Why I wrote this article
Risk and control assessment is often the point at which compliance assessment becomes most uncomfortable.
In my experience, many organisations are confident that controls exist. They have policies. They have procedures. They have assigned owners. They may even have positive maturity assessments and relatively few identified gaps.
But there is an important difference between believing a control exists and demonstrating that it works.
That distinction becomes very important when management, boards, auditors, inspectors or regulators ask a simple question:
How do you know? Or how did you ensure that ...?
I wrote this article because Risk and Control Matrix Assessment is the point where assumptions are challenged, and reliance begins to be tested.
Done properly, it helps organisations determine whether the controls they rely on are appropriately designed, properly implemented, operate effectively, and are supported by evidence.
If this article helps clarify and make that important stage of compliance assessment easier to explain, it has served its purpose.
Summary
Every effective compliance assessment starts with one simple question:
Are we meeting the requirements that apply to us?
By the time an organisation reaches Risk and Control Matrix Assessment, three important things should already have happened:
- Scope has determined what applies.
- Maturity Assessment has established current readiness.
- Gap Analysis has identified what appears to require attention.
The next question is different:
Can management demonstrate that the controls it relies upon actually work?
That question matters because compliance assessments ultimately depend on reliance.
Management often relies on controls to:
- reduce risk;
- support compliance;
- prevent failures;
- detect exceptions;
- support reporting;
- satisfy governance responsibilities; and
- provide confidence to stakeholders.
A Risk and Control Matrix (RCM) Assessment helps confirm whether that reliance is justified.
This is the fourth article in NORVA's six-part series on practical compliance assessment.
In this article, we examine the fourth phase: Risk and Control Matrix (RCM) Assessment.
What is a Risk and Control Matrix (RCM) Assessment?
A Risk and Control Matrix Assessment is a structured evaluation of the controls management intends to rely upon.
The objective is to determine whether controls:
- address the relevant risk;
- support the applicable requirement;
- have been properly designed and implemented;
- operate effectively and consistently; and
- can be supported by evidence.
In practice, the Risk and Control Matrix (RCM) becomes the bridge between identified risks and the controls intended to manage them.
The assessment helps answer a practical assurance question:
Do the controls management intends to rely upon actually reduce risk to an acceptable level?
Unlike maturity assessment or gap analysis, this phase moves beyond identifying issues.
It seeks evidence that controls can support reliance.
Where Risk and Control Matrix (RCM) Assessment fits within the six integrated phases
A practical compliance assessment can be viewed as six connected phases:
- Scope — identify what applies and assess inherent risk
- Maturity Assessment — understand current readiness and the assurance path
- Gap Analysis — identify what needs attention and what risk remains
- Risk and Control Matrix Assessment — evaluate the controls management relies upon
- Documentary Evidence — support the assessment position with documentary evidence
- Inspection-Ready Deliverables — produce usable reports and outputs
The Risk and Control Matrix Assessment follows the gap analysis for an important reason.
Testing controls before understanding:
- what applies;
- current readiness; and
- identified gaps
often creates unnecessary work.
Gap analysis helps level-set the environment.
The Risk and Control Matrix Assessment then determines whether the controls intended to address the identified risks can actually be relied upon. This aligns with how leading control-assessment and assurance methodologies approach design testing, implementation testing, operating-effectiveness testing, and remediation validation.
The practical question behind the Risk and Control Matrix (RCM) Assessment
Many organisations ask:
Do we have a control?
The more useful question is:
Can we demonstrate that the control is reducing risk and supporting the position we rely upon?
That distinction changes the nature of the assessment.
The focus shifts from the existence of controls to their reliability.
A control that cannot be demonstrated may not be a control that can be relied upon.
The three dimensions of control assessment
Most mature assurance methodologies evaluate controls across three important dimensions.
Design Effectiveness
The first question is:
Is the control properly designed?
The assessment should determine whether the control, if performed as intended, could reasonably address the identified risk.
Examples of design weaknesses include:
- unclear ownership;
- inappropriate approval thresholds;
- missing segregation of duties;
- incomplete review procedures;
- Inadequate escalation processes.
A control cannot be effective in operation if it is ineffective in design.
That is why many methodologies test design before moving further.
Implementation Effectiveness
The second question is:
Has the control actually been implemented?
Policies and procedures may describe a control.
Implementation testing determines whether the control genuinely exists in practice.
This may involve reviewing:
- walkthroughs;
- assigned owners;
- workflows;
- documented procedures;
- system configurations;
- governance arrangements;
- evidence repositories.
The objective is simple:
Is the control actually in place?
Operating Effectiveness
The third question is:
Does the control operate consistently and effectively over time?
This is often the most evidence-intensive aspect of assessment.
The review may include:
- sampling;
- observation;
- inspection;
- re-performance;
- evidence review.
The objective is to determine whether the control functions as intended throughout the period under review.
Why remediation and retesting matter
One of the most important lessons from assurance work is that identifying a deficiency is only the beginning.
The objective is not simply to identify weaknesses.
The objective is to improve the environment.
Where deficiencies are identified, the assessment should consider:
- root cause;
- risk impact;
- remediation actions;
- ownership;
- target completion dates.
Once remediation is complete, controls should normally be reassessed.
This retesting helps determine whether remediation genuinely resolved the issue rather than simply creating additional documentation.
The importance of reconciliation with earlier assessment phases
This is where a structured assessment becomes particularly valuable.
Risk and Control Matrix Assessment should not operate in isolation.
The results should be reconciled against earlier phases.
For example:
Reconciliation with Maturity Assessment
Did testing confirm the originally assigned maturity status?
Reconciliation with Gap Analysis
Were the identified gaps accurate?
Were any significant gaps missed?
Reconciliation with Risk Assessment
Did residual risk change following testing?
Reconciliation with Management's Position
Does the evidence support the level of reliance management intended to place on the control?
This reconciliation creates a stronger and more defensible assessment record.
Why Risk and Control Matrix Assessment improves assurance quality
The greatest benefit of this phase is confidence.
Without testing, management may be relying on assumptions.
With testing, management gains greater assurance regarding:
- control reliability;
- consistency;
- evidence sufficiency;
- residual risk;
- remediation effectiveness.
That improves the overall credibility of the assessment.
Why Risk and Control Matrix Assessment reduces risk
One reason regulatory compliance and internal control methodologies place such emphasis on testing controls is that ineffective controls create a false sense of comfort.
An organisation may believe:
- risks are controlled;
- obligations are being met;
- evidence exists;
when the underlying control environment cannot support those conclusions.
A Risk and Control Matrix Assessment helps expose weaknesses before external stakeholders do.
Common Mistakes in Risk and Control Matrix Assessment
Common problems include:
- testing operation without evaluating design;
- assuming implementation based on policy documentation;
- treating evidence as proof of effectiveness without testing;
- relying on management assertions;
- failing to validate remediation;
- collecting excessive evidence without focusing on risk.
The goal is not to make the assessment larger.
The goal is to make it more reliable.
How Risk and Control Matrix Assessment differs from earlier phases
One of the strengths of NORVA's methodology is that each phase answers a different question.
Scope
What applies?
Maturity Assessment
How ready do we appear to be?
Gap Analysis
What appears to be missing?
Risk and Control Matrix Assessment
Can management demonstrate that the controls it relies upon are appropriately designed, implemented, operating effectively and supported by evidence?
Each question builds upon the previous one.
Together, they create a more complete picture of the assessment.
How the assessment tool should support the Risk and Control Matrix Assessment
Risk and Control Matrix Assessment should not depend on disconnected spreadsheets, working papers or memory.
A practical assessment tool should help users:
- link risks to controls;
- map controls to requirements;
- record design assessments;
- record implementation assessments;
- record operating-effectiveness testing;
- capture remediation actions;
- document retesting outcomes;
- support evidence linkage;
- maintain an audit trail;
- preserve management rationale.
This is one of the reasons NORVA's Compliance Assessment Toolkit includes flexible work-mode views.
Not every assessment requires a full RCM assessment.
However, where the assessment mandate requires deeper assurance, the underlying RCM capability is available without imposing unnecessary complexity on users whose mandates do not require it.
That supports a more proportionate assessment process.
A practical Risk and Control Matrix Assessment checklist
Before concluding that management can rely on a control, the assessment team should be able to answer:
- Have we identified the key risks?
- Have we identified the controls intended to address those risks?
- Have we evaluated the control design?
- Have we confirmed implementation?
- Have we assessed operating effectiveness?
- Have we identified deficiencies?
- Have we assigned remediation actions?
- Have we performed retesting where required?
- Have we reconciled outcomes against maturity assessment and gap analysis?
- Have we reassessed residual risk?
- Can management demonstrate why reliance is reasonable?
- Is sufficient evidence available to support the conclusion?
If the answer is yes, the organisation is generally in a stronger position to rely on the controls assessed.
Conclusion: Confidence comes from demonstrated reliance
Risk and Control Matrix Assessment is not about proving that controls exist.
It is about determining whether they deserve management's reliance.
Done properly, it helps organisations move from assumption to evidence.
Scope tells us what applies.
Maturity Assessment tells us where we stand.
Gap Analysis tells us what appears to be missing.
Risk and Control Matrix Assessment tells us whether the controls intended to address those issues actually work.
Only then can management say with greater confidence:
We know what applies. We understand the risks. We have tested the controls. We have evidence to support our position.
That is a much stronger foundation for compliance assurance.
I hope that helps.
If it applies, assess it. If you rely on it, document your evidence.
Make Risk and Control Matrix Assessment Easier
The NORVA Solutions Compliance Assessment Toolkit helps compliance teams and advisory firms perform structured Risk and Control Matrix Assessments using Excel-native smart templates supported by its Assessment Runtime Engine.
The toolkit helps users:
- map risks to controls;
- assess design effectiveness;
- evaluate implementation;
- record operating-effectiveness testing;
- manage remediation activities;
- document retesting outcomes;
- link evidence to assessment conclusions; and
- produce more defensible compliance outputs.
For organisations that need more structure than ordinary spreadsheets but do not want the burden of a full enterprise-level GRC platform, NORVA provides a practical middle ground.