By Kevin M. Hyams
This article draws on more than 35 years of practical experience designing and leading governance, risk and compliance assessment work across multiple industries and regulatory subject areas.
Why I wrote this
Maturity assessment is one of the most useful parts of a compliance assessment, but it is also one of the easiest to misunderstand.
In practice, I have often seen teams move too quickly from scope into gap analysis or control testing, before they have a clear view of where the organisation actually stands.
That can create avoidable pressure. People start debating conclusions before they have agreed on the current state. They ask for evidence before they know what level of assurance is reasonable. They treat every issue as if it were equally important.
I wrote this article because maturity assessment should help clarify that early judgement. It should help the team understand current readiness, decide what level of assurance is appropriate for the risk, and document a credible path from today’s position to a stronger, evidence-supported control environment.
That is not about making weak practice look better than it is. It is about giving management a practical, structured and honest view of readiness before the assessment moves deeper.
Every effective compliance assessment starts with one simple question:
Are we meeting the requirements that apply to us?
After the scoping process has identified what applies, the maturity assessment asks a different but closely related question:
Where are we now, and what level of assurance is reasonable for the risk?
That question matters because many organisations have some form of policy, process, control or management practice in place. But “something exists” is not the same as “something can be relied on”.
A practical maturity assessment helps a business:
- Understand current readiness before moving into deeper assessment work
- Distinguish between validated, documented, undocumented, pending and gap positions
- Apply proportionality, materiality and relevance to the level of assessment effort
- Use inherent risk and consequences of failure to decide how much assurance is needed
- Avoid false comfort where controls are assumed but not evidenced
- Create a credible path from current readiness to stronger assurance
- Give management, boards, auditors and advisers a clearer basis for deciding what should happen next
This is the second blog in a six-part series on NORVA’s practical approach to compliance assessment.
In this article, we look at the second phase:
Maturity Assessment.
What is a compliance maturity assessment?
A compliance maturity assessment is an early, structured review of current readiness.
It helps the assessor understand whether each applicable requirement, control or process is already supportable, partially documented, undocumented, pending, or a gap.
It should not be confused with final assurance. It is not the end of the assessment.
It is the stage that helps the team understand the starting position before moving on to gap analysis, control testing, evidence review, and reporting.
In NORVA’s six-phase approach, maturity assessment follows scoping for a reason. Scope decides what applies. Maturity assessment then asks what currently exists, what can be supported, and what level of assurance the organisation should reasonably aim for.
Where does maturity assessment fit in the six connected phases?
A practical compliance assessment can be thought of in six connected phases:
- Scope — assess what applies, focus where risk justifies it, and no more
- Maturity Assessment — understand current readiness and the assurance path
- Gap Analysis — identify what needs attention and what risk remains
- Risk and Control Matrix Assessment — test the controls management relies on and update the assessment position
- Documentary Evidence — support the assessment position and produce evidence on demand
- Inspection-Ready Deliverables — make the assessment usable, reportable and credible
Maturity assessment is the bridge between deciding what applies and deciding what needs attention.
Without it, the assessment can jump too quickly from scope to conclusions.
That is risky, because the organisation may not yet know whether its current practices are validated, documented, incomplete or simply assumed.
A good maturity assessment gives the team a disciplined early view of readiness before the more detailed work begins.
The practical question behind maturity assessment
The practical question is not simply:
Do we have a control?
The better question is:
What do we currently have in place, how well is it supported, and what level of assurance is reasonable for the risk?
That question helps avoid two common mistakes:
- Treating a written policy or stated process as if it automatically proves compliance
- Treating every requirement as if it needs the same depth of testing, evidence and remediation
A maturity assessment should help the assessor apply practical judgement. Some areas may need a fully validated control position. Others may justify a lighter but still documented review. Some may be acceptable for now, provided the risk is understood and the path to improvement is clear.
The point is to avoid both under-assessment and over-assessment.
The maturity statuses should be plain and usable
A maturity assessment should not require complicated language to be useful.
In many assessments, five practical statuses are enough to establish the current position:
- Validated — the control, process or document is in place and supported by evidence
- Documented — the control, process or document exists, but may still need validation or testing
- Undocumented — something may happen in practice, but it is not yet properly recorded or evidenced
- Pending — work is planned or underway, but not yet complete
- Gap — the expected control, process, document or evidence is missing or materially insufficient
These statuses are useful because they are easy to understand. They help management see the current position without turning the assessment into technical language that only a small group can interpret.
They also create a better starting point for gap analysis. A gap is easier to assess when the team knows whether the issue is a missing control, weak documentation, incomplete evidence, delayed implementation or a more serious failure of design or operation.
Why maturity assessment should consider reasonable assurance
Reasonable assurance is an important concept because compliance assessment work is rarely about achieving absolute certainty.
The practical question is usually whether the organisation has done enough, at the right level of depth, to support the position it relies on.
That judgement should be shaped by:
- Inherent risk
- Consequences of compliance failure
- Materiality of the requirement, process or control
- Relevance to the organisation’s activities and obligations
- Available evidence
- Resource capacity
- Cost-benefit
- Management’s appetite for assurance
In a higher-risk area, reasonable assurance may require stronger evidence, more detailed review and a clearer testing path.
In a lower-risk area, a lighter assessment may be proportionate, provided the judgement is documented and the organisation can explain why that level of review was appropriate.
This is where maturity assessment becomes commercially and operationally useful. It helps teams decide where to spend effort, rather than spreading the same level of assessment work across everything.
How proportionality, materiality and relevance should shape the maturity view
Proportionality
Proportionality means the depth of assessment should fit the risk and importance of the requirement. A minor administrative item should not automatically consume the same effort as a control that supports a material compliance obligation.
Materiality
Materiality means the assessor should consider whether the issue could meaningfully affect the organisation’s compliance position, risk exposure, reporting, regulatory standing or ability to rely on the control.
Relevance
Relevance means the assessor should keep asking whether the requirement, control, evidence or weakness actually matters to the organisation’s activities, obligations and risk profile.
Used together, these concepts help avoid assessment work that is either too light to be credible or too heavy to be practical.
What maturity assessment helps management see
A good maturity assessment gives management an early view of the compliance environment.
It can show:
- Where the organisation already has supportable practices
- Where controls exist but evidence is incomplete
- Where practices are informal and need to be documented
- Where work is underway but not yet complete
- Where a clear gap exists
- Where the assurance target should be higher because the risk is higher
- Where a staged improvement path may be reasonable
That early view is valuable because it helps management make better decisions before the assessment becomes too detailed, too expensive or too difficult to steer.
Why maturity assessment reduces cost
Maturity assessment reduces cost by helping teams avoid unnecessary assessment effort.
If a requirement is already validated and supported by evidence, the team may not need to spend as much time rediscovering what is already known.
If a requirement is undocumented, the immediate issues may be documentation and ownership, not full operating-effectiveness testing.
If a requirement is pending, the assessment can record the position honestly and link it to a target date or remediation action.
If a gap exists, the team can decide whether it requires urgent remediation or should be prioritised based on risk and materiality.
This is one way a structured assessment can become more cost-effective. It helps the team spend time where it matters most.
Why maturity assessment improves credibility
A compliance assessment is more credible when it demonstrates how the organisation arrived at its position.
Maturity assessment helps by creating a clear record of current readiness before deeper assessment conclusions are reached.
That matters to senior management, boards, auditors, regulators and clients because they may want to know:
- What was already in place?
- What was documented?
- What was only assumed?
- What evidence supported the current view?
- What still needs validation or testing?
- What level of assurance was considered reasonable?
- What path was agreed to improve the position?
Those questions are not academic. They are often the difference between an assessment that merely records activity and one that supports a more defensible position.
Where maturity assessment can go wrong
Maturity assessment is useful only if it is honest and disciplined.
Common problems include:
- Marking a process as mature because people believe it happens, without checking evidence
- Treating documentation as proof that a control is operating effectively
- Applying the same maturity expectation to every requirement, regardless of risk
- Using vague labels that management cannot interpret
- Failing to distinguish between current readiness and the target assurance position
- Moving into gap analysis before the current state is understood
The remedy is not to make the process heavier. It is to make the judgement clearer.
The assessment should show what exists, what supports it, what is missing, and what level of assurance the organisation is aiming for.
How the assessment tool should support maturity assessment
Maturity assessment should not depend on informal notes, disconnected spreadsheets or memory.
If maturity assessment is a core phase, the assessment tool should support it by design.
A practical assessment tool should help the user:
- Work from the scoped population of applicable requirements
- Capture the current maturity status consistently
- Link maturity status to source requirements and policy context
- Record whether the current position is validated, documented, undocumented, pending or a gap
- Consider inherent risk and consequences of failure when setting the assurance target
- Distinguish between current readiness and the desired assurance position
- Create a clear path into gap analysis, control testing, evidence collection and reporting
- Preserve the reasoning behind management judgement
This is one of the design principles behind the NORVA Solutions Compliance Assessment Toolkit.
NORVA’s Excel-native smart templates are designed to help teams move from policy commitment to scoped assessment work to maturity view to evidence-supported outputs.
The point is not that software replaces judgement.
It does not.
The point is that the right tool helps experienced people apply judgement consistently and document it clearly.
That is what we believe NORVA can help subscribers do.
A practical maturity assessment checklist
Before moving from maturity assessment into gap analysis, the assessment team should be able to answer these questions:
- Have we confirmed the requirements included in the assessment scope?
- Have we identified the current maturity status for each applicable requirement, control or process?
- Have we distinguished between validated, documented, undocumented, pending and gap positions?
- Have we considered inherent risk before deciding the level of assurance needed?
- Have we considered materiality, relevance and proportionality?
- Have we identified where evidence is already available?
- Have we identified where evidence is incomplete or missing?
- Have we avoided treating documentation as proof of operating effectiveness?
- Have we defined the assurance level we are aiming for?
- Have we documented a credible path from current readiness to the target position?
- Can management explain why the maturity view is reasonable?
- Does the maturity assessment provide a reliable foundation for gap analysis, control testing, evidence collection and final reporting?
If the answer to those questions is yes, the assessment is better positioned to move into gap analysis with clarity and discipline.
Conclusion: know where you are before deciding what needs to change
Maturity assessment is not a cosmetic scoring exercise.
It is the point at which the organisation takes an honest, structured view of current readiness.
Done well, it helps the team understand what already exists, what can be supported, what is incomplete, and what level of assurance is reasonable for the risk.
It also helps avoid two expensive mistakes: doing more assessment work than is needed, or relying on a position that is not yet properly evidenced.
That is why maturity assessment belongs near the start of the compliance assessment process.
Scope tells us what applies.
Maturity assessment tells us where we are now.
Gap analysis then becomes more useful because it is built on a clearer view of current readiness.
I hope that helps. Whatever the method, the principle is the same: If it applies, assess it. If you rely on it, prove it.
Make Maturity Assessment Easier
The NORVA Solutions Compliance Assessment Toolkit is designed to help compliance teams and advisory firms scope, assess, evidence and report their compliance position using structured, Excel-native smart templates.
For maturity assessment, the toolkit helps teams capture current readiness, distinguish between documented and validated positions, identify gaps, and define a practical assurance path based on risk, materiality and available evidence.
Each smart template is supported by an editable, principle-based policy document, so the organisation can maintain a clear governance foundation while using the assessment as the detailed record of requirements, controls, evidence, ratings and outcomes.
This helps teams move from informal judgement to a clearer, more supportable assessment position — without the cost and overhead of heavier enterprise systems.
Explore the NORVA Solutions Compliance Assessment Toolkit and see how structured maturity assessment can make your next compliance assessment easier, faster and more evidence-supported.