Documented isn't defensible: rethinking compliance assessment (The Demo Room #21)
- Michael Lawrence


Welcome to The Demo Room – your front-row seat to the future of RegTech, RiskTech, and AI innovation.
In this series, we document our research interviews with the most forward-thinking vendors tackling the industry's biggest challenges. Each blog is built around a comprehensive product demo, providing clear insights into how these innovations address industry challenges.
On this occasion, we feature Argus Pro, who provide a compliance assessment platform focused on maturity, effectiveness and evidence across regulatory frameworks.
Accountability regimes — SM&CR in the UK, equivalent structures elsewhere — have made personal liability for compliance failures explicit. Signing off a framework now requires more than confidence that policies are documented and controls have been designed. It requires evidence that they work.
That is a harder question to answer than it sounds. Traditional maturity assessments can show that a control exists, that a process has been defined, that a policy has been recorded. They are less reliable at showing whether any of it is working in practice. For senior managers with prescribed responsibilities under accountability regimes, that carries personal risk. If a control fails and scrutiny follows, the question will not be whether the framework was documented. It will be whether reasonable steps were taken to ensure it was working.
With the pace of regulatory change accelerating and supervision shifting from periodic review toward continuous oversight, compliance teams, who are already stretched, are absorbing more scrutiny with the same or fewer resources.
"With traditional assessments, you can get a maturity score and understand control coverage. But that misses whether they're actually working." – Victor Chauhan, Co-Founder of Argus Pro
The Problem for Firms
A strong maturity score is not the same as a functioning control framework. For firms operating under increasing supervisory scrutiny, that distinction is becoming harder to ignore.
Traditional assessments can show that policies are documented, processes are defined and controls have been recorded. What they struggle to show is whether those controls are applied consistently, whether staff in different jurisdictions interpret requirements the same way, and whether the data flowing through compliance systems is complete. A firm can score well on maturity and still carry significant regulatory risk exposure.
Workshops compound the problem. They are efficient, but they tend to surface what the room believes senior managers want to hear. Issues at the operational level — inconsistent application, workarounds, data gaps — rarely emerge cleanly from a facilitated session. The result is an assessment that reflects how the framework is understood in a room, not how it operates in practice.
Internal audit and external advisory work can help, but the traditional model is resource-intensive. It can also be periodic, broad and slow. For firms operating across DORA, anti-financial crime, data, cyber and operational resilience obligations, that creates a visibility problem.
Culture and data sit underneath much of this. Compliance failures often occur because incentives, behaviours and accepted workarounds undermine the formal framework. Data failures create a similar problem. If firms cannot show where data comes from, where it goes, how it is transformed and whether it arrived complete, they cannot demonstrate that controls operate as intended.
A Solution: Aegis Compass by Argus Pro
Aegis Compass is Argus Pro's structured compliance assessment platform. It converts regulatory requirements into multi-respondent assessments, weighted scoring, dashboards and targeted remediation outputs, designed to show whether controls exist and whether they are working.
1. Regulation-led compliance assessment
Aegis Compass builds its assessment frameworks directly from legislative, regulatory and guidance instruments rather than generic control checklists. The platform currently covers:
- Cyber security and digital operational resilience, drawing on DORA and requirements across 30 jurisdictions
- Anti-financial crime, anchored to the FATF 40 Recommendations with national legislation and guidance layered on top
- AI Governance, built around the EU AI Act and ISO 42001, with jurisdiction-specific requirements added where needed
Each question maps back to its source requirement, so firms can trace assessment activity to the underlying regulation. For firms operating across multiple jurisdictions, the platform identifies the delta between global standards and jurisdiction-specific requirements — what Argus Pro describes as a FATF-plus approach — allowing firms to manage a scalable core framework while capturing local regulatory nuance where needed.
2. Maturity and effectiveness together
Aegis Compass scores both maturity and effectiveness. Maturity shows whether policies, procedures and controls exist and have been formalised. Effectiveness assesses whether those planned activities are producing the intended results. That definition is rooted in ISO 9000:2026 (whether planned activities achieve planned results) and is then calibrated to the higher evidential bar regulated firms now face.
Where effectiveness scores are low, the platform flags that the organisation needs to investigate why the framework is not working as intended.
3. Triangulated responses across the organisation
Rather than relying on a single respondent or a facilitated workshop, Aegis Compass collects responses from multiple stakeholders across functions, locations and seniority levels. Results are then compared to surface discrepancies.
If internal audit, business continuity and front-line compliance teams answer the same question differently, that variance becomes visible. The firm can then investigate whether the gap reflects a difference in interpretation, execution, capability or something else entirely. Anonymity protections ensure that where respondent categories are small, individual answers are suppressed — helping surface honest responses without exposing individuals unnecessarily.
4. Targeted remediation
Aegis Compass distinguishes between types of control weakness. A gap may require training, a policy change, a process redesign, stronger data lineage, clearer ownership or a technology fix. The platform's reporting identifies not just where remediation is needed but what kind of intervention is most likely to address the root cause.
That precision matters where remediation costs are high and regulatory scrutiny is intense. Firms do not always need to redesign an entire programme. They need to identify which part of the operating model is failing and address it directly.
5. Hybrid AI with human oversight
Argus Pro maintains a structured registry of regulatory instruments mapped to clause level. When a rule changes, the platform identifies which specific obligations have moved, links them to the clauses already assessed, and pinpoints which parts of a firm's prior assessment are now affected.
Reassessment becomes targeted rather than wholesale, so instead of re-running an entire programme when a regulation shifts, a firm sees exactly which controls and questions need revisiting.
Natural language processing supports upstream ingestion of regulatory changes. Generative AI also compares updates to internal policies and identifies gaps. Machine learning will soon be applied to detect patterns across structured and unstructured data, supporting identification of emerging risk typologies.
“It’s using the AI for the productivity, not for the decision maker.” – Michael Falvey, Co-Founder of Argus Pro
Parker & Lawrence’s View
The maturity and effectiveness distinction is the product's central contribution. Maturity scoring has been the dominant model in compliance assessment for years. It is not without value. But it answers a different question from the one regulators and senior managers increasingly need answered.
The competitive positioning is also well judged. Argus Pro sits in the space between regulatory intelligence, where platforms map and track obligations, and operational testing, where the question shifts to whether those obligations are being met in practice. Where many regulatory change management platforms stop is where Argus Pro’s assessments start. That is a clear and credible position in a market where many adjacent tools stop short of that operational layer.
The multi-jurisdiction capability adds further relevance. The FATF-plus approach, anchoring to global standards and identifying the delta against jurisdiction-specific requirements, is practically useful for firms expanding into new markets or managing controls across complex regulatory perimeters.
The market is moving from documented compliance to evidenced compliance, and under accountability regimes, that shift is personal. The question is no longer whether the framework exists. It is whether it works, and whether you can show it. Documented is no longer defensible, and that is the gap Argus Pro is built to close.

