How to Conduct a Compliance Risk Assessment (Step-by-Step)

A compliance risk assessment is the systematic process of identifying, analysing, and prioritizing an organization's compliance risks — enabling the allocation of compliance resources to the areas of greatest potential exposure. This step-by-step guide covers the complete methodology for Nigerian organizations.

"A compliance risk assessment that produces no high-risk findings is not a well-run programme — it is an incomplete one."

The compliance risk assessment is the cornerstone of a risk-based compliance programme. It enables the compliance function to move beyond reactive compliance — responding to regulatory breaches after they occur — to proactive compliance management: identifying where obligations are most likely to be breached, under what circumstances, and with what consequences, then allocating controls and monitoring resources accordingly.

The Compliance Risk Assessment Process

Step 1 — Build the Regulatory Obligations Register

Before assessing risk, you must know what you are required to comply with. The regulatory obligations register is the complete, documented list of all applicable laws, regulations, standards, licences, codes, and contractual commitments.

  • Assign an owner for each regulatory obligation — the person responsible for ensuring the organization meets that requirement
  • Document the specific requirement, the applicable penalty for non-compliance, and the frequency of monitoring
  • Update the register immediately when new regulations are issued or existing ones are amended

Step 2 — Identify Compliance Risks

For each regulatory obligation, identify the specific ways in which the organization could fail to meet it. Compliance risks are not abstract — they are specific scenarios:

  • "KYC documentation not updated when customer circumstances change — leading to holding of outdated beneficial ownership information in breach of CBN AML/CFT Regulations"
  • "Annual returns not filed with CAC within the required timeframe — triggering penalty of ₦X per month of delay"
  • "Personal data processed without a lawful basis documented — breach of Nigeria Data Protection Act 2023 Section [X]"

Step 3 — Rate Each Risk

Each compliance risk is rated on two dimensions: likelihood of occurrence and impact if it occurs. The product of these two ratings is the composite inherent risk score, which on the five-point scales below ranges from 1 to 25 and is assessed before any controls are taken into account.

Likelihood                            Score   Impact                                                  Score
Very Likely (occurs frequently)         5     Critical (major financial penalty, licence revocation)    5
Likely (has occurred recently)          4     Significant (material fine, regulatory censure)           4
Possible (industry precedent exists)    3     Moderate (manageable fine, formal warning)                3
Unlikely (theoretical)                  2     Minor (internal remediation required)                     2
Remote (extremely rare)                 1     Negligible (no external consequence)                      1

Step 4 — Assess Existing Controls

For each identified risk, document the controls currently in place and assess their effectiveness on three questions: Are they well-designed (design effectiveness)? Are they actually operating (operating effectiveness)? Are they being tested, so that the first two answers are evidenced rather than assumed? A well-designed control that is not operating provides no protection, and an untested control's effectiveness is unverified and should not be credited in full.

Step 5 — Calculate Residual Risk

Residual risk = Inherent risk adjusted for control effectiveness. A high inherent risk with strong, well-tested controls produces a lower residual risk. A moderate inherent risk with absent or ineffective controls may produce a higher residual risk than expected.

Step 6 — Prioritize and Build the Action Plan

Compliance risks where residual risk exceeds the organization's risk appetite require additional controls, enhanced monitoring, or acceptance with board approval. The action plan must specify: the required action, the owner, the completion date, and the expected post-action residual risk.

Step 7 — Report and Monitor

The compliance risk assessment results, together with the action plan status, must be reported to the Audit Committee or Board Compliance Committee at least quarterly. Significant new compliance risks that arise between formal assessments must be reported immediately.
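The following Python script is an added illustration of Steps 3 to 6, not code from the original article or any regulator's methodology. It scores a small constructed register (three scenarios modelled on the Step 2 examples), derives residual risk from the inherent score and the documented controls, flags risks that exceed the appetite, and attaches an action plan. Everything beyond "inherent = likelihood x impact" is an assumption made here for the example: residual risk is the inherent score scaled by (1 - control effectiveness) and floored at 1; a control's effectiveness is design x operating, so a well-designed control that is not operating earns nothing; an untested control is capped at 0.5 credit; and layered controls combine by multiplying their failure probabilities. The risk appetite (8), the sample controls and the action proposals are invented.

```python
"""Compliance risk register scoring (illustrative; assumptions noted inline)."""
import math
from dataclasses import dataclass, field

# Five-point scales from the Step 3 table.
LIKELIHOOD = {5: "Very Likely", 4: "Likely", 3: "Possible", 2: "Unlikely", 1: "Remote"}
IMPACT = {5: "Critical", 4: "Significant", 3: "Moderate", 2: "Minor", 1: "Negligible"}

UNTESTED_CAP = 0.5  # assumption: an untested control earns at most half credit


@dataclass
class Control:
    name: str
    design: float     # 0..1 design effectiveness
    operating: float  # 0..1 share of the time the control actually operates
    tested: bool

    def effectiveness(self) -> float:
        # Assumption: design x operating, so design 1.0 with operating 0.0 protects nothing.
        eff = self.design * self.operating
        return eff if self.tested else min(eff, UNTESTED_CAP)


@dataclass
class Risk:
    obligation: str
    scenario: str
    owner: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)

    def __post_init__(self):
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError("likelihood and impact must be integers 1..5")

    def inherent(self) -> int:
        return self.likelihood * self.impact  # 1..25, before controls

    def control_effectiveness(self) -> float:
        # Assumption: layered controls fail independently, so the chance that all
        # of them miss the failure is the product of their individual miss rates.
        miss = 1.0
        for c in self.controls:
            miss *= 1.0 - c.effectiveness()
        return 1.0 - miss

    def residual(self) -> int:
        # Assumption: scale inherent by the uncontrolled share, floor at 1 (risk never
        # reaches zero). Rounding first avoids float noise pushing ceil() up a notch.
        return max(1, math.ceil(round(self.inherent() * (1.0 - self.control_effectiveness()), 9)))


@dataclass
class Action:
    risk: Risk
    required_action: str
    owner: str
    due: str
    expected_residual: int
    board_accepted: bool = False


def prioritize(register, appetite):
    """Risks whose residual exceeds the appetite, highest residual first."""
    return sorted((r for r in register if r.residual() > appetite),
                  key=lambda r: r.residual(), reverse=True)


def build_action_plan(register, appetite, proposals):
    """proposals maps scenario -> (action, owner, due, expected_residual, board_accepted).
    Every out-of-appetite risk must have a proposal, and the expected post-action
    residual must be within appetite unless the board has accepted it."""
    plan = []
    for r in prioritize(register, appetite):
        if r.scenario not in proposals:
            raise ValueError(f"no action proposed for out-of-appetite risk: {r.scenario}")
        action, owner, due, expected, accepted = proposals[r.scenario]
        if expected > appetite and not accepted:
            raise ValueError(f"post-action residual {expected} still exceeds appetite: {r.scenario}")
        plan.append(Action(r, action, owner, due, expected, accepted))
    return plan


def build_register():
    """Constructed sample register (values invented for the example)."""
    kyc = Risk("CBN AML/CFT Regulations", "KYC documentation not updated on change of circumstances",
               "Head of Compliance", likelihood=4, impact=5,
               controls=[Control("Annual KYC refresh", design=0.8, operating=0.5, tested=True)])
    cac = Risk("CAMA annual returns", "Annual returns not filed with CAC on time",
               "Company Secretary", likelihood=2, impact=3,
               controls=[Control("Statutory filing calendar", design=0.9, operating=1.0, tested=True)])
    ndpa = Risk("Nigeria Data Protection Act 2023", "Personal data processed without documented lawful basis",
                "Data Protection Officer", likelihood=3, impact=4,
                controls=[Control("Processing-record review", design=1.0, operating=1.0, tested=False)])
    return [kyc, cac, ndpa]


def report(register, appetite):
    """Rows for the quarterly committee pack: (scenario, inherent, residual, status)."""
    return [(r.scenario, r.inherent(), r.residual(),
             "ACTION REQUIRED" if r.residual() > appetite else "within appetite")
            for r in sorted(register, key=lambda r: r.residual(), reverse=True)]


if __name__ == "__main__":
    reg, appetite = build_register(), 8
    for row in report(reg, appetite):
        print(row)
```

The untested control on the data-protection scenario is the point worth noticing: it looks perfect on paper (design 1.0, operating 1.0) but earns only half credit until someone tests it, so its residual is 6 rather than 1. Whether that lands inside or outside the appetite depends entirely on the number the board set, which is why the appetite has to be written down before the scores are.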

Key Takeaway

A compliance risk assessment is the compliance function's most important planning tool. Organizations that conduct rigorous, honest, and regularly updated compliance risk assessments know where their vulnerabilities are before regulators do — and can close them proactively. Those that conduct pro-forma assessments know only what they have chosen to find.