
Understanding the essentials of compliance risk assessments

“What is our problem with compliance risk assessments? Why do we struggle with them and once they are done, why don’t we use them effectively?”

Carrie Penman asked these questions in a past article for the Top 10 Trends in Risk & Compliance, and they remain as relevant today as ever. Risk assessment is one of the most crucial and foundational elements of a compliance program, yet risk assessments are often under-leveraged and, perhaps, a bit misunderstood.

In short, a risk assessment is the process of identifying, analyzing, and prioritizing potential threats that could affect your organization’s objectives. It’s the foundation of any strong compliance and governance program. 

A full understanding of how to assess risk is essential for every compliance and risk management program. Building on our overview of compliance risk types, this article takes a deeper look at how organizations can use NAVEX One to evaluate and manage key risk domains effectively. 

Once you’ve collected and categorized your risks using the NAVEX standardized Risk Types, the next step is to assess them. This will help you prioritize actions, create mitigation plans, and allocate resources effectively. NAVEX One provides a centralized platform to evaluate and monitor risk exposure across your organization.

Steps to conduct a compliance risk assessment 

Assessing risk is not a one-time task – it’s a continuous process that evolves with your organization. Here are the four key steps: 

Identify: Collect and categorize risks across functions using NAVEX standardized Risk Types 

Evaluate: Assess the likelihood and impact of each risk through centralized scoring and control mapping to understand residual risk 

Prioritize: Rank risks by significance to guide resource allocation and mitigation planning 

Monitor: Continuously track performance and emerging risks through NAVEX One dashboards and analytics 

By standardizing these steps within NAVEX One, compliance teams can align risk management with business strategy and make informed decisions faster.

How to assess risk across four key domains 

Here’s how to assess four risk domains your organization likely faces using NAVEX One capabilities. 

Human Risk 

What is human risk? 
Human risks are those stemming from employee behavior, conflicts of interest, misconduct, lack of awareness, or cultural conditions that negatively influence engagement and job satisfaction. An unhealthy culture, marked by fear of retaliation, unclear values, or inconsistent leadership behavior, can increase misconduct risk and drive disengagement, turnover, and compliance failures. 

Examples of human risk include: 

  • Exposure to employee lawsuits related to harassment, discrimination or wrongful termination 
  • High turnover causing loss of institutional knowledge and increased recruitment costs 
  • Reputational damage affecting hiring, retention, and customer trust 
  • Regulatory fines or enforcement actions stemming from conflicts of interest or noncompliance 

How to assess human risk with NAVEX One 

NAVEX One is an essential tool to track and manage human risk. Across the suite of solutions, you can objectively measure human risk and use that data to inform your mitigation activities. Consider the following ways in which NAVEX One can be used to assess human risk. 

  • Tag incidents and identify trends in NAVEX One Whistleblowing & Incident Management using Risk Types such as Retaliation or Workplace Civility to detect behavioral and cultural patterns 
  • Track completion and knowledge gaps with NAVEX One Ethics & Compliance Training, where risk-mapped content identifies trends while reducing organizational exposure 
  • Centralize and analyze conflict of interest and other disclosures with NAVEX One Disclosure Management under the Conflict of Interest risk type to monitor, remediate and uncover risk patterns 
  • Monitor policy acknowledgment and engagement using NAVEX One Policy & Procedure Management to identify awareness gaps and reinforce required procedures 
  • Leverage analytics dashboards to surface hotspots – by risk type, department, region, or role – correlating incident and survey data to assess cultural health and its impact on job satisfaction.

Operational Risk 

What is operational risk?  

This risk type refers to risk arising from internal processes, systems, or failures in daily operations. Operational disruptions – whether from system failure, process breakdowns or human error – can erode efficiency and increase compliance risk. 

Consider the following examples of operational risk: 

  • Network outage with improper disaster recovery and redundancy leads to customer downtime 
  • Operational disruptions from process breakdowns, inadequate staffing, or inconsistent adherence to policies 
  • IT system misconfigurations exposing sensitive data 

How to assess operational risk in NAVEX One 

Operational risks can be challenging to assess given the scope of what this risk type encompasses. Given the breadth of operational risk at any given organization, having a single source of truth to document the risks and assign controls is essential to conducting a thorough operational risk assessment. A few ways NAVEX One can help your organization assess operational risk include: 

  • Log issues in NAVEX One Risk & Governance and assign relevant owners 
  • Map each risk to controls and mitigation plans using control mapping 
  • Track remediation progress and set automated alerts for overdue actions

Third-Party Risk

What is third-party risk? 

Third-party risks are introduced by vendors, suppliers, contractors, or other external partners – and all businesses rely on third-party relationships. The depth and scale of how intertwined a business is with its third parties varies, but addressing this risk is essential whether you have 10 or 10,000 third-party partners. 

Some examples of third-party risks include: 

  • A supplier operating in a high-risk region for human rights violations 
  • A third-party marketing firm mishandles customer data 
  • A contractor lacks proper anti-bribery training and protocols

How to assess third-party risk in NAVEX One

The 2025 State of Risk & Compliance Benchmark Report noted that only 58% of respondents said their organization screens third parties for regulatory compliance, and 54% for cybersecurity and data protection. Third-party risk is too complex to manage in an analog way, and in fact, 60% of survey respondents indicated they use a purpose-built solution. However – that leaves 40% who are, at best, managing with home-grown solutions. 

NAVEX One helps organizations assess third-party risk with the following capabilities: 

  • Conduct due diligence using NAVEX One Third-Party Screening & Monitoring 
  • Assign risk scores based on geography, industry, and compliance history 
  • Automate onboarding workflows to enforce third-party compliance with policies 
  • Continuously monitor performance and risk profile changes, focusing on Risk Types such as Global Trade and Free and Fair Competition

Regulatory Risk 

What is regulatory risk? 

Fifty-five percent of NAVEX survey respondents rank regulatory risk as their most important compliance issue. Regulatory Risks are related to non-compliance with laws, regulations or industry standards.  

A few examples of regulatory risks include: 

  • New data privacy laws (e.g., GDPR, CCPA) requiring policy updates 
  • Missed anti-money laundering (AML) reporting deadlines 
  • Fines for non-compliance with healthcare or financial regulations 

How to assess regulatory risk in NAVEX One 

Depending on your organization’s size, industry and geography, the mix of regulatory risks to be concerned with is highly variable. A risk and compliance program that can be right-sized to meet your current needs and scaled up to meet your growth aspirations is essential to stay ahead of the regulatory risk curve. Here are a few ways NAVEX One helps you assess and manage regulatory risk: 

  • Stay current on evolving laws and regulations using Regulatory Alerts, part of NAVEX Regulatory Change Management 
  • Map regulations to the internal policies that address them, linking risks to NAVEX One Policy & Procedure Management 
  • Conduct periodic Risk Assessments to evaluate exposure and readiness 
  • Generate audit-ready reports for internal and external stakeholders 

From reactive to proactive risk management 

By unifying risk assessments through NAVEX standardized Risk Types, organizations gain a single view of risk across incidents, training, disclosures, and third-party relationships. This approach enables smarter prioritization, faster risk remediation and stronger organizational resilience.

Ready to assess risk with NAVEX One? 

Only when risks are assessed can you begin to mitigate them. NAVEX One has a full suite of risk and compliance solutions to help you do just that – assess, manage and mitigate risk across your organization. Ready to see how? 

Learn more about NAVEX One.