Conducting Compliance Risk Assessments

When To Use

• Performing periodic (annual, quarterly) compliance risk assessments for a regulated entity
• Onboarding a new regulatory obligation and evaluating its risk impact
• Prioritizing compliance resources across multiple regulatory domains (AML/BSA, consumer protection, fair lending, privacy, sanctions)
• Responding to regulatory examination findings, enforcement actions, or audit gaps
• Evaluating compliance risk exposure after organizational changes (new products, market entry, M&A)

Inputs To Gather

• Entity profile: charter type, asset size, business lines, geographic footprint, customer segments
• Regulatory inventory: all applicable statutes, regulations, and guidance (federal, state, international) [VERIFY jurisdiction-specific requirements]
• Prior assessment results: previous risk ratings, audit findings, exam results, MRAs/MRIAs
• Control documentation: policies, procedures, training records, monitoring/testing reports
• Incident data: regulatory violations, complaints, SARs filed, enforcement actions, litigation
• Organizational changes: new products/services, market expansions, system migrations, staffing changes since last assessment
• Risk appetite statement: board-approved risk tolerance thresholds

Workflow

1. Define scope and methodology

   • Identify assessment boundaries (enterprise-wide vs. business-line specific)
   • Select risk rating framework: typically a matrix scoring likelihood (1-5) x impact (1-5)
   • Establish rating definitions — anchor each level to concrete indicators (e.g., "4 = regulatory action within 12 months is probable")
   • Confirm assessment period and reporting timeline

2. Build the regulatory inventory

   • Catalog every applicable law, regulation, and regulatory guidance document
   • Map each obligation to responsible business line(s) and compliance owner
   • Flag recently enacted or amended regulations [VERIFY effective dates and transition periods]
   • Note cross-border obligations for entities operating in multiple jurisdictions [VERIFY local registration and licensing requirements]

3. Assess inherent risk per obligation

   • For each regulatory obligation, rate inherent risk (risk before controls) across dimensions:
     • Likelihood: volume/complexity of covered activity, pace of regulatory change, historical violation frequency
     • Impact: potential fines/penalties, reputational harm, operational disruption, customer harm
   • Weight factors by materiality — a high-volume activity under active regulatory scrutiny warrants elevated scoring
   • Document rationale for each rating; avoid unsupported "medium" defaults

4. Evaluate control effectiveness

   • For each obligation, assess the design and operating effectiveness of existing controls:
     • Policies and procedures: current, approved, accessible to staff
     • Training: frequency, completion rates, content relevance
     • Monitoring and testing: scope, frequency, deficiency tracking
     • Issue management: timely remediation, root-cause analysis, escalation protocols
   • Rate control strength (strong / satisfactory / weak) with supporting evidence
   • Flag control gaps or untested controls explicitly

5. Calculate residual risk

   • Residual risk = inherent risk adjusted for control effectiveness
   • Where controls are strong, residual risk may drop 1-2 levels below inherent; where controls are weak or absent, residual risk remains at or near inherent levels
   • Highlight any obligation where residual risk exceeds the board-approved risk appetite

6. Prioritize and recommend

   • Rank obligations by residual risk score to produce a heat map or tiered priority list
   • For high and critical residual risks, draft specific remediation recommendations:
     • Control enhancements (new monitoring, additional testing, policy updates)
     • Resource allocation (staffing, technology, budget)
     • Timeline and accountability (owner, target completion, milestone checkpoints)
   • Identify emerging risks (pending regulations, industry trends) for forward-looking planning

7. Validate and finalize

   • Circulate draft assessment to business-line risk owners for challenge and concurrence
   • Incorporate feedback; document material disagreements and resolution
   • Present final assessment to senior management and board/committee for approval

Output

The final deliverable should include:

• Executive summary: overall compliance risk posture, key themes, top residual risks
• Regulatory inventory table: obligation, applicable law/rule, business line, compliance owner
• Risk assessment matrix: each obligation with inherent risk score, control rating, residual risk score, and rating rationale
• Heat map or dashboard: visual representation of residual risk distribution across obligations
• Remediation plan: prioritized action items for high/critical risks with owners and deadlines
• Appendices: methodology description, rating scale definitions, data sources, prior-period comparison

Quality Checks

• Every regulatory obligation in the inventory has a corresponding inherent and residual risk rating — no gaps
• Rating rationales are specific and evidence-based, not boilerplate
• Control assessments reference actual testing or monitoring results, not just policy existence
• Residual risk scores logically follow from the inherent risk and control effectiveness pairing
• High residual risks each have a documented remediation recommendation with owner and timeline
• Assessment methodology and rating scales are consistent with prior periods (or changes are explained)
• All jurisdiction-dependent obligations are tagged with [VERIFY] where applicability may vary
• Final output has been reviewed by at least one subject-matter compliance officer before submission