Our Take
Maturity scoring has dominated compliance assessment for years, but regulators under accountability regimes now demand operational evidence that controls work—a gap that exposes senior managers to personal risk.
Why it matters
Under SM&CR and equivalent regimes globally, personal liability for compliance failures is explicit. Traditional assessments that confirm policies exist miss whether they function day-to-day, a distinction regulators now scrutinize heavily during enforcement actions.
Do this week
Compliance heads: audit your current assessment model this week to identify which controls are scored for maturity alone and which carry operational evidence of effectiveness.
Regulators shift from documentation to operational proof
Compliance assessment is moving beyond the traditional maturity model. Under the UK's Senior Managers and Certification Regime (SM&CR) and equivalent frameworks in other markets, regulators no longer accept documented controls as sufficient evidence. Senior managers must now demonstrate that controls are actually working in practice, a distinction that carries explicit personal liability if compliance fails.
Argus Pro, a compliance assessment platform provider, has released Aegis Compass to address this gap. The platform scores both maturity (whether policies and controls exist) and effectiveness (whether those controls produce intended results). Maturity scoring confirms that a control has been designed and documented. Effectiveness assessment surfaces whether the framework is delivering operational outcomes across the organisation.
The platform derives its assessment questions directly from legislative instruments rather than from generic checklists. Current coverage spans cyber security and digital operational resilience (DORA, 30 jurisdictions), anti-financial crime (FATF 40 Recommendations with national variants), and AI governance (EU AI Act and ISO 42001). Each assessment question maps back to its source requirement, so firms can trace compliance activity to the underlying regulation.
Aegis Compass collects responses from multiple stakeholders across functions, locations and seniority levels rather than relying on single respondents or facilitated workshops. When responses diverge, the platform flags the variance as actionable. The tool also includes hybrid AI capability: natural language processing ingests regulatory changes, generative AI compares updates to internal policies, and machine learning identifies patterns in structured and unstructured data to detect emerging risk typologies.
On remediation, the platform distinguishes between types of control weakness. A gap may require training, policy change, process redesign, stronger data lineage, clearer ownership or technology intervention. Rather than simply flagging that remediation is needed, the tool identifies which type of intervention is most likely to address the root cause.
The gap between documented and operational is now a personal risk
Traditional maturity assessments have long served as the compliance industry's default benchmarking tool. They confirm that policies are documented and controls have been designed. What they are structurally ill-equipped to show is whether any of that translates into operational reality. For senior managers with prescribed responsibilities, that gap carries genuine personal exposure.
The problem compounds under current pressure on compliance functions. Regulatory change is accelerating, supervisory models are shifting from periodic review to continuous oversight, and teams are absorbing additional workload with flat or declining resources. A high maturity score does not equate to a functioning control framework. Firms under close supervisory attention across DORA, anti-financial crime, data governance and cyber resilience increasingly cannot ignore the delta between what is documented and what is operational.
Compliance failures frequently occur not because controls were absent, but because incentives, normalised workarounds and behavioural patterns gradually undermined them. Data quality compounds this: if a firm cannot trace where data originates, how it is transformed, where it travels and whether it arrived complete, it cannot credibly demonstrate that controls are operating as intended. When a regulator investigates a control failure, scrutiny will focus on whether reasonable steps were taken to verify the framework was working, not whether the framework was documented.
Audit the gap between your current scores and your operational reality
If your compliance assessment relies solely on maturity scoring or facilitated workshops, you are measuring how the attendees understand your framework, not how it functions day-to-day across the organisation. Multi-respondent assessment tools that surface variance across functions and seniority levels expose inconsistent application of controls and informal workarounds that single-respondent models miss.
For firms managing multi-jurisdictional regulatory perimeters, a FATF-plus approach (anchoring to global standards and identifying deltas against local requirements) will reduce wholesale reassessment cycles when regulations change. When a rule shifts, targeted reassessment of affected clauses is more efficient than re-running the entire control framework.
Begin by mapping your current controls to their source regulations. For each control, ask whether your assessment confirms maturity or effectiveness. If you cannot produce evidence that a control is producing its intended operational outcome, that is a gap regulators will find and senior managers will need to defend.