How often should boards review risk and compliance frameworks?
Boards should revisit their risk and compliance frameworks at least once a year. They should also review them when the business is growing quickly, entering new markets, raising capital, or dealing with significant regulatory or operational change.
Ongoing oversight like this is a core part of a director’s governance role under New Zealand law.
Why this matters for startups
Risk and compliance frameworks are not just for large corporates. Even early‑stage companies face legal, financial, operational and reputational risks. As a business evolves, the risks it faces (and the controls needed to manage them) change quickly. Without regular review of its frameworks, boards may be relying on incorrect assumptions that no longer ensure compliance with obligations or good industry practice.
What should a risk and compliance framework cover?
At a high level, a risk and compliance framework:
- identifies key risks;
- sets expectations for compliance with law and regulation; and
- allocates responsibility for oversight.
For startups, common risks and compliance matters include financial management, director and officer obligations, data and cybersecurity, employment practices, and sector‑specific regulation.
Directors are expected to exercise care, diligence and oversight across these areas, even where day‑to‑day management is delegated.
How often should reviews occur in practice?
An annual review is generally appropriate for all boards. This allows directors to confirm that risks have been identified accurately and that controls remain proportionate to the company’s size and complexity.
Additional reviews should occur when there is a material change, such as:
- Rapid growth or a shift from idea stage to commercial launch.
- Capital raising or the introduction of new investors.
- Expansion into new jurisdictions or regulated markets.
- Significant regulatory developments (for example, in cybersecurity or privacy).
Ongoing monitoring
Between reviews, boards should ensure that they receive regular updates on key risks and emerging issues. This supports informed decision‑making and demonstrates active oversight.
Practical takeaways
- Risk and compliance frameworks are living documents, not one‑off exercises.
- Annual review is the minimum; change‑driven reviews are often more important.
- Proportionate frameworks are acceptable, but inattention is not.
- Clear reporting helps directors meet their legal duties without over‑engineering governance.
FAQs
Is annual review legally required?
- No specific frequency is mandated, but directors must actively manage and oversee risk as part of their general duties.
Do early‑stage startups really need a formal framework?
- It is recommended that startups at least have a simple framework in place, which has identified and considered the key issues and risks affecting their business.
Who is responsible for the review?
- The board retains responsibility, even if management prepares the framework or supporting reports.
What happens if frameworks are not reviewed?
- Outdated frameworks increase the likelihood of compliance breaches and may expose directors to personal liability if risks are not properly considered.
Need to know more? These may help:
- What does good corporate governance mean for New Zealand companies?
- What are directors’ duties under the Companies Act 1993 in New Zealand?
- When can directors be personally liable in New Zealand?
Or message us here and one of our experts will contact you within 48 hours.
Special thanks to Partner Gareth Clendinning and Associate Tom Mohammed for preparing this article.
Disclaimer: The content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.






