About This Resource
A weighted scoring model that evaluates compliance risk across regulatory obligation complexity, control effectiveness, inherent risk, and residual risk. Produces a risk score per obligation and an overall compliance risk rating.
When to Use
During compliance risk assessments, annual reviews, or when onboarding new regulatory requirements.
Audience
CCO, CRO, Compliance Officer, Internal Audit Lead
What You Bring
- Regulatory obligations
- Control effectiveness ratings
- Inherent risk scores
What You Get
- Risk score per obligation
- Overall compliance risk rating
- Downloadable Word/PDF
Apply the Framework
Score each regulatory obligation against the criteria below (1 = Low Risk, 5 = High Risk). The framework applies weighted scoring to produce a risk score per obligation and an overall compliance risk profile, enabling prioritisation of compliance investment and management attention.
Each regulatory obligation (the scoring form accommodates up to six) is scored on all seven criteria below. The last two columns describe what a score of 1 and a score of 5 mean for that criterion; the weights sum to 27.

| Criterion | Weight | What it measures | 1 = Low Risk | 5 = High Risk |
|---|---|---|---|---|
| Inherent Risk | 5/27 | The level of risk before any controls are applied | Low inherent risk | Very high inherent risk |
| Regulatory Complexity | 4/27 | Complexity of the regulatory requirement and interpretation challenges | Simple / clear | Highly complex / ambiguous |
| Control Effectiveness (Inverse) | 5/27 | Effectiveness of existing controls — score 5 if controls are weak or absent | Strong controls in place | Weak / no controls |
| Consequence of Breach | 5/27 | Severity of regulatory, financial, and reputational consequences if breached | Minor consequence | Existential consequence |
| Regulatory Change Velocity | 3/27 | Pace of change in this regulatory area — faster change = higher risk | Stable regulation | Rapidly evolving |
| Data Dependency | 3/27 | Degree to which compliance depends on data quality and completeness | Low data dependency | Highly data-dependent |
| Third-Party Exposure | 2/27 | Extent to which compliance relies on third-party actions or data | No third-party dependency | High third-party dependency |
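As an added worked example (not part of the tool itself), the weighted scoring described above in Python, using the page's seven criteria and weights. The rating bands, the mean-based overall score and the sample obligation scores are assumptions, since the page does not state them.

```python
from statistics import mean

# Criterion weights exactly as the framework states them (they sum to 27). Each criterion is
# scored 1 (low risk) to 5 (high risk); Control Effectiveness is already inverted, so 5 = weak controls.
WEIGHTS = {
    "inherent_risk": 5, "regulatory_complexity": 4, "control_effectiveness_inverse": 5,
    "consequence_of_breach": 5, "regulatory_change_velocity": 3, "data_dependency": 3,
    "third_party_exposure": 2,
}
TOTAL_WEIGHT = sum(WEIGHTS.values())  # 27
# Assumption: the page does not publish its rating thresholds, so these bands are illustrative.
BANDS = ((2.0, "Low"), (3.0, "Moderate"), (4.0, "High"), (5.0, "Very High"))

def obligation_score(scores: dict[str, int]) -> float:
    """Weighted score for one obligation, kept on the 1-5 scale: sum(w_i * s_i) / sum(w_i)."""
    if set(scores) != set(WEIGHTS):
        raise ValueError(f"expected exactly the criteria {sorted(WEIGHTS)}")
    for name, s in scores.items():
        if not isinstance(s, int) or not 1 <= s <= 5:
            raise ValueError(f"{name}: score must be an integer 1-5, got {s!r}")
    return round(sum(WEIGHTS[k] * scores[k] for k in WEIGHTS) / TOTAL_WEIGHT, 2)

def rating(score: float) -> str:
    """Map a 1-5 score to the first band whose upper bound covers it."""
    return next(label for upper, label in BANDS if score <= upper)

def assess(obligations: dict[str, dict[str, int]]) -> dict:
    """Score every obligation and derive the overall profile. Assumption: the overall score is
    the mean across obligations; the priority list (highest first) guides where investment goes."""
    per = {name: obligation_score(s) for name, s in obligations.items()}
    overall = round(mean(per.values()), 2)
    return {
        "per_obligation": {n: (sc, rating(sc)) for n, sc in per.items()},
        "overall_score": overall,
        "overall_rating": rating(overall),
        "priority_order": sorted(per, key=per.get, reverse=True),
    }

# Constructed sample input: three obligations scored against the seven criteria.
SAMPLE = {
    "Obligation 1": dict(inherent_risk=4, regulatory_complexity=5, control_effectiveness_inverse=4,
                         consequence_of_breach=5, regulatory_change_velocity=3, data_dependency=4,
                         third_party_exposure=2),
    "Obligation 2": dict.fromkeys(WEIGHTS, 2),  # uniformly low scores
    "Obligation 3": dict(inherent_risk=1, regulatory_complexity=2, control_effectiveness_inverse=1,
                         consequence_of_breach=3, regulatory_change_velocity=2, data_dependency=1,
                         third_party_exposure=1),
}
```

Calling `assess(SAMPLE)` returns each obligation's score and band, the overall score and rating, and the obligations ordered for prioritisation.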