Compliance Risk Assessment Matrix - Texas

Company Name: [________________________________]
Assessment Period: [__/__/____] through [__/__/____]
Assessment Owner: [________________________________] (Chief Compliance Officer)
Approved By: [________________________________] (General Counsel / Audit Committee)
Document Version: [____]


TABLE OF CONTENTS

  1. Executive Summary
  2. Purpose and Objectives
  3. Scope and Applicability
  4. Regulatory Framework
  5. Methodology Overview
  6. Risk Taxonomy
  7. Scoring Rubric
  8. Roles and Responsibilities
  9. Data Sources and Inputs
  10. Texas-Specific Risk Categories
  11. Risk Assessment Matrix
  12. Heat Map and Prioritization
  13. Remediation Planning
  14. Deliverables and Outputs
  15. Review Cadence and Triggers
  16. Governance and Oversight
  17. Appendix A: Definitions
  18. Appendix B: Texas Regulatory Risk Inventory
  19. Sources and References

1. EXECUTIVE SUMMARY

This Compliance Risk Assessment Matrix ("Matrix") provides a structured framework for identifying, assessing, and prioritizing compliance risks facing [________________________________] ("Company") with respect to operations in or connected to the State of Texas. The Matrix aligns with the DOJ Evaluation of Corporate Compliance Programs, the COSO ERM Framework, and USSG 8B2.1.

Key Findings Summary:

Risk Level      | Number of Risks | Top Risk Area
Critical (Red)  | [____]          | [________________________________]
High (Orange)   | [____]          | [________________________________]
Medium (Yellow) | [____]          | [________________________________]
Low (Green)     | [____]          | [________________________________]

2. PURPOSE AND OBJECTIVES

This Matrix serves to:

  • Identify and catalog compliance risks across all business functions operating in Texas
  • Assess inherent risk levels based on likelihood and impact
  • Evaluate control effectiveness and calculate residual risk
  • Prioritize remediation by severity and velocity
  • Satisfy DOJ and USSG 8B2.1 expectations for periodic risk assessment
  • Address Texas-specific regulatory requirements including the TDPSA and DTPA
  • Inform the Board/Audit Committee of the compliance risk profile

3. SCOPE AND APPLICABILITY

☐ All business units with Texas operations or Texas-resident customers/employees
☐ Federal laws applicable to Texas operations
☐ Texas-specific statutes and regulations
☐ Third-party and vendor compliance risks
☐ Emerging risks (technology, regulatory changes, market dynamics)


4. REGULATORY FRAMEWORK

4.1 Federal Standards

  • U.S. Sentencing Guidelines 8B2.1: Periodic risk assessment; seven minimum compliance program elements.
  • DOJ Evaluation of Corporate Compliance Programs (September 2024 Update): Program design, resourcing, and effectiveness evaluation.
  • SOX Section 404 / COSO 2013: ICFR for public companies.
  • COSO ERM Framework (2017): Enterprise risk management integration with strategy.

4.2 Texas State Law

  • Texas Data Privacy and Security Act (TDPSA) (Tex. Bus. & Com. Code Ch. 541): Effective July 1, 2024. Applies to persons conducting business in Texas that process personal data of Texas consumers. Grants consumer rights: access, correction, deletion, portability, and opt-out of targeted advertising, sale, and profiling. Requires data protection assessments for high-risk processing. Small business exemption (SBA definition) except for sale of sensitive data. TX AG exclusive enforcement; 30-day cure period. Global opt-out mechanism recognition effective January 1, 2025.
  • Tex. Bus. & Com. Code 521.053 (Data Breach Notification): Requires notification to affected individuals without unreasonable delay and no later than 60 days after determining that a breach occurred. If 250 or more Texas residents are affected, the TX AG must also be notified, as soon as practicable and no later than 30 days after the breach determination (2023 amendment), using the AG's electronic reporting form. If 10,000 or more individuals are affected, consumer reporting agencies must be notified.
  • Texas Deceptive Trade Practices Act (DTPA) (Tex. Bus. & Com. Code 17.46): Prohibits false, misleading, or deceptive acts or practices in trade or commerce. Laundry list of specific prohibited acts. Private right of action for consumers with treble damages for knowing violations. TX AG enforcement authority.
  • Texas Commission on Human Rights Act (TCHRA) (Tex. Lab. Code Ch. 21): Prohibits employment discrimination based on race, color, disability, religion, sex, national origin, age, or retaliation. Administered by the Texas Workforce Commission Civil Rights Division (TWC-CRD). Compensatory damages capped by employer size: $50K (15-100 employees), $100K (101-200), $200K (201-500), $300K (501+).
  • Texas Whistleblower Act (Tex. Gov't Code Ch. 554): Protects public employees from retaliation for good-faith reporting of law violations. Private sector employees may have protections under Sabine Pilot doctrine (Texas common law prohibiting discharge for refusal to commit an illegal act).
  • Tex. Penal Code Ch. 36 (Bribery and Corrupt Influence): Criminal penalties for bribery and improper gifts to public servants.
  • Texas Ethics Commission (Tex. Gov't Code Ch. 572): Standards of conduct for state officers and employees.

5. METHODOLOGY OVERVIEW

Phase 1 -- Risk Identification: Catalog compliance obligations.
Phase 2 -- Risk Assessment: Evaluate inherent risk and control effectiveness.
Phase 3 -- Prioritization: Rank by residual score; identify trends.
Phase 4 -- Remediation Planning: Action plans for high/critical risks.

  • Full Assessment: Annually (Q1)
  • Interim Updates: Material events (Section 15)
  • Continuous Monitoring: KRIs monthly/quarterly

6. RISK TAXONOMY

Category Code | Risk Category                      | Key Texas Regulators
PRIV          | Data Privacy and Security          | TX AG
EMPL          | Employment and EEO                 | TWC-CRD
CONS          | Consumer Protection and Marketing  | TX AG (DTPA enforcement)
ACOR          | Anti-Corruption and Ethics         | TX Ethics Commission, DOJ
SANC          | Sanctions and Export Controls      | OFAC, BIS (federal)
ANTI          | Antitrust and Competition          | TX AG, DOJ
ENVR          | Environmental Compliance           | TCEQ
HLTH          | Health and Safety                  | Federal OSHA (Texas has no state OSHA plan)
FINC          | Financial Services                 | TX Dept. of Banking, TDI (Texas Dept. of Insurance)
ENRG          | Energy and Utilities               | PUCT, RRC (if applicable)
RECK          | Recordkeeping and Retention        | Various
TECH          | Technology, AI, and Emerging Risks | TX AG
TPRT          | Third-Party and Vendor Risk        | Various

7. SCORING RUBRIC

7.1 Likelihood Scale (1-5)

Score | Rating         | Description
1     | Rare           | Unlikely in next 12 months
2     | Unlikely       | Could occur but not expected
3     | Possible       | May occur; some precedent
4     | Likely         | Expected to occur; active enforcement
5     | Almost Certain | Expected multiple times; known deficiency

7.2 Impact Scale (1-5)

Score | Rating   | Financial  | Regulatory                  | Operational            | Reputational
1     | Minimal  | < $50K     | Informal guidance           | Minor disruption       | No media
2     | Minor    | $50K-$500K | Warning letter              | Moderate disruption    | Local media
3     | Moderate | $500K-$5M  | Consent order/fine          | Significant disruption | Regional media
4     | Major    | $5M-$50M   | Enforcement action          | Severe disruption      | National media
5     | Severe   | > $50M     | Criminal/license revocation | Business-threatening   | Sustained national

7.3 Control Effectiveness Scale (1-5)

Score | Rating      | Description
1     | Nonexistent | No controls
2     | Weak        | Unreliable, untested, inconsistent
3     | Basic       | Partially effective; gaps exist
4     | Strong      | Well-designed, consistent, periodically tested
5     | Mature      | Automated, continuously monitored, independently validated

7.4 Residual Risk Calculation

Inherent Risk = Likelihood x Impact (1-25)

Control Effectiveness | Adjustment
5 (Mature)            | Inherent x 0.20
4 (Strong)            | Inherent x 0.40
3 (Basic)             | Inherent x 0.60
2 (Weak)              | Inherent x 0.80
1 (Nonexistent)       | Inherent x 1.00

7.5 Risk Ratings

Residual Score | Rating   | Color  | Action
15.1 - 25.0    | Critical | Red    | Immediate remediation; Board notification
10.1 - 15.0    | High     | Orange | Remediation within 30 days
5.1 - 10.0     | Medium   | Yellow | Remediation within 90 days
0.2 - 5.0      | Low      | Green  | Monitor; annual review

Note: with the Section 7.4 multipliers the residual score ranges from 0.2 (inherent 1 with mature controls) to 25.0, so any residual score of 5.0 or below rates Low.

8. ROLES AND RESPONSIBILITIES

Role                      | Responsibilities
Chief Compliance Officer  | Owns methodology; coordinates assessment; reports to Board
General Counsel           | Legal review; regulatory obligation analysis
Domain Risk Owners        | Provide inputs; own controls; execute remediation
Internal Audit            | Independent testing and validation
Board / Audit Committee   | Review and approve; oversee remediation

9. DATA SOURCES AND INPUTS

☐ Incident reports, complaints, hotline data
☐ Regulatory examinations and enforcement actions (TX AG, TWC-CRD, TCEQ)
☐ Internal and external audit findings
☐ Product/service changes and market entries
☐ Vendor risk assessments
☐ KRIs and dashboards
☐ Loss events and litigation history
☐ Industry peer enforcement actions
☐ Texas-specific regulatory updates (TX AG enforcement, TDPSA rulemaking, Ethics Commission opinions)


10. TEXAS-SPECIFIC RISK CATEGORIES

10.1 Data Privacy and Security Risks

Risk ID    | Risk Description                                   | Key Requirements
PRIV-TX-01 | TDPSA consumer rights compliance gaps              | Tex. Bus. & Com. Code Ch. 541 -- access, correction, deletion, opt-out; 45-day response; data protection assessments
PRIV-TX-02 | TDPSA data protection assessment deficiencies      | Required for targeted advertising, sale, sensitive data, profiling; must document and maintain
PRIV-TX-03 | Data breach notification timeline non-compliance   | Tex. Bus. & Com. Code 521.053 -- individuals within 60 days; TX AG within 30 days if 250+ Texas residents; CRAs if 10,000+
PRIV-TX-04 | Global opt-out mechanism not recognized            | TDPSA 541.055(e) -- effective Jan 1, 2025; must honor universal opt-out signals
PRIV-TX-05 | Sensitive data processing without consent          | TDPSA -- opt-in consent required for sensitive data (racial/ethnic origin, religious beliefs, health diagnosis, sexuality, citizenship or immigration status, genetic or biometric data, precise geolocation, data of a known child)

10.2 Consumer Protection Risks

Risk ID    | Risk Description                           | Key Requirements
CONS-TX-01 | DTPA exposure from marketing claims        | Tex. Bus. & Com. Code 17.46 -- laundry list of prohibited acts; treble damages for knowing violations
CONS-TX-02 | Warranty and product claims deficiencies   | DTPA 17.50 -- breach of express/implied warranty actionable
CONS-TX-03 | Telemarketing compliance gaps              | Tex. Bus. & Com. Code Ch. 302; federal TSR/TCPA

10.3 Employment and EEO Risks

Risk ID    | Risk Description                                  | Key Requirements
EMPL-TX-01 | TCHRA discrimination/retaliation claims           | Tex. Lab. Code Ch. 21 -- protected classes; damages caps by employer size
EMPL-TX-02 | Workers' compensation non-compliance              | Tex. Lab. Code Ch. 406-417 -- non-subscription risk; if subscriber, DWC compliance
EMPL-TX-03 | Non-compete/non-solicitation enforcement risks    | Tex. Bus. & Com. Code 15.50 -- enforceability requirements

10.4 Anti-Corruption and Ethics Risks

Risk ID    | Risk Description                  | Key Requirements
ACOR-TX-01 | Gift to public servant violations | Tex. Penal Code 36.08-36.09 -- Class A misdemeanor
ACOR-TX-02 | Bribery exposure                  | Tex. Penal Code 36.02 -- second-degree felony

10.5 Energy and Environmental Risks (if applicable)

Risk ID    | Risk Description                        | Key Requirements
ENVR-TX-01 | TCEQ air/water permit compliance gaps   | Tex. Health & Safety Code Ch. 382; Tex. Water Code Ch. 26
ENRG-TX-01 | PUC/RRC regulatory compliance           | Tex. Util. Code; Tex. Nat. Res. Code Ch. 91

11. RISK ASSESSMENT MATRIX

Risk ID | Description | Owner | Inh. L | Inh. I | Inh. Score | Control Eff. | Residual | Rating | Trend | Regulator | Evidence/Notes | Remediation & Date | Status
PRIV-TX-01 | TDPSA consumer rights processing gaps | Privacy | 4 | 4 | 16 | 2 | 12.8 | High | Up | TX AG | Opt-out mechanism incomplete; DSR workflow not tested; privacy notice gaps | Implement opt-out; update notices by [__/__/____] | ☐ Open
PRIV-TX-02 | Data protection assessments not completed | Privacy/Legal | 3 | 4 | 12 | 2 | 9.6 | Medium | Up | TX AG | No DPAs on file for targeted advertising or sensitive data processing | Complete DPAs by [__/__/____] | ☐ Open
CONS-TX-01 | DTPA exposure from marketing claims | Mktg/Legal | 3 | 4 | 12 | 3 | 7.2 | Medium | Stable | TX AG | Claim substantiation file incomplete; no formal review process | Refresh substantiation; implement workflow by [__/__/____] | ☐ Open
EMPL-TX-01 | TCHRA discrimination complaint trends | HR | 2 | 3 | 6 | 4 | 2.4 | Low | Stable | TWC-CRD | No open complaints; policies current; training up to date | Continue monitoring | ☐ Monitored
PRIV-TX-03 | Breach notification readiness | Security | 3 | 4 | 12 | 3 | 7.2 | Medium | Stable | TX AG | IR plan exists; 60-day individual notification timeline documented; 30-day AG notification process (250+ Texas residents) needs testing | Test notification workflow by [__/__/____] | ☐ Open

Add additional rows for each identified risk.
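A scoring helper for the rubric in Sections 7.4 and 7.5 and the matrix rows in Section 11, added here as an example and not part of the original template. It computes inherent and residual scores with the rubric's multipliers, assigns the rating bands, ranks a register for the Section 12.2 top-risks list, and audits rows whose hand-entered residual score or rating no longer matches the rubric (the usual failure when a control is re-scored in a spreadsheet and the downstream cells are not). The entries in SAMPLE_ENTRIES are constructed from the Section 11 sample rows; the class, function and field names are this example's own and not from the template.

```python
"""Residual-risk scoring for a compliance risk register (Sections 7.4, 7.5, 11).

Added illustration, not part of the original template.
"""
from dataclasses import dataclass

# Section 7.4: residual = inherent x multiplier, keyed by control effectiveness
CONTROL_MULTIPLIER = {5: 0.20, 4: 0.40, 3: 0.60, 2: 0.80, 1: 1.00}

# Section 7.5 bands as (inclusive upper bound, rating, colour), checked in order.
# A residual below 1.0 (inherent 1 with mature controls gives 0.2) still rates Low.
RATING_BANDS = [
    (5.0, "Low", "Green"),
    (10.0, "Medium", "Yellow"),
    (15.0, "High", "Orange"),
    (25.0, "Critical", "Red"),
]


@dataclass(frozen=True)
class Risk:
    risk_id: str
    likelihood: int    # Section 7.1 scale, 1-5
    impact: int        # Section 7.2 scale, 1-5
    control_eff: int   # Section 7.3 scale, 1-5

    def __post_init__(self):
        # Reject out-of-scale inputs early; a 0 or 6 silently corrupts every downstream score
        for name in ("likelihood", "impact", "control_eff"):
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{self.risk_id}: {name} must be an integer 1-5, got {value!r}")


def inherent_score(risk: Risk) -> int:
    """Likelihood x Impact, range 1-25."""
    return risk.likelihood * risk.impact


def residual_score(risk: Risk) -> float:
    """Inherent score scaled by the control-effectiveness multiplier, to one decimal."""
    return round(inherent_score(risk) * CONTROL_MULTIPLIER[risk.control_eff], 1)


def rating(score: float) -> tuple:
    """Map a residual score to (rating, colour) using the Section 7.5 bands."""
    if not 0 < score <= 25:
        raise ValueError(f"residual score out of range: {score}")
    for upper, label, colour in RATING_BANDS:
        if score <= upper:
            return label, colour
    raise AssertionError("unreachable: bands cover (0, 25]")


def score_register(risks) -> list:
    """Score every risk and order rows for the Section 12.2 top-risks list."""
    rows = []
    for risk in risks:
        res = residual_score(risk)
        label, colour = rating(res)
        rows.append({"risk_id": risk.risk_id, "inherent": inherent_score(risk),
                     "residual": res, "rating": label, "colour": colour})
    # Highest residual first; ties broken by higher inherent exposure, then by ID
    rows.sort(key=lambda r: (-r["residual"], -r["inherent"], r["risk_id"]))
    return rows


def audit_register(entries) -> list:
    """Recompute each (risk, declared_residual, declared_rating) row and list mismatches.

    Returns (risk_id, field, declared, computed) tuples; an empty list means the
    hand-maintained register agrees with the rubric.
    """
    findings = []
    for risk, declared_residual, declared_rating in entries:
        computed = residual_score(risk)
        if abs(computed - declared_residual) > 0.05:
            findings.append((risk.risk_id, "residual", declared_residual, computed))
        computed_rating = rating(computed)[0]
        if computed_rating != declared_rating:
            findings.append((risk.risk_id, "rating", declared_rating, computed_rating))
    return findings


# Constructed input mirroring the Section 11 sample rows:
# (Risk(id, likelihood, impact, control_eff), declared residual, declared rating)
SAMPLE_ENTRIES = [
    (Risk("PRIV-TX-01", 4, 4, 2), 12.8, "High"),
    (Risk("PRIV-TX-02", 3, 4, 2), 9.6, "Medium"),
    (Risk("CONS-TX-01", 3, 4, 3), 7.2, "Medium"),
    (Risk("EMPL-TX-01", 2, 3, 4), 2.4, "Low"),
    (Risk("PRIV-TX-03", 3, 4, 3), 7.2, "Medium"),
]

if __name__ == "__main__":
    for row in score_register([entry[0] for entry in SAMPLE_ENTRIES]):
        print(f"{row['risk_id']:<11} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>5} {row['rating']}")
    print("audit findings:", audit_register(SAMPLE_ENTRIES))
```

Run the audit whenever a control effectiveness score changes: a row that still shows its old residual and rating is the discrepancy Internal Audit (Section 8) would otherwise find by hand.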


12. HEAT MAP AND PRIORITIZATION

12.1 Risk Heat Map

IMPACT
  5 |  5   10  [15] [20] [25]
  4 |  4    8  [12] [16] [20]
  3 |  3    6    9  [12] [15]
  2 |  2    4    6    8   10
  1 |  1    2    3    4    5
    +----------------------------
       1    2    3    4    5
                LIKELIHOOD

Cells show the inherent score (Likelihood x Impact). Bracketed cells (inherent score of 12 or above) are the priority cells for control review before the Section 7.4 adjustment is applied.

12.2 Top Risks

Rank | Risk ID | Residual Score | Rating     | Deadline
1    | [____]  | [____]         | [________] | [__/__/____]
2    | [____]  | [____]         | [________] | [__/__/____]
3    | [____]  | [____]         | [________] | [__/__/____]
4    | [____]  | [____]         | [________] | [__/__/____]
5    | [____]  | [____]         | [________] | [__/__/____]

13. REMEDIATION PLANNING

Field                  | Entry
Risk ID                | [____]
Risk Description       | [________________________________]
Current Residual Score | [____]
Remediation Action(s)  | [________________________________]
Action Owner           | [________________________________]
Target Completion Date | [__/__/____]
Target Residual Score  | [____]
Success Metrics        | [________________________________]
Status                 | ☐ Not Started ☐ In Progress ☐ Completed ☐ Deferred

14. DELIVERABLES AND OUTPUTS

☐ Completed Risk Assessment Matrix
☐ Heat map visualization
☐ Top risks list with executive summary
☐ Remediation plans for High/Critical risks
☐ Board/Audit Committee summary
☐ KRI dashboard


15. REVIEW CADENCE AND TRIGGERS

  • Annual Full Assessment: Q1
  • Quarterly KRI Reviews
  • Interim Triggers: Regulatory inquiry, data breach, new TX legislation (e.g., TDPSA amendments), M&A, control failure, peer enforcement, whistleblower report, severe weather events (DTPA price gouging provisions under Tex. Bus. & Com. Code 17.46(b)(27))

16. GOVERNANCE AND OVERSIGHT

  • Assessment Owner: Chief Compliance Officer
  • Review Authority: General Counsel and Audit Committee
  • Confidentiality: Subject to attorney-client privilege. Distribution approved by General Counsel.

APPENDIX A: DEFINITIONS

  • Inherent Risk: Risk level before controls
  • Control Effectiveness: Degree to which controls mitigate risk
  • Residual Risk: Risk after controls
  • KRI: Key Risk Indicator
  • Risk Appetite: Acceptable risk level
  • Risk Velocity: Speed of risk materialization

APPENDIX B: TEXAS REGULATORY RISK INVENTORY

Regulatory Area           | Key Statute/Regulation                              | Enforcing Agency     | Last Assessment | Risk ID(s)
Consumer Privacy          | TDPSA (Tex. Bus. & Com. Code Ch. 541)               | TX AG                | [__/__/____]    | PRIV-TX-01 to PRIV-TX-05
Data Breach               | Tex. Bus. & Com. Code 521.053                       | TX AG                | [__/__/____]    | PRIV-TX-03
Consumer Protection       | DTPA (Tex. Bus. & Com. Code 17.46)                  | TX AG                | [__/__/____]    | CONS-TX-01 to CONS-TX-03
Employment                | TCHRA (Tex. Lab. Code Ch. 21)                       | TWC-CRD              | [__/__/____]    | EMPL-TX-01
Ethics / Public Officials | Tex. Penal Code Ch. 36; Tex. Gov't Code Ch. 572     | TX Ethics Commission | [__/__/____]    | ACOR-TX-01, ACOR-TX-02
Environmental             | Tex. Health & Safety Code; Tex. Water Code          | TCEQ                 | [__/__/____]    | ENVR-TX-01
Workplace Safety          | Federal OSHA (29 U.S.C. 651 et seq.)                | Federal OSHA         | [__/__/____]    | HLTH-TX-XX

SOURCES AND REFERENCES

  • U.S. Sentencing Guidelines 8B2.1 -- https://guidelines.ussc.gov/
  • DOJ Evaluation of Corporate Compliance Programs (Sept. 2024) -- https://www.justice.gov/criminal/criminal-fraud/page/file/937501
  • COSO ERM Framework (2017) -- https://www.coso.org/erm-framework
  • Texas Data Privacy and Security Act -- https://www.texasattorneygeneral.gov/consumer-protection/file-consumer-complaint/consumer-privacy-rights/texas-data-privacy-and-security-act
  • Tex. Bus. & Com. Code 521.053 (Breach Notification)
  • Texas DTPA (Tex. Bus. & Com. Code 17.41 et seq.)
  • TCHRA (Tex. Lab. Code Ch. 21)
  • Texas Ethics Commission -- https://www.ethics.state.tx.us/
  • Tex. Penal Code Ch. 36 (Bribery)
  • Texas Whistleblower Act (Tex. Gov't Code Ch. 554)

This document is a template provided for informational purposes only and does not constitute legal advice. It must be reviewed and customized by a qualified attorney licensed in Texas before implementation.

Last updated: April 2026