In February 2025, cryptocurrency exchange OKX paid more than $504 million to the US Department of Justice after pleading guilty to operating without an effective anti-money-laundering program.
The penalty was the single largest compliance fine of the year — but it was far from isolated. Across financial services alone, regulatory fines surged 417% in the first half of 2025, totalling $1.23 billion, as regulators in North America, Europe, and Asia-Pacific tightened enforcement on AML, sanctions, and data protection failures.
These numbers tell a clear story: the era of treating compliance as a checkbox exercise is over. Non-compliance now costs US businesses an average of $14.82 million per year — nearly triple the cost of building and maintaining an effective compliance program. Yet 85% of compliance executives report that regulatory complexity has increased significantly over the past three years, and 63% say fragmented organizational data makes compliance harder, not easier.
A compliance risk assessment framework is the structured, repeatable process that sits at the center of this challenge.
| Key Takeaways |
| Non-compliance costs US businesses an average of $14.82 million annually — nearly triple the cost of maintaining compliance programs, making a compliance risk assessment framework a financial necessity, not a bureaucratic exercise. |
| Regulatory fines surged 417% in H1 2025 ($1.23 billion globally), with sanctions enforcement alone jumping from $3.7 million to $228.8 million year-over-year, driven by geopolitical tensions and intensified enforcement. |
| A robust compliance risk assessment framework aligns with ISO 37301 (compliance management systems), ISO 31000 (risk management), and COSO ERM to create a defensible, certifiable program. |
| 82% of compliance executives plan to increase technology investment (PwC 2025), yet 63% say fragmented data across the organization remains their biggest compliance obstacle. |
| Third-party risk is the fastest-growing compliance exposure: 46% of organizations experienced a vendor-related data breach in 2025, and 30% faced a compliance violation tied to third-party oversight. |
| Effective frameworks follow a lifecycle — Scope → Identify → Assess → Control → Monitor → Report → Review — with each phase producing auditable artifacts and SMART actions. |
Built correctly, such a framework identifies where your organization is most exposed to regulatory failure, prioritizes resources toward the risks that matter most, and creates the auditable evidence trail that regulators expect.
This guide walks through each component of a defensible framework — from risk identification through control assessment, third-party risk management, and technology enablement — with current data, practitioner tools, and an implementation roadmap you can put to work this quarter.

Figure 1: Compliance Risk by the Numbers — Key Statistics for 2025-2026
What a Compliance Risk Assessment Framework Actually Does
A compliance risk assessment framework is a systematic methodology for identifying, evaluating, and managing the risks that arise when an organization fails — or might fail — to meet its legal, regulatory, and internal policy obligations.
The key word is systematic. Ad hoc compliance checks catch some problems. A framework catches the patterns, dependencies, and emerging exposures that ad hoc approaches miss.
Under ISO 37301:2021, the international standard for compliance management systems, the compliance risk assessment is a core requirement — not a nice-to-have. Unlike its predecessor (ISO 19600), ISO 37301 is certifiable, meaning accredited auditors can verify your framework against a recognized benchmark.
Combined with ISO 31000 for general risk management principles and COSO ERM for enterprise-wide risk governance, these standards provide the scaffolding for a framework that regulators, auditors, and boards will trust.
The framework typically operates across seven phases: Scope → Identify → Assess → Control → Monitor → Report → Review. Each phase produces specific artifacts — a regulatory inventory, a risk register, control effectiveness scores, KRI dashboards, and board-ready reports — that collectively demonstrate your program’s maturity and defensibility.
Organizations that skip phases, or treat them as one-time exercises, are the ones that end up in enforcement crosshairs.
Why This Matters (With Numbers)
Compliance spending often faces skepticism from the C-suite: “How much is enough?” and “What’s the ROI?” are questions every compliance officer has fielded. The data provides a definitive answer.

Figure 2: The Financial Case for Compliance — Cost of Non-Compliance vs. Maintaining Compliance
According to the Ponemon Institute, non-compliance costs US businesses an average of $14.82 million annually, encompassing fines, business disruption, productivity losses, and revenue erosion.
Maintaining a compliance program, by contrast, averages $5.47 million — roughly a third of the cost of getting it wrong. When a breach involves a non-compliance factor, the IBM Cost of a Data Breach Report 2025 puts the average cost at $4.61 million per incident, $174,000 more than breaches without a compliance component.
Beyond direct penalties, the downstream consequences multiply. Revenue losses of 15–25% in affected business lines are common as customers move to competitors they trust more.
Shareholder value declines of 30% or more have been recorded following major compliance failures. And average litigation and regulatory response costs reach approximately $2 million per incident, excluding the fine itself.
So What: A compliance risk assessment framework is not a cost center — it’s insurance against losses that run 2.7x higher than the program cost. Now What: Use these figures in your next board risk committee presentation to secure funding for framework buildout or refresh.
The Enforcement Landscape: Where Regulators Are Hitting Hardest
Understanding the enforcement environment is step one in calibrating your framework’s priorities. Global regulatory fines have shifted dramatically in both volume and geographic focus.

Figure 3: Regulatory Compliance Fines by Region — H1 2024 vs H1 2025
Fenergo’s 2025 Global Regulatory Penalties Report shows 139 financial penalties in H1 2025 totalling $1.23 billion — a 417% year-over-year increase. North America accounted for 86% of the global total ($1.06 billion), while EMEA penalties rose 147% to $168 million. Sanctions enforcement was the standout category, with fines jumping from $3.7 million in H1 2024 to $228.8 million in H1 2025 as geopolitical tensions intensified regulatory demands.
For full-year 2025, AML/KYC penalties totalled $3.8 billion globally, down from $4.6 billion in 2024 — but the decline masks a sharp regional divergence.
North American fines fell 58% as the DOJ shifted enforcement priorities, while EMEA penalties surged 767% and APAC rose 44%. The message for compliance teams: your regulatory risk management strategy must be jurisdiction-specific, not one-size-fits-all.
| Enforcement Area | H1 2025 Fines | YoY Change | Key Driver |
| AML/KYC | $743M | +312% | Crypto exchange failures |
| Sanctions | $228.8M | +6,084% | Geopolitical enforcement |
| Transaction Monitoring | $156M | +89% | Inadequate systems |
| Data Protection | $98M | +45% | GDPR/CCPA escalation |
| Customer Due Diligence | $78M | +67% | Beneficial ownership gaps |
Building the Framework: Seven Core Components
Those enforcement numbers don’t exist in a vacuum — they map directly to specific weaknesses in organizations’ compliance programs.
A robust compliance risk assessment framework addresses each vulnerability through a structured lifecycle. Here are the seven components that separate defensible programs from paper exercises.
1. Scope, Objectives, and Governance
Define what the assessment covers (business units, jurisdictions, risk domains), what it aims to achieve (regulatory readiness, audit preparation, risk-appetite calibration), and who owns each phase.
Align governance to the Three Lines Model: first line owns controls, second line (compliance function) provides oversight and methodology, third line (internal audit) provides independent assurance. Document these roles in a RACI matrix with named owners, not function titles.
2. Regulatory Inventory and Obligation Mapping
Compile every legal, regulatory, and contractual obligation that applies to your operations. This isn’t a one-time exercise — regulations change constantly.
The PwC Global Compliance Survey 2025 found that 90% of compliance executives say their responsibilities have broadened to include AI ethics, ESG metrics, and supply chain oversight on top of traditional areas like anti-corruption and data protection.
Map each obligation to the business process, system, or third party it affects, and assign an owner responsible for monitoring changes.
3. Risk Identification
Identify potential compliance risks using a combination of top-down and bottom-up methods. Top-down: regulatory change scanning, industry benchmarking, and scenario analysis.
Bottom-up: risk and control self-assessments (RCSAs), incident analysis, audit findings, and whistleblower reports.
Common compliance risk categories include regulatory change, employee conduct, data privacy, third-party failures, financial reporting, anti-corruption, and emerging technology (AI, crypto).

Figure 4: Primary Sources of Compliance Risk (2025)
4. Risk Assessment and Prioritization
Evaluate each identified risk on two dimensions: likelihood (probability of occurrence) and consequence (financial, legal, reputational, operational impact). Use a standardized risk assessment matrix — a 5×5 grid works well for most organizations — and score both inherent risk (before controls) and residual risk (after controls).
This dual scoring reveals control effectiveness gaps. Combine qualitative judgment with quantitative methods: Monte Carlo simulation for high-impact scenarios, bow-tie analysis for cause-consequence mapping, and tornado charts for sensitivity analysis on key variables.
| Impact ↓ / Likelihood → | 1 – Rare | 2 – Unlikely | 3 – Possible | 4 – Likely | 5 – Almost Certain |
| 5 – Catastrophic | 5 (Medium) | 10 (Medium) | 15 (High) | 20 (High) | 25 (High) |
| 4 – Major | 4 (Low) | 8 (Medium) | 12 (Medium) | 16 (High) | 20 (High) |
| 3 – Moderate | 3 (Low) | 6 (Medium) | 9 (Medium) | 12 (Medium) | 15 (High) |
| 2 – Minor | 2 (Low) | 4 (Low) | 6 (Medium) | 8 (Medium) | 10 (Medium) |
| 1 – Insignificant | 1 (Low) | 2 (Low) | 3 (Low) | 4 (Low) | 5 (Medium) |
5. Control Assessment and Gap Analysis
Review existing controls against each prioritized risk. Evaluate both design effectiveness (is the control designed to mitigate the risk?) and operating effectiveness (is it working as intended in practice?).
A control that exists on paper but isn’t followed is worse than no control at all — it creates false assurance. Score control effectiveness using a formula like: CE = ROUND((Residual Score / Inherent Score) × 5, 0), where 1 = highly effective and 5 = ineffective. Two sanity checks belong next to that formula: clamp the result to the 1–5 scale, because a residual score below one fifth of the inherent score rounds to 0, and treat any residual score above the inherent score as a scoring error rather than a valid rating. Map gaps to risk treatment options: mitigate, transfer, avoid, or accept.
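The scoring in components 4 and 5, carried through in code: the 5×5 matrix cell values and their Low/Medium/High bands, the CE formula applied to a small risk register, and the resulting treatment order. This is an added example written for this edit, not code from the article or from any standard it cites. The risk identifiers, descriptions and ratings in the sample register are constructed, and the half-up rounding and the 1–5 clamp are assumptions made explicit in the code rather than anything the article prescribes.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}


def risk_score(likelihood: int, impact: int) -> int:
    """Cell value of the 5x5 matrix: likelihood x impact, each on the 1-5 scale."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    return likelihood * impact


def risk_band(score: int) -> str:
    """Banding read off the article's matrix: 1-4 Low, 5-12 Medium, 15-25 High."""
    if score <= 4:
        return "Low"
    if score <= 12:
        return "Medium"
    return "High"


def control_effectiveness(inherent: int, residual: int) -> int:
    """CE = ROUND((Residual / Inherent) x 5, 0): 1 = highly effective, 5 = ineffective.

    Two corrections the bare formula needs in practice (assumptions, not from the article):
    - rounding is half-up, as a spreadsheet ROUND() does; Python's built-in round()
      is half-to-even and would turn 2.5 into 2 instead of 3;
    - the raw value is 0 whenever residual is under a fifth of inherent, so the
      result is clamped to the 1-5 scale.
    """
    if inherent < 1:
        raise ValueError("inherent score must be at least 1")
    if residual > inherent:
        raise ValueError("residual score above inherent score: re-check the scoring")
    scaled = Decimal(residual) / Decimal(inherent) * 5
    ce = int(scaled.quantize(Decimal("1"), rounding=ROUND_HALF_UP))
    return max(1, min(5, ce))


@dataclass(frozen=True)
class RiskEntry:
    """One row of the compliance risk register: inherent and residual ratings."""
    risk_id: str
    description: str
    inherent_likelihood: int
    inherent_impact: int
    residual_likelihood: int
    residual_impact: int


def assess(entry: RiskEntry) -> dict:
    """Score both dimensions of one entry and rate the controls behind the residual."""
    inherent = risk_score(entry.inherent_likelihood, entry.inherent_impact)
    residual = risk_score(entry.residual_likelihood, entry.residual_impact)
    return {
        "risk_id": entry.risk_id,
        "inherent": inherent,
        "inherent_band": risk_band(inherent),
        "residual": residual,
        "residual_band": risk_band(residual),
        "control_effectiveness": control_effectiveness(inherent, residual),
    }


def prioritize(register: list) -> list:
    """Treatment order: highest residual score first, inherent score as tie-breaker."""
    return sorted((assess(e) for e in register),
                  key=lambda r: (r["residual"], r["inherent"]), reverse=True)


# Constructed register rows for illustration; ids, descriptions and ratings are not from the article.
SAMPLE_REGISTER = [
    RiskEntry("CR-01", "Sanctions screening lags list updates", 4, 5, 2, 5),
    RiskEntry("CR-02", "Vendor keeps customer data after contract end", 3, 4, 3, 4),
    RiskEntry("CR-03", "Overdue compliance training on trading desk", 4, 2, 2, 2),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r['risk_id']}  inherent {r['inherent']:>2} ({r['inherent_band']})  "
              f"residual {r['residual']:>2} ({r['residual_band']})  CE {r['control_effectiveness']}")
```

CR-02 is the paper-control case from the paragraph above: inherent and residual score the same (12), so CE comes out at 5, and it sits at the top of the treatment list ahead of CR-01 even though CR-01 has the higher inherent score (20, High). CR-01 and CR-03 both produce a raw CE of 2.5, which is where the half-up versus half-to-even rounding choice changes the reported rating.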
6. Risk Response and Action Planning
For each gap, develop SMART actions: Specific, Measurable, Achievable, Relevant, Time-bound. Every action needs a named owner (not a department), a due date, evidence-of-closure criteria, and a follow-up cadence.
Feed the highest-priority actions into your risk mitigation plan and track them through an issues-and-actions register. The KPMG 2025 SOX Survey found that average testing hours per control increased to 16 hours (up from 12 in FY22), reflecting the growing rigor regulators expect in control validation.
7. Monitoring, Reporting, and Continuous Improvement
Establish key risk indicators (KRIs) with red/amber/green thresholds and escalation rules. Build a KRI dashboard that rolls up to the board level and distinguishes leading from lagging indicators.
Report findings to senior management quarterly, to the board semi-annually, and to regulators as required. The framework itself must be reviewed at least annually — or whenever a material regulatory change, organizational restructure, or significant incident occurs.
The Practitioner’s Toolkit: Compliance KRIs That Drive Action
A framework without measurable indicators is a framework without teeth. The table below provides compliance KRI examples with thresholds calibrated to typical mid-to-large organizations. Adjust thresholds based on your risk appetite statement.
| KRI | Green | Amber | Red | Escalation Action |
| Overdue compliance training (%) | <5% | 5–15% | >15% | Notify CCO; suspend system access after 30 days |
| Open regulatory findings (count) | 0–2 | 3–5 | >5 | Board risk committee briefing |
| Policy breach incidents (per quarter) | 0–1 | 2–4 | >4 | Root cause analysis; CAPA within 14 days |
| Third-party compliance audit pass rate | >90% | 75–90% | <75% | Enhanced due diligence; contract review |
| Regulatory change backlog (days) | <30 | 30–60 | >60 | CCO escalation; temporary manual controls |
| Whistleblower reports unresolved >30 days | 0 | 1–2 | >2 | Board audit committee notification |
| Control testing deficiency rate | <10% | 10–20% | >20% | Remediation plan within 7 days |
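The KRI table above turned into an executable threshold check, so that every reading lands in exactly one band and a red reading carries its escalation action with it. This is an added example, not the article's own tooling: the short KRI identifiers, the boundary convention (a value that sits exactly on a band edge, such as a 90% pass rate or a 30-day backlog, is amber, matching the table's "5–15%", "3–5" and "75–90%" amber ranges) and the quarter-end readings in the sample snapshot are all constructed for this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Kri:
    """One indicator from the KRI table: its two band edges and the red-status action."""
    name: str
    unit: str
    green_bound: float      # green lies on the far side of this edge
    red_bound: float        # red lies on the far side of this edge
    higher_is_better: bool  # a pass rate is good when high; everything else when low
    escalation: str

    def status(self, value: float) -> str:
        # Assumed boundary convention: a value exactly on an edge falls in the amber band.
        if self.higher_is_better:
            if value > self.green_bound:
                return "Green"
            return "Red" if value < self.red_bound else "Amber"
        if value < self.green_bound:
            return "Green"
        return "Red" if value > self.red_bound else "Amber"


# Thresholds transcribed from the article's KRI table; the identifiers are assumed.
KRIS = {
    "overdue_training_pct": Kri("Overdue compliance training", "%", 5, 15, False,
                                "Notify CCO; suspend system access after 30 days"),
    "open_findings": Kri("Open regulatory findings", "count", 3, 5, False,
                         "Board risk committee briefing"),
    "policy_breaches_qtr": Kri("Policy breach incidents", "per quarter", 2, 4, False,
                               "Root cause analysis; CAPA within 14 days"),
    "tp_audit_pass_rate": Kri("Third-party compliance audit pass rate", "%", 90, 75, True,
                              "Enhanced due diligence; contract review"),
    "reg_change_backlog_days": Kri("Regulatory change backlog", "days", 30, 60, False,
                                   "CCO escalation; temporary manual controls"),
    "whistleblower_open_30d": Kri("Whistleblower reports unresolved >30 days", "count", 1, 2, False,
                                  "Board audit committee notification"),
    "control_deficiency_rate_pct": Kri("Control testing deficiency rate", "%", 10, 20, False,
                                       "Remediation plan within 7 days"),
}

SEVERITY = {"Green": 0, "Amber": 1, "Red": 2}


def evaluate(snapshot: dict) -> list:
    """Rate each reported value; an unknown KRI id is a configuration error, not a silent skip."""
    unknown = set(snapshot) - set(KRIS)
    if unknown:
        raise KeyError(f"values reported for unconfigured KRIs: {sorted(unknown)}")
    results = []
    for kri_id, value in snapshot.items():
        status = KRIS[kri_id].status(value)
        results.append({
            "kri": kri_id,
            "value": value,
            "status": status,
            "action": KRIS[kri_id].escalation if status == "Red" else None,
        })
    return results


def rollup(results: list) -> dict:
    """Board-level summary: worst status wins, plus what needs escalation and what was never reported."""
    reported = {r["kri"] for r in results}
    overall = max((r["status"] for r in results), key=SEVERITY.get, default="Green")
    return {
        "overall": overall,
        "red": [r["kri"] for r in results if r["status"] == "Red"],
        "amber": [r["kri"] for r in results if r["status"] == "Amber"],
        "missing": sorted(set(KRIS) - reported),  # a KRI with no data is itself a finding
    }


# Constructed quarter-end readings; several sit exactly on a band edge on purpose.
SAMPLE_SNAPSHOT = {
    "overdue_training_pct": 7.5,
    "open_findings": 6,
    "policy_breaches_qtr": 1,
    "tp_audit_pass_rate": 90,
    "reg_change_backlog_days": 30,
    "whistleblower_open_30d": 0,
    "control_deficiency_rate_pct": 22,
}

if __name__ == "__main__":
    results = evaluate(SAMPLE_SNAPSHOT)
    for r in results:
        print(f"{r['kri']:<28} {r['value']:>6} {r['status']:<6} {r['action'] or ''}")
    print(rollup(results))
```

Two design points worth keeping when this is wired into a real dashboard: an unreported KRI is surfaced in `missing` rather than silently counted as green, and a metric id that nobody configured thresholds for raises instead of being dropped, because both cases are exactly the fragmented-data problem the survey figures on this page describe.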
Third-Party Compliance Risk: The Exposure You Can’t Outsource
Your vendors’ compliance failures are your compliance failures — regulators don’t distinguish between first-party and third-party lapses when issuing penalties.
The Hyperproof 2025 IT Compliance Benchmark Report found that 46% of organizations experienced a third-party data or privacy breach affecting their records, and 30% reported a compliance violation directly tied to third-party oversight gaps.
A strong third-party risk management (TPRM) program integrates with your compliance risk assessment framework at three points: during vendor onboarding (pre-contract due diligence), throughout the relationship (continuous monitoring and periodic reassessment), and at termination (data return/destruction verification).
Use the Shared Assessments TPRM Framework or NIST SP 800-161 (Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations) as your assessment backbone, and ensure your vendor contracts include audit rights, compliance certification requirements, and breach notification timelines.
Key regulatory developments driving TPRM rigor in 2025–2026 include the EU Corporate Sustainability Due Diligence Directive (CSDDD), which mandates supply chain human rights and environmental due diligence; DORA (Digital Operational Resilience Act) for financial services ICT third-party risk; and updated FINRA third-party risk guidance emphasizing outsourcing oversight.
Organizations that treat TPRM as a procurement function rather than a compliance function are setting themselves up for the next wave of enforcement.
Technology’s Role: From GRC Platforms to AI-Augmented Compliance
Compliance can’t scale with spreadsheets alone. The PwC Global Compliance Survey 2025 found that 82% of firms plan to increase investment in compliance technology, while 71% believe AI will have a net positive impact on compliance operations.
The global GRC software market reflects this momentum, growing from $21 billion in 2025 to a projected $39 billion by 2031 at a 10.8% CAGR.

Figure 5: Global GRC Software Market Growth (2023–2031)
Where technology adds the most value to a compliance risk assessment framework:
| Capability | What It Replaces | Compliance Impact |
| Regulatory change management (RegTech) | Manual scanning of Federal Register, EU OJ | Reduces regulatory change backlog from weeks to hours |
| Automated control testing | Manual sample-based testing | Continuous assurance; deficiency detection in real time |
| AI-powered risk scoring | Subjective analyst judgment alone | Consistent, explainable risk ratings across business units |
| Third-party monitoring | Annual vendor questionnaires | Real-time risk signals from financial, cyber, and news data |
| Policy management platforms | Shared drives and email attestations | Version control, automated distribution, completion tracking |
| Incident management workflows | Email chains and spreadsheets | Structured triage, escalation, root cause, and closure tracking |
A word of caution on AI: Gartner projects that spending on AI governance platforms will reach $492 million in 2026 and surpass $1 billion by 2030. The EU AI Act is now in force, and organizations deploying AI in compliance processes need their own AI risk assessment framework to avoid creating new compliance risks while trying to solve existing ones.
What Compliance Leaders Are Prioritizing Right Now
The PwC Global Compliance Survey 2025, which surveyed compliance executives across industries and geographies, reveals where the profession is focusing its attention and investment.

Figure 6: Compliance Executive Priorities and Challenges — PwC Global Compliance Survey 2025
The data paints a clear picture: compliance teams are simultaneously dealing with expanding scope (90% report broader responsibilities), increasing complexity (85%), and fragmented data (63%).
Technology investment (82%) and AI adoption (71% net-positive view) are seen as the path forward. For practitioners building or refreshing a compliance risk assessment framework, these numbers validate the case for integrated GRC platforms over point solutions, and for embedding data governance into the framework design from day one.
From Blueprint to Execution: A Phased Approach
Theory without implementation is shelf-ware. The roadmap below breaks framework deployment into three phases, each with concrete deliverables and success metrics. Adjust timelines based on organizational size and existing program maturity.
| Phase | Actions | Deliverables | Success Metrics |
| Days 1–30: Foundation | Assemble cross-functional working group (compliance, legal, IT, operations). Conduct regulatory inventory. Define risk appetite and tolerance thresholds. Select GRC platform. | Regulatory obligation register. Risk appetite statement draft. RACI matrix. Platform vendor shortlist. | 100% of applicable regulations catalogued. Risk appetite approved by board. |
| Days 31–60: Assessment | Run compliance risk identification workshops. Perform inherent risk scoring. Assess existing controls (design + operating effectiveness). Identify gaps. | Compliance risk register with inherent/residual scores. Control effectiveness matrix. Gap analysis report. | All critical business units assessed. Top 10 risks ranked and owners assigned. |
| Days 61–90: Activation | Develop SMART action plans for top risks. Configure KRI dashboards. Conduct first-cycle monitoring. Draft board reporting template. Schedule annual review cycle. | KRI dashboard (live). Issues & actions register. Board risk report template. Annual review calendar. | KRI dashboard operational. First board report delivered. 100% of high-risk gaps with remediation plans. |
Where Programs Stall — And How to Unstick Them
We’ve seen compliance frameworks fail more often from execution gaps than from design flaws. The table below captures the most common failure modes and their fixes — drawn from practitioner experience and regulatory enforcement trends.
| Pitfall | Root Cause | Remedy |
| Framework exists on paper but isn’t operationalized | No named owners; no integration with business processes | Assign RACI with individuals (not departments). Embed compliance checkpoints into operational workflows. |
| Risk register is static and outdated | Annual-only assessment; no trigger-based updates | Implement continuous monitoring with KRI thresholds. Update register on regulatory change, incident, or org restructure. |
| Siloed compliance data across departments | No central GRC platform; reliance on spreadsheets and email | Invest in integrated GRC technology. 63% of firms cite data fragmentation as their top compliance barrier (PwC 2025). |
| Third-party risks ignored or under-assessed | TPRM treated as procurement, not compliance | Integrate vendor compliance into the framework lifecycle. Require pre-contract due diligence and continuous monitoring. |
| Board and senior management disengaged | Compliance reports are too operational; no decision framing | Use What/So What/Now What structure. Present risk-appetite breaches and decision items, not activity summaries. |
| Training is checkbox compliance | Generic e-learning modules; no role-specific content | Deploy scenario-based training tied to actual risk events. Track completion KRIs and link to access privileges. |
| Incident response is reactive, not planned | No incident response plan; no root cause analysis process | Develop playbooks per incident type. Conduct tabletop exercises quarterly. Log lessons learned and feed back into risk register. |
Three Shifts That Will Rewrite the Compliance Playbook
Looking ahead to 2026–2028, three forces are converging to reshape how compliance risk assessment frameworks must operate.
1. AI as both tool and risk domain. The compliance function is adopting AI for regulatory change monitoring, risk scoring, and anomaly detection. Simultaneously, AI governance regulations (EU AI Act, proposed US federal AI frameworks) are creating entirely new compliance obligations.
Organizations need dual capability: using AI for compliance and managing compliance of AI. The firms that build shadow AI risk management into their frameworks now will be ahead of the curve when enforcement catches up.
2. Cross-border regulatory fragmentation. The 767% surge in EMEA enforcement fines in 2025, combined with new frameworks like DORA, CSDDD, and the UK’s Economic Crime and Corporate Transparency Act, means compliance risk assessments must be jurisdiction-granular. A single global compliance program with “localize later” is no longer viable. Frameworks must bake in jurisdiction-specific obligation mapping, local regulatory relationship management, and cross-border data transfer controls from the start.
3. Continuous compliance replacing periodic assessment. The shift from annual compliance reviews to continuous, technology-enabled monitoring is accelerating. Real-time KRI dashboards, automated control testing, and event-driven risk reassessment are replacing the calendar-driven cycle.
Operational resilience frameworks are pushing this further, requiring organizations to demonstrate ongoing compliance through impact tolerance assessments rather than point-in-time audits.
Ready to build or refresh your compliance risk assessment framework? Visit riskpublishing.com/services for frameworks, templates, and consulting services, or explore our compliance risk assessment resources for practitioner tools you can deploy this quarter.
References
1. Fenergo — Regulatory Penalties for Global Financial Institutions Skyrocket 417% in H1 2025
2. Fenergo — Global AML Fines Research Report 2025
3. PwC — Global Compliance Survey 2025
4. KPMG — The 2025 KPMG SOX Survey
5. Secureframe — 130+ Compliance Statistics & Trends for 2026
6. ISO 37301:2021 — Compliance Management Systems
7. Mordor Intelligence — GRC Software Market Size, Share & 2031 Growth Trends
8. Gartner — Global AI Regulations Fuel Billion-Dollar Market for AI Governance Platforms
9. Hyperproof — Third-Party Risk Management Best Practices
10. FINRA — 2025 Annual Regulatory Oversight Report: Third-Party Risk
11. IBM — Cost of a Data Breach Report 2025
12. Ropes & Gray — Risk and Compliance in 2026: Six Key Themes
13. Diligent — Third-Party Risk Management in 2025
14. SCCE — Compliance Risk Assessments: An Introduction

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
