Does Risk Assessment Matter in Corporate Compliance Programs? An Empirical Study Examining the Impact of Risk Assessment on Corporations’ Compliance Programs

Abstract

Corporations must comply with various laws and regulations, subject to their markets and industry. To manage their compliance risks, corporations are expected to design and implement compliance programs based on risk assessments. This study investigates the impact of risk assessments on the implementation of recommended practices in Corporations’ Compliance Programs (CCPs). Through survey interviews with compliance officers from 93 Forbes 2000 companies, the research examines the relationship between risk levels and 33 recommended practices across Anti-Bribery & Corruption, Data Privacy, and Third-Party compliance risks. Contrary to the initial hypothesis, findings reveal that only nine practices significantly relate to risk levels, including rule-based policies and compliance training testing. Unexpectedly, several practices showed negative relations, particularly in the Third-Party compliance domain, suggesting that higher risk levels do not always lead to broader implementation of recommended practices. The study uncovers mixed results in the Anti-Bribery & Corruption CCP, limited risk-based alignment in the Third-Party CCP, and better alignment in the Data-Privacy CCP. These findings suggest that the relationship between risk and compliance implementation is domain-specific and may be influenced by whether the risk is perceived as core (e.g., Data Privacy) or non-core (e.g., Third-Party). They highlight the need for improved regulatory alignment with corporate practices and further exploration of CCP impacts on risk management. This study offers a novel empirical contribution by systematically examining the link between risk levels and the implementation of specific compliance practices across three compliance areas, providing a granular benchmark for future research.

Keywords

compliance program risk management anti-Bribery & corruption data-Privacy third-Party

Get full access to this article

View all access options for this article.

References

Alix

Venkat

Mogul

Leung

Banks

M. A.

Saary-Littman

(2015). Risk appetite frameworks: Insights into evolving global practices. Global Credit Review, 5, 1–17. https://doi.org/10.1142/S2010493615500014

Anton

S. G.

Nucu

A. E. A.

(2020). Enterprise risk management: A literature review and agenda for future research. Journal of Risk and Financial Management, 13(11), 281. https://doi.org/10.3390/jrfm13110281

Apooyin

(2025). Risk management and compliance in a globalized economy: Navigating regulatory challenges and strategic adaptations. Unpublished manuscript. https://doi.org/10.30574/ijsra.2025.15.1.1098

Armour

Gordon

Min

(2019). Taking compliance seriously. Yale Journal on Regulation, 37(1), 1.

Beasley

D. V. W.

Branson

B. C.

Hime

(2015). Enterprise risk management: From practices to process. Journal of Risk Management, 18(2), 1–12. https://doi.org/10.21314/JOR.2015.316

Benedek

Bognár

(2024). Compliance risk assessment – results of a comprehensive literature review. Acta Polytechnica Hungarica, 21(6), 243. https://doi.org/10.12700/APH.21.6.2024.6.13

Berner

A. T. T. R. P.

Campbell

K. M. D. M.

(2021). Risk management in organizations: A comprehensive approach. Journal of Business Research, 104, 87–101.

Derchi

G. B.

Zoni

Dossi

(2020). Corporate social responsibility performance, incentives, and learning effects. Journal of Business Ethics, 167(3), 627–652. https://doi.org/10.1007/s10551-020-04556-8

De Zwart

(2021). Risk culture, risk appetite and risk appetite statements. In The key code and advanced handbook for the governance and supervision of banks in Australia (pp. 1063–1094). Springer. https://doi.org/10.1007/978-981-16-1710-2_40

10.

Edwards

M. S.

Gallagher

E. C.

(2018). Oh, behave! insights and strategies for teaching business ethics to gen Y students. e-Journal of Business Education & Scholarship of Teaching, 12(1), 1–18.

11.

Falk

Fischbacher

(2006). A theory of reciprocity. Games and Economic Behavior, 54(2), 293–315. https://doi.org/10.1016/j.geb.2005.03.001

12.

Fama

E. F.

(1991). Efficient capital markets: II. Journal of Finance, 46(5), 1575–1617. https://doi.org/10.1111/j.1540-6261.1991.tb04636.x

13.

Frigo

M. A.

Anderson

J. A.

(2011).The role of the chief risk officer in enterprise risk management. Strategic Finance, 93(3), 24–30. https://doi.org/10.1002/jcaf.20677

14.

Gunningham

(2017). Compliance, deterrence and beyond. Encyclopedia of environmental law, Chapter 4, pp. 63-73.

15.

Haelterman

(2022). Breaking silos of legal and regulatory risks to outperform traditional compliance approaches. European Journal on Criminal Policy and Research, 28(1), 19–36. https://doi.org/10.1007/s10610-020-09468-x

16.

Halliday

Scott

(2010). A Culture Analysis of Administrative Justice. Research Repository UCD, 1-19, (2010-04).

17.

Hayes

A. F.

(2015). An index and test of linear moderated mediation. Multivariate Behavioral Research, 50(1), 1–22. https://doi.org/10.1080/00273171.2014.962683

18.

Hayes

A. F.

(2017). Introduction to mediation, moderation, and conditional process analysis: A regression-based approach (2nd ed). The Guilford Press.

19.

Hayes

A. F.

Montoya

A. K.

(2017). A tutorial on testing, visualizing, and probing an interaction involving a multicategorical variable in linear regression analysis. Communication Methods and Measures, 11(1), 1–30. https://doi.org/10.1080/19312458.2016.1271116

20.

ISACA . (2021). Governance, risk, and compliance framework: Enhancing decision-making and risk mitigation. ISACA.

21.

Jamali

(2010). MNCs and international accountability standards through an institutional lens: Evidence of symbolic conformity or decoupling. Journal of Business Ethics, 95(4), 617–640. https://doi.org/10.1007/s10551-010-0443-z

22.

Kahneman

Sibony

Sunstein

C. R.

(2021). Noise: A flaw in human judgment. HarperCollins.

23.

Khan

M. A.

Rehman

M. A. A. B.

(2018). The impact of risk management on organizational performance. International Journal of Business and Management, 13(5), 112–123.

24.

McCrae

Balthazor

(2000). Integrating risk management into corporate governance: The Turnbull Guidance. Risk Management, 2, 35–45. https://doi.org/10.1057/palgrave.rm.8240057

25.

Minbaeva

D. B.

(2005). HRM Practices and MNC knowledge transfer. Personnel Review, 34(1), 125–144. https://doi.org/10.1108/00483480510571914

26.

Monahan

(2008). Enterprise Risk Management: A methodology for Achieving Strategic Objectives. John Wiley & Sons, Inc. ISBN: 978-0-470-37233-3.

27.

Prewett

Terry

(2018). COSO’s updated enterprise risk management framework: Insights into new guidance. Journal of Corporate Accounting & Finance, 29(3), 16–23. https://doi.org/10.1002/jcaf.22370

28.

Rodman

K. A.

(2001). Sanctions Beyond Borders – Multinational Corporations and U.S. Economic Statecraft. ROWMAN & LITTLEFIELD Publishers, Inc. ISBN 0-8476-9307-4 and 0-8476-9308-2

29.

Shimomura

(2020). An Introduction to Anti-Corruption Regulations in Japan. 大東法政論集第23号.

30.

Soane

(2025). Connecting risk, management and organisational goals: Integrating risk with organisations' systems to enhance performance and competitive advantage. Journal of Risk Research. https://doi.org/10.1080/13669877.2025.2485041

31.

Trevino

L. K.

Nieuwenboer

N. A.

Kreiner

G. E.

Bishop

D. G.

(2014). Legitimating the legitimate: A grounded theory study of legitimacy work among ethics and compliance officers. Organizational Behavior and Human Decision Processes, 123(2), 186–205. https://doi.org/10.1016/j.obhdp.2013.10.009

32.

Trevino

L. K.

Weaver

G. R.

Gibson

D. G.

Toffler

B. L.

(1999). Managing ethics and legal compliance: What works and what hurts. California Management Review, 41(2), 131. https://doi.org/10.2307/41165990

33.

Vento

(2020). The FCPA enforcement landscape: What corporate counsel and compliance departments need to know for effective compliance in the new decade. Currents: J. Int'l Econ. L., 24(1), 131.

34.

Viscelli

T. R.

Hermanson

D. R.

Beasley

M. S.

(2017). The integration of ERM and strategy: Implications for corporate governance. Accounting Horizons, 31(2), 69–82. https://doi.org/10.2308/acch-51692

35.

Warren

D. E.

Gasper

P. J.

Laufer

W. S.

(2014). Is formal ethics training merely cosmetic? A study of ethics training and ethical organizational culture. Business Ethics Quarterly, 24(1), 85–117. https://doi.org/10.5840/beq2014233

36.

Watson

Weaver

G. R.

(2003). How internationalization affects corporate ethics: Formal structures and informal management behavior. Journal of International Management, 9(1), 75–93. https://doi.org/10.1016/S1075-4253(03)00004-8

37.

Weber

Fortun

(2005). Ethics and compliance officer profile: Survey, comparison and recommendations. Business and Society Review, 110(2), 97–115. https://doi.org/10.1111/j.0045-3609.2005.00006.x

38.

Weber

Wasieleski

D. M.

(2013). Corporate ethics and compliance programs: A report, analysis and critique. Journal of Business Ethics, 112(4), 609–626. https://doi.org/10.1007/s10551-012-1561-6

Supplementary Material

Please find the following supplemental material available below.

For Open Access articles published under a Creative Commons License, all supplemental material carries the same license as the article it is associated with.

For non-Open Access articles published, all supplemental material carries a non-exclusive license, and permission requests for re-use of supplemental material or any part of supplemental material shall be sent directly to the copyright owner as specified in the copyright notice associated with the article.

0.00 MB

0.11 MB

0.06 MB