Legal risk analysis

Organizations conduct assessments to identify different types of organizational risk. For example, they may conduct enterprise risk assessments to identify the strategic, operational, financial, and compliance risks to which the organization is exposed. In most cases, the enterprise risk assessment process is focused on the identification of “bet the company” risks – those that could impact the organization’s ability to achieve its strategic objectives.

Most organizations also conduct internal audit risk assessments to aid in the development of the internal audit plan. A traditional internal audit risk assessment is likely to consider financial statement risks and other operational and compliance risks.

While both of these kinds of risk assessments are typically intended to identify significant compliance-related risks, neither is designed to specifically identify legal or regulatory compliance risks.


Enterprise Risk Assessment

Objective: Identify, prioritize, and assign accountability for managing strategic, operational, financial, and reputational risks

Scope: Any risk significantly impacting the organization’s ability to achieve its strategic objectives

Typical Owner: Chief Risk Officer/Chief Financial Officer

Internal Audit

Objective: Determine and prioritize risks to aid in developing the internal audit plan, helping to provide the board and the executive team with assurances related to risk management efforts and other compliance activities

Scope: Financial statement and internal control risks, as well as some operational and compliance risks that are likely to materially impact the performance of the enterprise or financial statements

Typical Owner: Chief Audit Executive


Compliance

Objective: Identify, prioritize, and assign accountability for managing existing or potential threats related to legal or policy noncompliance—or ethical misconduct—that could lead to fines or penalties, reputational damage, or the inability to operate in key markets

Scope: Laws and regulations with which the organization is required to comply in all jurisdictions where it conducts business, as well as critical organizational policies—whether or not those policies are based on legal requirements

Typical Owner: Chief Compliance Officer