Question: Has the organization defined a compliance program with identified obligations, responsible owners, and review frequency?
Why This Matters
A structured compliance program transforms scattered tasks into a managed system of accountability. It ensures laws, standards, and contracts are tracked and acted upon.
Maturity
0 — Unaware
No compliance register or ownership.
1 — Ad Hoc
Scattered documentation managed by individuals.
2 — Defined
Compliance register established with owners and frequencies.
3 — Managed
Periodic reviews and status reports to management.
4 — Integrated
Compliance linked with risk and audit plans.
5 — Optimized
Continuous tracking and real-time dashboards for all obligations.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | List all regulatory and contractual obligations. |
| 1 → 2 | Create a compliance register with owner, evidence, and review frequency for each obligation. |
| 2 → 3 | Establish monthly/quarterly review cadence and status reports. |
| 3 → 4 | Link compliance tasks to risk and audit cycles. |
| 4 → 5 | Automate reminders and dashboarding. |
Enablers
- People: Compliance Officer, Risk Manager, Legal Counsel
- Process: Identify → Map → Monitor → Report
- Technology: GRC tool, spreadsheet tracker, dashboard engine
Evidence
- Compliance register
- Assignment of responsibility
- Review meeting minutes
KPIs
- Number of obligations tracked
- Percentage with assigned owner
- Compliance review completion rate
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Register | Airtable / Excel | Ownership + frequency fields |
| Workflow | Odoo / n8n | Reminders and approvals |
| Dashboard | Metabase | Real-time status |
Common Pitfalls
- Register exists but is never updated
- Duplicate or unclear ownership, so obligations fall between owners
- No link to the risk or audit program
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001 | A.5.31 (Compliance with requirements) |
| DPDP Act 2023 | Sec 10 (Accountability and Governance) |
| CERT-In 2022 | Rule 12 (Reporting and Oversight) |
| NIST CSF 2.0 | GV.OV / GV.MA |
| NIRMATA Mapping | CA-Q01 anchors the organization-wide compliance program. |