conducting-compliance-risk-assessments

Structures compliance risk assessment with regulatory inventory and inherent/residual risk evaluation. Use when assessing compliance risk, inventorying regulatory obligations, or prioritizing compliance resources.

11 stars

Best use case

conducting-compliance-risk-assessments is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Structures compliance risk assessment with regulatory inventory and inherent/residual risk evaluation. Use when assessing compliance risk, inventorying regulatory obligations, or prioritizing compliance resources.

Teams using conducting-compliance-risk-assessments should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/conducting-compliance-risk-assessments/SKILL.md --create-dirs "https://raw.githubusercontent.com/CaseMark/skills/main/skills/finance/conducting-compliance-risk-assessments/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/conducting-compliance-risk-assessments/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How conducting-compliance-risk-assessments Compares

Feature / Agentconducting-compliance-risk-assessmentsStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Structures compliance risk assessment with regulatory inventory and inherent/residual risk evaluation. Use when assessing compliance risk, inventorying regulatory obligations, or prioritizing compliance resources.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Conducting Compliance Risk Assessments

## When To Use

- Performing periodic (annual, quarterly) compliance risk assessments for a regulated entity
- Onboarding a new regulatory obligation and evaluating its risk impact
- Prioritizing compliance resources across multiple regulatory domains (AML/BSA, consumer protection, fair lending, privacy, sanctions)
- Responding to regulatory examination findings, enforcement actions, or audit gaps
- Evaluating compliance risk exposure after organizational changes (new products, market entry, M&A)

## Inputs To Gather

- **Entity profile**: charter type, asset size, business lines, geographic footprint, customer segments
- **Regulatory inventory**: all applicable statutes, regulations, and guidance (federal, state, international) [VERIFY jurisdiction-specific requirements]
- **Prior assessment results**: previous risk ratings, audit findings, exam results, MRAs/MRIAs
- **Control documentation**: policies, procedures, training records, monitoring/testing reports
- **Incident data**: regulatory violations, complaints, SARs filed, enforcement actions, litigation
- **Organizational changes**: new products/services, market expansions, system migrations, staffing changes since last assessment
- **Risk appetite statement**: board-approved risk tolerance thresholds

## Workflow

1. **Define scope and methodology**
   - Identify assessment boundaries (enterprise-wide vs. business-line specific)
   - Select risk rating framework: typically a matrix scoring likelihood (1-5) x impact (1-5)
   - Establish rating definitions — anchor each level to concrete indicators (e.g., "4 = regulatory action within 12 months is probable")
   - Confirm assessment period and reporting timeline

2. **Build the regulatory inventory**
   - Catalog every applicable law, regulation, and regulatory guidance document
   - Map each obligation to responsible business line(s) and compliance owner
   - Flag recently enacted or amended regulations [VERIFY effective dates and transition periods]
   - Note cross-border obligations for entities operating in multiple jurisdictions [VERIFY local registration and licensing requirements]

3. **Assess inherent risk per obligation**
   - For each regulatory obligation, rate inherent risk (risk before controls) across dimensions:
     - **Likelihood**: volume/complexity of covered activity, pace of regulatory change, historical violation frequency
     - **Impact**: potential fines/penalties, reputational harm, operational disruption, customer harm
   - Weight factors by materiality — a high-volume activity under active regulatory scrutiny warrants elevated scoring
   - Document rationale for each rating; avoid unsupported "medium" defaults

4. **Evaluate control effectiveness**
   - For each obligation, assess the design and operating effectiveness of existing controls:
     - Policies and procedures: current, approved, accessible to staff
     - Training: frequency, completion rates, content relevance
     - Monitoring and testing: scope, frequency, deficiency tracking
     - Issue management: timely remediation, root-cause analysis, escalation protocols
   - Rate control strength (strong / satisfactory / weak) with supporting evidence
   - Flag control gaps or untested controls explicitly

5. **Calculate residual risk**
   - Residual risk = inherent risk adjusted for control effectiveness
   - Where controls are strong, residual risk may drop 1-2 levels below inherent; where controls are weak or absent, residual risk remains at or near inherent levels
   - Highlight any obligation where residual risk exceeds the board-approved risk appetite

6. **Prioritize and recommend**
   - Rank obligations by residual risk score to produce a heat map or tiered priority list
   - For high and critical residual risks, draft specific remediation recommendations:
     - Control enhancements (new monitoring, additional testing, policy updates)
     - Resource allocation (staffing, technology, budget)
     - Timeline and accountability (owner, target completion, milestone checkpoints)
   - Identify emerging risks (pending regulations, industry trends) for forward-looking planning

7. **Validate and finalize**
   - Circulate draft assessment to business-line risk owners for challenge and concurrence
   - Incorporate feedback; document material disagreements and resolution
   - Present final assessment to senior management and board/committee for approval

## Output

The final deliverable should include:

- **Executive summary**: overall compliance risk posture, key themes, top residual risks
- **Regulatory inventory table**: obligation, applicable law/rule, business line, compliance owner
- **Risk assessment matrix**: each obligation with inherent risk score, control rating, residual risk score, and rating rationale
- **Heat map or dashboard**: visual representation of residual risk distribution across obligations
- **Remediation plan**: prioritized action items for high/critical risks with owners and deadlines
- **Appendices**: methodology description, rating scale definitions, data sources, prior-period comparison

## Quality Checks

- Every regulatory obligation in the inventory has a corresponding inherent and residual risk rating — no gaps
- Rating rationales are specific and evidence-based, not boilerplate
- Control assessments reference actual testing or monitoring results, not just policy existence
- Residual risk scores logically follow from the inherent risk and control effectiveness pairing
- High residual risks each have a documented remediation recommendation with owner and timeline
- Assessment methodology and rating scales are consistent with prior periods (or changes are explained)
- All jurisdiction-dependent obligations are tagged with [VERIFY] where applicability may vary
- Final output has been reviewed by at least one subject-matter compliance officer before submission

Related Skills

We are still matching the closest adjacent skills for this page. In the meantime, continue through the full directory.