Introduction
Most boards receive compliance risk assessments they cannot act on. Dense documents, risk score matrices, regulatory citations in technical shorthand — and no clear answer to the question that actually matters: what does the board need to decide today?
That gap is expensive. When leadership cannot read the assessment, residual risks go unaddressed, resources get distributed on instinct, and regulators notice.
The OCC fined TD Bank $450 million in 2024 for BSA/AML compliance program deficiencies. Citibank absorbed a $75 million penalty the same year for failing to maintain processes that monitor ongoing compliance. Both cases trace back to the same root cause: governance structures that couldn't surface the right information to the people responsible for acting on it.
This post addresses three things: what a compliance risk assessment actually is and why boards need to own it, how to structure one step by step, and how to write an executive summary that supports real decisions rather than gathering dust.
TL;DR
- A compliance risk assessment maps where your organization is exposed to regulatory, legal, or policy violations — and the severity of each.
- Every assessment turns on three concepts: inherent risk, control effectiveness, and residual risk.
- A board-ready executive summary requires five elements: risk posture, top risks, control gaps, prioritized actions with owners, and escalation flags.
- Most assessments fail because they're one-time events with no remediation ownership and no format a board can use.
- Every finding needs a named owner, a deadline, and a verifiable outcome — not just a rating.
What Is a Compliance Risk Assessment and Why Should Leadership Care?
A compliance risk assessment is a structured process for identifying where an organization is exposed to violations of applicable laws, regulations, industry standards, or internal policies, and evaluating how likely those violations are and how much damage they would cause. Unlike a general enterprise risk assessment, the scope is specifically regulatory and policy obligations.
Why Boards Cannot Delegate This Away
The DOJ's September 2024 Evaluation of Corporate Compliance Programs makes the board's stake concrete: prosecutors explicitly evaluate compliance program quality when determining whether to bring charges, what form a resolution takes, the size of any monetary penalty, and what compliance obligations attach to a criminal resolution. The DOJ's core question is whether the program is "adequately resourced and empowered to function effectively."
That standard creates a real distinction in outcomes. A board that received thorough, decision-ready compliance reporting is in a fundamentally different position from one that received a 60-page technical document it couldn't act on.
Beyond enforcement exposure, the strategic case is straightforward:
- Shows exactly where compliance spending should go — instead of spreading budgets across low-risk areas
- Surfaces which business units carry disproportionate risk, something that rarely appears in routine reporting
- Identifies documented controls that employees don't follow in practice
NACD's Director Essentials: Ethics and Compliance Oversight puts it plainly: boards can be held liable if they fail to ensure that adequate compliance reporting systems are in place, or if they ignore those systems once established. The question for leadership is not whether to oversee compliance, but whether current reporting actually gives them what they need to act.
Inherent Risk, Controls, and Residual Risk: The Three Pillars
These three concepts appear in nearly every compliance framework. Getting them right matters because they determine what actually surfaces in board reporting.
Inherent Risk
The OCC defines inherent risk as "the risk that an activity would pose if no controls or mitigating factors were in place." Think of it as the starting exposure before your organization does anything about it.
Factors that drive inherent risk include:
- Regulatory complexity and rate of change in your industry
- Product and transaction volume
- Third-party vendor relationships
- Geographic jurisdictions you operate in
- Maturity of the relevant business line
A new product launched in a regulated area carries higher inherent risk than a well-established process that's been audited repeatedly.
Control Effectiveness
Controls — policies, procedures, monitoring systems, oversight mechanisms — exist to reduce either the likelihood or impact of non-compliance. The critical nuance: a control that exists on paper but isn't followed provides no actual risk reduction.
Control adequacy also varies by scale:
- Smaller organizations typically rely on experienced personnel and direct oversight
- Larger organizations need formal documented controls, multi-layered monitoring, and independent testing
Residual Risk
The OCC defines residual risk as "the level of risk after controls are taken into account." This is the number that drives board decisions.
If residual risk exceeds the organization's defined risk appetite, one of two things must happen: controls must improve, or inherent risk must come down.
The goal of every executive summary is to communicate residual risk clearly. Raw inherent scores alone are not decision-useful.

How to Conduct a Compliance Risk Assessment: A Step-by-Step Framework
Step 1 — Define Scope and Regulatory Universe
Before collecting any data, document what's in scope. Catalog applicable laws, regulations, industry standards, and internal policies. Consider:
- Geographic jurisdictions and multi-state or international obligations
- Industry-specific requirements (financial services, healthcare, retail)
- Data privacy obligations
- Third-party and vendor relationships
The DOJ expects organizations to understand their risk profile across locations, industry sector, regulatory landscape, clients, and business partners. A scope map — not a generic checklist — is what distinguishes a defensible assessment from a performative one.
Step 2 — Map Operational Risk Contact Points
Identify the specific processes, decisions, and transactions where non-compliance could actually occur. Common areas include:
- Contract execution and vendor management
- Data handling and privacy practices
- Financial reporting and transaction monitoring
- Hiring practices and background screening
- Technology systems with regulatory implications
Conduct interviews with business unit leaders and frontline managers. The compliance function sees the framework; the people closest to operations see the real exposures.
Step 3 — Assess Likelihood and Impact
Evaluate probability using evidence across four dimensions:
- Historical violations and near-misses
- Control failure rates and testing gaps
- Frequency of regulatory change in the relevant area
- Training completion rates and knowledge gaps
Impact assessment should span financial penalties, operational disruption, reputational damage, and legal exposure.
The step most assessments skip: distinguish between inherent likelihood (before controls) and residual likelihood (after controls). Reporting only one number collapses the information boards need to evaluate whether current spending on controls is working.
Step 4 — Evaluate Control Effectiveness
For each identified risk, work through four questions:
- Does a control exist?
- Do employees follow it consistently?
- Can it detect violations quickly enough to matter?
- Are findings escalated appropriately when violations are detected?
A documented control that no one follows is a liability, not a safeguard — regulators will find it before you do. Identify gaps where controls are absent, weak, or untested.
Step 5 — Prioritize, Assign Ownership, and Set Timelines
Not every risk can be addressed at once. For each priority finding, document:
| Field | What to Include |
|-------|-----------------|
| Specific risk | Plain-language description |
| Control gap | What's missing or failing |
| Recommended action | Concrete remediation step |
| Accountable owner | Named role, not a committee |
| Target completion date | Specific date, not "Q3" |
| Success metric | Verifiable proof of closure |

Without a named owner and a deadline, findings sit in a report and expire.
How to Write a Compliance Risk Assessment Executive Summary
The executive summary translates a full assessment — which may span dozens of pages — into a decision-ready briefing for boards, audit committees, and senior leadership. The goal is not comprehensiveness. It is clarity.
A board member should read the executive summary and immediately understand three things: the organization's current risk posture, what changed since the last assessment, and what decisions or approvals are required.
The Five Components Every Executive Summary Needs
- Overall risk posture statement — a plain-language characterization of where the organization stands (improving, stable, or deteriorating)
- Top identified risks with inherent and residual ratings side by side
- Significant control gaps tied to specific business impact
- Priority remediation actions with named owners and target dates
- Escalation flags — risks that exceed stated risk appetite and require board-level decisions
Format and Language
EY's 2023 Global Board Risk Survey found that approximately 60% of boards say emerging risks are insufficiently addressed, and 61% of board members are not aligned on material risks for the next 12 months. That misalignment often starts with how risk information is formatted and delivered.
Practical formatting rules:
- Use plain language over regulatory citations
- Use heat maps or traffic-light indicators for risk levels
- Avoid replicating the technical detail of the full report
- If a board member cannot orient themselves in two minutes, the summary has not done its job
PwC's audit committee dashboard guidance notes that pre-read materials continue to grow in volume — dashboard-style reporting helps make compliance information clear, concise, and actionable rather than adding to the pile.
Trend vs. Snapshot
An effective executive summary shows whether risk posture is improving, stable, or deteriorating compared to the prior period. EY found that highly resilient boards are 1.9x more likely to review risk exposures as part of strategy and performance reviews (86% vs. 46% of other boards). Year-over-year or quarter-over-quarter comparisons give boards the directional context that isolated scores cannot.

The Board-Advisor Role in Bridging the Gap
Many organizations have skilled compliance and risk staff who produce thorough assessments but struggle to translate findings for a board audience. The technical work is sound — the governance-ready packaging is missing.
A board-facing advisor closes that gap by packaging the technical findings into formats boards can act on. Tyson Martin's board-ready compliance deliverables include:
- A one-page risk view covering top risks, trend analysis, ownership, and next actions
- A one-page risk appetite statement aligned to the organization's tolerance thresholds
- An escalation ladder that defines what goes to the board versus what stays with management
Together, these outputs give directors clear decisions at the board level, defined delegation at the management level, and execution they can inspect over time.
Best Practices That Turn Findings Into Defensible Decisions
Treat the Assessment as a Continuous Cycle
A single annual assessment is a starting point, not a compliance program. Regulations change, operations shift, and new vendor relationships create new exposures between annual reviews.
Leading practice structure:
- Annually: Comprehensive assessment across all in-scope areas
- Quarterly: Progress reviews on priority risk remediation
- Event-triggered: Reassessment following acquisitions, leadership changes, regulatory enforcement actions, or significant technology implementations

KPMG's 2024 guidance on modernizing compliance risk assessments identifies specific triggers: changes in regulations, internal policy changes, business operations changes, and findings from regulatory exams or audits. The DOJ expects assessments to stay current and account for emerging risks, including new technology risks. That expectation is not satisfied by an annual cycle alone.
Involve the Right Stakeholders
If only the compliance team contributes, the assessment reflects only one perspective. Business unit leaders, regional managers, legal, HR, IT, and finance must all participate. The people closest to day-to-day operations see risks the compliance function does not.
EY's board risk data shows that 81% of highly resilient boards consult sufficient internal and external stakeholders to determine which compliance-related issues require formal response or action plans. The same discipline applies at the assessment level.
Close the Loop With Documented Remediation
The most common failure point in compliance programs is the gap between identified risk and completed action. Every material finding should enter a tracked remediation workflow with:
- A named owner (a specific role, not a committee)
- A concrete deadline
- A verifiable proof of closure — not "vendor committed to fix" but "evidence received and validated"
Tyson Martin's remediation tracking approach uses a weekly execution check-in to surface blockers within two weeks, not two quarters. Monthly executive reviews cover exceptions and approvals. Quarterly board updates tie back to trend metrics and decisions.
That cadence generates the audit trail regulators look for when they ask whether an organization took findings seriously.
Align to Board-Level Risk Appetite and Decision Rights
If an assessment never surfaces a question for board decision, it likely hasn't been honest about residual risk. Define in advance what residual risk levels require board escalation versus management delegation.
Without that clarity, the executive summary becomes a reassurance document rather than a decision-forcing tool. This is especially true in financial services, healthcare, and retail — sectors with frequent regulatory shifts and multi-jurisdictional obligations. Boards need to know:
- Which risks they own versus which they've delegated to management
- What thresholds trigger escalation
- Why those boundaries were set where they were
Frequently Asked Questions
How do you write an executive summary for a compliance risk assessment?
Structure it around five elements: an overall risk posture statement in plain language, top risks with inherent and residual ratings, significant control gaps with business impact, priority remediation actions with named owners and timelines, and any risks that exceed your stated risk appetite and require board escalation. Use heat maps or traffic-light indicators rather than dense technical text.
What is the difference between inherent risk and residual risk in a compliance assessment?
Inherent risk is your exposure before any controls exist. Residual risk is what remains after controls are applied. Residual risk — not inherent risk — is what boards should use to make decisions and determine whether additional mitigation is needed.
How often should a compliance risk assessment be updated?
Conduct a comprehensive annual assessment, quarterly progress reviews on priority risks, and triggered reassessments when material events occur: acquisitions, new regulations, leadership changes, or significant technology implementations. HHS-OIG recommends at least annual assessments; the DOJ expects them to stay current between cycles.
Who should be responsible for the compliance risk assessment?
The compliance function typically owns the process, but business unit leaders must contribute — they have direct knowledge of operational risk. Board and audit committee oversight provides governance accountability. Smaller organizations without a dedicated compliance function can assign ownership to a senior risk or legal leader with appropriate board visibility.
What should a board look for when reviewing a compliance risk assessment?
Boards should look for four things:
- Residual risk posture stated clearly, not buried in technical detail
- Trend data showing whether risk is improving or worsening
- Control gaps with named owners and remediation timelines
- Explicit identification of risks exceeding the organization's stated risk appetite
What are the most common reasons compliance risk assessments fail to drive action?
Four failure points appear consistently:
- Treating the assessment as an annual one-time event rather than a living process
- Limiting contributors to the compliance team instead of drawing in business unit leaders
- Generating risk scores with no assigned remediation ownership
- Presenting findings in a format boards cannot use to make decisions