Regulatory compliance is one of the most persistent sources of confusion in enterprise risk management. The confusion is not about what regulatory compliance requires — that is usually well-understood by legal and compliance teams. The confusion is about what regulatory compliance provides. The answer, which is not universally accepted, is that regulatory compliance provides evidence that you met a minimum regulatory standard at a point in time. It does not provide evidence that you managed risk effectively. These are different things, and treating them as equivalent is a risk management failure with significant consequences.
What the Difference Looks Like in Practice
An organisation can be fully compliant with every applicable regulation and still be carrying unacceptable risk. Regulations set minimum standards that apply to all organisations in a sector, regardless of their specific risk profile, operating context, or the nature of their particular exposures. A minimum standard that is appropriate for the median organisation may be entirely inadequate for an organisation with above-average exposure — to cyberattack, to environmental hazard, to supply chain disruption, or to any other category of risk that the regulation addresses only at a baseline level.
Conversely, an organisation can have a world-class risk management framework — genuinely sophisticated, well-resourced, consistently practised — and still have compliance gaps. Compliance with specific regulatory requirements and quality of risk management are correlated but not equivalent. The direction of the gap matters: an organisation that has excellent risk management but a compliance gap in a specific requirement is in a better operational position than one that has achieved compliance but has no underlying risk management capability. Neither gap is desirable. They are not the same.
The Governance Trap
Many boards and executive teams have conflated regulatory compliance with risk governance to the point where they use the terms interchangeably. Board risk committee agendas focus primarily on compliance status — which regulations are met, which are pending, which represent a gap. Risk management agenda items — what risks is the organisation actually carrying, how are those risks being managed, are the controls working — are either absent or secondary.
This is understandable. Compliance is measurable and reportable in a way that risk management quality often is not. Compliance has external validators — regulators, auditors, certification bodies. Risk management quality requires internal judgement that is harder to systematise and harder to report. But the consequence of the conflation is that the board is informed about compliance status and uninformed about actual risk exposure. That is a governance failure regardless of the compliance position.
The Legal Exposure Dimension
There is a specific legal risk associated with treating regulatory compliance as the ceiling of risk management responsibility. In litigation following a significant adverse event, regulatory compliance is relevant but not determinative. The question before the court is whether the organisation met the standard of care that a reasonably prudent organisation in that sector would have applied. If that standard, in practice, exceeds the regulatory minimum — as it often does in mature, well-resourced sectors — then compliance with the regulatory minimum is not a complete defence.
I have reviewed cases where an organisation cited regulatory compliance as evidence of adequate risk management, and the court or expert witness process demonstrated that the regulatory minimum was well below what comparable organisations in the sector were actually doing. Compliance with a minimum standard that was inadequate to the actual risk is not a satisfying defence. It is evidence that the organisation met a low bar.
Building Risk Management Beyond Compliance
The organisations that manage risk most effectively treat regulatory compliance as a floor, not a ceiling. They use compliance requirements as the baseline from which they build a genuine risk management capability — one that is calibrated to their specific risk profile, operates continuously rather than periodically, and is subject to independent verification rather than self-assessment.
This requires a clear internal understanding of the distinction between the compliance function — which is responsible for ensuring the organisation meets its regulatory obligations — and the risk management function — which is responsible for ensuring the organisation understands and manages its material risks. Both are necessary. Neither is a substitute for the other. Organisations that have one but not the other are carrying a gap that may not be visible until something goes wrong.
The most effective way to close this gap is to be explicit about it. Frame the distinction clearly for boards and executive teams. Report on compliance status and risk management quality separately. Make explicit the cases where regulatory compliance is adequate and those where the organisation's specific risk profile requires additional controls beyond the regulatory minimum. That transparency is the foundation of genuine risk governance — as distinct from compliance management dressed up as risk management.
Tony Ridley provides enterprise risk governance advisory, independent risk framework review, and board-level risk reporting improvement services. Contact us to discuss your requirements.