A Step-by-Step Compliance Risk Assessment Framework with 5×5 Scoring Matrix, US Regulatory Mapping (OCC, SEC, CFPB, OFAC, FinCEN), Worked Risk Register, and Remediation Tracking
US regulators collected over $6 billion in financial institution fines in 2023 — and that figure excludes the cost of consent order remediation programs, internal investigations, and reputational fallout. Most of those penalties were not caused by a failure to know the rules.
They were caused by a failure to systematically identify regulatory exposure, score it against likelihood and impact, and close the gaps before an examiner arrived.
That is what a compliance risk assessment framework is designed to prevent.
This guide gives you a complete, practitioner-ready methodology: a six-step process, a 5×5 scoring matrix calibrated to US regulatory consequences, a compliance universe covering OCC, SEC, CFPB, OFAC, FinCEN, HIPAA, and more, a worked risk register with 10 real examples, a remediation tracking template, and a 90-day implementation roadmap.
1. What Is a Compliance Risk Assessment and Why Does It Matter?
A compliance risk assessment is a structured, evidence-based process for identifying the regulatory and legal obligations applicable to your organization, evaluating how likely you are to fall short of those obligations and what the consequences would be, and prioritizing your compliance effort accordingly.
It is the analytical core of your compliance program — the document that tells you where to focus, what to fix first, and how to demonstrate to regulators that your program is risk-based rather than reactive.
Most organizations carry compliance obligations they are not fully aware of, particularly after expanding into new products, markets, or business lines without a systematic regulatory mapping exercise.
A bank that launches a buy-now-pay-later product without re-running its compliance risk assessment may not immediately recognize it has acquired CFPB TILA exposure it did not previously carry.
A healthcare system that acquires a physician practice inherits HIPAA obligations that may differ from its hospital operations.
The compliance risk assessment is the mechanism that catches these gaps before a regulator does.
Before working through the framework, it helps to be clear on what compliance risk is and what it is not. The table below draws the key distinctions.
| Risk Type | Primary Source | Consequence if Ignored |
|---|---|---|
| Compliance Risk | Failure to meet laws, regulations, rules, or codes of conduct | Fines, sanctions, license revocation, consent orders, reputational damage |
| Legal Risk | Contractual disputes, litigation, or unenforced legal rights | Financial judgments, litigation costs, settlement obligations |
| Operational Risk | Failures in people, processes, systems, or external events | Service disruption, financial loss, operational breakdowns |
| Reputational Risk | Negative perception by customers, regulators, or the public | Loss of clients, reduced market access, talent attrition |
| Strategic Risk | Poor strategic decisions or competitive dynamics | Revenue decline, market share loss, failed business model |
Table 1: Compliance Risk vs. Related Risk Types — Key Distinctions
Compliance risk sits at the intersection of legal, operational, and reputational risk. Because the external reference point — the specific rule — is largely fixed and measurable, it is amenable to a rigorous scoring methodology.
For the relationship between compliance risk and your broader enterprise risk program, see our guides on enterprise risk management frameworks and the three lines model, which places compliance squarely in the second line of oversight.
2. The Six-Step Compliance Risk Assessment Framework
The framework below draws on ISO 31000:2018 Clause 6 and COSO ERM 2017 Component 3 (Performance), adapted specifically for regulatory and compliance risk.
It moves from universe building through to monitoring and reporting, and produces outputs that regulators recognize as evidence of a mature, risk-based compliance program.
Step 1: Define the Compliance Universe
Before you can assess compliance risk you need to know what laws, regulations, rules, supervisory expectations, and codes of conduct apply to your organization.
Most compliance programs have gaps in their universe mapping — particularly in stable areas no longer top of mind, obligations picked up through M&A activity, and emerging regulatory guidance not yet codified into formal rules.
Build the universe starting with your primary federal regulator and working outward to secondary regulators, state agencies, and voluntary standards.
A practical shortcut: most primary US regulators publish examination manuals that spell out exactly what they will assess. The OCC Comptroller’s Handbook covers 70+ booklets by activity and risk type.
The CFPB Supervision and Examination Manual provides detailed procedures for every consumer finance rule the CFPB enforces. These documents are your compliance universe map.
Step 2: Identify Compliance Risks
With the universe mapped, identify the specific compliance risks — the ways your organization could fail to meet each obligation. A compliance risk is not just a rule; it is a specific gap or scenario where you might fall short.
For BSA/AML, the risk might be ‘inadequate beneficial ownership documentation for legal entity customers.’
The best sources are: peer enforcement actions from CFPB, SEC, OCC, and FinCEN databases; internal audit findings from the last three years; regulatory change logs; and structured interviews with first-line business units.
Step 3: Score Inherent Risk Using the 5×5 Matrix
Inherent risk is the risk before any controls are applied. Scoring on a 5×5 likelihood-by-impact matrix gives you a baseline you then adjust for control effectiveness to reach residual risk.
The scales below are calibrated specifically to US regulatory consequences — penalty thresholds differ significantly from operational risk scoring.
| Score | Probability | Indicator |
|---|---|---|
| 5 — Almost Certain | > 75% | Breach already occurring or regulator has issued a finding |
| 4 — Likely | 50–75% | Gap exists; peer enforcement action in last 12 months; regulator attention signaled |
| 3 — Possible | 25–50% | Control gaps in last audit; guidance recently updated; exam scheduled |
| 2 — Unlikely | 10–25% | Controls largely effective; minor gaps; no recent regulatory activity |
| 1 — Rare | < 10% | Robust controls; no identified gaps; area not an active regulatory focus |
Table 2a: Likelihood Scoring Scale — Calibrated to US Regulatory Context
| Score | Definition — Financial, Regulatory, and Reputational Consequence |
|---|---|
| 5 — Catastrophic | > $50M fine or license revocation; criminal referral; systemic enforcement action |
| 4 — Major | $10M–$50M fine; consent order; mandatory remediation program; senior management accountability |
| 3 — Moderate | $1M–$10M fine; supervisory letter; formal corrective action plan required |
| 2 — Minor | < $1M fine; informal supervisory feedback; management letter comment |
| 1 — Negligible | No direct penalty; internal self-identified gap; voluntary remediation |
Table 2b: Impact Scoring Scale — Financial, Regulatory, and Reputational Consequences
Inherent risk score = Likelihood x Impact. A BSA/AML CDD gap with likelihood 4 (OCC flagged CDD deficiencies at peer banks in the last 12 months) and impact 5 (large bank with FinCEN penalties historically in nine figures) gives an inherent risk score of 20 — before any control consideration.
Step 4: Assess Control Effectiveness and Calculate Residual Risk
Control effectiveness assessment is where many compliance risk assessments fall short. The temptation is to document the existence of a control and call the risk mitigated. Regulators do not assess the existence of policies — they assess whether controls operate effectively.
Rate each control: Effective (reduces inherent score by 40–60%), Partially Effective (20–40%), or Ineffective (0–20%). Residual score = Inherent score x (1 – Control Effectiveness Reduction). A BSA/AML inherent score of 20 with a partially effective control at 30% reduction gives residual risk of 14 — still High and requiring priority remediation.
| Risk Score (L x I) | Required Action |
|---|---|
| 1–4 Low | Accept or monitor. No immediate action. Include in next annual review cycle. |
| 5–9 Medium | Management attention required. Remediation plan within 60 days. Assign named owner. |
| 10–14 High | Priority remediation within 30 days. Escalate to Compliance Committee or CCO. |
| 15–25 Critical | Immediate Board/Audit Committee escalation. Stop-the-line protocols. Consider regulatory notification. |
Table 3: Compliance Residual Risk — Required Action by Score Range
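The scoring in Steps 3 and 4 is simple enough to do by hand once, but a register scored by hand across dozens of rows drifts: one assessor gives a “Partially Effective” control a 55% reduction, another forgets that residual 14 is still High. The block below is an added example (not code from the original article) that encodes Tables 2a, 2b and 3 and the Step 4 residual formula as data and checks, so every row is scored the same way. Two things in it are assumptions of the example rather than statements on the page: residual scores are rounded up (so a control can never round a risk down into a lower band), and the control ratings assigned to the three sample rows are illustrative.

```python
from dataclasses import dataclass

# Added example, not part of the original article. Encodes the page's Table 2a/2b
# scales, the Step 4 residual formula and the Table 3 action bands. Rounding the
# residual score UP is an assumption of this example; the page states no rule.

# Step 4 control ratings: allowed reduction of the inherent score, in whole percent.
CONTROL_RANGES = {
    "Effective": (40, 60),
    "Partially Effective": (20, 40),
    "Ineffective": (0, 20),
}

# Table 3: inclusive score ranges with the required action.
BANDS = (
    (1, 4, "Low", "Accept or monitor; include in next annual review cycle"),
    (5, 9, "Medium", "Remediation plan within 60 days; assign named owner"),
    (10, 14, "High", "Priority remediation within 30 days; escalate to Compliance Committee or CCO"),
    (15, 25, "Critical", "Immediate Board/Audit Committee escalation; consider regulatory notification"),
)


@dataclass(frozen=True)
class ComplianceRisk:
    name: str
    likelihood: int        # 1-5 per Table 2a
    impact: int            # 1-5 per Table 2b
    control_rating: str    # key of CONTROL_RANGES
    reduction_pct: int     # percent of the inherent score the control removes


def inherent_score(risk: ComplianceRisk) -> int:
    """Likelihood x Impact on the 5x5 matrix (Step 3)."""
    for label, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.name}: {label} must be 1-5, got {value}")
    return risk.likelihood * risk.impact


def residual_score(risk: ComplianceRisk) -> int:
    """Inherent x (1 - reduction), with the reduction forced inside its rating's range.

    Rejecting a 'Partially Effective' control that claims a 55% reduction is the
    point: the rating and the number must tell the same story.
    """
    low, high = CONTROL_RANGES[risk.control_rating]
    if not low <= risk.reduction_pct <= high:
        raise ValueError(
            f"{risk.name}: {risk.control_rating} allows {low}-{high}% reduction, "
            f"got {risk.reduction_pct}%")
    inherent = inherent_score(risk)
    # integer ceiling division keeps the arithmetic exact and rounds up
    return (inherent * (100 - risk.reduction_pct) + 99) // 100


def band(score: int):
    """Map a score to its Table 3 band and required action."""
    for low, high, label, action in BANDS:
        if low <= score <= high:
            return label, action
    raise ValueError(f"score {score} outside 1-25")


def score_register(risks):
    """Score every risk and order the register with the highest residual first."""
    rows = []
    for risk in risks:
        inherent = inherent_score(risk)
        residual = residual_score(risk)
        label, action = band(residual)
        rows.append({"risk": risk.name, "inherent": inherent, "residual": residual,
                     "band": label, "action": action, "control": risk.control_rating})
    return sorted(rows, key=lambda row: (-row["residual"], -row["inherent"]))


# Constructed inputs: three rows from Table 5 with assumed control ratings.
SAMPLE_REGISTER = [
    ComplianceRisk("BSA/AML CDD gap", 4, 5, "Partially Effective", 30),
    ComplianceRisk("OFAC SDN screening", 3, 5, "Ineffective", 10),
    ComplianceRisk("FINRA 3310 AML testing", 2, 4, "Effective", 50),
]

if __name__ == "__main__":
    for row in score_register(SAMPLE_REGISTER):
        print(f"{row['risk']:24} inherent={row['inherent']:2} residual={row['residual']:2} "
              f"{row['band']:8} -> {row['action']}")
```

Running it reproduces the worked figures in Step 4 (inherent 20, 30% reduction, residual 14, High) and shows why the range check matters: an OFAC screening control rated Ineffective with a 10% reduction leaves a score-15 risk at 14, one point below Critical, which is exactly the kind of boundary an examiner will ask you to justify.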
Step 5: Develop Remediation Plans
Every compliance risk rated Medium or above needs a documented remediation plan with a specific action, a named owner, a target completion date, and measurable evidence of closure.
The plan is not a vague intent to ‘improve controls.’ For Critical risks, regulators expect immediate escalation to the Board, a root cause analysis, and real-time monitoring of remediation progress.
For High risks, a 30-day remediation window with monthly progress reporting to the Compliance Committee is standard practice.
Step 6: Monitor, Report, and Update
Build a monitoring cadence: quarterly risk register updates, annual full reassessment, and triggered updates for material regulatory changes, new business activities, or significant peer enforcement actions.
The board-level output — a compliance risk report with RAG ratings, trend analysis, and remediation status — is what demonstrates to regulators a functioning, risk-based program.
For techniques to translate compliance risk scores into financial exposure estimates, see our post on risk quantification for boards.
3. US Regulatory Mapping: Building Your Compliance Universe
The table below maps the primary US regulatory frameworks by sector with their key rules and enforcement consequences.
Use this as your universe-building starting point. Organizations operating across multiple sectors carry overlapping obligations that must be explicitly addressed in the risk register.
| Sector | Regulator | Key Rule / Citation | Primary Compliance Areas | Penalty / Consequence |
|---|---|---|---|---|
| Banking | OCC | 12 USC 1; OCC Heightened Standards | Capital adequacy, BSA/AML, CRA, third-party risk | Consent orders, CMPs, license revocation |
| Banking | Federal Reserve | BHC Act; Reg Y; SR Letters | Capital planning, CCAR/DFAST, model risk, governance | MRAs, cease and desist, enforcement actions |
| Banking | FDIC | Federal Deposit Insurance Act; Part 364 | Safety and soundness, deposit insurance, consumer protection | CMPs, prohibition orders, memoranda of understanding |
| Securities | SEC | Securities Act 1933; Exchange Act 1934 | Registration, Reg BI, disclosure, four-business-day cyber incident disclosure (Form 8-K Item 1.05) | Tiered civil penalties per violation or the gross pecuniary gain, whichever is greater; disgorgement; industry bars |
| Securities | FINRA | Rules 4370, 3310, 2111 | AML, suitability, BCP, supervision, communications | Fines, suspensions, permanent industry bars |
| Consumer Finance | CFPB | CFPA; TILA; RESPA; FCRA; FDCPA | Mortgage, credit cards, debt collection, UDAAP | Restitution; CMPs up to $1M/day for knowing violations |
| AML / Sanctions | FinCEN | Bank Secrecy Act; USA PATRIOT Act | CDD, SARs, CTRs, AML program requirements | Civil and criminal penalties; personal CCO liability |
| AML / Sanctions | OFAC | IEEPA; Trading with the Enemy Act | SDN screening, blocked assets, transaction licenses | CMPs up to the greater of ~$370K (inflation-adjusted IEEPA maximum) or twice the transaction value per violation; criminal penalties |
| Healthcare | HHS OCR | HIPAA Privacy; Security; Breach Notification | PHI protection, access controls, 60-day breach reporting | CMPs up to ~$2M per violation category per year (inflation-adjusted); criminal referrals |
| Insurance | NAIC / State DOIs | State insurance codes; NAIC Model Acts | Rate filings, market conduct, solvency, claims handling | Fines, license suspension, consent orders |
| All Public Cos. | SEC (SOX) | SOX Sec. 302, 404; 8-K; 10-K | ICFR certification, material weakness, cyber incident disclosure | Securities fraud charges; CEO/CFO personal liability |
Table 4: US Compliance Universe — Regulatory Mapping by Sector (OCC, Federal Reserve, FDIC, SEC, FINRA, CFPB, FinCEN, OFAC, HHS OCR, NAIC)
Two areas warrant special attention in 2025. OFAC sanctions compliance has become materially more complex following expanded programs on Russia, China technology restrictions, and cryptocurrency.
OFAC’s civil penalties under IEEPA reach the greater of roughly $370,000 per violation (the inflation-adjusted statutory maximum of $250,000) or twice the value of the transaction, and the agency pursues enforcement against organizations whose compliance programs were not adequate for their transaction complexity.
Separately, the SEC’s cybersecurity disclosure rules effective December 2023 require public companies to report a material cybersecurity incident on Form 8-K (Item 1.05) within four business days of determining that the incident is material — the clock runs from the materiality determination, not from discovery — and to disclose their cybersecurity risk management, strategy, and governance annually on Form 10-K.
For organizations with EU operations, DORA adds a parallel ICT risk management layer. Our DORA compliance checklist covers the EU-specific requirements US firms with EU exposure must satisfy alongside domestic obligations.
4. Compliance Risk Assessment Template: Worked Register with 10 Examples
The register below combines the scoring methodology with the regulatory universe to produce a practical, auditable output.
Each row is a specific compliance risk with its regulatory citation, root cause, inherent risk score (L x I), and remediation plan.
These 10 examples are drawn from the most common enforcement actions and examination findings across US financial services and healthcare. Adapt the citations, likelihood scores, and timelines to your own control environment.
| Compliance Risk | Regulator | Root Cause / Gap | L | I | Score | Rule Ref. | Remediation Action | Owner | Status |
|---|---|---|---|---|---|---|---|---|---|
| BSA/AML — CDD Gap | FinCEN / OCC | Incomplete beneficial ownership verification for legal entity customers | 4 | 5 | 20 | 31 CFR 1010.230 | Enhanced KYC workflow; automated CDD forms; FinCEN CDD Rule training | CCO | Open |
| OFAC — SDN Screening | OFAC | Outdated SDN list on wire transfer screening; no daily refresh in place | 3 | 5 | 15 | OFAC SDN List | Immediate SDN update; daily automated refresh; vendor SLA review | CISO / Compliance | In Progress |
| SEC Reg BI — Form CRS | SEC | Broker-dealer accounts lack Form CRS disclosure evidence at point of sale | 4 | 4 | 16 | Exchange Act Rule 17a-14 (Form CRS); Rule 15l-1 (Reg BI) | Form CRS workflow redesign; rep training; supervisory review at sale | CCO / Legal | Open |
| CFPB UDAAP — Fee Disclosure | CFPB | Third-party fees in Loan Estimate exceed TILA tolerance thresholds | 3 | 4 | 12 | TRID Rule (12 CFR 1026.19(e)) | Fee tolerance audit; LOS system reconfiguration; 45 originators retrained | Mortgage Compliance | Open |
| HIPAA — Access Control | HHS OCR | Terminated employee access not revoked within 48-hour policy deadline | 4 | 3 | 12 | 45 CFR 164.308(a)(3)(ii)(C) | Automated de-provisioning workflow; HRMS-IT integration; quarterly access audit | CISO / HR | In Progress |
| SOX 404 — ITGC Gap | SEC / PCAOB | Change management for financial reporting systems lacks documented approvals | 3 | 4 | 12 | PCAOB AS 2201 | Change management policy update; ServiceNow approval gate; ITGC training | IT / Internal Controls | Open |
| FINRA 3310 — AML Testing | FINRA | Independent AML testing not completed within required annual cycle | 2 | 4 | 8 | FINRA Rule 3310(c) | Schedule independent test within 60 days; update annual testing calendar | CCO / Internal Audit | Open |
| OCC — Vendor BCP Review | OCC | Critical fintech vendor BCP not reviewed in prior 12 months | 3 | 3 | 9 | OCC Bulletin 2023-17 | Vendor BCP request issued; third-party calendar updated; contract addendum negotiated | Procurement / Risk | Open |
| ECOA / FCRA — Adverse Action Timing | CFPB / FTC | Adverse action notices on credit decisions issued beyond the 30-day window required by Regulation B | 2 | 3 | 6 | 12 CFR 1002.9; 15 USC 1681m | Workflow trigger review; automated notice generation; quality control sampling | Consumer Lending | Open |
| EPA — Emissions Reporting | EPA | Annual GHG report submitted 12 days after mandatory deadline | 2 | 2 | 4 | 40 CFR Part 98 | Reporting calendar alert; assign EHS coordinator; automated deadline reminders | EHS / Legal | Closed |
Table 5: Compliance Risk Register — 10 Worked Examples (L = Likelihood; I = Impact; Score = L x I)
Three of the ten risks are rated Critical (score 15+): the BSA/AML CDD gap, OFAC SDN screening, and Reg BI Form CRS documentation — AML, sanctions, and securities compliance, areas where regulators have imposed eight- and nine-figure penalties.
The BSA/AML CDD gap and SEC Reg BI documentation findings reflect areas where the OCC and FINRA have conducted recent industry sweeps.
Firms that have not assessed these domains since 2021 are likely carrying risk they have not quantified.
For AML-specific risk assessment priorities, FinCEN’s AML/CFT National Priorities (June 2021) list the ML/TF threats financial institutions should assess first: corruption, cybercrime (including ransomware and virtual currency abuse), and terrorist financing head the list, followed by fraud, transnational criminal organizations, drug trafficking, human trafficking, and proliferation financing.
5. Remediation Tracking: Managing Gaps Through to Closure
A compliance risk assessment without remediation tracking is half a program. Regulators examining your compliance function expect to see not just that you identified risks, but that you managed them through to closure with documented evidence.
The tracking register below structures this with RAG status, ownership, and completion percentage for monthly reporting to your Compliance Committee and Board.
| Risk | Score | Owner | Start | Target | Actions Taken | RAG Status | % Done |
|---|---|---|---|---|---|---|---|
| BSA/AML CDD Gap | 20 — Critical | CCO | Feb 15 | Mar 31 | CDD workflow in 3 of 5 lines; forms updated | Yellow — On track, 2 lines pending | 70% |
| OFAC SDN Screening | 15 — Critical | CISO / Compliance | Feb 8 | Feb 15 | SDN updated; daily refresh live; vendor SLA executed | Green — Complete | 100% |
| SEC Reg BI Form CRS | 16 — Critical | CCO / Legal | Feb 20 | Mar 20 | Form CRS redesigned; 3 training cohorts scheduled | Yellow — Training in progress | 60% |
| CFPB Fee Disclosures | 12 — High | Mortgage Compliance | Mar 1 | Apr 30 | LOS in UAT; 45 originators retrained | Yellow — UAT pending sign-off | 55% |
| HIPAA Access Control | 12 — High | CISO / HR | Feb 10 | Mar 10 | Auto de-provisioning live; 30-day audit complete | Green — Substantially complete | 90% |
| SOX 404 ITGC | 12 — High | IT / Internal Controls | Mar 5 | Apr 15 | Policy approved; ServiceNow workflow in configuration | Yellow — Configuration in progress | 40% |
| FINRA AML Testing | 8 — Medium | CCO / Internal Audit | Mar 15 | May 15 | External tester engaged; fieldwork starts April 1 | Green — On track | 30% |
| OCC Vendor BCP | 9 — Medium | Procurement / Risk | Mar 1 | Apr 15 | BCP received from vendor; contract addendum in negotiation | Green — On track | 45% |
Table 6: Compliance Remediation Tracking Register — RAG Status and Completion Tracking
The register serves two purposes. Internally it is your program management tool — the single source of truth for what is being done, who owns it, and whether it is on track.
Externally, in a regulatory examination or enforcement inquiry, it is your evidence that you identified the issue and acted with urgency.
Regulators consistently distinguish between organizations that self-identified and remediated proactively versus those directed by an examiner — that distinction often determines whether a formal enforcement action is necessary.
For a broader framework connecting remediation tracking to your issues and actions register, see our post on operational risk key risk indicators.
6. OFAC Compliance Risk: A Focused Deep Dive
OFAC sanctions risk deserves separate treatment because the framework is structurally different from most other regulatory domains.
OFAC’s civil penalty regime is strict liability — an organization can face penalties even without knowledge that a transaction was prohibited. The adequacy of its sanctions compliance program is not a defense to liability; under OFAC’s Economic Sanctions Enforcement Guidelines it is a factor that mitigates (or, if the program was inadequate, aggravates) the penalty.
The burden effectively reverses: the organization must demonstrate it had a compliance program commensurate with its risk profile.
OFAC’s Framework for Compliance Commitments identifies five essential components: management commitment, risk assessment, internal controls, testing and auditing, and training. The risk assessment component requires evaluation of exposure across customers and counterparties, products and services, geographies, and transaction types.
The highest-priority OFAC risks in the current environment are: correspondent banking with institutions in high-risk jurisdictions, customer onboarding for entities with ownership in designated countries, cryptocurrency transactions involving sanctioned addresses, and trade finance for goods subject to export controls or secondary sanctions.
Each should appear as a separately scored line in your compliance risk register. On SDN screening: the list is updated multiple times weekly.
Organizations relying on weekly or monthly refresh are materially understating their OFAC residual risk.
7. CFPB Compliance Risk: Consumer Finance Focus
The CFPB covers the broadest range of consumer financial products of any single US regulator — mortgage, credit cards, auto lending, student loans, debt collection, credit reporting, remittances, and prepaid accounts.
For organizations in consumer finance, CFPB items typically dominate the high-risk bands of the compliance risk register.
The CFPB’s most powerful enforcement tool is UDAAP — Unfair, Deceptive, or Abusive Acts or Practices — which is intentionally broad and does not require a specific rule violation. The CFPB UDAAP examination procedures are publicly available and should be a required reference for any consumer finance compliance risk assessment.
The highest-priority CFPB compliance risks for 2025 based on recent enforcement patterns: fee transparency (junk fee scrutiny across mortgage, credit cards, and deposit products); fair lending under ECOA and HMDA (AI-driven credit decisioning faces heightened disparate impact scrutiny); Section 1071 small business lending data collection (final rule issued, with compliance dates phased by lender size); and medical debt credit reporting accuracy.
8. Integrating Compliance Risk into Your Enterprise Risk Framework
A compliance risk assessment operating in isolation from your ERM program creates blind spots. Compliance gaps invisible to the CRO may not receive the resource allocation they need.
ERM risk registers without compliance risk give a distorted picture of overall exposure to the Board. The goal is integration without duplication.
Connecting to COSO ERM
COSO ERM 2017 Component 3 (Performance) explicitly calls for risk identification and assessment across all risk categories including compliance.
The COSO ERM Framework provides the architecture for rolling compliance risk into a portfolio view the Board can use for strategic decisions. Our COSO ERM framework guide covers the integration in detail.
Connecting to ISO 31000
ISO 31000:2018 Clause 6.4 (Risk Assessment), and specifically 6.4.3 (Risk Analysis), is where compliance risk scoring fits within the ISO framework. Our ISO 31000 risk assessment methodology covers the full process including the criteria-setting step (Clause 6.3.4) that should precede any scoring exercise.
Three Lines and Compliance Risk Ownership
The first line owns the compliance risk — the mortgage originations team is responsible for TILA compliance, not the compliance department.
The compliance function (second line) sets standards, conducts oversight, runs the assessment, and reports to the Board. Internal audit (third line) independently tests whether first and second lines are functioning.
Organizations that assign compliance risk ownership exclusively to the second line consistently find that first-line remediation stalls and issues recur.
9. Compliance Risk KRIs: Early Warning Indicators
KRIs for compliance risk give the Compliance Committee and Board a forward-looking view of deteriorating compliance posture — not just a backward-looking register of known gaps. The eight KRIs below include amber and red thresholds calibrated to US regulatory expectations.
| KRI | Domain | Amber Threshold | Red Threshold | Owner |
|---|---|---|---|---|
| Regulatory exam findings open > 90 days | Compliance Program | Amber: > 2 open | Red: > 5 open, or any Critical finding > 30 days | CCO |
| SAR filing rate deviation from prior quarter | BSA / AML | Amber: > 20% deviation | Red: > 40% deviation or regulator concern raised | MLRO / CCO |
| OFAC screening false positive rate | Sanctions | Amber: > 15% | Red: > 30% or screening system flag | CISO / Compliance |
| Consumer complaints escalated to CFPB | Consumer Finance | Amber: > 5% of total complaints | Red: > 10% or any direct CFPB contact | CCO / Customer Relations |
| Policy exceptions approved in quarter | All Domains | Amber: > 5 in any regulated area | Red: > 10, or same exception recurring | CRO / CCO |
| Compliance training overdue (% of required) | All Staff | Amber: > 10% overdue | Red: > 25% overdue or mandatory item overdue | HR / Compliance |
| Critical vendors with overdue BCP review | Third-Party Risk | Amber: < 85% reviewed annually | Red: < 70% or any critical vendor with open findings | Procurement / Risk |
| Regulatory changes unassessed > 30 days | Regulatory Change | Amber: > 3 items unassessed | Red: > 5 items or any < 90 days to effective date | Compliance |
Table 7: Compliance Risk KRI Library — Eight Indicators with Thresholds and Owners
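Two features of Table 7 get lost when the thresholds are typed into a spreadsheet by hand: the vendor BCP indicator reads the other way round (a lower coverage percentage is worse), and most rows carry an “or any …” clause that should turn the indicator Red regardless of the number. The block below is an added example (not code from the original article) that stores a subset of the library as data, evaluates a set of constructed quarter-end readings, and returns a dashboard sorted Red first. The qualitative conditions are passed as a small dictionary of facts; the key names, the sample readings, and the choice to express the vendor KRI as a coverage percentage are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Added example, not part of the original article. Encodes part of Table 7 so a
# dashboard derives RAG status mechanically. Readings and "facts" are constructed.

Facts = Dict[str, object]   # qualitative conditions reported with the numeric value


@dataclass(frozen=True)
class Kri:
    name: str
    owner: str
    amber: float
    red: float
    higher_is_worse: bool = True                             # False for coverage metrics
    red_override: Optional[Callable[[Facts], bool]] = None   # Table 7's "or any ..." clauses


KRI_LIBRARY = [
    Kri("Regulatory exam findings open > 90 days", "CCO", amber=2, red=5,
        red_override=lambda f: f.get("critical_finding_open_days", 0) > 30),
    Kri("SAR filing rate deviation from prior quarter (abs %)", "MLRO / CCO", amber=20, red=40,
        red_override=lambda f: bool(f.get("regulator_concern_raised", False))),
    Kri("OFAC screening false positive rate (%)", "CISO / Compliance", amber=15, red=30,
        red_override=lambda f: bool(f.get("screening_system_flag", False))),
    Kri("Compliance training overdue (% of required)", "HR / Compliance", amber=10, red=25,
        red_override=lambda f: bool(f.get("mandatory_item_overdue", False))),
    Kri("Critical vendors with BCP reviewed annually (%)", "Procurement / Risk", amber=85, red=70,
        higher_is_worse=False,
        red_override=lambda f: bool(f.get("critical_vendor_open_findings", False))),
    Kri("Regulatory changes unassessed > 30 days", "Compliance", amber=3, red=5,
        red_override=lambda f: f.get("min_days_to_effective", 10**6) < 90),
]


def rag_status(kri: Kri, value: float, facts: Optional[Facts] = None) -> str:
    """Return 'Green', 'Amber' or 'Red' for one reading.

    Qualitative overrides are checked first: Table 7 treats them as unconditional
    Red triggers, whatever the numeric reading says.
    """
    facts = facts or {}
    if kri.red_override is not None and kri.red_override(facts):
        return "Red"
    breached = (lambda v, t: v > t) if kri.higher_is_worse else (lambda v, t: v < t)
    if breached(value, kri.red):
        return "Red"
    if breached(value, kri.amber):
        return "Amber"
    return "Green"


def evaluate_dashboard(observations):
    """observations: {kri name: (value, facts)}. Returns rows sorted Red > Amber > Green."""
    order = {"Red": 0, "Amber": 1, "Green": 2}
    rows = []
    for kri in KRI_LIBRARY:
        if kri.name not in observations:
            continue                      # not reported this period: leave it off the dashboard
        value, facts = observations[kri.name]
        rows.append({"kri": kri.name, "owner": kri.owner, "value": value,
                     "status": rag_status(kri, value, facts)})
    return sorted(rows, key=lambda row: order[row["status"]])


# Constructed quarter-end readings (not real data).
SAMPLE_OBSERVATIONS = {
    "Regulatory exam findings open > 90 days": (3, {"critical_finding_open_days": 45}),
    "SAR filing rate deviation from prior quarter (abs %)": (abs(-22.0), {}),
    "OFAC screening false positive rate (%)": (12.0, {}),
    "Compliance training overdue (% of required)": (8.0, {"mandatory_item_overdue": True}),
    "Critical vendors with BCP reviewed annually (%)": (80.0, {}),
    "Regulatory changes unassessed > 30 days": (2, {"min_days_to_effective": 120}),
}

if __name__ == "__main__":
    for row in evaluate_dashboard(SAMPLE_OBSERVATIONS):
        print(f"{row['status']:5} {row['kri']} = {row['value']} ({row['owner']})")
```

In the sample, two indicators go Red on their qualitative clause alone (three open findings would only be Amber, but one Critical finding has been open 45 days; training is 8% overdue, but a mandatory item is among them). That is the behaviour you want on a Board dashboard: the override is visible as a Red row, not buried in a footnote.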
For a comprehensive KRI library spanning operational, ESG, and third-party risk alongside compliance, see our key risk indicators complete framework and the KRI framework for boards.
10. Five Compliance Risk Assessment Failures to Avoid
Failure 1: Building the Universe from Memory
Compliance teams relying on institutional knowledge rather than systematic regulatory mapping consistently miss requirements — especially in stable areas no longer top of mind, or obligations picked up through M&A. Build the universe from regulatory text, examination manuals, and external legal counsel review.
Failure 2: Confusing Documentation with Control Effectiveness
The existence of a policy is not evidence that a control is working. A BSA/AML program with a written CDD policy never audited for effectiveness is not an effective control. Build effectiveness testing into your methodology using sampling, transaction testing, or observation — not just policy review.
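What “effectiveness testing by sampling” looks like in practice, using the HIPAA access-revocation row from the register (terminated employee access must be revoked within a 48-hour policy deadline): pull a sample of HR termination events, pull the identity provider’s account-disable timestamps, and measure the gap for each user instead of reading the de-provisioning policy. The block below is an added example, not code from the original article; the HR and IdP records are constructed, and the exception-rate thresholds that turn the result into one of the Step 4 control ratings are an assumption of the example.

```python
from datetime import datetime, timedelta, timezone

# Added example, not part of the original article. Tests a control by sampling its
# outcomes (termination-to-disable latency) rather than by reading its policy.
# Records are constructed; the rating thresholds are an assumption of this example.

POLICY_DEADLINE = timedelta(hours=48)

# Assumed mapping from exception rate to the Step 4 control ratings.
RATING_THRESHOLDS = ((0.05, "Effective"), (0.20, "Partially Effective"), (1.0, "Ineffective"))


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; accepts the trailing 'Z' form."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def audit_access_revocation(terminations, idp_disabled, as_of):
    """Compare each HR termination against the identity provider's disable timestamp.

    Returns per-user latency, the exceptions (disabled late, or still enabled past
    the deadline as of the audit date) and the resulting control rating.
    """
    if not terminations:
        raise ValueError("empty sample: no conclusion can be drawn")
    now = parse_ts(as_of)
    latencies, exceptions = {}, []
    for user, terminated_at in terminations:
        t0 = parse_ts(terminated_at)
        disabled_at = idp_disabled.get(user)
        if disabled_at is None:
            # No disable event: the account is still active. It is an exception only
            # once the policy deadline has passed as of the audit date.
            elapsed = now - t0
            latencies[user] = elapsed
            if elapsed > POLICY_DEADLINE:
                exceptions.append((user, "still enabled"))
            continue
        latency = parse_ts(disabled_at) - t0
        latencies[user] = latency
        if latency > POLICY_DEADLINE:
            exceptions.append((user, f"disabled after {latency.total_seconds() / 3600:.1f}h"))
    rate = len(exceptions) / len(terminations)
    rating = next(label for limit, label in RATING_THRESHOLDS if rate <= limit)
    return {"sample_size": len(terminations), "exceptions": exceptions,
            "exception_rate": rate, "rating": rating, "latencies": latencies}


# Constructed sample: HR termination events and IdP account-disable events.
SAMPLE_TERMINATIONS = [
    ("u1001", "2025-03-03T09:00:00Z"),
    ("u1002", "2025-03-04T17:30:00Z"),
    ("u1003", "2025-03-05T12:00:00Z"),
    ("u1004", "2025-03-06T08:00:00Z"),
    ("u1005", "2025-03-07T16:00:00Z"),
]
SAMPLE_IDP_DISABLED = {
    "u1001": "2025-03-03T11:15:00Z",
    "u1002": "2025-03-09T09:00:00Z",   # disabled the following Monday, 111.5h later
    "u1003": "2025-03-05T13:00:00Z",
    "u1005": "2025-03-07T16:30:00Z",
    # u1004 has no disable event: the account is still active
}

if __name__ == "__main__":
    result = audit_access_revocation(SAMPLE_TERMINATIONS, SAMPLE_IDP_DISABLED,
                                     "2025-03-31T00:00:00Z")
    print(result["rating"], f"{result['exception_rate']:.0%}", result["exceptions"])
```

Two of the five sampled terminations are exceptions (one disabled days late, one never disabled), a 40% exception rate that rates the control Ineffective under the assumed thresholds, whatever the written policy says. Feeding that rating back into the residual-risk calculation, rather than the policy’s existence, is the distinction this failure mode is about.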
Failure 3: Accepting Business Unit Self-Assessments Without Challenge
Business units consistently understate compliance risk when asked to self-assess. The second line’s job is to challenge those assessments with external reference points — peer enforcement actions, examination findings, regulatory guidance — that provide a more objective likelihood calibration.
Failure 4: No Regulatory Change Management Process
Organizations without a formal process routing new regulatory obligations through the compliance risk assessment are consistently behind the curve. Build a 30-day maximum latency between a regulatory change and its business impact assessment.
Failure 5: Treating the Assessment as an Annual Event
Annual assessments are a minimum, not a best practice. Material regulatory changes, business model changes, enforcement actions, and major control failures all warrant triggered updates between the annual cycle.
A compliance program that updates its assessment once a year regardless of what happens is calendar-based, not risk-based.
11. 90-Day Implementation Roadmap
A compliance risk assessment framework is achievable in 90 days for most US organizations when sequenced correctly. The roadmap below produces a board-ready compliance risk report at the end of Phase 3 with a functioning risk register and remediation tracking process in place.
| Phase | Label | Key Actions | Owner | Outputs |
|---|---|---|---|---|
| Days 1–30 | Foundation and Scoping | Map all applicable regulations to each business line; build compliance universe; assign regulatory owners; interview first-line business units | CCO + Legal + Business Heads | Compliance universe register; regulatory inventory; scoping memo |
| Days 31–60 | Risk Identification and Scoring | Run compliance risk workshops; score all risks on the 5×5 matrix; populate register with root cause, regulatory citation, and inherent risk rating | Compliance + Risk + Internal Audit | Scored risk register; heat map by domain; top-10 critical risks list |
| Days 61–90 | Remediation and Reporting | Build remediation plans for Critical and High risks; assign owners and dates; produce first compliance risk report for Board/Audit Committee; set quarterly cadence | CCO + Board Secretary + 1st Line Owners | Remediation register; Board report; KRI dashboard; monitoring calendar |
Table 8: Compliance Risk Assessment — 90-Day Implementation Roadmap
The single most important success factor is executive sponsorship from the CCO and Board Audit Committee.
Frame the exercise as: this tells us where we could face a significant regulatory penalty and what we are doing about it. That framing gets first-line engagement. Without it, the risk register becomes a compliance department artifact rather than an organization-wide risk management tool.
12. What Is Changing: AI, ESG, and Crypto in the Compliance Universe
AI and Algorithmic Compliance Risk
AI-driven credit decisioning, fraud detection, and customer service tools create compliance risks most existing assessments have not fully addressed. The CFPB, OCC, and Federal Reserve have all issued guidance on model risk and fair lending implications of automated decisioning.
Any compliance risk assessment conducted in 2025 should include AI governance as a standalone domain. See our post on AI and machine learning risk management for applicable KRI frameworks.
ESG and Sustainability Disclosure
SEC climate disclosure rules and CSRD obligations for US firms with EU operations have created a new compliance risk domain centered on sustainability reporting accuracy. Our ESG key risk indicators framework maps 43 ESG KRIs against SEC, ISSB S2, CSRD, and GRI standards.
Cryptocurrency and Digital Assets
The regulatory perimeter for digital assets has expanded significantly following SEC enforcement actions, FinCEN rulemaking on CVC mixing, and OFAC designation of cryptocurrency addresses. For organizations that hold, transact, or service digital assets, crypto-related BSA/AML, OFAC screening for on-chain transactions, and SEC registration requirements should all appear as distinct items in the compliance risk register.
Ready to Build Your Compliance Risk Assessment?
Start with Step 1: build the compliance universe. Spend one week systematically mapping every regulation that applies to every business activity your organization conducts. The universe is the foundation — everything else depends on having a complete, accurate, and current picture of your regulatory obligations.
Browse the full library of practitioner-ready templates, risk registers, KRI dashboards, and regulatory mapping tools at riskpublishing.com — designed for compliance and risk professionals who need outputs that will stand up to regulatory scrutiny.
Key External References
1. ISO. (2018). ISO 31000:2018 Risk Management — Guidelines.
2. COSO. (2017). Enterprise Risk Management — Integrating with Strategy and Performance.
3. Office of the Comptroller of the Currency. Comptroller’s Handbook.
4. Consumer Financial Protection Bureau. Supervision and Examination Manual.
5. FinCEN. (2021). Anti-Money Laundering and Countering the Financing of Terrorism National Priorities.
6. OFAC. (2019). A Framework for OFAC Compliance Commitments. US Department of the Treasury.
7. SEC. (2023). Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Final Rule).
8. FFIEC. BSA/AML Examination Manual (2022 Update).
9. Federal Reserve. (2011). SR 11-7: Supervisory Guidance on Model Risk Management.
10. FINRA. Rule 3310: Anti-Money Laundering Compliance Program.
11. PCAOB. AS 2201: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements.
12. HHS Office for Civil Rights. HIPAA Enforcement — Civil Money Penalties and Resolution Agreements.
Related Resources on RiskPublishing.com
Enterprise Risk Management Framework Guide — Integrating compliance risk into your ERM architecture
Three Lines Model Implementation Guide — RACI for compliance risk ownership across the three lines
Risk Identification Framework — Techniques for building a comprehensive compliance risk universe
Risk Assessment Methodology — ISO 31000 risk assessment process aligned to compliance scoring
COSO ERM Framework Guide — Connecting COSO Performance component to compliance risk
Key Risk Indicators: Complete Framework — KRI library including compliance risk early-warning indicators
KRI Framework for Boards — Board-ready compliance KRI dashboards and reporting
Risk Quantification for Boards — Translating compliance risk scores into financial exposure estimates
Operational Risk Management — Process-level controls that support compliance risk mitigation
Third-Party Risk Management Framework — Vendor compliance obligations under OCC, CFPB, and OFAC
DORA Compliance Checklist — EU compliance obligations for US firms with EU operations
AI and Machine Learning Risk Management — AI compliance risk KRIs and governance frameworks
ESG Key Risk Indicators Framework — SEC and CSRD ESG disclosure compliance risk mapping
Business Continuity Management Guide — BCM compliance under FFIEC, HIPAA, and FINRA
Operational Risk Key Risk Indicators — KRIs for issues and actions management supporting remediation

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
