Risk-based regulation is a new arrival in the lexicon of risk and regulation. Regulatorsin Australia, Canada, and the UK have begun developing systems and processes to assess the probability and impact of compliance failures by regulated firms, and to adjust their relationship with firms accordingly. This article explores the motivations for, and key elements of, the risk-based frameworks of one of those regulators, the Australian Prudential Regulation Authority (APRA). It broadens out from this case study to argue first, that risk-based regulation goes hand in hand with the technique of "meta" regulation, the regulation of the firm's own internal self regulation, and will both fuel and be fueled by any trend towards the latter. Second, it argues that risk-based frameworks are not risk-free: whilst they seek to manage risks they inevitably introduce their own. Third, risk-based regulatory frameworks have the potential both to expose and obscure key sociopolitical and socioeconomic choices as to the amount or types of regulatory failures that an agency will tolerate, and which in effect it is requiring society to tolerate. "Risk based frameworks" are attempt to define what are acceptable "failures" and what are not, and thus to define the parameters of blame.