One of the main challenges for regulators is how to stretch our resources to adequately cover our responsibilities. Compliance planning is an essential tool for meeting these challenges. Where are you going to put your regulatory efforts? How much capacity do you have? Where do you put your energy to minimise harm? How do you communicate your plan so duty holders do the things you want them to do in advance? How do you maximise voluntary compliance? How do you use data and intelligence systems?
How to manage scarce resources
Nick Heys is the Director of the Australian Competition and Consumer Commission (ACCC). He emphasises being proactive and strategic as an organisation. Not simply reacting to market issues. Identifying and fixing the important problems and telling people about it. Having an annual strategic review.
Rachel Scalongne is Director at the Department of Regional Development, Manufacturing and Water, in Queensland. She says, ‘One of the benefits of compliance planning is that it allows you to challenge each other and think through and then work out where you may want to focus now and where you may want to focus into the future, and what you need to get there, whether it be data black holes or just the capability of the workforce.’
It is no use having a great plan if you can’t then deliver it because you don’t have the infrastructure or the skill sets. Compliance planning ensures that you put those steps in place to deliver on your goals.
‘I’ve never met a regulator who says, “I have enough resources”,’ Rachel points out.
Andrew Wilson is General Manager of Compliance, Enforcement and Technical Services at Dairy Food Safety Victoria. They licence or regulate almost 3,500 dairy businesses, but only have six full-time verification staff. How does he allocate his scarce resources over such a broad remit?
‘We’ve always had an approach where activities are given a nationally agreed risk rating of high, medium or low and then regulatory effort is focused on those’, he explains. ‘High risk activities get checked a certain amount of times per year or per licence period, but there are probably some better efficiencies we can add to that to get sharper and better support verification activities. People have been taking milk from cows for eons. Therefore, the risk associated with doing that on a large scale hasn’t really changed. So how do you improve on a regulatory system that doesn’t involve a lot of fast pivots? For us that was looking at how can we focus our energies to better allocate resources within businesses themselves or within licenced businesses, as opposed to just the broad brush of high risk, low risk, medium risk. We went through organisational change management to show people that what we were actually checking was all the same; it was just the methodology that changed.’
How do you manage data?
Rachel stresses the importance of data. There are lots of data sources departments hold, but regulators might not see the value in using it for compliance. She says, ‘It has value in other activities, but can it also help you understand your risks? Some of it’s patience and time, and trying to understand the business and use the people that are doing the work to help along that journey. That’s my greatest advice to those that are regulating. Do it collectively. Don’t do it in isolation.’
Nick’s ACCC uses internal and external surveys to put forward ideas and suggestions. They do a lot of data analysis. They talk with other regulators in their space, and with state and international regulators. And they do one-on-one discussions on where the market is heading and what issues they are seeing with their stakeholders.
Andrew agrees with Rachel that you have to look at what you’ve already got in your toolkit. ‘There’s heaps of information that we sit on as regulators. For ourselves we’ve looked at all the compliance and licencing information we had against some of our dairy manufacturers for the past ten years and we threw it into a big bucket and used an artificial intelligence program to see if it could pull out any identifiable patterns when we told that program what the risks were around particular food safety recalls. For example, if we had multiple listeria detections in a given product combined with poor compliance outcomes, was that a precursor to that company having more recalls or other issues within the marketplace? We did a proof of concept and the results are really promising.’
Regulators struggle with catching up to market evolutions and technological innovations. So how do we anticipate compliance issues? How do we deal with unknowns versus knowns?
Nick stresses the importance of horizon scanning; trying to look at emerging priorities or issues that might cause concern in a couple of years.
‘One of the tools that we found really quite successful is when we announce our priorities there are a number of external law firms, industry associations and others that actually watch with interest what we announce, and then they will reach out to members of their association or their clients and actually advice that the ACCC has prioritised conduct X and this is what you need to do to address it. And that has been a really effective compliance mechanism for us.’
Dairy Food Safety Victory engages through surveys with a team that collects information from their licencees, informed by compliance patterns from the previous year. ‘If we issued a lot of compliance issues around a particular risk’, says Andrew, ‘we will do a survey of people who undertake that activity and tell the story about how well our industry controls that given risk. We then analyse the data and go back to industry and say, “Here’s where we see improvements can be made, and here’s the way to do that”. And we use that information to support our compliance activities as well, so when my compliance staff go in to verify those controls, they’ve got a ready-made resource to point the licencee towards and say, “Here’s where you’re not quite up to scratch. Here’s information to support compliance in a sustainable fashion going forward, so we shouldn’t have to have this conversation when I come back.” And that uplifts the whole industry.
‘There are flow-down effects as well, such as better quality and process control. And I think that being able to tell that story over and over again is really a way to demonstrate to all stakeholders that you’re actually adding value to your regulatory job.’
Rachel uses environmental scanning as an example of measuring unknown cohorts. Anyone can cut down trees in a rural setting, so you aren’t dealing strictly with licenced businesses. So how do you measure compliance?
She says, ‘Satellite imagery was a good tool to work out where that change may be happening, which is different from saying, “I regulate you and you have a licence and a level of responsibility and I can communicate with you”. It’s understanding your environment and using the best tools to collect the data to be proactive.’
The bush telegraph
Rachel affirms the bush telegraph is alive and well in her organisation. This is prominent in a lot of regional communities, where ordinary people spread the word about what the authorities are targeting.
Rachel says, ‘The bush telegraph is often a positive thing. My regional colleagues are really good at spreading information at meetings with organisations and member associations about what we are looking at. Like when you get your electricity bill it tells you you’re a house of four and you are under or over where you need to be.
‘It’s important to tell a performance story. Why are we here to regulate? Address the why.’
‘Probably the biggest lesson we’ve learned over the last ten years in having an integrated compliance and enforcement approach’, says Nick, ‘is that it’s about identifying problems to make decisions about what cases to pursue. The one change we’re trying to implement across our organisation is you don’t stop once you get that penalty from the federal court. Leveraging that judgment is really central to what we do. The whole reason for actually taking a matter through the courts in the first place isn’t really about penalising business for non-compliance but trying to identify systemic market-based issues we want change.’
What Nick wishes he knew when he started was the importance of a compliance plan as an internal and external document. He says it’s an integrated approach. ‘We don’t just want enforcement cases, education pieces and audits. It really needs to be integrated across the organisation and then followed through. It’s a circular process. So if you take enforcement action, that then leads to further engagement, and vice versa.’
Rachel stresses not trying to go from 0 to 100 in one year. ‘Take it step by step. Make sure your plan includes how you’re going to collect information and what you’re going to do with it so you can sell the benefits from that integrated, circular loop to help keep driving you forward.’
Andrew has learned to look at ways to evaluate effectiveness other than just straight measures of compliance. ‘There are ways you can measure compliance that aren’t obtuse’, he says, ‘and actually demonstrate that you deliver value to all your stakeholders rather than just being a regulatory burden to business. Also, one size does not always fit all. You need to be really delicate in how you treat different areas of your regulatory cohort, keeping in mind their individual pressures and your intended outcome. What’s necessarily great for one of the largest dairy manufacturing plants in the Southern Hemisphere may not be great for an artisanal cheese maker with half a dozen goats.”
This article is based on a National Regulators Community of Practice Webinar I facilitated in Janurary 2022. You can watch the full webinar and view the entry slide I discussed below. Additional Q&A’s from the session are available here.
You can view additional details on my role in creating EPA Victoria’s first annual compliance plan here. If you want to explore this topic further, I discuss the importance of strategic planning, setting regulatory priorities to maximise voluntary compliance and harnessing the value of complaints with other regulatory leaders in two other blog posts which you can check out here.