
COMPLIANCE RISK ASSESSMENT MATRIX


TABLE OF CONTENTS

  1. Document Control
  2. Executive Summary
  3. Purpose and Scope
  4. Regulatory and Standards Framework
  5. Methodology
  6. Risk Taxonomy and Categories
  7. Likelihood Scoring Rubric
  8. Impact Scoring Rubric
  9. Control Effectiveness Assessment
  10. Residual Risk Calculation and Heat Map
  11. Risk Appetite and Tolerance Statement
  12. Roles and Responsibilities
  13. Data Sources and Inputs
  14. Compliance Risk Register (Matrix)
  15. Remediation and Action Planning
  16. Reporting Deliverables
  17. Review Cadence and Triggers
  18. Definitions
  19. Practice Tips
  20. Sources and References

1. DOCUMENT CONTROL

Field Details
Organization [________________________________]
Document Owner [________________________________]
Title [________________________________]
Effective Date [__/__/____]
Version [____]
Last Review Date [__/__/____]
Next Review Date [__/__/____]
Approved By [________________________________]
Board / Committee Approval Date [__/__/____]

Revision History

Version Date Author Summary of Changes
[____] [__/__/____] [________________________________] [________________________________]
[____] [__/__/____] [________________________________] [________________________________]
[____] [__/__/____] [________________________________] [________________________________]

2. EXECUTIVE SUMMARY

This Compliance Risk Assessment Matrix provides a structured, repeatable methodology for identifying, evaluating, and prioritizing compliance risks across the organization. It is designed to align with the COSO Enterprise Risk Management Framework (2017), ISO 31000:2018 risk management principles, and the DOJ's Evaluation of Corporate Compliance Programs (September 2024 update). The assessment evaluates inherent risk, control effectiveness, and residual risk to produce a prioritized risk register that informs resource allocation, remediation planning, and board reporting.

Summary of Findings (to be completed):

Category High Risks Medium Risks Low Risks Total
[________________________________] [____] [____] [____] [____]
[________________________________] [____] [____] [____] [____]
Total [____] [____] [____] [____]

3. PURPOSE AND SCOPE

3.1 Purpose

This document serves as the organization's primary tool for:

  • Systematically identifying compliance risks across all business units, geographies, and regulatory domains
  • Evaluating the likelihood and potential impact of each identified risk
  • Assessing the effectiveness of existing controls
  • Calculating residual risk after considering control effectiveness
  • Prioritizing risks for remediation and resource allocation
  • Supporting the organization's obligations under SOX Sections 302 and 404 (for public companies) to maintain effective internal controls
  • Demonstrating the existence of an effective compliance program as evaluated under the DOJ Evaluation of Corporate Compliance Programs (September 2024)
  • Informing board and audit committee oversight of compliance risk

3.2 Scope

☐ All business units and operating divisions
☐ All geographic jurisdictions in which the organization operates
☐ All regulatory domains applicable to the organization
☐ Third-party relationships (vendors, suppliers, agents, intermediaries)
☐ Emerging risks (AI/ML, cryptocurrency, ESG, supply chain)
☐ Other: [________________________________]

Out of Scope (specify any exclusions): [________________________________]


4. REGULATORY AND STANDARDS FRAMEWORK

This risk assessment methodology is informed by the following regulatory requirements and industry frameworks:

4.1 Sarbanes-Oxley Act (SOX) — Sections 302 and 404

Section 302 requires the CEO and CFO of public companies to certify that: (i) the report contains no material misstatements or omissions; (ii) financial statements are accurate in all material respects; (iii) internal controls are properly designed; and (iv) certifying officers have disclosed to the audit committee and auditors all significant deficiencies in internal controls and any fraud involving management or employees with a significant role in internal controls.

Section 404 requires management to assess and report on the effectiveness of internal controls over financial reporting. The company's independent auditor must attest to and report on management's assessment. This compliance risk assessment supports the broader internal controls environment by identifying compliance risks that could give rise to financial misstatement.

Practice Tip (SOX): The SEC has clarified that internal control over financial reporting includes controls over compliance with laws and regulations that could have a material effect on financial statements. FCPA violations, environmental liabilities, and employment claims are common examples of compliance risks with financial reporting implications. Ensure your compliance risk assessment feeds into the SOX 404 scoping process.

4.2 COSO Enterprise Risk Management Framework (2017)

The 2017 COSO ERM Framework, "Enterprise Risk Management — Integrating with Strategy and Performance," organizes ERM around five interrelated components:

  1. Governance and Culture — Board oversight, operating structure, core values, human capital, talent competencies
  2. Strategy and Objective-Setting — Business context analysis, risk appetite definition, strategic planning integration
  3. Performance — Risk identification, risk severity assessment, risk prioritization, risk response implementation
  4. Review and Revision — Substantial change assessment, risk and performance review, pursuit of ERM improvement
  5. Information, Communication, and Reporting — Information systems, risk communication, enterprise risk reporting

This risk assessment template is designed to align with Components 3 (Performance) and 4 (Review and Revision).

4.3 ISO 31000:2018 — Risk Management Guidelines

ISO 31000:2018 provides principles and a generic framework for managing risk. Key principles reflected in this template include:

  • Risk management should be integrated into all organizational activities
  • Risk management should be structured and comprehensive
  • Risk management should be customized to the organization
  • Risk management should be inclusive (involving stakeholders)
  • Risk management should be dynamic (responsive to change)
  • Risk management should use the best available information
  • Risk management should be continually improved

4.4 NIST Cybersecurity Framework 2.0 (February 2024)

NIST CSF 2.0 is organized around six functions: Govern, Identify, Protect, Detect, Respond, and Recover. The Govern function (new in version 2.0) emphasizes cybersecurity governance, leadership accountability, and risk management strategy. Organizations should integrate cybersecurity risk into this compliance risk assessment to ensure a holistic view.

4.5 DOJ Evaluation of Corporate Compliance Programs (September 2024)

The DOJ's Criminal Division updated its Evaluation of Corporate Compliance Programs in September 2024. Prosecutors evaluate three fundamental questions:

  1. Is the compliance program well designed? — Risk assessment, policies and procedures, training, reporting mechanisms, third-party management
  2. Is the program being applied earnestly and in good faith? — Commitment by senior and middle management, autonomy and resources, incentives and disciplinary measures
  3. Does the compliance program work in practice? — Continuous improvement, investigation response, analysis of misconduct and remediation

The September 2024 update added significant focus on AI and emerging technology risk management, whistleblower protections, and data analytics in compliance.

Practice Tip (DOJ): The DOJ evaluates whether companies conduct regular, risk-based compliance assessments. A company with an effective compliance program — including a documented risk assessment — is more likely to receive a favorable resolution in an enforcement action, including reduced monetary penalties and less burdensome compliance obligations.

4.6 FCPA and Anti-Bribery Risk Factors

The FCPA prohibits corrupt payments to foreign officials (anti-bribery provisions, 15 U.S.C. 78dd-1 et seq.) and requires issuers to maintain accurate books and records and sufficient internal controls (accounting provisions, 15 U.S.C. 78m). Key risk factors for FCPA compliance risk assessment include:

  • Countries of operation (Transparency International CPI score)
  • Use of third-party intermediaries, agents, consultants, and joint venture partners
  • Government-facing transactions (permits, licenses, customs)
  • Industry sector (extractives, defense, healthcare, infrastructure)
  • Gift, travel, and entertainment practices
  • Charitable contributions and political donations
  • M&A due diligence (successor liability)
  • Volume and complexity of transactions

5. METHODOLOGY

5.1 Assessment Approach

This assessment follows a four-step methodology:

Step 1: Risk Identification. Identify all compliance risks through a combination of regulatory mapping, interviews with business owners, review of historical incidents and enforcement actions, and horizon scanning.

Step 2: Inherent Risk Scoring. Evaluate each risk on two dimensions — Likelihood and Impact — without considering existing controls. Inherent Risk = Likelihood x Impact.

Step 3: Control Effectiveness Assessment. Evaluate the design and operating effectiveness of controls mitigating each risk on a 1-5 scale.

Step 4: Residual Risk Determination. Apply control effectiveness to inherent risk to determine residual risk. Residual Risk = Inherent Risk adjusted for Control Effectiveness.

5.2 Risk Velocity

In addition to likelihood and impact, this assessment optionally evaluates risk velocity — the speed at which a risk event would affect the organization:

Velocity Rating Description Example
1 — Slow Impact unfolds over months to years Gradual regulatory change
2 — Moderate Impact unfolds over weeks to months Enforcement investigation ramp-up
3 — Fast Impact unfolds within days to weeks Data breach, whistleblower report
4 — Immediate Impact is instantaneous or near-instantaneous Sanctions violation, arrest, public disclosure

6. RISK TAXONOMY AND CATEGORIES

Organize identified risks under the following categories (customize as appropriate):

6.1 Core Compliance Risk Categories

Category Description Key Regulations
Anti-Corruption / Anti-Bribery FCPA, UK Bribery Act, local anti-corruption laws 15 U.S.C. 78dd-1; Bribery Act 2010
Sanctions / Export Controls OFAC, EAR, ITAR restrictions 50 U.S.C. 4801; 31 CFR 500-599; 15 CFR 730-774
Antitrust / Competition Price fixing, market allocation, bid rigging Sherman Act (15 U.S.C. 1-7); Clayton Act
Data Privacy / Cybersecurity GDPR, CCPA/CPRA, state privacy laws, NIST GDPR; Cal. Civ. Code 1798.100; various state laws
Financial Crimes / AML Money laundering, fraud, BSA/AML BSA (31 U.S.C. 5311); USA PATRIOT Act
Securities / Financial Reporting Insider trading, disclosure, SOX 15 U.S.C. 78j(b); SOX 302/404
Employment / Labor EEO, wage/hour, workplace safety, immigration Title VII; FLSA; OSHA; IRCA
Environmental EPA regulations, state environmental law CAA; CWA; RCRA; CERCLA
Healthcare / PHI HIPAA, Stark, Anti-Kickback 42 U.S.C. 1320a-7b; 45 CFR 160-164
Consumer Protection / Marketing FTC Act, CAN-SPAM, TCPA, advertising 15 U.S.C. 45; 47 U.S.C. 227
Product Safety / Liability CPSC regulations, product recall 15 U.S.C. 2051
Tax Federal, state, international tax compliance IRC; FATCA; OECD BEPS

6.2 Cross-Cutting Risk Categories

Category Description
Third-Party / Supply Chain Risks arising from vendors, agents, intermediaries, subcontractors
AI / Machine Learning / Emerging Technology Algorithmic bias, autonomous systems, deepfakes, generative AI
ESG / Sustainability Greenwashing, climate disclosure, human rights in supply chain
Recordkeeping / Document Retention Litigation holds, retention schedules, destruction policies
Fraud / Abuse Internal fraud, procurement fraud, expense reimbursement abuse
Conflicts of Interest Related-party transactions, outside activities, financial interests
Whistleblower / Retaliation Reports of misconduct, investigation integrity, anti-retaliation

7. LIKELIHOOD SCORING RUBRIC

Score Rating Description Quantitative Guidance (probability within the assessment period)
1 Rare Event is unlikely to occur within the assessment period Less than 5%
2 Unlikely Event could occur but is not expected 5% to less than 20%
3 Possible Event may occur during the assessment period 20% to less than 50%
4 Likely Event is expected to occur during the assessment period 50% to 80%
5 Almost Certain Event is expected to occur, possibly more than once, during the assessment period More than 80%

Factors to consider when assessing likelihood:

  • Historical frequency of similar events (internal and external)
  • Regulatory enforcement trends and announced priorities
  • Industry peer enforcement actions
  • Complexity and volume of relevant transactions
  • Geographic exposure (high-risk jurisdictions)
  • Maturity of applicable compliance controls
  • Findings from internal audit or testing
  • Complaints, hotline reports, or whistleblower activity

8. IMPACT SCORING RUBRIC

Score Rating Financial Impact Regulatory Impact Operational Impact Reputational Impact
1 Minimal Less than $[____] Informal inquiry; no finding No disruption No media coverage
2 Minor $[____] to $[____] Formal inquiry; minor finding Minor disruption; resolved quickly Limited media coverage
3 Moderate $[____] to $[____] Consent order; moderate fine Moderate disruption; workaround required Regional media coverage
4 Major $[____] to $[____] Significant enforcement; material fine Major disruption; business unit affected National media; analyst concern
5 Severe Greater than $[____] Criminal prosecution; debarment; systemic failure Business continuity event; sustained disruption Sustained global coverage; material value destruction

Practice Tip: Customize the dollar thresholds in the impact rubric to reflect your organization's size, revenue, and risk appetite. A $1 million fine is "moderate" for a Fortune 500 company but "severe" for a small or mid-market firm.


9. CONTROL EFFECTIVENESS ASSESSMENT

9.1 Control Strength Scoring

Score Rating Description
1 Nonexistent No controls in place; risk is unmanaged
2 Weak Controls exist but are informal, inconsistent, or unreliable; significant gaps
3 Basic Controls are documented and partially effective; periodic testing; known gaps
4 Strong Controls are well-designed, consistently applied, regularly tested; minor gaps
5 Mature Controls are automated where feasible, continuously monitored, independently validated; embedded in culture

9.2 Control Assessment Dimensions

For each risk, assess controls across the following dimensions:

Dimension Assessment Questions
Design Are policies and procedures documented? Are they aligned with applicable law and regulation?
Implementation Are controls operating as designed? Is there evidence of consistent application?
Testing Are controls tested periodically (by compliance, internal audit, or external parties)? When was the last test?
Monitoring Are key risk indicators (KRIs) tracked? Is there real-time or near-real-time monitoring?
Remediation When deficiencies are identified, are they remediated promptly? Is there a tracking mechanism?
Training Is training provided to relevant personnel? Is it role-based for higher-risk positions? Is completion tracked?
Tone at the Top Does leadership demonstrate commitment to compliance? Are resources adequate?

10. RESIDUAL RISK CALCULATION AND HEAT MAP

10.1 Residual Risk Formula

Inherent Risk Score = Likelihood (1-5) x Impact (1-5) = Range 1-25

Residual Risk = Inherent Risk Score adjusted by Control Effectiveness:

Control Effectiveness Risk Reduction Factor
5 — Mature Reduce inherent risk by 70-80%
4 — Strong Reduce inherent risk by 50-60%
3 — Basic Reduce inherent risk by 30-40%
2 — Weak Reduce inherent risk by 10-20%
1 — Nonexistent No reduction (residual = inherent)

Because each band is a range, two assessors can reach different residual scores for the same risk. Record, for every risk, the exact percentage applied within the band and the rounding convention used to bring the adjusted score back to a whole number, and apply both consistently across the register so that year-over-year comparisons reflect changes in risk rather than changes in arithmetic.

10.2 Heat Map Thresholds

Residual Risk Score Risk Level Color Action Required
16-25 Critical Red Immediate escalation to senior management / board; remediation plan within 30 days
10-15 High Orange Senior management attention; remediation plan within 60 days
5-9 Medium Yellow Management monitoring; remediation plan within 90 days
1-4 Low Green Routine monitoring; no immediate action required

10.3 Visual Heat Map

              IMPACT
           1    2    3    4    5
        +----+----+----+----+----+
    5   | M  | H  | H  | C  | C  |
L   4   | L  | M  | H  | C  | C  |
I   3   | L  | M  | M  | H  | H  |
K   2   | L  | L  | M  | M  | H  |
E   1   | L  | L  | L  | L  | M  |
        +----+----+----+----+----+

L = Low | M = Medium | H = High | C = Critical

Each cell is the product Likelihood x Impact placed in the bands of 10.2 (1-4 Low, 5-9 Medium, 10-15 High, 16-25 Critical), so the map as drawn shows inherent risk. Plot the register twice, once on inherent scores and once on residual scores after the control adjustment in 10.1; the distance a risk moves between the two plots is exactly the reliance being placed on controls, which is why those controls should be backed by the testing evidence recorded in section 9.
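As an added worked example (not part of the template), the four-step method of section 5 and the arithmetic of 10.1 through 10.3 carried through in Python against a small register. Two conventions are assumed because the page leaves them open: the reduction is taken at the midpoint of the control band unless the assessor records a specific percentage inside that band, and fractional residual scores are rounded up so a control never moves a risk into a lower band than the arithmetic supports. The register rows are constructed sample data; only the risk IDs echo section 14.

```python
"""Worked residual-risk scoring for the method in sections 5 and 10.

Added example, not part of the original template. Assumptions beyond the
page: reduction ranges are applied at their midpoint unless the assessor
supplies a percentage inside the range, and fractional residual scores are
rounded UP. The register rows at the bottom are constructed sample data.
"""
from typing import Dict, List, Optional

# Section 10.1: risk reduction by control effectiveness score, in whole percent
REDUCTION_RANGE = {
    1: (0, 0),     # Nonexistent: residual = inherent
    2: (10, 20),   # Weak
    3: (30, 40),   # Basic
    4: (50, 60),   # Strong
    5: (70, 80),   # Mature
}

# Section 10.2: residual score bands (floor, level, remediation plan due in days)
BANDS = (
    (16, "Critical", 30),
    (10, "High", 60),
    (5, "Medium", 90),
    (1, "Low", None),
)


def _check_scale(name: str, value: int) -> None:
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer 1-5, got {value!r}")


def inherent_score(likelihood: int, impact: int) -> int:
    """Step 2: Likelihood x Impact, range 1-25."""
    _check_scale("likelihood", likelihood)
    _check_scale("impact", impact)
    return likelihood * impact


def reduction_percent(control: int, pct: Optional[int] = None) -> int:
    """Step 3: reduction for a control score; midpoint of the band if none given."""
    _check_scale("control", control)
    lo, hi = REDUCTION_RANGE[control]
    if pct is None:
        return (lo + hi) // 2          # assumption: midpoint of the page's range
    if not lo <= pct <= hi:
        raise ValueError(f"{pct}% is outside the {lo}-{hi}% band for control {control}")
    return pct


def residual_score(inherent: int, control: int, pct: Optional[int] = None) -> int:
    """Step 4: inherent reduced by the control, rounded up, kept within 1-25."""
    keep = 100 - reduction_percent(control, pct)
    # integer ceiling division: no float error nudging 9.0 up into the High band
    return max(1, -(-(inherent * keep) // 100))


def risk_level(score: int) -> str:
    """Section 10.2: map a 1-25 score to its band."""
    if not 1 <= score <= 25:
        raise ValueError(f"score must be 1-25, got {score}")
    for floor, level, _ in BANDS:
        if score >= floor:
            return level
    raise AssertionError("unreachable: floor 1 always matches")


def plan_due_days(level: str) -> Optional[int]:
    return next(days for _, name, days in BANDS if name == level)


def assess_register(rows: List[Dict]) -> List[Dict]:
    """Score every row and return the register highest residual first."""
    out = []
    for r in rows:
        inh = inherent_score(r["likelihood"], r["impact"])
        res = residual_score(inh, r["control"], r.get("reduction_pct"))
        lvl = risk_level(res)
        out.append({**r, "inherent": inh, "residual": res, "level": lvl,
                    "plan_due_days": plan_due_days(lvl)})
    return sorted(out, key=lambda x: (-x["residual"], x["risk_id"]))


def inherent_heat_map() -> Dict[tuple, str]:
    """Section 10.3 grid: band of each (likelihood, impact) cell before controls."""
    return {(lk, im): risk_level(inherent_score(lk, im))
            for lk in range(1, 6) for im in range(1, 6)}


# Constructed sample rows; scores are illustrative only
SAMPLE_REGISTER = [
    {"risk_id": "CR-001", "likelihood": 4, "impact": 5, "control": 3},
    {"risk_id": "CR-002", "likelihood": 3, "impact": 3, "control": 4},
    {"risk_id": "CR-003", "likelihood": 2, "impact": 5, "control": 5, "reduction_pct": 80},
]

if __name__ == "__main__":
    for row in assess_register(SAMPLE_REGISTER):
        print(f"{row['risk_id']}: inherent {row['inherent']:>2} -> residual "
              f"{row['residual']:>2} ({row['level']}, plan due in {row['plan_due_days']} days)")
```

The reduction is done in integer percent with ceiling division rather than floating-point multiplication; with floats, a score such as 20 reduced by 55% evaluates to 9.000000000000002 and a naive ceiling would push it from Medium into High. The heat-map helper regenerates the 10.3 grid from the 10.2 bands, which is a cheap consistency check whenever the drawn map and the threshold table are maintained in separate places.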

11. RISK APPETITE AND TOLERANCE STATEMENT

11.1 Risk Appetite

Risk appetite is the amount of risk the organization is willing to accept in pursuit of its strategic objectives. The Board of Directors / governing body has established the following risk appetite for compliance risk:

Conservative — Organization seeks to minimize compliance risk; zero tolerance for material violations
Moderate — Organization accepts a moderate level of compliance risk with strong controls
Aggressive — Organization accepts elevated compliance risk in pursuit of growth (not recommended for regulated entities)

11.2 Risk Tolerance Thresholds

Risk Category Maximum Acceptable Residual Risk Level Escalation Threshold
Anti-Corruption / Anti-Bribery ☐ Low ☐ Medium [________________________________]
Sanctions / Export Controls ☐ Low ☐ Medium [________________________________]
Data Privacy / Cybersecurity ☐ Low ☐ Medium [________________________________]
Financial Crimes / AML ☐ Low ☐ Medium [________________________________]
Securities / Financial Reporting ☐ Low ☐ Medium [________________________________]
Employment / Labor ☐ Low ☐ Medium [________________________________]
Environmental ☐ Low ☐ Medium [________________________________]
Healthcare / PHI ☐ Low ☐ Medium [________________________________]
Other: [________________________________] ☐ Low ☐ Medium [________________________________]

12. ROLES AND RESPONSIBILITIES

Role Responsibilities
Chief Compliance Officer (CCO) Owns methodology; leads risk assessment; aggregates results; reports to board/committee
General Counsel Legal interpretation; regulatory mapping; enforcement trend analysis
Domain Risk Owners (Privacy, HR, Finance, Security, Operations) Provide risk inputs; own controls; implement remediation; participate in interviews
Internal Audit Independent testing and validation of controls; assess risk assessment methodology
Business Unit Leaders Identify emerging risks; participate in risk interviews; support remediation
Board / Audit Committee Review and approve risk assessment results; set risk appetite; oversee remediation
Ethics / Hotline Administrator Provide complaint and investigation data; report trends
External Counsel / Advisors Regulatory horizon scanning; enforcement benchmarking

13. DATA SOURCES AND INPUTS

The following data sources should inform the risk assessment:

☐ Incidents, near-misses, and loss events
☐ Ethics hotline and complaint data (volume, categories, trends)
☐ Internal and external audit findings
☐ Regulatory examinations, inquiries, and correspondence
☐ Enforcement actions against the organization
☐ Enforcement actions against industry peers
☐ Product, geographic, and business line changes
☐ M&A activity and integration status
☐ Third-party due diligence results
☐ Key risk indicator (KRI) dashboards
☐ Employee survey results (culture, speak-up)
☐ Training completion rates and assessment scores
☐ Policy exception and waiver logs
☐ Litigation and claims data
☐ Regulatory change tracking (new laws, proposed rules)
☐ Industry benchmarking reports
☐ DOJ and SEC enforcement priorities and speeches
☐ AI and emerging technology deployment inventory


14. COMPLIANCE RISK REGISTER (MATRIX)

14.1 Risk Register Template

Risk ID Risk Category Risk Description Applicable Law / Regulation Business Unit / Geography Likelihood (1-5) Impact (1-5) Inherent Risk Score Control Strength (1-5) Residual Risk Score Residual Risk Level Risk Velocity Trend Owner Evidence / Testing Notes Remediation & Target Date Status
CR-001 Anti-Corruption Third-party agent payments in high-risk jurisdiction without adequate due diligence FCPA 15 U.S.C. 78dd-1 International Operations [____] [____] [____] [____] [____] [____] [____] ☐↑ ☐→ ☐↓ [________________________________] [________________________________] [________________________________] ☐ Open ☐ In Progress ☐ Closed
CR-002 Data Privacy Inadequate consumer consent mechanisms for CCPA/CPRA opt-out rights Cal. Civ. Code 1798.120 US Consumer [____] [____] [____] [____] [____] [____] [____] ☐↑ ☐→ ☐↓ [________________________________] [________________________________] [________________________________] ☐ Open ☐ In Progress ☐ Closed
CR-003 Sanctions Incomplete screening of new counterparties against OFAC SDN list 31 CFR 501 Global [____] [____] [____] [____] [____] [____] [____] ☐↑ ☐→ ☐↓ [________________________________] [________________________________] [________________________________] ☐ Open ☐ In Progress ☐ Closed
CR-004 Employment Misclassification of independent contractors FLSA; IRS 20-factor test; state laws US [____] [____] [____] [____] [____] [____] [____] ☐↑ ☐→ ☐↓ [________________________________] [________________________________] [________________________________] ☐ Open ☐ In Progress ☐ Closed
CR-005 Financial Reporting Material weakness in internal controls over financial reporting SOX 404; 15 U.S.C. 7262 Corporate [____] [____] [____] [____] [____] [____] [____] ☐↑ ☐→ ☐↓ [________________________________] [________________________________] [________________________________] ☐ Open ☐ In Progress ☐ Closed
CR-006 AI / Emerging Tech Algorithmic bias in automated hiring or credit decisions EEOC guidance; FTC Act; state AI laws Technology / HR [____] [____] [____] [____] [____] [____] [____] ☐↑ ☐→ ☐↓ [________________________________] [________________________________] [________________________________] ☐ Open ☐ In Progress ☐ Closed
CR-007 [________________________________] [________________________________] [________________________________] [________________________________] [____] [____] [____] [____] [____] [____] [____] ☐↑ ☐→ ☐↓ [________________________________] [________________________________] [________________________________] ☐ Open ☐ In Progress ☐ Closed
CR-008 [________________________________] [________________________________] [________________________________] [________________________________] [____] [____] [____] [____] [____] [____] [____] ☐↑ ☐→ ☐↓ [________________________________] [________________________________] [________________________________] ☐ Open ☐ In Progress ☐ Closed
CR-009 [________________________________] [________________________________] [________________________________] [________________________________] [____] [____] [____] [____] [____] [____] [____] ☐↑ ☐→ ☐↓ [________________________________] [________________________________] [________________________________] ☐ Open ☐ In Progress ☐ Closed
CR-010 [________________________________] [________________________________] [________________________________] [________________________________] [____] [____] [____] [____] [____] [____] [____] ☐↑ ☐→ ☐↓ [________________________________] [________________________________] [________________________________] ☐ Open ☐ In Progress ☐ Closed

15. REMEDIATION AND ACTION PLANNING

15.1 Remediation Priority Framework

Priority Criteria Expected Response Time
P1 — Critical Residual risk is Critical; potential for imminent regulatory action, criminal liability, or material financial loss Remediation plan within 30 days; implementation within 90 days
P2 — High Residual risk is High; control gaps require prompt attention Remediation plan within 60 days; implementation within 180 days
P3 — Medium Residual risk is Medium; improvement opportunities exist Remediation plan within 90 days; implementation within 1 year
P4 — Low Residual risk is Low; monitor and maintain Address during next scheduled review cycle

15.2 Remediation Action Tracker

Action ID Related Risk ID Action Description Priority Owner Start Date Target Completion Actual Completion Status Notes
[________________________________] [________________________________] [________________________________] ☐ P1 ☐ P2 ☐ P3 ☐ P4 [________________________________] [__/__/____] [__/__/____] [__/__/____] ☐ Not Started ☐ In Progress ☐ Complete ☐ Overdue [________________________________]
[________________________________] [________________________________] [________________________________] ☐ P1 ☐ P2 ☐ P3 ☐ P4 [________________________________] [__/__/____] [__/__/____] [__/__/____] ☐ Not Started ☐ In Progress ☐ Complete ☐ Overdue [________________________________]
[________________________________] [________________________________] [________________________________] ☐ P1 ☐ P2 ☐ P3 ☐ P4 [________________________________] [__/__/____] [__/__/____] [__/__/____] ☐ Not Started ☐ In Progress ☐ Complete ☐ Overdue [________________________________]
[________________________________] [________________________________] [________________________________] ☐ P1 ☐ P2 ☐ P3 ☐ P4 [________________________________] [__/__/____] [__/__/____] [__/__/____] ☐ Not Started ☐ In Progress ☐ Complete ☐ Overdue [________________________________]
[________________________________] [________________________________] [________________________________] ☐ P1 ☐ P2 ☐ P3 ☐ P4 [________________________________] [__/__/____] [__/__/____] [__/__/____] ☐ Not Started ☐ In Progress ☐ Complete ☐ Overdue [________________________________]

16. REPORTING DELIVERABLES

The following deliverables should be produced from this risk assessment:

16.1 Board / Audit Committee Report

☐ Executive summary of top risks
☐ Heat map (visual)
☐ Year-over-year trend analysis
☐ Remediation status update
☐ Changes in risk appetite or tolerance
☐ Emerging risks and horizon scan

16.2 Management Report

☐ Full risk register with scoring
☐ Detailed remediation tracker with owners and deadlines
☐ KRI dashboard
☐ Control testing results
☐ Resource requests and budget implications

16.3 Regulatory and Examiner Materials

☐ Risk assessment methodology documentation
☐ Evidence of annual review and board approval
☐ Remediation evidence for prior-period findings
☐ Training completion and testing results


17. REVIEW CADENCE AND TRIGGERS

17.1 Scheduled Reviews

Review Type Frequency Next Scheduled
Full risk assessment Annual [__/__/____]
Risk register update Semi-annual [__/__/____]
KRI review Quarterly [__/__/____]
Board reporting Quarterly or semi-annual [__/__/____]

17.2 Event-Driven Triggers

The risk assessment must be updated upon:

☐ Regulatory inquiry, examination, or enforcement action
☐ Material incident, data breach, or compliance failure
☐ New market, product, or geographic entry
☐ M&A activity (acquisition, divestiture, joint venture)
☐ Significant control failure or audit finding
☐ Material change in applicable law or regulation
☐ Organizational restructuring
☐ DOJ or SEC enforcement action against industry peer
☐ Whistleblower complaint involving systemic compliance issue
☐ Significant third-party risk event


18. DEFINITIONS

Term Definition
Inherent Risk The level of risk before considering the effectiveness of existing controls
Residual Risk The level of risk remaining after considering the effectiveness of existing controls
Control Effectiveness The degree to which existing controls reduce the likelihood or impact of a risk event
Risk Appetite The amount and type of risk the organization is willing to accept in pursuit of its objectives
Risk Tolerance The acceptable variation in performance relative to the achievement of objectives
Key Risk Indicator (KRI) A quantifiable metric used to monitor changes in risk levels over time
Risk Velocity The speed at which a risk event would affect the organization once it materializes
Heat Map A visual representation of risk scores, typically using color coding to indicate severity
COSO Committee of Sponsoring Organizations of the Treadway Commission
ERM Enterprise Risk Management
Material Weakness A deficiency, or combination of deficiencies, in internal control over financial reporting such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis
Significant Deficiency A deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit the attention of those responsible for oversight

19. PRACTICE TIPS

For Solo Practitioners and Small Law Firms Advising Clients:

  1. Start with what matters most. Not every client needs a 200-row risk register. Focus on the top 10-15 compliance risks based on the client's industry, size, geography, and regulatory profile. Expand as the program matures.

  2. Use enforcement actions as a teaching tool. When explaining risk ratings to boards or management, cite recent enforcement actions in the client's industry. Concrete examples of fines, monitorship terms, and debarment consequences are more persuasive than abstract likelihood scores.

  3. Align with the DOJ framework. If a client could face DOJ prosecution (and most companies could, for FCPA, antitrust, fraud, or other federal offenses), structure the risk assessment to address the three questions in the DOJ's Evaluation of Corporate Compliance Programs. This document becomes Exhibit A in any future negotiation.

  4. Document your methodology. The DOJ and SEC do not prescribe a single methodology, but they expect consistency and defensibility. Document why you scored each risk the way you did, what data you considered, and who participated.

  5. Connect compliance risk to financial risk. For public company clients, ensure compliance risks with potential financial reporting impact are communicated to the SOX 404 assessment team. An FCPA liability, environmental cleanup obligation, or employment class action can be material.

  6. Track trends over time. A single-year snapshot is useful; a multi-year trend analysis is far more powerful. Show the board how risks are increasing, decreasing, or remaining stable — and why.

  7. Address AI risk. The DOJ's September 2024 update specifically asks whether companies assess risks associated with AI and emerging technology. If your client uses AI in operations, compliance, or customer-facing applications, it should appear in the risk register.

  8. Ensure the assessment is not static. The DOJ evaluates whether compliance programs evolve. An identical risk assessment submitted year after year, with no changes, suggests the program is paper-only.


20. SOURCES AND REFERENCES


This template is designed for compliance officers, general counsel, and risk management professionals. It should be customized to reflect the organization's specific industry, regulatory environment, size, and risk profile. The methodology and scoring should be reviewed and approved by senior management and the board before initial deployment.

About This Template

Compliance documents are what regulated businesses use to prove they follow the rules that apply to their industry, whether that is privacy, anti-money-laundering, consumer protection, or sector-specific requirements. Regulators look for consistent policies, up-to-date records, and clear evidence of employee training. The cost of getting compliance paperwork right is almost always smaller than the cost of an enforcement action, fine, or public disclosure.

Important Notice

This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.

Last updated: April 2026