Better risk management

in support of regulatory quality

Incorporating risk assessment tools in RIA to prepare better rules

Charles-Henri MontinSenior regulatory adviserMinistry of Finance of Francehttp://smartregulation.net

Taipei, 7 October 2011

A few concepts to start with

Risk Hazard Risk analysis Precautionary principle Administrative certainty and security Risk management Risk based regulation

Definition of risk based regulation

Range of meanings(1) Regulation of risks to society(2) Loose collection of approaches expressed terms of risk(3) In banking and insurance regulation, the use of firm’s

own internal risk models to set capital requirements(4) Systematised decision making frameworks and

procedures to prioritise regulatory activities and deploy resources, principally relating to inspection and enforcement, based on an assessment of the risks that regulated firms pose to the regulator’s objectives

Definition (4) is that used here

Main elements of risk based regulation

Setting the risk tolerance Risk identification and risk assessment Assigning scores and ranking firms or sites Linking supervisory resources and responses

to the risk scores.

Key issues in design

Approaches taken to risk tolerance The choice between objective and subjective

indicators The relative roles of impact and probability The role of weighting Integrating broader external risks with firm

level risk assessments Dealing with ‘bulge’ –the low risk firms which

are usually the majority of the regulated population

Challenges in implementation

Combining simplicity with complexityKnowledge and data –getting the right data, and making

better use of the knowledge the agency hasStructure and operation of internal risk governance

processes –how to balance the need for organisational structures to ensure the accuracy and consistency of assessments with speed and responsiveness.

Changing the culture to embed the risk based approach across the whole organization

Ensuring internal compliance with the risk based regimeEnsuring that assessments of firms are forward looking

Going beyond the individual firm in assessing risk

Managing blameMaking resources follow risksManaging political risk

Lessons from OECD experiences

Starting out– Start with risks not rules– Ensure the organisation has sufficient powers to implement the

approach– Beware of other regulatory or governmental policies which may

contradict or hinder the adoption of a risk based approach– Ensure you know what your goals are-it is worth doing, but don’t do it

for the wrong reasons Dealing with transition

– Designing and implementing a risk based framework will take time– Organisational challenges are significant and shoud not be

underestimated – Think beyond the risk assessment to how the organisation will respond

Challenges of maintenance– Keep the framework simple to use and be prepared for the need to

make continual adjustments– Think in terms of achievability

Need for communication internally and externally Need to recognise that risk based processes require regulators, and

politicians, to take risks.

The risk cycle in policy making

Definition of risk analysis

Communication on Consumer Health and Food Safety (1) A systematic procedure comprising: the scientific evaluation of hazards and the probability

of their emergence in a given context (risk assessment) The assessment of all measures making it possible to

achieve an appropriate level of protection. It includes assessing the impact of policy alternatives in light of RA results and the desired level of protection (risk management)

The exchange of information with all the parties concerned (risk communication)

Principles for sound risk management

Separation between scientific advice and regulatory responsibilities

Risk assessment advice to be provided by independent scientific committees

Scientific committees to be structured and to work in accordance with principles of excellence (highest possible quality), independence and transparency

Members, minutes, opinions, minority opinions to be published

Open calls for expression of interest for membership

System of indemnities

11

Endorsed in 2005 OECD Guiding Principles for Regulatory Quality and Performance

Risk assessment helps avoid opportunity costs of regulatory failure: Failing to regulate when there is a need (type 1 error) Regulating when there is no need (type 2 error)

“Quantitative risk assessment improves the capacity of a government to focus on the most important risks and reduce them at lowest cost while identifying those risks that fall below a threshold justifying government action.” OECD 2002

RIA has been adopted by all OECD countries for at least some forms of new regulation

But formal risk assessment not comprehensively applied

Risk in Regulatory Impact Assessments (RIA)

Uptake of RIA in OECD Countries

12

13

1. Problem definition2. Objectives of Government action3. Consideration of alternative options4. Impact analysis – costs, benefits and

risk5. Consultation6. Recommendation7. Implementation and review

Steps in Regulatory Impact Assessment

14

Defining the problem What will occur under a ‘do nothing scenario’ ? What is the probability that the outcome will occur? How serious is the harm or injury that could occur? How widespread will it be and who will be affected? What is the level of uncertainty?

Govt objectives are often to “reduce risk” Any reduction in risk involves costs Need to determine how much risk is acceptable What is the value of the risk cost trade-off? Goal should be the minimum effective regulation to meet

objectives

Risk analysis is in all steps in a RIA

15

Alternative Options Risk avoidance – prohibit activity Risk transfer – cause another party to accept the risk

(contracts, compulsory insurance, privatization) Risk retention – accept the loss from the risk event Risk reduction – reduce the probability of the risk event

(licensing, codes and standards, enforcement strategies)

Impact Analysis Calculate costs and benefits of each option; show net

benefit Sensitivity analysis can reveal implications of uncertainty

for decision makers

Analyse the impacts of alternatives

16

Consultation Explore the consequences and probabilities of risk for

each option analyzed Obtain feedback from all groups likely to be affected Seek expert opinions

Recommendation Select option with highest net benefit, only after

accounting for risk in the analysis

Build in implementation and review Was the risk adequately identified? Has government intervention been effective? New science - what has changed, is it still appropriate?

Promoting Transparency

17

Managing complexity Getting the right data can be difficult

But the systematic framework of a risk assessments can be still be useful

Develop in house risk tools Even simple approaches have merit

Build the capacity for risk assessment over time Post implementation reviews reveal lessons

Recognize that risk based processes require regulators and politicians to take risks

Manage communication of risk cost trade offs

But not without its challenges…