The purpose of risk management is to identify potential events that may affect an entity, quantify the impact and likelihood of occurrence, and then manage the risk in accordance with the organisation's risk appetite.
Risk appetite - the amount of risk an organisation is willing to assume in pursuit of its goals - should be defined explicitly by each organisation.
The risk appetite should be aligned with the risk culture, because the actual risk appetite of individual functions and people will determine how closely the official (accepted) "appetite stance" is adhered to in practice.
Organisations, even those with an extreme risk appetite, cannot deliberately choose to ignore the law. They may, however, allocate fewer resources to ensuring strict compliance.