conducting-compliance-risk-assessments
Structures compliance risk assessment with regulatory inventory and inherent/residual risk evaluation. Use when assessing compliance risk, inventorying regulatory obligations, or prioritizing compliance resources.
Best use case
conducting-compliance-risk-assessments is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Structures compliance risk assessment with regulatory inventory and inherent/residual risk evaluation. Use when assessing compliance risk, inventorying regulatory obligations, or prioritizing compliance resources.
Teams using conducting-compliance-risk-assessments should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/conducting-compliance-risk-assessments/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How conducting-compliance-risk-assessments Compares
| Feature / Agent | conducting-compliance-risk-assessments | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Structures compliance risk assessment with regulatory inventory and inherent/residual risk evaluation. Use when assessing compliance risk, inventorying regulatory obligations, or prioritizing compliance resources.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Conducting Compliance Risk Assessments
## When To Use
- Performing periodic (annual, quarterly) compliance risk assessments for a regulated entity
- Onboarding a new regulatory obligation and evaluating its risk impact
- Prioritizing compliance resources across multiple regulatory domains (AML/BSA, consumer protection, fair lending, privacy, sanctions)
- Responding to regulatory examination findings, enforcement actions, or audit gaps
- Evaluating compliance risk exposure after organizational changes (new products, market entry, M&A)
## Inputs To Gather
- **Entity profile**: charter type, asset size, business lines, geographic footprint, customer segments
- **Regulatory inventory**: all applicable statutes, regulations, and guidance (federal, state, international) [VERIFY jurisdiction-specific requirements]
- **Prior assessment results**: previous risk ratings, audit findings, exam results, MRAs/MRIAs
- **Control documentation**: policies, procedures, training records, monitoring/testing reports
- **Incident data**: regulatory violations, complaints, SARs filed, enforcement actions, litigation
- **Organizational changes**: new products/services, market expansions, system migrations, staffing changes since last assessment
- **Risk appetite statement**: board-approved risk tolerance thresholds
## Workflow
1. **Define scope and methodology**
- Identify assessment boundaries (enterprise-wide vs. business-line specific)
- Select risk rating framework: typically a matrix scoring likelihood (1-5) x impact (1-5)
- Establish rating definitions — anchor each level to concrete indicators (e.g., "4 = regulatory action within 12 months is probable")
- Confirm assessment period and reporting timeline
2. **Build the regulatory inventory**
- Catalog every applicable law, regulation, and regulatory guidance document
- Map each obligation to responsible business line(s) and compliance owner
- Flag recently enacted or amended regulations [VERIFY effective dates and transition periods]
- Note cross-border obligations for entities operating in multiple jurisdictions [VERIFY local registration and licensing requirements]
3. **Assess inherent risk per obligation**
- For each regulatory obligation, rate inherent risk (risk before controls) across dimensions:
- **Likelihood**: volume/complexity of covered activity, pace of regulatory change, historical violation frequency
- **Impact**: potential fines/penalties, reputational harm, operational disruption, customer harm
- Weight factors by materiality — a high-volume activity under active regulatory scrutiny warrants elevated scoring
- Document rationale for each rating; avoid unsupported "medium" defaults
4. **Evaluate control effectiveness**
- For each obligation, assess the design and operating effectiveness of existing controls:
- Policies and procedures: current, approved, accessible to staff
- Training: frequency, completion rates, content relevance
- Monitoring and testing: scope, frequency, deficiency tracking
- Issue management: timely remediation, root-cause analysis, escalation protocols
- Rate control strength (strong / satisfactory / weak) with supporting evidence
- Flag control gaps or untested controls explicitly
5. **Calculate residual risk**
- Residual risk = inherent risk adjusted for control effectiveness
- Where controls are strong, residual risk may drop 1-2 levels below inherent; where controls are weak or absent, residual risk remains at or near inherent levels
- Highlight any obligation where residual risk exceeds the board-approved risk appetite
6. **Prioritize and recommend**
- Rank obligations by residual risk score to produce a heat map or tiered priority list
- For high and critical residual risks, draft specific remediation recommendations:
- Control enhancements (new monitoring, additional testing, policy updates)
- Resource allocation (staffing, technology, budget)
- Timeline and accountability (owner, target completion, milestone checkpoints)
- Identify emerging risks (pending regulations, industry trends) for forward-looking planning
7. **Validate and finalize**
- Circulate draft assessment to business-line risk owners for challenge and concurrence
- Incorporate feedback; document material disagreements and resolution
- Present final assessment to senior management and board/committee for approval
## Output
The final deliverable should include:
- **Executive summary**: overall compliance risk posture, key themes, top residual risks
- **Regulatory inventory table**: obligation, applicable law/rule, business line, compliance owner
- **Risk assessment matrix**: each obligation with inherent risk score, control rating, residual risk score, and rating rationale
- **Heat map or dashboard**: visual representation of residual risk distribution across obligations
- **Remediation plan**: prioritized action items for high/critical risks with owners and deadlines
- **Appendices**: methodology description, rating scale definitions, data sources, prior-period comparison
## Quality Checks
- Every regulatory obligation in the inventory has a corresponding inherent and residual risk rating — no gaps
- Rating rationales are specific and evidence-based, not boilerplate
- Control assessments reference actual testing or monitoring results, not just policy existence
- Residual risk scores logically follow from the inherent risk and control effectiveness pairing
- High residual risks each have a documented remediation recommendation with owner and timeline
- Assessment methodology and rating scales are consistent with prior periods (or changes are explained)
- All jurisdiction-dependent obligations are tagged with [VERIFY] where applicability may vary
- Final output has been reviewed by at least one subject-matter compliance officer before submission