Create a catalog / list of the regulations (e.g., externally imposed, internally imposed, and contractually assumed) we have to comply with, and add who is responsible for each one.
Second step would be to indentify the likelihood and impact of non-compliance.
Operations
Identify best practices.
Possibly create a checklist/toolkit of things individuals should be asking or considering when trying to assess risk.
Finance
Identify risks related to complexity of central lead/Unit organization and the roles and responsibilities of each.
Identify risks related to implementation of Deficit Policy