Focus your compliance spend with a compliance risk assessment

All regulated firms are expected to have ‘adequate’ risk controls in place. But assessing and managing regulatory risk is far from straightforward. Adapting best practice from larger organisations when it comes to risk assessment could not only help you manage risk better and demonstrate controls to the regulator, it could also help you be far more efficient in how you use your compliance resource.

Getting more from your compliance spend

All too often busy compliance teams will dust off the same compliance monitoring plans from year to year. But risks change. And finite internal resources can end up focused on areas which don’t necessarily address their biggest regulatory risks.

By conducting a compliance risk assessment before planning work for the coming period, firms can prioritise oversight of the management of risks that pose the most harm to the firm or clients.

What is a compliance risk assessment?

A compliance risk assessment will identify all the compliance risks the firm is exposed to and identify all its mitigating controls. It will grade the materiality of each of these risks on both an inherent and residual basis. This will help identify where the Compliance monitoring team should focus its efforts.

A credible risk assessment should accurately characterise the firm’s exposure to specific legislation and regulation, overlaid with the particular risks that arise from the firm’s clients, products and operating model. This should include the following considerations:

Regulatory exposure: The permissions held by the business will determine to a large extent the regulations which will apply, helping to provide an initial scope for a risk assessment.

Clients: Servicing certain client groups will increase compliance risks for specific regulations, such as retail clients for MiFID services, vulnerable customers, or clients in high-risk jurisdictions for AML. Understanding your client portfolio will help to identify risk ‘hot-spots’.

Products: Similar to an assessment of clients, certain products will result in a heightened compliance risk, such as non-mainstream pooled investments, restricted mass market investments, complex derivative products, contracts for difference for retail clients, and deposit facilities for AML.

Operating model: The structure of your business will also contribute to your compliance risk portfolio, such as the degree to which your business is part of a complex group structure, the extent to which you outsource your operations, and the extent that you rely on manual processes.

What are the benefits of creating a compliance risk assessment?

The compliance risk assessment allows compliance teams to identify, quantify and consider the materiality of the firm’s regulatory risks. But there are also other advantages:

  • Allows prioritisation of resources when creating monitoring plans.
  • Identifies key controls which the firm relies upon to mitigate material risks.
  • Ensures risk owners and those responsible for operating the firm’s controls are clearly identified.
  • Provides Senior Manager Function (SMF) holders with a single document itemising the risks and controls they are responsible for.
  • Allows the firm to ensure it is operating within its risk appetite.
  • Provides a uniform structure for rating compliance risks, which reduces the level of challenge when compliance monitoring reports are provided to the Executive.
  • Assists the firm in meeting its obligations under SYSC 4.

How do you undertake a compliance risk assessment?

Although no two firms are alike, the steps you need to take to conduct an effective compliance risk assessment will fall along the same lines.

  1. Identify the firm’s compliance risk universe. This will include all the regulatory requirements that the firm is subject to and that could present a risk to the business if the firm fails to comply. It will also consider the impact of new risks generated as part of your horizon scanning.
  2. Assess risks. Work with the business to develop a methodology to assess the impact and likelihood of a risk crystallising, aligning this to the firm’s risk appetite.
  3. Create a heat map, which will be used by Compliance and the first line risk owners to visualise the impact of each risk. (An example is provided below.)
  4. Identify the first line risk owners and those responsible for the mitigating controls. Identification of first line control owners will generally be the SMF responsible for that area of the business. The mitigating owners will generally report into the relevant SMF.
  5. Grade the impact and likelihood of each risk on an inherent and residual basis. The example heat map below shows the inherent risk of an identified risk at point ‘A’; it also shows the effect of the firm’s mitigating controls, with the same risk plotted at point ‘B’. As you can see, the risk is initially outside of the firm’s risk appetite before the impact of mitigating controls is considered. Grading the inherent and residual risks of the firm can be an emotive area which will require the input of the first line. When undertaking this exercise, areas to consider are previous compliance monitoring findings, the business plans, the strategic objectives of the firm, previous Internal Audit findings, first line oversight activity, quality assurance, root cause analysis in complaints, incident logs and actions taken by regulators against other firms.
  6. Prioritise. Use the compliance risk assessment and heat map to identify compliance risks which represent a higher level of risk, those which are outside of appetite and those which are heavily mitigated by a few controls.
  7. Apply the resulting information to align the Compliance monitoring programme, so that a proportionate amount of effort is applied to the identified risks.

Often, when this exercise is undertaken, areas will be identified where there is no defined risk or control owner. The process of creating a compliance risk assessment benefits compliance monitoring teams whilst also helping Senior Managers identify and quantify the compliance risks and controls they are responsible for.

Once you have identified where the Compliance monitoring activities should focus, you should update your compliance monitoring plan.

How can we help

At Bovill, we can help you apply a risk-based strategy to your compliance monitoring, maximising some of the benefits above. We have supported hundreds of clients with designing and conducting compliance monitoring for firms of every size. Get in touch to find out more.