Regulatory Agencies Inventory and Attributes

Description — The overall risk rating for the enterprise’s regulatory exposure to this agency — the combined assessment of likelihood and impact of a compliance failure, enforcement action, or penalty from this agency.

Benefit(s) — Surfaces high-risk regulatory relationships for priority governance attention. Drives the depth of compliance program investment, monitoring intensity, and legal counsel engagement for each agency.

Source — Manual.

Examples — Very High, High, Medium, Low, Very Low

Notes — Valid values: Very High | High | Medium | Low | Very Low. Risk considerations: enforcement intensity, maximum penalty severity, complexity of requirements, rate of regulatory change, current compliance posture, and industry-level enforcement trends. Assessed at onboarding and reviewed at each formal review cycle.

Description — An assessment of how aggressively this agency is currently enforcing its requirements — reflecting actual enforcement actions, investigation frequency, and penalty severity in the recent period.

Benefit(s) — Enforcement intensity can change significantly with changes in agency leadership, political context, high-profile incidents, or new regulatory mandates. An agency that was dormant under previous leadership may become very active under new leadership. Tracking enforcement intensity enables the enterprise to adjust compliance investment in response to real changes in regulatory posture.

Source — Manual.

Examples — Very Active (frequent investigations, significant penalties, public enforcement actions); Active (regular enforcement activity); Moderate (selective enforcement); Light (infrequent enforcement); Dormant (no recent enforcement activity)

Notes — Valid values: Very Active, Active, Moderate, Light, Dormant. Reviewed at each formal review cycle. Sources: agency annual reports, public enforcement action databases, legal counsel briefings, industry association alerts.

Description — The enterprise’s current assessed compliance posture with respect to this agency’s requirements.

Benefit(s) — Provides a single-attribute summary of the enterprise’s current compliance standing with this agency. Enables a compliance dashboard across all agencies: which regulatory relationships have gaps requiring remediation?

Source — Manual.

Examples — Fully Compliant, Substantially Compliant, Partially Compliant, Non-Compliant, Under Assessment

Notes — Valid values: Fully Compliant, Substantially Compliant, Partially Compliant, Non-Compliant, Under Assessment. Assessed by the Enterprise Compliance Owner with input from Legal Counsel. Non-Compliant status should trigger immediate escalation.

Key Risk Factors

[Multi-Value]

Description — The specific conditions driving the Assessed Risk rating for this agency — the vulnerabilities or circumstances that elevate the enterprise’s compliance exposure.

Benefit(s) — Translates the overall risk rating into actionable remediation targets. A practitioner reading Key Risk Factors knows exactly which conditions to address to reduce the Assessed Risk rating.

Source — Manual.

Examples — Recent industry enforcement surge; Pending new regulation under development; Current compliance gaps in enterprise program; Upcoming regulatory examination; Agency leadership change increasing enforcement posture; Conflicting requirements with another jurisdiction; Rapid rate of regulatory change; Inadequate monitoring coverage

Notes — Separate multiple risk factors with semicolons.