How To Create A Compliance Risk Assessment Questionnaire

1. Purpose of a compliance risk assessment questionnaire

Your compliance risk assessment helps you to identify, analyse, prioritise and mitigate legal and regulatory threats to your business. The questionnaire allows you to canvas the opinions of stakeholders in order to create a more rounded assessment of the risks that your organisation faces. 

Consulting with employees from different areas of the business ensures that you gain valuable insight into your compliance risk from a variety of points of view. What seems innocuous to one stakeholder may be more pressing to someone in another department. Without the latter’s input, the compliance function might have under-prioritised it, putting the company at risk. 

From the results of your questionnaire, you can understand more clearly where you need to deploy your resources to gain the greatest impact in your battle against non-compliance. 

2. What to include in a compliance risk assessment questionnaire

2.1 Areas of risk

The larger portion of the questionnaire should be dedicated to questions about specific areas of the business. This approach is likely to elicit answers that can expose risks the interviewee might not have considered as such before they were asked. However, it is a good idea to start off the questionnaire by asking specifically about areas that are known to be related to compliance risk. 

This allows interviewees to have their say on how they view the company’s compliance risk strategy, point out weaknesses and offer suggestions. Ask them about the functions and controls in place, as well as the procedures for identifying and assessing risks.

Sample questions 

• What are your key processes, functions and/or controls that are subject to frequent breakdowns or at the greatest risk of breaking down?
• How does the company communicate about the compliance program and/or compliance values?
• What are the most important things you are working on, and how could they fail?
• Does the company have an assessment process for identifying risks?
• Do you agree or disagree with the top risks that have been identified by management?

2.2 Compliance policies and procedures

Following on from your compliance strategy, the next step is to ask about the company’s current compliance policies and procedures and how effective they are at mitigating those risks. 

For example, you might have a procedure in place to create and maintain insider lists. But is it efficient and effective? Using InsiderLog to create your lists and record all changes helps you build an audit trail that could be invaluable in the event of an investigation. Another feature that helps in such cases is its functionality to send automated emails to insiders until they acknowledge their inclusion on the list. This provides you with evidence that you have done all you can to inform insiders of their responsibilities, something that your current procedures might not provide.

This section should include details of how the compliance team communicates regulatory changes to stakeholders and how it ensures that the company is working within the scope of these legislative requirements. 

Understanding how employees view these aspects of compliance procedures helps you understand whether the current framework is adequate or if you need to adjust the strategy to reduce the risk of compliance breaches due to ignorance or confusion. 

Sample questions 

• What operational controls exist to ensure compliance with the law?
• What is the process for developing and updating the department policies and procedures?
• How do you verify policies and procedures are being accurately implemented?
• What is your method for distributing new regulations or policy changes?

2.3 Leadership

The company’s leadership sets the tone for the organisation and is responsible for the prevailing culture within the business. If leadership is seen to value compliance and encourage whistleblowing, you can build a speak-up culture that reduces compliance risk because employees feel comfortable reporting misconduct before it can become endemic. 

Where there is ambivalence or even antagonism towards reports of wrongdoing, including retaliation against reporting persons, misconduct can prosper unchallenged. This increases the risk of the company being found to have contravened legislation and being issued with a sanction. 

This is why it is important to understand how key employees feel about the attitude and competence of senior leaders in relation to compliance matters.

Sample questions

• How would you evaluate or describe the tone at the top of the organisation?
• How often is senior management updated on legal compliance issues? 

2.4 Monitoring, auditing and response

Understanding how the process of compliance works in practice is key to how effective your procedures are. Look into the culture within the organisation and whether people do feel comfortable reporting on wrongdoing. In order for you to mitigate risk, employees must believe that they will be taken seriously and that the company will monitor and investigate misconduct. 

Find out if key stakeholders believe the company responds to reports of wrongdoing in an efficient and appropriate manner. 

Also, look into how the business reviews and refines its monitoring and response to compliance incidents. Effective organisations continually review and refine their risk management in order to create the most robust systems possible. 

Sample questions

• What is the culture of reporting issues in the workplace?
• What is your process for monitoring issues, and how is that information reported? 
• How are the risks to the organisation currently managed?
• Has the company completed compliance audits? 

2.5 Training and communication

Training and compliance communication provides two main benefits. Firstly, it ensures that the company has done all it can to arm employees with the information they need in order to meet compliance requirements. Secondly, it reinforces the message that the company values compliance above all else. 

Your compliance risk assessment questionnaire should canvas opinions on the manner, frequency of training and compliance communications. This helps you gauge how effective you are at delivering your message. 

It is essential to understand how training is received by stakeholders, who must then use the information in order to be sure they are working within the correct regulatory framework. Effective training can reduce compliance risk, but poorly executed communication from the compliance function increases that risk. 

Sample questions

• What is the process for training the department on internal/external requirements?
• Is the training mandatory?
• How is the training conducted?
• How often is training conducted? 
• How is the completion of training documented? 
• Is the training relevant to the job responsibilities and compliance risks? 
• Are there training materials available, and are they adequate?

3. FAQs

3.1 What should be included in a compliance risk assessment questionnaire?

A compliance risk assessment questionnaire should include questions about the organisation’s compliance programme, relevant laws and regulations, potential compliance risks and the effectiveness of existing control measures. It should also feature questions about the likelihood and impact of each risk from the point of view of that stakeholder. 

3.2 Who should be involved in the development of a compliance risk assessment questionnaire?

You should involve key stakeholders from across the organisation, including compliance professionals, legal and regulatory experts and representatives from various business units. This allows for a range of different views, providing a 360-degree view of your compliance programme. 

3.3 How can an organisation ensure the accuracy and reliability of its compliance risk assessment results?

By using this range of stakeholders during the risk assessment process, you gain a more full, and therefore accurate, view of the state of your compliance efforts. To support this, regularly review and update the questionnaire and use a combination of quantitative and qualitative data to evaluate risks. It’s also good practice to consider seeking input from independent experts, such as legal or regulatory advisors, to ensure that their assessments are comprehensive and accurate.