
How to Identify Risks in Compliance Projects

Last updated on Jun 04, 2025

Identifying risks is one of the first and most crucial steps when building your compliance project in Humadroid. Done right, it lays the foundation for all your future mitigation efforts, reporting, and governance tracking. Below, we’ll walk you through how to approach risk identification with clarity, structure, and business context.

🧠 What Is Risk Identification?

Risk identification is the process of uncovering events or conditions that could negatively affect your organization’s ability to achieve its objectives. In compliance, risks are often linked to:

  • Legal obligations (e.g., data privacy laws)

  • Regulatory frameworks (e.g., ISO 27001, SOC 2)

  • Internal policies (e.g., code of conduct, security protocols)

  • Operational procedures (e.g., vendor onboarding, remote work)

This step is about discovery, not judgment. You don’t have to decide yet how significant or likely a risk is, just that it exists.

🔍 Where to Look for Risks

The sources you use to identify risks will depend heavily on your organization’s specific context: the industry in which you operate, the regulations that apply, and how your internal processes work. Below are several common starting points to help you get going:

  1. Framework Requirements: Start with the framework you’ve selected (e.g., ISO 27001, HIPAA, SOC 2). Look at its core requirements and ask: “What could cause us to fail here?”

    Example (SOC 2 - Security): The Security criteria require logical access controls. If your company does not require multi-factor authentication (MFA) for admin users, that is a potential compliance risk.

  2. Business Processes: Map workflows in HR, finance, operations, and IT. Identify weak points, manual steps, or gaps in documentation.

    Example: In HR onboarding, if there is no checklist to ensure background checks are done, that’s an operational and legal risk.

  3. Previous Incidents: Review past issues like data breaches, audit failures, and support escalations.

    Example: If a past audit flagged a lack of formal vendor risk assessments, make this a formalized risk to track.

  4. External Factors: Look at legal changes, economic shifts, political risks, or vendor instability.

    Example: New data-protection obligations or GDPR enforcement decisions may expose your organization to penalties if your privacy notices are not up to date.

  5. Stakeholder Interviews: Ask team leads in IT, legal, HR, and operations about their concerns.

    Example: A legal manager might express concern about the lack of training logs for employees. That can be logged as a compliance documentation risk.

⏱️ Timeline & Tips

Risk identification for your first project can take anywhere from a few hours to a few days, depending on the size of your organization.

✅ Don’t aim for perfection, aim for coverage

✅ Involve cross-functional teams

✅ Revisit your risks quarterly or after any significant incident or audit

🛠️ How to Add Risks in Humadroid

Go to the Compliance section in the left-hand menu -> pick the project you want to add risks to -> open the "Risks" tab -> click "Add Risk".

  1. Enter a Title and Description that reflect your organization’s exposures.

  2. Select a Risk Category, assign an Owner, and set a Next Review Date so nothing slips through.

  3. On the Risk Assessment tab, you’ll see the predefined impact categories, based on the Scoring Method you selected earlier. Enter the Likelihood and Potential Impact values in each category, and Humadroid will calculate the risk score.

  4. Select a Treatment Strategy (Accept, Mitigate, Transfer, or Avoid) and link any relevant controls or documents for complete traceability.

💡 Note: If the Risk Score Summary is at or above the Treatment Threshold of the selected Scoring Method, you cannot set the Treatment Strategy to Accept. The risk is too high to accept and move on; you will need to mitigate, transfer, or avoid it.
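The steps above describe a small risk register: per-category impact scoring against a Scoring Method, a treatment threshold that blocks Accept, and a review date per risk. The following Python model is an added example written for this page, not Humadroid code. It assumes a scoring formula (likelihood multiplied by the highest impact across categories) because the page does not state how Humadroid computes the score; the 5x5 scale, the three impact categories, the threshold of 12 and the two sample risks are all constructed for illustration.

```python
"""Minimal model of a compliance risk register: per-category impact scoring,
a treatment threshold that blocks 'Accept', and review-date tracking.
Added example; the scoring formula is an assumption, not Humadroid's."""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Treatment(Enum):
    ACCEPT = "Accept"
    MITIGATE = "Mitigate"
    TRANSFER = "Transfer"
    AVOID = "Avoid"


@dataclass(frozen=True)
class ScoringMethod:
    name: str
    scale_max: int             # likelihood and impact are scored 1..scale_max
    impact_categories: tuple   # predefined impact categories for this method
    treatment_threshold: int   # a score at or above this cannot be Accepted


@dataclass
class Risk:
    title: str
    owner: str
    likelihood: int
    impacts: dict              # category -> impact value, one per category
    next_review: date
    linked_controls: list = field(default_factory=list)


def risk_score(method: ScoringMethod, risk: Risk) -> int:
    """ASSUMED formula: likelihood x worst-case impact across all categories.
    Rejects out-of-range values and missing categories instead of guessing."""
    if not 1 <= risk.likelihood <= method.scale_max:
        raise ValueError(f"{risk.title}: likelihood {risk.likelihood} "
                         f"outside 1..{method.scale_max}")
    missing = [c for c in method.impact_categories if c not in risk.impacts]
    if missing:
        raise ValueError(f"{risk.title}: no impact entered for {missing}")
    for cat in method.impact_categories:
        value = risk.impacts[cat]
        if not 1 <= value <= method.scale_max:
            raise ValueError(f"{risk.title}: impact for {cat} = {value} "
                             f"outside 1..{method.scale_max}")
    return risk.likelihood * max(risk.impacts[c] for c in method.impact_categories)


def assign_treatment(method: ScoringMethod, risk: Risk, treatment: Treatment) -> Treatment:
    """Enforce the rule from the page: a score at or above the
    treatment threshold cannot be Accepted; it must be treated."""
    score = risk_score(method, risk)
    if treatment is Treatment.ACCEPT and score >= method.treatment_threshold:
        raise ValueError(f"{risk.title}: score {score} >= threshold "
                         f"{method.treatment_threshold}; choose Mitigate, Transfer or Avoid")
    return treatment


def overdue_reviews(risks, today: date) -> list:
    """Titles of risks whose Next Review Date has already passed."""
    return [r.title for r in risks if r.next_review < today]


# Constructed sample data (hypothetical scoring method and risks)
METHOD = ScoringMethod("5x5 matrix", 5, ("Financial", "Legal", "Operational"), 12)
TODAY = date(2025, 6, 4)
MFA_RISK = Risk("Lack of MFA for Admin Access", "Head of IT", 4,
                {"Financial": 3, "Legal": 4, "Operational": 5}, date(2025, 9, 1),
                ["MFA enforced for all admin roles"])
PRIVACY_RISK = Risk("Outdated privacy policy", "Legal Counsel", 2,
                    {"Financial": 3, "Legal": 4, "Operational": 2}, date(2025, 3, 1))

if __name__ == "__main__":
    for r in (MFA_RISK, PRIVACY_RISK):
        print(f"{r.title}: score {risk_score(METHOD, r)}")
    try:
        assign_treatment(METHOD, MFA_RISK, Treatment.ACCEPT)
    except ValueError as err:
        print("rejected:", err)
    print("accepted:", assign_treatment(METHOD, PRIVACY_RISK, Treatment.ACCEPT).value)
    print("overdue:", overdue_reviews([MFA_RISK, PRIVACY_RISK], TODAY))
```

With these constructed values the MFA risk scores 20 and cannot be accepted, while the privacy-policy risk scores 8 and can; the privacy risk also shows up as overdue for review. If you keep a register like this outside the tool, make the threshold check a hard failure rather than a warning, so an accepted high score cannot slip into a report unnoticed.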

Examples of Common Risks:

  • Lack of MFA for Admin Access
    Admin users are not required to use multi-factor authentication, increasing the likelihood of unauthorized access. This is a common finding under SOC 2's Security criteria (Common Criteria CC6, logical and physical access controls), which require strong access controls.

  • No documented vendor assessment process
    Vendors are onboarded on an ad hoc basis without consistent risk assessments. This creates blind spots and is often highlighted in third-party risk management reviews (ISO 27001:2013 Annex A.15, Supplier relationships; controls A.5.19 to A.5.23 in the 2022 revision).

  • Outdated privacy policy
    Your public-facing privacy policy hasn’t been updated despite recent regulatory changes like GDPR rulings or CPRA amendments. This leaves you exposed to potential legal penalties.

  • Excessive admin rights
    More employees than necessary have unrestricted access to internal systems. This violates the principle of least privilege and increases the risk surface area in case of an insider threat.

  • No defined incident response plan
    Your organization has no written and approved process for handling security incidents. This gap would be flagged during audits and leaves you unprepared in a crisis.

Each of these risks connects to a real-world weakness that could compromise your compliance posture, and each one can be turned into a documented, trackable item in your Humadroid project.

🧩 Link Risks to Other Compliance Components

Risks can later be linked to:

  • Controls (preventive measures you take)

  • Documents/Policies (e.g., Incident Response Policy)

Linking risks with controls or documents gives you a full picture of your project: for each risk you can see what is in place to treat it and where that treatment is documented.


📘 Learn more: What are Scoring Methods and how to define them

By identifying risks with care and structure, you set up a compliance posture that’s proactive, auditable, and ready for change.