The Compliance Maturity Spectrum

A tool to self-assess the maturity and health of your compliance program, plus guidance on how to evolve and mature your compliance program.

04: Compliance Maturity Self-Assessment: Processes

This self-assessment will help you identify where your organization currently falls on the compliance maturity spectrum. Once you have the results, you can move on to the next section to see a set of recommendations and action items for evolving and optimizing your compliance program.

There are four distinct processes that, when used together, affect an organization’s ability to run an effective compliance program.

Compliance Maturity Scale - Table Process

1. Regulatory Updates: The way in which an organization monitors, analyzes, and responds to regulatory updates and industry standards (e.g. maintaining SOC 2 compliance over time).

2. Collaboration: The degree of collaboration between the compliance team, operations teams (e.g. IT, engineering), and business stakeholders. Making sure that the right people are talking to each other at key junctures is crucial to getting to good compliance and good business outcomes.

3. Controls Testing: Controls only improve compliance outcomes when they are implemented correctly and tested regularly. Different organizations take very different approaches to testing, measuring, and ensuring the effectiveness of their controls.

4. Evidence collection: You don’t truly know the effectiveness of your compliance measures unless you have evidence. Each organization will have a very different approach to collecting evidence.

How to Self-Assess

Level 1

  • Level 1 organizations have minimal processes for managing their compliance programs.
  • These organizations do not try hard to keep up with regulations that may affect their market and industry.
  • The organization may or may not not have any controls and they don’t spend time testing controls or ensuring they are effective in the real world.
  • Evidence collection in these organizations is minimal. They may keep track of some policies and operating procedures so they can send documents to their auditors, but they haven’t established an organized system to manage their evidence.
  • There is minimal collaboration between stakeholders. For example, the CTO of the organization may work with control owners (e.g. engineers responsible for security, head of HR responsible for employee handbook) to get certain things done to prep for an audit. Once the audit is over, the groups go back to their “day jobs” and don’t discuss compliance measures again.

Level 2

Similar to level 1 organizations, level 2 organizations have light processes to manage their compliance projects, because they’re handling regulations on a one-off basis in an opportunistic way.

Level 3

  • The move from level 2 to level 3 represents significant progress in process maturity.
  • The organization has a compliance program in place and is looking to expand the scope of their program, streamline their processes, and find efficiencies.
  • A Level 3 organization has a staff dedicated to monitoring regulatory updates and translating them into new company policies (e.g. Director of Compliance/General Counsel). They also have staff dedicated to security measures (e.g. Chief Information Security Officer).
  • The level of collaboration between the compliance officer and their team and other teams such as IT and engineering is significant, which is a big change from level 2. Getting here requires an organization to spend significant time on stakeholder education. People need to learn new ways of working together and must understand the value of adapting new processes.
  • The organization does some testing of controls to make sure they work in the real world, but testing isn’t systemic and there isn’t a predefined standard that’s applied to the tests. The organization has a logical system for running their programs and for gathering and retrieving evidence for audits.

Level 4
Continuously Compliant

  • The move from level 3 to 4 represents a significant step up in process maturity. But unlike the move from level 2 to 3, it does not require an additional investment in time. In fact, getting to level 4 is mainly about standardizing and streamlining operational processes.
  • The organization has implemented a compliance system of record to manage their program at scale and to streamline the collection of evidence.
  • Conversations about risks and compliance are being held at all levels of the organization and compliance is embedded into many business processes.
  • Those responsible for implementing the controls have defined success and failure in relation to their controls and collected evidence. Testing parameters for controls are defined ahead of time so control owners can ascertain whether the evidence adheres to stated policies or falls outside them.

Level 5

  • Organizations at level 5 see a successful compliance program as a business capability and a competitive advantage. The organization proactively thinks about new opportunities that may emerge from new regulations and how to take advantage of change.
  • There is ongoing collaboration between the compliance team and operations teams; product development and engineering work together to ensure products (e.g., data storage and processing systems) are secure and compliant by design.
  • A level 5 organization is a sophisticated user of technology within the risks and compliance realm. For example, not only do they use compliance management software to run their programs, they’ve also set up integrations between their compliance system of record and other applications to automate the testing of controls as much as possible.