| Maturity level | Description |
|---|---|
| 0 Non-existent | There is little awareness of external requirements that affect IT, with no process regarding compliance with regulatory, legal and contractual requirements. |
| 1 Initial/Ad Hoc | There is awareness of regulation, contract and legal compliance impacting the organisation. Informal processes are followed to maintain compliance, but only as the need arises in new projects or in response to audits or reviews. |
| 2 Repeatable but Intuitive | There is an understanding of the need to comply with external requirements, and the need is communicated. Where compliance has become a recurring requirement, as in financial regulations or privacy legislation, individual compliance procedures have been developed and are followed on a year-to-year basis. There is, however, no overall scheme in place ensuring that all compliance requirements are met. It is likely, therefore, that exceptions will occur and that new compliance needs will only be dealt with on a reactive basis. There is high reliance on the knowledge and responsibility of individuals, and errors are likely. There is informal training regarding external requirements and compliance issues. |
| 3 Defined Process | Policies, procedures and processes have been developed, documented and communicated to ensure compliance with regulations and with contractual and legal obligations. These are not always followed, and some may be out of date or impractical to implement. Little monitoring is performed, and there are compliance requirements that have not been addressed. Training is provided in the external legal and regulatory requirements affecting the organisation and in the defined compliance processes. Standard pro-forma contracts and legal processes exist to minimise the risks associated with contractual liability. |
| 4 Managed and Measurable | There is full understanding of the issues and exposures arising from external requirements and of the need to ensure compliance at all levels. There is a formal training scheme that ensures that all staff are aware of their compliance obligations. Responsibilities are clear and process ownership is understood. The process includes a review of the environment to identify external requirements and ongoing changes. There is a mechanism in place to monitor non-compliance with external requirements, enforce internal practices and implement corrective action. Non-compliance issues are analysed for root causes in a standard manner, with the objective of identifying sustainable solutions. Standardised internal best practices are utilised for specific needs such as standing regulations and recurring service contracts. |
| 5 Optimized | There is a well-organised, efficient and enforced process for complying with external requirements, based on a single central function that provides guidance and co-ordination to the whole organisation. There is extensive knowledge of the applicable external requirements, including their future trends and anticipated changes, and of the need for new solutions. The organisation takes part in external discussions with regulatory and industry groups to understand and influence the external requirements affecting it. Best practices have been developed that ensure efficient compliance with external requirements, resulting in very few cases of compliance exceptions. A central, organisation-wide tracking system exists, enabling management to document the workflow and to measure and improve the quality and effectiveness of the compliance monitoring process. An external requirements self-assessment process is implemented and has been refined to a level of best practice. The organisation’s management style and culture relating to compliance are sufficiently strong, and processes are developed well enough, for training to be limited to new personnel and to whenever there is a significant change. |