Overview
Control Assurance in Risk Legion provides a framework for evaluating the design and operational effectiveness of controls that mitigate business risks. The framework uses a dual assessment approach: Test of Design (ToD) and Test of Effectiveness (ToE).Control Hierarchy
Risk Legion organizes controls in a two-level hierarchy:Key Controls
Key Controls are high-level control categories that represent major control themes:- Preventive Controls - Stop risks from occurring
- Detective Controls - Identify risks that have occurred
- Corrective Controls - Remediate identified issues
- Automated Credit Scoring and Risk Rating
- Multi-Factor Authentication (MFA)
- Real-Time AML Transaction Monitoring
- Asset-Liability Committee (ALCO)
Sub-Controls
Sub-Controls are specific control instances under each Key Control:- Represent individual control activities
- Have their own ToD and ToE assessments
- Link directly to risk scenarios in BRAs
- Biometric Authentication Enrollment
- Failed Authentication Lockout
- Session Timeout Policy
Test of Design (ToD)
Test of Design evaluates how well a control is designed to mitigate the identified risk.ToD Rating Scale
ToD Assessment Criteria
When assessing ToD, consider:Documentation
Are control procedures documented?
- Policy documents exist
- Procedures are current
- Responsibilities are clear
Coverage
Does the control address the full risk?
- All risk scenarios covered
- No significant gaps
- Edge cases considered
Automation
Is the control automated where appropriate?
- Manual vs. automated balance
- Consistent execution
- Scalable design
Integration
Does the control fit the process?
- Integrated into workflows
- Not easily bypassed
- Sustainable long-term
Test of Effectiveness (ToE)
Test of Effectiveness evaluates how well the control operates in practice.ToE Rating Scale
ToE Assessment Methods
Total Effectiveness Calculation
Risk Legion automatically calculates Total Effectiveness from the ToD and ToE ratings:Effectiveness Matrix
The matrix uses a conservative approach: both design AND effectiveness must be strong for a control to be rated highly effective.
Control Assurance Workflow
Step 1: Identify Controls
During BRA creation, controls are linked to risk scenarios:- System suggests controls from the Risk Library
- Assessor reviews and confirms relevant controls
- Additional controls can be added as needed
Step 2: Assess Test of Design
For each sub-control:- Review control documentation
- Evaluate design against risk
- Assign ToD rating (A-E)
- Provide justification
Step 3: Assess Test of Effectiveness
For each sub-control:- Select testing method
- Execute testing procedure
- Document testing date and tester
- Assign ToE rating (1-5)
- Provide justification and evidence notes
Step 4: Review and Update
Controls should be reassessed:- At each BRA assessment period
- After significant control changes
- Following control failures or incidents
- When new risks are identified
Control Heat Map
The Control Heat Map visualizes control effectiveness across your organization:Dashboard View
The dashboard displays:- ToD vs ToE Matrix - Distribution of controls by ratings
- Effectiveness Summary - Counts by effectiveness level
- Trend Indicators - Changes from previous period
Interpreting the Heat Map
1
Identify Clusters
Look for concentrations of controls in specific cells
2
Assess Risk Areas
Controls in bottom-right (D/E + 4/5) need immediate attention
3
Track Improvements
Monitor movement toward top-left over time
4
Plan Remediation
Prioritize controls with high residual risk scenarios
Key Control Effectiveness Aggregation
Key Control effectiveness is aggregated from its Sub-Controls using a worst-case approach:Control Library Management
Adding Controls
Client Admins can add custom controls:- Navigate to Governance → Risk Library → Key Controls
- Click Add Key Control
- Enter control details (name, category, description)
- Add Sub-Controls under the Key Control
Linking Controls to Scenarios
Controls can be linked to risk scenarios:- Navigate to Governance → Risk Library → Risk Scenarios
- Select a scenario
- Click Link Controls
- Select relevant Key Controls and Sub-Controls
Archiving Controls
Controls can be archived (soft delete):- Click the archive icon on the control
- Confirm archiving
- Archived controls remain in historical BRAs
- Can be restored if needed
Best Practices
Consistent Rating Criteria
Consistent Rating Criteria
- Develop rating guidelines for your organization
- Train assessors on consistent application
- Use calibration sessions for alignment
Evidence-Based Assessments
Evidence-Based Assessments
- Document testing procedures
- Retain evidence of testing
- Reference specific findings in justifications
Regular Updates
Regular Updates
- Reassess controls at least annually
- Update after significant changes
- Track trends over time
Remediation Tracking
Remediation Tracking
- Create action plans for weak controls
- Set improvement targets
- Monitor remediation progress
API Reference
See API Reference for complete documentation.