Many laws and regulations require organizations to implement specific risk control measures. Which statement is true?

• A. These measures are a means of implementing the risk control techniques of separation, duplication, and diversification.
• B. The cost of adhering to these legal requirements becomes part of the cost of risk.
• C. These laws and regulations are amended infrequently and do not require ongoing monitoring.
• D. Failure to comply with legal requirements can expose an organization to sanction, but not to liability.

Answer: (B)

In risk management, the cost of risk includes not only expected losses but also the costs of actions taken to prevent or reduce those losses. When laws and regulations require specific risk‑control measures, the resources spent to meet those requirements are part of managing risk, because they directly reduce potential losses and liability.

That’s why the statement that the cost of adhering to legal requirements becomes part of the cost of risk is the best choice. It recognizes compliance as a risk control expense—a deliberate investment in prevention that is folded into the overall cost of managing risk.

The other ideas don’t fit as well. Regulatory requirements aren’t limited to the simple implementation of separation, duplication, or diversification in every case; they encompass a broader set of mandates and controls. Regulations are updated and require ongoing monitoring, not infrequent or static compliance. And failing to comply can lead to liability as well as sanctions, not just sanctions.