COMPLIANCE RISK ASSESSMENT MATRIX
[// GUIDANCE: Pair this with your testing plan and board reporting pack.]
TABLE OF CONTENTS
- Document Header
- Methodology Overview
- Risk Taxonomy
- Scoring Rubric
4.1 Likelihood
4.2 Impact
4.3 Control Strength
4.4 Residual Risk
- Roles and Responsibilities
- Data Sources and Inputs
- Deliverables and Outputs
- Review Cadence and Triggers
- Matrix Template (Sample)
- Appendix: Definitions
1. DOCUMENT HEADER
Compliance Risk Assessment Matrix for [COMPANY], effective [DATE]; owned by [COMPLIANCE OWNER].
2. METHODOLOGY OVERVIEW
- Annual baseline plus event-driven updates (new product/geo, regulator inquiry, incident, M&A).
- Evaluate inherent risk, control strength, and residual risk; prioritize remediation by severity and velocity.
3. RISK TAXONOMY
- Data privacy/security, sanctions/export, anti-corruption/anti-bribery, antitrust/competition, consumer protection/marketing, employment/EEO, product/safety, environmental, financial crimes/securities, healthcare/PHI, sector-specific rules.
- Include cross-cutting risks: third-party, AI/ML, recordkeeping, model risk (if financial), fraud/abuse.
4. SCORING RUBRIC
4.1 Likelihood (1-5)
- 1 Rare; 2 Unlikely; 3 Possible; 4 Likely; 5 Almost certain.
4.2 Impact (1-5)
- Consider regulatory, financial, operational, customer, and reputational harm.
- 1 Minimal; 2 Minor; 3 Moderate; 4 Major; 5 Severe/systemic.
4.3 Control Strength (1-5)
- 1 Nonexistent; 2 Weak/unreliable; 3 Basic/partially effective; 4 Strong/consistent; 5 Mature/automated/monitored.
4.4 Residual Risk
- Residual = function of inherent (likelihood x impact) adjusted for control strength.
- Heat map thresholds: High (red), Medium (amber), Low (green); define numeric cutoffs.
5. ROLES AND RESPONSIBILITIES
- Compliance: owns methodology, challenge function, aggregation, reporting.
- Domain owners (privacy, security, HR, finance, product): provide inputs, own controls, remediate.
- Internal Audit (if any): independent testing/validation.
- Executive/Board Committee: review/approve results and remediation plans.
6. DATA SOURCES AND INPUTS
- Incidents, complaints, hotline data; regulator exams/inquiries; audit findings; product changes; geographic expansion; vendor onboarding; KRIs; loss events; peer/regulatory enforcement actions.
7. DELIVERABLES AND OUTPUTS
- Heat map; top risks list; remediation plan with owners/dates; testing plan alignment; board/committee summary; change log of assumptions and scoring decisions.
8. REVIEW CADENCE AND TRIGGERS
- Formal update: annually.
- Interim updates: upon regulator contact, material incident/breach, new market/product, M&A, or control failure.
9. MATRIX TEMPLATE (SAMPLE)
| Risk ID | Description | Owner | Inherent Likelihood (1-5) | Inherent Impact (1-5) | Control Strength (1-5) | Residual Score | Trend | Regulator(s) | Evidence/Testing Notes | Remediation & Target Date | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|
| PRIV-01 | CPRA/CCPA data handling gaps in new product | Privacy | 4 | 4 | 2 | High | up | [CA CPPA] | Notice at collection missing; DSR workflow incomplete | Implement DSR workflow; update notices by 2025-03-31 | Open |
| EMP-02 | FEHA harassment training not completed for new hires | HR | 3 | 3 | 2 | Medium | stable | [CA CRD] | Training roster shows gaps; policy acknowledgement pending | Complete training; enforce onboarding checklist by 2025-02-15 | Open |
[// GUIDANCE: Expand rows for each risk; add scoring legend in Appendix.]
10. APPENDIX: DEFINITIONS
- Inherent Risk: risk level before controls.
- Control Strength: effectiveness of controls in place.
- Residual Risk: risk after considering controls.
- KRI: key risk indicator used to monitor risk changes.