Compliance Risk Assessment Matrix - Florida


COMPLIANCE RISK ASSESSMENT MATRIX -- FLORIDA

Company Name: [________________________________]
Assessment Period: [__/__/____] through [__/__/____]
Assessment Owner: [________________________________] (Chief Compliance Officer)
Approved By: [________________________________] (General Counsel / Audit Committee)
Document Version: [____]


TABLE OF CONTENTS

  1. Executive Summary
  2. Purpose and Objectives
  3. Scope and Applicability
  4. Regulatory Framework
  5. Methodology Overview
  6. Risk Taxonomy
  7. Scoring Rubric
  8. Roles and Responsibilities
  9. Data Sources and Inputs
  10. Florida-Specific Risk Categories
  11. Risk Assessment Matrix
  12. Heat Map and Prioritization
  13. Remediation Planning
  14. Deliverables and Outputs
  15. Review Cadence and Triggers
  16. Governance and Oversight
  17. Appendix A: Definitions
  18. Appendix B: Florida Regulatory Risk Inventory
  19. Sources and References

1. EXECUTIVE SUMMARY

This Compliance Risk Assessment Matrix ("Matrix") provides a structured framework for identifying, assessing, and prioritizing compliance risks facing [________________________________] ("Company") with respect to operations in or connected to the State of Florida. The Matrix aligns with the DOJ Evaluation of Corporate Compliance Programs, the COSO ERM Framework, and the U.S. Sentencing Guidelines Section 8B2.1.

Key Findings Summary (to be completed after assessment):

Risk Level Number of Risks Top Risk Area
Critical (Red) [____] [________________________________]
High (Orange) [____] [________________________________]
Medium (Yellow) [____] [________________________________]
Low (Green) [____] [________________________________]

2. PURPOSE AND OBJECTIVES

This Matrix serves to:

  • Identify and catalog compliance risks across all business functions operating in Florida
  • Assess inherent risk levels based on likelihood and impact
  • Evaluate the effectiveness of existing controls
  • Calculate residual risk after controls
  • Prioritize remediation efforts based on risk severity and velocity
  • Satisfy DOJ and USSG 8B2.1 expectations for periodic risk assessment
  • Inform the Board/Audit Committee of the compliance risk profile

3. SCOPE AND APPLICABILITY

This assessment covers:

☐ All business units, departments, and functions with Florida operations or Florida-resident customers/employees
☐ Compliance with federal laws applicable to Florida operations
☐ Compliance with Florida-specific statutes and regulations
☐ Third-party and vendor compliance risks
☐ Emerging risks (technology, regulatory changes, market dynamics)


4. REGULATORY FRAMEWORK

4.1 Federal Standards

  • U.S. Sentencing Guidelines 8B2.1: Organizations must periodically assess criminal conduct risk and design compliance programs accordingly. Seven minimum elements required.
  • DOJ Evaluation of Corporate Compliance Programs (September 2024 Update): Evaluates whether compliance programs are well-designed, adequately resourced, and work in practice.
  • Sarbanes-Oxley Act Section 404: ICFR management assessment for public companies using COSO 2013.
  • COSO ERM Framework (2017): Five components: (1) Governance and Culture; (2) Strategy and Objective-Setting; (3) Performance; (4) Review and Revision; (5) Information, Communication, and Reporting.

4.2 Florida-Specific Requirements

  • Florida Digital Bill of Rights (FDBR) (Fla. Stat. 501.701-501.721): Effective July 1, 2024. Applies to entities conducting business in Florida with global gross annual revenues exceeding $1 billion that also meet at least one business-line criterion in the statutory definition of "controller" (deriving at least half of global gross annual revenue from online advertising, operating a consumer smart speaker and voice command service with an integrated virtual assistant, or operating an app store or digital distribution platform with at least 250,000 applications). Grants consumers rights to access, correct, delete, and obtain a copy of their personal data, and to opt out of targeted advertising, sale of personal data, and certain profiling. Enforcement exclusively by the Florida Attorney General; no private right of action.
  • Florida Information Protection Act (FIPA) (Fla. Stat. 501.171): Requires covered entities to take reasonable measures to protect personal information and to notify affected individuals as expeditiously as practicable and no later than 30 days after determination of a breach (or reason to believe one occurred); up to 15 additional days are available if good cause for delay is provided in writing to the Attorney General within the 30-day window. Notice to the Department of Legal Affairs (Attorney General) is required within the same 30 days if 500 or more Floridians are affected; consumer reporting agencies must be notified if more than 1,000 individuals are affected. Third-party agents holding data for a covered entity must notify it within 10 days of discovering a breach. Failure to notify is an unfair or deceptive trade practice; civil penalties are $1,000 per day for the first 30 days and $50,000 for each subsequent 30-day period (or portion thereof) up to 180 days, capped at $500,000 per breach. No private right of action.
  • Florida Deceptive and Unfair Trade Practices Act (FDUTPA) (Fla. Stat. 501.201 et seq.): Prohibits unfair or deceptive acts in trade or commerce. AG enforcement and private right of action for actual damages.
  • Florida Civil Rights Act (Fla. Stat. 760.01 et seq.): Prohibits employment discrimination based on race, color, religion, sex, pregnancy, national origin, age, handicap, or marital status. Enforced by the Florida Commission on Human Relations (FCHR).
  • Florida Whistleblower Act: Public sector (Fla. Stat. 112.3187) and private sector (Fla. Stat. 448.102) protections.

5. METHODOLOGY OVERVIEW

5.1 Assessment Approach

Phase 1 -- Risk Identification: Catalog compliance obligations through regulatory inventories, incident data, audit findings, and stakeholder interviews.

Phase 2 -- Risk Assessment: Evaluate inherent likelihood and impact; assess control effectiveness; calculate residual risk.

Phase 3 -- Prioritization: Rank risks by residual score; identify trends; flag emerging risks.

Phase 4 -- Remediation Planning: Develop action plans for high and critical risks.

5.2 Assessment Cycle

  • Full Assessment: Annually (Q1 of each fiscal year)
  • Interim Updates: Triggered by material events (see Section 15)
  • Continuous Monitoring: KRIs tracked monthly/quarterly

6. RISK TAXONOMY

Category Code Risk Category Key Florida Regulators
PRIV Data Privacy and Security FL AG (Dept. of Legal Affairs)
EMPL Employment and EEO FCHR, FloridaCommerce (formerly FL DEO)
CONS Consumer Protection and Marketing FL AG (FDUTPA enforcement)
ACOR Anti-Corruption and Anti-Bribery DOJ, SEC, FL Commission on Ethics
SANC Sanctions and Export Controls OFAC, BIS
ANTI Antitrust and Competition FL AG, FTC, DOJ
ENVR Environmental Compliance FL DEP
HLTH Health and Safety Federal OSHA (Florida has no state OSHA plan for private employers), FL DOH
FINC Financial Crimes and Securities OFR, SEC, FINRA
INSR Insurance Regulatory FL OIR
RECK Recordkeeping and Retention Various
TECH Technology, AI, and Emerging Risks FL AG
TPRT Third-Party and Vendor Risk Various

7. SCORING RUBRIC

7.1 Likelihood Scale (1-5)

Score Rating Description
1 Rare Event unlikely to occur in next 12 months; no historical precedent
2 Unlikely Event could occur but not expected; limited precedent
3 Possible Event may occur; some historical precedent or industry trends
4 Likely Event expected to occur; recurring precedent or active enforcement
5 Almost Certain Event expected multiple times; active regulatory scrutiny or known deficiency

7.2 Impact Scale (1-5)

Score Rating Financial Impact Regulatory Impact Operational Impact Reputational Impact
1 Minimal < $50K Informal guidance Minor disruption No media attention
2 Minor $50K-$500K Warning letter Moderate disruption Local media
3 Moderate $500K-$5M Consent order / fine Significant disruption Regional/trade media
4 Major $5M-$50M Enforcement action Severe disruption National media
5 Severe > $50M Criminal prosecution / license revocation Business-threatening Sustained national coverage

7.3 Control Effectiveness Scale (1-5)

Score Rating Description
1 Nonexistent No controls in place
2 Weak Controls exist but unreliable, untested, or inconsistently applied
3 Basic Controls partially effective; gaps in design or operation
4 Strong Controls well-designed, consistently applied, periodically tested
5 Mature Controls automated, continuously monitored, independently validated

7.4 Residual Risk Calculation

Inherent Risk Score = Likelihood x Impact (range: 1-25)

Control Effectiveness Adjustment Factor
5 (Mature) Inherent Score x 0.20
4 (Strong) Inherent Score x 0.40
3 (Basic) Inherent Score x 0.60
2 (Weak) Inherent Score x 0.80
1 (Nonexistent) Inherent Score x 1.00

7.5 Risk Rating Thresholds

Residual Score Rating Color Action Required
15.1 - 25.0 Critical Red Immediate remediation; Board/Audit Committee notification
10.1 - 15.0 High Orange Remediation plan within 30 days; executive oversight
5.1 - 10.0 Medium Yellow Remediation plan within 90 days; management oversight
0.2 - 5.0 Low Green Monitor through standard processes; annual review

Note: the lowest attainable residual score is 0.2 (Likelihood 1 x Impact 1 x 0.20), and every residual score is a multiple of 0.2, so the bands above are contiguous. A score that lands exactly on a boundary (e.g., 15.0) takes the lower band.

8. ROLES AND RESPONSIBILITIES

Role Responsibilities
Chief Compliance Officer Owns methodology; coordinates assessment; aggregates results; reports to Board/Audit Committee
General Counsel Legal review; advises on regulatory obligations
Domain Risk Owners Provide risk inputs; own controls; execute remediation plans
Internal Audit Independent testing and validation; challenge function
Board / Audit Committee Reviews and approves results; oversees remediation
Business Unit Leaders Identify operational risks; implement controls
IT / Information Security Technology and cybersecurity risk assessment; maintain technical controls

9. DATA SOURCES AND INPUTS

☐ Incident reports, complaints, and hotline data
☐ Regulatory examinations, inquiries, and enforcement actions
☐ Internal and external audit findings
☐ Product/service changes and new market entries
☐ Vendor onboarding assessments and due diligence
☐ Key Risk Indicators (KRIs) and metrics dashboards
☐ Loss events and litigation history
☐ Industry peer enforcement actions
☐ Employee surveys and exit interview data
☐ Florida-specific regulatory updates (FL AG enforcement, FCHR actions, OFR bulletins)


10. FLORIDA-SPECIFIC RISK CATEGORIES

10.1 Data Privacy and Security Risks

Risk ID Risk Description Key Requirements
PRIV-FL-01 Florida Digital Bill of Rights applicability and compliance gaps Fla. Stat. 501.701-501.721 -- $1B revenue threshold; consumer rights; AG enforcement
PRIV-FL-02 FIPA breach notification timeline non-compliance Fla. Stat. 501.171 -- 30-day notification; AG notice if 500+ affected
PRIV-FL-03 Inadequate data security measures Fla. Stat. 501.171(2) -- reasonable measures to protect and secure data
PRIV-FL-04 Children's and minors' data handling deficiencies Fla. Stat. 501.1735 (protection of children in online spaces, enacted alongside the FDBR); COPPA (federal)

10.2 Consumer Protection Risks

Risk ID Risk Description Key Requirements
CONS-FL-01 FDUTPA exposure from marketing claims Fla. Stat. 501.204 -- unfair or deceptive acts in trade
CONS-FL-02 Price gouging during declared states of emergency Fla. Stat. 501.160 -- unconscionable prices for essential commodities, dwelling units, and self-storage during a declared emergency
CONS-FL-03 Telemarketing and telephone solicitation compliance gaps Fla. Stat. 501.059 (Florida Telephone Solicitation Act -- consent and calling-time rules; private right of action); Fla. Stat. 501.601-501.626 (Florida Telemarketing Act -- licensing); federal TSR and TCPA

10.3 Employment and EEO Risks

Risk ID Risk Description Key Requirements
EMPL-FL-01 Florida Civil Rights Act discrimination claims Fla. Stat. 760.01 et seq. -- protected classes; FCHR enforcement
EMPL-FL-02 Workers' compensation non-compliance Fla. Stat. ch. 440 -- mandatory coverage for non-construction employers with 4+ employees; construction employers with 1+ employee
EMPL-FL-03 E-Verify compliance (private employers) Fla. Stat. 448.095 -- mandatory E-Verify for employers with 25+ employees (effective 2023)

10.4 Insurance and Financial Risks (if applicable)

Risk ID Risk Description Key Requirements
FINC-FL-01 Office of Insurance Regulation compliance gaps Fla. Stat. 624-651 (Florida Insurance Code)
FINC-FL-02 Money services business licensing Fla. Stat. 560 (OFR licensing requirements)

11. RISK ASSESSMENT MATRIX

Risk ID Description Owner Inherent L Inherent I Inherent Score Control Eff. Residual Score Rating Trend Regulator Evidence/Testing Notes Remediation & Target Date Status
PRIV-FL-01 FL Digital Bill of Rights applicability gaps Privacy 4 4 16 2 12.8 High Up FL AG Applicability analysis incomplete; privacy notices not updated for FDBR Complete assessment; update notices by [__/__/____] ☐ Open
PRIV-FL-02 FIPA breach notification readiness gaps Security 3 4 12 3 7.2 Medium Stable FL AG IR plan exists but 30-day timeline not tested; AG notification process undocumented Test IR plan; document AG notification workflow by [__/__/____] ☐ Open
CONS-FL-01 FDUTPA exposure from marketing claims Mktg/Legal 3 4 12 3 7.2 Medium Stable FL AG Claim substantiation file incomplete for 2 product lines Refresh substantiation; approval workflow by [__/__/____] ☐ Open
EMPL-FL-01 Florida Civil Rights Act discrimination complaint trends HR 2 3 6 4 2.4 Low Stable FCHR No open complaints; policies updated; training current Continue monitoring; annual review ☐ Monitored
EMPL-FL-03 E-Verify compliance for new hires HR 3 3 9 3 5.4 Medium Down FloridaCommerce (formerly DEO); U.S. DHS/USCIS operates E-Verify E-Verify enrollment confirmed; audit found 3% of new hires not timely verified Implement automated E-Verify integration by [__/__/____] ☐ Open

Add additional rows for each identified risk.
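The scoring rubric in Section 7 (inherent score, control adjustment factor, residual bands) and the sample rows in Section 11 are easy to get wrong in a spreadsheet, where a mistyped factor or a gap between bands goes unnoticed. The following Python script is an added example, not part of the original template: it encodes the factors and thresholds exactly as Sections 7.4 and 7.5 state them, validates the 1-5 scales, reproduces the residual scores of the five Section 11 sample rows (embedded here as constructed input), ranks them for the Section 12.2 top-risks list, and checks that every possible (Likelihood, Impact, Control) combination lands in exactly one band. The class and function names are the example's own; the tie-break order for equal residual scores (higher inherent score first, then Risk ID) is an assumption the template does not specify.

```python
"""Residual-risk scoring calculator for the Matrix (Sections 7.4, 7.5, 11, 12.2)."""
from dataclasses import dataclass

# Control effectiveness adjustment factors from Section 7.4 (5 = Mature ... 1 = Nonexistent)
CONTROL_FACTOR = {5: 0.20, 4: 0.40, 3: 0.60, 2: 0.80, 1: 1.00}

# Residual-score bands from Section 7.5 as (exclusive lower bound, rating, color).
# A score exactly on a boundary (e.g. 15.0) falls into the lower band.
RATING_BANDS = (
    (15.0, "Critical", "Red"),
    (10.0, "High", "Orange"),
    (5.0, "Medium", "Yellow"),
    (0.0, "Low", "Green"),
)


def _check_scale(name: str, value: int) -> None:
    """Reject anything outside the 1-5 integer scales of Sections 7.1-7.3."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")


def rate(residual: float) -> tuple:
    """Map a residual score to its (rating, color) band."""
    for floor, rating, color in RATING_BANDS:
        if residual > floor:
            return rating, color
    raise ValueError(f"residual score out of range: {residual}")


@dataclass(frozen=True)
class ScoredRisk:
    risk_id: str
    likelihood: int  # Section 7.1
    impact: int      # Section 7.2
    control: int     # Section 7.3

    def __post_init__(self) -> None:
        _check_scale("likelihood", self.likelihood)
        _check_scale("impact", self.impact)
        _check_scale("control", self.control)

    @property
    def inherent(self) -> int:
        """Inherent Risk Score = Likelihood x Impact (1-25)."""
        return self.likelihood * self.impact

    @property
    def residual(self) -> float:
        """Inherent score times the control adjustment factor.

        Products such as 12 * 0.6 are not exact in binary floating point; every
        residual is a multiple of 0.2, so rounding to one decimal is exact.
        """
        return round(self.inherent * CONTROL_FACTOR[self.control], 1)

    @property
    def rating(self) -> str:
        return rate(self.residual)[0]


def rank(risks) -> list:
    """Order for the Section 12.2 list: highest residual first.

    Assumed tie-break (not specified by the template): higher inherent score, then Risk ID.
    """
    return sorted(risks, key=lambda r: (-r.residual, -r.inherent, r.risk_id))


def all_outcomes() -> dict:
    """Rating for every (L, I, C) combination; proves the bands leave no gaps."""
    return {
        (lk, im, ct): ScoredRisk("probe", lk, im, ct).rating
        for lk in range(1, 6) for im in range(1, 6) for ct in range(1, 6)
    }


# Constructed input: the five sample rows from Section 11 (Risk ID, L, I, Control Eff.)
SAMPLE_MATRIX = [
    ScoredRisk("PRIV-FL-01", 4, 4, 2),
    ScoredRisk("PRIV-FL-02", 3, 4, 3),
    ScoredRisk("CONS-FL-01", 3, 4, 3),
    ScoredRisk("EMPL-FL-01", 2, 3, 4),
    ScoredRisk("EMPL-FL-03", 3, 3, 3),
]

if __name__ == "__main__":
    for n, r in enumerate(rank(SAMPLE_MATRIX), start=1):
        print(f"{n} {r.risk_id:<11} inherent={r.inherent:>2} residual={r.residual:>4} {r.rating}")
```

Running the script prints the Section 12.2 ranking for the sample rows; the two 7.2 ties are separated by the assumed tie-break, which should be replaced with whatever ordering the Assessment Owner adopts (risk velocity, for instance, as defined in Appendix A).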


12. HEAT MAP AND PRIORITIZATION

12.1 Risk Heat Map

IMPACT
  5 |  5   10  [15] [20] [25]
  4 |  4    8  [12] [16] [20]
  3 |  3    6    9  [12] [15]
  2 |  2    4    6    8   10
  1 |  1    2    3    4    5
    +----------------------------
       1    2    3    4    5
                LIKELIHOOD

Cells show the inherent score (Likelihood x Impact). Bracketed cells mark inherent scores of 12 or higher. Plot each risk by its inherent Likelihood and Impact, then apply the control adjustment in Section 7.4 and the thresholds in Section 7.5 to obtain the residual rating; the heat map alone does not reflect control effectiveness.

12.2 Top Risks (Ranked by Residual Score)

Rank Risk ID Residual Score Rating Remediation Deadline
1 [____] [____] [________] [__/__/____]
2 [____] [____] [________] [__/__/____]
3 [____] [____] [________] [__/__/____]
4 [____] [____] [________] [__/__/____]
5 [____] [____] [________] [__/__/____]

13. REMEDIATION PLANNING

For each High or Critical residual risk:

Field Entry
Risk ID [____]
Risk Description [________________________________]
Current Residual Score [____]
Remediation Action(s) [________________________________]
Action Owner [________________________________]
Resources Required [________________________________]
Target Completion Date [__/__/____]
Target Residual Score After Remediation [____]
Success Metrics [________________________________]
Status ☐ Not Started ☐ In Progress ☐ Completed ☐ Deferred
Escalation Required? ☐ Yes ☐ No

14. DELIVERABLES AND OUTPUTS

☐ Completed Risk Assessment Matrix with all risks scored
☐ Heat map visualization
☐ Top risks list with executive summary
☐ Remediation plans for High and Critical risks
☐ Testing plan aligned to risk priorities
☐ Board/Audit Committee summary presentation
☐ Change log of assumptions and scoring decisions
☐ KRI dashboard for ongoing monitoring


15. REVIEW CADENCE AND TRIGGERS

15.1 Scheduled Reviews

  • Annual Full Assessment: Q1 of each fiscal year
  • Quarterly Updates: Review KRIs; update risk scores
  • Board Reporting: Semi-annual compliance risk report

15.2 Interim Update Triggers

☐ Receipt of regulatory inquiry, subpoena, or examination notice
☐ Material data breach or security incident
☐ New Florida legislation or AG enforcement guidance
☐ New product launch, market entry, or significant business change
☐ Merger, acquisition, or material corporate transaction
☐ Material control failure or audit finding
☐ Significant enforcement action against industry peer
☐ Whistleblower report or litigation raising systemic compliance concerns
☐ Hurricane or natural disaster affecting Florida operations (consider FDUTPA price gouging triggers)


16. GOVERNANCE AND OVERSIGHT

  • Assessment Owner: Chief Compliance Officer
  • Review Authority: General Counsel and Audit Committee
  • Approval: Board of Directors (or designated committee)
  • Confidentiality: Confidential; may be subject to attorney-client privilege. Distribution approved by General Counsel.

APPENDIX A: DEFINITIONS

  • Inherent Risk: Risk level before considering control effectiveness
  • Control Effectiveness: Degree to which controls mitigate the identified risk
  • Residual Risk: Risk level remaining after accounting for controls
  • Key Risk Indicator (KRI): Quantitative metric monitoring risk changes
  • Risk Appetite: Level and type of risk the organization is willing to accept
  • Risk Velocity: Speed at which a risk event could impact the organization

APPENDIX B: FLORIDA REGULATORY RISK INVENTORY

Regulatory Area Key Statute/Regulation Enforcing Agency Last Assessment Date Risk ID(s)
Consumer Privacy FL Digital Bill of Rights (Fla. Stat. 501.701-501.721) FL AG [__/__/____] PRIV-FL-01
Data Breach Notification FIPA (Fla. Stat. 501.171) FL AG [__/__/____] PRIV-FL-02
Consumer Protection FDUTPA (Fla. Stat. 501.201 et seq.) FL AG [__/__/____] CONS-FL-01
Employment Discrimination FL Civil Rights Act (Fla. Stat. 760.01 et seq.) FCHR [__/__/____] EMPL-FL-01
Immigration Verification E-Verify (Fla. Stat. 448.095) FloridaCommerce (formerly DEO) [__/__/____] EMPL-FL-03
Ethics / Public Officials Fla. Stat. 112.311 et seq. FL Commission on Ethics [__/__/____] ACOR-FL-XX
Insurance FL Insurance Code (Fla. Stat. 624-651) OIR [__/__/____] FINC-FL-01
Environmental Fla. Stat. 403 (Environmental Control) FL DEP [__/__/____] ENVR-FL-XX
Workplace Safety Federal OSH Act (29 U.S.C. 651 et seq.); Fla. Stat. ch. 442 (state occupational safety provisions) Federal OSHA (Florida has no state plan) [__/__/____] HLTH-FL-XX

SOURCES AND REFERENCES

  • U.S. Sentencing Guidelines 8B2.1 -- https://guidelines.ussc.gov/
  • DOJ Evaluation of Corporate Compliance Programs (Sept. 2024) -- https://www.justice.gov/criminal/criminal-fraud/page/file/937501
  • COSO ERM Framework (2017) -- https://www.coso.org/erm-framework
  • Florida Digital Bill of Rights (Fla. Stat. 501.701-501.721)
  • Florida Information Protection Act (Fla. Stat. 501.171)
  • Florida Deceptive and Unfair Trade Practices Act (Fla. Stat. 501.201 et seq.)
  • Florida Civil Rights Act (Fla. Stat. 760.01 et seq.)
  • Florida Commission on Ethics -- https://www.ethics.state.fl.us/
  • Florida Whistleblower Act (Fla. Stat. 112.3187; 448.102)
  • Florida Attorney General Consumer Protection -- https://www.myfloridalegal.com/

This document is a template provided for informational purposes only and does not constitute legal advice. It must be reviewed and customized by a qualified attorney licensed in Florida before implementation.


Last updated: April 2026