Compliance burden is up 75%. The answer is less compliance, not more.
“Compliance burden” is one of those phrases that arrives carrying its own diagnosis. Burden is what something is when you’ve decided it shouldn’t be there. A burden is to be lifted, redistributed, made lighter. The word comes pre-loaded with the assumption that the load is wrong, the carrier is right, and the problem is one of weight rather than design.
For at least a decade, that’s been the working assumption in Australian boardrooms. The compliance load is too heavy. Therefore the answer is to redistribute it, automate it, outsource it, or push back against it. Three-quarters of directors in the AICD’s most recent sentiment survey expect the burden to grow in 2026. Compliance and regulation, the survey found, have now overtaken cyber risk as the dominant pressure on Australian boards. The diagnosis is universal and the response is uniform. More compliance capacity. More frameworks. More attestations. A larger second line. A heavier first one.
Most of those directors are wrong about the burden, and most of the responses being designed in their boardrooms will make the situation worse. Not because the regulators are right and the directors are wrong. Because the burden isn’t actually a regulatory problem. It’s an architectural one.
The burden that wasn’t
The conventional story is that the load has grown because the regulators have grown. Each new statute, prudential standard, royal commission and mandatory disclosure regime adds another layer to the pile. APRA’s CPS 230. The new Aged Care Act. The mandatory climate disclosure regime. The Cyber Security Act. The statutory privacy tort. The ASX 5th Edition principles. Stack them up and you have the obvious culprit for why a director feels heavier this year than last.
The problem with this story is that the regulators themselves are quietly admitting it doesn’t quite hold.
APRA’s targeted amendments to CPS 230, effective 1 July 2026, walked back several requirements of the original 2025 standard that couldn’t be met in practice. The federal government decided not to proceed with the mandatory AI guardrails proposed in 2024, settling instead for a voluntary standard that has since been quietly absorbed into APRA expectations. Tranche 2 of the Privacy Act has been “progressing” since February 2026 with no published timeline. The new Aged Care Act took an extra four months to commence beyond its original July 2025 target, and the prudential standards were redrafted in the lead-up.
A pattern emerges. Regulators are calibrating downward. Not because the underlying risks have shrunk, but because the system absorbing the response has its own limits. The regulator who was going to demand the world has settled for what can actually be inspected.
Boards are doing the opposite. They are adding more frameworks, not fewer. Adding more attestations, not better ones. Adding more committees, not sharper ones. The compliance burden, as boards actually experience it, is growing fastest in the gap between what the regulator is asking for and what the board has decided to do in response.
What boards are actually adding
A typical large not-for-profit board now operates with a risk committee, an audit committee, a finance committee, a quality committee, a governance and nominations committee, a clinical or sector-specific committee, and an ESG or sustainability committee. Each committee has its own charter, its own annual workplan, its own reports going to the full board, and its own assurance lines. Each was added in response to something specific. Few have ever been retired.
The committee structure is the visible part. Beneath it sits a stack of registers, policies, attestations and frameworks accreted, slowly, over a decade of “we should probably have a policy on that”. Cyber risk policy. AI use policy. Climate risk policy. Modern slavery policy. Whistleblower policy. Sexual harassment policy. Conflicts of interest policy. Procurement policy. Each one approved at a board meeting. Each one with an annual review date. Each one consuming a portion of the agenda once a year, defended by the staff member who wrote it.
This is the compliance burden, considered honestly. Not the regulators. The accreted response to the regulators. A risk function that responded to every new exposure by adding capacity rather than reorganising the capacity it already had. A board that approved every addition because each one made sense on its own.
There’s a phrase for the result, even if the profession doesn’t use it. It’s the burden of accumulated good intentions.
What “less compliance” actually means
The contrarian phrase is misleading on its own terms. Less compliance does not mean less rigour. Less compliance means a smaller number of frameworks, each one doing more work, each one held to a sharper standard, each one capable of producing assurance the board can actually defend.
In practice it requires moves most boards have been postponing.
Start with consolidation. Most organisations have multiple risk frameworks running in parallel. An enterprise risk framework. A financial risk framework. A clinical or operational risk framework. A cyber risk framework. A climate risk framework. A compliance risk framework. Each was built when the relevant exposure first became board-level. Each has its own taxonomy, its own heat map, its own reporting cycle. Most of them duplicate. Few of them speak to each other. A consolidated framework with branches into sector-specific risk does the same work, generates better assurance, and lifts a meaningful portion of the “burden” off the board agenda permanently.
The harder move is retirement. Most boards have never retired a policy, charter or committee. They have only added. The policy graveyard is a discipline almost no organisation practises. Once a year, the board should ask which of last year’s frameworks produced a single piece of assurance that changed a decision. Whatever’s on the list of “didn’t” should be killed. The administrative effort of running it costs more than the framework saves.
Then there’s method review, in the verify-then-trust sense. A board paper that includes an assurance line is worth more than five board papers that include attestations. The committee’s question shifts from “did the policy get reviewed” to “did the policy do any work this year”. The questions look similar. They are not. The first invites a yes. The second invites a conversation. The agenda time freed up is significant.
The discomfort
This is the bit most boards postpone, and the postponement is understandable.
Retiring a framework feels riskier than maintaining it. A framework that exists, even on paper, can be pointed to when a regulator asks. A retired framework cannot. The instinct to keep everything that has ever been written is rational at the level of the individual director and disastrous at the level of the system.
The way through is to distinguish the framework from the assurance. A framework is a document. An assurance is a conclusion the board can defend. Most boards have far more of the first than the second. The retirement exercise is not getting rid of assurance. It is recognising that most of the documents in the binder weren’t producing any.
The other discomfort is who has to do it. Retiring a framework requires a serving CoSec or risk officer to acknowledge that a piece of work they’ve been administering doesn’t matter. That is not a conversation most CoSecs are paid to start. It needs the chair to start it.
What’s changing
The doctrinal shift now under way in Australian governance runs in exactly this direction. ASIC’s enforcement priorities for 2026 don’t reward boards that have the most policies. They reward boards that can show how they generated the assurance the policies were meant to produce.
ASIC Chair Joe Longo’s recent AICD address ran under the title “The times they are a-changin’ but directors’ duties aren’t.” The duty hasn’t moved. The bar that proves you’ve met it has, and the bar increasingly looks like sharper, fewer, better-defended frameworks rather than a longer compliance register.
The same logic shows up in the mandatory climate disclosure regime arriving for Group 2 entities on 1 July 2026. The Standard doesn’t ask boards how many climate risks they have logged. It asks who oversees them, how the oversight is structured, and what process produces the conclusions reported externally. A board with one well-built climate governance line is likely more compliant than a board with three policies, two committees, and a board pack section that no director can summarise.
The market is already pricing this. The boards that retired things last year are not the ones complaining about burden this year. The boards complaining about burden are the ones that have spent five years adding.
The cut
The boards that will look up in 2030 and find themselves still operational will not be the boards that added the most frameworks. They will be the boards that retired the ones that stopped working, kept the ones that did, and treated their compliance burden as a problem of design rather than weight.
Compliance burden, as a phrase, has been doing its work for a decade. The work has been to tell boards they’re right to feel heavy. They are. They’ve been pulling a load they built themselves, one well-intentioned addition at a time, and calling it the regulator’s fault.
The pile isn’t the problem. The pile is the symptom. The problem is that nobody has been allowed to take anything off it.