In the example you have given (assessment of adequacy) is an assessment of whether they comply with the law. This differs from a Risk Assessment, where there is a risk that they might not comply with the law yet you are happy to accept this. Apologies if I didn't explain that bit fully. In the US a company is deemed adequate if they have signed up and been certified under Safe Harbor (remembering to check what they have agreed to within that agreement ... as they may not be covered for everything you want). Although it is a voluntary scheme and some sectors are restricted from being part of this (and covered under other acts and regulations to do with finance and telecommunications), a company that has not signed up to it (never mind the woolliness of the T&Cs) gives no guarantee of adequacy.
Although the United States of America (US) is not included in the European Commission list, the Commission considers that personal data sent to the US under the “Safe Harbor” scheme is adequately protected. When a US company signs up to the Safe Harbor arrangement, they agree to:
follow seven principles of information handling; and
be held responsible for keeping to those principles by the Federal Trade Commission or other oversight schemes.
Certain types of companies cannot sign up to Safe Harbor. View a list of the companies signed up to the Safe Harbor arrangement on the US Department of Commerce website.