Overview

Control Assurance in Risk Legion provides a framework for evaluating the design and operational effectiveness of controls that mitigate business risks. The framework uses a dual assessment approach: Test of Design (ToD) and Test of Effectiveness (ToE).

Control Hierarchy

Risk Legion organizes controls in a two-level hierarchy:
Key Control (Parent)
├── Sub-Control 1
├── Sub-Control 2
└── Sub-Control 3

Key Controls

Key Controls are high-level control categories that represent major control themes:
  • Preventive Controls - Stop risks from occurring
  • Detective Controls - Identify risks that have occurred
  • Corrective Controls - Remediate identified issues
Examples:
  • Automated Credit Scoring and Risk Rating
  • Multi-Factor Authentication (MFA)
  • Real-Time AML Transaction Monitoring
  • Asset-Liability Committee (ALCO)

Sub-Controls

Sub-Controls are specific control instances under each Key Control:
  • Represent individual control activities
  • Have their own ToD and ToE assessments
  • Link directly to risk scenarios in BRAs
Examples under “Multi-Factor Authentication (MFA)”:
  • Biometric Authentication Enrollment
  • Failed Authentication Lockout
  • Session Timeout Policy

Test of Design (ToD)

Test of Design evaluates how well a control is designed to mitigate the identified risk.

ToD Rating Scale

Grade | Rating     | Description
----- | ---------- | -----------
A     | Excellent  | Control design is comprehensive, automated, and addresses all aspects of the risk
B     | Good       | Control design is well-structured with minor gaps that don’t significantly impact effectiveness
C     | Adequate   | Control design meets minimum requirements but has noticeable gaps
D     | Weak       | Control design has significant gaps that may allow risk to materialize
E     | Inadequate | Control design is fundamentally flawed or non-existent

ToD Assessment Criteria

When assessing ToD, consider:

Documentation

Are control procedures documented?
  • Policy documents exist
  • Procedures are current
  • Responsibilities are clear

Coverage

Does the control address the full risk?
  • All risk scenarios covered
  • No significant gaps
  • Edge cases considered

Automation

Is the control automated where appropriate?
  • Manual vs. automated balance
  • Consistent execution
  • Scalable design

Integration

Does the control fit the process?
  • Integrated into workflows
  • Not easily bypassed
  • Sustainable long-term

Test of Effectiveness (ToE)

Test of Effectiveness evaluates how well the control operates in practice.

ToE Rating Scale

Grade | Rating               | Description
----- | -------------------- | -----------
1     | Highly Effective     | Control operates consistently and catches/prevents 95%+ of relevant issues
2     | Effective            | Control operates reliably with occasional minor exceptions (85-95%)
3     | Moderately Effective | Control operates adequately but with regular exceptions (70-85%)
4     | Less Effective       | Control has significant operational gaps (50-70%)
5     | Ineffective          | Control fails to operate as designed (<50%)

ToE Assessment Methods

Method         | Description                              | When to Use
-------------- | ---------------------------------------- | -------------------------------
Sample Testing | Test a sample of transactions/activities | High-volume automated controls
Walkthrough    | Observe control in operation             | Manual controls, processes
Inquiry        | Interview control operators              | Understanding procedures
Inspection     | Review documentation/evidence            | Periodic reviews, approvals
Re-performance | Re-execute the control                   | Critical calculations

Total Effectiveness Calculation

Risk Legion automatically calculates Total Effectiveness from the ToD and ToE ratings:
Total Effectiveness = f(ToD, ToE)

Effectiveness Matrix

      | ToE 1                | ToE 2                | ToE 3                | ToE 4                | ToE 5
----- | -------------------- | -------------------- | -------------------- | -------------------- | --------------------
ToD A | Highly Effective     | Highly Effective     | Effective            | Moderately Effective | Less Effective
ToD B | Highly Effective     | Effective            | Effective            | Moderately Effective | Less Effective
ToD C | Effective            | Effective            | Moderately Effective | Less Effective       | Not Effective
ToD D | Moderately Effective | Moderately Effective | Less Effective       | Not Effective        | Not Effective
ToD E | Less Effective       | Less Effective       | Not Effective        | Not Effective        | Not Effective
The matrix uses a conservative approach: both design AND effectiveness must be strong for a control to be rated highly effective.

Control Assurance Workflow

Step 1: Identify Controls

During BRA creation, controls are linked to risk scenarios:
  1. System suggests controls from the Risk Library
  2. Assessor reviews and confirms relevant controls
  3. Additional controls can be added as needed

Step 2: Assess Test of Design

For each sub-control:
  1. Review control documentation
  2. Evaluate design against risk
  3. Assign ToD rating (A-E)
  4. Provide justification
{
  "sub_control_id": "sc-001",
  "tod": "B",
  "tod_justification": "MFA design is comprehensive with biometric and OTP options. Minor gap: legacy systems not yet integrated."
}

Step 3: Assess Test of Effectiveness

For each sub-control:
  1. Select testing method
  2. Execute testing procedure
  3. Document testing date and tester
  4. Assign ToE rating (1-5)
  5. Provide justification and evidence notes
{
  "sub_control_id": "sc-001",
  "toe": "2",
  "toe_justification": "Sample testing of 100 transactions showed 93% MFA compliance. 7% exceptions were authorized by security team.",
  "testing_date": "2026-01-15",
  "tested_by": "Jane Smith",
  "evidence_notes": "Sample report attached, exception log reviewed"
}
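The following is an added example, not Risk Legion's own code. It turns a sample-test result into the ToE record shown in Step 3 and checks a ToD/ToE update record of the shape shown in Steps 2 and 3 before it is sent to PATCH /api/v1/controls/sub-controls/{id}. The percentage bands come from the ToE rating scale above; treating each band's lower bound as inclusive (exactly 95% maps to grade 1, exactly 85% to grade 2) is an assumption, since the page only lists the ranges. The function names and the required-field rules are assumptions as well.

```python
# Added example (not Risk Legion's code): derive a ToE grade from sample testing
# and validate ToD/ToE update records before they reach the sub-control PATCH endpoint.
from datetime import date

TOD_GRADES = {"A", "B", "C", "D", "E"}
TOE_GRADES = {"1", "2", "3", "4", "5"}

# (minimum pass rate in %, ToE grade), best band first. Lower bounds are treated
# as inclusive; that boundary convention is an assumption.
TOE_BANDS = [
    (95.0, "1"),  # Highly Effective: 95%+
    (85.0, "2"),  # Effective: 85-95%
    (70.0, "3"),  # Moderately Effective: 70-85%
    (50.0, "4"),  # Less Effective: 50-70%
    (0.0, "5"),   # Ineffective: <50%
]

def pass_rate(sample_size: int, exceptions: int) -> float:
    """Percent of sampled items where the control operated as designed."""
    if sample_size <= 0:
        raise ValueError("sample_size must be positive")
    if not 0 <= exceptions <= sample_size:
        raise ValueError("exceptions must be between 0 and sample_size")
    return 100.0 * (sample_size - exceptions) / sample_size

def toe_from_rate(rate: float) -> str:
    """Map a pass rate to the ToE grade '1'..'5' using the rating-scale bands."""
    for minimum, grade in TOE_BANDS:
        if rate >= minimum:
            return grade
    raise ValueError("rate must be between 0 and 100")

def build_toe_record(sub_control_id, sample_size, exceptions, tested_by, testing_date, evidence_notes):
    """Build a Step 3 style ToE record; the justification text is generated from the sample figures."""
    rate = pass_rate(sample_size, exceptions)
    return {
        "sub_control_id": sub_control_id,
        "toe": toe_from_rate(rate),
        "toe_justification": (
            f"Sample testing of {sample_size} items showed {rate:.0f}% compliance "
            f"({exceptions} exceptions)."
        ),
        "testing_date": testing_date,
        "tested_by": tested_by,
        "evidence_notes": evidence_notes,
    }

def validate_assessment(record: dict) -> list[str]:
    """Return the problems found in a ToD/ToE update record; an empty list means it is acceptable."""
    problems = []
    if not record.get("sub_control_id"):
        problems.append("sub_control_id is required")
    if "tod" not in record and "toe" not in record:
        problems.append("record must carry a tod or a toe rating")
    if "tod" in record:
        if str(record["tod"]) not in TOD_GRADES:
            problems.append(f"tod must be one of A-E, got {record['tod']!r}")
        if not str(record.get("tod_justification") or "").strip():
            problems.append("tod_justification is required with a tod rating")
    if "toe" in record:
        if str(record["toe"]) not in TOE_GRADES:
            problems.append(f"toe must be one of 1-5, got {record['toe']!r}")
        if not str(record.get("toe_justification") or "").strip():
            problems.append("toe_justification is required with a toe rating")
        if not record.get("tested_by"):
            problems.append("tested_by is required with a toe rating")
        try:
            date.fromisoformat(str(record.get("testing_date") or ""))
        except ValueError:
            problems.append("testing_date must be an ISO date (YYYY-MM-DD)")
    return problems

if __name__ == "__main__":
    # Reproduces the Step 3 figures: 100 transactions, 7 exceptions -> 93% -> ToE 2.
    record = build_toe_record("sc-001", 100, 7, "Jane Smith", "2026-01-15",
                              "Sample report attached, exception log reviewed")
    print(record)
    print("problems:", validate_assessment(record))
```

Running the block reproduces the Step 3 figures: 100 sampled transactions with 7 exceptions give a 93% pass rate, which lands in the 85-95% band and therefore ToE 2. Whether authorized exceptions should count against the pass rate is a judgement the assessor records in the justification; the code above counts every exception.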

Step 4: Review and Update

Controls should be reassessed:
  • At each BRA assessment period
  • After significant control changes
  • Following control failures or incidents
  • When new risks are identified

Control Heat Map

The Control Heat Map visualizes control effectiveness across your organization:

Dashboard View

The dashboard displays:
  • ToD vs ToE Matrix - Distribution of controls by ratings
  • Effectiveness Summary - Counts by effectiveness level
  • Trend Indicators - Changes from previous period

Interpreting the Heat Map

  1. Identify Clusters - Look for concentrations of controls in specific cells
  2. Assess Risk Areas - Controls in bottom-right (D/E + 4/5) need immediate attention
  3. Track Improvements - Monitor movement toward top-left over time
  4. Plan Remediation - Prioritize controls with high residual risk scenarios

Key Control Effectiveness Aggregation

Key Control effectiveness is aggregated from its Sub-Controls using a worst-case approach:
# Total Effectiveness levels ordered from worst to best
EFFECTIVENESS_SCALE = ["Not Effective", "Less Effective", "Moderately Effective", "Effective", "Highly Effective"]

def aggregate_key_control_effectiveness(sub_controls):
    # Walk the scale from worst to best: if any sub-control is "Not Effective",
    # the key control is "Not Effective"; otherwise, if any is "Less Effective",
    # the key control is "Less Effective"; and so on up the scale.
    for level in EFFECTIVENESS_SCALE:
        if any(sc.total_effectiveness == level for sc in sub_controls):
            return level
    return None  # no assessed sub-controls yet
This conservative approach ensures that weaknesses in individual sub-controls are not masked by stronger controls.
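The example below is added here and is not Risk Legion's own code. It serves three passages on this page: it encodes the Effectiveness Matrix as a lookup for Total Effectiveness = f(ToD, ToE), builds the ToD-vs-ToE distribution and effectiveness summary that the Control Heat Map dashboard shows (including the bottom-right D/E + 4/5 cells flagged for immediate attention), and applies the worst-case key-control aggregation described above. The SubControl data class, the SAMPLE records other than sc-001's B/2 ratings, and the function names are assumptions.

```python
# Added example (not Risk Legion's code): effectiveness matrix lookup, heat map
# distribution and worst-case key-control aggregation over constructed sample data.
from collections import Counter
from dataclasses import dataclass

# Total Effectiveness levels, weakest first; the index order is used for comparisons.
EFFECTIVENESS_SCALE = [
    "Not Effective", "Less Effective", "Moderately Effective",
    "Effective", "Highly Effective",
]

# Rows are ToD A..E, columns are ToE 1..5, copied from the Effectiveness Matrix.
_MATRIX = {
    "A": ["Highly Effective", "Highly Effective", "Effective", "Moderately Effective", "Less Effective"],
    "B": ["Highly Effective", "Effective", "Effective", "Moderately Effective", "Less Effective"],
    "C": ["Effective", "Effective", "Moderately Effective", "Less Effective", "Not Effective"],
    "D": ["Moderately Effective", "Moderately Effective", "Less Effective", "Not Effective", "Not Effective"],
    "E": ["Less Effective", "Less Effective", "Not Effective", "Not Effective", "Not Effective"],
}

def total_effectiveness(tod: str, toe) -> str:
    """Total Effectiveness = f(ToD, ToE), read off the matrix; rejects ratings outside A-E / 1-5."""
    tod = str(tod).strip().upper()
    toe_n = int(toe)  # the API records ToE as a string such as "2"
    if tod not in _MATRIX or not 1 <= toe_n <= 5:
        raise ValueError(f"invalid rating pair ToD={tod!r}, ToE={toe!r}")
    return _MATRIX[tod][toe_n - 1]

@dataclass(frozen=True)
class SubControl:  # assumed shape; the real sub-control record carries more fields
    id: str
    key_control: str
    tod: str
    toe: str

    @property
    def total(self) -> str:
        return total_effectiveness(self.tod, self.toe)

def heat_map(sub_controls):
    """Counts per (ToD, ToE) cell and counts per Total Effectiveness level, as on the dashboard."""
    cells = Counter((sc.tod, int(sc.toe)) for sc in sub_controls)
    summary = Counter(sc.total for sc in sub_controls)
    return cells, summary

def needs_immediate_attention(sub_controls):
    """Bottom-right of the heat map: ToD D/E combined with ToE 4/5."""
    return [sc.id for sc in sub_controls if sc.tod in ("D", "E") and int(sc.toe) >= 4]

def aggregate_key_control(sub_controls):
    """Worst-case aggregation: the key control takes its weakest sub-control's rating."""
    if not sub_controls:
        return None
    return min((sc.total for sc in sub_controls), key=EFFECTIVENESS_SCALE.index)

def aggregate_all(sub_controls):
    """Aggregate every key control present in the list, keyed by key-control name."""
    by_key = {}
    for sc in sub_controls:
        by_key.setdefault(sc.key_control, []).append(sc)
    return {key: aggregate_key_control(group) for key, group in by_key.items()}

# Constructed sample data; sc-001 reuses the B/2 ratings from the Step 2 and Step 3 examples.
SAMPLE = [
    SubControl("sc-001", "Multi-Factor Authentication (MFA)", "B", "2"),
    SubControl("sc-002", "Multi-Factor Authentication (MFA)", "A", "1"),
    SubControl("sc-003", "Multi-Factor Authentication (MFA)", "C", "3"),
    SubControl("sc-004", "Real-Time AML Transaction Monitoring", "D", "4"),
    SubControl("sc-005", "Real-Time AML Transaction Monitoring", "A", "2"),
]

if __name__ == "__main__":
    cells, summary = heat_map(SAMPLE)
    print("cells:", dict(cells))
    print("summary:", dict(summary))
    print("immediate attention:", needs_immediate_attention(SAMPLE))
    print("key controls:", aggregate_all(SAMPLE))
```

With the sample data, the MFA key control is rated "Moderately Effective" because sc-003 (C/3) drags it down even though sc-002 is "Highly Effective", and the AML key control drops to "Not Effective" on the strength of a single D/4 sub-control. That is the masking the worst-case rule is designed to prevent: one strong sub-control never hides a weak one.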

Control Library Management

Adding Controls

Client Admins can add custom controls:
  1. Navigate to Governance → Risk Library → Key Controls
  2. Click Add Key Control
  3. Enter control details (name, category, description)
  4. Add Sub-Controls under the Key Control

Linking Controls to Scenarios

Controls can be linked to risk scenarios:
  1. Navigate to Governance → Risk Library → Risk Scenarios
  2. Select a scenario
  3. Click Link Controls
  4. Select relevant Key Controls and Sub-Controls

Archiving Controls

Controls can be archived (soft delete):
  1. Click the archive icon on the control
  2. Confirm archiving
  3. Archived controls remain in historical BRAs
  4. Can be restored if needed

Best Practices

  • Develop rating guidelines for your organization
  • Train assessors on consistent application
  • Use calibration sessions for alignment
  • Document testing procedures
  • Retain evidence of testing
  • Reference specific findings in justifications
  • Reassess controls at least annually
  • Update after significant changes
  • Track trends over time
  • Create action plans for weak controls
  • Set improvement targets
  • Monitor remediation progress

API Reference

Endpoint                             | Method | Description
------------------------------------ | ------ | ------------------------------
/api/v1/controls/key-controls        | GET    | List key controls
/api/v1/controls/key-controls        | POST   | Create key control
/api/v1/controls/sub-controls        | GET    | List sub-controls
/api/v1/controls/sub-controls        | POST   | Create sub-control
/api/v1/controls/sub-controls/{id}   | PATCH  | Update sub-control (ToD/ToE)
/api/v1/controls/effectiveness       | GET    | Get effectiveness summary
/api/v1/controls/heat-map            | GET    | Get heat map data
See API Reference for complete documentation.