoring activities can occur at the point when an activity or interaction with a regulator
takes place or at some later period. For example, people entering Australia are screened at the border
to minimise the risk of prohibited or illegal goods, materials or substances, which could cause significant
harm to the community or economy, entering Australia. Other regulatory compliance monitoring and
assessment activities may be undertaken following licensing, registration or entry to monitor whether
any associated conditions are being met, and be linked to the assessment of the level of risk posed by
an entity, past compliance behaviour and/or future events such as market pressures.
In determining the frequency of compliance monitoring activities regulators should consider the:
• nature of the regulatory regime and the risk of significant and serious harm to the community or economy;
• potential consequences of non-compliance and the likelihood of non-compliance by regulated entities;
• operating environment and opportunities to monitor regulatory compliance when interacting with regulated entities;
• regulated entities’ compliance history and willingness to comply; and
• likely deterrent effect of compliance monitoring activities.
As compliance monitoring activities place some level of a burden on regulated entities, the strategy’s
design should, where possible, be proportionate to the level of risk. A regulator can minimise the
burden for regulated entities by:
• linking the provision of information to the level of risk—requiring entities with a lower risk profile to provide less information or information less frequently;
• minimising the frequency of data collection and exploring whether the information may be available from another source, subject to privacy and other legislative requirements;
• only requesting from regulated entities information that is required to assist in monitoring risk and compliance; and
• monitoring the effectiveness of compliance activities in achieving regulatory compliance and using this information to guide future planning and activity.
Key considerations—developing a monitoring strategy
• Adopt and promote a risk-based approach to compliance monitoring.
• Monitoring activities to be undertaken and their frequency are identified in the compliance monitoring strategy.
• Take a flexible approach so that regulatory risks are systematically reviewed and when new or emerging risks are identified, the strategy is reviewed and adjusted, as necessary, so that regulatory outcomes can be achieved within defined residual risk parameters.
4.2 Implementing the strategy
A compliance monitoring strategy requires a regulator to develop and implement a schedule of planned
compliance monitoring activities. A compliance plan or strategy should incorporate a program of activities
for a specified period of time that may range from a month or quarter to several years depending on the
type and nature of risks being managed. In implementing the monitoring activities a regulator may use
a diverse range of interventions which are proportionate to the risk of non-compliance and regulated
entities’ behaviour.
As regulatory risks can change over time, a regulator’s planning processes should be sufficiently flexible
to respond to changing priorities. Effective regulators have the capacity to modify their compliance
monitoring strategies subject to the level of risk and potential harm to the community. The monitoring
strategy needs to respond to business-as-usual risks and provide flexibility for regulators to react to
sudden or unpredictable changes. When this occurs, an interim monitoring strategy may need to be
developed and implemented. The interim strategy would usually operate until either the regulatory
environment returns to normal or a new monitoring strategy is implemented. Regulators modifying their
regulatory posture, by increasing or decreasing monitoring activities proportionate to the level of risk,
can assist with resource allocation and management.
Planning compliance activities
Different approaches may be required for monitoring compliance, subject to the nature and design of
the regulatory regime. Detailed planning should guide the conduct of compliance monitoring activities
and provide key stakeholders with confidence that these activities are targeted and will capture the
evidence required to reliably assess the level of compliance by regulated entities.
The planning process supporting the conduct of compliance activities should identify the:
• period of time that regulated entities have been operating in the industry or sector and their compliance history;
• approach to be used to monitor and assess regulatory risk and compliance;
• potential data sources and other resources to be used to assist in monitoring and assessing compliance with regulatory requirements;
• proposed mix of activities to be used to address regulatory risks and non-compliance—such as education, monitoring, audit or investigation; and
• expected outcomes expressed as both short and longer term goals, for example, the number of warning notices issued as opposed to an increasing level of voluntary compliance measured over a predetermined period.
Information to be considered when planning activities can include:
• market conditions and the compliance behaviour of entities operating in the industry or sector;
• compliance history of regulated entities—information held by the regulator or other agencies where information sharing arrangements are in place;
• regulated entities’ performance since the last compliance assessment; and
• community and stakeholder feedback and perceptions.
The Department of the Environment has developed a structured approach to planning for compliance
activities. The following case study outlines the department’s approach in relation to the planning for
compliance activities undertaken in relation to the Fuel Quality Standards Act 2000.
Case study: Department of the Environment
Planning compliance activities under the Fuel Quality Standards Act 2000
When planning compliance activities the Department of the Environment fuel quality inspectors are
required to:
• search the department’s information holdings to identify regulated entities that have been the
subject of complaints, other agency referrals or previous investigation;
• prioritise the selection of regulated entities for site inspections based on identified indicators of
non‑compliance, emerging trends and risk;
• prepare a trip plan for a geographical area, allowing for targeted and random site selection,
including an assessment of workplace health and safety risks;
• attend fuel supply sites and assess compliance with fuel quality and information standards and
documentation requirements; and
• obtain fuel samples for on-site testing and transport to a National Association of Testing
Authorities accredited laboratory for analysis to determine if the fuel complies with the relevant
fuel quality standard.
In responding to suspected or detected breaches of the legislation, departmental officers:
• conduct an initial assessment to determine whether the matter can be addressed by monitoring
or compliance activities or whether enforcement action is necessary;
• aim to select a response that is appropriate, cost effective, proportionate and tailored to different
regulatory compliance scenarios, based on the degree of risk and the regulated entity’s individual
circumstances;
• establish a case for action and record the reasons for choosing a particular response; and
• decide if disclosure of information to other government agencies, for consumer protection or
taxation purposes or the making of a public announcement, is necessary.
The compliance process assists the regulated entity to understand the nature and extent of the
non-compliant behaviour and the resulting impact on air quality and human health, how similar
breaches can be avoided in the future, and that further breaches will not be tolerated and could
lead to enforcement action.
Key considerations—implementing the compliance monitoring strategy
• Build in flexibility so that unscheduled activities may be undertaken to address new regulatory
risks that emerge during implementation or changing risk priorities.
• Plan individual monitoring activities in sufficient detail to ensure they are addressing higher
priority regulatory risks or regulatory risks identified by the regulator which, if addressed, may
prevent or reduce overall levels of non-compliance.
4.3 Evaluating the monitoring strategy and effectiveness of compliance activities
A compliance monitoring plan is one of the key risk management tools for most regulators. It is
therefore important that the implementation of the plan is monitored to ensure the plan reflects regulatory
risk priorities, and achieves the desired level of compliance assurance. Monitoring and evaluating the
outcomes of the strategy can guide the allocation of the regulator’s limited resources and assist with
identifying activities and/or interventions that are not yielding the desired result. These activities can be
disbanded and the resources allocated to higher-value activities. Periodic evaluation can also inform
the development of the compliance strategy or plans for future years.
5 Managing non-compliance
There is no ‘one-size-fits-all’ approach to addressing non-compliance. It is generally accepted that
regulators need a range of response options that are proportionate to the risks presented by an
entity’s non-compliance.
The achievement of the Government’s economic, social or environmental policy objectives through the
administration of regulation will generally depend upon the level of compliance by regulated entities. To
secure regulated entities’ compliance, regulators should encourage regulated entities to comply with
regulatory requirements by providing advice and guidance that is readily accessible and in a form that
is appropriate for the intended audience. When a regulated entity fails to meet compliance obligations
(generally referred to as non‑compliance), a regulator should assess the extent of the non‑compliance
and the potential for harm, and initiate proportionate action to address the risks posed. The seriousness
of the non‑compliance and the regulated entity’s compliance history may influence the design of a
regulator’s response. Where a regulator has an ongoing relationship with a regulated entity, the aim is
to reduce and/or eliminate the risk of non‑compliance. However, in some instances, the public interest
may be best served by a regulator revoking an entity’s permission to operate and the entity exiting the
regulated industry or sector. This chapter discusses how regulators can:
• encourage regulated entities to comply with regulatory requirements;
• address serious risks arising from non-compliance by regulated entities; and
• manage non-compliant entities’ return to compliance.
5.1 Encouraging compliance
Flexibility in responding to non-compliance enables a regulator to design and implement a response
that is targeted at the highest priority risks posed by the non-compliance. This approach is likely to
achieve desired regulatory outcomes at administrative costs to the regulator and compliance costs on
the regulated entity commensurate with the risk of the non-compliance.
In addition, flexibility when addressing non-compliance enables the response to:
• be proportionate to the risks posed by the non-compliance;
• recognise the capacity and motivation of the non-compliant entity to return to compliance; and
• signal the seriousness with which the regulator views the non-compliance.
Figure 5.1 describes a set of graduated responses a regulator may use to address non-compliance.
The diagram shows a hierarchy of responses and suggests a pattern of using lower level responses
to address most instances of non-compliance, while reserving more punitive measures for serious
non‑compliance or for when lower level responses fail to achieve the desired regulatory outcomes.
Figure 5.1: Graduated response to non-compliance
Source: ANAO. Based on the enforcement pyramid in Ian Ayres and John Braithwaite, Responsive Regulation: Transcending
the Deregulation Debate, Oxford University Press, New York, 1992, p. 35.
Regulatory compliance management responses can range from encouragement, such as education
and training, to sanctions, such as the revocation of a licence. Regulators may also choose to invoke
their regulatory powers to instigate criminal proceedings or civil action when the circumstances of the
non-compliance warrant such action.
Graduated responses allow the regulator to either escalate action if an entity does not respond
appropriately to the initial regulatory action or reward an entity for improved performance by moving
down the hierarchy.
By selecting an initial regulatory response from the lower levels of the enforcement pyramid, the threat
of escalation may provide sufficient inducement for compliance at lower cost (to the regulator and the
entity) than if a more punitive sanction were initially imposed.
One approach to encouraging regulated entities to voluntarily comply is to publish the range of
responses to non‑compliance. A regulator should have a clear position or regulatory posture which is
communicated to relevant stakeholders and regulated entities.
Clearly defining operational procedures and the circumstances that would trigger an escalation:
• encourages voluntary compliance by regulated entities;
• enhances transparency of the compliance process;
• improves efficiency and consistency of decision-making; and
• provides confidence to management, regulated entities, the community and other stakeholders that
the decision to take action and the action is proportionate to the circumstances and consistent with
legislative requirements.
As the level of compliance intervention for a regulated entity increases or decreases, the decision
and the reasons for the decision should be documented. A regulated entity should also be advised of
the outcomes of a regulator’s compliance monitoring actions and be provided with an opportunity to
contest the outcomes where they may adversely affect the entity.
Key considerations—encouraging compliance
• Develop a set of relevant graduated responses to address non-compliance.
• Develop and communicate criteria to assist decision-makers in designing a regulatory
response that is consistent and proportionate to the risks posed by the non-compliance.
5.2 Addressing serious risks
The nature and extent of a regulator’s response to non-compliance is influenced by an assessment of the
risks posed and the potential harm that could arise from an entity’s non-compliance. The assessment
may result in the regulator deciding to impose a sanction, such as revoking an entity’s permission to
operate. In cases where the regulator determines that such action is not appropriate, alternate methods
for addressing the risks posed by the non-compliance must be considered. Serious and imminent risks
require immediate regulatory action; this action may be of an administrative or punitive nature.
The relationship between a regulator’s response to non-compliance and the consequences of the
non‑compliance is depicted in Figure 5.2.
Figure 5.2: Regulatory response to non-compliance
Immediate regulatory action
Factors influencing the decision to take immediate regulatory action can include:
• an adverse effect on community safety and/or the potential for harm;
• the potential consequences of the non-compliance and the likelihood that the consequences will occur;
• the extent to which the consequences, if they were to occur, would seriously threaten the sustainability
of the regulatory regime;
• the potential economic and social cost of the non-compliance; and
• Australia’s obligations under relevant international agreements or treaties.
Based on an assessment of these factors, a regulator may decide to:
• not take immediate action or take no further action because the risks are not significant and can
be managed by other means;
• work with the regulated entity to increase their awareness of regulatory requirements and encourage
voluntary compliance;
• take immediate action, which may include proposing changes to the supporting policy framework
and supporting legislative arrangements, and/or the imposition of a penalty or sanction, such as the
temporary suspension of an entity’s licence;
• initiate a formal investigation to support subsequent civil or criminal legal proceedings; and
• assess further the nature and extent of the non-compliance to inform future regulatory action.
When responding to non-compliance, the options available to the regulator may also be guided by
the supporting legislation and likely public concern about the seriousness of the non-compliance
or potential for harm. Other factors which may be considered in deciding an appropriate regulatory
response can include:
• the time elapsed since the non-compliant behaviour and a regulated entity’s more recent
compliance history;
• the deterrent or preventive value of a specific regulatory response;
• whether the proposed regulatory response will promote compliance, and engender confidence in
the regulator;
• the level of intent and whether the non-compliance was intentional, negligent or resulted from a lack
of understanding of regulatory and legislative requirements;
• the likelihood of the non-compliant behaviour continuing or being repeated;
• whether the non-compliant behaviour was disclosed by the regulated entity;
• the level of cooperation provided by the regulated entity in addressing the non-compliant behaviour; and
• the costs and benefits of different regulatory responses.
Characteristics of regulatory responses to non-compliance
When deciding on the manner in which serious regulatory risks will be addressed, a regulator should
act decisively, in a timely way and with a response which is proportionate to the risk and lawful.
Timely response
Once non-compliance is found, the decision to act must be made quickly and the response implemented
without delay. This is particularly important where significant adverse economic or social outcomes
may occur, such as death or serious injury, if the non-compliance is not addressed.
Proportionate response
Regulatory action that is proportionate to the regulatory risks posed by non-compliance has benefits for
the regulator and the non-compliant regulated entity. A proportionate response minimises the:
• amount of regulatory intervention needed to effectively mitigate the risks; and
• costs of the regulatory action to the regulator (enforcement costs) and to the regulated entity (business
costs).
Aligning the level of a regulatory response to the regulatory risks is most effective when the response can
be targeted at the non-compliance. How a regulator responds to non-compliance may also be guided by
an entity’s past compliance history. For example, a regulator may adopt a different regulatory posture with
an entity displaying persistent non-compliant behaviour to an entity that has made a mistake, but has no
past history of non-compliance or which is new to the sector and may not clearly understand its obligations.
Lawful response
In all instances of identified non-compliance regulators are required to decide on a course of action, even
if this is to take no further action in relation to a particular instance. The actions of regulators must be
lawful and defensible. In deciding on a response to non-compliance, regulators must record the response
chosen and the reasons for the response.
Unlawful regulatory action undermines public confidence in the regulator, can encourage regulated
entities to test the regulatory requirements and could result in a legal challenge. Such challenges
compromise a regulator’s ability to effectively mitigate risks posed by non-compliance. They also
increase the costs of the regulatory action for both the regulator and the regulated entity.
The Australian Fisheries Management Authority uses a targeted risk-based compliance and enforcement
approach to oversee licensed fishing boats operating in the Australian Fishing Zone and Australian
Government managed fisheries. The Australian Fisheries Management Authority’s compliance activities
are designed to encourage voluntary compliance.
Australian Government policy supporting compliance enforcement actions
When managing regulatory compliance, a regulator may need to comply with various legislative and
policy requirements. These include, in particular, Australian Government requirements relating to
procedural fairness, the use of coercive information gathering powers and the conduct of formal
investigations that may result in judicial proceedings against an entity.
Procedural fairness
When implementing regulatory compliance activities and making decisions, a regulator must have
regard to procedural fairness obligations. When making a decision about how to proceed, the
decision‑maker should apply a fair and proper process, particularly when the decision could negatively
affect a regulated entity. Some examples of decisions to which procedural fairness could apply include:
• denying or varying the right of access to a regulated industry or sector;
• imposing on a regulated entity a penalty or sanction; and
• publishing information about a regulated entity that may potentially damage its reputation.
Case study: Australian Fisheries Management Authority
Compliance approaches
The Australian Fisheries Management Authority (AFMA) uses a targeted, risk-based compliance
and enforcement program to encourage voluntary compliance and deter non-compliance
by licensed fishing boats operating in the Australian Fishing Zone and Australian Government
managed fisheries. A range of measures are used, including:
• education and awareness activities;
• general deterrence inspections program;
• electronic satellite based vessel monitoring system; and
• compliance risk management teams.
Education and awareness activities that are undertaken as part of ongoing compliance activities
can take various forms including media releases, articles for industry journals, letters, SMS
messages, alerts to industry participants, and presentations at conferences and training programs.
AFMA also uses a rolling program of general deterrence inspections. AFMA advised that it uses
a targeted approach based on intelligence and risk assessment. Each inspection targets a
geographic area, which may include a number of ports and fisheries. Over time AFMA is placing
less reliance on in‐field inspection activity as a mechanism to detect and deter illegal activity, but
some field inspection activity is being maintained in order to sustain a general deterrence presence.
Satellite based vessel monitoring systems are used to track the movement of vessels and to monitor
compliance with restrictions on areas closed to fishing. Licence holders are only permitted to
undertake fishing activities if they have an operational vessel monitoring system. This technology
allows AFMA to remotely monitor fishing activities in a cost-effective way and to efficiently target
compliance resources.
AFMA forms Compliance Risk Management Teams in response to specific identified risks. The
risk treatment strategies are customised to the nature of the risk, but may include data-matching,
covert and overt surveillance, intelligence gathering and investigations.
Detailed information on AFMA’s compliance program can be found at <http://www.afma.gov.au>.
The program is also discussed in ANAO Report No.20 2012–13, Administration of the Domestic
Fishing Compliance Program.
Coercive powers
Coercive powers are statutory powers conferred on government agencies to enable them to obtain
information in support of the performance of their functions. These powers can include the right to enter
premises, right to seize goods, requiring an individual to provide information or documents, or requiring
an individual to provide information orally under oath or affirmation.
Acts of the Parliament that impose regulatory compliance responsibilities generally authorise the use
of coercive powers, largely for information gathering. Coercive powers should be used judiciously and
only by officers who are properly trained and authorised.
The use of coercive information-gathering powers may be subject to reporting and review processes
to prevent their inappropriate use. The Administrative Review Council’s Report no. 48—May 2008, The
Coercive Information‑Gathering Powers of Government Agencies, contains a set of 20 best practice
principles governing the exercising of coercive information gathering powers.
Commonwealth fraud control requirements
Managing fraud risks is a responsibility of all persons employed by the Australian Government. Fraud
may also be referred to as serious non‑compliance. One of the challenges for agencies is to accurately
identify fraud. Non‑compliance may arise due to a lack of understanding or awareness of obligations,
carelessness or error, rather than intentional or deliberate non-compliance.
When undertaking investigations, regulators need to have strategies, systems and processes in
place to identify potential fraud and to respond to fraud-related matters appropriately. This obligation
includes investigating fraud and taking appropriate corrective actions to remedy the harm. Where an
investigation or other compliance activity is commenced, which may be subsequently used to support
judicial proceedings, the Australian Government Investigations Standards may also apply.
A regulator may choose to proceed with a criminal prosecution where the nature of the non‑compliance
is of a serious or recurrent nature, and when taking such action is in the public interest. If evidence of fraud
cannot be established to support a criminal prosecution, it may be appropriate for a regulator to explore
other options, including administrative sanctions or penalties, allowed under the supporting legislation.
Prosecution Policy of the Commonwealth
The Prosecution Policy of the Commonwealth applies only to criminal proceedings brought by the
Australian Government and promotes consistency in the making of decisions in relation to the conduct
of prosecutions. The decision to proceed with a prosecution is to be made by an independent person
who has not been responsible for investigating the identified non‑compliance.
The policy recognises that Australian Government resources are limited and sets out guidelines for
determining whether it is appropriate to initiate or continue a prosecution. Agencies should consider
prosecution as an option for addressing serious non-compliance, as prosecutions can build community
confidence in the regulatory regime and act as a deterrent to non-compliant regulated entities.
Documented decisions
As discussed in Chapter 2—Managing regulatory performance, documenting regulatory decisions
assists in ensuring transparency and accountability of the regulatory regime.
All regulatory compliance decisions, along with the reasons for the decisions and the evidence relied
upon in reaching the decisions, should be documented. As many administrative decisions are reviewable,
maintaining accurate records of decisions made in exercising regulatory functions and powers is
essential, particularly where a decision made by a regulator may be challenged at a later stage.
Evaluating compliance outcomes
A key aspect of addressing non-compliance by regulated entities is the review and assessment of
compliance outcomes. This may include the outcomes of compliance activities and changes in regulated
entities’ behaviour measured over time. Using this data to understand the extent of non‑compliance of
regulated entities and the impact of different compliance strategies, can guide planning for and the
conduct of future compliance activities.
Key considerations—addressing serious risk
• Provide clear guidance on the steps that must be taken to assess the risks posed by
non‑compliance and to determine whether immediate regulatory action is needed to control
the most serious threats.
• Define procedures for responding to non-compliance and train officers in their application.
5.3 Remediation and monitoring an entity’s return to compliance
In some situations, where non-compliance is identified, a regulator may wish to establish a monitoring
strategy to guide its future compliance activities and confirm that the risk posed by the non-compliant
behaviour is managed appropriately and mitigated. Monitoring activities should be proportionate to the
risk of non-compliance continuing and provide a level of assurance that the risk has been addressed,
while not imposing unnecessary costs on the regulated entity.
Monitoring activities may include:
• self-assessment by the regulated entity with ad-hoc verification by the regulator;
• conducting desk-audits of progress reports submitted by the entity;
• reviewing evidence of completed remedial action submitted by the entity, such as photographs and
invoices for work completed;
• conducting on-site inspections and audits;
• reviewing assessments conducted by other regulators; and
• monitoring community and stakeholder feedback.
The cost effectiveness of each type of activity and the cost to regulated entities should be considered
when deciding the most appropriate monitoring strategy.
Key considerations—remediation and monitoring an entity’s return to compliance
• Fully document all regulatory decisions taken when addressing non-compliance.
• Apply an approved monitoring strategy to guide future compliance activities by the regulator
and to confirm that the risk posed by non-compliance is managed appropriately and mitigated
accordingly.
6 Responding to adverse events or regulatory failure
Events occur that can result in regulatory policy objectives not being achieved, or pose a serious
threat to their achievement. When an adverse event occurs, a regulator needs to act to minimise the
harm caused and mitigate the increased risks the event poses to achieving regulatory objectives.
One of the key challenges for regulators, particularly regulators applying a risk-based approach, is
that some level of residual risk and the potential for regulatory failure will remain within the regulatory
regime. Regulators have to assess risk and make decisions about how to apply their resources to
minimise the potential for harm. However, despite their efforts, events can occur that cause or have the
potential to cause harm to the community or economy. These events are principally triggered by either
non-compliance with regulatory requirements by a regulated entity or a failure of the regulatory regime.
Examples of such events are:
• foreign objects identified in processed food;
• environmental damage resulting from higher than approved levels of active ingredient in an
agricultural chemical; and
• unexpected medical reactions to an approved therapeutic good.
These types of events are referred to as adverse events. Irrespective of the cause of an adverse event
or when an adverse event occurs, a regulator must act quickly and decide the best course of action
to minimise the potential for harm and to maintain the integrity of the regulatory regime. Responses
to an adverse event may include a crisis management response, a response of a regulatory nature, a
change to a regulator’s administrative practice, or a change to government policy and the associated
supporting legislative and regulatory instrument. Responding to an adverse event involves consideration
of the steps outlined in Figure 6.1.
Figure 6.1: Responding to an adverse event
Event notification or identification
A regulator is notified of the occurrence of an adverse event or identifies an event
that has the potential to cause harm to the community or economy.
Understanding the risk
The risk posed by the event is examined to understand its cause and consequence,
and to identify the entities affected.
Response management
Possible responses to the adverse event are identified and evaluated,
a response plan is developed and implemented.
Post-event evaluation
A systematic and structured assessment of the effectiveness of a regulator’s
arrangements for responding to an adverse event.
6.1 Event notification or identification
To respond to an adverse event a regulator requires timely and relevant information about the event,
including the extent of the threat and the potential for harm to the community. Notification procedures
assist a regulator to gather the necessary and relevant information; in some instances the reporting of
information of this nature is a legislative requirement. Educating regulated entities about the need to
notify a regulator of an adverse event, how to notify them, the applicable timeframe for notification and
what information is required, increases the likelihood that events will be reported when they occur. In
addition to formal notification processes, regulators may benefit from engaging with other stakeholders,
including members of the community and regulated entities, to support the early identification and
reporting of risks or the occurrence of an event which could have an adverse outcome.
Effective notification processes have the following characteristics:
• information about how to report an adverse event is easily accessible and should outline the types
of events that must be reported, the timeframes for the reporting of an event, the process for
reporting, and regulated entities’ obligations;
• information can be reported by various means, but the approaches should support a timely response
by the regulator. Proforma templates and online reporting may assist the regulator in collecting the
necessary information to understand and respond to an adverse event; and
• well defined contact points—the regulator may have several channels for the reporting of an adverse
event, but the information is directed to a single point of contact or work area responsible for
coordination of the regulator’s response and dissemination of information to relevant parties as soon
as possible after it is received.
In addition to formal notification processes, regulators may identify potential threats by scanning the
media and monitoring regulatory activity in other jurisdictions.18 The media and regulatory agencies
in other jurisdictions can be a useful source of information for regulators. A potential threat may
be identified through reporting in the media or by notification from a regulator operating in another
jurisdiction, prior to a regulator receiving formal notification of an adverse event. While informal sources
of information, these mechanisms can provide a regulator with an early warning about the emergence
of risk, a potential threat or an adverse event. This can assist the regulator in responding quickly.
Key considerations—adverse event notification
• Information about how to report an adverse event is easily accessible and outlines the types
of events that must be reported, the process for reporting, and regulated entities’ obligations.
• There is a clearly-defined and known single point of contact or work area responsible for
coordinating a regulator’s response and disseminating information to relevant parties as soon
as possible after it is received.
18 The term media is used to refer to all forms of media, including print, television, online formats and social media.
6.2 Understanding the risk
An adverse event occurs where a risk is realised that a regulatory regime was designed to prevent.
Understanding the conditions that led to the risk being realised is critical to responding to the risk in
a measured way. Regulators need to also understand the impact of the risk and identify stakeholders
who may be affected.
Identifying the causes of an adverse event is one of the first steps in responding with the aim of
preventing further harm to the community and minimising the likelihood of its recurrence. An adverse
event may be the result of non-compliance by a regulated entity and/or a failure of the regulatory
regime. Understanding the specific cause of the event can assist the regulator in determining the most
appropriate and immediate response. A regulator’s response in the first instance should focus on
minimising harm to the community.
To effectively respond to an adverse event, regulators also need to understand who or which entities
are affected by the event, and in what way. This knowledge can assist regulators in customising their
response to an adverse event to effectively minimise or reduce the potential for harm.
To develop a sound understanding of the cause of an adverse event a regulator may commence an
investigation of the event with the aim of better understanding how the event occurred, whether the
event was preventable and determining appropriate action to avert its recurrence. Having identified the
underlying risk, regulators can then determine key risk indicators that may provide early warning about
the possible repetition of the adverse event or changes in the level of risk. This information can then
be used to guide future compliance monitoring and can assist a regulator in varying their response in
proportion to the level of risk.
6.3 Response management
A regulator’s role in responding to an adverse event may be defined in legislation or otherwise authorised
by government. A regulator’s response will generally be based on the extent to which the event
may cause harm, threatens the achievement of regulatory objectives and/or diminishes confidence in
the regulator.
For an adverse event assessed as minor, a regulator’s normal administrative processes may be sufficient
to manage the threats. However, where an event has caused, or has the potential to cause, considerable
harm or significantly undermine the community’s confidence in the regulatory regime, the regulator is
likely to need to deliver a tailored response. A regulator’s response to an adverse event should be
well coordinated and planned to protect the community and prevent unintended consequences. In
relation to a major event, the regulator will generally be expected to bring the matter to the attention of
government, through the responsible Minister or other appropriate channels.
Documented approach
Well-documented response management procedures can assist a regulator to activate its response
management system quickly and efficiently. The regulator can take action in a coordinated manner
to minimise and, if possible, remove the threat arising from an adverse event, engage with key
stakeholders, and communicate effectively with individuals and entities affected, or likely to be affected,
by the adverse event.
Regulators should have well-documented adverse event response procedures, which cover both
low risk activities and higher risk incidents that can have an immediate and significant impact on the
community. These procedures should be up to date, readily available, and endorsed by the agencies
involved in providing response management. Endorsement by all agencies involved is particularly
useful where multiple agencies may be involved in responding to an event. Such an approach helps to
clarify agencies’ roles and responsibilities and promotes accountability for their actions. It also gives
confidence to stakeholders, and particularly those who may be directly affected by the event, that the
planned response is designed to successfully minimise the threat.
The early involvement of relevant agencies in response management planning, in the case of an adverse
event, can assist with identifying available resources and capability. It also provides the regulator with an
opportunity to establish a response management network that can be used for the timely distribution
of information.
Incorporating a communications strategy into response management procedures provides a regulator
with a framework to support systematic and coordinated engagement and communication with
stakeholders. The procedures can outline: known stakeholders; how to identify affected parties; the
types of information, advice and warnings which should be disseminated; the delivery methods to
be used; and when the information should be disseminated. A communication strategy can help a
regulator to ensure that stakeholders are receiving the information they need at the right time, whether
this be people or entities directly affected by the adverse event, decision-makers or other parties.
Clearly defined decision-making processes
An effective response to an adverse event is timely, proportionate and targets the harm that may have
already been caused, and minimises the potential for further harm. The emergency nature of some
adverse events compresses decision-making timeframes. When this occurs, decision-makers need to
make sure that, to the extent practicable, pre-established procedures are followed to ensure that the
actions taken in response to an adverse event are designed to protect the community from harm and
are reasonable and lawful in the circumstances.
Normal decision-making procedures or timelines may be inappropriate for responding to adverse
events. As a result, special decision-making processes may need to be enacted where an adverse
event has an immediate impact on the community. These procedures must accord with legislative
requirements, and officers should be trained in their application. When making decisions in response
to an adverse event, it is particularly important to make sure:
• a balance is maintained between the need for timely regulatory action and affording appropriate due
process to the regulated entity (or entities) affected;
• the regulatory action is proportionate to the threat or potential for harm; and
• the rationale underpinning decisions is suitably documented, lawful and made in accordance with
established procedures and is in the public interest.
Proportionate and timely response
The nature and timing of a response to an adverse event can be influenced by the circumstances
surrounding the event. A regulator’s response needs to be timely and proportionate to the risk or
potential for harm. Where a threat poses an immediate risk or harm to the community, regulatory action,
such as restricting a regulated entity’s right to continue to operate in the manner that caused, or was
highly likely to have caused, the adverse event may be appropriate. In other instances, advising the
community of the treatment and actions to take to avoid exposure to the threat may be more appropriate.
Accordingly, the range of responses available to a regulator will vary and a regulator will need to use
judgement in choosing the most appropriate strategy and determining whether an immediate response
is required. Decisions made to support the actions taken by a regulator should be well-documented,
including the basis for the decision and subsequent actions.
Key considerations—response management
• A response to an adverse event focuses on protecting the community from harm.
• Adverse event response procedures should be up-to-date, readily available, and endorsed by
the agencies involved in providing response management.
• Adverse event communications strategies provide a framework to support systematic and
coordinated engagement and communication with stakeholders, ensuring that stakeholders
are receiving the information they need at the right time.
6.4 Post-event evaluation
Regulators have a responsibility to minimise the likelihood of adverse events occurring, and if they
do occur, to minimise the potential for harm to the community, economy and regulatory objectives.
Conducting a post-adverse event evaluation is integral to helping to reduce the likelihood of similar
events occurring in the future and improving a regulator’s response to an adverse event.
Understanding the causes of an adverse event can assist a regulator in responding in such a way to
prevent the event from reoccurring. Where an event was caused by non-compliance by a regulated
entity or entities, the regulator may:
• commence an investigation of the event with the aim of better understanding how the event occurred,
whether the event was preventable and determining appropriate subsequent action;
• increase regulatory oversight, for example, by placing restrictions on the entity’s operations or
increasing compliance monitoring activities;
• review the monitoring strategy and reporting requirements, particularly the frequency of compliance
assessments;
• engage with other regulated entities operating in the same industry or sector to raise awareness of
the underlying risk, treatment strategies and the consequences of non-compliance;
• impose a regulatory sanction or penalty; and
• decide to take no further action, as the regulator has already implemented measures to prevent the
recurrence of the event.
If the non-compliance resulted from poor administrative practices or regulatory failure, the regulator
must review its systems, processes and the regulatory framework and immediately implement changes
to address the deficiencies. This may include changing the way risks are assessed, reassessing the
acceptable level of residual risk, introducing new compliance monitoring strategies or seeking to amend
the supporting legislation or regulatory instruments.
Evaluating the performance of response management arrangements is also a key element of a
regulator’s approach to continuous improvement. A systematic and structured assessment of all
aspects of a regulator’s response management processes and the effectiveness of these arrangements
in managing an event’s actual and potential impacts provides the regulator with valuable feedback and
possible areas for improvement.
While the format and scope of an evaluation will be influenced by its potential costs and benefits,
the quality of an evaluation, and the extent to which the findings are accepted and acted upon, are
enhanced when:
• all entities that were involved in the adverse event response participate;
• the methodology gives confidence to stakeholders that the evaluation team has the capacity to act
independently and has the skills and experience to arrive at balanced and informed conclusions;
• a detailed report is produced and made available to relevant stakeholders; and
• evaluation findings are acted upon by the regulator and remedial action is taken to prevent the
recurrence of a similar event in the future.
Key considerations—post-event evaluation
• Evaluate the response to an adverse event to help reduce the likelihood of similar events
occurring in the future and improve a regulator’s response management.
Appendix 1
Summary of key considerations
Part 1—Managing regulatory performance
Defining regulatory outcomes and administrative priorities
Regulators and stakeholders should have a clear understanding of the objectives of the
regulatory regime.
A risk-based approach to regulatory administration
Promote a risk management culture that supports an integrated approach to the identification
and management of risk, while recognising that a level of residual risk will remain as the cost
associated with eliminating risk would in most cases be prohibitive.
Integrate risk management into strategy, planning, decision-making and other processes.
Assign responsibility for managing significant business risk to the most relevant senior manager
to reinforce the regulator’s risk management culture and emphasis on action.
Regularly monitor and review risks—this information can be shared across the regulator and used
to adapt or tailor risk management processes and effort according to the likelihood, consequences
and nature of risks identified.
Educate officers about a regulator’s risk management policies and procedures and make sure
officers are trained in their application.
Effective stakeholder relationships
Promote and value two-way engagement and communication with regulated entities.
Communicate information to stakeholders in an accessible format and consider the capacity of
the intended audience to effectively access and use the selected communication mechanisms.
Monitor and assess the outcomes of engagement activities.
Effective information management
Manage data in accordance with legislative and policy requirements.
Consider information access protocols to allow regulatory decision-makers timely access to
data holdings.
Transparency and accountability
Maintain a minimum standard of documentation for all regulatory decisions to support accountability
and transparency.
Disseminate to all staff details of the minimum standards to be applied in the recording and storing
of official information.
Develop and implement conflict of interest policies and supporting procedures.
Establish well-defined dispute handling processes to address circumstances where a disagreement
or dispute arises.
Provide mutual resolution approaches to disputes.
Regularly monitor complaint handling arrangements, the nature of complaints and the outcomes
of internal reviews to identify areas for improvement.
Managing regulatory capability
Periodically review training, retention and recruitment programs to make certain that they focus on
developing and maintaining competencies that are essential for effective regulatory administration.
Manage outsourced regulatory activities in accordance with better practice contract management
principles and practices.
Assign a senior officer from within the regulator to oversee the delivery of outsourced services to
provide assurance that the required standards are being met and high-quality regulatory services
are being provided.
Periodically assess performance of the service provider against performance and quality indicators
during the contract period.
Measuring, reporting and reviewing regulatory performance
Define relevant effectiveness and efficiency indicators to support reporting for internal management
and external accountability purposes.
Undertake periodic reviews to consider the effectiveness of the regulation being administered and
the efficiency and effectiveness of the agency’s regulatory administration.
Draw on stakeholder views to understand their expectations about the effectiveness of the
regulatory regime, whether an appropriate balance is being achieved in relation to risk, the
underlying regulatory burden, and the efficiency and effectiveness of the regulatory regime.
Part 2—Key regulatory activities
Receiving an application
Provide guidance to assist applicants in preparing and submitting applications for registration,
licensing or entry.
Registration, licensing or entry processes are streamlined where possible and proportionate to
the nature and complexity of the regulatory regime.
Assessing compliance with registration, licensing or entry requirements
The assessment methodology is risk-based, taking account of the applicant’s level of experience
in the regulated industry or sector.
Internal quality control and review processes support the independent evaluation of entry decisions
and verify that the supporting systems and processes are operating as intended, and that the
officers assessing applications have the required knowledge, skills and experience to do so.
Decision-making process supporting registration, licensing or entry assessment
Entry approval decision-making procedures are fully documented and made available to applicants.
Make potential applicants aware of a regulator’s capacity to impose conditions or restrictions
through the granting of a conditional approval.
Any conditions imposed are consistently applied, are able to be monitored and enforced and are
designed to support the achievement of the Government’s policy objectives.
Advise applicants of review options where a decision is reviewable.
Provide applicants with fully-documented decisions that state the reasons for the decision and
any conditions imposed.
Recovering regulatory costs
Periodically review cost recovery arrangements to ensure continued conformance with legal
requirements and government directives contained in the Australian Government Cost Recovery
Guidelines or other policy.
Where costs are to be recovered from applicants or regulated entities, costs should be directly
related to the services provided by the regulator.
Recovery arrangements should be cost-effective and not impose excessive compliance costs on
regulated entities.
Developing a monitoring strategy
Adopt and promote a risk-based approach to compliance monitoring.
Monitoring activities to be undertaken and their frequency are identified in the compliance
monitoring strategy.
Take a flexible approach so that regulatory risks are systematically reviewed and when new
or emerging risks are identified, the strategy is reviewed and adjusted, as necessary, so that
regulatory outcomes can be achieved within defined residual risk parameters.
Implementing the compliance monitoring strategy
Build in flexibility so that unscheduled activities may be undertaken to address new regulatory
risks that emerge during implementation or changing risk priorities.
Plan individual monitoring activities in sufficient detail to ensure they are addressing higher priority
regulatory risks or regulatory risks identified by the regulator which if addressed may prevent or
reduce overall levels of non-compliance.
Encouraging compliance
Develop a set of relevant graduated responses to address non-compliance.
Develop and communicate criteria to assist decision-makers in designing a regulatory response
that is consistent and proportionate to the risks posed by the non-compliance.
Addressing serious risk
Provide clear guidance on the steps that must be taken to assess the risks posed by
non‑compliance and to determine whether immediate regulatory action is needed to control
the most serious threats.
Define procedures for responding to non-compliance and train officers in their application.
Remediation and monitoring an entity’s return to compliance
Fully document all regulatory decisions taken when addressing non-compliance.
Apply an approved monitoring strategy to guide future compliance activities by the regulator and to
confirm that the risk posed by non-compliance is managed appropriately and mitigated accordingly.
Adverse event notification
Information about how to report an adverse event is easily accessible and outlines the types of
events that must be reported, the process for reporting, and regulated entities’ obligations.
There is a clearly-defined and known single point of contact or work area responsible for coordinating
a regulator’s response and disseminating information to relevant parties as soon as possible after
it is received.
Response management
A response to an adverse event focuses on protecting the community from harm.
Adverse event response procedures should be up-to-date, readily available, and endorsed by the
agencies involved in providing response management.
Adverse event communications strategies provide a framework to support systematic and
coordinated engagement and communication with stakeholders, ensuring that stakeholders are
receiving the information they need at the right time.
Post-event evaluation
Evaluate the response to an adverse event to help reduce the likelihood of similar events occurring
in the future and improve a regulator’s response management.