Skip to content.

Secondary navigation

Get Your Demo
Definitive Guide

12 Steps to Conduct an Ethics & Compliance Risk Assessment

A more effective ethics and compliance assessment starts with a better process. This guide gives you a 12-step framework and template to uncover your true risk profile, and build a program that drives meaningful change.

This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply to the reCAPTCHA services. You can learn more about how NAVEX processes your personal data by reviewing the NAVEX privacy statement.

Available in

Make your ethics and compliance risk assessment count with our helpful 12-step guide

Follow best practices

You’ll get a step-by-step ethics and compliance assessment template, from planning to implementation

Identify real risk

Uncover the specific ethics and compliance risks you face

Build a stronger program

Use your findings to create more effective mitigation plans

Two women sit together at a table in a bright office, looking at documents and smiling. Behind them is a wall with colorful sticky notes and a chart. Plants and large windows are in the background.

Why it’s important to conduct compliance risk assessments

A risk assessment that sits on a shelf is a risk in itself. This guide provides the structure to build a better risk, ethics and compliance assessment so you can uncover critical risks and create a clear path forward. 

You’ll learn how to: 

  1. Secure the leadership buy-in needed for a successful compliance and risk assessment 
  2. Choose the right risk management framework and methodology 
  3. Use different data collection methods to get a complete picture 
  4. Rate inherent risk and evaluate your existing controls 
  5. Develop a realistic action plan that prioritizes high-risk areas
Get your guide
Two women in business attire smiling and looking at a laptop screen in a modern office setting, appearing to collaborate on a project.

Planning makes perfect: 6 key steps before you begin your ethics and compliance risk assessment

A high-quality E&C risk assessment requires careful planning. Steps 1-6 actually happen before you even begin the assessment itself – ensuring you have the steps and resources to succeed before you cover the critical components.  

Our guide provides a detailed approach to help you get your assessment done right the first time, every time.  

  1. Get leadership buy-in 
  2. Establish the process 
  3. Secure resources 
  4. Build a framework and methodology 
  5. Establish your risk appetite 
  6. Identify opportunities for automation
Get your guide
Close-up of a curved surface covered with a geometric pattern of interwoven red, orange, and black rectangles, creating an abstract, visually dynamic effect.

How to conduct your ethics and compliance risk assessment – a templated approach

With clearly defined roles and a strong planning framework, you’re ready to begin your risk assessment. Steps 7-12 in this guide cover tools and templates to help you identify, assess and manage the risks your organization faces.  

  • Collect the data 
  • Identify risk factors and risk 
  • Rate inherent risk 
  • Identify, map and rate mitigating controls 
  • Calculate residual risk 
  • Develop your action plan
Get your guide

More ethics, risk and compliance assessment resources for you to explore

Frequently asked questions about ethics and compliance risk assessments

  • What is an ethics and compliance risk assessment?

    An E&C risk assessment can help you understand where unethical or illegal conduct might occur within the organization. It is key to developing your organization’s risk profile. It identifies: 

    • Ethics, compliance, and reputational risks your organization may face given its industry and geography 
    • Risks related to your employee population 
    • Your current and planned mitigation strategies to reduce risk to a level deemed 
    • acceptable by your organization

  • How do you define ethics and compliance risk?

    Ethics and compliance risk is defined as a threat to an organization’s operational, legal, financial, or reputational standing that results from: 

    • Failure to comply with applicable laws, regulations and internal standards of ethical conduct 
    • Unlawful or unethical behavior of those working for or on behalf of the organization, which results in legal and reputational damage to the organization, themselves or others

  • What does an ethics and compliance risk assessment cover?

    An ethics and compliance risk assessment is one part of a larger, integrated risk management (IRM) process and can be conducted along with other risk assessments. A classic definition of risk management considers risks in relation to their potential negative impact on an organization’s ability to achieve its strategic objectives. 

    For example, while offering a bribe to win a contract may support the strategic objective of generating revenue, it can also lead to severe fines, prosecution and reputational damage. Therefore, an effective E&C risk assessment looks beyond immediate consequences to account for long-term financial and reputational impact. 

    A well-informed ethics and compliance risk assessment looks at: 

    • The organization’s business model 
    • The geographic location of its operations 
    • The industry sector and the competitiveness of the market
    • The regulatory landscape 
    • Clients and customers 
    • Products and services 
    • Supply chain and third parties 
    • Transactions and projects 
    • The ways in which risks may manifest themselves

  • What types of risk can this guide help me manage?

    The approach outlined in this guide can be applied to any form of compliance, ethics, and conduct risk, such as data privacy, bribery and corruption, conflict of interest, financial integrity and fraud, and modern slavery.

  • Why are ethics and compliance risk assessments important?

    Here are three reasons ethics and compliance risk assessments are important for a well-managed E&C program:  

    • Risk assessments help you understand your organization’s risk profile 
    • Risk assessments help you meet regulatory expectations 
    • Risk assessments provide a strong foundation for your ethics and compliance program

  • What’s the difference between risk assessment and due diligence?

    While risk assessment and due diligence are often used in relation to each other, they are different terms.  

    Due diligence is a detailed examination of a third party and its financial records, conducted before becoming involved in a business arrangement with it. In this context, a risk assessment will generally inform the extent of due diligence efforts at various points in a third-party relationship or transaction. 

    While there is no “one-size-fits-all” risk assessment, the exercise should generally consist of a holistic, top-to-bottom review of the organization and its touchpoints to the outside world.

  • What are the 12 steps to a successful ethics and compliance risk assessment?

    A successful ethics and compliance risk assessment includes 12 steps in two phases: planning and implementation. They are:  

    1. Get leadership buy-in 
    2. Establish the process 
    3. Secure resources 
    4. Build a framework and methodology 
    5. Establish your risk appetite 
    6. Identify opportunities for automation 
    7. Collect the data 
    8. Identify risk factors and risk 
    9. Rate inherent risk 
    10. Identify, map and rate mitigating controls 
    11. Calculate residual risk 
    12. Develop your action plan

  • How often should you complete an ethics and compliance risk assessment?

    Ethics and compliance risk assessments should be completed at least annually, though for high-risk industries this might be biannually or even quarterly dependent on regulatory requirements.  

    In addition, all organizations should prioritize a new ethics and compliance risk assessment whenever new vendors, procedures or equipment are introduced that have an impact on existing workflows, processes and operations – or more generally if there are any significant changes to how the business operates. A fresh corporate risk assessment ensures you can account for and track any emerging new risks out of these changes.

Take control of your risk landscape. Uncover your true risk profile and build a program that drives meaningful change.

Get your guide

See more on similar topics: