3 Key Tips for Conducting a Legal and Compliance Risk Assessment

Legal and compliance risk assessments are critical to the long-term success of a business. Such an assessment maps your compliance and legal risks so you can mitigate legal problems before they start to drag your business down. Most companies complete some form of risk assessment, even if informal, but many do not know where to begin to formalize their process. Here are three tips that will help you start the risk assessment process and use it to great success.

Identify the Stakeholders

Before launching your risk assessment, determine who will participate in the process and to what extent. This is a critical step toward an effective risk assessment. It is prudent to involve in-house or outside counsel, internal audit, human resources, and finance functions at a minimum. For the risk assessment to reflect business operations, it is essential that you involve your operational business managers in assessing risk. Often, they are aware of the more subtle ways risk areas can affect your business. Once the team is assembled, define the parameters of the risk assessment and take advantage of the expertise on your team.

Know The Laws Relevant to Your Business

Many companies operate within multiple legal jurisdictions and are therefore subject to a vast array of laws and regulations. Some companies operate in so many different locations, or serve clients in so many places, that it is difficult to keep track of applicable laws. Identifying the laws and regulations applicable to your business is the first step of any legal and compliance risk assessment.

Standardize Your Risk Vocabulary

When gathering information on the probability or impact of risk areas, it is important to define your quantitative and qualitative labels. A “high” or “red” risk in HR may pale in comparison to the financial impact of the lowest or “green” impact risk coming from IT. Where a violation of employment laws could cost a company a few hundred thousand dollars, a massive data breach could cost tens of millions of dollars.

In order to properly rank the organization’s risks, everyone needs to be working from the same definitions. A $500,000 risk to a small business may be catastrophic, but to a large publicly traded corporation, it may not even rank as a low impact. Define each level of risk, and what it means, as clearly and specifically as possible. When ranking for impact, look beyond financial impact alone: consider reputational impact, talent retention impact, workforce impact, and competitive positioning impact as well.

Keep Updating

Upon any substantial violations, all companies should revisit their risk assessments. A risk that used to be “green” or “low” can become a high risk area due to employee misconduct trends or trends in enforcement. If there is any major change in the business (new product lines, acquisitions, mergers, divestitures, or the addition of international contracts), it is prudent to revisit the risk assessment to keep a current picture of risk visible and mitigated.

The legal and compliance risk assessment is the foundation of your entire compliance and ethics program, and doing it right could help avoid misconduct and the resulting fines and penalties. CLEAResources is here to help you build a solid foundation. Contact us today for a free initial consultation.