90754 Introducing a risk-based approach to regulate businesses How to build a risk matrix to classify enterprises or activities Adopting a risk-based approach can simplify key regulatory processes that govern business activities. This fundamental step involves moving On the other hand, risk is also not from inspections, licensing, and other regulatory tools that cover all identical to the level of hazard, that business uniformly to an approach that tailors the instruments used for is, the potential severity of the regulation and control based on the level of risk. The higher the potential consequences only: if an event is very unlikely, even if potential risk posed by a specific business activity, the stricter the control and the consequences are dire, the overall greater the need for licensing or permitting and more frequent risk level may not be considered inspections. For low-risk activities, a license or permit should generally extremely high. not be required, and inspections should be rare. Having a proper An adequate understanding and definition of risk is to define it, in line methodology and tools to classify enterprises or activities according to with best practice and research risk is thus particularly important. Risk matrices are the primary way used findings, as the product of to conduct this sort of classification. “magnitude” (which itself is the combination of the severity of the effect and of the numbers potentially Classification of activities or Understanding and defining affected) and “likelihood”: businesses based on their risk level “risk” in the right way is at the core of many reforms in the Risk should be understood here as Risk level = Magnitude x business regulation practice area. the combination of the likelihood of Probability Determining which businesses will an adverse event (hazard, harm) be required to obtain a prior permit occurring, and of the potential or license before starting operation In the next sections of this note, we magnitude of the damage caused requires classifying them according will present more in detail how such (itself combining number of people to risk. Likewise, reforming business assessment and classification work affected, and severity of the damage inspections by targeting inspection at the level of a given for each). visits according to the risk level “establishment”, i.e. a given outlet or requires such a classification. The It is important that risk not be premise (not necessarily an entire usual form this takes is a matrix. wrongly understood as only the business, as an enterprise may have probability of some violation or several physical locations). The While the format of such a matrix is problem taking place – indeed, in examples will focus on technical relatively simple – one axis some types of establishments, safety inspections, which is the least representing severity, the other certain violations may be frequent covered by existing publications. probability – there is often some (highly likely), but have very little (if confusion as to how these should be any) adverse effects. defined. Investment Climate l World Bank Group 1 risk: 55. The level of risk associated with a particular business is determined by applying the LOC factor to the level of hazard. Application of the LOC factor may cause the level of risk to increase, decrease, or remain the same as the level of hazard – see Table 3 below. Table 3: Risk Categories: FIGURE 1. EXAMPLE OF A RISK-BASED MATRIX Likelihood of Compliance Very high High Medium Low Very low High LM UM UM H H Level of Upper Hazard medium LM LM UM UM H Lower medium L LM LM UM UM Low L L LM LM UM Abbreviations: H=high, UM=upper medium, M=medium, L=low 56. Each risk category can be assigned a letter to represent the level of risk, as is currently the case in many of the existing risk assessment Source: Common Approach to Risk Assessment, United schemes: Kingdom Better Regulation Delivery Office High risk – Cat A Figure 1 provides an example of a risk matrix from the  Compliance history (are violations frequent or United Kingdom Upper medium developed by therisk – Cat Better B1 Regulation repeated, or on the contrary is this a “model Delivery Office for use across all agencies. establishment,” meaning in the first case that an Lower medium risk – Cat B2 accident is more likely, in the second less so) => In this matrix, “hazard” Low risk is – the equivalent Cat C of “magnitude.” In affects Probability the United Kingdom, the likelihood of compliance is used rather than likelihood of violation or adverse event. Thus, “high likelihood” is positive, and “very low” likelihood of 13 Understanding commonly used risk factors compliance is on the contrary associated with high risk. Because regulation, licensing, and inspections cover Page The two approaches are completely equivalent. many different fields and issues, risk factors vary In terms of risk factors, this definition of risk as likelihood depending on the type of hazard envisioned. For tax combined with magnitude generally translates in the inspections, the hazard would be non-payment of taxes, following aspects of the establishment having a direct and thus relevant issues include volume of economic Common Approach to RA – Overview PP v0.3 activity of the business, proportion of cash transactions bearing on its risk level: etc. However, a range of factors tend to apply and are  Type of activity (some are inherently more hazardous relevant across a large number of regulatory fields. than others, as it is more likely that accidents can This note focuses specifically on the whole range of occur; also, some can lead to particularly severe technical safety inspections (such as occupational safety damage, meaning the seriousness of impact is and health, construction, fire safety). Tax and food safety higher) => affects Magnitude and Probability inspections are covered in other, in-depth knowledge documents prepared by investment climate teams of the  Size of establishment (a larger establishment will World Bank Group. have a proportionally higher negative effect if an accident takes place) => affects Magnitude Based on best international practice, there is consensus that some of the key factors used to classify  Location of establishment (isolation means it will establishments according to risk from a technical safety have less effects on surroundings; proximity to perspective are: sensitive natural resources or to densely populated  Type of activity conducted inside the facility – both in areas will increase effects) => affects Magnitude terms of "what people do" (e.g. if people sleep in the facility, they are at greater risk of not being able to escape if there is an accident; or if they perform 2 Investment Climate l World Bank Group specific technical tasks which are high risk for  General structure of the building – that is, are there workers) and in terms of "what the activity can underground parts and/or is the building very high- provoke" (certain industrial processes can inherently rise, both of which may (a) present specific structural lead to explosions that could destroy the entire risks, and (b) lead to particular difficulties in case neighbourhood, for instance, while many other emergency escape is required. activities simply cannot have such an effect).  Location of the building – this is applicable in case of inherently hazardous activities (e.g. possibility of explosion, of chemical pollution etc.); location close to densely populated areas increases risks as does KEY NOTIONS FROM THE UNI TED KINGDOM’S location near important natural resources (such as BETTER REGULATION DE LIVERY OFFICE: “A water, natural reserves, and forests). COMMON APPROACH TO R ISK ASSESSMENT” The term “risk-based targeting” is used to refer to: Creating a risk matrix  the selection of the most appropriate intervention to drive better regulatory outcomes, Risk criteria and matrices should be very short, which may be education, provision of incorporate only a small number of parameters, and information, inspection, and so on; include only parameters that are easily known about the  the allocation of resources against the various business or the establishment. If risk matrices are too interventions; long and complex, they become very difficult to use; if  the criteria against which businesses are there are too many parameters, the essential ones can targeted for those interventions. get "buried" under all the small ones. A typical risk matrix Risk assessments (or risk “ratings”) of businesses should would be less than one page, including at least the ideally be based not only on what is found at the time of following factors (and possibly others that would be an inspection or other intervention, but should also take country- and regulator-specific): account of other relevant, available intelligence to inform the judgment about regulatory response. In such  Sector of activity circumstances the resulting assessment may be the determining factor in how that business is regulated. Risk  Type of process (if manufacturing, which products assessment is therefore key to better regulation and are involved, and whether hazardous substances are plays a crucial part in all of its principles: accountability, used or stored) or type of activity (if non- transparency, proportionality, targeting, and consistency. manufacturing, do people reside permanently and/or Targeting: Risk assessments based on good intelligence sleep in the facility, and/or are disabled or (for example, intelligence that is shared with other incapacitated people regularly present) regulators) support effective risk-based targeting, which in turn reduces duplication of regulatory activity and  Number of people present in the establishment in nugatory regulatory activity, thus reducing burdens on normal operation and/or maximum number that can compliant businesses. At a micro level, targeting is based be present on intelligence about the compliance status of a business, judgment about the likelihood of its future compliance,  Location (surrounded or not by inhabited area or and what (if any) intervention is required. That judgment close to sensitive object from an environmental must be intelligence based. perspective, such as a water source) in the case of Frequency: In most of the current risk assessment hazardous industrial facilities approaches, the concluding stage involves assigning a suitable type of intervention, and its frequency, for the  Specific aspects of the building, such as underground particular level of risk. For example, in the current health parts and/or high-rise (difficulties for evacuation) and safety risk assessment regime, “Category A‟ premises are scheduled to receive an inspection at least  Specific hazardous machinery being used in the annually, whereas a change of risk rating from Category building (list to be determined based on the A to Category B changes the regime to alternative forms regulatory field). of intervention. For the food standards regime, a change from Category A to Category B generally means a move from annual primary interventions to once every two Avoiding frequent mistakes years. Even though building a risk matrix sounds relatively straightforward, experience shows that it can frequently be challenging in a number of ways. Investment Climate l World Bank Group 3 Common mistakes that should be avoided in designing a determination of which types of activities are risk matrix for business inspections include: most and least hazardous.  The first task should be to help regulatory Some matrices give insufficient weight to the key factors - the agencies hazards that are trying (left in the to base theirdiagram) procedures may concern listed above the safety (e.g. of individual the number of people or groups who can be in the on risk classification to (re)define what their premises) and overly focus of employees (internal) or surrounding residents or passers-by (external), of health on technical issues or formal overall goals and objectives are, in order to criteria, resulting (ditto), the environment, soil movements or of effective extraction. in an inaccurate classification: - the define barriers key risksIthat (left)should are be the addressed. measures (equipment,  Most systems, training of the points and/or included in the proposed Often goals are vague or defined merely in terms matrices relate procedures) that should prevent a hazard leading to a genuine undesirabledetails to highly specific event. (e.g. the of “enforcing compliance with legislation.” It is - with undesirable events (centre), one could think of the release of a flammableits essential to define the positive outcome to be condition of the building, and aspects of achieved medium, (such as exposure decreasing to hazardous substances orelectrical labor-related unforeseen installations) that can only be revealed emissions into the with inspectors on site, possibly requiring a environment. deaths and injuries, or food- and water-borne lengthy and detailed inspection. While these risk and from II - barriers fatalities) this the riskare (right) the to criteria measures be used (equipment, systems, factors may betraining and/or relevant and grounded in for inspection planning. In the absence of these procedures) that should prevent the undesirable event escalating legislation, many are minorinto in genuine a terms of the level steps, risk criteria will not be adequate. disaster. of risk they pose, and cannot be used for  Often calam - risk ities criteria are (right) based on are twosuch events as a blowout risk factors planning as they are or explosion, only revealed illness after or death, or only: the scope of serious activities and pollution the prior water. of surface history inspection. A questionnaire handed out to of the establishment (compliant or not). However, businesses prior to inspection would the most fundamental of risk dimensions is the inadequately address this issue as businesses The bow-tie model is taken from the safety literature, but is so generic that with only may knowingly or un-knowingly self-report type of activity. It may seem that developing a a few modifications it can classification on this basis requires deep also be used for other purposes incorrectly.such as health, In addition, the such questionnaire would environment, soil movements technical expertise, statistical data and and effective extraction. create additional administrative burden for considerable work. However, examples from business operators. As a rule, such very detailed H ow does 8. countries other SSManalyse and experience risks? from regulators technical points should be avoided to build a can in most fields allow for a relatively easy good risk matrix. SSM uses the following matrix when analysing risks: FIGURE 2: RISK MATRIX FOR THE NETHERLANDS’ STATE S UPERVISION OF MINES Risk assessment m edium high risk high risk Very large risk 10 11 12 large low risk m edium high risk Potential consequence risk 7 8 9 Marginal very low low risk m edium risk risk 4 5 6 negligible very low very low low risk risk risk 1 2 3 U Unlikely nlikely Li kely likely Very Verylikely! unlikely Probability The boxes in the matrix are numbered 1 to 12, whereby 1 = potential consequence very low and unlikely and 12 = very great potential consequence and very likely. After an assessment has been made for each category this result is used in the following matrix. 4 Investment Climate l World Bank Group In the matrix below, the estimated potential risk from the previous matrix is combined with the extent of compliance, whereby s = poor compliance and g = good compliance. Setting priorities : risk-forced enforcement FIGURE 3: BEYOND RISK CLASSIFICATION: RISK-BASED ENFORCEMENT IN THE NETHERLANDS A B risk C D ° measure of compliance A High risk – bad compliance - high priority, high pressure inspection B The Netherlands’ High risk State Supervision – good complianceof -Mines notinvolve priority, only classif iesassociation establishments according to risks, it adapts its branch C enforcement – bad Small risk strategy compliance based - incidental on the combination supervision, of risk profile focus on contraveners and compliance history, according to this matrix: D Smal risk – good compliance - no supervision, except in case of complaints A – high risk, low compliance: high priority, high inspection pressure with immediate sanctions where possible B – high risk, good compliance: medium priority, some inspections, involve branch business association to support This leads to the following supervisory strategies (in general terms). compliance C –has A: Supervision highlow low risk, priority, high occasional compliance: pressure focusing inspectioninspection, with immediate on infringers, increase awareness of relevant legislation, intervention disciplinary including where possible encouraging information activities by branch association, and so on. B: SupervisionD –has good encourage priority, low risk, compliance: compliance by inspect only in means to response of specific, inspection pressure complaints substantiated and involve sector association Source (Figures 2 and 3): The Netherlands’ State Supervision of Mines , Strategic Vision. C: Occasional inspection, focusing on infringers, increase awareness of relevant legislation, including encouraging individual information activities by the sector. D: Active response  Some to complaints. criteria are difficult to assess or somewhat generally easy to identify, provided that the common subjective (such as “condition of the building”). If mistakes listed above are avoided. 10. With whom does SSM criteria on the work? condition of the establishment are The difficulty usually lies in the use of such matrices included, this should be as part of the Cooperation is an important means of limiting the inconvenience of supervisory because in many cases, regulators do not have adequate compliance activities to people history and and businesses. should preferably Cooperation comes in bemany forms varying from information systems allowing them to sufficiently assess based on a checklist. the exchange of information Thus, the and arranging result of the of company visits to a full likelihood ofof the delegation compliance in each establishment. inspection, through the duties. For mineral extraction (domain), SSM haschecklist, would result in fact in a single point of been contact, or ‘front an overall office ’ forrisk score a long for the “compliance history” time. As this would have to be based on prior records, such has concluded That is why SSMdimension, whichcooperative the with the Health agreements allows for updating records and needSafety to exist and be computerized. Therefore, establishment’s Inspectorate and the overall risk after VROM Inspectorate, rating. having been appointed by the Minister information systems are a necessary tool to make full use of Social Affairs & Employment to supervise working conditions and working of risk hours matrices. However, some preliminary division of establishments based on their inherent characteristics Conclusion (e.g. sector, size, type of activity) is already a 7 Risk matrices are fundamental instruments used to considerable improvement in terms of risk management, classify establishments depending on their risk level – compared to treating all establishments as identical. and adapt the regulatory response (e.g. inspections, Thus, govenments that do not have such information licensing) on this basis. This means that resources can systems in place can start implementing risk-based be used more effectively and efficiently, and that approaches to classification and planning. administrative burden is minimized while positive outcomes are maximized. Creating a risk matrix in itself is not necessarily a complex exercise, and can be done using international experience and examples, and relying also on the regulators’ and experts’ experience in the country. The parameters leading to higher or lower hazard are Investment Climate l World Bank Group 5 References Much has been written on the subject of risk assessment, risk management and related approaches. Specifically on the issue of risk matrices and risk management in regulatory issues, and to see practical examples and guidance on how to use them, readers can refer to the following (referred to in this note): United Kingdom’s Better Regulation Delivery Office, Common Approach to Risk Assessment http://www.bis.gov.uk/brdo/resources/risk-based- regulation/risk-assessment - model matrix can be found on page 13 United Kingdom’s Food Standards Agency, Food Law Code of Practice for England http://www.food.gov.uk/multimedia/pdfs/codeofpracticeen g.pdf - detailed explanation of risk ratings system can be found in Annex 5, pages 125-137 United Kingdom’s Health and Safety Executive, Advice/Guidance to Local Authorities on Targeting Interventions – Annex: Risk Rating http://www.hse.gov.uk/lau/lacs/67-2/annexe-b-risk-rating- system.pdf (also refer to whole Guidance document for context: http://www.hse.gov.uk/lau/lacs/67-2.htm ) United Kingdom Trading Standards (local authorities regulatory function) – Association of Chief Trading Standards Officers, Risk Assessment Scheme – 2013 https://knowledgehub.local.gov.uk/c/document_library/get_fil e?uuid=0edad691-9faa-4d82-b8da- 69f645ac5ad0&groupId=6415217 Netherlands’ State Supervision of Mines, 2012-2016 Strategy and Programme http://www.sodm.nl/sites/default/files/redactie/Strategy%2 0and%20Programme%20for%202012-2016.pdf - risk assessment approach detailed on pages 29-31 6 Investment Climate l World Bank Group Analysis and note prepared by Florentin Blanc and Ernesto Franco- Temple (Investment Climate Department, World Bank Group). The findings and views published are those of the authors and should not be attributed to IFC, the World Bank, the Multilateral Investment Guarantee Agency (MIGA), or any other affiliated organizations. Nor do any of the conclusions represent official policy of the World Bank or of its Executive Directors or the countries they represent. The Investment Climate Department of the World Bank Group helps governments implement reforms to improve their business environments and encourage and retain investment, thus fostering competitive markets, growth, and job creation. Funding is provided by the World Bank Group (IFC, the World Bank, and MIGA) and over 15 donor partners working through the multidonor FIAS platform. Investment Climate l World Bank Group 7 Contact Andrei Mikhnev l Global Product Leader, Business Regulation l Investment Climate Email: amikhnev@worldbank.org TEL: 1-202-458-1970 www.wbginvestmentclimate.org