
The evolution of Governance, Risk, and Compliance practices in the public and private sector

21 October 2025
Di Sinclair and Komal Kalra

Regulatory enforcement in Australia is experiencing transformative change. Rapidly advancing technology and the need for agile consumer protections are putting Australian regulators under increasing pressure. This year alone, technological revolutions such as AI, alongside security and cyber pressures, have prompted regulators to strengthen their enforcement actions. They also face increasing public scrutiny and expectations of stringent measures to combat corporate misconduct. On 3 September 2025, leaders from the public and private sectors convened in Melbourne to discuss the future of regulation. Hosted by Synergy Group, the event explored how Governance, Risk, and Compliance practices are evolving in response to increasing regulatory complexity, digital disruption, and changing community expectations.

Key insights from the discussion centred around these main themes.

 

Key insight 1: Compliance can’t be one-size-fits-all

“Peak regulation” is a concept signalling that saturated rules and overlapping regulators may have reached a tipping point. Adding more regulation is unlikely to improve outcomes and may increase complexity and compliance costs for businesses.

Peak regulation underscores the importance of smart, risk-based approaches, collaboration across jurisdictions, and intelligence-sharing, which collectively improve regulatory efficiency while maintaining public trust. Lessons from the history of amalgamating and separating regulators demonstrate that combining regulators, while potentially reducing cost, doesn’t always improve regulatory outcomes. Careful consideration and planning are essential.

 

Adoption of intelligence-led, risk-based approaches

In this current climate, regulators are rethinking oversight in an increasingly complex environment, adopting intelligence-led, risk-based approaches. Intelligence-led approaches use data analytics and insights across jurisdictions to identify areas where risks are most likely to emerge, moving beyond periodic inspections or standard compliance exercises.

Risk-based approaches prioritise regulatory attention to areas with the greatest potential harm, allowing regulators to focus limited resources on issues that matter most to public trust, safety, and economic stability.

Together, these approaches signify a move away from one-size-fits-all, toward a dynamic, adaptive, and evidence-driven regulatory model.

 

Artificial Intelligence and digital transformation are supporting this shift

Artificial intelligence (AI) plays an increasingly important role in supporting this model by analysing large volumes of data, detecting unusual patterns, and flagging emerging risks that are difficult for humans to identify manually. In regulatory settings, AI can accelerate the identification of potential non-compliance, improve monitoring efficiency, and free human regulators to focus on complex decision-making. However, AI should not make enforcement decisions; human judgment remains essential to ensure decisions are ethical, contextual, and transparent. AI can also help detect systemic issues across organisations and highlight gaps where regulated entities are not leveraging technology effectively.

Digital transformation is critical because modern, integrated information systems enable better data capture, processing, and sharing.

However, many regulators still operate with fragmented systems, manual processes, and limited interoperability, which hampers cross-agency collaboration and risk detection. Digital transformation requires redesigning processes, embedding strong data governance, and building organisational capabilities so regulators can respond rapidly to emerging risks, streamline oversight, reduce duplication, and lower the burden on regulated entities.

Driving transformation in the public sector is orders of magnitude more complex than in private sector organisations, requiring strong leadership, planning, and investment.

 

Key insight 2: Regulators and internal auditors can and should support each other

Clear roles and accountabilities are essential in a regulatory environment, as overlapping mandates and complex governance structures can create confusion about accountability. Without clarity, gaps or duplication in oversight can occur, undermining the regulator’s ability to discharge its responsibilities effectively, ensure compliance, and maintain public trust.

Regulators are often interconnected across multiple agencies or departments. This complexity can make it difficult to clearly trace accountabilities. Misalignment or ambiguity can lead to inefficiencies, gaps in oversight, and even regulatory failure. Currently, in some sectors no entity is fully accountable for ensuring the effectiveness of the regulatory system as a whole, highlighting a critical oversight gap.

 

The key role of Internal Audit

Internal Audit plays a valuable supporting role by providing an independent perspective in regulated organisations on whether key processes and controls operate effectively. Regulators can and should draw on Internal Audit insights to understand whether critical functions, compliance mechanisms, and risk controls are functioning as intended.

Internal Audit can also assess whether staff understand their responsibilities, are appropriately trained, and are following established procedures. Building strong relationships and maintaining open communication channels is crucial for Internal Audit to operate effectively in complex regulatory environments.

By utilising Internal Audit, regulators gain independent assurance and objective insights that support more effective oversight, identify weaknesses in internal controls, uncover emerging risks, and inform risk-based decision-making. Leveraging Internal Audit strengthens governance, improves compliance outcomes, and enhances public trust. Internal Audit is important but works within a broader collaborative culture; it cannot substitute for clear accountability across the organisation.

 

Key insight 3: Regulators should increasingly adopt a ‘stewardship mindset’

Regulators’ responsibilities extend beyond enforcing rules. They must also earn and maintain the trust and confidence of the public and stakeholders, often referred to as social licence. Social licence reflects the community’s trust and acceptance of the regulator’s actions, even beyond what the law requires. When the public perceives decisions as fair, transparent, and in the public interest, regulators are more likely to achieve cooperation and voluntary compliance. Without this trust, regulatory actions may be questioned, compliance may weaken, and overall system effectiveness can be compromised.

Closely linked to social licence, ethical stewardship involves acting responsibly, fairly, and with integrity in managing the systems and processes regulators oversee. Ethical stewardship ensures that decisions and enforcement actions not only comply with the law but also support the long-term credibility, effectiveness, and fairness of the regulatory system. Regulators are increasingly encouraged to adopt a ‘stewardship mindset’, taking responsibility for system-wide outcomes and actively supporting compliance across the system rather than only enforcing rules.

Purpose, leadership, and organisational culture are central to embedding social licence and ethical stewardship. A clear sense of purpose helps regulators understand their role in serving the community and guides decisions that balance enforcement with public trust. Leadership sets the tone by modelling integrity, transparency, and accountability, while organisational culture reinforces these values in daily operations. 

 

Key insight 4: A balanced regulatory posture is critical

Regulatory posture refers to the overall approach a regulator takes in influencing and overseeing compliance. It shapes how regulators engage with regulated entities, balance support and oversight, and maintain trust in the system.

Regulatory approaches exist on a spectrum, from educative and supportive strategies that help organisations comply voluntarily, to strict enforcement and prosecution for breaches. A balanced posture is critical: it allows regulators to guide and support entities in meeting obligations, while maintaining the authority and capability to respond decisively when rules are broken.

A balanced approach encourages prevention, education, and detection. Regulators can provide guidance, resources, and cooperative support to entities that meet expectations, fostering voluntary compliance and reducing the risk of unintentional breaches. At the same time, regulators must take firm action when obligations are not met to maintain fairness, public confidence, and the integrity of the regulatory system. By balancing support with enforcement, regulators can build trust, promote ethical behaviour, and achieve better compliance outcomes. Regulatory posture should explicitly recognise that light-touch approaches may fail, while zero-tolerance measures must be proportionate and clearly communicated.

Financial sustainability and independence influence regulatory effectiveness. Funding models based on industry revenue can create conflicts of interest; regulators need secure, impartial funding arrangements to maintain independence and credibility.

 

In summary: Where to from here? 

The panel observed that we’ve reached ‘peak regulation’ and highlighted the need for transformation to reduce duplication, focus on high-risk areas, and alleviate unnecessary burden on regulated entities. Although public sector transformation is significantly more complex than evolution in private settings, both public and private sector entities can benefit from careful planning, adopting robust digital systems, and nurturing strong leadership. 

It’s imperative that any AI transformation, which can be a powerful tool for identifying emerging risks, patterns, and compliance issues, is human-led, to ensure ethical, contextual, and transparent outcomes. Regulators can and should be stepping into the role of ‘ethical stewardship’. This will enhance regulatory effectiveness and voluntary compliance, especially when combined with social licence and organisational culture and leadership.

To succeed in these transformations, clarity in roles, responsibilities and system oversight will be vital. Internal Audit plays a key supporting role, but must be part of a broader collaborative and communicative culture. Lessons from historical regulator mergers and separations have taught us that combining regulators does not automatically improve outcomes; what we need is careful planning, national coordination where necessary, and system-wide oversight.