I tried to compile such a "list of horribles" about 30 years ago and finally gave up--for the reasons Randy cites. Instead of quantifying risk in terms of dollar penalties, I divided the world of legal/regulatory risks into two major categories: those with unacceptable risks, and everything else. Unacceptable risks included non-compliance that laws/regs with criminal penalties. (I didn't want to go to jail and assumed all my fellow employees felt the same way.) Also included were laws/regs with penalties that could threaten the free exercise of our charter. Also on my "unacceptable" list were violations of laws that would undermine public trust and respect for our company (discrimination, money laundering, kickbacks, and other subjects you NEVER want to to see in the news.) Finally, my unacceptable risks included ANY violation of ANY law/reg that our regulators could cite as a repeat offense. Repeat violations damage your credibility and competence in the eyes of your most vigilant and best-armed critic.
_________________________
...gone fishing.