The Compliance Risk Assessment Process
Step 1 — Build the Regulatory Obligations Register
Before assessing risk, you must know what you are required to comply with. The regulatory obligations register is the complete, documented list of all applicable laws, regulations, standards, licences, codes, and contractual commitments.
- Assign an owner for each regulatory obligation — the person responsible for ensuring the organization meets that requirement
- Document the specific requirement, the applicable penalty for non-compliance, and the frequency of monitoring
- Update the register immediately when new regulations are issued or existing ones are amended
Step 2 — Identify Compliance Risks
For each regulatory obligation, identify the specific ways in which the organization could fail to meet it. Compliance risks are not abstract — they are specific scenarios:
- "KYC documentation not updated when customer circumstances change — leading to holding of outdated beneficial ownership information in breach of CBN AML/CFT Regulations"
- "Annual returns not filed with CAC within the required timeframe — triggering penalty of ₦X per month of delay"
- "Personal data processed without a lawful basis documented — breach of Nigeria Data Protection Act 2023 Section [X]"
Step 3 — Rate Each Risk
Each compliance risk is rated on two dimensions: likelihood of occurrence and impact if it occurs. The product of these two ratings produces a composite risk score.
| Likelihood | Score | Impact | Score |
|---|---|---|---|
| Very Likely (occurs frequently) | 5 | Critical (major financial penalty, licence revocation) | 5 |
| Likely (has occurred recently) | 4 | Significant (material fine, regulatory censure) | 4 |
| Possible (industry precedent exists) | 3 | Moderate (manageable fine, formal warning) | 3 |
| Unlikely (theoretical) | 2 | Minor (internal remediation required) | 2 |
| Remote (extremely rare) | 1 | Negligible (no external consequence) | 1 |
Step 4 — Assess Existing Controls
For each identified risk, document the controls currently in place and assess their effectiveness: Are they well-designed? Are they actually operating? Are they being tested? A well-designed control that is not operating provides no protection.
Step 5 — Calculate Residual Risk
Residual risk = Inherent risk adjusted for control effectiveness. A high inherent risk with strong, well-tested controls produces a lower residual risk. A moderate inherent risk with absent or ineffective controls may produce a higher residual risk than expected.
Step 6 — Prioritize and Build the Action Plan
Compliance risks where residual risk exceeds the organization's risk appetite require additional controls, enhanced monitoring, or acceptance with board approval. The action plan must specify: the required action, the owner, the completion date, and the expected post-action residual risk.
Step 7 — Report and Monitor
The compliance risk assessment results, together with the action plan status, must be reported to the Audit Committee or Board Compliance Committee at least quarterly. Significant new compliance risks that arise between formal assessments must be reported immediately.
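Steps 3 to 7 above form one scoring procedure, and it is easy to get the residual-risk step wrong in a spreadsheet (for example by crediting a control that is designed but not operating). The following Python model is an added example, not part of this page or its author's methodology. The 5x5 likelihood and impact scales are the page's own; the control-effectiveness weights (`DESIGN_CREDIT`, `UNTESTED_FACTOR`), the risk appetite of 8, the obligation references, owners and dates are assumptions constructed for illustration.

```python
"""Compliance risk register model: inherent score, control assessment,
residual risk, prioritisation against appetite and a committee summary."""
from dataclasses import dataclass

# Likelihood and impact scales from the Step 3 table on the page.
LIKELIHOOD = {"Very Likely": 5, "Likely": 4, "Possible": 3, "Unlikely": 2, "Remote": 1}
IMPACT = {"Critical": 5, "Significant": 4, "Moderate": 3, "Minor": 2, "Negligible": 1}

# Assumption: fraction of inherent risk a control removes when it is both
# operating and tested, by design quality. The page gives no weights.
DESIGN_CREDIT = {"strong": 0.6, "partial": 0.3, "weak": 0.1, "none": 0.0}
UNTESTED_FACTOR = 0.5  # assumption: an operating but untested control earns half credit


@dataclass
class Obligation:
    """One row of the regulatory obligations register (Step 1)."""
    ref: str
    requirement: str
    owner: str
    monitoring: str  # e.g. "monthly", "annual"


@dataclass
class ComplianceRisk:
    """A concrete failure scenario against an obligation (Steps 2 to 4)."""
    obligation: Obligation
    scenario: str
    likelihood: str
    impact: str
    control_design: str  # key of DESIGN_CREDIT
    control_operating: bool
    control_tested: bool

    def inherent_score(self) -> int:
        """Step 3: likelihood x impact on the 5x5 scale (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def control_effectiveness(self) -> float:
        """Step 4: a well-designed control that is not operating gives no protection."""
        if not self.control_operating:
            return 0.0
        credit = DESIGN_CREDIT[self.control_design]
        return credit if self.control_tested else credit * UNTESTED_FACTOR

    def residual_score(self) -> float:
        """Step 5: inherent risk adjusted for control effectiveness."""
        return self.inherent_score() * (1 - self.control_effectiveness())


def prioritise(risks, risk_appetite):
    """Step 6: risks whose residual score exceeds appetite, highest first."""
    above = [r for r in risks if r.residual_score() > risk_appetite]
    return sorted(above, key=lambda r: r.residual_score(), reverse=True)


def action_plan_item(risk, action, completion_date, expected_residual, risk_appetite):
    """Step 6: one action plan entry. The expected post-action residual must fall
    within appetite, otherwise the entry needs board-approved acceptance instead."""
    if expected_residual > risk_appetite:
        raise ValueError("expected residual still exceeds appetite: needs board acceptance")
    return {
        "obligation": risk.obligation.ref,
        "scenario": risk.scenario,
        "action": action,
        "owner": risk.obligation.owner,
        "completion_date": completion_date,
        "current_residual": round(risk.residual_score(), 2),
        "expected_residual": expected_residual,
    }


def quarterly_summary(risks, risk_appetite):
    """Step 7: headline figures for the Audit / Board Compliance Committee."""
    above = prioritise(risks, risk_appetite)
    top = above[0] if above else None
    return {
        "assessed": len(risks),
        "above_appetite": len(above),
        "within_appetite": len(risks) - len(above),
        "highest_residual": (top.obligation.ref, top.residual_score()) if top else None,
    }


# Constructed sample register; the scenarios are the page's own Step 2 examples.
CBN = Obligation("CBN-AML", "Hold current beneficial ownership information", "Head of Compliance", "monthly")
CAC = Obligation("CAC-RET", "File annual returns within the required timeframe", "Company Secretary", "annual")
NDPA = Obligation("NDPA-LB", "Document a lawful basis for all personal data processing", "Data Protection Officer", "quarterly")

RISKS = [
    # High inherent risk, strong tested control: residual 16 * 0.4 = 6.4
    ComplianceRisk(CBN, "KYC documentation not updated when customer circumstances change",
                   "Likely", "Significant", "strong", True, True),
    # Moderate inherent risk, no control at all: residual stays at 9
    ComplianceRisk(CAC, "Annual returns not filed with CAC within the required timeframe",
                   "Possible", "Moderate", "none", False, False),
    # Strong control designed but not operating: no credit, residual stays at 20
    ComplianceRisk(NDPA, "Personal data processed without a documented lawful basis",
                   "Likely", "Critical", "strong", False, False),
]
RISK_APPETITE = 8  # assumption: maximum tolerated residual score

if __name__ == "__main__":
    for r in prioritise(RISKS, RISK_APPETITE):
        print(f"{r.obligation.ref}: inherent {r.inherent_score()}, residual {r.residual_score():.1f}")
    print(quarterly_summary(RISKS, RISK_APPETITE))
```

With the assumed weights the CAC scenario (inherent 9) ends up above appetite while the CBN scenario (inherent 16) does not, which is the page's point that residual risk is driven by control effectiveness rather than inherent severity alone. Replace the weights and appetite with the values your own risk methodology defines before using the model for real.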
Key Takeaway
A compliance risk assessment is the compliance function's most important planning tool. Organizations that conduct rigorous, honest, and regularly updated compliance risk assessments know where their vulnerabilities are before regulators do — and can close them proactively. Those that conduct pro-forma assessments know only what they have chosen to find.