Developing a Maturity Model for the Compliance Function of Investment Firms: A Preliminary Case Study from Norway

: This paper develops a model for the assessment of the maturity of the compliance function of investment ﬁrms. The model indicates a path of evolution wherein the compliance function matures from being reactive and inconsistent to becoming a proactive and integrated part of a ﬁrm’s business practices. A preliminary case study approach is used to test the practical application of the model in a Norwegian investment ﬁrm. The ﬁndings generally illustrate the ways in which the effectiveness of the compliance function can be evaluated using a maturity model. When it was used in the assessment of the compliance function within the case ﬁrm, the suggested model proved to be compatible with practice. The model represents an improvement framework that can help practitioners identify the status of the compliance function and provide guidance on its future improvement.


Introduction
Today's business environment is increasingly regulated, and firms are under intense pressure to comply with regulations, and to govern and manage in ethical and sustainable ways (Falcione and McKillop 2016;Merchant and Van der Stede 2017). This is especially the case for investment firms that provide investment services and financial instruments. The Markets in Financial Instruments Directive (MiFID II) requires that firms implement a robust governance framework (Prorokowski 2015;Yeoh 2019). This entails putting in place a series of systems and controls to secure a clear organizational structure, lines of responsibility, and effective risk management processes. ESMA (2020b, p. 6) states that "[t]his includes policies and procedures to ensure regulatory compliance and the establishment of a permanent, independent, and effective compliance function".
As the business environment evolves, stakeholders expect firms to be flexible, and to quickly adopt sophisticated and effective measures that meet industry demands (Blum 2020). Research also indicates that the firms which are able to adapt and change quickly often emerge as industry winners (Drnevich and Kriauciunas 2011;Teece et al. 1997). However, organizational changes are not made overnight. Just as children must learn to crawl before walking, firms need to go through a process of maturity in order to establish sophisticated and effective organizational functions and procedures (Blum 2020). This also applies to the development of an effective compliance function. Furthermore, the notion of "effective" should also be considered. What are the requirements for the organization of an effective compliance function, and what measures are needed to satisfy these requirements?
This study aims to develop a compliance function maturity model for application within investment firms. The proposed model will be based on current legislation and the prescribed guidelines from regulatory authorities, as well as ideas from practitioners on how to organize an effective compliance function. This assumes that effectiveness increases with maturity.
For the model to encompass the complexity of the real world, empirical data from a case study involving a Norwegian investment firm will be used to test the model. Such a case study will not only be valuable for testing the model but it will also provide the case firm with a better understanding of where their compliance function stands as of today. In addition, having mapped the case firm's current level of maturity, the model will also provide guidelines for how the firm might improve its compliance function to become more effective.
The main objective of this paper is the development of a compliance function maturity model. This entails (1) testing the suggested model in a real-world situation (a Norwegian investment firm), (2) evaluating the model based on empirical data from that case, and (3) using the model to evaluate the compliance function of the case firm. Thus, we seek to address two distinct but complementary research questions: (RQ1) How can the effectiveness of the compliance function within investment firms be evaluated using a maturity model? (RQ2) What is the state of the compliance function within the selected case firm as of today, and how can the function possibly be improved to become more effective?
In order to answer the first research question, we will review literature on how maturity models have been used to assess business processes, functions, programs, or systems Fraser et al. 2002;Pöppelbuß and Röglinger 2011;Solli-Saether and Gottschalk 2010;Solli-Saether and Gottschalk 2015). Insights from previous frameworks will be used to conceptually develop a maturity model for the compliance function in investment firms.
The second research question involves testing the model in a real-life situation. Testing the model is important because the model will be developed based solely on existing research, and therefore, it is not clear whether it has applicability in practice. A case study of the compliance function within a Norwegian investment firm will provide indications about the extent to which the model reflects real-life situations, and the extent to which it can be used for both as-is assessment and as an improvement framework.

Definition
Pullen (2007) defines a maturity model as "a structured collection of elements that describes the characteristics of effective processes at different stages of development. It also suggests points of demarcation between stages and methods of transitioning from one stage to another" (p. 1318).
Maturity models are often referred to as stages-of-growth models. These models have been widely used in a vast array of domains to assess the maturity (i.e., competency, capability, level of sophistication) of selected business processes, functions, programs, or systems Pöppelbuß and Röglinger 2011;Solli-Saether and Gottschalk 2010;Solli-Saether and Gottschalk 2015). Working both as a means of assessment and as part of a framework for improvement, maturity models are developed to assist firms in deriving an informed approach for increasing the capability of a specific area within the organization (Fraser et al. 2002).
The idea that maturity models can be used as improvement frameworks is based on the underlying assumption that predictable patterns exist in the maturity/growth process in all parts of an organization (Solli-Saether and Gottschalk 2015). From this, the core concept of maturity models is based on these stages being "(1) sequential in nature, (2) occur as a hierarchical progression that is not easily reversed, and (3) involve a broad range of organizational activities and structures" (Solli-Saether and Gottschalk 2015, p. 90).

The Modeling Process
There is considerable research on the modeling process of maturity models. In order to establish a reasonable catalog of requirements for the design of maturity models, many researchers (e.g., Batenburg et al. 2014;Becker et al. 2009;Maier et al. 2011;Mettler 2011) Adm. Sci. 2021, 11, 109 3 of 34 have taken a design science research perspective. With regards to the modeling process of maturity models, the design science perspective involves the understanding of maturity models as artifacts serving to solve problems (March and Smith 1995) in determining the status quo of a firm's capabilities and deriving measures for improvement therefrom.
As for the process of maturity model design, the research differs in terms of the ways in which different artifacts (constructs, models, methods and instantiations) are deployed to develop frameworks for the modeling process. For example, a review of the literature on maturity model design reveals differences in the number of phases of the procedure. Table 1 provides an overview of the different development frameworks. Becker et al. (2009) suggested a procedure model consisting of eight phases for the "theoretically founded development and evaluation of maturity models". They did this by relying on the guidelines for design science identified by Hevner et al. (2004). De Bruin et al. (2005) proposed a framework consisting of six generic phases, while Solli-Saether and Gottschalk (2010) and Maier et al. (2011) proposed five and four phases, respectively. Table 1. Overview of the development frameworks reviewed.

Research Article
Phases Frameworks Conceptualized Becker et al. (2009) (1) Problem definition (2) Comparison of existing maturity models (3) Determination of development strategy (4) Iterative maturity model development (5) Conception of transfer and evaluation (6) Implementation of transfer media (7) Evaluation (8) Rejection of maturity model Adm. Sci. 2021, 11, x FOR PEER REVIEW 3 of 35 There is considerable research on the modeling process of maturity models. In order to establish a reasonable catalog of requirements for the design of maturity models, many researchers (e.g., Batenburg et al. 2014;Becker et al. 2009;Maier et al. 2011;Mettler 2011) have taken a design science research perspective. With regards to the modeling process of maturity models, the design science perspective involves the understanding of maturity models as artifacts serving to solve problems (March and Smith 1995) in determining the status quo of a firm's capabilities and deriving measures for improvement therefrom.
As for the process of maturity model design, the research differs in terms of the ways in which different artifacts (constructs, models, methods and instantiations) are deployed to develop frameworks for the modeling process. For example, a review of the literature on maturity model design reveals differences in the number of phases of the procedure. Table 1 provides an overview of the different development frameworks. Becker et al. (2009) suggested a procedure model consisting of eight phases for the "theoretically founded development and evaluation of maturity models". They did this by relying on the guidelines for design science identified by Hevner et al. (2004). De Bruin et al. (2005) proposed a framework consisting of six generic phases, while Solli-Saether and Gottschalk (2010) and Maier et al. (2011) proposed five and four phases, respectively.

Research Article
Phases Frameworks Conceptualized Becker et al. (2009) (1) Problem definition (2) Comparison of existing maturity models (3) Determination of development strategy (4) Iterative maturity model development (5) Conception of transfer and evaluation (6) Implementation of transfer media (7) Evaluation (8) Rejection of maturity model De Bruin et al. (2005) (1) Scope (2) Design (3) Populate (4) Test De  (1) Scope (2) Design (3) Populate (4) Test (5) Deploy (6) Maintain Adm. Sci. 2021, 11, x FOR PEER REVIEW 3 of 35 There is considerable research on the modeling process of maturity models. In order to establish a reasonable catalog of requirements for the design of maturity models, many researchers (e.g., Batenburg et al. 2014;Becker et al. 2009;Maier et al. 2011;Mettler 2011) have taken a design science research perspective. With regards to the modeling process of maturity models, the design science perspective involves the understanding of maturity models as artifacts serving to solve problems (March and Smith 1995) in determining the status quo of a firm's capabilities and deriving measures for improvement therefrom.
As for the process of maturity model design, the research differs in terms of the ways in which different artifacts (constructs, models, methods and instantiations) are deployed to develop frameworks for the modeling process. For example, a review of the literature on maturity model design reveals differences in the number of phases of the procedure. Table 1 provides an overview of the different development frameworks. Becker et al. (2009) suggested a procedure model consisting of eight phases for the "theoretically founded development and evaluation of maturity models". They did this by relying on the guidelines for design science identified by Hevner et al. (2004). De Bruin et al. (2005) proposed a framework consisting of six generic phases, while Solli-Saether and Gottschalk (2010) and Maier et al. (2011) proposed five and four phases, respectively. There is considerable research on the modeling process of maturity models. In order to establish a reasonable catalog of requirements for the design of maturity models, many researchers (e.g., Batenburg et al. 2014;Becker et al. 2009;Maier et al. 2011;Mettler 2011) have taken a design science research perspective. With regards to the modeling process of maturity models, the design science perspective involves the understanding of maturity models as artifacts serving to solve problems (March and Smith 1995) in determining the status quo of a firm's capabilities and deriving measures for improvement therefrom.
As for the process of maturity model design, the research differs in terms of the ways in which different artifacts (constructs, models, methods and instantiations) are deployed to develop frameworks for the modeling process. For example, a review of the literature on maturity model design reveals differences in the number of phases of the procedure. Table 1 provides an overview of the different development frameworks. Becker et al. (2009) suggested a procedure model consisting of eight phases for the "theoretically founded development and evaluation of maturity models". They did this by relying on the guidelines for design science identified by Hevner et al. (2004). De Bruin et al. (2005) proposed a framework consisting of six generic phases, while Solli-Saether and Gottschalk (2010) and Maier et al. (2011) proposed five and four phases, respectively. There is considerable research on the modeling process of maturity models. In order to establish a reasonable catalog of requirements for the design of maturity models, many researchers (e.g., Batenburg et al. 2014;Becker et al. 2009;Maier et al. 2011;Mettler 2011) have taken a design science research perspective. With regards to the modeling process of maturity models, the design science perspective involves the understanding of maturity models as artifacts serving to solve problems (March and Smith 1995) in determining the status quo of a firm's capabilities and deriving measures for improvement therefrom.
As for the process of maturity model design, the research differs in terms of the ways in which different artifacts (constructs, models, methods and instantiations) are deployed to develop frameworks for the modeling process. For example, a review of the literature on maturity model design reveals differences in the number of phases of the procedure. Table 1 provides an overview of the different development frameworks. Becker et al. (2009) suggested a procedure model consisting of eight phases for the "theoretically founded development and evaluation of maturity models". They did this by relying on the guidelines for design science identified by Hevner et al. (2004). De Bruin et al. (2005) proposed a framework consisting of six generic phases, while Solli-Saether and Gottschalk (2010) and Maier et al. (2011) proposed five and four phases, respectively. Notes. * List and visualization of the phases proposed in the four maturity model development frameworks.
However, even though these frameworks differ in their suggested number of phases, they all assume that the process itself is evolutionary. This means that each phase offers Adm. Sci. 2021, 11, 109 4 of 34 new challenges as soon as the challenges of the prior phase are solved (Solli-Saether and Gottschalk 2015, p. 90). For example, Solli-Saether and Gottschalk (2010) refer to their stage-of-growth modeling process as "goal-oriented" (p. 7). What is meant by this is that the maturity model changes its status from a suggested maturity model, to a conceptual, theoretical and empirical model, and finally to a revised maturity model. This notion also applies to the modeling process of De Bruin et al. (2005), as they describe the phases as "guiding the development of a model through first the descriptive phase, and then to enable the evolution of the model through both the prescriptive and comparative phases within a given domain" (p. 4). The order of the generic phases is important because decisions made in one phase will have implications for the next phase. However, all of the frameworks encourage iterative progressions throughout the phases in order to improve theory-building and empirical validation (Becker et al. 2009;De Bruin et al. 2005;Maier et al. 2011;Solli-Saether and Gottschalk 2010;Solli-Saether and Gottschalk 2015).
As another step to remedy the lack of empirical validation (a typical criticism of maturity models), Maier et al. (2011) take inspiration from the Eisenhardt (1989) roadmap for developing theory from case studies. This includes alerting the reader to the steps and associated decision points in the development journey. The use of case studies also becomes evident when looking at the frameworks developed by Gottschalk (2010, 2015). Their development of theory on the sequential nature of the stages is largely based on case studies.

Developing a Compliance Function Maturity Model
When developing a maturity model for the compliance function within investment firms, it is relevant to examine the phases identified in previous frameworks (Table 1). This is because many of the frameworks have also been applicable in practice (see, for example, Solli-Saether and Gottschalk (2015)). Additionally, it will help ensure a well-structured and well-documented modeling process. In order to develop a foundation for (and an understanding of) the decisions that are made in the process of developing a Compliance Function Maturity Model (CFMM), the first phase of this process will consist of some of the elements included in the planning (Maier et al. 2011), scoping (De Bruin et al. 2005, and problem defining (Becker et al. 2009) phases introduced in Table 1.

Phase 1: Planning
As with every other project, it is natural to start with problem definition before initiating the actual design process. According to Becker et al. (2009), problem definition includes the determination of both the targeted domain versus the partial discipline and the target group (p. 217). According to De Bruin et al. (2005, p. 5) "[d]etermining the scope of the desired model will set the outer boundaries for model application and use". This will thus impact the remaining phases of the process.
In determining the focus of the model, one spells out which domain the maturity model will target and be applied to. Here, it is normal to divide between a domain-specific or general focus, i.e., whether the model is developed to assess and improve management in general, or in a particular discipline, say for example the management in software development Maier et al. 2011). After the initial focus of the model has been identified, the next step is to identify relevant stakeholders (e.g. from academia, industry, non-profits, and the government) that can help in the development of the model . Maier et al. (2011) suggested some additional decisions to be made in a planning phase, namely to (1) specify the audience, (2) define the aim, and (3) define the success criteria for the model. As Maier et al. (2011, p. 149) pointed out, the term "audience" refers to stakeholders that will take part in the assessment of the model. To specify the audience is important, as the model should consider the needs of the intended audience . Defining aims is related to maturity models being seen as analytic strategies (Maier et al. 2011). Based on a comprehensive review of existing models, Maier et al. (2011) suggested two overarching aims or improvement paradigms. These are improvements through "raising awareness" and improvement through "benchmarking" across companies or industry sectors (p. 149). Finally, a definition of the success criteria is suggested as a part of the planning phase. As these will be manifested in the form of high-level or specific requirements for the model's design, they become a basis for the evaluation of whether the development and application of the model were successful (Maier et al. 2011).
A Plan for the CFMM In order to effectively manage risk, firms must establish appropriate internal control. According to COSO (2013, p. 3), internal control is "a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance". Compliance objectives pertain to the adherence to the laws and regulations to which a firm is subject. If firms fail to do so, this could lead to sanctions (legal or regulatory), financial loss, or reputation loss (Singh 2005). The Norwegian financial market, MiFID II, implemented by law in 2018, requires firms to implement a series of systems and controls to secure an effective risk management process. ESMA (2020b, p. 6) states that "[t]his includes policies and procedures to ensure regulatory compliance and the establishment of a permanent, independent, and effective compliance function".
However, adaptations and changes to ensure an effective compliance function cannot be made overnight. Therefore, the aim is to develop a maturity model for the compliance function within Norwegian investment firms to raise awareness about the firm's "as-is" situation using the model. The results can then be used to make recommendations for where to go next to improve the effectiveness, or maturity, of the firm's compliance function. This means that the model, first and foremost, will have a descriptive and prescriptive purpose.
With the focus being domain-specific, Maier et al. (2011, p. 150) pointed out that "it is especially important to gather information about the context, the idiosyncrasies and terminology of the specific domain in order for it to be understood by and of relevance to the audience". The audience of the CFMM can be thought of as "industry professionals", e.g., CEOs in charge of corporate planning, or Chief Compliance Officers (CCOs) who wish to measure how their department is doing and see what can be done better. For that reason, development stakeholders that might be helpful in that regard can be both academics and practitioners. For example, literature studies will provide insight into the peculiarities of the phenomenon, and ideas from practice can further complement such information.
In general, the CFMM is meant to be used by and be useful for investment firms in the Norwegian financial market. The success criteria for usability, as such, should pertain to the clarity of the language used, and the architecture and rating scale of the model should not be too complex to apply for non-academics without prior knowledge of maturity models. On the other hand, the criteria for usefulness will revolve around whether the model turns out to be helpful, i.e., whether it triggers reflection and learning among its audience. This will be answered when testing the model with its intended users.

Phase: Design
As soon as the model's scope is set, the next step is to determine its design or architecture . Seemingly all of the process development frameworks reviewed emphasize the importance of a comprehensive comparison of existing maturity models as a foundation for the design phase. This is because the shortcomings in existing models can motivate modifications for enhancement. For example, design ideas can be transferred, as content from one domain could be found useful in a different domain (Becker et al. 2009;Solli-Saether and Gottschalk 2010).
However, it is not only the existing literature on maturity models that one should have a good overview of. Maier et al. (2011, p. 150) note that designers of maturity models make "decisions about the process areas to be assessed, the maturity levels (rating scale) to Adm. Sci. 2021, 11, 109 6 of 34 be assigned, the cell descriptions to be formulated, and the administration mechanism to be used".
It follows that the author needs to reference an established body of knowledge on the field in which the maturity model is to be applied. This is elaborated on by Gottschalk (2010, 2015) who describe what ought to be done in phase one of their modeling process, referred to as the development of the suggested stage model. Solli-Saether and Gottschalk (2010) make a distinction between the theoretical and empirical work related to the five phases. The theoretical work of phase one includes conducting a thorough review of the literature in the field where the model is to be applied. This provides indications on the theoretical concepts and definitions that will be of importance when defining the maturity levels and descriptions (Solli-Saether and Gottschalk 2015).
In the subsequent sections, we will address three important building blocks, which are important in the design phase according to the existing frameworks and research. As for this paper, the design process is meant to result in a preliminary maturity model for the compliance function of investment firms. Therefore, theories on compliance will be discussed on the basis of these building blocks. Ideas from practice are also considered by reviewing and comparing existing maturity models developed by practitioners to be applied in the same or similar domains.

Process Areas
An important design principle is that maturity is a number of cumulative stages where the higher stages build on the lower stages Rosemann and Bruin 2005). Although the number of stages may vary from one model to another, there is a general consensus among researchers and practitioners that the stages need to be distinct, welldefined, and have a logical progression Maier et al. 2011). Arguably, this is because clear and distinct definitions ease both the descriptive and comparative purposes of the model (e.g., positioning the firm along an evolutionary scale). Moreover, this has a prescriptive purpose if it gives clear guidelines and criteria for the firm to grow more mature.
It follows from this that each stage should be labeled with a name that provides the audience with a clear indication of what it entails. However, a more thorough definition of each stage name should also be provided to elaborate on the requirements and measures of the stage. De  suggest that this is done either through a top-down or a bottom-up approach. In a top-down approach, the emphasis is primarily on defining what represents maturity, and then how this can be measured. Typically, a top-down approach is appropriate if the field is relatively new and there is scant evidence on what maturity entails Maier et al. 2011). However, in more developed domains, there is more empirical evidence, and a better understanding of what maturity represents. Therefore, the focus shifts to the measurement of maturity and the development of definitions (De Bruin et al. 2005, p. 6). Maier et al. (2011) suggested starting the design phase by selecting the process area to be assessed. A key process area identifies a cluster of related activities that enable the achievement of a set of goals that are important for the establishment of the process capability at each maturity stage (Domingues et al. 2016;Hammer 2007). In existing maturity models, process areas have been labeled differently based on the improvement entity. Key attributes, components, pillars, or categories are examples of the different labels that are used. However, according to Maier et al. (2011, p. 150), a common goal (regardless of the label) is to identify "key process areas that are mutually exclusive and collectively exhaustive". Moreover, to accomplish this, "[a]n effective assessment should be based on an underpinning conceptual framework, generated from (traceable) principles of good practice" (Maier et al. 2011, p. 150).
There are many ways in which the assessment of process areas can be accomplished. Literature reviews have brought forward the fact that the most common strategies are expert interviews (Batenburg et al. 2014;Solli-Saether and Gottschalk 2015), synthesizing critical and frequently mentioned concepts in the literature , and understanding and recognizing organizational process goals as a point of departure for the definition of the key processes. This last alternative was described more closely by Maier et al. (2011). It includes defining the associated goals which are necessary to achieve the firm's overall objective, before deriving key process areas from these goals.

Process Areas of the CFMM
The predominant objective of the CFMM is to assess the maturity of the compliance function within Norwegian investment firms. Although the explicit establishment of separate compliance functions in the financial services sector was not evident before the late 1990s, ample literature from academia and practice is available to synthesize critical and frequently mentioned concepts . The reason is that the function was established as an answer to several business scandals that exposed weaknesses related to regulatory risk management and internal control (Ramakrishna 2015;Steinberg 2011). That again called for more research on how the control functions should be organized to become effective, and on how weaknesses can be mitigated.
Although there is no "canon of theory to which all scientist refer" (Maier et al. 2011, p. 154) in the field of corporate compliance, the existing literature is rich and crossreferences can be found concerning aspects of the organisation of an effective compliance function (and meeting the challenges in doing so). Furthermore, regulatory bodies have, with regards to MiFID II, explicitly stated what aspects they see as particularly important, and have developed guidelines for how they can be implemented. Therefore, a bottom-up approach has been used in defining the maturity steps of the CFMM. This means that the identified factors that influence the effectiveness of the compliance function are used to define the maturity steps of the model (De . In addition to reviewing the relevant research and guidelines from the regulatory body, a comprehensive comparison (Becker et al. 2009) of existing maturity models on corporate compliance and governance has been completed in order to identify the key factors of the compliance function.
The review shows that already, during the 1990s, the discussion revolved around measuring the effectiveness of compliance programs and their importance to firms' overall financial performance (Laufer 1999;Verschoor 1998). At the turn of the millennium, however, the research focus was expanded to also include the identification of challenges in establishing an effective compliance function and frameworks that take note of them (El Kharbili et al. 2008;Frigo and Anderson 2009;Mitchell 2007;Vicente and Mira da Silva 2011).
The challenges addressed in organizing an effective compliance program were the emergence of workplace silos (Frigo and Anderson 2009, p. 20;Kenton 2019), costs rising from redundancy and miscommunication (Loh 2019, p. 6;PwC 2004), and changing environmental and regulatory conditions (El Kharbili et al. 2008). As a step to meet these challenges, it seems to be commonly accepted that the compliance function should be organized to be proactive rather than reactive, and that it should be part of a holistic approach to meet integrity risk, i.e., that it is coordinated with other control functions and different business units.
Several existing maturity models were reviewed. Even though they are labeled differently, there is an underlying agreement about which components are deemed important for the effectiveness of an established compliance function. For example, the review reveals that many key processes evolve around four "enablers" suggested by Deloitte (2017): people, processes, technology, and analytics. More closely, it seems important that processes and policies are clearly defined and documented (Compliance Week and Reuters 2009). Regarding people, resources (in the form of the requisite skills and experience) and autonomy are in focus. For technology and analytics, connected and integrated technology is important for both monitoring and reporting (Deloitte 2017).
The compliance function requirements set out by the MiFID II directive and made explicit in the ESMA's guidelines show similarities to the above-mentioned key components.
For the compliance function to work effectively, it is key that it has access to relevant information as well as the necessary resources, authority, and expertise. In ensuring that appropriate human and other resources are allocated to the compliance function, it is pointed out that the firm must consider several factors, e.g., the scale and types of the investment services, activities, and supporting services. This means that the number of compliance staff coinciding with what is required for the tasks is considered important for the function's effectiveness. Furthermore, sufficient IT resources are important, not only for the information flow to be efficient in itself but also for the compliance staff to have access to relevant information at all times, i.e., access to relevant databases and records will ensure that the compliance officer has the relevant information that is important to disclose and mitigate compliance risk, and to plan adequate controls and policies. Lastly, it is also emphasized that the firm should establish arrangements and procedures so that information flows between the compliance function and other business units (i.e. ensuring that it is not siloed) (ESMA 2020b, p. 34).
Furthermore, the MiFID II Delegated Regulations require firms to "ensure that the compliance function performs its tasks and responsibilities on a permanent basis" (ESMA 2020b, p. 36). This is also seen as being important for the effectiveness of the function, because ensuring competent people take over the functions of the person who usually perform the tasks, for example in the event of planned or unforeseen absences (BAHR 2017), might save the company from violating regulations during such periods. Therefore, the guidelines require responsibilities, processes, expected competence and the authority of the compliance function to be explicitly defined and set out in a 'compliance policy' and other general policies or internal rules.
Based on the review of the literature, existing maturity models, and the regulatory guidelines in the domain, the following key process areas of the compliance function are suggested:

Processes
Processes should be clearly defined and implemented. This means that compliance processes should have well-thought-out and documented procedures, which also must be understood by employees and other stakeholders in order to arrive at an effective compliance solution (Feise 2020). The latter is important because having well-defined processes and policies that should mitigate risk considerably does not help if they are not understood and followed. Regarding this point, Laufer (Laufer 1999(Laufer , p. 1343 pointed out that the effectiveness of compliance programs was hard to determine, as the firms could "simply adopt the appearance of a program" and put less effort into actually preventing wrongdoings and violations. Oded (2013) supplemented this, saying that it could hinder firms from implementing the procedures and engaging in effective self-policing.

Resources
Appropriate human and financial resources must be allocated to the compliance function. When it comes to human resources, ESMA (2020b) emphasizes both the capacity and capability of the function. This means that the compliance function must have enough employees to handle the risk the firm is exposed to. Compliance employees are regularly provided with training to maintain their knowledge (ESMA 2020a;ESMA 2020b). Sufficient financial resources (e.g., budget size) provided to the compliance function have proven critical to its effectiveness. Hence, it protects the firm against financial losses and a damaged reputation (Verschoor 1998).

Technology
Ever since the beginning of start-up incubation in Silicon Valley, firms have sought to use technology to increase efficiency and transparency (Deloitte 2017, p. 5). As is illustrated in existing models assessing the maturity of firms' compliance initiatives, effective compliance programs should be supported by an automated system that removes friction, gathers data, and reports on real-time analytics (Feise 2020). What types of technology will be right for the firm will depend on the maturity of the other key process areas. However, creating the capacity for the employees to focus on activities of higher priority (from a risk perspective) through automation will improve efficiency.

Coordination
Workplace silos have been defined as "groups or departments within an organization that work in a vacuum with little functional access to other groups, or little communication with them" (Loh 2019). A lack of cooperation and communication between different risk and control functions and other business units has been shown to create accountability and communication gaps, as well as redundancies and confusion (PwC 2004, p. 6).
Vicente and Mira da Silva (2011) refer to the Open Compliance and Ethics Group's (OCEG) notion that "compliance is the act of adhering to, and the ability to demonstrate adherence to, mandated requirements defined by laws and regulations, as well as voluntary requirements resulting from contractual obligations and internal policies". According to Vicente and Mira da Silva (2011), organizations need an effective approach to verify that they conform to external and internal rules. This approach is, according to OCEG's statement, the responsibility of the compliance function. Vicente and Mira da Silva (2011) shed light on how this function needs assistance from risk management in identifying and prioritizing risks. It also needs assistance from the governance function, which prior to this must have defined those risks and aligned them to the corporate objectives (p. 10).

5.
Business integrity When you want to solve a problem in mathematics, it is normal for one variable to be held constant. This metaphor is used by Ramakrishna (2015) to describe how having fundamental principles of business integrity in place is important for the effectiveness of the compliance function when both the external and internal environment of the compliance system is in a state of constant flux (p. 159). This has also been a fundamental part of all of the reviewed frameworks for the organization of firms' governance, risk, and compliance initiatives, as suggested by practitioners in the field. As such, a firm's responsibility and commitment to integrity risk management (e.g., "tone at the top" and "tone at the middle") is critical for the effective functioning of the compliance initiatives set to live (Deloitte 2018, p. 9).
These five key process areas are expected to be evident in all of the stages of the maturity journey of the compliance function. Their characteristics, however, will evolve from the first stage to the last. In the following, an explicit statement of the underlying rationale for the intersection of the key process areas and maturity stages of the CFMM will be provided as an approach to promote theoretical rigor (Lasrado et al. 2015;Maier et al. 2011;Solli-Saether and Gottschalk 2015).

Maturity Levels and Their Intersection with the Process Areas
After key process areas have been identified, the next step in the design phase is to define a set of maturity levels and to decide on a rating scale (Maier et al. 2011). In order to ensure the comparability of the maturity assessments, the criteria should exhibit a high level of intersubjective verifiability, i.e., the corresponding descriptions should be precise, concise, and clear. Moreover, it should be possible to discriminate between the levels (Maier et al. 2009). For this purpose, Röglinger et al. (2012) also call for a definition of the underlying notion of maturity and an underpinning of the theoretical foundation concerning organizational evolution and change. This includes, for example, information about how change typically happens in the respective application domains, as well as about drivers and barriers in the maturation process (Pöppelbuß and Röglinger 2011, p. 8).
According to Maier et al. (2011), what rationale informs the rating scale is related to decisions on leverage points for organizational change. Kazanjian andDrazin (1989, p. 1489) argue that " [o]rganizations undergo transformations in their design characteristics which enable them to face the new tasks or problems that growth elicits". In terms of the architecture of the maturity model, what can be understood therefrom is that each maturity stage should be defined based on the characteristics of, or requirements for, the key process areas at that particular stage. Solli-Saether and Gottschalk (2010) refer to this part of the modeling process as defining benchmark variables or formulating cell text.

Maturity Stages in the CFMM
An analysis of the cell descriptions of existing maturity models reveals how the same subject can be conceptualized in different ways. This is interesting because it says something about the researchers' views of a firm and its processes, people, and products. Furthermore, these conceptualizations impact organizational change initiatives, as they specify leverage points. Maier et al. (2011) performed such an analysis, and suggested four underlying notions of maturity: "(1) existence and adherence to a structured process (e.g., infrastructure, transparency, and formality); (2) alteration of organizational structure (e.g., job roles and policy); (3) emphasis on people (e.g., skills, training, and building relationships); (4) emphasis on learning (e.g., awareness, mindset, and attitude)" (p. 148).
However, when conceptualizing the maturity of the compliance function within firms, it seems deficient to rely solely on one of the aforementioned notions. Based on the identified key process areas of the compliance function, emphasis on the existence and adherence to structured processes seems appropriate. This is because maturity models using infrastructure, transparency, and formality as leverage points define maturity as "the extent to which a specific process is explicitly defined, measured, controlled, and effective" (Paulk et al. 1993).
Defining maturity as the degree to which a process is institutionalized and effective coincides with one of the key components of the compliance function being seen as welldocumented and implemented compliance processes. If one were to map out the maturity journey on this aspect alone, one could rely on the definitions suggested by the Capability Maturity Model (CMM) model for software (Paulk 2009;Paulk et al. 1993). The first level (defined as "Initial") covers recently established processes performed on an ad-hoc basis, and the latter (defined as "Optimized") involves processes being measured, controlled and continuously improved. Furthermore, there has also been a focus on support from automated systems to relieve employees in the compliance function to focus on the areas of the firm that are most vulnerable to compliance risks. The architecture of maturity models assessing information systems is often adopted from the Software CMM, evaluating the system on an ordinal scale, as exemplified above.
In terms of coordination, compliance initiatives will become more effective/mature, as execution and oversight can be integrated among different control functions (Deloitte 2017). A compliance function that works in a vacuum with little functional access to other groups, or little communication with them (Loh 2019), will be seen as less effective because accountability and communication gaps will lead to the poorer management of control risk. Concerning the coordination of control functions, organizational change could also be initiated via structural changes in job roles and training (e.g., skills and methods), making it a candidate for focusing on organizational structures or people.
However, an emphasis on learning in discriminating between the maturity levels also seems adequate for this study. This is because it, in a prescriptive manner, can raise awareness towards adequate actions and attitudes. For example, in their study of communication in complex product development, the underlying notion of change for Maier et al. (2008) was that proactive actions are favored over reactive ones. With respect to the CFMM, one can make an example of the key process area referred to as "Business integrity". The underlying rationale for choosing this as one of the key process areas of the compliance function is basically that the overall attitude towards responsibility and the commitment to integrity risk management in the firm is critical for the effective functioning of the compliance initiatives set to live (Deloitte 2018, p. 9). "Tone at the top" was set as an example of this. Tone at the top can be defined as "the ethical atmosphere that is created in the workplace by the organization's leadership" (ACFE n.d., p. 1). What this means is that whatever tone the management sets will have a trickle-down effect on the employees of the firm. If the managers set at a tone that upholds ethical values, the employees will be more likely to uphold the same values (Merchant and Van der Stede 2017).
As for how the aforementioned is connected to the maturity of the compliance function, one can look to Ramakrishna's (2015) distinction between passive and active compliance. Positive and active compliance is defined as the proactive responsiveness of an organization to follow a set of rules and standards, yielding to change without disruption of its or the system's structure and function, which is an inclusive in approach for the well-being of itself and its stakeholders (p. 67). This approach to compliance is believed to form a basis for many of the underlying drivers yielding the firm's benefits from compliance through business integrity principles.
From the introduction, we understand that such benefits will only become evident if the compliance function is organized in an effective manner. The number of resources allocated to the compliance function by the management will give indications on the mindset and attitude of the firm towards ethical business. A study by Harvey (2004) exemplifies this in a good manner. Conducting a cost-benefit analysis of compliance in financial firms, Harvey finds support for what was already well acknowledged, i.e., that the avoidable costs saved by acting compliant are revenue earned. However, Harvey also adds that it is the intangible benefits, such as a better reputation, competitor relationships, employee morale, and customer satisfaction (Harvey 2004;Kenton 2020), that really add to the bottom line, and hence ensure value creation and perpetuate a healthy and sustainable growth of the business. As such, even though the cost of compliance is high and continuously increasing, "it would be a brave person who steps up to say that it is too high a price to pay for countering terrorism and serious crime" (Whitehouse 2003, p. 144). As such, in terms of resources, one can say that for the compliance function to mature, the right amount of resources, given the proportionality principle (ESMA 2020b), must be allocated to it.
Based on the above reasoning, the CFMM is both process-and learning-oriented, and hence the maturity stages and associated cell texts will be defined accordingly. The stage definitions will give an immediate indication of the existence and adherence to structured compliance processes, as well as whether the compliance function can be referred to as reactive or proactive. Based on the existing governance and compliance maturity models and concepts from the reviewed literature, the following four stages are suggested: Level 1: Reactive and inconsistent. Level 2: Organized but reactive. Level 3: Actively managed and understood. Level 4: Proactive and implemented.
For the descriptive purpose of use, cell descriptions provide specific descriptions of the characteristics expected from each process area, at each distinct maturity level. They will be phrased as clear statements to avoid misconceptions in the evaluation of whether the cell's statement corresponds to the firm's situation. Because specific characteristics of each process area have to be implemented to reach a new level of maturity, it can be argued that improvement measures for the prescriptive purpose of use are implicitly included in the model (Pöppelbuß and Röglinger 2011, p. 11).

Presenting the Compliance Function Maturity Model
In this section, the model developed to assess the maturity of the compliance function within investment firms-the CFMM-will be presented. So far, the relevant literature on compliance and a comprehensive comparison of the existing maturity models has been used as an input in the modeling process. At this point, the discussion on the different building blocks of the maturity model will be summarized and merged into what can be seen as a "user guide" for the model, explaining how it should be understood and used for a maturity assessment. Table 2 illustrates that the more a firm adheres to established and structured compliance processes and has a proactive approach to compliance, the more mature their compliance function is expected to be. However, it does not provide clear guidelines on how to position a firm along the evolutionary stage, e.g., the decision about whether a firm should be categorized as "Reactive and inconsistent" or "Actively managed and understood". Table 2 eases the model's descriptive purpose by establishing clear and distinct criteria for what to expect from each key process area Maier et al. 2011) at each distinct maturity stage (in the CFMM labeled "Key enablers").

Reactive and inconsistent
Organized but reactive Actively managed and understood Proactive and integrated

Level of maturity
As for the rating scale of the CFMM, the ISO 9001 is looked to as an example. The ISO 9001 is a binary model, and whether the firm is ISO-certified or not depends on the overall score of maturity (Paulk et al. 1993). For the CFMM, whether the firm meets the criteria of each distinct maturity stage can be determined using a binary pass/fail scale. As such, the CFMM can be used in two different ways, which will result in the same positioning of the firm. These two "pathways" will be described in the following sections.
The first pathway starts with the assessor comparing the situation in the firm as-is with the requirements set out in the cell descriptions associated with Level 1. Having "ticked-off" the boxes that can be ticked-off at Level 1, the assessor moves on to perform the same activity for Level 2, and so on. For the second pathway, the assessor compares the as-is situation in the firm with the cell text descriptions in the model. However, instead of moving level-wise upwards, an assessment is made for each key process. This involves comparing each key process of the CFMM with that of the firm as of today, and then placing these at the level that fits the firm's real-life situation.
Regardless of which path is applied for the as-is assessment, the firm's current situation is assessed with respect to the given criteria for the different process areas (Becker et al. 2009;Pöppelbuß and Röglinger 2011). Hence, in most cases, the assessor will find that the firm does not fulfill all of the criteria for each distinct maturity level. For example, the compliance function might be supported by business integrity principles that foster a healthy compliance culture and compliance processes that are well-integrated into the workflow, while at the same time being reactive and inconsistent in terms of technology and automated systems. Here, the prescriptive purpose of the CFMM comes into the picture.
As Feise (2020) describes it, from performing a self-assessment and taking inventory of where the compliance function stands as of today, low-hanging fruits can be identified, allowing the firm to develop a plan to address the function's most significant areas of growth, i.e., by understanding the as-is situation of the firm (its unique starting point), the CFMM will provide clear guidelines, in the form of cell descriptions, as to how the firm can optimize its compliance function and organize it to be as effective as possible. The example above would involve prioritizing supporting technology and automated processes to optimize the compliance function and make it more effective.
The proposed model will be tested using interviews with a Chief Compliance Officer in a relevant Norwegian investment firm. As was pointed out by Batenburg et al. (2014), the model could have value when it is presented in a compact and practical way, which can provide guidelines to firms when it comes to the improvement of their compliance maturity. Therefore, the case study will not only be helpful in the assessment of the maturity of the compliance function within the case firm but it will also reveal whether the model has relevance to practice (Phase 4: Evaluation).

The Case Firm
In the introduction, it was stated that the main objective is to develop a compliance function maturity model for use within Norwegian investment firms. In the previous part of this paper, the CFMM was developed based on a set of design principles retrieved from a literature study on maturity models and complementary literature on corporate compliance.
The accomplishment of the main objective, however, presupposes that the model is compatible with practice. For that reason, RQ2 was established to make sure that some underlying (but important) objectives were fulfilled, namely that the model was tested and evaluated in a real-life case. A case study approach using a semi-structured interview was deemed as an appropriate way to accomplish this. In maturity model research, interviews with experts are often used (Batenburg et al. 2014;Solli-Saether and Gottschalk 2015).
The interview with the informant from the case firm was carried out during the spring of 2021. The case firm was chosen because of its capacity to exemplify the analytical object of the inquiry. An examination of the selected case firm can contribute to the establishment of knowledge about the context in which the compliance function operates. This is important because the model is developed to assess the maturity of investment firms' compliance function. Therefore, the interview protocol questions were formulated to capture the information that is considered necessary to conduct a maturity assessment of the firm's compliance function (see Appendices A and B). However, information about the structure and other characteristics of the firm and its compliance function may also say something about the usability and usefulness of the model, and hence provide a basis for evaluating that as well.
As was previously explained, the interviewee was chosen due to his/her position in the case company. As the Head of Compliance and Risk, the interviewee is responsible for the organization of the compliance function, and will thus be a relevant user of the CFMM. Allowing the interviewee to test the model in practice without the intervention of the researchers allows for a more objective evaluation of the model. Therefore, the CFMM (Appendix B) was handed out to the interviewee so that it could be tested in the assessment of the case firm's compliance function. The interviewee was also asked relevant questions about the model's structure, language and cell descriptions, i.e., information about its usability and usefulness.
When using the segmentation function on the website www.proff.no (accessed on 20 January 2021), it appears that in Norway, 160 firms are registered under the NACE code "66,120 Securities brokerage". Filtering further, so that one is left with firms that have over 20 employees, 40 unique firms remain on the list. On average, these have about 85 employees. In this sense, the case firm (hereafter referred to as the Firm) is considered representative of the industry, as it has approximately 90 employees.
The Firm's client base is diversified, including corporations, institutions, non-profit organizations, and private individuals. Investigating the different firms appearing on the list, this appears to be a common practice for Norwegian investment firms, once again confirming the relevance of testing the CFMM within the Firm.
Since it was founded in the early 2000s, the Firm has experienced strong growth. The interview revealed that the Firm, five years ago, became large enough that it was perceived as relevant to establish a separate compliance function. The person who currently is Head of Compliance within the Firm was then appointed to the position. Considering the period, the first years' work was characterized by adapting the business to the requirements of MiFID II.
Until 2020, the Head of Compliance was alone in terms of being responsible for the function. However, due to changes in the Firm's structure as a result of growth, the department has now been expanded, and is expected to consist of three full-time positions before the end of 2021.
With support from the management and the board, the Head of Compliance is concerned with learning and further developing the firm's compliance function. Therefore, when requested, (s)he found it very interesting to participate in the testing of the CFMM and talk about the effectiveness and organization of the function. This has, after all, been a focus in line with the Firm's evolution.
Based on the interview conducted, the subsequent section will present the ways in which the Firm's compliance function is organized as of today, and thus how mature it is according to the CFMM. Based on this assessment, a proposal will also be presented for the ways in which the function can be further developed in terms of effectiveness, cf., the model's prescriptive purpose.

Organization of the Compliance Function
The area of responsibility for the compliance function is to ensure compliance with laws and regulations. Within the Firm, the responsibility of the compliance function lies in the "second line of defense". That is, it is a post-control function after the first-line control. The first line owns the operational risk and must ensure that employees in the "line", i.e., advisers, case officers, and the like, conduct satisfactory internal control. This means implementing measures to ensure that the business is run in accordance with external and internal requirements. This includes checking and following up on the risk of compliance breaches, and implementing corrective measures where this is considered necessary to deal with process and control deficiencies.
The regulations that must be complied with are defined based on which licenses the Firm holds. The interviewee confirmed that MiFID II is particularly important, and set out a framework for the organization of the Firm's business. Thus, the Securities Trading Act, the Money Laundering Act, and other legislation in which the MiFID II requirements are implemented also form the basis for which the Firm's processes and routines are defined.
The Firm also defines compliance risk as a separate risk related to which deviations may occur in connection with breaches of legislation and industry standards, such as the ESMA guidelines. The risks detected appear in the company's risk matrix (an explicit statement of the overall risk assessment of the firm), where all of the various business areas that may involve such risks are assessed in accordance with the probability of the events occurring, and their consequences. This matrix further forms the basis for the Firm's internal control, which provides guidelines for compliance function work (i.e., monitoring program/compliance plan). Furthermore, it is stated in the job description of the Head of Compliance and Risk that the function is to report to the CEO, and also directly to the board. The latter is to ensure the independence of the function.
Based on the above, the compliance function within the Firm can be considered to at least meet the requirements for the function to be permanent and independent, as described in ESMA's guidelines (ESMA 2020b, p. 6). Still, how effective the function is, is yet to be figured out.
The interview with the Head of Compliance and Risk in the Firm has provided information related to the Firm's overall integrity, how resources are allocated to the compliance function, its internal policies and processes, how the compliance function interacts with other business functions, and the use of technology in its workflow. In the following, this information will be analyzed in light of the requirements of the CFMM. This will result in a statement about the maturity of the function, and potential measures for improvement.

Business Integrity
In the CFMM, business integrity is linked to whether the firm "fosters a healthy compliance culture in which employees naturally promote". That this is important for an effective compliance function is, in the CFMM, justified by the fact that building a compliance culture in the company is critical for the effective functioning of the compliance initiatives set to live (Deloitte 2018, p. 9;Grimstad 2020).
When asked what the interviewee understands by the notion of an "effective compliance function", the answer was that compliance culture is one of the things that should be in focus: Fundamental to an effective compliance function is to work preventively and work to create understanding among both management and employees of why the regulations are formed as they are. By this, I simply mean that one must constantly focus on building culture.
In connection with building compliance culture, reference has previously been made to what is called "Tone at the Top" and "Tone at the Middle". This means that a firm's responsibility and commitment to integrity risk start with the management, and from there have a trickle-down effect on the rest of the firm's employees. The interviewee views this as a very positive aspect within the Firm, and says that "Tone at the Top is very good. We have a board that is very concerned with compliance and a CEO who also wants things to be done right-and not on the edge".
It also appears that the Firm has defined values and ethical starting points that form the basis for every decision made in the Firm, regardless of the business level. According to the CFMM, for these to function as building blocks in the development of an effective compliance function, it must also be natural for the Firm's employees to promote these in their daily work practices: The fact that the ethical principles form the basis for every decision in the company means that the management anchors its advice or new processes in these principles, and this, in turn, leads to all employees in the company being 'forced' to think about them.
The interviewee also emphasized that the principles serve as a sales argument to the Firm's customers, and pointed out that employees who seek to build a career in the industry must retain their authorization and a good reputation: "I think the employees are seeing more and more that compliance helps with customer satisfaction as every customer appreciates getting well-documented advice and supporting explanations". Nevertheless, it was also emphasized that even though the desire to do the "right thing" is present among the middle management and employees, it should be noted that in the financial industry, there is a close connection between compensation and the branch's or the individual employee's performance. Moreover, performance is normally measured primarily in the form of quantitative goal achievement or results controls (i.e., financial performance measures). A potential problem is that financial results controls, especially those which focus on short-term accounting profits, can cause employees to become excessively myopic in their decision-making (Merchant and Van der Stede 2017, p. 449). According to the interviewee, this is something that is being worked on preventively within the Firm.
For example, we have a remuneration scheme that hits managers and employees in the front office quite hard. If controls show that they are not compliant with rules and regulations and, for example, give poor advice to a client this is at the expense of the 'thickness of their wallet'.
According to a law firm that assists their clients with regulatory compliance in antimoney laundering and privacy, many of the firms that succeed in developing a compliance culture carry out quality controls of employees' compliance with routines and procedures: The fact that errors and shortcomings are captured by the employees' closest managers, or through quality controls, means that employees receive concrete feedback on which tasks are to be solved and what the individual must improve. (Grimstad 2020) In other words, when employees know that they are being measured and understand how they are measured, their attention and expectations are focused accordingly.
In terms of the CFMM, it can be argued that the Firm is mature when it comes to business integrity (Table 3). This is because they have a board and management focused on building a compliance culture within the firm. When and where there is doubt, control systems are in place to ensure that the right priorities to put in place. In the words of the interviewee: We are secured through soft values and harsh punishments, in the sense that if you are not compliant, you lose your bonus. This is part of laying the foundation for good compliance assessments to be made. Table 3. Maturity assessment related to business integrity (excerpt taken from the CFMM).

Business integrity
Compliancy viewed as a necessary evil

Business ethics and values are defined centrally Time is spent consulting and involving employees in business ethics and values
A healthy compliance culture is fostered. Employees naturally promote it.

Reactive and inconsistent
Organized but reactive Actively managed and understood Proactive and integrated

Resources
Until now, it has been stated that the Firm has a board and management that are very concerned about compliance. Therefore, it is not unexpected that the interviewee states that both the board and management are responsive when it comes to allocating resources to the compliance function when needed. The number of resources and the types of resources that are to be allocated are considered once a year through budget negotiations. However, this is also monitored on an ongoing basis, should any changes that are not considered in the budget negotiations occur. The interviewee referred to an example that illustrates this: The company was actually supposed to put in place an extra resource in the compliance function already in April this year, but the person concerned went on parental leave. As resources were needed it was then arranged so that another person, who was not really to be admitted until August, got to start earlier.
Based on this information, it can be assumed that the Firm does not consider having a compliance function a "necessary evil". Rather, the interviewee explains that appropriate resources are allocated to the function, both in terms of a risk-adjusted resource deployment through budgeting, and ad-hoc in accordance with changes in compliance requirements. This coincides with the cell description in Level 4, which is related to resource allocation (Table 4). Table 4. Maturity assessment related to resource allocation (Excerpt taken from the CFMM).

Insufficient resources allocated
Appropriate resources necessary to achieve compliance Scalable risk-adjusted resource deployment. Assessment done periodically.

Continuously monitored and effectively adapted to changes in compliance requirements
Reactive and inconsistent Organized but reactive Actively managed and understood Proactive and integrated

Policies and Processes
In order to arrive at an effective compliance solution, having well-defined processes and policies that mitigate compliance risk are helpful. However, this presupposes that they are understood and followed by employees (Feise 2020).
According to the informant, the Firm has defined policies and processes that are documented and available to all employees. It is also added that "We know that it takes more than making the pile of instructions and routines available for employees for these to be integrated into their daily work tasks". The Firm, therefore, arranges for policies and processes to be understood by the employees through various channels. This work starts during the onboarding process for new employees, and is followed up through the employment relationship through a prepared training plan that applies to all employees.
The compliance function is considered to be proactive when it comes to building a compliance culture, and it appears similarly to the way in which business integrity is implemented in the Firm's code of conduct. As part of this, it is viewed as important that compliance is involved in defining new routines to ensure that processes are carried out in accordance with relevant laws and regulations.
However, what is described as even more important is that "most often we try to include an employee from each office when new routines are to be defined". This is carried out both to obtain input from those who actually are involved with the processes in practice, and also to ensure training and understanding. According to the informant, "if you have a person who feels responsible for the routine out in the branches, it is more likely that he or she will stick to the 'case' and create focus on it among the rest of the employees".
The fact that the compliance function performs checks on the employees' performance in connection with established processes also leads to training and follow-up of each employee individually. Moreover, the informant stated that "these kinds of controls have often shown to reveal gaps in routines that require them to be updated". This entails that the Firm's processes and policies are continuously updated.
According to the interviewee, updates are not only carried out in response to incidents but also constantly, in line with new interpretations and circulars that come from the FSA: "For example, the Firm's guidelines were updated and approved by the board last autumn, prior to the Firm applying for a new license".
From the above discussion, one can argue that the Firm's policies and processes are integrated into the workflow through instructions and routines that the employees are expected to follow in their daily work practices. Furthermore, the training programs and controls carried out ensure that the processes are understood and continuously improved. Hence, in terms of policies and processes, the Firm's compliance function can be labeled as being proactive and integrated (Table 5). Table 5. Maturity assessment related to policy and processes (excerpt taken from the CFMM).

Policies and processes
Not documented. Ad-hoc in response to incidents.
Defined and documented but not integrated into the workflow Understood by employees and integrated into the workflow

Integrated into the workflow, continuously measured and improved
Reactive and inconsistent Organized but reactive Actively managed and understood Proactive and integrated

Coordination
A lack of cooperation and communication between the compliance function and other business units has been shown to create accountability and communication gaps, as well as redundancies and confusion (Loh 2019;PwC 2004).
Although it is emphasized that there is always room for improvement, the interviewee was satisfied with how the compliance function interacts with other units within the Firm. For example, it was pointed out that regular weekly meetings with the CEO had been set up, as well as periodic meetings with the board. Furthermore, the Head of Compliance is a permanent member of what is called the "project group for development projects", with the role of advising the group on how the various projects should be prioritized with regards to compliance risks.
One challenge the Firm has faced relating to coordination (which has now been improved) is the lack of a communication channel between compliance and the first line. The interviewee referred to this channel as "business compliance" or "business support": The fact that the Company has been in great growth has meant that compliance has made discoveries and identified risks which should be left to the first line of defense to rectify. However, the first line has been so congested at times that these things have been downgraded, and compliance has had to be much more involved in the change itself to get these improvements through. That is not really compliance's task and therefore incorrect use of resources.
According to the CFMM, concerning coordination, one should also assess the ways in which information is made available to the compliance function. The interviewee also mentioned this as particularly important, and it is described as a matter of course that compliance must have access to all of the documentation available in the firm: "there should be no barriers".
That it is seen as natural, or even taken-for-granted, that compliance participates in management meetings and projects is, for the Firm, seen as a measure both to ensure proactive compliance (again, referring to building a compliance culture) and to mitigate any information barriers.
So, when it comes to the key enabler "coordination", the Firm is "on the ball". It has improved previous communication gaps that have created congestion for the compliance function in being left with tasks that were not within their scope of work tasks. Further, regular interaction with the management, the board, and the project group suggest that the Firm has an overall goal in which business integrity plays an important part. In this way, it can be said that the interaction and information flow between the various business functions is actively managed and understood ( Table 6). As the next section will elaborate on, it is positioned at that level because there is room for improvement when it comes to the use of technological tools to improve any friction in how the function gains a hand on the needed information. Table 6. Maturity assessment related to coordination (excerpt taken from the CFMM).

No functional access and communication with other business lines
Defined lines of communication with other business lines and mutual functional access.

All business lines work towards shared goals and initiatives
Alignment of strategy, processes, technology to shared goals to improve effectiveness

Reactive and inconsistent
Organized but reactive Actively managed and understood Proactive and integrated

Technology
When it comes to coordination and how the business areas communicate, it is natural that technology also comes into the picture. As the CFMM shows, a proactive and integrated compliance function implies that the various business areas work towards a shared goal. The alignment of strategy, processes and technology will improve the likelihood of achieving that.
Until now, the Firm's compliance function has been considered to be relatively mature in terms of how it works to enhance business integrity through building compliance culture, how the management is responsive when it comes to resource allocation, and that policies and processes are constantly measured and improved. When it comes to coordination, on the other hand, there seems to be some room for improvement. This is seemingly due to the existence of a gap between what the interviewee refers to as a dream situation of "having a dashboard with access to all relevant information gathered in one place" and today's solution, in which "the information is available and we have access to relevant data, but it can feel a little cumbersome and convoluted to find". For example, to control whether a client lies within its chosen mandate, the interviewee explains that the compliance officer performing the check must assess this manually.
The thing about technology and automatization is that this is often the last building block that comes into place when it comes to establishing new business functions. This is because processes must be tested, and best practices must be identified before they can be automated (Falck-Ytter 2021). It can be understood that this also applies to the compliance function within the Firm: "There is a limit to what is a must-have, and what is nice to have"; according to the interviewee, this decides what is prioritized.
However, as can be understood by the analysis so far, the Firm mostly has what the CFFM describes as "must-haves" in place. According to the interviewee, the Firm is aware that there exists a gap in terms of technology and communication and has therefore initiated an infrastructure project: Once the project is in place, the compliance function will have access to better reports. For example, related to order receipt, more automated processes, with systems for flagging or notifications will require fewer resources from compliance being used in, for example, controls related to clients' mandates.
However, this is an as-is assessment of the maturity of the compliance function within the Firm. Therefore, improvements from the infrastructure project will not have implications for how the Firm scores in terms of technology at this point. From the above information, it seems like, as of today, some processes are automated while others are performed manually. This seems to have implications for the capacity of the compliance function, which-from a risk perspective-should spend more time and resources on activities of high priority, rather than having to spend time gathering data for routine and repeatable compliance processes. In terms of technology, the function is organized but reactive because of the many activities that still are handled manually (Table 7). Table 7. Maturity assessment related to technology (excerpt taken from the CFMM).

Technology
All processes are manual. No systems in place.

Some processes are automated while others are manual
All processes are supported by automated systems All processes are supported by and integrated in one and the same automated system

Reactive and inconsistent Organized but reactive Actively managed and understood Proactive and integrated
Having assessed the Firm's compliance function with respect to the given criteria for the different key enablers defined in the CFMM, Table 8 can be used to develop a plan to address the function's most significant growth areas. i.e., it provides guidelines for how to organize the compliance function to become more effective.
By obtaining information about how the compliance function is organized today from the CCO within the Firm, the compliance function was assessed to be at level 3 (Actively managed and understood). The reasoning is that, despite the fact that three out of five key processes were evaluated as proactive and integrated (i.e., level 4), scoring at levels 3 and 2 in regard to coordination and technology suggests that there is still room for improvement (Table 8)

Business integrity
Compliancy viewed as a necessary evil

Business ethics and values are defined centrally Time is spent consulting and involving employees in business ethics and values
A healthy compliance culture is fostered. Employees naturally promote it.

Reactive and inconsistent
Organized but reactive Actively managed and understood Proactive and integrated

Level of maturity
Earlier, we stated that using technology to enhance efficiency depends on the maturity of other key process areas. This has had its implications for the structure of the CFMM, and thus, the way in which assessing the function's key enablers starts with business integrity and moves upwards, ending with technology.
The interviewee mentioned that there exists a distinction between "must-have" and "nice to have". The same distinction can be interpreted as existing in the CFMM. When the "must-haves" are in place, what is "nice to have" often comes in the form of technology implemented to enhance efficiency. For example, the compliance processes required by law are first implemented in workflow routines. Once these are fully integrated, those that are manual (and therefore time-consuming) should be automated, creating the capacity for the compliance function to focus on tasks that, according to the Firm's risk matrix, are of higher priority.
In short, one can look to the CFMM and advise the Firm to invest in technology that supports and integrates all of the compliance processes in an automated system. However, as stated in the introduction to this paper, such changes cannot be made overnight. This implies that the process of getting to that point must be taken stepwise. For the Firm, this will, according to the cell descriptions in the CFMM (i.e., its guidelines), involve looking into whether and how processes that currently are manual can be automated, before these are integrated into one system.
Having access to all of the relevant information from all business units in one place will enhance coordination and remove the friction that today steals time from the compliance function. Therefore, integrating all of the compliance processes into one system should also involve access to relevant information from all of the business units which are important for monitoring and assessing these processes.

Discussion
This section will be divided into two parts. The first part concerns an evaluation of the CFMM. This is considered an important part of the discussion because it provides the basis for the evaluation of the development process; not only that of the CFMM specifically but also for maturity models in general, as the current process was inspired by ideas from existing development frameworks suggested in the research literature.

Evaluation of the CFMM
An important phase in the process of developing a maturity model is model evaluation. This phase naturally follows the model being tested in practice, as feedback on whether the model fulfilled its defined success criteria for usability and usefulness is provided (Maier et al. 2011). Maier et al. (2011, p. 152) argued that, ideally, "evaluations are conducted within companies or institutions that are independent of the development". This is because it is the choices made during the planning and design phases that are tested. Hence, as part of the interview with the Head of Compliance in the case firm, the CFMM was distributed so that it could be tested in practice.

Success Criterion 1: Usability
In the planning phase, it was stated that the CFMM was intended to be used by investment firms. As such, the success criterion for usability pertains to whether the cell descriptions are understandable and relatable. The model's structure should be intuitive for industry professionals, and not demanding in terms of the prior knowledge of maturity models. In short, the model must be tested for validity and relevance (Maier et al. 2011).
First, proving the relevance of the CFMM includes some degree of agreement on what elements should be included or excluded from the model. According to Maier et al. (2011), this is part of justifying the theoretical framework underlying the selection of the process areas.
Allowing for an element of subjectivity, this was investigated by asking the interviewee to name what elements (s)he considered most important in establishing an "effective compliance function". This question was posed early in the interview, to avoid any bias due to questions related to the content of the model being asked later.
When comparing the elements named by the interviewee to the key enablers defined in the CFMM, there were many similarities. For example, one of the first elements called out as being particularly important by the interviewee was the establishment of a compliance culture within a firm. This was thought of as elementary because it provides a basis for other important elements, such as resource deployment, access to information, and interaction between the business units. Seeing a well-established compliance culture as elementary for an effective compliance function coincides with naming the first key enabler in the CFMM "Business Integrity". As Koehn (2005) states, "integrity properly understood is not only some add-on feature for business; it is at the core of sound business" (p. 134). In a sense, a sound business is what the compliance function strives towards.
In the CFMM, the next key enabler listed is "Resources". This is not mentioned directly by the interviewee, but rather is incorporated into the discussion by highlighting "staffing" as another important element: One must make an overall assessment related to staffing within the compliance function where one assesses what kind of risks the company is exposed to . . . . and which areas are in focus at the FSA. Based on the overall assessment, the firm must look into what is sufficient in terms of staffing.
As such, it can be understood that, in connection with the staffing and other resources allocated to the compliance function, the interviewee sees having the proportionality principle in the back of the mind as being important for effectiveness. Interpreting the cell descriptions of the CFMM, one can understand that this is also used as a basis in the structuring of the model. For example, the upper levels focus on processes and resource allocation being continuously measured and subsequently improved or increased. This underlying thought, seemingly shared with the interviewee, also helps to validate the theoretical basis for the different levels and corresponding cell descriptions.
A healthy compliance culture forms the basis for whether the compliance function has access to all of the relevant information. It mitigates barriers between the compliance function, the management, and other business units. When the interviewee mentioned the element of having "access to all documents and information in the firm," this can arguably be seen as corresponding to the cell descriptions related to the key enabler "Coordination" in the CFMM.
Not explicitly in the model, however, is a key enabler that considers whether members of the compliance function have an understanding of business: Personally, I believe that being conscientious and wanting to do things right, but, at the same time being able to see the business part of it all, is one of the key requirements for an effective compliance function.
As an example, the interviewee mentions having worked in many companies where the Head of Compliance has come straight from working as a lawyer.
Things then are often seen from a very narrow point of view and the legislation is not adapted to fit the business. Compliance then is suddenly considered more of a brake pad and goodwill from the organization is consequently lost.
Previously it was stated that, for compliance initiatives to function effectively, there should be an underlying compliance culture that all employees support (Deloitte 2018, p. 9;Grimstad 2020). If employees feel that the compliance function does not "play on the same team" as the rest of the organization, it is reasonable to assume that employee support will weaken. In such situations, it is more likely that the employees will work their way around the established compliance routines that would require extra effort from them (Merchant and Van der Stede 2017). Based on this, incorporating a distinct key enabler that considers whether compliance is striving to adapt legislation to go hand-in-hand with firms' business practices could be relevant for the CFMM.
However, one could also argue that this is an element that is already incorporated into the model under the umbrella term "Coordination". That is because coordination is very much about the alignment of strategy to reach common goals. This does not only go one way. The compliance function must align its strategy with that of the firm, just as much as the firm must align its strategy to meet certain compliance objectives.
After having had the opportunity to test the model in practice, the interviewee provided feedback on the architecture of the model as well. Overall, it was considered easy to understand both in terms of its structure and content. According to the interviewee, clear cell descriptions made the overall assessment easier.
However, an interesting question related to the key enablers chosen for the model was raised after the interviewee had gotten more acquainted with its structure: What if the assessor finds it that the compliance function scores at the highest level for all the key enablers named in the CFMM-but there is lack of knowledge among its employees-can the function really be mature, then?
This question was found to be interesting because it touched upon the underlying notion of maturity in the model. Because the model was developed based on the first author's subjective interpretations of the existing literature, the model first and foremost says something about what that person sees as the drivers and barriers for maturation (Pöppelbuß and Röglinger 2011).
On the one hand, subjectivity can be seen as weakening the usability of the model. The assessor might feel confused when a component that he or she sees as important is missing. However, the model also leaves room for subjective interpretations on the part of the assessor, for example, when it comes to how he or she chooses to understand each key enabler and related cell descriptions. Therefore, it can be argued that subjective interpretations can also be seen as strengthening usability. This makes it easier for different assessors to use the model, as it can be adapted and understood in ways that fit firms' particular situations.
However, to comment on "knowledge" as a missing element, one can start by pointing to the underlying notion of maturity in the CFMM, which concerns improved processes and learning related to the compliance function. What lies behind this is the thinking that adherence to structured compliance processes, as well as the compliance function being proactive, is what drives its effectiveness. The latter is discussed in the context of what measures the firm takes that perpetuate a healthy and sustainable growth of the business. As part of this, resource allocation enters the picture (Harvey 2004).
In choosing "Resources" as one of the key enablers for an effective compliance function, human resources were discussed, not only in terms of capacity but also capability. The latter refers to how resources are allocated in terms of training in order to maintain the knowledge of compliance employees (ESMA 2020a;ESMA 2020b). Using the word "maintain" is based on it being a prerequisite for having established a compliance function in the first place, and that compliance employees have the necessary level of knowledge and/or expertise.
The fact that knowledge is not explicitly mentioned in the model does not mean that it is not considered an important element. Rather, knowledge is seen as a prerequisite for the compliance function, and therefore it is thought of as being incorporated into the discussion on resources, instead of being a distinct key enabler in the model.
Nevertheless, the overall verdict related to usability is that there is correspondence between our findings and the understandings of the interviewee. This verdict is based on the similarities found between the statements regarding the elements that are considered important in organizing an effective compliance function. Having discussed the aspect of "knowledge", as was brought forward by the interviewee, it can be argued that such a correspondence also applies to the theoretical rationale underlying the structure of the model. In the model, this component is seen as a prerequisite. In short, the CFMM can be considered relevant and valid.

Success Criterion 2: Usefulness
The next success criterion, usefulness, pertains to whether the model can be considered helpful. This is linked to whether it triggers reflection and learning among its audience (Maier et al. 2011, p. 153). In other words, it is about whether the intended users would consider using the CFMM as a tool for the mapping of its function, and whether they would use it as an improvement framework.
After getting acquainted with the model, the interviewee expressed that (s)he is in favor of using this kind of model in any future work on the improvement of the effectiveness of the compliance function. (S)he also sees it as relevant that other parts of the administration use the model, especially the top management: I believe that the model can make the top management aware of what it actually takes for the compliance function to work effectively. By using the model in an assessment, one is forced to think about each aspect of this.
Based on this, it can be understood that the CFMM at least stimulates learning effects (Maier et al. 2011). However, for the model to be useful and worth spending time on for a firm, it should also lead to effective plans for the improvement of a certain situation (e.g., raise the level of maturity in terms of technology). Lasrado et al. (2015, p. 7) note that one common criticism of maturity models is that they are "too simplistic to be useful". To some extent, this was also brought up by the interviewee: Maybe that is the way it's supposed to be, but I feel like the model would be even more useful if it came with an appendix-or like-that provided greater details on how to get from one level to another.
Here, the interviewee refers to how the cell descriptions are meant to be used as guidelines for planning further work to enhance the function's effectiveness, i.e., the prescriptive purpose of the CFMM. Although the cell descriptions themselves are considered "absolutely relevant guidelines", the interviewee finds them to be a little too simple. (S)he would want even more detailed information on how to proceed from having positioned the function at level 3, as is, and plan for it to move towards a higher level: If compliance is seen as a necessary evil, how should one specifically initiate the work of defining business ethics and values?

Sub-Conclusion
As a step towards model verification, the CFMM has now been evaluated vis-à-vis the success criteria and requirements defined during the planning phase (Maier et al. 2011). The overall verdict, based on feedback from the interviewee, is that the CFMM was both user-friendly and useful. However, there is always room for improvement, and the points that were made regarding the usefulness and usability of the model will be taken into consideration in the next subsection discussing the development process of maturity models.

The Process of Developing Maturity Models
As noted in the introduction, the main objective of this paper has been the development of a compliance function maturity model. In connection to this, RQ1 was formulated as follows: How can the effectiveness of the compliance function within Norwegian investment firms be evaluated using a maturity model?
To answer that question, a literature study on the modeling process of maturity models was initiated. Here, criticism of maturity models and their development was examined to ensure that these were taken into account in the development of the model. Moreover, existing research ideas suggesting different modeling processes and procedures were used as inspiration for the development process.

Meeting Criticism
During the literature review process, it became evident that, in the past, researchers have struggled with the development of maturity models. For example, researchers typically face challenges related to theoretical and empirical validation (Benbasat et al. 1984;Lasrado et al. 2015;Solli-Saether and Gottschalk 2010). Therefore, these potential problems needed to be addressed in an appropriate way.
The first problem in developing maturity models is related to the lack of a theoretical foundation (Lasrado et al. 2015, p. 6). For example, developers may simply adapt their model to the structure of models that already have wide acceptance, but that may have been developed for other purposes. This problem was addressed by considering the existing research in the field of corporate compliance when making decisions relating to what types of key enablers, maturity levels, and related cell descriptions to include in the CFMM.
The existing literature on the field of corporate compliance proved to be rich, and cross-references were found concerning the aspects of organizing an effective compliance function. Together with a comparison of the existing maturity models concerning corporate compliance and governance (a step suggested by Becker et al. (2009)), it was possible to conceptually ground the structure of the CFMM in relevant theory.
However, it does not help that the model is theoretically founded if it is not empirically validated. For this purpose, the suggested development frameworks for maturity models propose different methods. For example, Solli-Saether and Gottschalk (2010) and Solli-Saether and Gottschalk (2015) proposed carrying out a survey that can be used to empirically test the elements of the conceptual model. Maier et al. (2011) followed a different strategy that includes synthesizing viewpoints from future users through model applications in eight relevant firms.
As the second part of this paper shows, an attempt has been made to validate the CFMM empirically using a case study approach. Rather than sending out a survey, as suggested by Solli-Saether and Gottschalk (2010);Solli-Saether and Gottschalk (2015), or testing the model in various relevant firms (Maier et al. 2011), the CFMM was tested via an assessment of the compliance function within one chosen case firm. Since the Firm was selected because of its capacity to offer "exemplary knowledge" (Thomas 2011), the findings could indicate whether the model could be validated for use in practice.
However, as was indicated earlier, the way the development process has played out has implications for the end result, and remarks made by the interviewee after testing the CFMM may point to steps in the development process that should be revised.

Revision Based on Feedback
The remarks made by the interviewee, first and foremost, concern decisions related to what elements the CFMM presents as the key enablers for an effective compliance function, and how the model could be "true" if one important aspect is overlooked. These concerns can be related to the success criterion of usability, which again pertains to the model's architecture.
The model's architecture-i.e., its stages, key enablers, and cell descriptions-significantly impacts its use (Maier et al. 2011, p. 150). During the design phase, it was argued that each of these elements being distinct, well-defined, and showing logical progression would ease both the prescriptive and descriptive purpose of the model Maier et al. 2011). As a means to attain such a result, we looked to De Bruin et al. (2005), who recommend choosing between a top-down or bottom-up approach in structuring the key enablers and maturity stages of the model. As pointed out above, evidence on what represents maturity (or effectiveness) related to the compliance function can be found in the existing literature in the field of corporate compliance. This allowed for a bottom-up approach, where the key enablers in the CFMM were selected before the rest of the model was built based on how these elements could be measured (De Bruin et al. 2005, p. 6).
Research on the modeling process of maturity models found that such a practice is only sufficient in the sense that it provides a theoretical starting point (Becker et al. 2009;Maier et al. 2011;Solli-Saether and Gottschalk 2010). According to these researchers, it is necessary to use other means of identification to provide a comprehensive list of possible key enablers for the developer to choose from. Panel interviews or focus group interviews are often used to synthesize the elements most frequently mentioned or the elements that are considered most critical. However, when the developer has limited access to resources, De Bruin et al. (2005) argued that "[t]he important issue when populating the model is to select the combination of research methods that is most appropriate for model development in the context of earlier scoping decisions and desired model outcomes" (p. 6).
As for the development process of the CFMM, the options related to the key enabler selection process were limited due to both the time frame of the research project and pandemic-related restrictions. These limitations were identified before starting the study, and scoping decisions were made while we were well-aware of them. As the model's scope was decided to be domain-specific, a "theoretical starting point" was seen as providing necessary insight into the peculiarities of corporate compliance. These peculiarities were looked into more deeply, not only with reference to research but also to relevant legislation and ideas from practitioners in the field (e.g., financial authorities and consulting organizations).
As the desired outcome was a model for use within Norwegian investment firms, one of the last steps towards validation in the development process consisted of a "testing phase". This included discussing the most prominent elements selected for the model in an interview with an industry professional. Previously, this was also described as a way of meeting the criticism of maturity models lacking empirical validation.
In the frameworks reviewed as part of the literature study, the testing phase is considered an important part of the process of the development of maturity models, and is described as being iterative in nature (e.g., Becker et al. 2009;De Bruin et al. 2005;Maier et al. 2011;Solli-Saether and Gottschalk 2010). Referring to the process as "iterative" implies that once the suggested model has been presented and tested, it should be "revised" based on the feedback received. However, several of the previous studies cited above have a longitudinal character; see, e.g., Solli-Saether and Gottschalk (2015), whose "Stages-ofgrowth model for outsourcing, offshoring and backsourcing" was developed over several years. In contrast, the current study was carried out over a period of a few months during the spring of 2021, so the same extensive testing of the model has not been carried out.
In preparing their development framework, Solli-Saether and Gottschalk (2010) referred to previously developed maturity models. In particular, they pointed to how conceptual "based on interviews or their practical insight into the field of investigation" (Solli-Saether and Gottschalk 2010, p. 284). To a lesser extent, they have had these models tested and revised. Therefore, Solli-Saether and Gottschalk (2010) suggested including an exploratory survey in the testing phase. For their maturity model, such a survey was conducted among 133 major firms which were considered relevant, but only 50 of the responses were considered usable in the revision of the model. Maier et al. (2011) also made a point regarding this last phase. According to their research, "[e]valuations may be continued until a saturation point is reached, i.e., until no more significant changes are being suggested by participants and/or until the evaluation results are satisfactory" (Maier et al. 2011, p. 151).
Therefore, it is possible to argue that only having tested the CFMM in one relevant firm, and having discussed its elements and architecture with only one industry professional is not sufficient for moving forward to revise the model. Hence, this phase was not completed for the CFMM.

Sub-Conclusion
Given the research context, it is reasonable to argue that steps have been taken to ensure well-informed decisions related to the model's architecture. With a lengthier timeframe for the research project, however, the CFMM could be tested in more than one case firm, and could be modified based on the feedback. This could potentially enhance both its usability and usefulness. Still, the overall verdict is that the success criteria defined for the CFMM were attained.

Theoretical Implications
The suggested model-the CFMM-indicates a path of evolution where the compliance function matures from being reactive and inconsistent to becoming a proactive and integrated part of a firm's business practices. This paper has presented a comprehensive overview and comparison of the existing frameworks for the development process of maturity models. Additionally, the compliance function maturity model was developed following various phases suggested in previous maturity model research.
The development process of the CFMM was evaluated based on how the proposed model was thought to attain its defined success criteria of usability and usefulness. The findings generally aligned with those of other researchers, emphasizing the importance of developing maturity models that are not only built on a solid theoretical foundation but also empirically validated (Solli-Saether and Gottschalk 2009; Solli-Saether and Gottschalk 2010).
To be able to conceptually ground the structure of the CFMM in theory, we resorted to measures suggested in previous research by Solli-Saether and Gottschalk (2010), Maier et al. (2011), andBecker et al. (2009). The measures, involving the researchers looking to an established body of knowledge on corporate compliance and previously developed maturity models for the compliance function, helped with the accomplishment of this. As such, the current paper also affirms these scholars' work on how to meet with the established criticism on maturity models lacking theoretical foundations.
Furthermore, aiming for the empirical validation of the model, the CFMM was tested in a relevant case firm. The model was considered both usable and useful by a representative from its intended audience. Furthermore, the different development phases suggested in previous research are supported. Generally, the model attained the criteria of usability and usefulness.
It should be noted, however, that the development of the CFMM was not based solely on one specific framework. Rather, ideas from different frameworks were used. As such, the findings of the current study do not support the work of one particular scholar. Rather, the findings suggest that a canon of theory to which all scientists refer is emerging in the research on maturity model development. This brings new light to previous research by Wendler (2012), who identified a gap in the literature when it came to theoretical reflections on the concept of maturity.
The reasoning behind this statement can be explained as follows. In conducting an extensive literature review on the different development frameworks in the literature, it was noted that all of them were built to achieve the same purpose, i.e., to develop maturity models that can be theoretically and empirically validated, and therefore can be considered usable and useful for their intended audience. Because they aim for the same goal, the suggested frameworks also consist of many of the same elements. They are only defined and described differently. This implies that future developers of maturity models could look to any of the suggested frameworks and still gain much of the same advice regarding the underlying theories, quality criteria, or circumstances supporting the successful usage of their model (Wendler 2012).

Practical Implications
For practitioners, the CFMM represents an improvement framework that can help identify where a firm's compliance function stands as of today, and can further provide guidelines for its future improvement.
Through the assessment of specific characteristics of the function's key enablers, users of the model are provided "with a set of considerations that may deserve special attention" (Solli-Saether and Gottschalk 2015, p. 93). The findings from this study confirm that this attribute is particularly important, and suggest that it can lead to a better understanding of what is needed for managing and planning the evolution of the compliance function.
However, for maturity models to be usable and useful in practice, it follows that their key enablers must be of relevance in their intended area of application. The key enablers selected for the CFMM are based on the current legislation and regulations applying to all Norwegian investment firms. This speaks for the model being of relevance to its intended area of application. Furthermore, by comparing the key enablers defined in the CFMM to the elements considered most important by the interviewee (who represents the model's intended users), similarities were found.
However, in reviewing existing maturity models for the assessment of firms' risk functions, this study found that many of them lack sufficient empirical evidence to be validated. This is a concern for the CFMM as well. For that reason, practitioners should be aware of what maturity model they choose to use. Even though firms in the same industry are subject to the same legal requirements, practitioners should also pay attention to the particularities of the research context, and should compare that to the situation of their firm before applying the model.

Methodological Implications
With respect to the methodological implications, we look to the decisions made regarding the research design and methods chosen for this study. For the literature study, searches for potentially relevant articles were carried using various databases. As research on maturity models is conducted by researchers within a wide range of disciplines (Wong et al. 2013), using a narrative approach was deemed to be the most appropriate choice. A narrative approach ensures that potentially relevant literature is not overlooked because of any pre-specified inclusion/exclusion criteria (Baumeister and Leary 1997;Ferrari 2015). Such a comprehensive search resulted in a vast array of relevant articles. However, the number of articles that were eventually analyzed was relatively low.
For the narrative literature review, a four-stage process suggested by Demiris et al. (2019) was looked to. Based on the experiences gained from adhering to that process in the selection of the relevant literature for this study, methodological implications for conducting similar studies can be identified.
First, the identification of keywords was not only relevant to extend the search, as suggested by Demiris et al. (2019). It also proved to be helpful in narrowing down the number of articles considered relevant, as those which did not contain the specified keywords could be weeded out. This was achieved using different filtering options in the databases. Second, the literature review was documented (see Table 1) in order to provide transparency for the reader. It can also be viewed as a measure to maintain research quality (Demiris et al. 2019).
Further, the findings from the literature study indicated that research on maturity models is anticipated to involve some kind of empirical testing. As such, researchers developing maturity models should substantiate these with both a theoretical foundation and appropriate empirical evidence.
In the second part of the paper, a qualitative approach involving a single case study was used to test the model developed in the first part of the paper. This was carried out as part of establishing the empirical evidence to validate the model's suitability for practice. This paper concluded that the CFMM is valid and of relevance to its intended area of application.
Using a single case study for such a purpose can be problematic (Bryman et al. 2019). However, the findings of the study suggest that it could be an unnecessary concern in this particular case. Even though data from one single interview is usually thought of as being too little to base model modifications on, the findings that emerged from it provide the basis for concrete and context-dependent knowledge, which is of importance to address the research questions in this study.

Limitations and Further Research
Like any piece of research, this study has limitations that should be considered carefully.
First, one threat to the credibility of the findings produced is the risk of biases on the part of the researchers, e.g., in terms of experiences and viewpoints. To remedy this risk, findings from the literature study were tested in a case study, and the interpretations from the case study were then validated through member checking. Still, case studies cannot offer the same level of rigor in the same way as, for example, experiments do.
The first suggestion for further research is related to the limitations of using a case study approach to validate the model. As mentioned in the discussions on the development process of the CFMM, it was decided not to revise the model based on the feedback from one interview and testing. This decision was based on points made in previous research, namely that enough evaluations should be assessed to be able to reach a point where the participants are no longer suggesting significant changes. As the "revision phase" contributes to enhancing the usability of the model developed, it is suggested that the CFMM is tested in more cases, and that it should be modified based on feedback from those. This is because multiple case studies-for example, cross-case studies -to a greater extent, are thought to justify some confidence in the propositions derived from its analysis (Brookes et al. 2014, p. 242).
Another suggestion relating to enhancing the usefulness of the CFMM is to conduct a longitudinal study. Here, the researcher would follow the process from the CFMM being used for an as-is assessment, and further through the improvement process. This would be interesting because the current study is not able to say anything about the relationship between the guidelines presented in the model and the actual improvement of the compliance function's effectiveness.
Finally, two more suggestions are provided to improve the state of knowledge within research on maturity models in general. Throughout the literature study, it became evident that several conceptual descriptions exist for the development process of maturity models. However, empirical evaluations of such frameworks are relatively scarce. If they do exist, they are often undertaken by the same researchers who proposed the framework (e.g., Becker et al. 2010;Solli-Saether and Gottschalk 2015).
To some extent, the development of the CFMM can be viewed as an attempt to provide empirical evidence that these frameworks are sound. However, it is based on different ideas from these frameworks. Therefore, it is not just one specific framework that is tested. Hence, a suggestion for future research would be to address one of these frameworks specifically, and to test it step by step to find evidence that could support, contradict, or shed new light on previous research. Furthermore, if testing the whole process is too comprehensive, the testing of distinct phases could also be relevant. For example, researchers could examine whether the different steps of the design phase suggested by Maier et al. (2011) ensure that the model attains its defined success criteria relating to usability and usefulness.
Lastly, during the discussion of the theoretical contributions, we noted that there are indications that a canon of theory to which all researchers refer could be seen as emerging in the field of maturity models. This brings new light to previous research like that of Wendler (2012). However, for this to be more than just an assumption, a more thorough literature review should be conducted. Therefore, a suggestion for future research would be to replicate the study of Wendler (2012), aiming to structure and analyze the available literature on maturity models, and to determine the challenges and opportunities in this research area. Funding: The APC was funded by the University of South-Eastern Norway.

Institutional Review Board Statement:
The study was conducted according to the ethical guidelines of the NSD-Norwegian centre for research data (https://www.nsd.no/en, accessed on 20 January 2021).

Informed Consent Statement:
Informed consent was obtained from all of the subjects involved in the study.

Data Availability Statement: Not applicable.
Acknowledgments: The authors would like to thank the three anonymous reviewers and the academic editor for their helpful comments and suggestions.

Conflicts of Interest:
The authors declare no conflict of interest.
In short, one considers each individual key enabler (see the Y-axis) and evaluates this against the criteria in the model (the descriptions in each of the boxes). Thereafter, one then ticks off the description that best matches the firm's current situation.
When the exercise has been performed for each of the key enablers, the idea is that the cell descriptions at a higher level (along the x-axis) than the one ticked off can be used as guidelines in further work. An example of this could be that the function is considered reactive and inconsistent when it comes to technology and automated systems (Level 1). In that case, one can look at the next box, which indicates what it takes to reach a higher level. Here, a start would be to automate processes that seem to be ready for that.
Based on this brief introduction and the proposed model: -How do you think the structure of the model works in terms of usability? -Is the language in the model understandable? -Would you consider using this type of model in future work on improving the effectiveness of the compliance function? -Do you consider the "cell descriptions" to be relevant "guidelines"? -Did the model in any way trigger reflection or learning?
N.B. As the case company is Norwegian, and the interviewee is a Norwegian-speaker, the interview was conducted in Norwegian. A Norwegian version of the information sheet was also sent to the interviewee.

Key enablers
of an effective compliance function

Technology
All processes are manual. No systems in place.
Some processes are automated while others are manual All processes are supported by automated systems All processes are supported by and integrated in one and the same automated system