Without them internally, it'll just fall to regulators, which of course is what shareholders want: to privatize upside and socialize downside.
As someone who has scaled orgs from tens to thousands of engineers, I can tell you: you need value teams to own their own risk.
A small, central R&D team may work with management to set the bar, but they can't be responsible for mitigating the risk on the ground - and they shouldn't be led to believe that that is their job. It never works, and creates bad team dynamics. Either the central team goes too far, or they feel ignored. (See: security, compliance.)