Re: "compliance risk"
#1 is more common, but I have worked for companies that perform #2.
It is surprising that, for something as important as "are we making a good product and are we competent at our jobs", the amount of effort put into compliance is basically box ticking for most.
It is bizarre how many great ideas come out of simple tools like DFMEA and VSM concepts. Even simple things like asking your engineers "stop fixing problems when they fail, spend the day looking for the obvious things that will go wrong and fix them in advance".