ComplOrg defines seven maturity levels for individual compliance domains (Level 1 being the lowest maturity level and Level 7 being the highest):
Level 1 (Sporadic and ad-hoc): The focus is on the most apparent/critical areas, but this may leave the organization exposed to a lot of compliance vulnerabilities.
Level 2 (Planned but not comprehensive/documented): There is a deliberate focus on the most important areas, but the compliance program may not be comprehensive and/or the organization may not be able to demonstrate compliance in the absence of appropriate documentation.
Level 3 (Comprehensive and documented): The compliance program is comprehensive and the compliance activities are documented.
Level 4 (Aligned with voluntary ESG): Compliance can support voluntary ESG reporting with the relevant data and metrics to satisfy key stakeholders’ expectations.
Level 5 (Integrated compliance function): All compliance domains are considered, and a formal risk assessment is conducted to justify why any individual domains are not viewed as significant and why they are excluded from the integrated compliance function’s scope.
Level 6 (Integrated with ERM): Compliance domains are linked to the organization’s ERM function.
Level 7 (Integrated into external reporting): Compliance domains provide input into the organization’s mandatory external reports.
Download the comprehensive overview of ComplOrg here which outlines the requirements for each maturity level.
Every organization faces multiple compliance requirements
Organizations usually have multiple domains where compliance is important, and each of them may be at a different maturity level. Therefore, if you use a staircase to describe how an individual compliance domain moves up from one maturity level to another one, there are in fact several such staircases in every organization. On certain floors, or levels as they are called under ComplOrg, these compliance domains may connect to each other, and for a higher maturity level, an integration amongst the compliance domains and other corporate functions is necessary.