In December 2024, women in the US earned just 80.9 cents for every dollar earned by men — the worst gender earnings ratio since 2016, according to the Institute for Women’s Policy Research.
Most boards reviewed their executive incentive plans that quarter without ever opening a compensation risk assessment checklist that would have surfaced the gap.
That disconnect is the reason this article exists. A compensation risk assessment checklist is the operating instrument that forces pay decisions through the same risk lens you already apply to cyber, third-party, and operational risk.
We treat it the way ISO 31000 treats any other risk: identify, analyse, evaluate, treat, monitor — with named owners, quantified exposures, and tested controls.
Practitioner takeaway
- A compensation risk assessment checklist forces every incentive plan, pay grade, and equity grant through the same lens used for any other enterprise risk: identify, analyze, evaluate, treat, monitor.
- The 2024 US gender pay-gap widened to 80.9 cents on the dollar — the worst level since 2016 — making pay-equity audits a non-negotiable line item on the compensation risk assessment checklist.
- Under SEC Rule 10D-1, every NYSE and Nasdaq listed issuer must operate a compliant clawback policy; the SEC has signalled that any near-term refinements will not take effect before the 2026 proxy season, so the rule stands.
- Pay-for-performance design that ignores risk-adjusted metrics is the single biggest driver of the excessive risk-taking the SEC’s 2010 disclosure rule was designed to prevent.
- Anchor the compensation risk assessment checklist to ISO 31000, COSO ERM, and the IIA Three Lines Model so that HR, Risk, Audit, and the Compensation Committee read the same scorecard.
- Translate qualitative findings into quantified exposure (legal reserves, retention cost, EMV of clawback events) before taking the compensation risk assessment checklist to the board.
This guide walks through the full compensation risk assessment checklist a publicly-listed US employer should run in 2026: the regulatory baseline (SEC Rule 10D-1, Dodd-Frank Section 953, the EEOC’s expanding pay-equity enforcement), the seven risk domains that show up on every board-grade checklist, and the KRIs and remediation moves that close the gap between policy and practice.
If you run an enterprise risk function, sit on a compensation committee, or own pay decisions in HR, you will leave with a defensible, board-ready instrument anchored to ISO 31000:2018 and COSO ERM.
Why a Compensation Risk Assessment Checklist Matters in 2026
Compensation has moved from an HR back-office process to a top-tier enterprise risk. Three forces drove the shift. First, regulators turned compensation into a disclosure regime.
The SEC pay-versus-performance final rule (Item 402(v) of Regulation S-K) requires US public companies to lay out the relationship between executive pay and shareholder return in every proxy statement.
Second, SEC Rule 10D-1, the Dodd-Frank clawback regime, makes recovery of erroneously-awarded incentive compensation mandatory after a financial restatement. Third, every state has tightened pay-transparency rules, and the EEOC has signalled greater enforcement appetite under EEOC equal-pay guidance.
Practitioners feel the pressure on the ground. The compensation risk assessment checklist now sits alongside the enterprise risk register as a governance artifact the board expects on a defined cadence.
The chart below summarises which compensation risks US HR and risk leaders are flagging most often in 2025–2026.

Figure 1. Top compensation risks cited by US HR and Risk leaders, 2025-2026 — the ranked exposures that every compensation risk assessment checklist must cover.
Two patterns matter. The compliance risks (clawback, transparency, equal-pay) cluster at the top because they create immediate legal exposure.
The behavioural risks (excessive risk-taking, pay-for-performance misalignment) cluster just below because they cause slower-burning damage that shows up in restatements and reputational events. A compensation risk assessment checklist that ignores either layer leaves the board exposed.
If you are still building the foundations, start with our complete guide to the risk assessment process before layering compensation-specific controls on top. The discipline is the same — the artifacts and KRIs change.
Regulatory Baseline Every Compensation Risk Assessment Checklist Must Meet
Before you assess design risk, audit the regulatory floor. Under SEC Rule 10D-1, every issuer listed on the NYSE or Nasdaq must adopt and disclose a compliant clawback policy that recovers erroneously-awarded incentive compensation from current and former executive officers in the event of a material accounting restatement.
Pearl Meyer notes that the SEC has flagged possible refinements, but any changes will not take effect before the 2026 proxy season — so the rule, as written, governs every compensation risk assessment checklist run this year.
On disclosure, the SEC pay-versus-performance rule forces five years of executive compensation data to be tabulated against shareholder return, peer-group return, net income, and a company-selected measure.
On equal pay, DLA Piper’s pay-equity tracker shows the EEOC pursued 111 merit suits in fiscal 2024 — including 13 systemic cases — securing nearly $700 million for more than 21,000 workers. That is the compliance backdrop a compensation risk assessment checklist has to clear.
Standards You Should Anchor the Compensation Risk Assessment Checklist To
Standards alignment makes the compensation risk assessment checklist defensible to auditors and meaningful to the board. Anchor it to four references and stop reinventing terminology.
| Standard | What it gives the compensation risk assessment checklist | Reference |
| ISO 31000:2018 | Process — identify, analyse, evaluate, treat, monitor | ISO.org |
| COSO ERM 2017 | Governance components — risk culture, strategy, performance, review | coso.org |
| IIA Three Lines Model 2020 | Role clarity — first line owns, second line oversees, third line assures | theiia.org |
| SEC Rule 10D-1 | Mandatory clawback policy and disclosure | SEC.gov |
| SEC Item 402(v) | Pay-versus-performance disclosure framework | SEC.gov |
If your risk appetite statement does not include a quantified appetite line for compensation-related exposure, that is the first remediation item — every other entry on the compensation risk assessment checklist depends on it.
The Seven Domains on a Board-Grade Compensation Risk Assessment Checklist
A serviceable compensation risk assessment checklist covers seven domains. Skip one and the checklist will fail audit. The table below maps each domain to its primary risk question, the controls a US-listed employer should evidence, and the KRI that signals trouble.
| Domain | Primary risk question | Anchor control | KRI to monitor |
| 1. Pay equity & discrimination | Are people of equal value paid equally? | Privileged statistical regression analysis annually | % pay-gap variance vs control group |
| 2. Incentive design risk | Do the metrics reward the right behaviour? | Risk-adjusted scorecards, capped payouts | Ratio of variable to fixed pay vs peer group |
| 3. Clawback & forfeiture | Can the company recover ill-gotten incentives? | SEC Rule 10D-1 compliant policy with annual attestation | Days-to-recover after restatement event |
| 4. Pay-for-performance alignment | Does pay actually track performance? | P4P disclosure tested under multi-year scenarios | TSR vs CAP correlation in proxy |
| 5. Pay transparency & disclosure | Are job posts, ranges, and proxies compliant by jurisdiction? | Centralised job-architecture and posting controls | Posting compliance rate by state |
| 6. Tax, wage-and-hour & benefits | Is the plan compliant with IRC 409A, FLSA, ERISA? | Annual tax / 409A review with external counsel | # of wage-and-hour claims per 1,000 FTEs |
| 7. Retention & flight risk | Will critical talent leave at the wrong time? | Vesting cliffs, retention agreements, succession map | Voluntary regrettable attrition in critical roles |
Each domain lives as its own row on the master checklist with an inherent and residual rating. We score on the 5×5 likelihood-by-impact matrix anchored to the organisation’s risk appetite — anything above appetite triggers the escalation path defined in the Three Lines Model.
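The scoring step described above, written out as an added example (this is not the article's or Risk Publishing's own tooling): each domain row gets an inherent score on the 5×5 matrix, a residual score after control effectiveness is applied, and a route through the Three Lines escalation path when it sits above appetite. The domain names come from the table; the likelihood, impact, control-effectiveness and appetite values are constructed sample inputs, and the residual formula (controls scale likelihood, not impact) is an assumption you would replace with your own methodology.

```python
# Added example (not from the article): score checklist domains on the 5x5
# likelihood-by-impact matrix and route anything above appetite through the
# Three Lines escalation path. Inputs below are constructed sample values.

APPETITE = 9          # constructed: residual above 9 (of 25) is above appetite
LEVELS = range(1, 6)  # 1 = very low ... 5 = very high


def inherent_score(likelihood, impact):
    """Plain 5x5 product, 1..25, before any control credit."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError("likelihood and impact must be integers 1..5")
    return likelihood * impact


def residual_score(likelihood, impact, control_effectiveness):
    """Assumption: a tested control scales likelihood down; impact is left alone,
    because a control rarely changes how bad a clawback or pay-equity finding
    is once it lands. control_effectiveness runs 0.0 (absent/untested) to 1.0."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be in [0, 1]")
    residual_likelihood = max(1, round(likelihood * (1.0 - control_effectiveness)))
    return residual_likelihood * impact


def escalation(residual, appetite=APPETITE):
    """Three Lines routing (assumed bands): within appetite stays with the first
    line; above appetite goes to the second-line owner; well above appetite
    goes to the Compensation Committee."""
    if residual <= appetite:
        return "first line manages; second line monitors KRI"
    if residual <= 2 * appetite:
        return "second-line owner escalates; treatment plan required"
    return "Compensation Committee within 30 days"


# Constructed ratings: (domain, likelihood, impact, control effectiveness).
SAMPLE_DOMAINS = [
    ("Pay equity & discrimination", 5, 5, 0.2),
    ("Incentive design risk", 3, 4, 0.6),
    ("Clawback & forfeiture", 2, 5, 0.8),
    ("Retention & flight risk", 4, 4, 0.2),
]


def score_register(domains=SAMPLE_DOMAINS, appetite=APPETITE):
    """Produce the rows that would be carried onto the enterprise risk register."""
    rows = []
    for name, likelihood, impact, ctl in domains:
        inherent = inherent_score(likelihood, impact)
        residual = residual_score(likelihood, impact, ctl)
        rows.append({
            "domain": name,
            "inherent": inherent,
            "residual": residual,
            "above_appetite": residual > appetite,
            "route": escalation(residual, appetite),
        })
    return rows


if __name__ == "__main__":
    for row in score_register():
        print(f"{row['domain']:<30} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>2}  {row['route']}")
```

The point of keeping `inherent_score` and `residual_score` as separate functions is that the register needs both numbers on the same scale; if the checklist scored residual risk on a different scale from the register, aggregation at executive-committee level would break.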
How Mature Is Your Compensation Risk Assessment Checklist Today?
Most US employers sit at Stage 2 of a four-stage maturity ladder. Stage 1 is reactive — pay decisions get made, and risk reviews happen only after lawsuits or restatements. Stage 2 is compliant — the company meets SEC, EEOC, and state disclosure obligations but treats the work as a checkbox.
Stage 3 is risk-aligned — the compensation risk assessment checklist plugs into the enterprise risk register and the appetite statement. Stage 4 is predictive — quantitative models forecast tail outcomes before plans go live.

Figure 2. Compensation risk maturity ladder — capability scores by stage. Most US employers sit between Stage 2 and Stage 3.
The bigger the gap between Stage 2 and Stage 3, the harder it is to defend the compensation risk assessment checklist when something goes wrong.
Bridging it requires three moves: name a single second-line owner of compensation risk, integrate KRIs into the existing dashboard, and run the next checklist as a structured risk assessment, not a procurement exercise.
Running the Pay-Equity Audit Inside the Compensation Risk Assessment Checklist
Pay equity is the highest-ranked compensation risk because it generates simultaneous regulatory, reputational, and litigation exposure.
The Institute for Women’s Policy Research reports that the gap widened in 2024 — the second consecutive year of regression — wiping out four years of progress.

Figure 3. US gender earnings ratio by year. The 2024 reversal is the largest two-year regression since the IWPR began tracking. Source: IWPR Equal Pay 2025 report.
A defensible pay-equity audit inside the compensation risk assessment checklist follows five steps: scope the comparator pools, assemble the dataset (pay components, demographics, tenure, performance, location), run a multivariate regression under attorney-client privilege, identify statistically significant residual differences, and remediate the outliers before the next compensation cycle.
The audit should be repeated annually — the EEOC’s January 2025 federal-employer report makes clear that age-by-gender intersections are now in scope.
Most employers fail at step 1, not step 5. Defining “substantially similar work” is harder than it looks.
California and several other states use a broader “substantially similar” standard than the federal Equal Pay Act’s “equal work” test, and the comparator pool you choose can shift residual gaps by ten percentage points.
Document every methodological decision — when the case is challenged, the methodology is what gets defended.
Pay-Equity KRIs Inside the Compensation Risk Assessment Checklist
KRIs translate the audit into a continuous control. The four indicators below show up on every pay-equity dashboard we run, and they belong on the compensation risk assessment checklist as standing items.
| KRI | Threshold (illustrative) | Escalation path |
| Adjusted pay-gap residual at 95% confidence | Green <2%, Amber 2-5%, Red >5% | Red triggers Compensation Committee within 30 days |
| % of new hires with prior-pay reliance flag | Green <5%, Amber 5-10%, Red >10% | Red triggers HR policy review and recruiter retraining |
| Salary-band overlap rate at performance-equivalent grades | Green >60%, Amber 40-60%, Red <40% | Red triggers job-architecture review |
| Compliance rate of pay-range job postings by state | Green >98%, Amber 95-98%, Red <95% | Red triggers ATS controls and counsel review |
If you do not yet have a structured KRI library, our 50 KRIs every risk manager should track walks through the design discipline. The same calibration logic carries over to compensation.
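The regression step of the five-step audit and the first KRI row above (adjusted pay-gap residual at 95% confidence), as an added example that is not code from the article or from Risk Publishing: it fits log pay on tenure, rating, location and a gender flag, reports the adjusted gap with its t-statistic, and maps the gap onto the Green/Amber/Red thresholds from the table. The OLS is written in plain Python so it runs without numpy; the dataset is constructed (20 comparator cells, one man and one woman per cell), the coefficients are made up, and the 1.96 cut-off is the normal approximation to the 95% critical value (use the t-distribution for small pools).

```python
# Added example (not from the article): adjusted pay-gap regression on a
# constructed comparator pool, with the KRI thresholds from the table above.
import math

TRUE_FEMALE_COEF = -0.035  # constructed: women paid ~3.4% less, all else equal


def build_sample():
    """Constructed pool: 20 tenure/rating/location cells, one man and one woman
    per cell, so the gender flag is balanced against every other covariate."""
    tenures, ratings = [1, 3, 5, 8, 12], [2, 3, 4, 5]
    records, i = [], 0
    for ti, tenure in enumerate(tenures):
        for ri, rating in enumerate(ratings):
            hub = 1 if (ti + ri) % 2 == 0 else 0           # high-cost location flag
            for female in (0, 1):
                log_pay = 11.0 + 0.02 * tenure + 0.05 * rating + 0.10 * hub
                log_pay += TRUE_FEMALE_COEF * female
                log_pay += ((i * 7) % 11 - 5) * 0.001       # deterministic +/-0.5% noise
                records.append({"tenure": tenure, "rating": rating, "hub": hub,
                                "female": female, "pay": math.exp(log_pay)})
                i += 1
    return records


def _invert(a):
    """Gauss-Jordan inverse with partial pivoting (small, well-conditioned X'X)."""
    n = len(a)
    m = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        p = m[col][col]
        m[col] = [v / p for v in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0.0:
                f = m[r][col]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[col])]
    return [row[n:] for row in m]


def ols(X, y):
    """Ordinary least squares: returns (coefficients, standard errors)."""
    n, k = len(X), len(X[0])
    xtx = [[sum(X[i][a] * X[i][b] for i in range(n)) for b in range(k)] for a in range(k)]
    xty = [sum(X[i][a] * y[i] for i in range(n)) for a in range(k)]
    inv = _invert(xtx)
    beta = [sum(inv[a][b] * xty[b] for b in range(k)) for a in range(k)]
    resid = [y[i] - sum(X[i][a] * beta[a] for a in range(k)) for i in range(n)]
    sigma2 = sum(r * r for r in resid) / (n - k)
    se = [math.sqrt(sigma2 * inv[a][a]) for a in range(k)]
    return beta, se


def adjusted_gap(records, critical_t=1.96):
    """Adjusted gender gap: coefficient on the female flag in a log-pay model,
    expressed as a percentage, with its t-statistic and a 95% significance flag."""
    X = [[1.0, r["tenure"], r["rating"], r["hub"], r["female"]] for r in records]
    y = [math.log(r["pay"]) for r in records]
    beta, se = ols(X, y)
    coef, err = beta[4], se[4]
    t_stat = coef / err if err > 0 else float("inf")
    return {
        "coef": coef,
        "gap_pct": (1.0 - math.exp(coef)) * 100.0,   # positive = women paid less
        "t_stat": t_stat,
        "significant": abs(t_stat) >= critical_t,
    }


def rag_status(gap_pct):
    """KRI thresholds from the table: Green <2%, Amber 2-5%, Red >5%."""
    g = abs(gap_pct)
    if g < 2.0:
        return "Green"
    if g <= 5.0:
        return "Amber"
    return "Red"


if __name__ == "__main__":
    result = adjusted_gap(build_sample())
    print(f"adjusted gap {result['gap_pct']:.2f}% (t={result['t_stat']:.1f}, "
          f"significant={result['significant']}) -> {rag_status(result['gap_pct'])}")
```

Two things to carry into a real audit from this toy: the comparator-pool decision (which records go into `build_sample`) moves the result far more than the estimator does, which is exactly the step-1 failure the section describes, and a statistically significant residual that is Amber still needs documented methodology before it is defended.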
Incentive Design Risk on the Compensation Risk Assessment Checklist
Incentive design risk is what kept Federal Reserve and SEC examiners awake after 2008 — and what produced the original Section 956 disclosure rules.
The question is simple: does the plan reward behaviour the board actually wants, or does it tempt employees to take risk the firm cannot absorb? Compensation Advisory Partners frames the work as a multi-disciplinary review involving HR, Risk, Legal, Finance, and business leadership.
That is the team the compensation risk assessment checklist convenes.

Figure 4. Typical pay-at-risk by role band — the higher the variable percentage, the more rigorous the compensation risk assessment checklist must be.
The People Processes / Everstage benchmark puts most non-sales roles in an 8-25% at-risk band, senior leaders up to 40%, and quota-driven sales or CEO roles up to 60% or higher.
Higher at-risk percentages multiply the magnitude of behavioural distortion if the metrics are wrong, so the compensation risk assessment checklist scales scrutiny with pay mix.
Six Design Tests on the Compensation Risk Assessment Checklist
Run every incentive plan through these six tests before it goes to the Compensation Committee.
- Metric balance test. Does the scorecard combine financial outcomes with risk-adjusted, qualitative, and forward-looking measures? Single-metric plans are the highest-risk design.
- Time-horizon test. Are payouts deferred long enough for risk to surface? Annual plans without deferral or LTI gating are flagged.
- Cap and floor test. Is there a hard cap on payout (typically 200% of target) and a performance floor that prevents payouts at zero performance?
- Risk-adjustment test. Can the Compensation Committee modify or reduce payouts based on risk events that did not show up in the scorecard?
- Clawback linkage test. Are all incentive payments contractually subject to the SEC Rule 10D-1 clawback policy?
- Stress test. Has the plan been modelled under three scenarios: business-as-usual, downturn, and tail event? Monte Carlo simulation or simple scenario analysis catches bad mechanics before they reach payroll.
If three or more tests fail, the plan is not ready to release. Send it back to design with documented red-flag findings — that documentation is what the second line uses on the next compensation risk assessment checklist cycle.
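The cap-and-floor test, the metric-balance test and the stress test above, as an added example (not code from the article, Compensation Advisory Partners or Everstage): a constructed payout curve with a performance floor and a 200% cap, a Monte Carlo run of a weighted scorecard under the three named scenarios, and a comparison showing why a single-metric plan has a wider payout tail than a balanced one. The payout curve, scenario parameters, weights and the 40% deferral share are all assumptions.

```python
# Added example (not from the article): cap/floor mechanics and a Monte Carlo
# stress test of a scorecard plan under business-as-usual, downturn and tail
# scenarios. All plan parameters below are constructed.
import random
import statistics

THRESHOLD = 0.5   # achievement below 50% of target pays nothing (performance floor)
CAP = 2.0         # hard cap at 200% of target


def payout_multiple(achievement, threshold=THRESHOLD, cap=CAP):
    """Constructed curve: 0 below threshold, 50%->100% of target between threshold
    and target, then a 2x slope up to the cap (reached at 150% achievement)."""
    if achievement < threshold:
        return 0.0
    if achievement <= 1.0:
        return 0.5 + (achievement - threshold)
    return min(cap, 1.0 + 2.0 * (achievement - 1.0))


def scorecard_achievement(achievements, weights):
    """Weighted achievement across scorecard metrics; weights must sum to 1."""
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("scorecard weights must sum to 1")
    return sum(a * w for a, w in zip(achievements, weights))


# Constructed scenarios: (mean achievement, per-metric sd, common-shock sd).
SCENARIOS = {
    "business_as_usual": (1.0, 0.15, 0.0),
    "downturn": (0.8, 0.20, 0.10),
    "tail_event": (0.5, 0.30, 0.25),
}


def simulate(weights, scenario, draws=5000, seed=7):
    """Monte Carlo over one scenario; returns payout-multiple statistics."""
    mean, sd, shock_sd = SCENARIOS[scenario]
    rng = random.Random(seed)
    multiples = []
    for _ in range(draws):
        common = rng.gauss(0.0, shock_sd) if shock_sd else 0.0   # shared shock
        achievements = [max(0.0, rng.gauss(mean, sd) + common) for _ in weights]
        multiples.append(payout_multiple(scorecard_achievement(achievements, weights)))
    multiples.sort()
    return {
        "mean": statistics.fmean(multiples),
        "stdev": statistics.pstdev(multiples),
        "p95": multiples[int(0.95 * draws) - 1],
        "share_at_cap": sum(1 for m in multiples if m >= CAP) / draws,
        "share_at_floor": sum(1 for m in multiples if m == 0.0) / draws,
    }


def stress_report(weights, target_pool=1_000_000.0, deferral=0.4):
    """Expected spend per scenario, split into cash paid now and the deferred
    slice that stays within reach of the clawback policy (deferral is assumed)."""
    report = {}
    for name in SCENARIOS:
        stats = simulate(weights, name)
        expected = stats["mean"] * target_pool
        report[name] = {**stats, "expected_spend": expected,
                        "cash_now": expected * (1 - deferral),
                        "deferred": expected * deferral}
    return report


def metric_balance_check(single_weights=(1.0,), balanced_weights=(0.4, 0.3, 0.3)):
    """Metric balance test: same scenario and noise, fewer metrics = wider tail."""
    single = simulate(list(single_weights), "business_as_usual")
    balanced = simulate(list(balanced_weights), "business_as_usual")
    return {"single_stdev": single["stdev"], "balanced_stdev": balanced["stdev"],
            "single_metric_riskier": single["stdev"] > balanced["stdev"]}


if __name__ == "__main__":
    for name, row in stress_report([0.4, 0.3, 0.3]).items():
        print(f"{name:<18} mean={row['mean']:.2f}x p95={row['p95']:.2f}x "
              f"cap={row['share_at_cap']:.1%} floor={row['share_at_floor']:.1%} "
              f"deferred=${row['deferred']:,.0f}")
    print(metric_balance_check())
```

Run this before a plan reaches the Compensation Committee and the red flags fall out of the numbers: a tail scenario that still pays near target means the floor is too low, a business-as-usual run that lands at the cap too often means the target is soft, and a single-metric scorecard shows its higher dispersion directly in `metric_balance_check`.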
Clawback Discipline as a Hard Control on the Compensation Risk Assessment Checklist
Clawback policy is the only domain on the compensation risk assessment checklist where compliance is binary — either the policy meets the SEC standard or the company faces delisting risk.
Under SEC Rule 10D-1, the company must recover the excess of any incentive-based compensation that would not have been awarded had the financials been reported correctly, regardless of fault, from current and former executive officers, going back three years from the restatement date.
The compensation risk assessment checklist tests four things on clawback: policy adoption (filed and disclosed), policy scope (all incentive-based compensation tied to financial measures), recovery mechanics (who calculates, who approves, who enforces), and disclosure (Form 10-K Item 9C and proxy CD&A). Get any of the four wrong and the residual rating stays red.
Clawback Trigger Mapping for the Compensation Risk Assessment Checklist
| Trigger event | Compensation in scope | Recovery window | Practical control |
| Material accounting restatement (Big R) | Incentive comp tied to financial measures, 3-year look-back | As soon as reasonably possible (Rule 10D-1) | Standing recovery sub-committee with delegated authority |
| Little r restatement (immaterial errors) | Same as above (Big R or Little r both trigger) | As soon as reasonably possible | Joint review by Audit and Compensation Committees |
| Restrictive-covenant breach | Per contract — typically all unvested awards | Per individual award agreement | HR notifies Comp Committee within 5 business days |
| Misconduct (broader than 10D-1) | Per discretionary clawback policy | Per board decision | Investigation protocol with Legal and HR |
| Risk-event clawback (forward-looking) | Variable comp linked to the risk event | Per plan terms | Risk Committee assesses materiality, recommends to Comp Committee |
The compensation risk assessment checklist also tests whether the clawback population is findable — former executives who left two years ago must still be reachable for recovery. That is a vendor-database control as much as a legal one.
If your HRIS does not maintain accurate post-termination contact data on former Section 16 officers, that is a discrete remediation item.
Where Compensation Risk Assessment Checklist Programs Stall — And How to Unstick Them
Programs fail in predictable ways. The pitfalls below are the ones the second line sees most often. The remedies are pragmatic, not aspirational.
| Pitfall | Root cause | Remedy |
| HR owns the checklist alone | Compensation treated as administrative, not enterprise risk | Move sign-off to Risk Committee with HR as first line; second line owns the checklist |
| Pay-equity audit only when sued | No standing KRI on pay-gap residual | Annual privileged audit + quarterly KRI review on the compensation risk assessment checklist |
| Clawback policy filed but never tested | No process for restatement-to-recovery handoff | Tabletop exercise simulating a Big R restatement once per year |
| Plans reward single-metric performance | Finance-led design that ignores risk overlay | Add risk-adjusted modifier and Compensation Committee discretion clause |
| State posting compliance gaps | Decentralised job-posting authority | Centralise ATS controls and approve every posting against the state matrix |
| Retention agreements that survive misconduct | Legal templates not aligned to clawback policy | Re-paper templates to incorporate forfeiture and recovery language |
| No quantified board view | Heatmaps without dollar exposure | Translate top exposures into expected loss and reserve implications using structured risk-register fields |
Frequently Asked Questions About the Compensation Risk Assessment Checklist
How often should the compensation risk assessment checklist be run?
Annually at minimum, with a deeper review whenever there is a material change — a new incentive plan, an M&A deal, a change in disclosure regime, or a regulatory enforcement action against a peer.
Most US public companies align the cadence with the proxy timetable so the compensation risk assessment checklist feeds directly into the CD&A drafting process.
Who owns the compensation risk assessment checklist under the Three Lines Model?
First line: HR/Total Rewards designs and operates pay programs. Second line: Risk and Compliance own the checklist methodology, scoring, and reporting. Third line: Internal Audit assures the program.
The Compensation Committee receives the consolidated output. If a single second-line owner is not named, the compensation risk assessment checklist will fragment across functions and accountability evaporates — that is the most common governance failure mode the Three Lines Model implementation guide addresses.
Does a compensation risk assessment checklist apply to private companies?
Yes — though the regulatory drivers differ. Private companies are not bound by SEC Rule 10D-1, but they face the same EEOC pay-equity exposure, IRC 409A risk on deferred compensation, and FLSA wage-and-hour exposure.
Private equity portfolio companies in particular get pushed by sponsors to run a compensation risk assessment checklist because the exit due-diligence process will expose any gaps.
How does the compensation risk assessment checklist link to the broader risk register?
Every domain on the checklist becomes a row on the enterprise risk register, with inherent and residual scores, named owners, KRIs, and treatment actions. The compensation risk assessment checklist is the upstream working paper; the register is the downstream system of record.
The same scoring scale must be used in both, otherwise risk aggregation breaks at the executive committee level.
What’s the difference between a compensation risk assessment checklist and an incentive plan risk assessment?
Scope. The incentive plan risk assessment looks only at variable-pay design — usually annual bonus, LTI, and sales commissions.
The compensation risk assessment checklist sits one layer above and covers fixed pay, variable pay, equity, benefits, severance, and the governance controls around all of them. SEC pay-versus-performance disclosure and EEOC pay-equity exposure cannot be addressed by an incentive-only review.
Should ESG and DEI metrics stay on the compensation risk assessment checklist annual incentive scope?
This is the most contested question on the 2026 compensation risk assessment checklist. Everstage’s 2026 trends review reports that several large issuers, including Barclays, have moved climate-related KPIs out of annual bonus schemes and into long-term incentive plans where outcomes are measurable.
The pragmatic position: keep ESG and DEI metrics that are observable and quantifiable inside the year, and migrate longer-cycle measures to LTIs. Either way, document the rationale in the compensation risk assessment checklist.
How does the compensation risk assessment checklist handle whistleblower and retaliation risk?
As a discrete control. Compensation that disadvantages employees for raising concerns — whether through performance-rating manipulation, withheld bonuses, or denied promotions — is an SEC, EEOC, and OSHA whistleblower exposure all at once.
The compensation risk assessment checklist tests for retaliation indicators (e.g., disproportionate negative ratings post-complaint) and routes findings to Internal Audit. This is one of the controls a well-designed risk assessment policy picks up.
Can AI tools automate the compensation risk assessment checklist?
Partially, and selectively. AI is genuinely useful for pay-equity statistical analysis, anomaly detection in payroll runs, and horizon scanning of regulatory changes.
AI is risky when used for performance-rating recommendations or termination decisions without human review — the EEOC has explicitly flagged algorithmic decision-making as an enforcement priority. The compensation risk assessment checklist must include an AI-governance row that ties to your AI risk management framework.
Looking Ahead: How the Compensation Risk Assessment Checklist Will Evolve, 2026-2028
Three shifts are already visible. First, regulatory convergence. The SEC, the EEOC, the OFCCP, and state regulators are increasingly looking at the same data — pay components by demographic, by job code, by location.
The smart compensation risk assessment checklist anticipates that convergence and feeds a single dataset to all of them, rather than maintaining parallel files for each regulator.
Second, quantification. Boards have stopped accepting heatmaps without dollar exposure. Within two years, every top-quartile compensation risk assessment checklist will quantify expected loss for the top three to five risks — clawback exposure under Big R restatement, pay-equity reserve, retention shock from a key-talent exit.
The methodology is the same Monte Carlo and scenario analysis that already runs on the operational risk side.
Third, dynamic monitoring. Static annual checklists are giving way to continuously-updated dashboards where KRI breaches automatically trigger reassessment.
The compensation risk assessment checklist of 2028 will look more like a live dashboard than a Word document — but the discipline behind it will still be ISO 31000 and COSO ERM, executed under the IIA Three Lines Model. Practitioners who build that discipline now will not have to retro-fit it later.
One closing observation: the compensation risk assessment checklist is the most cross-functional artifact in the risk function. HR will not run it alone.
Risk will not run it alone. Legal will not run it alone. The board members who care about it most are the ones who have seen what happens when it is run badly — usually after the fact, in an SEC enforcement action or a class-wide pay-equity case.
Run it well, and it is a quiet control that nobody notices. Run it badly, and the front page of the Wall Street Journal does the noticing for you. If you need help building or refreshing your compensation risk assessment checklist, including pay-equity audit design, clawback testing, or board-grade risk reporting, Risk Publishing’s advisory desk works with US risk and HR leaders to deliver defensible, standards-anchored programs. Visit our services page or contact us to talk through scoping. You will also find ready-to-use templates, the underlying ISO 31000 and COSO ERM frameworks, and the broader risk management library at riskpublishing

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
