---
name: conducting-compliance-risk-assessments
language: en
description: Structures compliance risk assessment with regulatory inventory and inherent/residual risk evaluation. Use when assessing compliance risk, inventorying regulatory obligations, or prioritizing compliance resources.
tags:
  - process
  - financial-compliance
  - compliance
  - regulatory
metadata:
  author: casemark
  practice_areas:
    - Regulatory Compliance
    - Financial Regulation
    - Compliance
  document_types:
    - Process Documentation
  skill_modes:
    - Process Management
---
# Conducting Compliance Risk Assessments

## When To Use

- Performing periodic (annual, quarterly) compliance risk assessments for a regulated entity
- Onboarding a new regulatory obligation and evaluating its risk impact
- Prioritizing compliance resources across multiple regulatory domains (AML/BSA, consumer protection, fair lending, privacy, sanctions)
- Responding to regulatory examination findings, enforcement actions, or audit gaps
- Evaluating compliance risk exposure after organizational changes (new products, market entry, M&A)

## Inputs To Gather

- **Entity profile**: charter type, asset size, business lines, geographic footprint, customer segments
- **Regulatory inventory**: all applicable statutes, regulations, and guidance (federal, state, international) [VERIFY jurisdiction-specific requirements]
- **Prior assessment results**: previous risk ratings, audit findings, exam results, MRAs/MRIAs
- **Control documentation**: policies, procedures, training records, monitoring/testing reports
- **Incident data**: regulatory violations, complaints, SARs filed, enforcement actions, litigation
- **Organizational changes**: new products/services, market expansions, system migrations, staffing changes since last assessment
- **Risk appetite statement**: board-approved risk tolerance thresholds

## Workflow

1. **Define scope and methodology**
   - Identify assessment boundaries (enterprise-wide vs. business-line specific)
   - Select risk rating framework: typically a matrix scoring likelihood (1-5) x impact (1-5)
   - Establish rating definitions — anchor each level to concrete indicators (e.g., "4 = regulatory action within 12 months is probable")
   - Confirm assessment period and reporting timeline

2. **Build the regulatory inventory**
   - Catalog every applicable law, regulation, and regulatory guidance document
   - Map each obligation to responsible business line(s) and compliance owner
   - Flag recently enacted or amended regulations [VERIFY effective dates and transition periods]
   - Note cross-border obligations for entities operating in multiple jurisdictions [VERIFY local registration and licensing requirements]

3. **Assess inherent risk per obligation**
   - For each regulatory obligation, rate inherent risk (risk before controls) across dimensions:
     - **Likelihood**: volume/complexity of covered activity, pace of regulatory change, historical violation frequency
     - **Impact**: potential fines/penalties, reputational harm, operational disruption, customer harm
   - Weight factors by materiality — a high-volume activity under active regulatory scrutiny warrants elevated scoring
   - Document rationale for each rating; avoid unsupported "medium" defaults

4. **Evaluate control effectiveness**
   - For each obligation, assess the design and operating effectiveness of existing controls:
     - Policies and procedures: current, approved, accessible to staff
     - Training: frequency, completion rates, content relevance
     - Monitoring and testing: scope, frequency, deficiency tracking
     - Issue management: timely remediation, root-cause analysis, escalation protocols
   - Rate control strength (strong / satisfactory / weak) with supporting evidence
   - Flag control gaps or untested controls explicitly

5. **Calculate residual risk**
   - Residual risk = inherent risk adjusted for control effectiveness
   - Where controls are strong, residual risk may drop 1-2 levels below inherent; where controls are weak or absent, residual risk remains at or near inherent levels
   - Highlight any obligation where residual risk exceeds the board-approved risk appetite

6. **Prioritize and recommend**
   - Rank obligations by residual risk score to produce a heat map or tiered priority list
   - For high and critical residual risks, draft specific remediation recommendations:
     - Control enhancements (new monitoring, additional testing, policy updates)
     - Resource allocation (staffing, technology, budget)
     - Timeline and accountability (owner, target completion, milestone checkpoints)
   - Identify emerging risks (pending regulations, industry trends) for forward-looking planning

7. **Validate and finalize**
   - Circulate draft assessment to business-line risk owners for challenge and concurrence
   - Incorporate feedback; document material disagreements and resolution
   - Present final assessment to senior management and board/committee for approval
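
A minimal scoring model for steps 1 through 6, added here as an illustration and not part of the original skill document: inherent level from the likelihood x impact matrix, residual level after the control rating, comparison against the risk appetite, and a ranked list. The score-to-level bands and the number of levels each control rating removes are assumptions chosen for the example; the document only states that strong controls may drop residual risk 1-2 levels and weak controls leave it at or near inherent.

```python
# Added example, not the document's own method. Band thresholds and the
# per-control-rating level reductions below are assumptions for illustration.
from dataclasses import dataclass

LEVELS = ["low", "medium", "high", "critical"]

def inherent_level(likelihood: int, impact: int) -> str:
    """Map a likelihood (1-5) x impact (1-5) product to an assumed level band."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be rated 1-5")
    score = likelihood * impact          # 1..25
    if score >= 15:
        return "critical"
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"

# Assumed adjustment: strong controls drop two levels, satisfactory one, weak none.
CONTROL_DROP = {"strong": 2, "satisfactory": 1, "weak": 0}

def residual_level(inherent: str, control: str) -> str:
    idx = LEVELS.index(inherent) - CONTROL_DROP[control]
    return LEVELS[max(idx, 0)]

@dataclass
class Obligation:
    name: str
    likelihood: int
    impact: int
    control: str      # "strong" | "satisfactory" | "weak"
    rationale: str    # required: no unsupported "medium" defaults

def assess(obligations, appetite: str):
    """Rows sorted worst residual first; flags obligations above the appetite level."""
    rows = []
    for o in obligations:
        if not o.rationale.strip():
            raise ValueError(f"{o.name}: rating rationale missing")
        inh = inherent_level(o.likelihood, o.impact)
        res = residual_level(inh, o.control)
        rows.append({"obligation": o.name, "inherent": inh, "control": o.control,
                     "residual": res,
                     "exceeds_appetite": LEVELS.index(res) > LEVELS.index(appetite)})
    return sorted(rows, key=lambda r: LEVELS.index(r["residual"]), reverse=True)

# Constructed sample inventory for the example, not real assessment data.
SAMPLE = [
    Obligation("BSA/AML SAR filing", 4, 5, "satisfactory", "high volume; two late filings last year"),
    Obligation("Fair lending (ECOA)", 3, 4, "strong", "stable products; annual testing, no findings"),
    Obligation("OFAC sanctions screening", 2, 5, "weak", "screening vendor migration not yet tested"),
]
```

With a "medium" appetite, `assess(SAMPLE, "medium")` ranks the SAR filing and sanctions screening obligations as high residual risk above appetite and fair lending as low, which is the tiered list step 6 asks for.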

## Output

The final deliverable should include:

- **Executive summary**: overall compliance risk posture, key themes, top residual risks
- **Regulatory inventory table**: obligation, applicable law/rule, business line, compliance owner
- **Risk assessment matrix**: each obligation with inherent risk score, control rating, residual risk score, and rating rationale
- **Heat map or dashboard**: visual representation of residual risk distribution across obligations
- **Remediation plan**: prioritized action items for high/critical risks with owners and deadlines
- **Appendices**: methodology description, rating scale definitions, data sources, prior-period comparison

## Quality Checks

- Every regulatory obligation in the inventory has a corresponding inherent and residual risk rating — no gaps
- Rating rationales are specific and evidence-based, not boilerplate
- Control assessments reference actual testing or monitoring results, not just policy existence
- Residual risk scores logically follow from the inherent risk and control effectiveness pairing
- High residual risks each have a documented remediation recommendation with owner and timeline
- Assessment methodology and rating scales are consistent with prior periods (or changes are explained)
- All jurisdiction-dependent obligations are tagged with [VERIFY] where applicability may vary
- Final output has been reviewed by at least one subject-matter compliance officer before submission
