
What does a successful compliance risk assessment look like?
The cornerstone of an effective compliance program is a good risk assessment, and the cornerstone of a good risk assessment is a good process to assess risk – from knowing when to do an assessment and who does it, to the questions you should ask and the technology you should use.
If your compliance team has that disciplined process for risk assessments, all the other elements of your compliance program become much easier to guide forward. So today let’s begin a two-part deep dive into risk assessments, starting with three foundational questions.
- Should your compliance risk assessment be part of the company’s larger enterprise risk assessment?
- How often should you perform risk assessments?
- How do you convince others in the company that your compliance risk assessment is worthwhile?
Compliance risk assessment, or enterprise risk assessment?
The first question you need to consider is simply who does the compliance risk assessment. Should you, the compliance team, perform your own assessment devoted specifically to compliance risks? Or should your compliance risk assessment be part of a larger enterprise risk assessment that includes the many other risks a company might face (cybersecurity, financial, supply chain, and so forth), and is done by someone else? (Most likely, the internal audit or risk management team.)
There is no easy or universal answer to this question. If you perform the assessment yourself, you can focus on the regulatory and misconduct issues you believe are most important to your business; but it means more work for you, and you might encounter resistance from other parts of the business that already participated in the enterprise risk assessment. If you consolidate your compliance assessment into the enterprise risk assessment, that means less work for you and your team, but you might not get all the compliance-specific insights you want.
To evaluate the trade-offs here, compliance officers should ponder several points:
- Do you even have an internal audit or risk assessment team that could do the assessment (many businesses don’t), and does that team even want to help?
- Has your business recently suffered a significant compliance failure, or gone through an organizational change (merger, layoffs) that might have elevated your compliance risks? If so, that’s a stronger argument for you, the compliance team, doing the assessment yourselves.
- Do you have enough manpower, technology support, and respect within the business (be honest!) that you could even do the assessment on your own?
The good news is that improving technology is making the work of performing a compliance risk assessment easier to do. Still, you’ll need to think carefully about the resources you have, the enthusiasm for ethics and compliance at your business, and your company’s overall compliance risk profile.

How often should you do the compliance risk assessment?
This question is easier to answer. Ideally, you want to perform a compliance risk assessment every year and after any significant event that might change your company’s overall compliance risk profile.
Research suggests that most compliance teams do perform at least an annual risk assessment. For example, one recent survey of 130+ compliance officers found that 62 percent perform an annual risk assessment, and another 22 percent perform them once every two or three years.
The U.S. Justice Department’s guidelines for an effective compliance program don’t expressly say how often you should perform a risk assessment. They do, however, stress the importance of “periodic” updates to the assessment, and say your assessment “should account for emerging risks as internal and external circumstances impacting the company’s risk profile evolve.” Compliance officers can think about that statement in two ways.
First, if there are clear but slow-moving changes to your risk profile – say, an industry-wide increase in enforcement of tariffs; or a company-wide change in incentive compensation structure – you might plan to incorporate those new concerns into your next risk assessment. Those changes aren’t necessarily “triggering events” that might make you undertake a new risk assessment right away.
Second, however, you do still need to watch for triggering events that might warrant a fresh risk assessment: a recently closed merger that brings new employees and new IT processes to your enterprise; layoffs that thin the ranks of middle managers who provide oversight; a privacy breach that clearly means some part of your controls didn’t work as expected.
You might not even need to conduct a “full” compliance risk assessment after such an event, but you’d at least want an issue-specific assessment so that you always have a solid understanding of conduct risk at your business.
How do you convince others to participate?
This is the most important question of all. For a truly useful and effective compliance risk assessment, the rest of the enterprise must want to participate. So how do you win that battle of persuasion?
As always, start with senior management. Remind them that a good compliance risk assessment will bring your company’s most pressing compliance risks into focus. That, in turn, will allow you to allocate your program’s resources most efficiently and to strengthen the right controls in the right way.
You can also remind senior management that a good compliance risk assessment raises the awareness of ethics and compliance issues among middle management, which goes a long way to building a culture of compliance. That culture of compliance, guided by a thoughtful risk assessment, is what regulators will want to see should a violation happen sometime down the road.
Middle managers and first-line business unit leaders need to hear another message, too: compliance risks often arise across business functions, and you need their help to identify those fault lines.
For example, weak training for the sales team combined with poor documentation requirements in accounting can allow corruption risk to take root. Could you discover that on your own, by studying each business process individually? Perhaps. But if you can talk with those team leaders (ideally together, as part of a risk committee), you’re much more likely to see the true risk.
The keys to success: people and planning
Notice that so far, we’ve barely mentioned technology, questionnaires, AI, and other tools to get compliance risk assessments done. Those will all be explored in the second part of this deep dive, but those things aren’t the foundation of success. They rest on top of the foundation – which is all about careful strategic planning and building the right alliances so that people want your compliance risk assessment to succeed. That’s where you need to start, always.


