
The Compliance Maturity Spectrum

A tool to self-assess the maturity and health of your compliance program, plus guidance on how to evolve and mature your compliance program.

03: Compliance Maturity Self-Assessment: People

This self-assessment will help you identify where your organization currently falls on the compliance maturity spectrum. Once you have the results, you can move on to the next section to see a set of recommendations and action items for evolving and optimizing your compliance program.

Moving up on the compliance maturity spectrum requires making a meaningful investment in your people. Greater investment leads to better people-related outcomes, including greater employee engagement, greater commitment from employees to holding themselves and each other to a high standard, and better morale within the compliance team.

Compliance Maturity Scale: People

Level 1: Minimal

Leadership team believes compliance is a means to an end.

No individual in the company is responsible for compliance.

Employees are not aware of how compliance impacts their day-to-day.

Level 2: Reactive

Leadership team believes compliance is a means to an end.

Some individuals have responsibilities for compliance, but there are no full-time staff.

Morale of employees with compliance responsibilities is low because meeting compliance requirements is painful and “extra” to their day job.

Most employees are not aware of how compliance impacts their day-to-day.

Level 3: Evolving

Leadership team sees compliance as essential to business continuity.

Dedicated compliance team in place.

Compliance team’s morale is low or average because they are overworked. Work happens in surges, driven by events such as an audit or a regulatory deadline.

Employees have been trained on certain topics (e.g. security awareness). Commitment to upholding standards varies across the organization.

Level 4: Continuously Compliant

Leadership team sees compliance as essential to business continuity.

Dedicated compliance team in place.

Compliance team’s morale is low or average because they are overworked. Work happens in surges, driven by events such as an audit or a regulatory deadline.

Employees have been trained on certain topics (e.g. security awareness). Commitment to upholding standards varies across the organization.

Level 5: Strategic

Leadership team sees value in compliance as a strategic advantage to the organization.

Dedicated compliance team in place.

Organization has created a new role to focus on strategy. Someone is proactively looking at regulations to find new business opportunities. Compliance workload shifts from administrative to strategic (due to automation). Morale improves.

All employees understand the importance of compliance and their role in protecting the organization.

Self-assessment questionnaire

Please answer “yes” or “no” for each of the following questions.

1. Does your leadership team set the tone? The executive leadership team believes that compliance matters to the business.

2. Do you have full time professionals on staff who are focused on compliance-related matters (including security, data privacy and regulatory compliance)?

3. Does the compliance team have a seat at the table?

For example, does the most senior member of the compliance team report to someone in the C-suite? Does your compliance team have a direct line of communication to your board?

4. Are the right people in the organization talking to each other at critical junctures?

For example, is your chief compliance officer or your chief information security officer part of conversations about the development of new software/databases/applications?

5. Is there training on compliance so that employees know what’s expected of them?

6. Is the training effective in shifting behavior?

7. Is there alignment between business goals and compliance objectives?

8. Are employees rewarded only for the results they produce? If compliance results are a factor in your compensation scheme, please answer “no” to this question.

9. Does your organization have staff who are proactively analyzing upcoming regulations to determine how your organization might take advantage of regulatory changes?

Self-assessment rubric

Number of times you answered “yes” | Compliance Maturity Level
3 or fewer out of 9 | Level 1 or 2: Minimal/Reactive
5 or 6 out of 9 | Level 3: Evolving
7 or 8 out of 9 | Level 4: Continuously Compliant
9 out of 9 | Level 5: Strategic