The Value of Starting Simple: A Risk Assessment Spreadsheet

by Jeff Kaplan

For those just getting started with compliance risk assessments, the KISS approach can be invaluable.  And by KISS, I mean “Keep it Simple with Spreadsheets.”  Spreadsheets are not mandatory in conducting risk assessments, of course.  But for the beginners in this area, they can be exceedingly useful.   

Consider the simple model below – along with associated commentary. Something like the following can be a helpful tool in creating or improving your risk assessment program.

Risk areas

The risk areas to be assessed generally include:

  • substantive areas of criminal law risk, such as corruption, antitrust, export control/trade, insider trading/confidential information, and fraud,
  • ethical, as well as legal, areas of risk, e.g., conflicts of interest,
  • in some instances, civil law, e.g., employment law, defamation.

Additionally, some risk areas should be broken down into sub-risk areas, e.g., bribery of government officials as well as commercial bribery.

Risk areas can often be excluded from the compliance risk assessment process if they have been the subject of other risk assessments or do not appear to represent significant legal or ethical peril (de minimis risks). An example of the latter is copyright risks for most organizations (although copyright can be a significant risk area for some industries, such as publishing or entertainment).

Risk scenarios

Risk scenarios are scenarios of the most foreseeable and significant ways in which relevant law/ethical standards could be violated on a line or staff unit basis.

For instance, it is not necessarily sufficient to identify a company as having a significant fraud risk, without identifying the type of fraud at issue e.g., consumer fraud, financial risk, tax fraud, etc.

Mitigation – both existing and recommended

Risk mitigation generally includes written standards, training, other communication, policies, procedures, assigned accountability, internal controls, auditing/monitoring and any other form of mitigation that varies significantly by risk area. Generally speaking, a more detailed discussion of existing controls will assist in yielding more helpful recommendations as to additional mitigation to consider.  For example, rather than simply listing “training” as a control for a given risk area, it is helpful to discuss the type of training, how recently and how frequently it is conducted, for what audience, and even relevant feedback on effectiveness.

Risk mitigation for a risk assessment generally does not encompass controls such as the helpline, investigations, discipline, incentives and background checks, at least as a general matter.  This is because those controls are operative with respect to all risk areas and do not generally control for particular risks.  These areas should, of course, be subject to periodic assessment, but those efforts will likely be more in the nature of a program assessment than a risk assessment.

Finally, the breadth and depth of risk assessment for any given area will generally depend on various factors.  E.g., if a risk assessment is being conducted following a violation at a company, that may suggest the need for a broader and deeper assessment than a risk assessment being conducted on a routine basis.

Leave a comment


* Required , ** will not be published.

= 4 + 6