BOL Conferences
#1751074 - 10/22/12 03:15 PM Compliance Risk Rating System
Kelsey D Offline
Platinum Poster
Joined: Aug 2006
Posts: 516
Ohio
I have a formal risk assessment in which I've rated each regulation from 1 (low) to 5 (high) that I use to set my compliance audit schedule. The meat behind the ratings is there; I just need to clearly define my risk rating system beyond the simple low, moderate, and high classification system. Does anyone have sample definitions for high, moderate, and low? I need it to be clear to anyone reviewing my risk assessment that just because BSA, for example, is rated 5, it doesn't mean that I think the quality of risk management is weak in the BSA area.
_________________________
Don't make me say, "I told you so!" Sincerely, your friendly Compliance Officer.

General Discussion
#1751394 - 10/23/12 02:20 PM Re: Compliance Risk Rating System Kelsey D
Banker Offline
100 Club
Joined: Oct 2007
Posts: 128
Southeastern US
In other risk assessments, I have used "inherent risk" (which is risk that is there just by the nature of the beast), then I input a column "control environment effectiveness" (this is all of the mitigating controls, reviews, monitoring, etc. that is in place); the final is the "residual risk", which is the remaining risk all things considered (basically the remaining risk with inherent risk along with the control environment effectiveness considered). Don't know if this would work in your format?

#1751407 - 10/23/12 02:42 PM Re: Compliance Risk Rating System Kelsey D
ahkcompliance Offline
Diamond Poster
Joined: Sep 2008
Posts: 2,474
Midwest
I look at our previous exams and independent audits to assign high, medium, and low risks. If we have multiple repeat violations, then it is a higher risk. Isolated exceptions with no pattern are lower. I also look at the regulatory environment and all the change. Regulations that have had substantial changes are generally a higher risk on my RA. That method seems to work for us, and no complaints from examiners. I also use the inherent/residual risk as MJoyner discussed above.

#1751424 - 10/23/12 03:23 PM Re: Compliance Risk Rating System Kelsey D
manimal Offline
Diamond Poster
Joined: Feb 2008
Posts: 2,207
Deleted
We do what MJoyner said, give it an inherent risk, then mitigate it down with our controls.
_________________________
We're all here 'cause we've lost control.

Innerpartysystem

#1751425 - 10/23/12 03:24 PM Re: Compliance Risk Rating System manimal
A_G Offline
10K Club
Joined: Jul 2004
Posts: 18,989
Fines and penalties for violations may be something else to consider for a compliance risk rating...
_________________________
With the lights out, it's less dangerous.

#1751793 - 10/24/12 02:10 PM Re: Compliance Risk Rating System Kelsey D
Kelsey D Offline
Platinum Poster
Joined: Aug 2006
Posts: 516
Ohio
I've taken into consideration all of the things you have listed above in my risk assessment. The way it is designed, ratings of 1 and 2 (low) are audited every three years, 3's (moderate) are audited every two years, and ratings of 4 and 5 (high) are audited every year. Management questioned the number of 4's and 5's we have and assumed that it meant we weren't doing enough to mitigate those areas down to moderate or low. Obviously some areas require an annual audit, and others deserve frequent reviews because of examiner scrutiny, fines and penalties, reg changes, and/or prior audit findings. I explained to management that we could have very strong internal controls, but the risk rating could still be high due to the nature of the regulation. I explained that a 5 rating doesn't necessarily mean that we are likely to have problems, but that if we do, the consequences are so severe that they could cripple the bank. Their suggestion was that I detail for each rating, 1 through 5, exactly what each means. I'm looking for that language.
_________________________
Don't make me say, "I told you so!" Sincerely, your friendly Compliance Officer.

#1752065 - 10/24/12 06:42 PM Re: Compliance Risk Rating System Kelsey D
Deena Offline
Power Poster
Joined: Nov 2000
Posts: 2,701
PA
If you check out the linked document titled "Compliance Risk" on this page, it may help you. The other links may be helpful as well.
_________________________
Opinions expressed are mine and not necessarily those of my employer.
