By Kevin M. Hyams
The fundamental question
At the heart of every effective compliance assessment is one practical question: Are we meeting the requirements that apply to us?
The right compliance assessment tool should help the compliance team reach a clear, defensible answer: we know what applies, we are doing what is needed, and we can show the evidence that supports it.
That answer matters because compliance assessment is personal for the people responsible for it. They are expected to interpret requirements, make proportionate scoping decisions, gather evidence, explain gaps and produce outputs that others can rely on. The right tool should reduce that burden, not add to it.
That question sounds simple, but answering it properly requires more than a list of obligations. It requires a clear workflow for deciding what applies, how deeply it should be assessed, where evidence will be retained, and how the results will be reported.
Without that workflow, teams can struggle with unclear scope, inconsistent assessments, scattered evidence, and outputs that must be rebuilt manually. Enterprise-level systems are most useful when they support a process that is already clear enough to benefit from them.
There is also an important scoping decision that often gets lost. Compliance assessment is not meant to be a mechanical exercise in treating every regulatory requirement as equally applicable, material, or urgent. Most regulatory frameworks acknowledge some form of proportionality, risk-based assessment, and reasonable — not absolute — assurance. In practical terms, that means each regulated entity should assess the requirements that apply to it to a depth that reflects its size, activities, risk profile, operating environment, stakeholder expectations, and the potential harm that non-compliance could cause.
That is why the central question is not:
Have we assessed everything?
The better question is:
Are we meeting the requirements that apply to us?
The practical gap is the missing middle: many teams have outgrown light spreadsheets, but they are not ready for the cost, implementation burden and upkeep of a full enterprise platform. NORVA Solutions' Compliance Assessment Toolkit is designed for that middle ground — structured enough to ensure consistent work, but familiar enough to start without a heavy implementation project.
A key part of that structure is that compliance assessment requirements in NORVA’s smart templates are anchored to regulatory source materials, hyperlinked directly within the relevant templates. Each template also includes a built-in evidentiary document repository so the location of supporting documents can be retained with the assessment and made easier to review or inspect at any point.
This is also the practical answer to the “isn’t this just another spreadsheet?” objection. The value is not the file format alone. The value is the programmed assessment logic, guided workflow and output generation powered by NORVA’s Assessment Runtime Engine.
Why this paper matters now
The promise of heavier enterprise-level GRC systems is attractive. Better visibility. More automation. Evidence kept in one place. Cleaner reporting. Less last-minute pressure before an audit, inspection or client review.
But the lived experience of many practitioners is more mixed. In community discussions, the same themes appear repeatedly: tools look strong in demos, implementation takes longer than expected, evidence still ends up scattered, teams discover that software cannot compensate for an unclear process, and the ongoing manpower required to maintain the system becomes an unexpected cost in itself.
That does not mean that enterprise-level platforms are inherently flawed. It means they are often bought before the organisation is ready to benefit from them. My view is simple: the process has to come before the platform.
The pattern practitioners keep describing
Across the research, five concerns stand out clearly:
- Heavier tools can require significant internal time, expertise and configuration before they deliver value.
- Manual mapping, integration fixes and policy rewriting often consume more effort than expected.
- Evidence collection remains a practical bottleneck when it is not captured within the workflow.
- Ongoing upkeep becomes a hidden workload, especially for lean teams.
- Many organisations are caught between basic spreadsheets and over-engineered platforms.
That last point is important. The market often presents the choice as if there are only two options: use spreadsheets or buy an enterprise-level GRC platform. In practice, many teams need something in between.
The missing middle
The missing middle is where many practical compliance teams live.
- They need more structure than ad hoc spreadsheets can provide.
- They need a repeatable way to assess requirements, controls, evidence and outputs.
- They need to support real work, not just produce a neat dashboard at the end.
- They need something affordable and easy enough to adopt without turning the tool into the project.
They also need the assessment itself to stay close to its sources. In practical terms, that means being able to see the underlying requirement, understand where it came from, assess the response, retain the evidence, and produce an output without losing the thread between those steps. NORVA’s smart templates are designed to preserve that thread.
That is where programmed template functionality matters. NORVA’s Assessment Runtime Engine supports the guided assessment experience within the smart template, helping users move through the work with greater consistency, less manual reconstruction, and a clearer path to usable outputs.
This is where the usual debate can become unhelpful. The real question is not whether spreadsheets are good or bad. The better question is whether the workflow inside them is structured enough to answer the question that matters:
Are we meeting the requirements that apply to us?
That question includes two important judgements.
First, which requirements apply?
Second, to what degree do they apply in this regulated entity’s risk environment?
Without that proportionality judgement, teams can easily do too much work, too little work or the wrong work. A practical compliance workflow should help users narrow the assessment to what matters, while still leaving a clear trail for how that judgement was reached.
This matters because the missing middle is not only a technology gap. It is also a judgement gap. Many teams do not need a heavier platform straight away. They need a structured, defensible way to decide what applies, how deeply to assess it, what constitutes enough evidence, and how to explain the answer.
Why ordinary spreadsheets fall short
Excel remains familiar, flexible and widely used. That is why compliance work often starts there. But ordinary spreadsheets usually break down when the assessment becomes more serious.
The common weaknesses are easy to recognise:
- Different assessors interpret requirements differently.
- The original regulatory source material is separated from the assessment logic, making it harder to see exactly what is being assessed and why.
- Evidence sits in folders, emails, or separate systems rather than being linked to the assessment logic.
- Ratings and status updates are applied inconsistently.
- Reports are rebuilt manually after the work is supposedly complete.
- The organisation cannot easily explain how it got from a requirement to an assessed response.
At that point, the spreadsheet is no longer just a working document. It becomes a risk in its own right.
Why proportionality matters in compliance assessment
One of the most discouraging thoughts for any assessor is the belief that every stated regulatory requirement must be assessed in the same way, at the same level of detail, regardless of the organisation’s actual circumstances.
In practice, compliance assessment is rarely meant to work that way. Regulations, auditors and oversight stakeholders generally recognise that judgement is needed. Many frameworks refer, directly or indirectly, to proportionality, risk-based assessment, materiality, relevance or reasonable assurance. The purpose is not to create certainty over every possible compliance point. The purpose is to form a supportable view of whether the organisation is meeting the requirements that apply to it.
That distinction matters.
A small or less complex organisation may not need the same depth of evidence, control design or governance structure as a larger, more complex, systemically important or higher-risk organisation. Equally, a lower-risk activity may not require the same level of assessment depth as an area where failure could cause significant customer harm, regulatory concern, operational disruption, financial loss, reputational damage, or wider market impact.
A practical workflow, therefore, needs to help users make three linked judgements:
- Applicability: Does this requirement apply to us?
- Proportionality: If it applies, how deeply should it be assessed?
- Evidence: What level of evidence is enough to support a reasonable assessment?
This is not about lowering standards. It is about focusing effort where it matters most. Without proportionality, assessment work can become overwhelming, inconsistent and difficult to defend. With proportionality, the organisation can show not only what it assessed, but why that scope and depth made sense.
For NORVA Solutions, this sits directly behind the central assessment question:
Are we meeting the requirements that apply to us?
The words “that apply to us” are doing important work. They recognise that compliance assessment is not just a checklist exercise. It is a structured judgement about relevance, risk, evidence and reasonable assurance.
Why heavier platforms can sometimes disappoint
The opposite problem is assuming that a heavier platform will fix the process. It rarely works that way.
An enterprise-level platform can centralise, automate and report. But it still needs a clear operating model underneath it. If requirements are unclear, controls are poorly mapped, evidence is not gathered in context, or reporting logic is inconsistent, the platform may simply scale those weaknesses.
That is why I like the phrase: automation is a force multiplier, not a foundation. It is a powerful idea because it protects teams from buying complexity before they have earned the right to benefit from it.
What a practical workflow needs to connect
A workable compliance assessment process does not need to begin with a heavy system. But it does need to connect the essential steps clearly:
- Source requirements: What regulatory or other source materials are the assessment requirements anchored to?
- Applicability: Which requirements apply to this organisation?
- Proportionality: To what degree do those requirements apply, given the organisation’s size, activities, risk profile, operating environment and the potential impact of non-compliance?
- Controls: What is in place to meet those requirements?
- Assessment: How are we rating maturity, implementation and response?
- Evidence: What supports the assessed response, and is the level of evidence appropriate to the risk and importance of the requirement?
- Validation: How has the assessed response been checked?
- Outputs: What reports, registers and dashboards can be produced without rebuilding the work?
Most teams do not fail because they cannot perform any one of these steps. They struggle because the steps do not join together. The gaps between source requirements, applicability, proportionality, assessment responses, evidence, and output create rework, uncertainty, and inspection anxiety.
The goal is not simply to complete more assessment activity. The goal is to connect the assessment activity to the right requirements, the right level of review, the right evidence and the right outputs.
Where NORVA’s Compliance Assessment Toolkit fits
NORVA’s Compliance Assessment Toolkit is designed for the missing middle between light spreadsheets and heavier GRC platforms.
It is Excel-native because Excel is already part of how many teams work. But it is not an ordinary spreadsheet. The programmed functionality, ease of use, and efficiency built into NORVA’s smart templates are powered by NORVA’s Assessment Runtime Engine — the underlying logic that turns a familiar workbook environment into a guided compliance assessment workflow.
In practical terms, that means helping teams move through the assessment in a more controlled way:
- requirements are organised for assessment;
- applicability and proportionality can be considered as part of the scoping judgement;
- users can focus assessment effort on the requirements that apply, and on the level of review appropriate to the organisation’s risk context;
- assessment requirements are anchored in regulatory source materials hyperlinked directly into the relevant smart templates;
- programmed assessment functionality is powered by NORVA’s Assessment Runtime Engine, supporting guided use, consistency and efficiency;
- responses are guided through consistent status and rating logic;
- evidence is captured in context through a built-in evidentiary document repository within each template;
- validation is recorded as part of the same workflow;
- outputs such as dashboards, status reporting and risk registers are generated from the work already completed.
That source-to-evidence connection matters. It helps users move beyond a loose list of tasks and towards a more defensible assessment trail:
requirement → applicability → proportionality → assessment → evidence → validation → output
This helps users avoid two common problems: over-assessing requirements that are not material to their context, and under-assessing requirements that carry real regulatory, operational or stakeholder significance.
The important point is that the structure is not cosmetic. NORVA’s Assessment Runtime Engine powers the template behaviour that makes the workflow easier to follow, more efficient to complete, and more useful as an assessment record.
The aim is not to pretend that every organisation needs less technology. Some will eventually need a full enterprise platform. But many teams first need a defensible workflow they can use now — without heavy cost, long implementation or a system they are not ready to maintain.
What “inspection-ready” should mean in practice
Inspection-ready should not mean rushing to gather evidence after the assessment is complete. It should mean the work has been structured so that the source requirement, assessed response, supporting evidence and reporting output are already connected and inspection-ready.
It should also mean that scoping decisions can be explained. If an organisation determines that a requirement is key, applicable only to a limited degree, or not applicable, that judgement should not disappear into informal notes or memory. It should be capable of being recorded, supported and reviewed.
This is where proportionality becomes practical. Reviewers do not usually expect perfection or certainty. They expect a reasonable, risk-based explanation of what was assessed, why it was assessed, what evidence was considered and how the organisation reached its conclusion.
That is why two design choices are central to NORVA’s smart templates:
- Regulatory source anchoring: assessment requirements are linked to relevant regulatory source materials within the template, helping users understand the basis for the requirement being assessed.
- Built-in evidence repository: each template includes a dedicated place to locate evidentiary documents, helping users keep supporting materials close to the assessment and easier to review or inspect when needed.
This does not remove the need for professional judgement. It makes the judgement easier to support, review, and explain.
What makes it more than a spreadsheet
The fact that NORVA’s Toolkit is Excel-native is intentional. It provides users with a familiar work environment and helps avoid the costs and friction of a large-scale implementation project. But Excel-native should not be confused with ordinary spreadsheet use.
The difference is that NORVA’s smart templates include programmed assessment functionality powered by NORVA’s Assessment Runtime Engine. That engine supports the guided template behaviour that helps users work through the assessment more consistently, efficiently and defensibly.
In practical terms, this means the template does more than just hold rows and columns. It is helping structure the assessment journey from source requirement to response, evidence, validation and output, through:
- Guided use: users are supported through a structured assessment flow rather than left to design their own process from a blank sheet.
- Consistency: programmed logic helps assessment responses and outputs follow a more repeatable method.
- Efficiency: the template is designed to reduce manual reconstruction by generating useful outputs from completed work.
- Defensibility: source links, assessment responses, evidence repositories and outputs are kept closer together, helping reviewers understand how the assessed response was reached.
A readiness check before buying a heavier enterprise-level platform
Before committing to a major enterprise-level implementation, I would encourage teams to ask ten practical questions:
- Do we know which requirements apply to us?
- Do we know which requirements do not apply to us, and can we explain why?
- Have we considered proportionality when deciding how deeply each requirement should be assessed?
- Can we see the regulatory source material behind the requirements we are assessing?
- Do we have a consistent assessment method?
- Do we capture evidence as part of the work, or chase it afterwards?
- Is evidence retained close enough to the assessment to support review or inspection?
- Can we explain how each answer was reached?
- Can we produce presentation-ready reports without manually rebuilding them?
- Do we understand the full cost of ownership, including implementation, upkeep and internal capacity?
If the answer to several of these questions is no, the immediate priority may not be a heavier platform. It may be a clearer workflow — one that helps the organisation define what applies, assess it proportionately, retain the evidence and explain the answer.
The practical takeaway
The strongest compliance tools do not remove the need for judgement, discipline or evidence. They depend on those things already being present.
That is why the most valuable first step is often not more software. It is a structured way to answer one simple question:
Are we meeting the requirements that apply to us?
The final words matter: that apply to us. They recognise that compliance assessment should be scoped, risk-based and proportionate. The aim is not to assess everything for the sake of completeness. The aim is to form a reasonable, evidence-based view of the requirements that apply to the organisation, at a depth appropriate to its risk environment.
For teams that are frustrated by ordinary spreadsheets but not ready for a heavy GRC platform, the opportunity lies in building the workflow first. Make the work consistent. Apply proportionality. Keep the evidence close to the assessment. Generate outputs as the work progresses. Then decide whether more tooling is genuinely needed.
That is the space NORVA’s Compliance Assessment Toolkit is built for: practical structure, familiar tools, direct links to regulatory source materials, proportionate scoping, built-in evidence repositories, programmed assessment functionality powered by NORVA’s Assessment Runtime Engine, and a clearer path from requirement to answer.
Build confidence before adding complexity
If your team is still relying on ordinary spreadsheets, but heavier enterprise-level software feels too costly, too complex or too soon, NORVA’s Compliance Assessment Toolkit gives you a more structured way forward.
Start with the source requirement. Decide what applies. Apply proportionality. Use the guided assessment logic. Capture the evidence in context. Answer the question. Build confidence before adding complexity.