Compliance Risk Assessment: How to Build a Framework
A compliance risk assessment is the systematic process of identifying, evaluating, and prioritizing the legal and regulatory risks facing an organization. It is the foundation of any effective compliance program. It tells you where your risk is concentrated, which lets you allocate compliance investments accordingly.
Organizations that invest in compliance without first understanding their risk profile often under-invest in high-risk areas while over-investing in low-risk ones. A compliance risk assessment corrects this. It grounds compliance program design in an objective view of where the organization's actual exposure lies.
What a Compliance Risk Assessment Is Not
A compliance risk assessment is not a compliance program audit. An audit evaluates whether existing controls are operating effectively. A risk assessment identifies what risks exist and whether the organization's controls are designed well enough to address them.
It is also not a one-time exercise. Compliance risk changes as the business changes, as regulatory requirements evolve, and as the external environment shifts. Effective compliance programs treat the risk assessment as a recurring process, not a static document.
Step 1: Identify the Regulatory Universe
The first step is mapping the legal and regulatory requirements that apply to your organization. This is driven by the nature of the business, the jurisdictions where you operate, the industries you operate in, and the activities you engage in.
Common compliance domains include:
- Anti-corruption (FCPA, UK Bribery Act)
- Sanctions (OFAC, EU)
- Anti-money laundering
- Data privacy (GDPR, CCPA)
- Employment law
- Environmental regulation
- Financial services regulation
- Healthcare regulation
- Export controls
- Antitrust
Most organizations operate across multiple domains, and the specific requirements within each domain vary by jurisdiction.
Step 2: Assess Inherent Risk
For each compliance domain, assess the inherent risk before considering controls. Inherent risk is a function of the organization's exposure: the nature of its business, the countries where it operates, its customer and counterparty population, and its transaction profile.
Key inherent risk factors include:
Geographic risk. Operations in countries that score poorly on corruption perception indices (on Transparency International's CPI a low score means higher perceived corruption), are subject to active sanctions programs, or have weak rule of law.
Customer and counterparty risk. Relationships with government-owned or government-connected entities, politically exposed persons (PEPs), or parties in high-risk sectors.
Business model risk. Cash-intensive businesses, high-value asset transactions, and complex multi-party transactions all present elevated money laundering risk.
Transaction risk. High-volume or high-value transactions, unusual payment patterns, and transactions with limited economic rationale.
Step 3: Evaluate Controls
For each identified risk, evaluate the controls your organization has in place to mitigate it. Effective controls are specific, documented, consistently applied, and subject to oversight. Controls that exist on paper but are not operational provide false assurance.
Common control gaps include:
- Third-party due diligence that is cursory or applied inconsistently
- Training that is completed perfunctorily without assessment of understanding
- Reporting mechanisms that employees do not trust or do not know about
- Monitoring programs that look at low-risk activities while ignoring high-risk ones
Step 4: Determine Residual Risk and Prioritize
Residual risk is the risk that remains after controls are applied. The assessment compares inherent risk with control effectiveness to find where residual risk is highest. High residual risk areas need more investment: stronger controls, better training, or more sophisticated monitoring.
The prioritization output of a risk assessment drives compliance program design decisions: where to focus training, which third parties to investigate more thoroughly, which transactions to monitor, and where to engage outside expertise.
Documenting the Assessment
A documented risk assessment shows regulators that the organization's compliance program is thoughtfully designed and risk-based. In enforcement proceedings, regulators consistently consider whether an organization had an effective compliance program. Documented risk assessments are evidence of that.
Building the Cross-Functional Team
A compliance risk assessment cannot be produced in isolation by the compliance function. The people who understand where the real risk sits are often the business unit leaders, the finance team, the procurement function, the IT organization, and the legal department. A credible assessment process pulls information from each of these stakeholders and reconciles it against external data sources and independent inquiry.
In practice, this means convening a steering group early in the process. Agree on scope, methodology, and timeline before any data collection begins. The steering group should include:
- A senior compliance officer
- Representatives from each major business unit
- Internal audit
- Finance
- In-house counsel
For organizations with significant international operations, regional compliance leads should be included as well. Local regulatory nuance is easily missed by a headquarters-only team.
The role of outside experts is to challenge internal assumptions and provide data that internal teams cannot generate themselves. This includes adverse media screening, beneficial ownership research, sanctions and PEP checks, and on-the-ground inquiry in jurisdictions where open-source information is limited. Our background investigations team regularly supports compliance risk assessments by developing this external intelligence on counterparties, executives, and acquisition targets.
Data Sources and Evidence Gathering
A risk assessment is only as reliable as the data that feeds it. Too often, organizations rely on self-reported information from business units without independent verification. Self-reporting is a legitimate starting point, but it has well-known limitations. The people closest to a business activity are rarely the best judges of its risk, and no one wants to volunteer that their function is the one creating exposure.
Useful internal data sources include:
- Prior audit and monitoring findings
- Internal hotline and whistleblower reports
- Regulatory correspondence and enforcement history
- Litigation records
- Transaction monitoring alerts
- HR investigations data
- Third-party due diligence files
- Industry benchmarking
External sources include regulatory enforcement trends in the organization's sectors, peer enforcement actions, media coverage of similar organizations, and sanctions and watchlist data.
Sometimes the risk profile involves individuals who warrant deeper scrutiny, such as executives at acquisition targets, key business partners, or joint venture sponsors. In those cases, a structured investigative workflow is more useful than a checklist review. Engagements handled through our due diligence services for businesses typically combine corporate records research, litigation searches, regulatory history, media analysis, and human-source inquiry tailored to the specific jurisdictions involved.
Scoring and Calibrating the Assessment
Once risks and controls are identified, the assessment needs a consistent scoring methodology. Most organizations use a matrix approach. They rate inherent risk on likelihood and impact, then overlay control effectiveness to produce a residual risk score. The specific scale matters less than consistency. A three-point scale applied rigorously across the organization is more useful than a ten-point scale applied inconsistently.
Calibration is the step most organizations skip. After scoring is complete, the steering group should review outputs across business units and ask whether the relative rankings make sense. If the most profitable business unit with the most international exposure ends up rated as lower risk than a domestic support function, that is a signal that the scoring inputs or the people providing them need to be reexamined. Calibration sessions also surface hidden disagreements about risk appetite. Those are better aired during the assessment than discovered later during an enforcement action.
A common failure mode is letting the scoring exercise become theatrical. When every risk is rated medium and every control rated effective, the assessment is not telling leadership anything useful. A credible assessment will identify real weaknesses, and senior management should expect to see them. An assessment that reports uniformly positive results is not reassuring. It is evidence that the process is not working.
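The residual risk calculation from Step 4 and the matrix scoring and calibration checks described in this section can be made concrete in a few dozen lines. The script below is an added example, not a tool from the article or its author. It assumes a three-point scale (1 = low, 2 = medium, 3 = high) for likelihood, impact and control effectiveness, takes inherent risk as likelihood times impact, and assumes that an effective control removes two thirds of the inherent score, a partially effective one removes one third, and a weak one removes nothing; the band cut-offs and the sample entries are constructed for illustration. It ranks entries by residual risk and flags the "everything is medium, every control is effective" pattern that signals a theatrical assessment.

```python
"""Matrix scoring and calibration checks for a compliance risk assessment.

Added example. Assumptions (not from the article): three-point scale for
likelihood, impact and control effectiveness; inherent = likelihood x impact;
control rating 3 keeps one third of inherent risk, 2 keeps two thirds, 1 keeps
all of it; residual bands are cut at 3 and 6 on the resulting 1..9 range.
"""
from dataclasses import dataclass

SCALE = (1, 2, 3)  # 1 = low, 2 = medium, 3 = high


@dataclass(frozen=True)
class RiskEntry:
    domain: str
    business_unit: str
    likelihood: int
    impact: int
    control_effectiveness: int

    def __post_init__(self):
        # Enforce the single agreed scale; inconsistent inputs are the main
        # reason scores across business units cannot be compared.
        for name in ("likelihood", "impact", "control_effectiveness"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be one of {SCALE}, got {getattr(self, name)}")


def inherent_score(entry: RiskEntry) -> int:
    """Inherent risk before controls: likelihood x impact, range 1..9."""
    return entry.likelihood * entry.impact


def residual_score(entry: RiskEntry) -> float:
    """Overlay control effectiveness (assumed factor: 1 -> 3/3, 2 -> 2/3, 3 -> 1/3)."""
    return round(inherent_score(entry) * (4 - entry.control_effectiveness) / 3, 2)


def residual_band(score: float) -> str:
    """Assumed cut-offs on the 1..9 range."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritize(entries):
    """Highest residual first; ties broken by inherent risk, then domain name."""
    return sorted(entries, key=lambda e: (-residual_score(e), -inherent_score(e), e.domain))


def calibration_flags(entries):
    """Return human-readable warnings when the scoring looks theatrical."""
    if not entries:
        return ["no entries scored"]
    flags = []
    if all(e.likelihood == 2 and e.impact == 2 for e in entries):
        flags.append("every inherent rating is medium")
    if all(e.control_effectiveness == 3 for e in entries):
        flags.append("every control is rated effective")
    if not any(residual_band(residual_score(e)) == "high" for e in entries):
        flags.append("no high residual risk identified")
    return flags


# Constructed sample register for one fictional company (illustration only).
SAMPLE = [
    RiskEntry("Anti-corruption", "International Sales", 3, 3, 1),
    RiskEntry("Sanctions", "International Sales", 2, 3, 2),
    RiskEntry("Export controls", "Logistics", 3, 3, 2),
    RiskEntry("Data privacy", "Marketing", 2, 2, 3),
    RiskEntry("Employment law", "HQ Support", 1, 2, 2),
]

# A register where every risk is medium and every control is effective.
THEATRICAL = [
    RiskEntry("Anti-corruption", "International Sales", 2, 2, 3),
    RiskEntry("Sanctions", "International Sales", 2, 2, 3),
    RiskEntry("Data privacy", "Marketing", 2, 2, 3),
]


def report(entries) -> str:
    lines = [f"{'domain':<16}{'unit':<22}{'inh':>4}{'res':>6}  band"]
    for e in prioritize(entries):
        r = residual_score(e)
        lines.append(f"{e.domain:<16}{e.business_unit:<22}{inherent_score(e):>4}{r:>6}  {residual_band(r)}")
    for flag in calibration_flags(entries):
        lines.append(f"CALIBRATION WARNING: {flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
    print()
    print(report(THEATRICAL))
```

Running the script prints the sample register ranked by residual score with no calibration warnings, then the theatrical register, which produces all three warnings. The point of the calibration function is that it checks the shape of the output, not any individual score: a register that triggers it may still be accurate for a genuinely low-risk organization, but it should be reviewed by the steering group before it goes to the board.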
Acting on the Results
The assessment itself produces no risk reduction. What matters is the remediation plan that follows. Each high residual risk area should be paired with a specific action: a control enhancement, a policy update, a training initiative, an investment in technology, or a change in how business is conducted. Each action should have an owner, a deadline, and a way to verify completion.
Some findings require investigation before remediation. If the assessment surfaces concerns about a specific executive's conduct, a particular business relationship, or an unexplained transaction pattern, a targeted inquiry is the right next step. Our executive misconduct investigation practice handles these situations with the discretion and evidentiary rigor that internal teams often cannot provide on their own. This matters most when the subject of the inquiry has access to the internal resources that would otherwise handle it.
The remediation plan should be reported to the board or audit committee, with progress tracked against the original timeline. Regulators routinely ask to see not just the risk assessment but the follow-through. An organization that can show a disciplined cycle of assessment, remediation, and reassessment is in a significantly stronger position than one that can only produce the assessment document itself.
Integrating the Assessment into Business Decisions
The highest-performing compliance programs use the risk assessment as an input to business decision-making rather than treating it as a standalone compliance artifact. When the organization considers entering a new country, launching a new product, or acquiring a new business, the risk assessment should inform the analysis. Mergers and acquisitions are high-stakes moments where the existing risk assessment framework should drive the scope of pre-closing diligence.
Our due diligence and investigative services support compliance risk management with third-party investigations, background screening, and risk intelligence. Corporate clients integrate the risk assessment, third-party due diligence, and ongoing monitoring under a single corporate due diligence engagement rather than stitching separate vendors together. Contact us to discuss your compliance and due diligence needs.