Regulatory Agencies Inventory and Attributes
Contractual and Legal attributes for the Regulatory Agencies Inventory
Contractual and Legal attributes capture the penalty exposure and enforcement history associated with this regulatory agency.
| Attribute Name | Maturity | Description and Notes |
|---|---|---|
| Maximum Penalty | Walk | Description — The maximum financial penalty this agency can impose for a single violation or compliance failure, expressed in the agency’s reporting currency, together with the regulatory basis for that maximum. Benefit(s) — Provides immediate financial exposure context for risk assessment and board reporting. The maximum penalty is the upper bound of the enterprise’s financial exposure from this regulatory relationship and a key input to the Assessed Risk rating. Source — Manual. Examples — €20 million or 4% of global annual turnover, whichever is higher (GDPR); USD 10 million per violation (SEC — varies by rule); GBP 17.5 million or 4% of global turnover (UK ICO). Notes — Record the maximum statutory penalty as published by the agency; actual penalties imposed are typically lower. Include the regulatory basis (the specific law or regulation that authorizes the penalty) where known. |
| Recent Enforcement Actions | Walk | Description — Notable recent enforcement actions by this agency against enterprises in the same industry or facing similar compliance scenarios, with penalty amounts where publicly disclosed. Benefit(s) — Provides context for the agency’s current enforcement posture and the realistic financial exposure the enterprise faces. A pattern of multi-billion-dollar penalties against comparable enterprises is a more relevant risk signal than the theoretical maximum penalty. Source — Manual. Examples — Q1 2025: €1.2 billion in GDPR fines issued across EU member state DPAs (aggregate); 2024: SEC fined [major financial institution] USD 125 million for record-keeping violations. Notes — Update at each Review Cadence cycle. Focus on enforcement actions against enterprises of similar size, industry, or compliance scenario to the enterprise. Sources: agency annual enforcement reports, public enforcement action databases, legal counsel briefings. |
Copyright for the International Foundation for Information Technology (IF4IT): 2008 - Present