As the regulatory environment evolves, financial institutions are reassessing their approaches to compliance risk. The traditional reliance on qualitative narratives, subject matter expertise, and manual scoring is no longer sufficient as regulatory expectations shift to a risk-based framework grounded in data. Regulatory agencies, including the Federal Reserve, OCC, FDIC, and FinCEN, are explicitly calling for risk-based compliance programs that provide objective, evidence-backed insights into how risks are identified, assessed, and managed.
As recently as July 2025, the Federal Reserve proposed changes to its bank supervisory rating system to reduce subjectivity in rating large banks, emphasize risk-based management, and move toward quantifiable assessments of risk and control effectiveness. In addition to data-driven scoring, agencies now expect institutions to maintain regularly updated risk assessments that reflect evolving business activities and regulatory changes while linking identified risks to controls and issue management. As such, internal compliance teams must move beyond qualitative assessments and adopt a quantitative, data-driven risk framework.
Why Quantifying Compliance Risk Matters
Quantifying compliance risk enables risk management to transform from a reactive process to a data-driven function. This is not to say a systematic approach becomes purely preventative; instead, a data-driven approach enhances the ability to detect issues early on and with greater accuracy. Even within a structured framework, data analysis retains its detective nature by interpreting signals and uncovering hidden risks.
Quantitative risk values change subjective judgments into measurable, comparative data, creating a clear and structured basis for prioritizing compliance efforts. By transforming vague concerns into a prioritized, actionable list, a data-driven approach leads to greater visibility and facilitates more targeted, evidence-based risk mitigation. Assigning quantitative values to risk enables banks to prioritize and allocate resources based on the potential impact of a compliance issue, ensuring that the most critical areas receive appropriate attention. It also allows banks to demonstrate to internal stakeholders and regulators that risks are being systematically identified, assessed, and managed in an auditable and defensible manner.
Moreover, a quantitative approach enables institutions to analyze trends and identify root causes, offering greater insight into the underlying drivers of operational failures or compliance breaches. By systematically tracking data over time, banks can uncover recurring issues, patterns, and outliers that manual review alone may miss. As a result, banks can strengthen their control frameworks by addressing the specific weaknesses or gaps identified. Ultimately, root cause analysis ensures that solutions address the source of the problem, not just its symptoms, and reduces the likelihood of repeat incidents.
Additionally, by leveraging automation and data analytics, banks can continuously monitor key risk indicators and identify emerging threats in real time, making it easier to detect recurring issues, refine controls, and address potential risks before they escalate. This, in turn, strengthens the overall control environment and enhances both strategic decision-making and regulatory confidence.
Practical Ways to Quantify Compliance Risk
A generally accepted approach to quantify compliance risk is the implementation of risk scoring models, which provide a structured and repeatable framework for evaluating risk exposure across an organization. These models assess inherent risk — the risk present before controls — and control effectiveness resulting in a residual risk score that reflects the level of remaining risk. Residual scores are often weighted and aggregated across business lines, products, or regions, allowing for a more tailored approach specific to an institution’s risk profile. This focused approach supports strategic decision-making, enhances comparability, and facilitates effective resource allocation.
Benefits of risk scoring models include:
- Consistency and objectivity, which reduce bias and promote uniformity;
- Improved visibility, which enables trending analysis and data-driven reporting;
- Efficient prioritization of high-risk areas; and
- Regulatory alignment supported by auditable and well-documented data.
Common challenges of risk scoring models include:
- Oversimplification of complex scenarios;
- Subjectivity based on individual judgement, especially around control scoring, which promotes inconsistency;
- False sense of precision, which leads to misplaced confidence; and
- Data quality issues compromising output reliability.
To address these challenges, institutions should:
- Supplement scoring with expert judgement and qualitative commentary;
- Standardize input criteria and scoring methods, and include independent challenge;
- Communicate the limitations and avoid the overreliance on scores alone; and
- Invest in data governance and validation processes to ensure accurate and reliable data.
When paired with contextual analysis, quantitative risk scoring models become a powerful tool for managing compliance risk. With thoughtful implementation and continuous improvement, these models provide the structure and clarity needed to effectively identify, prioritize, and manage risk across the organization.
Likewise, analyzing control testing results alongside audit and examination findings allows banks to quantify the rate of failed controls, exceptions, or partial implementations, while leveraging historical trends to calibrate risk levels over time. Relying solely on results from one line of defense limits the perspective to that specific function, potentially overlooking critical insights from the other two lines of defense. Therefore, it is essential to integrate results from all three lines of defense to gain a comprehensive and more realistic view of risk. A holistic approach helps banks uncover deeper vulnerabilities and supports a more effective risk response.
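The calculation sketched above (inherent risk, control effectiveness, residual risk, weighted aggregation) and the use of control testing results to calibrate it, shown as a worked example. This is added illustrative code, not a model from the article or from Asurity Advisors; the 1-to-5 inherent scale, the exposure weights and every figure are constructed sample data, and a line with no test evidence is deliberately reported rather than scored.

```python
# Constructed sample input, one record per business line (not from the article):
#   inherent     - inherent risk score before controls, on an assumed 1 (low) to 5 (high) scale
#   tests_total  - control tests executed this cycle; tests_failed - how many failed
#   weight       - assumed share of the institution's exposure carried by this line
SAMPLE = [
    {"line": "Wealth Management", "inherent": 5, "tests_total": 12, "tests_failed": 3, "weight": 0.4},
    {"line": "Retail Lending",    "inherent": 4, "tests_total": 20, "tests_failed": 5, "weight": 0.4},
    {"line": "Customer Service",  "inherent": 3, "tests_total": 8,  "tests_failed": 0, "weight": 0.2},
    {"line": "Treasury",          "inherent": 2, "tests_total": 0,  "tests_failed": 0, "weight": 0.0},
]

def control_effectiveness(tests_total, tests_failed):
    """Share of control tests passed (0.0..1.0), derived from testing results rather than
    assigned by judgement. Returns None when there is no evidence, so a missing data set
    is surfaced instead of being silently scored as a fully effective control."""
    if tests_total <= 0:
        return None
    if not 0 <= tests_failed <= tests_total:
        raise ValueError("failed count must lie between 0 and tests_total")
    return (tests_total - tests_failed) / tests_total

def residual_risk(inherent, effectiveness):
    """Residual risk = inherent risk scaled by the share of risk the controls leave unmitigated."""
    if not 1 <= inherent <= 5:
        raise ValueError("inherent score must be on the 1..5 scale")
    return round(inherent * (1 - effectiveness), 2)

def score_lines(records):
    """Score every line; returns (scored lines ranked high to low, lines lacking test evidence)."""
    scored, no_evidence = [], []
    for r in records:
        eff = control_effectiveness(r["tests_total"], r["tests_failed"])
        if eff is None:
            no_evidence.append(r["line"])
            continue
        scored.append({"line": r["line"], "effectiveness": round(eff, 2),
                       "residual": residual_risk(r["inherent"], eff), "weight": r["weight"]})
    scored.sort(key=lambda s: s["residual"], reverse=True)
    return scored, no_evidence

def aggregate(scored):
    """Exposure-weighted residual risk across the scored lines; weights are renormalised
    so that unscored lines do not drag the institution-level figure down."""
    total_weight = sum(s["weight"] for s in scored)
    if total_weight == 0:
        return None
    return round(sum(s["residual"] * s["weight"] for s in scored) / total_weight, 2)

if __name__ == "__main__":
    ranked, missing = score_lines(SAMPLE)
    for s in ranked:
        print(f'{s["line"]:<18} effectiveness={s["effectiveness"]:.2f} residual={s["residual"]:.2f}')
    print("aggregate residual:", aggregate(ranked), "| no test evidence:", missing)
```

The ranked output is the prioritized list the article refers to; the separately reported "no evidence" lines are the data quality gaps that must be closed before the score is relied upon.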
Similarly, institutions can leverage issue and event data to enhance the accuracy and relevance of compliance risk ratings. This includes analyzing the frequency, severity, and root causes of regulatory fines, including those tied to anti-money laundering, data privacy, fair lending, and consumer protection. Internal policy violations, as well as hotline or whistleblower reports, can be used to expose underlying issues in processes, culture, or oversight functions. Consumer complaints can signal emerging risks tied to dissatisfaction, operational breakdowns, or misconduct before they escalate to regulatory action.
Collectively, these methods create a structured, data-driven, and proactive approach for measuring and managing compliance risk, ultimately strengthening regulatory credibility and organizational resilience.
Bridging Qualitative & Quantitative Inputs
Effectively bridging qualitative and quantitative inputs is crucial for creating a comprehensive and well-rounded compliance risk assessment. One approach is to develop risk narratives supported by concrete data rather than subjective judgment.
| Instead of this: | Consider this: |
|---|---|
| The wealth management unit poses high risk. | “We assess a high residual risk in our wealth management arm due to three failed AML control tests in Q2 and two regulatory complaints.” |
| The retail lending unit has compliance challenges. | “The retail lending unit faces significant compliance risk, evidenced by four fair lending violations this year and delayed remediation of two critical audit findings.” |
| Customer service quality poses risk. | “An increase in hotline whistleblower reports citing improper conduct and a 23% increase in unresolved escalations in Q3 indicate heightened customer service risk.” |
This approach grounds the risk discussion in measurable facts, increases transparency, and adds credibility and clarity to risk reporting.
Additionally, the use of visual dashboards to display risk trends across business lines, products, or regions helps stakeholders quickly identify areas of concern and track changes over time. These tools enhance decision-making by blending context with measurable evidence, making risk assessments both actionable and regulator-ready.
Conclusion
With the Federal Reserve and the OCC placing a greater emphasis on data-driven oversight, purely qualitative compliance risk assessments are no longer sufficient and may raise concerns during regulatory examinations. Regulators now expect institutions to substantiate their risk assessments with clear, quantifiable data that demonstrates control effectiveness and residual risk. Institutions that adopt data-driven frameworks are better equipped to anticipate issues, justify their decisions, and allocate resources effectively.
But data alone is not enough. Users must interpret data within the proper context, verify its accuracy, and confirm that it is complete. Now is the time to assess whether your current risk assessment approach reflects this new regulatory reality. Revisit your framework. Validate your data sources. Define clear roles for each line of defense. Consider engaging experienced third parties to support the effort, whether to perform the heavy lifting, validate your approach, or provide independent insight that strengthens the credibility and effectiveness of your compliance program. Above all, shift the way you view data: it is no longer an obligation, it is a strategic asset.
In today’s regulatory environment, compliance programs that cannot demonstrate risk reduction are no longer considered adequate; measurement is a new mandate. Institutions must move beyond traditional qualitative assessments and adopt transparent, data-driven risk assessment frameworks to remain effective, credible, and resilient. Embracing a data-backed approach is no longer a best practice – it is the regulatory expectation.
About the author
Melissa is a Senior Consultant with Asurity Advisors. She is an experienced advisory professional with over seven years of experience assisting clients in the financial services sector. Throughout her career, she has led and supported a diverse range of projects, including data quality reviews, regulatory compliance initiatives, business process optimization, and developing and performing risk assessments. Melissa is also known for her technical expertise, particularly in building advanced Excel tools that automate manual tasks, streamline workflows, and enable deep analysis of complex datasets. She is also highly skilled in regulatory compliance, data analysis, problem-solving, process improvement, and project management, ensuring successful project completion.
[1] Federal Deposit Insurance Corporation. “Issuance of the Anti-Money Laundering/Countering the Financing of Terrorism Program Requirements Notice of Proposed Rulemaking and Interagency Statement.” Financial Institution Letter FIL-42-2024, July 19, 2024.
[2] Federal Reserve Board. “Federal Reserve Board requests comment on targeted proposal to revise its supervisory rating framework for large bank holding companies to address the ‘well managed’ status of these firms.” Press release, July 10, 2025.