Risk theatre: stop the compliance charade before it costs you
Companies must move beyond vague risk labels like high, medium, and low, or even red, amber, and green, and instead quantify risk in financial terms, ensuring clear definitions aligned with business context, risk policy, and appetite to avoid costly mistakes and misleading assessments.
Governance · Risk alignment
Tim Clements
2/24/2025 · 5 min read


Risk. It’s the one word that can make or break a company. Yet, too many TechReg leaders still treat it like an abstract concept, something that can be categorised with vague labels like high, medium, or low. That’s not risk management, that’s deception. And deception, whether intentional or unintentional, is dangerous and costly.
The Illusion of high, medium, and low
Saying a risk is 'high' or 'low' is like saying an investment is 'big' or 'small.' It tells you nothing. If someone told you they had a 'high-risk' stock option, your first question would be: 'How high?' Is it a 20% chance of failure? 50%? 80%? The same logic applies to AI, data protection, cybersecurity, regulatory compliance, and operational risk. Executives don’t make financial decisions based on gut feelings, they make them based on Euros, pounds, dollars (whatever the currency) and probabilities. Risk needs the same treatment.
Far too often, companies waste valuable time and resources on risk assessments that tell them nothing useful. Risk that isn’t quantified properly is risk that isn’t managed properly. Worse yet, businesses deceive themselves into thinking they are making informed decisions when in reality, they’re navigating in the dark.
Many years ago I found it interesting, working in one of the UK’s largest financial services companies that has risk at the heart of its business, that in the IT/tech division risk was paid lip service. Similarly, I worked in a global FMCG company where risk and quality were at the core of its business, yet in the IT/tech division, risk was downplayed, often with statements like 'no, we can't show the business this.' I’ve also worked on client bids with one of the largest tech outsourcing companies globally and seen the sales team actively remove risks because 'the client shouldn't see them.' This kind of risk denial is not just negligent, it’s dangerous.
Using terms like high, medium, and low, or red, amber, and green is meaningless unless you have carefully defined and explained exactly what the terms represent in your business context, in relation to your risk policy and appetite, as well as the type of risk. Otherwise, you might as well talk in terms of limes, oranges, and apples! These categorisations only hold value when they are tied to clear, measurable criteria that allow stakeholders to understand their real impact and significance.
Risk management is not a tick-box exercise
Too many companies treat risk management as a compliance checklist, something to satisfy auditors or regulators. But compliance does not equal security. A company that merely checks the boxes isn’t mitigating risk, it’s documenting it. And documentation in pretty colours doesn’t stop breaches, fines, or reputational damage.
The time wasted on compliance-driven risk assessments that don’t reflect real-world threats is staggering. Companies spend countless hours filling out templates and forms that are filed away and forgotten. These exercises provide a false sense of security, when in reality, they achieve nothing.
A risk template is just a template
Risk templates are useful, but they aren’t solutions. They provide structure, but they don’t replace analysis. If risk management was as simple as filling out a form, every company would be secure, every compliance requirement met, and every breach prevented. But we know that’s not the case.
Every business is different, and so is its risk landscape. A generic template doesn’t capture the nuances of industry-specific threats, evolving challenges, or shifting regulatory requirements. Risk management requires continuous analysis, adaptation, and investment, not just a well-documented spreadsheet.
A major problem with relying on templates is that it encourages a 'set and forget' mindset. Companies complete them once and assume they are covered. This approach is a trap, leading to outdated risk models that fail to account for new and emerging threats. Worse still, companies are lulled into a false sense of security, believing they are managing risk when they are merely paying lip service.
The heartbeat of regulatory compliance
Risk management isn’t a side project, it’s the foundation of regulatory compliance. Companies that embed risk assessments into their operational processes and procedures don’t just meet compliance standards, they go beyond. They identify weaknesses before auditors do. They mitigate financial exposure before investors demand answers. They build resilience before competitors catch on.
When risk management drives compliance, companies transform from reactive to proactive. Instead of scrambling to meet regulatory deadlines, they create a culture where compliance is a natural byproduct of robust risk governance.
Risk management is a living and breathing function
Risk isn’t something you evaluate once a year and forget about. It’s not an annual report or a quarterly meeting topic. Risk evolves. Every new piece of tech you deploy, every regulatory change, every new vendor introduces risk into the equation.
Cyber threats don’t wait for your next board meeting. Market disruptions don’t schedule themselves around your fiscal year. Risk management must be dynamic, integrated into daily operations, constantly measured, and continuously refined.
Ignoring this reality is costly. Companies that treat risk as a static concept often find themselves reacting to crises instead of preventing them. The time and money spent cleaning up a disaster far outweigh the effort required to manage risks correctly from the start.
Are companies overplaying or undervaluing risk?
The answer: both. Some companies inflate certain risks to justify larger budgets, while others downplay threats to avoid costly investments, or in some cases, leaders don't want to be seen washing their dirty laundry in front of their peers. Neither approach is sustainable.
Without quantification, risk management is a guessing game. And in business, guessing is expensive. Companies must assess loss exposure in financial terms, identifying which scenarios truly threaten the bottom line and which are overblown distractions.
Do companies articulate the different types of risk?
In simple terms, no. In most cases, it's 2 out of 10 for effort and lots of room for improvement. Not all risks are created equal, yet many companies lump them into a single category. You need to separate and quantify:
Cyber risk: breaches, ransomware, insider threats, what’s the financial impact of a worst-case scenario?
Compliance risk: GDPR fines, personal data breaches, sectoral regulations, what are the legal and reputational costs?
Operational risk: supply chain disruptions, technology failures, how do they affect revenue and productivity?
Financial risk: financial losses, what’s the exposure in tangible currency?
Reputational risk: negative media coverage, social backlash, how do they translate into consumer loss and stock price drops?
AI risk: bias, liability, regulatory concerns, how do emerging technologies introduce new vulnerabilities?
Companies that can’t articulate their risks can’t manage them, let alone link them from a ripple effect perspective. And if they can’t do that, they can’t mitigate financial losses.
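To make the point above concrete, here is an added example (not from the original article) that re-expresses two register entries, both labelled 'high', as annual loss exposure: expected frequency of the loss event, a plausible per-event loss range, and a simple Monte Carlo run to get the expected annual loss and the 1-in-10-year loss. The scenario names and figures are constructed for illustration.

```python
"""Two risks both labelled 'high' on a register, re-expressed as annual loss exposure.
Added example (not from the original article); scenario figures are constructed."""
import math
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    label: str              # the vague label the register uses today
    events_per_year: float  # expected loss-event frequency (Poisson rate)
    loss_low: float         # plausible per-event loss range in EUR ...
    loss_high: float        # ... modelled here as uniform for simplicity

def expected_annual_loss(s: Scenario) -> float:
    """Analytic expectation: frequency x mean loss per event."""
    return s.events_per_year * (s.loss_low + s.loss_high) / 2

def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; fine for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate_annual_losses(s: Scenario, years: int = 20000, seed: int = 1) -> list:
    """Monte Carlo: total loss for each simulated year."""
    rng = random.Random(seed)
    return [sum(rng.uniform(s.loss_low, s.loss_high)
                for _ in range(_poisson(rng, s.events_per_year)))
            for _ in range(years)]

def percentile(values: list, q: float) -> float:
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

def quantify(scenarios):
    """Per scenario: label, expected annual loss (EAL), simulated mean and P90 loss."""
    out = {}
    for s in scenarios:
        losses = simulate_annual_losses(s)
        out[s.name] = {"label": s.label, "eal": expected_annual_loss(s),
                       "sim_mean": sum(losses) / len(losses), "p90": percentile(losses, 0.90)}
    return out

# Constructed register entries: identical label, very different exposure.
REGISTER = [
    Scenario("Ransomware on core production platform", "high", 0.2, 500_000, 4_000_000),
    Scenario("Phishing-enabled invoice fraud", "high", 3.0, 20_000, 80_000),
]

if __name__ == "__main__":
    for name, r in quantify(REGISTER).items():
        print(f"{name}: label={r['label']} EAL=EUR {r['eal']:,.0f} P90=EUR {r['p90']:,.0f}")
```

The two entries carry the same label, yet one has roughly three times the expected annual loss and a 1-in-10-year loss an order of magnitude larger; that difference is exactly what the label hides from the board.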
It’s cheaper to get it right up front
Risk management should never be an abstract conversation. Executives care about financial performance, shareholder value, and business growth. If TechReg leaders want their concerns taken seriously, they need to speak the language of the boardroom: Euros, losses, and business impact.
The biggest mistake companies make is waiting until something goes wrong before addressing risk. This reactive approach is always more expensive than proactively managing threats from the start. The cost of a breach, a compliance failure, or a reputational hit far exceeds the investment required to do risk management correctly upfront.
Businesses must stop deceiving themselves with vague assessments and wasted time on meaningless exercises. Real risk management is about clear financial impact, actionable data, and strategic decision-making.
Did this resonate? Purpose and Means work with TechReg leaders to align risk, and to build a framework that is customised to your business context in order to quantify risk in terms that will align with the needs of your leadership.
Read about our Risk alignment and risk measurement service and feel free to get in touch to arrange a no obligation call to discuss your requirements.
Purpose and Means
Helping compliance leaders turn digital complexity into clear, actionable strategies
Based in Copenhagen, operating globally
tc@purposeandmeans.io
+45 6113 6106
© 2025. All rights reserved.