Paper: Regulatory Risk of Not Adopting Available Risk-Reduction Services
1. Purpose
This paper considers whether the Board has a regulatory, compliance, governance and competitive risk exposure if the organisation does not adopt an available risk-reduction service that is:
- demonstrably effective;
- unique or materially differentiated in the open market;
- already being adopted by competitors or comparable organisations; and
- relevant to known operational, compliance, security, conduct or resilience risks.
2. Core Board Question
The issue is no longer simply:
“Should we use this service?”
The board-level question becomes:
“If a credible risk-reduction service exists, and peer organisations are using it, what is our defensible reason for not using it?”
3. Regulatory Context
Modern regulators increasingly expect boards to demonstrate active oversight of material and emerging risks, not merely passive compliance.
In Australia, APRA’s CPS 220 places ultimate responsibility on the board for an appropriate risk management framework, while CPS 230 requires regulated entities to manage operational risk, critical operations, disruptions and service-provider risk (APRA CPS 220). ASIC also states that risk identification and management, including emerging risks from technological and market change, are core director responsibilities.
This means that once a risk-reduction mechanism is known, available and used in-market, the burden shifts. The organisation must be able to show why its alternative approach is equivalent, better, or consciously accepted within risk appetite.
4. The Risk of Non-Adoption
Failure to adopt may create five categories of board risk:
4.1 Foreseeability Risk
If the relevant risk later crystallises, the organisation may struggle to argue the risk was unforeseeable.
Competitor adoption makes the risk and the mitigation visible.
4.2 Reasonable Steps Risk
Regulators, courts, auditors and insurers may ask whether the board and management took reasonable steps.
A known, available and effective control may become part of what is considered reasonable.
4.3 Benchmarking Risk
Competitor adoption can shift the market benchmark.
The question becomes:
“Why was this organisation operating below emerging market practice?”
4.4 Documentation Risk
If the board does not consider the service, there may be a governance record gap.
If it considers and rejects the service, the decision must be supported by evidence, not preference, inertia or cost alone.
4.5 Strategic Risk
Risk reduction may also become a competitive advantage.
Competitors using the service may become more trusted, more insurable, more compliant, more capital efficient or more resilient.
5. Board Duty Lens
The Board does not need to adopt every new service. However, it should ensure that management has properly assessed:
- the risk being reduced;
- the evidence that the service reduces that risk;
- competitor or peer adoption;
- regulatory expectations;
- implementation cost and complexity;
- residual risk if the service is not adopted;
- whether current controls are equivalent; and
- whether non-adoption remains within risk appetite.
6. Key Principle
A board can choose not to adopt a risk-reduction service.
But it should not be unaware of it.
And it should not reject it without a documented, evidence-based rationale.
7. Recommended Board Position
The Board should require management to prepare a formal assessment of the service, including:
- risk addressed;
- regulatory relevance;
- peer adoption evidence;
- comparison against existing controls;
- implementation pathway;
- cost-benefit analysis;
- residual risk of non-adoption; and
- recommendation.
8. Suggested Resolution
The Board notes that where a credible risk-reduction service is available in the open market and is being adopted by competitors or comparable organisations, non-adoption may create regulatory, compliance, operational and strategic risk.
The Board requests management to assess the service and report back with a recommendation, including whether current controls are equivalent and whether any residual risk of non-adoption is within the organisation’s approved risk appetite.
9. Conclusion
The existence of a unique risk-reduction service changes the governance question.
Once the service is known, available and adopted by peers, inaction is no longer neutral.
The Board’s obligation is not necessarily to adopt the service immediately, but to ensure that the decision is informed, documented, defensible and aligned with regulatory expectations and risk appetite.