Does good risk management lead to compliance? November 23, 2009 By Sean Inman, Security & Compliance Professional
This is a relatively reasonable way of thinking, but there is one catch: not all regulations are created to reduce the risk of the organization that has to comply with them. Think about PCI-DSS compliance by merchants. PCI-DSS tries to reduce risk for the card brands, issuers and acquirers by forcing the key point of compromise (the merchants) to apply proper security controls. For the merchant, however, the cost of applying those controls is higher than the risk reduction the merchant itself gains from them. That is why regulating bodies usually establish fines: to artificially increase the risk borne by the organization responsible for applying the controls, so that compliance becomes the cheaper option for it. If this "manipulation of the risk economy" is not done properly, the fines are too small or too rarely enforced to change the merchant's own risk calculation, and the "good risk management leads to compliance" concept does not work.