What Is a Compliance Risk Assessment — and Does Your Business Need One?

If your compliance framework requires a risk assessment and you don’t have one, everything else you’re doing is built on sand.

A compliance risk assessment is the documented process of identifying where your sensitive data lives, who and what can access it, what threats and vulnerabilities exist, and how likely and impactful each risk is. It’s the foundation that tells you what controls you actually need — and it’s the document an examiner or auditor will ask for first.

Despite this, it’s one of the most commonly skipped requirements in small and mid-sized business compliance programs. Not because business owners are careless, but because “risk assessment” sounds abstract and technical, and nobody explains what it actually involves.

Which frameworks require one

HIPAA requires covered entities and business associates to conduct a thorough and accurate risk assessment — this is not optional and not a gray area. The HHS Office for Civil Rights has cited failure to conduct a risk assessment as a contributing factor in virtually every significant HIPAA enforcement action.

GLBA Safeguards Rule requires financial institutions to conduct periodic assessments of the risks to customer information and to evaluate the safeguards in place to control those risks.

PCI-DSS requires an annual formal risk assessment as part of the compliance program.

SOC 2 auditors will look for documented risk assessment processes as part of the Common Criteria.

SEC cybersecurity rules require registered advisers to have a process for assessing material cybersecurity risks — which in practice means documented risk assessment.

CMMC / NIST 800-171 require risk assessments as a specific control family.

If you operate under any of these frameworks and you don’t have a current, documented risk assessment, you have a compliance gap — full stop.

What a risk assessment actually covers

Asset inventory. A complete picture of every system, device, application, and data store in your environment, and what category of sensitive data each one touches. You can’t assess risk to assets you don’t know you have.

Threat identification. The realistic threats to your environment: ransomware, phishing, credential theft, insider threat, physical theft of devices, vendor-side breaches, accidental disclosure. These are the scenarios that have actually resulted in enforcement actions and breaches at businesses like yours.

Vulnerability identification. Where the gaps are: unpatched systems, misconfigured access controls, missing MFA, inadequate backup, unencrypted devices, insufficient staff training.

Risk scoring. For each threat/vulnerability combination: how likely is it to occur, and what would the impact be? This produces a prioritized list of risks that drives your remediation roadmap.

Control evaluation. Which existing safeguards are working, which are partially effective, and which are missing entirely.

Remediation roadmap. A prioritized, documented list of what needs to change, in what order, to bring your risk profile to an acceptable level.

Documentation. The completed assessment itself — the artifact your auditor will review, your compliance officer will rely on, and your cyber insurance carrier may request.

How often you need one

At minimum, annually — and whenever there’s a significant change to your environment: new systems, new locations, significant new software, workforce changes, or a security incident. The HIPAA rule says “periodic,” which OCR has interpreted to mean at least annually.

A risk assessment done once and forgotten isn’t a risk assessment — it’s a document. A living compliance program reviews and updates the assessment continuously and formally revisits it at least once a year.

What happens when you don’t have one

During a regulatory examination or audit, the absence of a risk assessment is an immediate finding — often a significant one. HIPAA enforcement actions frequently cite risk assessment failure as a primary violation. Fines have been issued specifically for this gap, independent of whether a breach occurred.

When a breach does occur, the absence of a risk assessment makes everything worse: it’s evidence that the organization didn’t take its obligations seriously, it tends to result in higher penalties, and it substantially weakens any defense that the breach was unforeseeable.

Cyber insurance carriers increasingly request risk assessment documentation. A policy that doesn’t cover a breach because the organization lacked documented risk management isn’t hypothetical — it’s happening.

What we do

NerdSquad conducts technology risk assessments as part of our managed IT and compliance support work. We produce the documentation, identify the gaps, prioritize the remediation, and implement the technical controls the assessment identifies as necessary. The assessment isn’t a consulting deliverable we hand you and walk away from — it’s the foundation of the ongoing relationship.

For regulated industries, see “Do you help us stay HIPAA compliant?” and “Do you help financial advisors stay SEC, FINRA, and GLBA compliant?” For the broader compliance picture, see “What is digital compliance — and why does your business need to care?”