Enforcement needs to be risk-based and proportionate: the frequency of inspections and the resources employed should be proportional to the level of risk and enforcement actions should be aiming at reducing the actual risk posed by infractions.
OECD Regulatory Enforcement and Inspections Toolkit
Criterion 3. Risk focus and proportionality
Key questions:
Does applicable legislation allow for risk-focus and risk‑proportionality – and does it require it to be the foundation of inspection and enforcement activities?
Does a common approach to risk assessment and risk management exist, or at least similar understanding and practices across most regulatory domains?
Is the majority of inspections proactive, and is the targeting of inspections effectively based on risk, including the management of complaints and reactive inspections?
Are enforcement decisions effectively based on risk‑proportionality?
Are risks, risk management strategy and risk-based enforcement approach clearly and actively communicated to all stakeholders, with a view to managing expectations and improving outcomes?
Sub-criterion 3.1. Applicable legislation allows for risk-focus and risk‑proportionality – and requires it to be the foundation of inspection and enforcement activities
For inspections and enforcement to be effectively founded on risk-focus and risk-proportionality, these must first actually be allowed by legislation (and broader case law). In a number of countries, legal wording and/or legal interpretation make it very difficult to properly use risk-based approaches, because they are understood to mandate full enforcement of every norm, without any discretion in targeting and response. In practice, there is overwhelming evidence that there cannot be effective, universal coverage by inspections, and that enforcement decisions are never without any discretion (since there is always some discretion in determining whether there is a violation, and what it is). Such legal doctrines or rules, however, make it very difficult for inspection and enforcement institutions to develop risk-based approaches where discretion is openly embraced and organised – even though in practice these approaches make it possible to move from arbitrary selectivity (through lack of time and resources) to meaningful selectivity (based on risk).
The first need is thus to have legislation that explicitly and clearly allows for selectivity in inspection visits (not requiring universal control) and for differentiation in enforcement response (allowing for adaptation to circumstances and proportionality, as long as criteria are clear). Further, it is even better if legislation not only allows but actually requires the use of risk-based approaches. Evidence suggests that many inspection and enforcement institutions are reluctant to reduce their discretionary power, and thus resist the introduction of risk-based approaches, which replace unbounded individual discretion by clear criteria for targeting and response. Having policies, laws and regulations that mandate them is thus clearly good practice.
Evidence: framework or sector-specific legislation contents regarding discretion, risk proportionality
Sub-criterion 3.2. A common approach to risk assessment and risk management exists, or at least similar understanding and practices across most regulatory domains
Allowing and even mandating the use of risk-based approaches is insufficient if there is no proper understanding of what such approaches actually mean, and how to implement them. Risk should be properly understood as combining the likelihood of some adverse event, with the potential magnitude and severity of the consequences of this event (i.e. “high risk” is very different from “high likelihood of violation”). It is thus important to have an official definition of risk that applies across all regulatory areas. In order to make co-ordination of actions between different inspection structures more effective, to allow for better allocation of resources across different fields and regulatory areas, and to allow for more meaningful risk-proportionality, it is very useful to have a common approach to risk assessment and risk management across government. This should include a unified definition of risk, as well as common tools and methods to assess and rate risks, and to determine the appropriate response. Of course, sufficient customisation for the needs of specific areas must be allowed. If they are not wholly shared across different institutions or functions, there should at least be a sufficiently high level of similarity to allow for coherence across the regulatory system.
Evidence: official document(s) on risk assessment and risk management
Sub-criterion 3.3. Majority of inspections are proactive, targeting of inspections is effectively based on risk, including the management of complaints and reactive inspections
Risk-focus should not only be mandated by official guidance (and if possible by legislation), it also should take place in practice. This means that the vast majority of inspections should be proactive, with their targeting based on risk assessment (itself relying on data on different sectors and establishments). Risk factors taken into account for this targeting should include at least intrinsic risk of the activity, scope of operations, vulnerability factors (location, population served) if relevant, and past track record. Even when receiving complaints or other information, a risk-based methodology should be used to determine whether to conduct reactive inspections: reliability or credibility of the information, seriousness of the risk outlined in the complaint, past track record (previous complaints), etc. Reactive inspections should remain a minority of the total, and systematic response by an inspection (one complaint, one inspection) should be excluded. At the same time, a base-level frequency of inspections can be required to maintain supervision credibility. Also, incidentally, an inspection may be needed to provide the regulator with sufficient insight into current market developments or a firm’s market initiatives, even if the ex-ante risk assessment does not mandate the inspection.
Evidence: official guidelines on targeting, annual reports with data on inspection activities and targeting (with data on different risk groups)
Sub-criterion 3.4. Enforcement decisions are effectively based on risk-proportionality
Risk-proportionality in taking enforcement decisions is at least as important as targeting inspections based on risk assessment. When assessing the situation in an establishment, inspectors should consider not only whether there are any violations, but whether these violations are part of a pattern, whether they reflect deliberate reckless behaviour or result from mistakes that the operator is ready to correct at the earliest, and crucially whether these violations actually create serious risks for the public welfare (safety, health, environment etc.) – and, if so, the magnitude of these risks. As much as possible, there should be official guidance clarifying how risk proportionality works and how enforcement decisions should be taken, so as to increase transparency and reduce uncertainty.
Evidence: official guidelines on risk-proportional enforcement, annual reports with data on enforcement decisions and analysis/trends
Sub-criterion 3.6. Risks, risk management strategy and risk-based enforcement approach are clearly and actively communicated to all stakeholders, with a view to managing expectations and improving outcomes
Risk-communication is essential to any risk management strategy. In the case of inspections and enforcement activities this means in particular transparency about risk criteria to make discretion legitimate, clarity about limitations in risk prevention to ensure expectations are correctly managed, and better information about key risks so as to improve compliance with key requirements and improve outcomes. Such information should target all key stakeholders: business operators, consumers, workers, citizens. A key element of risk communication is to make it clear that managing risk cannot be done by inspectors alone. Strong information and outreach is a key element of success.
Evidence: official policy and evidence of outreach efforts