Skip to main content

Overview

Control Assurance in Risk Legion provides a framework for evaluating the design and operational effectiveness of controls that mitigate business risks. The framework uses a dual assessment approach: Test of Design (ToD) and Test of Effectiveness (ToE).

Control Hierarchy

Risk Legion organizes controls in a two-level hierarchy:

Key Controls

Key Controls are high-level control categories that represent major control themes:
  • Preventive Controls - Stop risks from occurring
  • Detective Controls - Identify risks that have occurred
  • Corrective Controls - Remediate identified issues
Examples:
  • Automated Credit Scoring and Risk Rating
  • Multi-Factor Authentication (MFA)
  • Real-Time AML Transaction Monitoring
  • Asset-Liability Committee (ALCO)

Sub-Controls

Sub-Controls are specific control instances under each Key Control:
  • Represent individual control activities
  • Have their own ToD and ToE assessments
  • Link directly to risk scenarios in BRAs
Examples under “Multi-Factor Authentication (MFA)”:
  • Biometric Authentication Enrollment
  • Failed Authentication Lockout
  • Session Timeout Policy

Test of Design (ToD)

Test of Design evaluates how well a control is designed to mitigate the identified risk.

ToD Rating Scale

ToD Assessment Criteria

When assessing ToD, consider:

Documentation

Are control procedures documented?
  • Policy documents exist
  • Procedures are current
  • Responsibilities are clear

Coverage

Does the control address the full risk?
  • All risk scenarios covered
  • No significant gaps
  • Edge cases considered

Automation

Is the control automated where appropriate?
  • Manual vs. automated balance
  • Consistent execution
  • Scalable design

Integration

Does the control fit the process?
  • Integrated into workflows
  • Not easily bypassed
  • Sustainable long-term

Test of Effectiveness (ToE)

Test of Effectiveness evaluates how well the control operates in practice.

ToE Rating Scale

ToE Assessment Methods

Total Effectiveness Calculation

Risk Legion automatically calculates Total Effectiveness from the ToD and ToE ratings:

Effectiveness Matrix

The matrix uses a conservative approach: both design AND effectiveness must be strong for a control to be rated highly effective.

Control Assurance Workflow

Step 1: Identify Controls

During BRA creation, controls are linked to risk scenarios:
  1. System suggests controls from the Risk Library
  2. Assessor reviews and confirms relevant controls
  3. Additional controls can be added as needed

Step 2: Assess Test of Design

For each sub-control:
  1. Review control documentation
  2. Evaluate design against risk
  3. Assign ToD rating (A-E)
  4. Provide justification

Step 3: Assess Test of Effectiveness

For each sub-control:
  1. Select testing method
  2. Execute testing procedure
  3. Document testing date and tester
  4. Assign ToE rating (1-5)
  5. Provide justification and evidence notes

Step 4: Review and Update

Controls should be reassessed:
  • At each BRA assessment period
  • After significant control changes
  • Following control failures or incidents
  • When new risks are identified

Control Heat Map

The Control Heat Map visualizes control effectiveness across your organization:

Dashboard View

The dashboard displays:
  • ToD vs ToE Matrix - Distribution of controls by ratings
  • Effectiveness Summary - Counts by effectiveness level
  • Trend Indicators - Changes from previous period

Interpreting the Heat Map

1

Identify Clusters

Look for concentrations of controls in specific cells
2

Assess Risk Areas

Controls in bottom-right (D/E + 4/5) need immediate attention
3

Track Improvements

Monitor movement toward top-left over time
4

Plan Remediation

Prioritize controls with high residual risk scenarios

Key Control Effectiveness Aggregation

Key Control effectiveness is aggregated from its Sub-Controls using a worst-case approach:
This conservative approach ensures that weaknesses in individual sub-controls are not masked by stronger controls.

Control Library Management

Adding Controls

Client Admins can add custom controls:
  1. Navigate to Governance → Risk Library → Key Controls
  2. Click Add Key Control
  3. Enter control details (name, category, description)
  4. Add Sub-Controls under the Key Control

Linking Controls to Scenarios

Controls can be linked to risk scenarios:
  1. Navigate to Governance → Risk Library → Risk Scenarios
  2. Select a scenario
  3. Click Link Controls
  4. Select relevant Key Controls and Sub-Controls

Archiving Controls

Controls can be archived (soft delete):
  1. Click the archive icon on the control
  2. Confirm archiving
  3. Archived controls remain in historical BRAs
  4. Can be restored if needed

Best Practices

  • Develop rating guidelines for your organization
  • Train assessors on consistent application
  • Use calibration sessions for alignment
  • Document testing procedures
  • Retain evidence of testing
  • Reference specific findings in justifications
  • Reassess controls at least annually
  • Update after significant changes
  • Track trends over time
  • Create action plans for weak controls
  • Set improvement targets
  • Monitor remediation progress

API Reference

See API Reference for complete documentation.