I recently completed a comprehensive risk assessment, thus compliance was only a small part of the whole, but I used Excel for my matrix.
For compliance, I had two sections -- one for Deposit / Operations / Administration regulations such as ACH/NACHA, CRA, Reg E, Reg C, etc. and the other for Lending regulations such as Reg AA, Reg B, Reg Z, etc.
Each of these reg items, I rated based on six risk categories -- credit risk, market risk, operational risk, funding/liquidity risk, legal & reputation risk, and compliance risk.
Each category was given a weight based on its relative importance and rated 3, 6, or 9 for low, medium, or high risk. And the weighted-risk average was calculated and shown on the far right column.
I also included a narrative portion which presented an overview of the risk assessment process, explained the methodology I used and provided some specific details on what activities or concerns resulted in the numbers that were expressed on the matrix.
This is all a bit complicated to picture, I'm sure. I can send you a copy of my template if interested.
Steve