COMPLIANCE RISK ASSESSMENT MATRIX -- CALIFORNIA

Company Name: [________________________________]
Assessment Period: [__/__/____] through [__/__/____]
Assessment Owner: [________________________________] (Chief Compliance Officer)
Approved By: [________________________________] (General Counsel / Audit Committee)
Document Version: [____]


TABLE OF CONTENTS

  1. Executive Summary
  2. Purpose and Objectives
  3. Scope and Applicability
  4. Regulatory Framework
  5. Methodology Overview
  6. Risk Taxonomy
  7. Scoring Rubric
  8. Roles and Responsibilities
  9. Data Sources and Inputs
  10. California-Specific Risk Categories
  11. Risk Assessment Matrix
  12. Heat Map and Prioritization
  13. Remediation Planning
  14. Deliverables and Outputs
  15. Review Cadence and Triggers
  16. Governance and Oversight
  17. Appendix A: Definitions
  18. Appendix B: Detailed Scoring Criteria
  19. Appendix C: California Regulatory Risk Inventory
  20. Sources and References

1. EXECUTIVE SUMMARY

This Compliance Risk Assessment Matrix ("Matrix") provides a structured framework for identifying, assessing, and prioritizing compliance risks facing [________________________________] ("Company") with respect to operations in or connected to the State of California. The Matrix aligns with the DOJ Evaluation of Corporate Compliance Programs, the COSO ERM Framework, and the U.S. Sentencing Guidelines Section 8B2.1 requirements for effective compliance and ethics programs.

Key Findings Summary (to be completed after assessment):

Risk Level      | Number of Risks | Top Risk Area
----------------+-----------------+-----------------------------------
Critical (Red)  | [____]          | [________________________________]
High (Orange)   | [____]          | [________________________________]
Medium (Yellow) | [____]          | [________________________________]
Low (Green)     | [____]          | [________________________________]

2. PURPOSE AND OBJECTIVES

This Matrix serves to:

  • Identify and catalog compliance risks across all business functions operating in California
  • Assess inherent risk levels based on likelihood and impact
  • Evaluate the effectiveness of existing controls
  • Calculate residual risk after controls
  • Prioritize remediation efforts based on risk severity and velocity
  • Satisfy regulatory expectations for periodic risk assessment under DOJ guidance and USSG 8B2.1
  • Inform the Board/Audit Committee of the compliance risk profile

3. SCOPE AND APPLICABILITY

This assessment covers:

☐ All business units, departments, and functions with California operations or California-resident customers/employees
☐ Compliance with federal laws applicable to California operations
☐ Compliance with California-specific statutes and regulations
☐ Third-party and vendor compliance risks
☐ Emerging risks (technology, regulatory changes, market dynamics)


4. REGULATORY FRAMEWORK

4.1 Federal Standards

  • U.S. Sentencing Guidelines 8B2.1: Requires organizations to periodically assess the risk of criminal conduct and take appropriate steps to design, implement, or modify compliance programs to reduce that risk. Seven minimum elements of an effective compliance program must be addressed.
  • DOJ Evaluation of Corporate Compliance Programs (September 2024 Update): Prosecutors evaluate whether the compliance program is well-designed, adequately resourced and empowered, and works in practice. Key focus areas include risk assessment, policies and procedures, training, confidential reporting, investigation, third-party management, and continuous improvement.
  • Sarbanes-Oxley Act Section 404: Requires management assessment of internal controls over financial reporting (ICFR) for public companies, using a recognized framework (typically COSO 2013).
  • COSO ERM Framework (2017): Enterprise Risk Management -- Integrating with Strategy and Performance. Five components: Governance and Culture; Strategy and Objective-Setting; Performance; Review and Revision; and Information, Communication, and Reporting.

4.2 California-Specific Requirements

  • CCPA/CPRA (Cal. Civ. Code 1798.100 et seq.): Comprehensive consumer privacy law requiring data mapping, privacy impact assessments, consumer rights responses (access, deletion, correction, opt-out), and vendor management. Enforced by the California Privacy Protection Agency (CPPA). Penalties up to $2,500 per violation; $7,500 per intentional violation or violation involving a minor.
  • Cal. Bus. & Prof. Code 17200 (UCL): Prohibits unfair, unlawful, and fraudulent business practices. Broad standing provisions; restitution and injunctive relief available.
  • FEHA (Cal. Gov. Code 12940 et seq.): Prohibits employment discrimination, harassment, and retaliation. Mandatory sexual harassment prevention training (Cal. Gov. Code 12950.1). Employers with 5+ employees must provide training within six months of hire and every two years.
  • Cal. Civ. Code 1798.82 (Data Breach Notification): Requires notification to affected individuals and, if 500+ California residents are affected, to the California Attorney General.
  • Cal. Lab. Code 1102.5: Whistleblower protections for employees reporting violations.

5. METHODOLOGY OVERVIEW

5.1 Assessment Approach

The assessment follows a four-phase approach:

Phase 1 -- Risk Identification: Catalog all compliance obligations through regulatory inventories, incident data, audit findings, and stakeholder interviews.

Phase 2 -- Risk Assessment: Evaluate each risk for inherent likelihood and impact; assess control effectiveness; calculate residual risk.

Phase 3 -- Prioritization: Rank risks by residual score; identify trends; flag emerging risks.

Phase 4 -- Remediation Planning: Develop action plans for high and critical risks with owners, deadlines, and success metrics.

5.2 Assessment Cycle

  • Full Assessment: Annually (Q1 of each fiscal year)
  • Interim Updates: Triggered by material events (see Section 15)
  • Continuous Monitoring: Key Risk Indicators (KRIs) tracked monthly/quarterly

6. RISK TAXONOMY

6.1 Primary Risk Categories

Category Code | Risk Category                     | Key California Regulators
--------------+-----------------------------------+-------------------------------
PRIV          | Data Privacy and Security         | CPPA, CA Attorney General
EMPL          | Employment and EEO                | CRD (formerly DFEH), DLSE
CONS          | Consumer Protection and Marketing | CA Attorney General, FTC
ACOR          | Anti-Corruption and Anti-Bribery  | DOJ, SEC, FPPC
SANC          | Sanctions and Export Controls     | OFAC, BIS
ANTI          | Antitrust and Competition         | CA Attorney General, FTC, DOJ
ENVR          | Environmental Compliance          | CalEPA, CARB, SWRCB
HLTH          | Health and Safety                 | Cal/OSHA, CDPH
FINC          | Financial Crimes and Securities   | SEC, FINRA, DBO
RECK          | Recordkeeping and Retention       | Various
TECH          | Technology, AI, and Emerging Risks| CPPA, FTC
TPRT          | Third-Party and Vendor Risk       | Various

6.2 Cross-Cutting Risks

☐ Supply chain and third-party compliance
☐ AI/ML governance and automated decision-making (Cal. Civ. Code 1798.185(a)(16))
☐ Recordkeeping and document retention
☐ Model risk (for financial institutions)
☐ Fraud and abuse
☐ ESG and sustainability compliance


7. SCORING RUBRIC

7.1 Likelihood Scale (1-5)

Score | Rating         | Description
------+----------------+--------------------------------------------------------------------------------------------
1     | Rare           | Event unlikely to occur in the next 12 months; no historical precedent
2     | Unlikely       | Event could occur but not expected; limited historical precedent
3     | Possible       | Event may occur; some historical precedent or industry trends
4     | Likely         | Event is expected to occur; recurring historical precedent or active enforcement trends
5     | Almost Certain | Event is expected to occur multiple times; active regulatory scrutiny or known deficiency

7.2 Impact Scale (1-5)

Score | Rating   | Financial Impact | Regulatory Impact                         | Operational Impact     | Reputational Impact
------+----------+------------------+-------------------------------------------+------------------------+-------------------------------------------
1     | Minimal  | < $50K           | Informal guidance                         | Minor disruption       | No media attention
2     | Minor    | $50K-$500K       | Warning letter / MRA                      | Moderate disruption    | Local media
3     | Moderate | $500K-$5M        | Consent order / fine                      | Significant disruption | Regional/trade media
4     | Major    | $5M-$50M         | Enforcement action / material fine        | Severe disruption      | National media
5     | Severe   | > $50M           | Criminal prosecution / license revocation | Business-threatening   | Sustained national/international coverage

7.3 Control Effectiveness Scale (1-5)

Score | Rating      | Description
------+-------------+-------------------------------------------------------------------------------
1     | Nonexistent | No controls in place
2     | Weak        | Controls exist but are unreliable, untested, or inconsistently applied
3     | Basic       | Controls are partially effective; gaps exist in design or operation
4     | Strong      | Controls are well-designed, consistently applied, and periodically tested
5     | Mature      | Controls are automated, continuously monitored, and independently validated

7.4 Residual Risk Calculation

Inherent Risk Score = Likelihood x Impact (range: 1-25)

Residual Risk Score = Inherent Risk Score adjusted by Control Effectiveness:

Control Effectiveness | Adjustment Factor
----------------------+------------------------
5 (Mature)            | Inherent Score x 0.20
4 (Strong)            | Inherent Score x 0.40
3 (Basic)             | Inherent Score x 0.60
2 (Weak)              | Inherent Score x 0.80
1 (Nonexistent)       | Inherent Score x 1.00

7.5 Risk Rating Thresholds

Residual Score | Rating   | Color  | Action Required
---------------+----------+--------+------------------------------------------------------------------
15.1 - 25.0    | Critical | Red    | Immediate remediation; Board/Audit Committee notification
10.1 - 15.0    | High     | Orange | Remediation plan within 30 days; executive oversight
5.1 - 10.0     | Medium   | Yellow | Remediation plan within 90 days; management oversight
1.0 - 5.0      | Low      | Green  | Monitor through standard processes; annual review

8. ROLES AND RESPONSIBILITIES

Role                                                          | Responsibilities
--------------------------------------------------------------+-----------------------------------------------------------------------------------------------
Chief Compliance Officer                                      | Owns methodology; coordinates assessment; aggregates results; reports to Board/Audit Committee
General Counsel                                               | Legal review of risk assessments; advises on regulatory obligations
Domain Risk Owners (Privacy, HR, Security, Finance, Marketing) | Provide risk inputs; own controls; execute remediation plans
Internal Audit                                                | Independent testing and validation of controls; challenge function
Board / Audit Committee                                       | Reviews and approves risk assessment results; oversees remediation
Business Unit Leaders                                         | Identify operational risks; implement controls within business units
IT / Information Security                                     | Assess technology and cybersecurity risks; maintain technical controls

9. DATA SOURCES AND INPUTS

☐ Incident reports, complaints, and hotline data
☐ Regulatory examinations, inquiries, and enforcement actions
☐ Internal and external audit findings
☐ Product/service changes and new market entries
☐ Vendor onboarding assessments and due diligence reports
☐ Key Risk Indicators (KRIs) and metrics dashboards
☐ Loss events and litigation history
☐ Industry peer enforcement actions and regulatory trends
☐ Employee surveys and exit interview data
☐ California-specific regulatory updates (CPPA rulemaking, CRD guidance, AG enforcement)


10. CALIFORNIA-SPECIFIC RISK CATEGORIES

10.1 CCPA/CPRA Compliance Risks

Risk ID    | Risk Description                                | Key Requirements
-----------+-------------------------------------------------+------------------------------------------------------------------------------------------------------------------
PRIV-CA-01 | Incomplete data mapping and inventory           | Cal. Civ. Code 1798.100(d) -- must know what personal information is collected and for what purpose
PRIV-CA-02 | Inadequate notice at collection                 | Cal. Civ. Code 1798.100(a) -- notice required at or before collection
PRIV-CA-03 | Consumer rights request (DSR) processing gaps   | Cal. Civ. Code 1798.105-1798.125 -- 45-day response deadline
PRIV-CA-04 | Vendor/service provider contract deficiencies   | Cal. Civ. Code 1798.100(d) -- contractual requirements for service providers
PRIV-CA-05 | Sensitive personal information handling         | Cal. Civ. Code 1798.121 -- right to limit use of sensitive PI
PRIV-CA-06 | Data security safeguards insufficient           | Cal. Civ. Code 1798.150 -- private right of action for data breaches resulting from failure to maintain reasonable security

10.2 Employment and EEO Risks (California-Specific)

Risk ID    | Risk Description                 | Key Requirements
-----------+----------------------------------+--------------------------------------------------------------------
EMPL-CA-01 | FEHA harassment training gaps    | Cal. Gov. Code 12950.1 -- training within 6 months; every 2 years
EMPL-CA-02 | Wage and hour non-compliance     | Cal. Lab. Code 510, 1194 -- overtime, meal/rest periods
EMPL-CA-03 | Worker classification errors     | Cal. Lab. Code 2775 (ABC test per Dynamex/AB 5)
EMPL-CA-04 | Pay transparency non-compliance  | Cal. Lab. Code 432.3 (SB 1162) -- pay scale disclosure
EMPL-CA-05 | Leave law violations             | CFRA (Cal. Gov. Code 12945.2), Cal. Lab. Code 233 (kin care)

10.3 Consumer Protection Risks

Risk ID    | Risk Description                             | Key Requirements
-----------+----------------------------------------------+------------------------------------------------------------------------------
CONS-CA-01 | UCL (17200) exposure from business practices | Cal. Bus. & Prof. Code 17200 -- unfair, unlawful, fraudulent
CONS-CA-02 | False advertising                            | Cal. Bus. & Prof. Code 17500 -- untrue or misleading statements
CONS-CA-03 | Automatic renewal compliance                 | Cal. Bus. & Prof. Code 17600 et seq. (ARL) -- clear disclosure and consent

11. RISK ASSESSMENT MATRIX

11.1 Sample Assessment Entries

Risk ID | Description | Owner | Inherent L | Inherent I | Inherent Score | Control Eff. | Residual Score | Residual Rating | Trend | Primary Regulator | Evidence/Testing Notes | Remediation & Target Date | Status
--------+-------------+-------+------------+------------+----------------+--------------+----------------+-----------------+-------+-------------------+------------------------+---------------------------+-------
PRIV-CA-01 | CCPA/CPRA data mapping incomplete for new product line | Privacy | 4 | 4 | 16 | 2 | 12.8 | High | Up | CPPA | Data inventory missing 3 product categories; vendor records incomplete | Complete data mapping; update ROPA by [__/__/____] | ☐ Open
PRIV-CA-06 | Data breach risk -- security safeguards below reasonable standard | Security | 4 | 5 | 20 | 3 | 12.0 | High | Stable | CA AG | Encryption gaps in legacy systems; access reviews overdue | Implement encryption; complete access reviews by [__/__/____] | ☐ Open
EMPL-CA-01 | FEHA harassment training not completed for recent hires | HR | 3 | 3 | 9 | 2 | 7.2 | Medium | Up | CRD | Training roster shows 15% gap in new hire completions | Enforce onboarding checklist; audit monthly by [__/__/____] | ☐ Open
EMPL-CA-03 | Worker misclassification risk (ABC test) | HR/Legal | 3 | 4 | 12 | 3 | 7.2 | Medium | Stable | DLSE | 12 contractor positions not evaluated under ABC test | Complete classification audit by [__/__/____] | ☐ Open
CONS-CA-01 | UCL exposure from marketing claims | Marketing/Legal | 3 | 4 | 12 | 3 | 7.2 | Medium | Stable | CA AG | Claim substantiation file incomplete for 2 product lines | Refresh substantiation; implement approval workflow by [__/__/____] | ☐ Open
CONS-CA-03 | Auto-renewal law non-compliance | Marketing | 2 | 3 | 6 | 4 | 2.4 | Low | Stable | CA AG | Recent audit confirmed compliance; minor UI improvements recommended | Implement UI changes by [__/__/____] | ☐ Open

Add additional rows for each identified risk. Expand to cover all risk categories in Section 6.


12. HEAT MAP AND PRIORITIZATION

12.1 Risk Heat Map

IMPACT
  5 |  5   10  [15] [20] [25]
  4 |  4    8  [12] [16] [20]
  3 |  3    6    9  [12] [15]
  2 |  2    4    6    8   10
  1 |  1    2    3    4    5
    +----------------------------
       1    2    3    4    5
                LIKELIHOOD

[  ] = Critical/High risk zone requiring immediate attention

12.2 Top Risks (Ranked by Residual Score)

Rank | Risk ID | Residual Score | Rating     | Remediation Deadline
-----+---------+----------------+------------+----------------------
1    | [____]  | [____]         | [________] | [__/__/____]
2    | [____]  | [____]         | [________] | [__/__/____]
3    | [____]  | [____]         | [________] | [__/__/____]
4    | [____]  | [____]         | [________] | [__/__/____]
5    | [____]  | [____]         | [________] | [__/__/____]

13. REMEDIATION PLANNING

For each High or Critical residual risk, complete the following:

Field                                   | Entry
----------------------------------------+-----------------------------------------------------------
Risk ID                                 | [____]
Risk Description                        | [________________________________]
Current Residual Score                  | [____]
Remediation Action(s)                   | [________________________________]
Action Owner                            | [________________________________]
Resources Required                      | [________________________________]
Target Completion Date                  | [__/__/____]
Target Residual Score After Remediation | [____]
Success Metrics                         | [________________________________]
Status                                  | ☐ Not Started  ☐ In Progress  ☐ Completed  ☐ Deferred
Escalation Required?                    | ☐ Yes  ☐ No

14. DELIVERABLES AND OUTPUTS

☐ Completed Risk Assessment Matrix with all identified risks scored
☐ Heat map visualization
☐ Top risks list with executive summary
☐ Remediation plans for High and Critical risks with owners and deadlines
☐ Testing plan aligned to risk priorities
☐ Board/Audit Committee summary presentation
☐ Change log documenting assumptions and scoring decisions
☐ KRI dashboard for ongoing monitoring


15. REVIEW CADENCE AND TRIGGERS

15.1 Scheduled Reviews

  • Annual Full Assessment: Q1 of each fiscal year
  • Quarterly Updates: Review KRIs and update risk scores as needed
  • Board Reporting: Semi-annual compliance risk report to Audit Committee

15.2 Interim Update Triggers

☐ Receipt of regulatory inquiry, subpoena, or examination notice
☐ Material data breach or security incident
☐ New California legislation or CPPA rulemaking affecting the Company
☐ New product launch, market entry, or significant business change
☐ Merger, acquisition, or material corporate transaction
☐ Material control failure or audit finding
☐ Significant enforcement action against industry peer
☐ Whistleblower report or litigation filing raising systemic compliance concerns


16. GOVERNANCE AND OVERSIGHT

  • Assessment Owner: Chief Compliance Officer
  • Review Authority: General Counsel and Audit Committee
  • Approval: Board of Directors (or designated committee)
  • Distribution: Executive Leadership Team, Audit Committee, relevant domain owners
  • Confidentiality: This document is confidential and may be subject to attorney-client privilege and work product protection. Distribution must be approved by General Counsel.

APPENDIX A: DEFINITIONS

  • Inherent Risk: The level of risk before considering the effectiveness of any controls
  • Control Effectiveness: The degree to which controls mitigate the identified risk
  • Residual Risk: The level of risk remaining after accounting for control effectiveness
  • Key Risk Indicator (KRI): A quantitative metric used to monitor changes in risk levels over time
  • Risk Appetite: The level and type of risk the organization is willing to accept in pursuit of its objectives
  • Risk Velocity: The speed at which a risk event could impact the organization once it materializes

APPENDIX B: DETAILED SCORING CRITERIA

(Expand the scoring criteria in Section 7 with industry-specific examples and calibration guidance for each risk category.)

Risk Category     | Likelihood Calibration Example                                                              | Impact Calibration Example
------------------+---------------------------------------------------------------------------------------------+------------------------------------------------------------------------------
PRIV (Privacy)    | L=4 if CPPA has issued guidance specifically applicable to Company's processing activities  | I=5 if breach could affect >500K CA residents with private right of action
EMPL (Employment) | L=3 if industry sector has elevated CRD/DLSE enforcement activity                           | I=4 if class-action exposure exceeds $5M
CONS (Consumer)   | L=3 if Company has received AG inquiry in past 24 months                                    | I=4 if potential UCL restitution exceeds $5M

APPENDIX C: CALIFORNIA REGULATORY RISK INVENTORY

Regulatory Area           | Key Statute/Regulation                      | Enforcing Agency | Last Assessment Date | Risk ID(s)
--------------------------+---------------------------------------------+------------------+----------------------+--------------------------------
Consumer Privacy          | CCPA/CPRA (Cal. Civ. Code 1798.100 et seq.) | CPPA, CA AG      | [__/__/____]         | PRIV-CA-01 through PRIV-CA-06
Employment Discrimination | FEHA (Cal. Gov. Code 12940 et seq.)         | CRD              | [__/__/____]         | EMPL-CA-01
Wage and Hour             | Cal. Lab. Code 510, 1194, 226               | DLSE             | [__/__/____]         | EMPL-CA-02
Worker Classification     | Cal. Lab. Code 2775 (ABC Test)              | DLSE, EDD        | [__/__/____]         | EMPL-CA-03
Pay Transparency          | Cal. Lab. Code 432.3 (SB 1162)              | CRD              | [__/__/____]         | EMPL-CA-04
Unfair Competition        | Cal. Bus. & Prof. Code 17200                | CA AG            | [__/__/____]         | CONS-CA-01
Data Breach Notification  | Cal. Civ. Code 1798.82                      | CA AG            | [__/__/____]         | PRIV-CA-06
Environmental             | Various (CalEPA, CARB)                      | CalEPA, CARB     | [__/__/____]         | ENVR-CA-XX
Workplace Safety          | Cal/OSHA (Cal. Lab. Code 6300 et seq.)      | Cal/OSHA         | [__/__/____]         | HLTH-CA-XX

SOURCES AND REFERENCES

  • U.S. Sentencing Guidelines 8B2.1 -- https://guidelines.ussc.gov/
  • DOJ Evaluation of Corporate Compliance Programs (Sept. 2024) -- https://www.justice.gov/criminal/criminal-fraud/page/file/937501
  • COSO Internal Control Framework (2013) -- https://www.coso.org/
  • COSO ERM Framework (2017) -- https://www.coso.org/erm-framework
  • Sarbanes-Oxley Act Section 404, 15 U.S.C. 7262
  • CCPA/CPRA, Cal. Civ. Code 1798.100 et seq.
  • California Privacy Protection Agency -- https://cppa.ca.gov/
  • Cal. Bus. & Prof. Code 17200 (Unfair Competition Law)
  • FEHA, Cal. Gov. Code 12940 et seq.
  • Cal. Lab. Code 1102.5 (Whistleblower Protections)
  • Cal. Civ. Code 1798.82 (Data Breach Notification)

This document is a template provided for informational purposes only and does not constitute legal advice. It must be reviewed and customized by a qualified attorney licensed in California before implementation.

Last updated: April 2026