When the US Department of Justice investigated a Fortune 500 healthcare company in 2024 for HIPAA violations, prosecutors didn’t start with the incident itself. They started with the company’s compliance risk assessment.
Specifically, they asked: When was the last assessment conducted? What methodology was used? What response rate did you achieve? The company’s assessment had a 38% response rate and hadn’t been updated in 19 months. The settlement cost $18.3 million.
That scenario plays out more than most compliance officers realize. The DOJ’s Evaluation of Corporate Compliance Programs (ECCP), updated in September 2024 to address AI risk, explicitly directs prosecutors to evaluate whether an organization’s risk assessment is “current and subject to periodic review.”
A stale or poorly designed compliance risk assessment questionnaire isn’t just a missed opportunity — it’s a liability.
Yet most organizations treat the questionnaire as a formality: generic questions, annual distribution, poor response rates, and results that sit in a spreadsheet until the next audit.
| Key Takeaways |
| --- |
| A compliance risk assessment questionnaire is the primary data-collection instrument for identifying where your organization is most exposed to regulatory failure — but only if the response rate exceeds 80%. Below that threshold, you’re making strategic decisions on incomplete data. |
| The DOJ’s Evaluation of Corporate Compliance Programs (updated 2024) explicitly asks prosecutors to assess whether an organization’s risk assessment is current, risk-based, and drives downstream controls — making questionnaire design a prosecutorial evaluation criterion. |
| Non-compliance costs US businesses 2.71x more than maintaining a compliance program ($14.82M vs. $5.47M annually, Ponemon Institute), with business disruption and productivity loss accounting for over half the total. |
| Effective questionnaires cover seven domains: regulatory obligations, employee conduct, third-party risk, data privacy, financial controls, incident reporting, and emerging technology (AI, crypto) — tailored to your organization’s specific risk profile. |
| Organizations with training completion rates below 70% are 3.5x more likely to face compliance violations (Brandon Hall Group), making training coverage a critical questionnaire metric. |
| This guide includes 30+ ready-to-use sample questions organized by risk domain, response rate optimization tactics, and a DOJ-aligned scoring methodology you can deploy this quarter. |
The White & Case 2025 Global Compliance Risk Benchmarking Survey found that while 93% of compliance functions are at least moderately engaged in risk assessment, only 64% provide their boards with periodic compliance reports — suggesting a gap between collecting data and acting on it.
This guide closes that gap with a structured, DOJ-aligned approach to building questionnaires that drive decisions, not shelf-ware.

Figure 1: Compliance Risk Assessment — Key Metrics for 2025-2026
What Prosecutors Actually Evaluate in Your Risk Assessment
The DOJ’s ECCP is the single most important external reference point for compliance program design. When prosecutors evaluate whether a compliance program is effective, they assess three core questions:
(1) Is the program well-designed? (2) Is it being applied earnestly and in good faith? (3) Does it work in practice? The compliance risk assessment questionnaire sits at the foundation of all three.

Figure 2: DOJ Compliance Program Evaluation — Key Assessment Areas
Specifically, the ECCP asks prosecutors to evaluate: What methodology did the company use to identify, analyze, and address its compliance risks? Is the risk assessment current? Does it drive the company’s compliance program resources and attention?
The September 2024 update added a new emphasis on AI risk governance, whistleblower protections, and data analytics capabilities — all of which should be reflected in your questionnaire design.
So What: A well-designed questionnaire isn’t just good practice — it’s a legal defense asset. If your organization faces an enforcement action, the quality of your risk assessment process directly influences sentencing, fine calculations, and deferred prosecution agreement terms.
Now What: Align every section of your questionnaire to one of the ECCP’s evaluation pillars. When regulators ask “show us your risk assessment,” you should be able to map each question to a specific regulatory expectation.
Seven Risk Domains Every Questionnaire Must Cover
Those DOJ evaluation criteria translate directly into the domains your questionnaire needs to address.
A compliance risk assessment framework typically identifies risks across multiple categories. The questionnaire is the instrument that surfaces ground-level data from each domain. Missing a domain means missing a risk — and that gap will show up in an audit or enforcement action.

Figure 3: Recommended Questionnaire Coverage Distribution by Risk Domain
| Domain | What to Assess | Key Questionnaire Focus |
| --- | --- | --- |
| Regulatory Obligations | Currency of regulatory inventory; obligation-to-process mapping; change management lag | Do respondents know which regulations apply to their function? Is there a backlog of unaddressed regulatory changes? |
| Third-Party & Vendor Risk | Pre-contract due diligence; ongoing monitoring; subcontractor oversight gaps | Are third parties assessed before onboarding? When was the last vendor compliance review? See our TPRM guide. |
| Employee Conduct & Ethics | Code of conduct awareness; conflict of interest declarations; speak-up culture | Would employees report a concern? Do they know how? What barriers exist? |
| Data Privacy & Cybersecurity | Data classification; access controls; incident response readiness; cross-border transfers | Are data handling procedures followed? When was the last data privacy impact assessment? |
| Financial Controls | Segregation of duties; expense approval workflows; anti-corruption/FCPA exposure | Are financial controls reviewed and tested? Are high-risk transactions flagged? |
| AI & Emerging Technology | AI use inventory; algorithmic bias checks; shadow AI monitoring; crypto-related controls | Is AI being used without compliance review? Are automated decisions explainable and auditable? |
| Incident Management | Reporting channels; investigation timelines; root cause analysis; lessons-learned loops | Are incidents investigated within SLA? Are corrective actions tracked to closure? |
30+ Ready-to-Use Questions by Risk Domain
Generic questions produce generic answers. The sample questions below are specific, measurable, and designed to surface actionable risk data — not tick-box confirmations. Adapt them to your organization’s risk taxonomy and industry context.
Regulatory Awareness and Obligations
| # | Question |
| --- | --- |
| 1 | Can you identify the three most significant regulations that apply to your business unit? If yes, list them. |
| 2 | Have any new regulations or regulatory changes affected your operations in the past 12 months? Describe the impact. |
| 3 | Is there a documented process for tracking regulatory changes relevant to your function? Rate its effectiveness (1-5). |
| 4 | When was the last time your regulatory obligation register was reviewed and updated? |
| 5 | Have you received any regulatory inquiries, warnings, or notices in the past 24 months? |
Third-Party and Vendor Compliance
| # | Question |
| --- | --- |
| 6 | What due diligence is performed on third parties before contract execution? Describe the process. |
| 7 | How frequently are critical vendors reassessed for compliance risk? (Annually / Semi-annually / Ad hoc / Never) |
| 8 | Do vendor contracts include compliance certification requirements, audit rights, and breach notification clauses? |
| 9 | Have any third-party incidents (data breaches, regulatory violations, business disruptions) affected your operations in the past 12 months? |
| 10 | How many fourth-party (subcontractor) relationships do your critical vendors maintain, and what visibility do you have into their compliance? |
Employee Conduct and Ethics
| # | Question |
| --- | --- |
| 11 | What percentage of your team completed the annual compliance training program? (Provide exact figure) |
| 12 | Would you feel comfortable reporting a compliance concern through existing channels? If not, what barriers exist? |
| 13 | Are conflict-of-interest declarations collected and reviewed at least annually? |
| 14 | Describe a situation where a compliance concern was raised in your team. How was it handled? |
| 15 | How are new hires onboarded on compliance policies relevant to their role? |
Data Privacy and Cybersecurity
| # | Question |
| --- | --- |
| 16 | Does your business unit process personally identifiable information (PII)? If yes, is a data privacy impact assessment (DPIA) in place? |
| 17 | Are data access permissions reviewed and updated at least quarterly? |
| 18 | How quickly could your team detect and report a data breach? (Hours / Days / Weeks / Unsure) |
| 19 | Are cross-border data transfers documented with appropriate safeguards (SCCs, BCRs, adequacy decisions)? |
| 20 | When was your last cybersecurity awareness exercise (phishing simulation, tabletop, etc.)? |
Financial Controls and Anti-Corruption
| # | Question |
| --- | --- |
| 21 | Are segregation-of-duties controls in place for all high-value financial transactions? |
| 22 | Is there a documented process for approving gifts, hospitality, and entertainment expenditures? |
| 23 | Have any unusual or suspicious financial transactions been flagged in the past 12 months? How were they resolved? |
| 24 | Are expense reports reviewed by someone independent of the submitter? |
| 25 | How are FCPA/anti-bribery compliance requirements communicated to employees in high-risk jurisdictions? |
AI and Emerging Technology Risk
| # | Question |
| --- | --- |
| 26 | Does your business unit use any AI or machine learning tools (including generative AI)? List them. |
| 27 | Have these AI tools been assessed for bias, explainability, and compliance with the EU AI Act or equivalent regulations? |
| 28 | Are there controls in place to prevent shadow AI (unauthorized AI tool usage by employees)? |
| 29 | How are automated decisions reviewed for accuracy and fairness? |
| 30 | Does your unit use cryptocurrency, blockchain, or digital asset technologies? If yes, what compliance controls exist? |
The Response Rate Problem (And How to Solve It)
Here’s the uncomfortable truth about most compliance risk assessments: they’re built on incomplete data. When only 40% of stakeholders respond to a compliance questionnaire, you’re making risk-prioritization decisions based on less than half the picture.
Brandon Hall Group research found that organizations with training completion rates below 70% are 3.5 times more likely to face compliance violations — and questionnaire response rates follow a similar pattern.

Figure 4: Why Response Rate Matters — Data Confidence vs. Risk Detection
Best-in-class programs push questionnaire response rates above 85%, giving them a comprehensive view of their risk landscape. The table below outlines specific tactics to move from typical (40–60%) to target (80%+) response rates.
| Tactic | How to Implement | Expected Impact |
| --- | --- | --- |
| Executive sponsorship | CEO or CCO sends the introductory email. Frame it as a business priority, not a compliance ask. | +15-20% response rate. People respond to authority signals. |
| Brevity over breadth | Cap the questionnaire at 25-35 questions. Use conditional logic to skip irrelevant sections. | +10-15%. Shorter surveys complete faster. |
| Role-specific tailoring | Different question sets for operations, finance, IT, legal. Generic questions get generic answers. | +10-12%. Relevance drives engagement. |
| Deadline with accountability | Set a 10-business-day deadline. Send reminders at day 5 and day 8. Escalate non-responders to line managers. | +8-10%. Accountability converts procrastinators. |
| Demonstrate action on results | Share a summary of last year’s results and the actions taken. People participate when they see outcomes. | +12-15%. “You said, we did” builds trust. |
| Anonymous option for sensitive areas | Allow anonymous responses for conduct and ethics questions. Named responses for operational questions. | +5-8% on sensitive domains specifically. |
From Answers to Action: Scoring and Prioritization
Collecting data is the easy part. The hard part is converting questionnaire responses into a prioritized risk register that drives resource allocation.
Use the scoring methodology below — aligned to ISO 31000 and COSO ERM principles — to translate qualitative survey responses into quantified risk scores.
Step 1: Convert Responses to Risk Indicators
Map each question response to a risk indicator. Binary questions (Yes/No) score directly. Scale questions (1-5) map to likelihood or impact.
Open-ended responses are coded by themes and frequency. Feed the scored responses into your risk register as evidence supporting the inherent risk rating.
Step 2: Apply the 5×5 Risk Matrix
Score each risk domain on likelihood (1-5) and impact (1-5) using the risk assessment matrix. Multiply to get the inherent risk score (1-25).
Then assess control effectiveness to derive the residual risk score. Control effectiveness = ROUND((Residual / Inherent) × 5, 0), where 1 = highly effective and 5 = ineffective.
| Impact ↓ / Likelihood → | 1 – Rare | 2 – Unlikely | 3 – Possible | 4 – Likely | 5 – Almost Certain |
| --- | --- | --- | --- | --- | --- |
| 5 – Catastrophic | 5 (Medium) | 10 (Medium) | 15 (High) | 20 (Critical) | 25 (Critical) |
| 4 – Major | 4 (Low) | 8 (Medium) | 12 (High) | 16 (High) | 20 (Critical) |
| 3 – Moderate | 3 (Low) | 6 (Medium) | 9 (Medium) | 12 (High) | 15 (High) |
| 2 – Minor | 2 (Low) | 4 (Low) | 6 (Medium) | 8 (Medium) | 10 (Medium) |
| 1 – Insignificant | 1 (Low) | 2 (Low) | 3 (Low) | 4 (Low) | 5 (Medium) |
Step 3: Prioritize and Assign Owners
Rank risks by residual score. The top 10 become your priority action list. Each risk needs a named owner (not a department), SMART actions, due dates, and evidence-of-closure criteria.
Feed into your risk treatment plan and track through an issues-and-actions register. Report the top risks to the board risk committee with red/amber/green status and recommended decisions.
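The three steps above carried through in working code, as an added example rather than the article's own tooling. It assumes a domain's likelihood is the rounded mean of its question indicators, that the assessor supplies impact and residual scores, and that the ROUND formula rounds halves up as a spreadsheet does; the sample questions are taken from the lists above, while the answers, impacts, residuals and owners are constructed.

```python
"""Steps 1-3 of the article's scoring methodology as working code (added example, not the
article's own tool). Assumed: a domain's likelihood is the rounded mean of its question
indicators, the assessor supplies impact and residual scores, every row has a named owner."""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

def round_half_up(value: Decimal) -> int:
    """Spreadsheet-style ROUND(x, 0). Python's round() is half-to-even (2.5 -> 2); here 2.5 -> 3."""
    return int(value.quantize(Decimal(1), rounding=ROUND_HALF_UP))

@dataclass(frozen=True)
class Question:
    qid: int
    domain: str
    kind: str            # "yes_no" | "scale" | "choice"
    options: tuple = ()  # yes_no: (risky_answer,); choice: answers ordered least -> most risky

def indicator(q: Question, answer: str) -> int:
    """Step 1: map one response to a 1-5 likelihood indicator (5 = most exposed)."""
    a = answer.strip().lower()
    if q.kind == "yes_no":                 # binary questions score directly
        return 5 if a == q.options[0].lower() else 1
    if q.kind == "scale":                  # respondent rated a control 1-5 (5 = effective); invert
        if not 1 <= int(a) <= 5:
            raise ValueError(f"Q{q.qid}: scale answer must be 1-5, got {answer!r}")
        return 6 - int(a)
    if q.kind == "choice":                 # spread the ordered options evenly over 1-5
        opts = [o.lower() for o in q.options]  # .index() raises ValueError on an unknown answer
        return 1 + round_half_up(Decimal(opts.index(a) * 4) / Decimal(len(opts) - 1))
    raise ValueError(f"Q{q.qid}: unknown question kind {q.kind!r}")

def domain_likelihood(domain: str, questions, responses: dict) -> int:
    """Aggregate every answer to a domain's questions into one 1-5 likelihood (rounded mean)."""
    vals = [indicator(q, a) for q in questions if q.domain == domain for a in responses.get(q.qid, [])]
    if not vals:
        raise ValueError(f"no responses for domain {domain!r}")
    return round_half_up(Decimal(sum(vals)) / Decimal(len(vals)))

def rating(score: int) -> str:
    """Bands read off the article's 5x5 matrix: 1-4 Low, 5-10 Medium, 12-16 High, 20-25 Critical."""
    return "Critical" if score >= 20 else "High" if score >= 12 else "Medium" if score >= 5 else "Low"

def inherent_score(likelihood: int, impact: int) -> int:
    """Step 2: likelihood x impact on the 5x5 matrix (1-25)."""
    for v in (likelihood, impact):
        if not 1 <= v <= 5:
            raise ValueError(f"likelihood and impact must be 1-5, got {v}")
    return likelihood * impact

def control_effectiveness(residual: int, inherent: int) -> int:
    """ROUND((Residual / Inherent) x 5, 0): 1 = highly effective, 5 = ineffective.
    Residual above inherent is a data-entry error; residual 0 would read 0, so clamp to 1-5."""
    if not 0 <= residual <= inherent:
        raise ValueError("residual must lie between 0 and the inherent score")
    return max(1, min(5, round_half_up(Decimal(residual) / Decimal(inherent) * 5)))

def build_register(questions, responses, impact, residual, owner):
    """Step 3: one row per domain, ranked by residual score, each with a named owner."""
    rows = []
    for domain in sorted({q.domain for q in questions}):
        if not owner.get(domain, "").strip():
            raise ValueError(f"{domain}: every risk needs a named owner, not a department")
        lik, imp, res = domain_likelihood(domain, questions, responses), impact[domain], residual[domain]
        inh = inherent_score(lik, imp)
        rows.append({"domain": domain, "likelihood": lik, "impact": imp, "inherent": inh,
                     "inherent_rating": rating(inh), "residual": res, "residual_rating": rating(res),
                     "control_effectiveness": control_effectiveness(res, inh), "owner": owner[domain]})
    return sorted(rows, key=lambda r: (r["residual"], r["inherent"]), reverse=True)

# Constructed sample: four of the article's questions (Q7, Q8, Q17, Q18) answered by three respondents.
# Q7's options are reordered least -> most risky; impact, residual and owner are assessor inputs.
TP, DP = "Third-Party & Vendor Risk", "Data Privacy & Cybersecurity"
QUESTIONS = (Question(7, TP, "choice", ("Semi-annually", "Annually", "Ad hoc", "Never")),
             Question(8, TP, "yes_no", ("No",)), Question(17, DP, "yes_no", ("No",)),
             Question(18, DP, "choice", ("Hours", "Days", "Weeks", "Unsure")))
RESPONSES = {7: ["Annually", "Ad hoc", "Never"], 8: ["Yes", "No", "No"],
             17: ["Yes", "Yes", "No"], 18: ["Days", "Hours", "Days"]}
IMPACT = {TP: 4, DP: 5}
RESIDUAL = {TP: 12, DP: 4}
OWNER = {TP: "J. Doe (Head of Procurement)", DP: "A. Lee (Data Protection Officer)"}

if __name__ == "__main__":
    for row in build_register(QUESTIONS, RESPONSES, IMPACT, RESIDUAL, OWNER): print(row)
```

Running the sample ranks Third-Party & Vendor Risk (inherent 16, High; residual 12; control effectiveness 4) above Data Privacy & Cybersecurity (inherent 10, Medium; residual 4; control effectiveness 2), which is the order the top-10 list in Step 3 would take.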
The Business Case: Where Your Program Stands and What’s at Stake
Only 25% of organizations have reached a “Measured” or “Optimized” compliance program maturity level, according to NAVEX’s 2025 State of Risk & Compliance survey.
The majority remain at “Defined” or “Managed” stages — meaning they have policies and processes, but lack the data-driven measurement and continuous improvement that distinguish strong programs from adequate ones.

Figure 5: Compliance Program Maturity Distribution — Where Organizations Stand in 2025
The financial consequences of staying at lower maturity levels are quantifiable. Ponemon Institute research shows that non-compliance costs US businesses an average of $14.82 million annually — 2.71 times the cost of building and maintaining an effective compliance program.

Figure 6: Anatomy of Non-Compliance Costs — Where the $14.82M Goes
Business disruption ($4.12M) and productivity loss ($3.28M) together account for half the total cost — not fines, which many executives assume dominate.
This means a well-designed compliance risk assessment questionnaire doesn’t just prevent penalties; it prevents the operational paralysis that follows a compliance failure.
Every hour your team spends responding to a regulatory inquiry, restating financials, or managing a data breach investigation is an hour not spent on revenue-generating activity.
The Practitioner’s Toolkit: Technology That Scales Assessment
Spreadsheet-based questionnaires work for small organizations with straightforward regulatory obligations.
They fail at scale. Once you’re managing 100+ respondents across multiple business units and jurisdictions, the data aggregation, gap analysis, and reporting overhead makes manual processes unsustainable.
The PwC Global Compliance Survey 2025 found that 82% of compliance executives plan to increase technology investment, driven by exactly this scaling challenge.
| Tool Category | What It Does for Questionnaire Processes | When to Invest |
| --- | --- | --- |
| GRC Platforms (ServiceNow, MetricStream, Archer) | Centralized questionnaire distribution, automated scoring, integrated risk register, real-time dashboards | When you exceed 200 respondents or operate in 3+ regulatory jurisdictions |
| Survey/Workflow Tools (Microsoft Forms, Qualtrics) | Low-cost questionnaire distribution with conditional logic and basic analytics | Immediate — good starting point for organizations building their first program |
| RegTech Solutions (Ascent, Cube) | Automated regulatory change tracking that feeds directly into questionnaire updates | When your regulatory obligation register exceeds 100 items |
| AI-Powered Analytics | Pattern detection in open-ended responses; anomaly flagging across respondent cohorts | When you need to scale analysis of qualitative data from 500+ respondents |
| Continuous Monitoring Platforms | Real-time control effectiveness data that supplements periodic questionnaire results | When moving from periodic to continuous compliance assessment |
Regardless of platform, integrate your questionnaire results with your KRI dashboard. Map questionnaire findings to key risk indicators with leading and lagging metrics so the board sees a single, integrated risk picture rather than disconnected compliance data points.
Getting from Zero to Operational in One Quarter
Whether you’re building a compliance risk assessment questionnaire from scratch or overhauling an existing one, the roadmap below breaks deployment into three phases with concrete deliverables.
| Phase | Actions | Deliverables | Success Metrics |
| --- | --- | --- | --- |
| Days 1–30: Design | Map DOJ ECCP pillars to questionnaire domains. Draft 25–35 questions per respondent group. Pilot with 10–15 stakeholders. Refine wording based on pilot feedback. | Draft questionnaire. Pilot results report. Stakeholder communication plan. | Pilot response rate >90%. Average completion time <20 minutes. |
| Days 31–60: Deploy | Distribute questionnaire with executive sponsorship. Run reminder cadence (Day 5, Day 8). Escalate non-responders. Begin scoring as responses arrive. | Completed questionnaires. Raw data file. Preliminary risk scores by domain. | Response rate >80%. All seven risk domains covered. |
| Days 61–90: Act | Finalize risk scoring. Populate risk register with questionnaire evidence. Build top-10 priority action list. Present findings to board/risk committee. | Scored risk register. Board risk report. SMART action plans for top 10 risks. Annual assessment calendar. | Board report delivered. 100% of high risks have named owners and due dates. |
What Goes Wrong — And the Fixes That Actually Work
We’ve reviewed hundreds of compliance risk assessments across industries. The failure modes are remarkably consistent — and almost always relate to execution, not design.
| Pitfall | Root Cause | Remedy |
| --- | --- | --- |
| Low response rate (<50%) | No executive sponsorship; generic messaging; too long (50+ questions); no demonstrated action on past results | CCO-signed distribution. Cap at 35 questions. Share prior-year outcomes. Set hard deadline with escalation. |
| Generic questions that produce useless data | Copy-pasted template not tailored to organization’s risk profile or industry | Map every question to a specific risk domain and ECCP evaluation pillar. Use role-specific versions. |
| Results sit in a spreadsheet with no follow-through | No scoring methodology; no owner for converting findings to actions; no board reporting | Implement the 5×5 scoring matrix above. Assign a risk owner per domain. Include in quarterly board report. |
| Annual cadence misses emerging risks | Calendar-driven process with no trigger-based updates | Supplement the annual full assessment with event-triggered mini-assessments (regulatory change, incident, M&A). |
| Third-party risks excluded or under-assessed | Questionnaire sent internally only; vendor compliance treated as a procurement task | Include third-party risk questions. Send abbreviated questionnaires to critical vendors. See our TPRM guide. |
| AI and emerging tech blind spots | Questionnaire designed pre-2023; no questions on generative AI, shadow AI, or crypto | Add an AI/emerging tech domain per the DOJ’s September 2024 ECCP update. Update annually. |
| No anonymity option kills honest reporting | All responses attributed; employees self-censor on conduct and ethics questions | Allow anonymous responses for sensitive domains. Track anonymity rates as a speak-up culture KRI. |
FAQ Section: Compliance Risk Assessment Questionnaire
How often should you run a compliance risk assessment questionnaire?
Most US programs run a full compliance risk assessment questionnaire annually with a quarterly delta refresh on top. In practice, the cadence that survives audit committee scrutiny is event-driven, not calendar-driven.
Material rule changes (the SEC cybersecurity disclosure rule, the EU AI Act), M&A activity, or a control breach all warrant an out-of-cycle refresh. Calendars are how programs lapse. Triggers are how they stay current.
Should a compliance risk assessment questionnaire vary by regulator?
Yes — and most US programs that try to run a single one-size-fits-all compliance risk assessment questionnaire find that out the hard way.
A FINRA broker-dealer needs different questions than a HIPAA-covered healthcare entity, and an OCC heightened-standards bank carries supervision expectations a SaaS firm never sees.
The smarter pattern is one core questionnaire plus regulator-specific modules layered on top — SEC, FDA, FinCEN, OCC — that share scoring but not scope.
What coverage rate does a compliance risk assessment questionnaire need to be defensible?
The 80% response-rate threshold most teams cite is a floor, not a target. For high-risk populations — control owners, second-line risk staff, executives signing certifications — anything below 95% should trigger escalation.
Sample-size logic from internal audit applies: weight your compliance risk assessment questionnaire by exposure, not headcount.
A 60% response rate from finance leadership tells regulators more about the program than a 100% response from interns.
When should a compliance risk assessment questionnaire be replaced or supplemented by interviews?
Questionnaires are great at coverage and bad at nuance. Once a domain shows up amber or red on the matrix, swap survey instruments for structured interviews and facilitated workshops.
The DOJ Evaluation of Corporate Compliance Programs (ECCP) explicitly rewards evidence of how risks were probed — and a compliance risk assessment questionnaire alone rarely earns that credit.
Hybrid programs run roughly 80% questionnaire and 20% interview, but the 20% does the heavy lifting.
What does a board-ready output from a compliance risk assessment questionnaire look like?
Board-ready output from a compliance risk assessment questionnaire usually runs five pages: a domain heat map, the top-10 residual risks with owners, a control-deficiency tracker, a regulatory-change log, and an emerging-risk watchlist.
Audit committees want trend lines, not snapshots. Programs that report breach history and remediation status next to each score consistently get faster approvals on resource asks.
One-time risk reports, however polished, almost never earn that credibility past a second board meeting.
Is a compliance risk assessment questionnaire protected by attorney-client privilege?
Sometimes — and the difference matters when a regulator subpoenas the file. A compliance risk assessment questionnaire run at the direction of in-house or outside counsel for the purpose of legal advice can fall under attorney-client privilege and work-product protection.
Run it through compliance alone and the file is usually discoverable. US programs of any scale now structure the engagement letter, document marking, and distribution list to preserve privilege from day one. DOJ guidance on cooperation rewards the discipline.
How should a compliance risk assessment questionnaire treat third parties and fourth parties?
Third-party scope is where most compliance risk assessment questionnaire programs underbuild. Vendors handling FCI, CUI, regulated data, or critical operations belong in the same scope as internal control owners — not as an afterthought.
Fourth-party visibility (your vendor’s vendors) is harder, but the Verizon 2025 DBIR found third-party involvement in breaches doubled to 30%, and the SEC and OCC now treat third-party concentration as material.
Critical fourth parties should produce attestation evidence, not just contractual assurance.
What AI-specific questions belong in a 2026 compliance risk assessment questionnaire?
A 2026 compliance risk assessment questionnaire should carry a discrete AI module covering inventory completeness, model classification, EU AI Act conformity status, training-data lineage, hallucination thresholds, and post-market monitoring.
The NIST AI RMF gives the methodology; the EU AI Act and Colorado’s AI Act give the deadlines.
Programs that fold AI into the existing IT-risk section tend to under-capture the obligations — AI now warrants its own row on the risk register.
Where the Profession Is Heading — And How to Get Ahead
Three trends are reshaping how compliance risk assessment questionnaires will need to evolve over 2026–2028.
1. Continuous assessment replacing annual surveys. The shift from once-a-year questionnaires to continuous, technology-enabled data collection is accelerating.
Organizations are embedding compliance pulse checks into operational workflows — a three-question micro-survey after every vendor onboarding, a monthly control-effectiveness check for high-risk processes, a real-time regulatory change acknowledgment workflow.
The annual comprehensive questionnaire remains the backbone, but it’s supplemented by a stream of ongoing data that keeps the risk register current between full cycles.
2. AI-powered analysis of qualitative responses. Open-ended questions produce the richest risk intelligence, but analyzing 500+ narrative responses manually is impractical.
Natural language processing is now being applied to code themes, detect sentiment shifts, flag emerging risks, and identify outlier responses that warrant investigation.
The PwC survey found 71% of compliance leaders believe AI will have a net positive impact on their function — and questionnaire analysis is one of the most immediate, low-risk applications.
3. Cross-functional integration with enterprise risk management. Compliance risk assessment questionnaires are converging with operational risk assessments, IT risk reviews, and business continuity assessments into integrated GRC frameworks.
The organizations that still run compliance, cyber, and operational risk assessments as separate, siloed exercises are duplicating effort and missing the interconnections between risk domains. Integrated questionnaires that feed a single enterprise risk management framework are the direction of travel.
Ready to build or refresh your compliance risk assessment questionnaire? Visit riskpublishing.com/services for templates, frameworks, and consulting services, or explore our compliance risk assessment guide and risk assessment process resources to get started.
References
1. DOJ — Evaluation of Corporate Compliance Programs (Updated September 2024)
2. White & Case — 2025 Global Compliance Risk Benchmarking Survey
3. NAVEX — 2025 State of Risk & Compliance Statistics
4. PwC — Global Compliance Survey 2025
5. Secureframe — 130+ Compliance Statistics & Trends for 2026
6. Ethico — DOJ Compliance Program Evaluation Criteria 2025
7. Covington — DOJ Updates Guidance for Evaluation of Corporate Compliance Programs
8. Harvard Law School Forum — Key Updates to the DOJ ECCP
9. Absorb LMS — Compliance Training KPIs by Maturity Stage
10. MetricStream — GRC in 2025: Essential Survey Insights
11. Ethico — Compliance Program Effectiveness Metrics for the Board
12. Corporate Compliance Insights — How to Use the DOJ’s ECCP
13. SCCE — Compliance Risk Assessments: An Introduction
14. ISO 37301:2021 — Compliance Management Systems

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.