John H.
Man in dark suit jacket, wearing light checkered shirt, dark tie and glasses.

Regulation is a core function of government, overseeing services that touch all our lives – from the safety of our drinking water, and rehabilitation of old mine sites, to the quality of our kindergarten services. Using an intelligence-led approach to regulation takes the guesswork out of promoting compliance, and it supports regulators to focus their resources on the highest non-compliance risks across our expansive state.

We continue to find similar problems across a range of regulators in our audits. Our most recent reports to parliament on the effectiveness of the state’s regulators on animal welfare services, dam safety, and firearms regulation, highlighted some common themes.

Last year we wrote to all public sector regulators and oversight bodies and recommended they self-assess their regulatory approaches against the better practices we published in Regulating animal welfare services (Report 6: 2021–22). This includes, where necessary, implementing the changes needed to enhance their regulatory performance. Next year, we will ask them to provide their progress in completing the self-assessment and implementing any enhancements. Each year, we report to parliament on a summary of entities' self-assessments and share other insights in our status of Auditor-General’s recommendations reports.

Definition box

What does it mean to be intelligence-led?

Intelligence-led regulators plan to use data, information, and operational intelligence as central elements of their regulatory approach.

An intelligence-led regulatory approach enhances planning and enables regulators to make the best use of their resources to target the behaviours and conduct that pose the highest risk, regardless of location. A sound intelligence-led regulatory approach combines:

  • a clear understanding of the entity’s regulatory role, functions, and objectives

  • fit-for-purpose systems and plans, including a data collection and use plan

  • a sound risk framework

  • a compliance monitoring and enforcement plan.

Each of these elements is important but it is the effective integration of them to inform decision-making that distinguishes the intelligence-led regulator.

What regulatory practices support intelligence-led regulators?

Understand your role, functions, and objectives

We have found that regulators and oversight bodies at times fail to clearly document how their operations align with their regulatory roles, functions, and objectives. These are important steps for regulators and oversight bodies in ensuring they achieve the objectives and intended outcomes of legislation. If not done, they may fail to fulfil some of their legislated functions.

Report insight5


Check that what is being done aligns with what should be done.

Periodically, regulators need to map and check strategies, operations, activities, processes, and systems to ensure they align and contribute to achieving the legislated and organisational purposes and objectives.

Implement systems and plans that support you to effectively collect and use data

A data collection and use plan can help regulators clearly articulate how data can support their planning and decision-making.


  • What questions do you need to answer to show you are fulfilling your legislative functions?

  • What data and information do you need to answer those questions?

  • What data is available (and its quality and reliability) and how will you access it?

  • How will you use the data? What benefits might it bring for the entities you regulate?

  • What are your data security, confidentiality, and privacy requirements?

  • What systems do you need to obtain, store, and analyse the data?

In many cases, regulators fail to integrate data-driven thinking into their planning, thereby unnecessarily limiting the usefulness of the data.

Develop and implement a risk management framework

Increasingly, industry and government expect regulators to deliver better outcomes and minimise any unnecessary burden of compliance. A risk framework and a compliance prioritisation framework or model can support regulators to prioritise, focus, and deploy their resources in proportion to the risk to the regulatory outcomes they aim to achieve.

Entities can consider risks in terms of the compliance and safety risks present and emerging within the regulated population and industry. It’s also important for the regulator to consider its own organisational (regulator) risk, how these 2 risk profiles overlap, and its risk appetite/threshold. The overlap is where a regulator may consider prioritising its efforts and resources.


  • Do you have risk and compliance prioritisation frameworks in place? Do they ensure you deploy your resources proportionately with the risks to the regulatory outcomes you are seeking?

  • Have you collectively worked towards developing consistent and complimentary approaches to risk-based compliance and enforcement planning?

Report insight5


Regulators should establish risk and compliance prioritisation frameworks to enable them to focus and deploy resources proportionate to the risk to the regulatory outcomes being sought.

Where more than one public sector entity contributes to enforcing the regulatory environment, regulators should develop and implement consistent and complementary risk management frameworks across the regulated environment.

Develop a compliance and monitoring plan

Transparent regulators develop a sound and defensible compliance monitoring and enforcement plan to inform their ongoing and forward activities. The plan should enable flexibility to respond to complaints about the regulated industry or individual regulated entities across the state.


  • Do you have a defensible monitoring and enforcement plan in place, based on risks and proportionate actions in response to non-compliance?

  • Have you communicated your compliance monitoring and enforcement plan to the regulated entities and to the public to help promote trust and confidence?

  • How much goodwill do you have with those being regulated? Is self-regulation and compliance high among those you regulate?

Report insight5


Regulators’ risk and prioritisation frameworks should inform the development of a sound and defensible compliance monitoring and enforcement plan (regardless of whether it is an annual plan or a dynamic plan).

This plan will inform proactive monitoring and enforcement activities and provide a basis for assessing performance.

Communicating compliance monitoring and enforcement plans to the regulated population/industry and to the public helps the regulator promote:

  • public trust and confidence in the regulator
  • goodwill with those being regulated (a no-surprises approach)
  • self-regulation and compliance assurance among those being regulated
  • deterrence of non-compliance.


This blog on planning is the first in a series on good regulatory practices we are publishing over the next 4 months. Keep an eye out for our next articles containing advice on taking action, reporting, and learning.