Risk-Based Approaches to Business Regulation: A Note for Reformers

Aris Molfetas and Lars Grava

IN FOCUS | FINANCE, COMPETITIVENESS & INNOVATION | INVESTMENT CLIMATE

© 2020 The World Bank Group
1818 H Street NW
Washington, DC 20433
Telephone: 202-473-1000
Internet: www.worldbank.org

All rights reserved.

This volume is a product of the staff of the World Bank Group. The World Bank Group refers to the member institutions of the World Bank Group: The World Bank (International Bank for Reconstruction and Development); International Finance Corporation (IFC); and Multilateral Investment Guarantee Agency (MIGA), which are separate and distinct legal entities each organized under its respective Articles of Agreement. We encourage use for educational and noncommercial purposes.

The findings, interpretations, and conclusions expressed in this volume do not necessarily reflect the views of the Directors or Executive Directors of the respective institutions of the World Bank Group or the governments they represent. The World Bank Group does not guarantee the accuracy of the data included in this work.

Rights and Permissions

The material in this publication is copyrighted. Copying and/or transmitting portions or all of this work without permission may be a violation of applicable law. The World Bank encourages dissemination of its work and will normally grant permission to reproduce portions of the work promptly.

All queries on rights and licenses, including subsidiary rights, should be addressed to the Office of the Publisher, The World Bank Group, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2422; e-mail: pubrights@worldbank.org.

Authors

Aris Molfetas (amolfetas@ifc.org) is a Private Sector Specialist in the World Bank Group’s Investment Climate Unit. He advises governments in a range of areas relevant to business regulation and construction regulation reform.

Lars Grava (lgrava@worldbank.org) is a Senior Private Sector Specialist in the World Bank Group’s Investment Climate Unit. He advises governments in a range of areas relevant to business regulation reform.

The authors are grateful for the valuable contributions and peer review comments received from Christine Zhenwei Qiang (WBG Investment Climate Practice Manager), Andreja Marusic (WB Senior Private Sector Specialist), Phil Preece (United Kingdom Office for Product Safety and Standards), Sylvia Solf (WBG Senior Private Sector Specialist), Tania Ghossein (WBG Senior Private Sector Specialist), Florentin Blanc (Consultant). The text was enriched with cases on Moldova, provided by Victoria Tetyora (IFC Associate Operations Officer) and Galina Cicanci (IFC Operations Officer) and on Jordan, provided by Abeer Kamal Shalan (IFC Operations Officer).

Photo Credit: World Bank Photo Library and Shutterstock.com

Contents

INTRODUCTION
KEY CONCEPTS AND DEFINITIONS
THE LEVELS OF RISK-BASED REGULATION
    Level 1: Strategic Risk Assessment — Whether to Regulate
    Level 2: Operational Risk Assessment — How to Regulate
    Level 3: Risk Planning, Profiling, Monitoring and Enforcement — Whom to Regulate
        Risk Assessment
        Risk-based Planning
        Enforcement Management Models in Risk-based Frameworks
RISK-BASED REGULATION MATURITY MODEL
OTHER KEY CONSIDERATIONS
    ICT Solutions
    Implementing an RBR Project

Introduction

Governments increasingly use risk-based regulation (RBR) to adapt their degree of regulatory control to the actual risks posed by industry sectors, economic activities, and business establishments. Risk-based regulation aims to protect public goods, such as safety, health, and the environment, while at the same time avoiding unnecessary burdens on businesses.
Properly implemented, a risk-based approach to regulating businesses meets four objectives:

• To attain public policy objectives, such as promoting the health and safety of the population and protecting the environment by targeting higher-risk businesses.
• To reduce the regulatory burden on low-risk businesses.
• To make better use of scarce government resources.
• To enhance accountability, transparency, predictability, and consistency in decision making.

When designing regulation and developing models for monitoring and enforcement, risk guides assessments of costs and benefits. This note presents reformers and practitioners with the highlights of an approach to implementing a risk-based regulation system.

Key Concepts and Definitions

Risk combines the probability that a hazard will cause harm and the magnitude and severity of the harm caused if the hazard materializes.

Figure 1. The Definition of Risk
[Figure: risk shown as the combination of the magnitude and severity of harm and the probability of a hazard causing harm.]

Harm is any form of damage done to people (life, health, property, etc.), to the environment (natural and cultural), or to other public interests (tax fraud harms state revenue). The magnitude of that harm will depend on the scope and nature of damage.

Hazard is any adverse event that may cause harm.

Probability of harm is the degree of likelihood that a hazard will occur that leads to potential harm.

In many advanced countries such as the Netherlands, the percentage of businesses inspected every year by a regulator like the tax service is 5 percent. Similar patterns exist in other EU countries, and reductions in the number of inspections have not resulted in worse outcomes. The challenge for countries is to move from quantity of inspections to quality of inspections as an objective of the risk management system.

The Levels of Risk-based Regulation

RBR can improve efficiency, effectiveness, and transparency in three ways: (1) at the strategic level (when making decisions concerning entire sectors and regulatory domains); (2) at the operational level (through decisions on what instruments to use and which types of operators to focus on); and (3) at the risk planning, profiling, monitoring and enforcement level (by deciding which businesses to regulate and inspect and how to do so).

As described below, the levels of RBR are also useful for government policymakers and regulators to design their response to the Covid-19 pandemic — in terms of response, reopening and recovery.

Figure 2. Levels of RBR and Their Relationships
• Economy-wide/Policy: Level 1: Strategic Risk Assessment. Whether to regulate? Consider: economic sector, regulatory area and type of activity.
• Sectoral/Activity: Level 2: Operational Risk Assessment. How to regulate? Select the most appropriate regulatory instrument: permits, inspections, alternatives to regulation.
• Firm Level/Targeted: Level 3: Risk Planning, Profiling, Monitoring & Enforcement. Whom to regulate? Agency assesses, plans, enforces.

Level 1: Strategic Risk Assessment — Whether to Regulate

Strategic risk assessment typically occurs in the initial stages of the regulatory life cycle or during a review of existing regulations, when government policy makers and decision makers are actively identifying problems and risks and designing responses. Such evidence-based assessment can inform decisions about the necessity and optimal degree of regulation needed to protect or promote public wellbeing, and it can help determine whether regulation is necessary for the economic sector (e.g., finance, manufacturing, agribusiness), the regulatory domain (e.g., food safety, occupational or workplace safety, environmental protection), business activity (e.g., shipping cargo, processing food, selling dry goods), or a combination of these (such as occupational safety in a specific sector).

Determining that a sector or activity requires regulation raises an important question: What is the optimal degree of regulatory intervention needed to mitigate the risks to public wellbeing? To choose a mode of action that will, in total, generate the maximum benefit for the public, the decision maker must consider the activity’s benefit, the risk it creates, and the cost of addressing that risk. The following questions are useful when considering risks and reasons for regulation, how best to respond to changing circumstances, and what improvements can be made.

• What are the hazards posed?
• How large/serious/significant are they?
• What is the probability that the hazards will cause harm?
• What is the regulator’s risk tolerance?
• What is the level of risk mitigation required?
• What regulatory and nonregulatory responses are available to address risks (e.g., taxes, charges, subsidies, information campaigns, self- or co-regulation, etc.)?
• To what extent can risks be reduced/mitigated using these possible responses?
• What are the costs and benefits of each risk-mitigation option?
• What is the best response to the risk, and how should it be implemented?

Answering these questions allows policy makers to decide on the best response — no action, regulatory solutions, or other alternatives — to the identified risks (see figure 3). For example, consider a regulator who must respond to a new economic activity, such as multisided platforms in the accommodation industry (e.g., Airbnb, HomeAway, ClickStay, Booking.com, etc.). Introducing regulation is only one of the available options, and the approach ultimately taken toward these new business models must be based on the risks they pose to consumers and the public at large. In an RBR system, the regulator first explores the risks arising from the activity and then considers risk-treatment strategies in addition to regulation.[1] One or a combination of risk-treatment strategies may be selected to manage the risks of this new activity.

[1] Taxation and subsidies are used in fiscal policy but may also be included in the category of regulation when, for example, taxation is used to influence consumer habits relating to tobacco and alcohol consumption.

Figure 3. Regulation is One of Several Risk Treatment Strategies
[Figure: four risk treatment strategies: Risk Avoidance (ban activity), Risk Mitigation (regulation), Risk Toleration, and Risk Sharing. The figure also lists self-regulation by industry, voluntary third party certification, or deferring risk treatment to a later stage (contingency planning), and compliance promotion, consumer awareness, & information campaigning.]
Source: Adapted by the authors, based on the UNECE publication, Risk Management and Regulatory Frameworks: Towards a Better Management of Risks, June 2012.

Level 2: Operational Risk Assessment — How to Regulate

“Operational risk assessment” identifies and selects the optimal intervention and regulatory instruments for managing a risk. Basing regulation on risk means that regulatory agencies can opt for alternative regulatory instruments to promote compliance and achieve regulatory outcomes. These can range from direct or constraining options (such as prior approvals and ex ante inspections) to lighter-touch instruments (such as registration requirements). The operational risk assessment may determine that a business activity or a subset of firms within a business activity pose very low risks, making a different risk treatment strategy more appropriate. In that case, alternatives to regulation, such as information campaigns, can be combined with regulatory responses. The following types of regulatory instruments can be considered as part of operational risk assessment. The instruments, arranged here broadly from greatest to least direct control, are not mutually exclusive and may overlap.

Regulatory instruments:

• Prior approvals (mandatory ex ante controls): registration, permits, licenses, inspections
• Ex post controls: inspections, audits, regular reporting, maintain compliance with minimum technical requirements
• Mandatory third-party certification: standards, self-regulation by industry and professional associations
• Self-declaration of compliance: reliance on operators’ liability as a deterrent against fraud (e.g., in EU non-food product regulations for relatively low-risk goods)

Alternatives to regulation:

• Voluntary third-party certification: nonmandatory standards and self-regulation by industry and professional associations and instruments used for increasing consumer awareness and choice
• Consumer awareness: businesses’ public self-disclosure of information; consumer as de facto regulator; voluntary rating/grading schemes and transparency requirements
• Compliance promotion: information campaigns directed at businesses

RBR can use a simple but effective risk matrix to determine appropriate regulatory instruments based on the levels of risk identified to the regulators’ objectives (see figure 4). For example, if both the probability of a hazard’s occurrence and its potential severity and magnitude are high (e.g., a polluting factory without proper environmental safeguards), a more traditional form of government command-and-control may be more appropriate; options might include licensing or inspections with stringent requirements or certifications from a certified third party. If, on the other hand, the likelihood of an adverse event and its potential severity and magnitude are both low, the activity may require only self-certification, perhaps even with no explicit requirements per se beyond those in existing legislation covering the activity (e.g., legislation governing IT firms producing software). Creating a risk matrix need not be a complex exercise. It can be done using research and/or data combined with regulators’ and experts’ experience and benchmarking with international practices.

Figure 4. Risk Matrix to Determine Regulatory Instruments
[Figure: matrix with Probability of a Hazard Causing Harm (Very Low, Low, Medium, High, Very High) on one axis and Severity and Magnitude of Harm on the other; cells carry risk ratings ranging from Low to High, with regulatory instruments (licensing, certification, registration, inspections, ex post controls) overlaid on the matrix.]

Box 1. Overhauling Business Licensing Requirements in Greece Through a Risk-Based Approach

The Government of Greece (GoG), with the support of the World Bank, streamlined business licensing procedures in priority sectors by using a risk-based approach in 2014-2017.
The objective was to reform a regulatory system that was mostly based on burdensome ex-ante licensing requirements that were ineffective in safeguarding the public interest, towards a regulatory delivery approach which leveraged both ex ante and ex post tools and was based on risk proportionality. This would lead to a risk-based, transparent, and cost-effective business licensing regime consistent with EU good practice. More than 300 business activities were reformed during the project’s first phase in key economic sectors such as food and beverage manufacturing, tourism accommodation, extractive activities, logistics, waste management, and retail service activities which posed potential risks to public health.

The burdens imposed on businesses by the licensing system in Greece had grown exponentially through the years. The licensing system was based on overly prescriptive regulations and was plagued by overlap and duplications among the various line ministries and regulatory agencies. Businesses were required to obtain numerous and overlapping licenses and permits before they were allowed to operate. This included general licenses applied to all businesses irrespective of risk as well as sector-specific licenses. The licensing and inspections systems were not linked nor were they transparent or easily understandable by the private sector.

The GoG, with support from the World Bank, initiated implementation of a risk-based system in 2016 by enacting a new framework law on licensing. The 2016 law introduced risk-based approaches to regulating business activities, a framework for an online unified information management system known as the Integrated Licensing and Inspections Management System (ILIMS), and a framework for third-party conformity assessments as a possible tool to be used as part of the licensing procedure for high-risk activities.
The GoG classified economic activities into risk categories by conducting a risk assessment of each economic activity based on its impact on health, safety and the environment, and by benchmarking against European best practice. Based on the law, mandatory licensing requirements could be applied only to specific activities that posed a high risk to public health, safety or the environment. In the case of low risk businesses, the law replaced onerous licensing requirements with a registration by only requiring business owners to notify the municipality through an online platform before commencing their business activity. The “notification” system required business operators to fill out a simple document providing the authorities with key data on their business so that the inspectorates would be able to inform their risk assessments and prioritize inspections.

Barriers to entry were removed by cancelling or streamlining several licenses, most notably the blanket licensing requirements that affected businesses across various sectors (horizontal licenses). Low risk businesses can now start immediately after notifying the government, rather than wait for a license to be issued, which could previously take weeks or several months for some business activities. Lastly, public administration efficiency is improved by allowing regulators to focus their checks on those businesses that present higher risks to public safety and the environment.

Level 3: Risk Planning, Profiling, Monitoring and Enforcement — Whom to Regulate

Risk Assessment

Risk assessment is the process of identifying, analyzing, and assessing the risks posed to regulators’ objectives by economic activities, establishments, and products. It provides the means of linking the application of supervisory, monitoring, and enforcement resources to the risk scores assigned to the regulated entities (i.e., products, activities, and establishments). In short, risk assessment means asking, “What could happen?” and “How serious would it be?”

The following series of steps will lead to a robust risk-assessment system in a given sector or regulatory domain.

Step 1: Set the Strategic Context for Risk Reduction

The regulatory agency must define the desired regulatory outcomes based on the public policy objectives it is mandated by the government to implement (e.g., environmental protection, food safety, consumer protection, etc.). The starting point for this step is thus to identify the regulatory agency’s mandate.

The key at this stage is to articulate a strategy for the regulatory domain or the economic sector that sets out a clear mission and specific goals measurable by tangible outcomes (e.g., 30 percent reduction in food poisoning incidents by 2025), not outputs (e.g., number of inspections conducted or fines issued). The strategic goals and outcomes for risk reduction must be realistic based on existing levels of compliance. This analysis must be done at the outset and should be reviewed only once a year, except when an event occurs that requires reassessment of priorities; examples include an international public health crisis, such as COVID-19, or a domestic event that suggests the system is failing, such as a major incident involving multiple casualties. This strategy provides the context for the rest of the risk process.

Step 2: Compile a Database of the Regulated Entities (Objects)

The second step entails defining the regulatory agency’s scope of work. The regulatory agency must take stock of all regulated entities that pose a risk to its objectives and that fall within its regulatory mandate and jurisdiction. The comprehensive database must contain the objects that must be monitored to safeguard against the identified risks and achieve the risk reduction goal. Gaps in information sources must be identified, and ways must be found to mitigate them. Reliable mechanisms for data collection are also needed to ensure that the database is regularly updated.

Step 3: Assess the Risks

The third step, assessment of risks, is composed of a number of sub-steps:

• Risk identification: The regulatory agency must identify potential types of hazard as well as the subjects that can be adversely affected by that potential hazard and the resulting harm they may suffer (see figure 5 for examples). A “risk” is the probability of harm occurring, so it is necessary to first identify the hazard to be mitigated. In turn, a hazard must relate to the intent behind the government’s public policy objective, otherwise the harm may be real but unimportant. The starting point is to identify the objective, then the potential hazards to it, and finally the harms that may occur due to those hazards. This identification task can be accomplished using a combination of desk research and operational experience.

Figure 5. Examples of Workplace Hazard Identification and Related Harm Caused
Regulatory Domain: Occupational Safety

Workplace hazard | Example of hazard | Example of harm caused
Object | Knife | Cuts
Substance | Benzene | Leukemia
Material | Mycobacterium tuberculosis | Tuberculosis
Source of energy | Electricity | Shock, electrocution
Condition | Wet floor | Slips, falls
Process | Welding | Metal fume fever
Practice | Hard rock mining | Silicosis
Behavior | Bullying | Anxiety, fear, depression

Source: https://www.ccohs.ca/oshanswers/hsprograms/hazard_risk.html.
• Risk analysis: The regulatory agency must match the hazards identified with potential negative consequences and analyze the elements of risk involved. One common approach is to describe the levels of harm for each regulatory domain (e.g., workplace safety, environmental protection, consumer safety) and then to analyze them in terms of the various elements of risk:
    • nature of the possible harm
    • extent of the possible harm
    • probability of harm occurring
  In some cases, the elements of risk may be obvious, while in other cases they may require extensive research (e.g., determining the impact of salt on cardiovascular diseases).

• Develop risk criteria: The risk analysis will help identify the risks to regulators’ objectives and set the basis for developing criteria relevant to assessing the overall risk posed by the regulated entities. These criteria can then be used to develop a risk profile for each object. Risk criteria include the intrinsic (or static) characteristics of the regulated entities and acquired (or dynamic) risk criteria (figure 6 provides an example from the tourism industry).
    • Intrinsic (or static) risk criteria can be used to classify inspection objects into risk groups. These characteristics usually remain unchanged over time, are easily identifiable and known, and can be assigned scores before any inspection is conducted. These include:
        – type of activity/processes/equipment
        – size of the activity or scope/volume of operations
        – characteristics of people and number of people in or near the establishment that may be exposed to risk
        – location of the establishment/specific aspects of the building (i.e., basement, high rise, etc.)
    • Acquired (or dynamic) risk criteria include those that may change over time and cannot be easily assessed without a site inspection. These include:
        – Availability and adequacy of internal risk management systems/measures. This can be disaggregated into additional criteria by separately assessing management (e.g., competence, technical knowledge, commitment to compliance), and management systems. (Relevant questions for the latter include: Is there an adequate system for managing relevant risks? Does it include allocation of key responsibilities to staff? Is the system being implemented and monitored? Has the organization adopted management system standards? Has the system been audited by a certified third party?)
        – Compliance profile, including the object’s compliance history, its attitude toward compliance, and barriers to non-compliance (e.g., awareness, capacity to comply, informal competition, objection to regulations).

Figure 6. Example: A Possible Approach to Tourism Entity Risk Criteria

Intrinsic Criteria

Public Safety
• Number of occupants
• Indoor smoking
• Mechanical hazards
• Electrical hazards
• Gas storage
• LPG tank
• Number of floors
• Floor area
• Building height
• Active fire safety systems
• Number of fire exits

Food Safety
• Restaurants selling and preparing food from animal origin
• Restaurants selling and preparing food from non-animal origin
• Raw foods
• Perishable foods
• Scale of food management activities
• Water sourcing
• Alcohol service
• Cold storage
• Disposable gloves use
• Pests control

Occupational safety
• Working conditions
• Number of workers
• Staff working in heights (e.g. cleaning windows)

Location
• Adjacent to other residential or commercial buildings
• Adjacent to a school, kindergarten, hospital, nursing home

Facilities within the Establishment
• Swimming pool
• Waterpark
• Sports facilities
• Bars
• Night club
• Events
• Restaurants

Security
• Checks
• Safety measures for occupants

Acquired Criteria (Record of Compliance; Other Considerations)
• Complaints against the operator
• Status of implementation of HACCP or GHP rules
• Number of violations
• Number or value of fines
• Frequency of violations
• ISO 22000
• Golden list
• Recognition awards
• Grade
• Willingness to comply
• Ability to comply within the timeframe

Box 2. Tips on Some “Don’ts” in Designing Risk Criteria

• Avoid lengthy, complicated risk criteria.
• Avoid automatically using legal requirements that don’t target the root problem; start with risks, not rules.
• Avoid overweighting the size of activity/scope/volume of operations and underweighting the type of the activity. For example, a very large rewrapping and repackaging establishment will pose lower risks to food and occupational safety than a small slaughterhouse, since inadequate facilities and hygiene at slaughterhouses can result in contamination of meat and occupational hazards to workers.
• Avoid formulating ambiguous criteria that may be subject to interpretation. For example, in the context of occupational safety, working at height is a well-established source of hazard. At the same time, since “working at height” is subject to interpretation, it is advisable to define a measurable threshold for this criterion.
• Avoid classifying too many objects in the high-risk category. Since finite resources must be prioritized on the high-risk objects, classifying too many objects as high-risk will undermine prioritization.
• Avoid using criteria where evidence is not robust. For example, the damage arising from some genetically modified organisms (GMOs) remains a matter of scientific debate. Therefore, using the presence of GMOs as a proxy for risk may be premature.
• Do not assume that low-risk objects will remain low risk perpetually; risks are dynamic.

Box 3. Risk-Based Regulation in Jordan

The World Bank Group supported the Government of Jordan in reforming its inspection system based on an RBR approach. The reform connected 14 inspection directorates in the regulatory domains of labor rights, environmental protection, public health and safety, occupational safety and health, food and drugs safety, fire safety and municipal inspections through an Integrated Inspection Management System (IIMS). The objective of the IIMS was to establish a shared registry of objects and subjects, automate inspection procedures, and enable data exchange between the directorates.

The RBR reform in Jordan also included developing risk assessments to inform the inspectorates’ inspection planning by identifying intrinsic and acquired criteria. Each criterion was broken down into weights with a clear scoring scheme. This was initially designed using a simple Excel file with formulas that calculated the combined risk score, assigned a risk category (high, medium, low), and frequency of visits for each category. The tools were tested by the inspectorates to ensure they were relevant and yielded realistic outputs. The profile risk criteria were incorporated in the inspection checklist so that inspectors could collect and update this information at each visit. The risk tools were later automated through the IIMS.

• Risk evaluation: The last sub-step of risk assessment requires using the risk criteria:
    • To identify the risks that matter in a specific economic sector or regulatory domain, and
    • within a range of risks, to rank them in importance.

Determining the relative importance of each risk criterion is achieved by assigning higher weights to risk criteria that may have greater significance vis-à-vis the severity, magnitude, and probability of harm to the regulator’s objectives. For example, in the environmental protection regulatory domain, industrial use of dangerous chemicals is a source of harm; therefore, raw materials and refined products used in industry can be a risk criterion. At the same time, within the dangerous materials category, some will be more dangerous than others. For example, boiling water can be dangerous since it can result in serious burns or even death, but it is comparatively less dangerous than radioactive material due to the different nature and extent of potential harm posed by the two substances. The purpose of risk evaluation is to assign different scores to each criterion (in this example, radioactive materials and boiling water) and to rank them relative to each other risk criterion. For example, a regulator may determine that the risk criterion “location” is more important than the risk criterion “materials.” A chemical factory operating in a remote rural area poses the same hazards as a chemical factory operating in a peri-urban area, but the latter can potentially cause far more harm because of its proximity to neighboring people and buildings. Weighting thus reveals what is important to the regulator and the regulator’s risk tolerance. These determinations can be supported by a risk matrix (see figure 4), a simple tool used to increase the visibility and understanding of risk criteria and to assist in decision making.

Step 4: Classify objects into risk categories based on each object’s risk profile

The final step of the risk assessment process is to classify the regulated population into risk categories by building a risk profile using the risk criteria developed earlier. This requires assessing each object on each of the selected criteria to determine the nature of harms posed by each regulated entity and the extent of the harm posed in terms of the number of people affected, the vulnerability of some groups of people or the environment, and so on. These assessments are used by the agency to assign scores to each regulated entity. These scores must then be combined with a score reflecting the probability that the risk will materialize, based on the regulated entity’s compliance profile. The intersection of the potential severity and magnitude of the hazard with the record of the entity’s (non)compliance will determine the estimated risk level for each object. The purpose behind the risk profile is not to see how “hazardous” a business is but how important it is to inspect the business. For example, an oil and gas operation must always be inspected even though it may be extremely well run and have an excellent compliance record. By contrast, a small business, such as a convenience store, may have a poor compliance record but it may not be worth using significant resources to inspect it since the nature of the business may not pose serious risks to the regulators’ objectives. Typically, regulatory agencies use tools such as risk matrices or pyramids to stratify and communicate risk profiling into low-, medium-, and high-risk categories.

Box 4. RBR in the Age of COVID-19

At the time of writing this note the COVID-19 pandemic is sweeping across the globe, posing new challenges to policymakers, regulators and businesses. Although it is still early to predict how the unfolding crisis will play out and what its impact will be on businesses and societies around the world, the need for frameworks that will help regulators prioritize mitigating the threat and reopening the economy becomes even more pertinent. Since regulators must now strike a new balance between the compliance burden on the private sector and the heightened risks to public health and occupational safety, RBR can help assess those risks as science offers more insights on how the virus spreads and how businesses must adapt their operations.
RBR can help regulators strike a better balance when shaping new health and safety regulations, when planning their monitoring and enforcement activities, and when reopening their economies. Inspecting each business establishment to ensure compliance with new health regulations and protocols can drain even the most well-resourced institutions. RBR can help regulators prioritize their activities, as well as develop guidance tools for businesses. During the pandemic, use of RBR has helped regulators determine which businesses pose the highest risks to public health and consequently issue prohibitions and other restrictions on their operations (this is related to Levels 1 and 2 of RBR described in this paper). During the reopening, for example, Ho Chi Minh City, Vietnam has introduced a Scoring System for self-assessment of COVID-19 infection risk by businesses. The self-assessment helps businesses assess the Infection Risk Index (IRI). The IRI will determine whether they can re-open, if adjustments are necessary, or if they need to suspend operations. After economies have reopened, the intrinsic (static) and acquired (dynamic) risk criteria of businesses can be monitored to determine whether businesses are in compliance with COVID-19 public health requirements (Level 3 of RBR) and the regulator can take appropriate enforcement action.

Risk-based Planning

“Risk-based planning” builds on the risk assessment phase described above to determine the tools, resources, and level of regulatory control most appropriate to accomplishing the strategic goal for risk reduction.

A “risk pyramid” can be a useful classification tool for gaining the high-level perspective needed for risk planning. Regulators can create profiles using any shape they choose; however, the most useful shape is often a pyramid, because it guides the regulator toward targeting a smaller number of the most high-risk entities. The base of the pyramid represents the largest number: the low-risk objects requiring less frequent site-inspections, which can typically be carried out on an audit basis. In some jurisdictions, self-reporting, information provision, and voluntary certification could suffice. The middle levels of the pyramid represent medium-risk objects that require moderate monitoring, as compared to the low-risk objects. This level may require compliance audits, third-party certification, and a reasonable number of site inspections. The top of the pyramid represents high-risk objects that may require more frequent and thorough monitoring (see figure 7 for an example).

Step 1: Match the number and type of objects of each risk category with available resources

Step 1 requires regulatory agencies to take stock of their resources in terms of number and skills of personnel, equipment, infrastructure, and funding. Doing so will indicate how resources can best be deployed to attain the regulator’s risk reduction goals while limiting the frequency and duration of monitoring activities (e.g., site inspections, complaints management, desk research, archiving, and information sharing).

Figure 7. A Risk Pyramid Stratifying the Regulated Population and Matching Risks to Available Resources

• High Risk: High frequency of inspections
• Upper Medium Risk: Medium frequency of inspections
• Lower Medium Risk: Low frequency of inspections
• Low Risk: Information campaigns, sample or themed inspections

Source: Adapted from Ian Ayres and John Braithwaite, Responsive Regulation (Oxford University Press, 1992), p. 3.

Step 2: Develop tools for monitoring and data collection to inform risk profiling and risk-based planning

Regulatory agencies should aim to design an initial risk-based system in such a way as to generate as much data as possible. Gathering additional data will enable the regulator to further refine the framework. Once enough data has been collected, subsequent versions of the risk-based system can require less information from low-risk firms. Some of the main channels for collecting this additional information include (1) existing databases, such as the business registry or an agency’s own registries; (2) proactive strategies, such as checklists that can be used during site inspections; and (3) reactive strategies in the form of a risk-based complaint management system.

• Existing databases: Agencies tasked with planning, profiling, monitoring and enforcement can leverage existing databases from other regulatory agencies to improve their intelligence and avoid duplicating efforts. For example, they can use data from existing business registries, the tax authorities, or other regulators that may have good-quality data on the private sector. This can include data from commercial chambers and professional associations. This type of information can help an inspectorate comprehensively map all objects and subjects in their jurisdiction rather than exclusively relying on site-inspections and complaints. Moreover, if or when other inspectorates develop good-quality databases, these should be shared with other relevant inspectorates and regulatory agencies. The ultimate objective should be to build comprehensive business profiles that integrate information from the business registry, the licensing authorities, and the inspectorates.

• Risk-based checklists: Checklists are compliance-assessment tools that guide frontline staff during site inspections, ensuring standardization and consistency in their activities in the regulatory domain; they also help regulatory agencies determine the most appropriate response to mitigate those risks. Checklists help simplify and strengthen the inspection procedure by ensuring that frontline staff focus on the key elements of compliance and on what are likely to be the main risk areas. In addition, checklists can help raise private sector awareness and compliance regarding the areas on which the objects will be inspected. Finally, checklists can be a useful tool to collect, process, and analyze information in an efficient, reliable, and standardized manner that will inform risk assessments and risk-based planning. By ensuring consistency, checklists serve as especially important tools for less developed systems as well as for mature systems trying to implement RBR.

• Risk-based complaints management systems: A common challenge in non-risk-based regulatory systems is that regulatory agencies tend to become reactive and to respond to every complaint received. The solution is to create a system that distinguishes serious complaints that require a response from ones that require no response but are still useful for intelligence and planning purposes.

Box 5. Checklists and Other RBR-Based Reforms in Moldova

The World Bank Group supported the Government of Moldova in implementing a 2011 law that introduced RBR for inspections. This entailed institutional reform that resulted in merger, liquidation and reorganization of the existing 58 inspectorates into 13 inspectorates and 5 regulators, implementation of an Inspections Management System and adoption of risk tools such as risk profiling of industries and firms, inspections planning, risk criteria ranking, complaints management systems and checklists to be used during site inspections.
A typical checklist consists of information about the inspector and business subject to inspection, information about the business to determine if the earlier assigned criteria are still valid, a list of questions with assigned weighting, reference to the legal basis for each criterion, a scaling table to assign rating, and a list of relevant normative acts. Each inspectorate developed separate checklists for inspecting businesses operating in different areas within a sub-sector. For example, the Ministry of Agriculture, Regional Development and Environment developed checklists of businesses that fall under the supervision of the Food Safety Agency, such as separate checklists for vet chemists, vet warehouses, alcohol production, wine production, poultry production, cattle farming, pig breeding, production, import, sales and storage of plant protection products and fertilizers. The use of checklists reduced the duration of inspections since both inspectors and businesses understood what the inspector needed to check. Checklists also brought discipline and structure in place of discretionary decision-making.

Benefits from the implementation of RBR were the following:

• Average frequency of inspections per company was reduced by 55%, from 5.15 to 2.3.
• Average duration of an inspection was reduced by 41%, from 1.35 to 0.79 days.
• Annual number of days for all inspections per business was reduced by 70%, from 6.05 to 1.81 days.

Ultimately, it was calculated that private sector firms were saving USD 5.4 million per year in compliance costs and 41,883 firms have benefited from the inspections reform, of which an intrinsic and critical part was the RBR component.

Step 3: Revise the risk criteria and risk planning when/if necessary

Risk assessments should not be treated as static X-rays but rather as dynamic tools that must be constantly updated and refined. The regulatory agency must prioritize data collection and embed intelligence gathering in all its operations, from site inspections to desk research to complaints management. In good-practice RBR systems, the regulatory agency will access data from other agencies, including where relevant, information on public good outcomes.

Enforcement Management Models in Risk-Based Frameworks

The ultimate purpose of enforcement is to ensure that businesses prevent harm by effectively managing the immediate and most serious sources of risk; to promote sustained compliance; and to hold businesses accountable in cases of sustained or severe non-compliance. Frontline staff must consider several factors before deciding on an enforcement action (e.g., a financial penalty), such as the violator’s compliance history, previous enforcement actions imposed on the business, the severity of the violation, and the associated degree of risk, among others. Consequently, consistency is important in enforcement action decisions. This can be achieved through an Enforcement Management Model (EMM). EMM refers to the decision-making frameworks regulatory agencies should follow to identify enforcement actions in the event of verified non-compliance. EMM can help management monitor the fairness, transparency, and consistency of enforcement decisions; support experienced inspectors in making decisions in complex cases; and guide less experienced frontline staff. Overall, a robust EMM can support consistent, transparent, proportionate decision making through standardized criteria and enforcement procedures. In turn, this promotes accountability for frontline staff as well as efficiency, impartiality, and fairness in enforcement decisions.

Box 6. Principles of a Robust Enforcement Management Model²

• Enforcement actions must be effective in achieving compliance and risk control.
• Enforcement actions must be proportionate to the risks posed to the regulator’s objectives by the non-compliance event.
• Decisions on enforcement actions must be transparent and justified. Businesses subject to an enforcement action must be informed why the regulator reached that decision.
• Enforcement actions must be consistent in their approach. Consistency must not be interpreted as uniformity, however, but as the agency’s use of a similar approach in similar circumstances.

² According to the U.K. Health and Safety Executive’s Enforcement Policy Statement, “Proportionality means relating enforcement action to the risks. Those whom the law protects and those on whom it places duties (dutyholders) expect that action taken by enforcing authorities to achieve compliance or bring businesses to account for non-compliance should be proportionate to any risks to health and safety, or to the seriousness of any breach, which includes any actual or potential harm arising from a breach of the law. In practice, applying the principle of proportionality means that enforcing authorities should take particular account of how far the business has fallen short of what the law requires and the extent of the risks to people arising from the breach.”

Step 1: Set out the principles for enforcement decisions and the available enforcement actions

Implementation of a risk-based EMM requires moving away from a highly prescriptive sanction system. This can be achieved by introducing general categories of enforcement actions through regulation, such as a framework law on inspections, or by amending existing regulations on sanctions. The five broad categories of enforcement actions, ranging from less to more severe and from more common to less common, are captured in figure 8.

Step 2: Develop the EMM

The EMM can be operationalized through decision-making frameworks (for example, decision trees) that guide the enforcement process. These decision trees should aim to combine information collected during the monitoring process — for example, through a site inspection to determine the seriousness of the non-compliance and the associated degree of risk — with contextual factors. These may include the business’s relevant incident history, if any. In cases where the business has had a previous enforcement action for the same violation, regulators should determine if the operator has the capacity to comply but purposefully circumvents the requirements for economic gain or if it demonstrates the willingness and ability to cooperate and takes concrete steps to mitigate the non-compliance.

Figure 8. A Robust Enforcement Management Model Supports Inspectors through a Variety of Enforcement Actions and Standardized Decision-Making Frameworks

• Minor Violation: Guidance & Persuasion
• Medium Violation: Warning Letters
• Major Violation: Financial Penalties
• Serious Violation: Temporary Prohibition
• Severe Violation: Permanent Prohibition

Note: This is a simplified model; e.g. repeated medium violations may justify a financial penalty.

Risk-Based Regulation Maturity Model

Risk-based regulation can be implemented by governments at various stages of development and to varying degrees. As mentioned above, risk-based regulation is typically linked to licensing and inspections systems and therefore the implementation of licensing and inspections reforms often determines the stage of maturity of the RBR reform. A Maturity Model (see table 1) presents the stages for reform to assist reformers in sequencing and prioritizing reforms for levels 2 (operational) and 3 (planning, profiling, monitoring and enforcement). The Model will not always be the same even in the same country as different regulatory agencies will be at different development stages.

The framework in table 1 below presents four generations of RBR:

• Initial (“zero”) level: no risk-based approach. These exhibit overlap and duplication, prescriptive regulation, no systematic data collection, low capacity, and lack of information.

• First generation of reforms: foundations for RBR. This generation exhibits some clarified mandates, basic strategy, data-collection system, classification according to business objectives, some technical expertise, basic risk-assessment methodology, basic checklists, and publicly available information.

• Second generation of reforms: applying RBR in some sectors/domains. RBR principles and risk models have been piloted or implemented in a number of regulatory agencies; long-term strategy, clear mandates, information sharing, and collaboration exist among regulatory agencies; standardized tools are deployed for risk assessments, checklists, and so on; information communications technology (ICT) is in widespread use; and performance management, complaints management, and enforcement management are developed.

• Third generation of reforms: implementing a comprehensive RBR system. Related domains to apply RBR are integrated; risk assessments have been designed based on numerous sources of data; business profiles are comprehensive, with static and dynamic characteristics; key performance indicators are based on outcomes; risk models are used, including application of new technologies; risk-based enforcement management modules have been adopted; and ICT is extensively used to support all monitoring and enforcement functions.

Box 7. Some Caveats to Applying RBR

Implementation of risk-based systems requires developing the overall maturity of a licensing and inspections system over time (see section below on the maturity model for RBR). Reformers who attempt to introduce elements of RBR without first ensuring their reforms’ solid foundations risk failing to reap the benefits the approach offers. For example, the starting point for improving an inspections system plagued by overlap and duplication is NOT to introduce risk assessments and risk-based checklists. Rather, the starting point should be to address those overlaps through institutional reform, legal reform, or governance tools (e.g., cooperation agreements) to clarify the mandates and mission of the various inspectorates, align their mission with risks, consolidate inspectorates where necessary to improve efficiency and effectiveness, and ensure integration of the new institutions at the operational level. Using the maturity model described in table 1, it is possible to assess the current licensing and inspections system and sequence reforms to implement an RBR system.

Nevertheless, RBR has a role even in the most challenging environments, including fragile and conflict-affected countries. For example, RBR can introduce a systematic methodology for ensuring public health and safety while reducing burdens on low-risk businesses; guide decisions on what data is necessary for evidence-based decision making at all levels of government; reduce discretionary decision making by requiring justification for inspection targeting and regulatory enforcement; and provide a framework for prioritizing regulatory enforcement decisions.

Note: All previous generations of reforms are assumed to be incorporated into the next more advanced level.

Table 1. Risk-based Regulation Maturity Model

Text in purple relates to level 2: selection of regulatory instruments and licenses.
Text in green relates to level 3: inspections, monitoring & enforcement.

Institutional Framework

• Weak Regulatory Compliance System: Overlap & duplication are prevalent between the regulatory authorities. Inspectorates’ missions are overlapping, and there is no coordination.
• First Generation Reforms (Introducing Foundations for RBR): Mandates between some regulatory authorities are clarified in some regulatory domains and/or economic sectors. Institutional framework for inspection functions is coordinated and consolidated to remove overlaps and duplications.
• Second Generation Reforms (Applying RBR in Some Sectors/Domains): Mandates between most regulatory authorities are clarified in most regulatory domains and/or economic sectors. Conformity assessments by certified third parties are introduced as a possible tool as part of the licensing procedure (e.g. for high risk activities). Information sharing between some inspectorates and planning of joint inspections. Agreements between regulatory agencies to regulate information sharing and collaboration (e.g., Memoranda of Understanding or Standard Operating Procedures).
• Third Generation Reforms (Implementing a Comprehensive RBR System): Mandates between all regulatory authorities clarified based on regulatory domains and/or sectors. Integration, consolidation, or merger of food, environmental protection, occupational safety, public health, and border inspection management (for phytosanitary, veterinary, and sanitary inspections).

Legal Framework

• Weak Regulatory Compliance System: Legal framework is fragmented and overly prescriptive. All or most business activities require ex ante authorizations. There is no standardized classification of business activities. The legal framework on inspections is unclear; overlaps and duplication are prevalent.
• First Generation Reforms: A framework policy or law on licensing or a consolidated law on licensing and inspections is available and has introduced principles for RBR. And/or a legal act on RBR may have been adopted by an agency. A classification of business activities is being used by some regulatory authorities. A framework policy or law on inspections or a consolidated law on licensing and inspections is available and has introduced RBR principles.
• Second Generation Reforms: Implementing regulations for regulatory domains or economic sectors are reformed consistent with RBR principles and guidelines. A classification of business activities is being used by all regulatory authorities and is based on an international standard (ISIC, NACE, NAICS, SIC, etc.). Legal framework on all aspects of enforcement (i.e., sanctions) is reformed consistent with RBR principles.
• Third Generation Reforms: New regulations are designed based on scientific evidence, technical experts’ opinions, inspectors’ inputs, and data. Continuous improvement of sector regulations by involving the inspectors through a consultative process.

Strategy

• Weak Regulatory Compliance System: A long-term strategy for achieving the objectives of the regulatory agency does not exist.
• First Generation Reforms: Long-term strategy for achieving the objectives of the regulatory agency is available, but it is not well articulated, with specific mission, goals, and key performance indicators (KPIs).
• Second Generation Reforms: Long-term strategy includes a specific mission and goals. KPIs are not well developed or they are based on outputs instead of outcomes.
• Third Generation Reforms: Long-term strategy includes a specific mission, goals, outcomes, and objectives. KPIs are based on outcomes.

Data Collection & Reporting on Inspections

• Weak Regulatory Compliance System: There is no systematic collection and analysis of data on businesses.
• First Generation Reforms: There is a recording and reporting mechanism to systematically collect data on inspections and generate statistical reports for analysis. Registry of inspection subjects (business entity/entrepreneur) and objects (location/facility) classified according to business activities.
• Second Generation Reforms: Improved reporting available on inspections and tracking of KPIs. ICT module that allows recording of inspection outcomes in a systematic manner has been developed.
• Third Generation Reforms: A comprehensive business profile that integrates information from the business registry, the authorities issuing licenses, and the inspectorates has been adopted. Document and workflow systems are fully automated.

Human Resources

• Weak Regulatory Compliance System: Regulatory agencies are not familiar with risk-based principles. Inspectorates have limited capacity, and staff are not assessed on their competence.
• First Generation Reforms: Inspectors receive training and acquire technical expertise on the regulatory domain and/or economic sector they are tasked with supervising.
• Second Generation Reforms: Inspectors receive advanced training and have technical expertise in the regulatory domain and/or economic sector they are tasked with supervising as well as in risk-based approaches. Inspectors are audited to contribute to Continuous Professional Development in core competencies.
• Third Generation Reforms: KPIs are developed to measure the inspectors’ performance in achieving compliance objectives based on core skills, such as risk assessment, understanding of regulated subjects, compliance promotion, proportionality, and adequacy of inspection measures. ICT module on management of inspectors’ competencies to map which inspector is more appropriate to inspect each subject/object.

Risk Assessments & Inspections Planning

• Weak Regulatory Compliance System: Regulations are not being designed based on risk. There is no registry of regulations, and there is no risk assessment or inspections planning.
• First Generation Reforms: Risk assessments are being used to determine the most appropriate approach to regulating business activities (registration, licensing, technical requirements). A basic inspection planning functionality allows inspectorates to use simple criteria to generate lists of businesses and locations for inspections. A registry of up-to-date regulations applicable to each regulatory domain is available. Basic checklists for compliance have been developed.
• Second Generation Reforms: Risk models are developed for each regulatory domain (identifying risk categories, risk indicators, and weights). An ICT module to simulate risk-models has been developed. Risk-based inspection checklists have been developed. The registry of inspection subjects/objects and inspection history and complaints were used to develop a basic risk-based inspection planning functionality.
• Third Generation Reforms: Risk-based inspection planning is based on risk models. Risk models experiment with predictive elements by leveraging new technologies such as AI (artificial intelligence).

Complaints Management & Enforcement Management

• Weak Regulatory Compliance System: No complaints or enforcement management takes place.
• First Generation Reforms: A complaints management system has been implemented to efficiently manage inspections and prioritize complaints.
• Second Generation Reforms: Enforcement management has been reformed based on RBR principles. Operational manuals are available to support inspectors in decision making on enforcement actions.
• Third Generation Reforms: An ICT module for decision support on enforcement management is available.

Transparency

• Weak Regulatory Compliance System: Information on ex ante authorizations and technical requirements to operate a business is not publicly available. Information on inspectorates’ mission, goals, and performance is not publicly available. Information on compliance promotion is not publicly available.
• First Generation Reforms: All issuing authorities publish basic information on ex ante authorizations and technical requirements related to their regulatory domain/mandate, but this information may be fragmented and/or uneven. A public inspection portal is available to publish summary inspection reports and to receive feedback from the private sector.
• Second Generation Reforms: All issuing authorities publish detailed information on ex ante authorizations and technical requirements related to their regulatory domain/mandate, but this information may be fragmented and/or uneven and not client-centered. Inspection checklists are published online. Grievance and redress/appeals management is available.
• Third Generation Reforms: All relevant information on ex ante authorizations and technical requirements is available online through an authoritative resource. This information is standardized, and the database can provide entrepreneurs with tailored information. Client-facing checklist and guidance modules are available that allow businesses to carry out risk self-assessments.

Other Key Considerations

ICT Solutions

Information communications technology (ICT) solutions are critical to implementing RBR systems, especially at the planning, profiling, monitoring and enforcement level. ICT solutions range from simple Excel lists with static criteria to simple websites that allow low-risk businesses to notify authorities and automatically register their activity to comprehensive technology solutions that support the entire life cycle of inspection activities. The latter type of solution is known as an Inspection Management System (IMS).

Basic IMS includes a registry of inspection subjects (legal entities) and objects (physical locations) classified according to business activities; a registry of regulations applicable to each regulatory domain; and modules to support systematic reporting and recording mechanisms for inspections findings. Intermediate solutions include modules that support risk-based inspections planning, complaints management, and risk model simulations. IMS may also include front-end capabilities, such as public inspection portals for publishing summary inspection reports to improve transparency, online channels to submit complaints and appeal enforcement decisions, and basic mobile inspection capabilities. Advanced systems can integrate inspection practices across multiple inspectorates and risk-based inspection planning and risk modeling; some modules support decision making on enforcement management, fully fledged document and workflow systems, automated or real-time integration with other information sources such as registries, and performance management capabilities enabled through business analytics. Lastly, comprehensive ICT solutions such as IMS can also include procedures for licensing and registration, to offer the entire lifecycle of regulatory compliance, through Integrated Licensing Management and Inspection Systems.

The key benefits of ICT for RBR include (i) the ability to create registries of regulations and regulated entities; (ii) improved targeting through a better identification and follow-up of risks; (iii) lower administrative burdens for businesses and entrepreneurs to comply with regulations; (iv) increased quality and effectiveness of inspections leading to higher compliance; (v) improved internal efficiency and reduced administrative costs for governments; and (vi) increased transparency of inspection operations for businesses, leading to fewer opportunities for corruption. Implementation of ICT solutions, however, may incur significant expenses, require training, and pose challenges for retaining expertise.

In addition to the benefits of ICT, research shows that introducing an inspection management system, especially one shared across various inspectorates, can help institutionalize many of the good practices required for effective business inspections.

Implementing an RBR Project

Reformers can take several broad, sequential steps to successfully implement RBR projects.

1. Diagnose the licensing and inspections system; assess whether the system is mature enough to implement an RBR approach.

2. Communicate the RBR concept and the merits of the approach to key stakeholders.

3. Identify a champion who can spearhead an RBR approach and raise awareness and obtain buy-in from other agencies relevant to making it work.

4. Introduce RBR in a framework law or regulation.

5. Introduce ICT solutions to support implementation of RBR tools.

6. Support the client with guidelines on how to implement the law in operations, from developing risk assessments and risk classification systems to enforcing rules.

7. In an inspections project, it is possible to go more deeply into sectors and develop vertical modules for risk assessments.