This article looks at an approach for constructing a compliance matrix.
Compliance matrix
A compliance matrix is a document or tool, often in a table format, that ensures all requirements from a source (including regulations and policies) are fully addressed in a corresponding response or implementation. This approach typically lists each requirement and points to the specific location in the proposal or plan where it is met, acting as a guide for writers, a checklist for managers and a validation tool for evaluators.
Design
While compliance matrices may come in different formats, some universal design elements are recommended. These include:
- A list of each requirement from the regulation
- The section, page number or other specific location within the proposal where each requirement is addressed
- A column for tracking compliance status (e.g., fully compliant, partially compliant, non-compliant)
- Fields for explanations of partial compliance or strategies for meeting the requirement
A classic compliance matrix is a sequential index of all requirements correlated against the assessment of the regulation. This document lists each regulatory requirement (Section L), with the corresponding proposal section number, title and page number where it appears. Then, the matrix lists all the evaluation criteria (Section M), one after the other.
For example:
| Reference |
Document
section
|
Type of
issue
|
Regulatory
requirement (L)
|
Evaluation criteria /
risk outcome (M)
|
| |
|
|
|
|
| |
|
|
|
|
| |
|
|
|
|
| |
|
|
|
|
| |
|
|
|
|
More sophisticated and detailed tables can be constructed, drawing on some of the additional criteria discussed below.
Application
The use of the compliance matrix can vary. One approach is to:
1. Extract requirements: Identify and list every requirement stated in the regulation, guidance or policy
2. Map responses: For each requirement, find the corresponding section, page or paragraph
3. Cross-check: Cross-check the requirement against existing documents and policies
4. Identify gaps
5. Risk-assess the gaps
6. Consider mitigations in place
7. Develop action plans to resolve gaps
8. Track status: Note the compliance status and add any necessary explanations for partial compliance
9. Review: Use the matrix as a checklist to ensure every requirement is addressed accurately and completely
Assessing all parts of a regulatory document are important. However, sections that contain key terms (such as ‘requests’, ‘include’, ‘provide’, and ‘must’) are arguably those you need to pay special attention to.
Risk criteria
Applying clear risk assessment criteria is essential for contextualising each risk and comparing them relative to one another. This enables effective prioritisation. It is important to define and agree on the criteria that will be used to evaluate and rank risk factors consistently.
The common criteria in a compliance risk assessment matrix are:
| Probability |
The likelihood that a risk factor will happen to the business |
| Severity |
The likely impact that risk factor would have on the organisation if it did occur |
Risks are often rated against both criteria using qualitative scales (e.g. low, medium, high) or numerical ratings (e.g. 1 to 5), allowing for a more consistent and comparable assessment.
The following matrix can be used to assess each risk:
The output can be placed onto a list of risks, such as:
| Risk |
Areas affected |
Severity |
Likelihood |
Risk impact |
Recommended
action(s)
|
| |
|
|
|
|
|
| |
|
|
|
|
|
| |
|
|
|
|
|
| |
|
|
|
|
|
| |
|
|
|
|
|
Tracker
Creating a compliance matrix is only the first step - its value lies in how well it is maintained and used. To ensure progress is tracked and actions are followed through, each activity should include:
- Due dates
- Assignees
- Comments about necessary changes
As the matrix evolves through drafts and updates, content may shift and progress will (ideally) move forward. Be sure to regularly update the response location column to reflect these changes and maintain accuracy.
Additional considerations
The matrix can be supplemented with additional information. For example:
- Sub-factors: Breaking down evaluation factors into sub-factors for more granular assessment
- Scoring rubrics: Developing scoring rubrics for each evaluation factor to provide consistent criteria
- Comments section: Including a comments section to document specific observations or feedback
By blending instruction and evaluation factors in this manner, the compliance matrix will ensure that proposals meet the minimum requirements, while also providing a structured framework for evaluating overall quality and suitability.
Mitigations
Once systems have been mapped and specific risks identified, it becomes essential to implement appropriate mitigation measures. These controls should be established and put into action as early as possible to reduce exposure and support compliance. Effective mitigation relies not only on implementation but also on continued monitoring to assess how well the controls are working. In parallel, it’s important to ensure that all relevant staff are properly trained—both in how to apply the mitigation activities and in what actions to take if a control failure is detected. Embedding these practices into day-to-day operations helps ensure long-term effectiveness.
Avoiding error
A common challenge when using a risk matrix is the potential for misclassifying risks. Incorrect categorisation can lead to poor prioritisation and flawed decision-making. This is why it is best practice to assemble a team to debate and help the process. This collaborative approach helps ensure a broader range of perspectives, reduces blind spots and avoids the danger of acting on incomplete or biased information that could steer the organisation in the wrong direction.
