In March 2025, French authorities imposed a $985 million penalty on a Swiss bank for anti-money laundering failures. That single enforcement action exceeded many organisations’ entire annual compliance budgets. Across the globe, regulatory fines for financial institutions surged 417% in the first half of 2025 compared to the same period in 2024, totalling $1.23 billion in just six months. Knowing how to conduct a compliance risk assessment is now essential for every regulated organisation.
The message from regulators is unambiguous: compliance risk assessment is not a box-ticking exercise. It is a financial survival skill.
| Key Takeaways |
| --- |
| Global non-compliance fines reached $14 billion in 2024, with AML penalties surging 417% in H1 2025. A structured compliance risk assessment is no longer optional. |
| A compliance risk assessment follows six steps: identify risk areas, map controls, assess risks against controls, measure risk levels, report findings, and implement SMART mitigations. |
| ISO 37301 provides the international standard for compliance management systems, built on Plan-Do-Check-Act and requiring ongoing risk-based assessment. |
| Five control types form the compliance defence: policies and procedures, codes of conduct, compliance audits, impact analysis, and HR-related controls. |
| Risk scoring uses a 5×5 likelihood-by-impact matrix to rank compliance risks as low (1-4), medium (5-14), or high (15-25) and drive resource allocation. |
| Compliance risk reporting must reach the board, audit committee, and functional management with KPIs on breach counts, audit action delays, and control effectiveness. |
| Non-compliant data breaches cost $4.61 million on average, $220,000 more than compliant organisations, making prevention far cheaper than remediation. |
A compliance risk assessment is a structured process for identifying, evaluating, and mitigating the risks that arise when an organisation fails to meet legal, regulatory, or internal policy obligations.
Conducted properly, it converts vague compliance anxiety into a ranked, measurable portfolio of risks with clear owners and SMART actions. Conducted poorly, or not at all, it leaves the organisation exposed to fines, reputational damage, and operational disruption.
This guide explains how to conduct a compliance risk assessment using a practical, six-step framework aligned with ISO 37301, ISO 31000, and COSO ERM principles.

Figure 1: Compliance risk by the numbers. Sources: Fenergo 2025, IBM 2025, Model Office.
Where Compliance Risk Meets Enterprise Risk Management
Before exploring how to conduct a compliance risk assessment, it helps to understand where compliance management and enterprise risk management overlap. These distinct disciplines intersect in two critical areas. First, many jurisdictions impose specific regulations on how organisations must manage business risk. Health and safety legislation, prudential rules in financial services, and data protection laws all carry compliance requirements that risk managers cannot ignore.
Second, non-compliance itself creates a measurable risk: the probability of regulatory sanctions, financial penalties, or reputational harm when obligations are not met. This is compliance risk in its purest form.
ISO 37301 defines compliance risk as the “effect of uncertainty on compliance objectives,” directly mirroring the ISO 31000 risk definition. This alignment is deliberate. It allows organisations learning how to conduct a compliance risk assessment to integrate it into their broader risk assessment process rather than running parallel, disconnected exercises.
The Three Lines Model from the IIA reinforces this: first-line management owns compliance risks day-to-day, the second-line compliance function provides oversight and frameworks, and third-line internal audit provides independent assurance.
Compliance Risk Assessment vs General Risk Assessment
| Dimension | Compliance Risk Assessment | General Risk Assessment |
| --- | --- | --- |
| Scope | Legal, regulatory, and policy obligations | All risks to organisational objectives |
| Primary standard | ISO 37301, sector-specific regulations | ISO 31000, COSO ERM |
| Risk universe | Regulatory library mapped to operations | Strategic, operational, financial, hazard risks |
| Control focus | Policies, codes of conduct, audits, training | Full control environment |
| Reporting line | Board, audit committee, regulators | Risk committee, executive management |
| Consequence type | Fines, sanctions, licence revocation, criminal liability | Financial loss, operational disruption, reputational damage |

Figure 2: The financial impact of compliance failures. Non-compliant data breaches cost $220K more on average.
Step 1: Identify Compliance Risk Areas Through a Regulatory Library
Understanding how to conduct a compliance risk assessment starts with establishing a consolidated database of every law, regulation, standard, and internal policy that governs the organisation’s operations.
This regulatory library becomes the single source of truth for compliance obligations. Without it, risk identification is guesswork.
Several factors increase the likelihood of non-compliance. Inadequate resources prevent teams from meeting legal obligations. Knowledge gaps about regulatory requirements mean breaches go unrecognised until a regulator intervenes.
Unclear or conflicting internal policies create confusion about which standard applies. Outsourcing to third parties without adequate due diligence transfers operational tasks but not legal accountability.
Building a Compliance Risk Regulatory Library
| Element | Description | Example |
| --- | --- | --- |
| Primary legislation | National laws with direct compliance obligations | Companies Act, Data Protection Act, AML regulations |
| Secondary regulations | Statutory instruments and sector-specific rules | FCA Handbook, OSHA standards, EPA regulations |
| Industry standards | Voluntary but expected frameworks | ISO 37301, ISO 27001, PCI DSS |
| Internal policies | Board-approved organisational rules | Anti-bribery policy, whistleblowing policy, data handling SOP |
| Contractual obligations | Compliance commitments in commercial agreements | SLAs, NDA terms, vendor data processing agreements |
| Past non-compliance | Historical incidents documented for reference | Prior audit findings, regulatory notices, near-miss log |
Step 2: Identify Compliance Controls and Methods
With the regulatory library established, the next compliance risk assessment step is mapping every existing control that addresses those obligations.
Internal controls are the policies, procedures, and processes an organisation deploys to prevent or detect non-compliance. They fall into five categories, each serving a different purpose within the compliance risk framework.
Five Types of Compliance Risk Controls
| Control Type | Purpose | Examples |
| --- | --- | --- |
| Policies and Procedures | Define acceptable behaviour and required actions for regulatory compliance | AML procedures, KYC protocols, health and safety SOPs, data retention policies |
| Codes of Conduct | Set behavioural expectations with disciplinary consequences | Employee code of ethics, board director code, professional body rules |
| Compliance Audits and Reviews | Test whether controls operate effectively and identify gaps | Internal audit programmes, compliance spot checks, regulatory examinations |
| Compliance Impact Analysis | Quantify financial and reputational consequences of a breach | Direct cost modelling, indirect cost estimation, ordinal severity scoring |
| HR-Related Controls | Ensure personnel have the competence and incentives for compliance | Compliance training programmes, performance KPIs, disciplinary frameworks |

Figure 3: Compliance control types rated by preventive and detective effectiveness.
Policies and procedures score highest on preventive effectiveness because they define expectations before activity occurs.
Compliance audits and impact analyses rank highest on detective effectiveness because they uncover breaches after the fact. A robust compliance risk assessment recognises that organisations need both.
Relying solely on preventive controls means breaches go undetected. Relying solely on detective controls means damage has already occurred before correction. The COSO Internal Control Framework emphasises this balance across its five components: control environment, risk assessment, control activities, information and communication, and monitoring.
Step 3: Assess Compliance Risks Against Existing Controls
This is the “what if” step. Having identified the regulatory universe and mapped controls, compliance officers now stress-test each obligation: what happens if a staff member fails to report a data breach?
What is the impact if the IT environment crashes and critical compliance records are lost? What are the consequences if a financial crime occurs within the organisation?
Compliance risk assessment at this stage uses qualitative scales (typically 1-5 or 1-10) to estimate the probability of an adverse compliance event occurring. These estimates should draw on multiple inputs: historical incident data from the regulatory library, internal audit findings, industry benchmarking, regulatory enforcement trends, and subject-matter expert judgement. Comparing the organisation’s exposure with peer institutions provides additional calibration.
The output of this step is a gap analysis: for each compliance obligation, how wide is the distance between the inherent risk (before controls) and the residual risk (after controls are applied)? Knowing how to conduct a compliance risk assessment means understanding these gaps. Where gaps are material, the assessment flags the obligation for enhanced treatment in Steps 4-6.
Step 4: Measure Compliance Risk Levels Using a Scoring Matrix
Compliance risk measurement translates qualitative assessments into a structured scoring framework.
The standard approach uses a 5×5 risk matrix that multiplies likelihood by impact to produce a risk score between 1 and 25. This is the same methodology used in enterprise risk management under ISO 31000, which makes integration straightforward.

Figure 4: 5×5 compliance risk scoring matrix. Scores 15-25 require immediate action plans.
Compliance Risk Scoring Bands
| Risk Band | Score Range | Monitoring Frequency | Action Required |
| --- | --- | --- | --- |
| Low | 1-4 | Annual review | Accept and monitor; document in risk register |
| Medium | 5-14 | Quarterly review | Implement additional controls; assign owners and deadlines |
| High | 15-25 | Monthly review | Immediate mitigation plan; escalate to board and audit committee |
Two measurements matter for each compliance risk. The inherent risk score reflects exposure without any controls in place. The residual risk score reflects exposure after existing controls are applied.
The difference between these two numbers quantifies control effectiveness. Where existing controls reduce the inherent risk score by less than 40%, the obligation should be flagged for enhanced treatment.
This approach is consistent with how risk metrics drive decisions across the enterprise risk management framework.
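The scoring rules in this step, and the monitoring frequencies attached to each band, are mechanical enough to automate. The following is an added worked example (not code from the original article or from any vendor) that scores a small constructed compliance risk register: it multiplies likelihood by impact on the 5×5 matrix, bands the result as Low (1-4), Medium (5-14) or High (15-25), computes the inherent-to-residual reduction, and flags any obligation whose controls remove less than 40% of inherent risk. The register rows and the `Obligation` class are assumptions made for the example; it also rejects a residual score higher than the inherent score, which signals the inconsistent departmental scoring the pitfalls table warns about.

```python
"""5x5 compliance risk scoring: inherent vs residual, banding and the 40% control-effectiveness flag."""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5               # likelihood and impact are each scored 1-5
BANDS = (                                 # (upper bound inclusive, band name) from the scoring bands table
    (4, "Low"),
    (14, "Medium"),
    (25, "High"),
)
MONITORING = {"Low": "Annual", "Medium": "Quarterly", "High": "Monthly"}
MIN_CONTROL_REDUCTION = 0.40              # below this, flag the obligation for enhanced treatment


@dataclass(frozen=True)
class Obligation:
    """One row of a compliance risk register (hypothetical structure, constructed sample data)."""
    name: str
    inherent_likelihood: int
    inherent_impact: int
    residual_likelihood: int
    residual_impact: int


def risk_score(likelihood: int, impact: int) -> int:
    """Likelihood x impact on the 5x5 matrix; rejects values outside the 1-5 scale."""
    for value in (likelihood, impact):
        if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"score component {value!r} outside {SCALE_MIN}-{SCALE_MAX}")
    return likelihood * impact


def risk_band(score: int) -> str:
    """Map a 1-25 score onto Low (1-4), Medium (5-14) or High (15-25)."""
    if not SCALE_MIN <= score <= SCALE_MAX * SCALE_MAX:
        raise ValueError(f"risk score {score!r} outside 1-25")
    for upper, band in BANDS:
        if score <= upper:
            return band
    raise AssertionError("unreachable: BANDS covers 1-25")


def control_reduction(inherent: int, residual: int) -> float:
    """Fraction of the inherent score removed by existing controls."""
    if residual > inherent:
        # Controls cannot add risk; this means likelihood or impact were scored inconsistently
        raise ValueError(f"residual score {residual} exceeds inherent score {inherent}")
    return (inherent - residual) / inherent


def assess(ob: Obligation) -> dict:
    """Score one obligation and derive its band, monitoring frequency and enhanced-treatment flag."""
    inherent = risk_score(ob.inherent_likelihood, ob.inherent_impact)
    residual = risk_score(ob.residual_likelihood, ob.residual_impact)
    reduction = control_reduction(inherent, residual)
    residual_band = risk_band(residual)
    return {
        "name": ob.name,
        "inherent": inherent,
        "inherent_band": risk_band(inherent),
        "residual": residual,
        "residual_band": residual_band,
        "monitoring": MONITORING[residual_band],
        "control_reduction": reduction,
        "enhanced_treatment": reduction < MIN_CONTROL_REDUCTION,
    }


def assess_register(register: list) -> list:
    """Score every obligation, highest residual risk first (the order a board report would use)."""
    return sorted((assess(ob) for ob in register), key=lambda row: row["residual"], reverse=True)


# Constructed sample register; the names and scores are illustrative, not real assessment data.
SAMPLE_REGISTER = [
    Obligation("AML customer due diligence", 4, 5, 2, 5),          # 20 -> 10: controls remove 50%
    Obligation("Personal data breach notification", 3, 4, 3, 3),  # 12 -> 9: controls remove only 25%
    Obligation("Whistleblowing channel", 2, 2, 1, 2),             # 4 -> 2: low band either way
]

if __name__ == "__main__":
    for row in assess_register(SAMPLE_REGISTER):
        flag = "FLAG: enhanced treatment" if row["enhanced_treatment"] else "ok"
        print(f"{row['name']:<36} inherent {row['inherent']:>2} ({row['inherent_band']})  "
              f"residual {row['residual']:>2} ({row['residual_band']}, {row['monitoring']})  "
              f"reduction {row['control_reduction']:.0%}  {flag}")
```

Note that the flag and the band are independent signals: the AML row stays Medium after controls yet passes the 40% test, while the breach-notification row is also Medium but is flagged because its controls barely move the score. Both signals belong in the Step 5 report.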
Step 5: Compliance Risk Reporting to the Board and Audit Committee
Risk measurement is only valuable if findings reach the people who can act on them. A critical step in learning how to conduct a compliance risk assessment is reporting to three audiences: the board and audit committee (strategic oversight), senior management (operational decisions), and functional managers (day-to-day compliance activities).
Each audience needs different levels of detail, but all need a clear view of where compliance risks sit relative to the organisation’s risk appetite.
Compliance Risk KPIs and Reporting Metrics
| KPI Category | Example Metrics | Reporting Frequency |
| --- | --- | --- |
| Breach metrics | Number of non-compliance breaches, near-miss incidents, severity distribution | Monthly |
| Audit actions | Open audit findings, overdue remediation actions, average days to closure | Monthly |
| Training compliance | Completion rates by department, pass rates on compliance assessments | Quarterly |
| Regulatory changes | New regulations identified, impact assessments completed, policy updates made | Quarterly |
| Control effectiveness | Controls tested, pass/fail rates, self-assessment vs audit scores | Quarterly |
| Financial exposure | Estimated fine exposure by risk band, compliance insurance coverage gaps | Annually |

Figure 5: Global regulatory fines by region in 2025. EMEA enforcement surged 767% year-over-year.
The compliance function generates these reports, though the company secretary or another governance professional may oversee production. Issues that breach the organisation’s compliance risk appetite must be escalated to the board and audit committee.
Compliance key risk indicators provide the quantitative backbone for these reports, converting qualitative assessments into trackable trends that boards can act on.
Step 6: Compliance Risk Mitigation With SMART Actions
The final step in how to conduct a compliance risk assessment addresses high-ranked risks that require immediate, structured responses. Each mitigation action must be SMART: specific, measurable, achievable, relevant, and time-bound. Vague commitments like “improve compliance training” are not mitigation plans.
“Deploy mandatory annual AML refresher training for all client-facing staff by 30 June 2026, measured by 95% completion rate” is a SMART compliance risk mitigation action.
Compliance Risk Mitigation Monitoring Schedule
| Risk Level | Monitoring Frequency | Review Body | Escalation Trigger |
| --- | --- | --- | --- |
| High (15-25) | Monthly | Board / Audit Committee | Any deterioration or missed action deadline |
| Medium (5-14) | Quarterly | Senior Management / Risk Committee | Risk score increases or control failure detected |
| Low (1-4) | Annually | Functional Management | Regulatory change affecting the obligation |
Four standard risk responses apply to compliance risks: accept (for low-scored risks within appetite), mitigate (implement additional controls), transfer (insurance or contractual allocation), or avoid (exit the activity creating the compliance obligation).
Most compliance risks cannot be transferred or avoided entirely because the legal obligation attaches regardless of who performs the activity. In practice, therefore, the primary response is mitigation through strengthened controls, enhanced monitoring, and targeted training.

Figure 6: The six-step compliance risk assessment process aligned with ISO 37301 and COSO.
How to Conduct a Compliance Risk Assessment: A Phased Approach
| Phase | Actions | Deliverables | Success Metrics |
| --- | --- | --- | --- |
| Days 1-30: Foundation | Assemble compliance risk assessment team. Build regulatory library. Identify top 20 compliance obligations by exposure. | Regulatory library database. Preliminary compliance risk register. | Library covers 90%+ of known regulations. Team RACI approved. |
| Days 31-60: Assessment | Map controls to obligations (Step 2). Score inherent and residual risks (Steps 3-4). Run gap analysis. | Scored compliance risk register. Control gap report. Risk heatmap. | All high-risk obligations scored. Control gaps documented with owners. |
| Days 61-90: Action | Develop SMART mitigation plans for high risks (Step 6). Build reporting dashboard (Step 5). Present to board. | Board compliance risk report. Mitigation action tracker. KPI dashboard. | Board sign-off achieved. All high risks have funded mitigation plans. |
Where Compliance Risk Programs Stall and How to Unstick Them
| Pitfall | Root Cause | Remedy |
| --- | --- | --- |
| Regulatory library is never updated | No process for monitoring regulatory changes | Assign a regulatory change owner. Subscribe to regulator alerts. Review library quarterly. |
| Controls exist on paper but not in practice | Gap between documented procedures and operational reality | Mandate control testing, not just documentation. Use compliance audits to verify operating effectiveness. |
| Risk scoring is inconsistent across departments | No calibration of likelihood and impact definitions | Publish a compliance risk scoring guide with worked examples. Run calibration workshops. |
| High risks sit on the register with no action | Mitigation plans lack specificity, owners, or deadlines | Enforce SMART action format. Track overdue actions in monthly compliance reports. |
| Compliance risk assessment is a one-off event | Treated as a project, not an ongoing process | Embed in the annual risk calendar. Trigger reassessment on regulatory change, incident, or organisational restructure. |
| Board receives volume, not insight | Reporting overwhelms with detail rather than highlighting decisions needed | Use a one-page compliance risk summary with traffic lights, trend arrows, and explicit decision asks. |
| Third-party compliance risks are overlooked | Due diligence stops at onboarding | Include vendor compliance in the regulatory library. Conduct ongoing compliance risk assessments of critical third parties. |
| Training is generic and untargeted | Same compliance training for all staff regardless of risk exposure | Map training to role-specific compliance obligations. Measure effectiveness through scenario-based assessments. |
The Regulatory and Technology Horizon: 2026-2028
Three shifts will reshape how to conduct a compliance risk assessment over the next two years. First, AI-driven regulatory technology is transforming how organisations monitor obligations.
Automated regulatory change management tools can scan legislative databases, flag relevant changes, and even draft preliminary impact assessments. Global spending on AI governance and compliance is projected to reach $2.54 billion in 2026 and grow to $8.23 billion by 2034.
Second, cross-border enforcement coordination is intensifying. France became the second-largest global enforcer in 2025 at $1 billion in fines, while EMEA penalties surged 767% and APAC fines rose 44%.
Australia is bringing real estate agents, lawyers, and accountants under AML/CTF oversight in 2026. Organisations operating across jurisdictions need compliance risk assessments that account for regulatory divergence, not just domestic requirements.
Third, continuous compliance monitoring is replacing periodic assessment cycles. Rather than annual compliance risk reviews, leading organisations deploy real-time dashboards that track key risk indicators against thresholds and trigger alerts when metrics breach tolerance levels.
This shift from backward-looking assessment to forward-looking surveillance represents the maturity trajectory for compliance risk management. Organisations that understand how to conduct a compliance risk assessment and build their framework on these six steps today will be best positioned to adopt continuous monitoring as the technology matures.
Ready to strengthen your compliance risk assessment framework? Explore our compliance risk assessment templates and compliance risk framework guide for ready-to-use tools. For tailored advisory support, contact our team.
References
1. Fenergo, “Regulatory Penalties for Global Financial Institutions Skyrocket 417% in H1 2025,” 2025.
2. Fenergo, “Global Financial Regulatory Penalties Fall by 18% in 2025,” January 2026.
3. IBM, “Cost of a Data Breach Report 2025,” 2025.
4. ISO, “ISO 37301:2021 Compliance Management Systems,” 2021.
5. ISO, “ISO 31000:2018 Risk Management Guidelines,” 2018.
6. COSO, “Internal Control — Integrated Framework,” 2013.
7. IIA, “The Three Lines Model,” 2020.
8. Secureframe, “130+ Compliance Statistics & Trends to Know for 2026,” 2026.
9. NAVEX, “2025 Risk & Compliance Statistics,” 2025.
10. SQ Magazine, “AI Compliance Cost Statistics 2026,” 2026.
11. Model Office, “Compliance Cost Benchmarking,” 2025.
12. ComplyAdvantage, “The Biggest AML Fines in 2025,” 2025.
13. FinTech Global, “The High Price of Non-Compliance in Financial Services,” 2025.
14. GARP, “Surging Regulatory Fines: How Risk Leaders Can Rise to the Challenge,” 2025.
15. Ethico, “How to Conduct a Compliance Risk Assessment That Actually Drives Action,” 2025.
16. NAVEX, “12 Steps to Conduct an Ethics & Compliance Risk Assessment,” 2025.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
