Risk and control assessment is often the point at which compliance assessment becomes most uncomfortable.
In my experience, many organisations are confident that controls exist. They have policies. They have procedures. They have assigned owners. They may even have positive maturity assessments and relatively few identified gaps.
But there is an important difference between believing a control exists and demonstrating that it works.
That distinction becomes very important when management, boards, auditors, inspectors or regulators ask a simple question:
How do you know? Or how did you ensure that ...?
I wrote this article because Risk and Control Matrix Assessment is the point where assumptions are challenged, and reliance begins to be tested.
Done properly, it helps organisations determine whether the controls they rely on are appropriately designed, properly implemented, operate effectively, and are supported by evidence.
If this article helps clarify and make that important stage of compliance assessment easier to explain, it has served its purpose.
Every effective compliance assessment starts with one simple question:
Are we meeting the requirements that apply to us?
By the time an organisation reaches Risk and Control Matrix Assessment, three important things should already have happened:
The next question is different:
Can management demonstrate that the controls it relies upon actually work?
That question matters because compliance assessments ultimately depend on reliance.
Management often relies on controls to:
A Risk and Control Matrix (RCM) Assessment helps confirm whether that reliance is justified.
This is the fourth article in NORVA's six-part series on practical compliance assessment.
In this article, we examine the fourth phase: Risk and Control Matrix (RCM) Assessment.
A Risk and Control Matrix Assessment is a structured evaluation of the controls management intends to rely upon.
The objective is to determine whether controls:
In practice, the Risk and Control Matrix (RCM) becomes the bridge between identified risks and the controls intended to manage them.
The assessment helps answer a practical assurance question:
Do the controls management intends to rely upon actually reduce risk to an acceptable level?
Unlike maturity assessment or gap analysis, this phase moves beyond identifying issues.
It seeks evidence that controls can support reliance.
A practical compliance assessment can be viewed as six connected phases:
The Risk and Control Matrix Assessment follows the gap analysis for an important reason.
Testing controls before understanding:
often creates unnecessary work.
Gap analysis helps level-set the environment.
The Risk and Control Matrix Assessment then determines whether the controls intended to address the identified risks can actually be relied upon. This aligns with how leading control-assessment and assurance methodologies approach design testing, implementation testing, operating-effectiveness testing, and remediation validation.
Many organisations ask:
Do we have a control?
The more useful question is:
Can we demonstrate that the control is reducing risk and supporting the position we rely upon?
That distinction changes the nature of the assessment.
The focus shifts from the existence of controls to their reliability.
A control that cannot be demonstrated may not be a control that can be relied upon.
Most mature assurance methodologies evaluate controls across three important dimensions.
The first question is:
Is the control properly designed?
The assessment should determine whether the control, if performed as intended, could reasonably address the identified risk.
Examples of design weaknesses include:
A control cannot be effective in operation if it is ineffective in design.
That is why many methodologies test design before moving further.
The second question is:
Has the control actually been implemented?
Policies and procedures may describe a control.
Implementation testing determines whether the control genuinely exists in practice.
This may involve reviewing:
The objective is simple:
Is the control actually in place?
The third question is:
Does the control operate consistently and effectively over time?
This is often the most evidence-intensive aspect of assessment.
The review may include:
The objective is to determine whether the control functions as intended throughout the period under review.
One of the most important lessons from assurance work is that identifying a deficiency is only the beginning.
The objective is not simply to identify weaknesses.
The objective is to improve the environment.
Where deficiencies are identified, the assessment should consider:
Once remediation is complete, controls should normally be reassessed.
This retesting helps determine whether remediation genuinely resolved the issue rather than simply creating additional documentation.
This is where a structured assessment becomes particularly valuable.
Risk and Control Matrix Assessment should not operate in isolation.
The results should be reconciled against earlier phases.
For example:
Did testing confirm the originally assigned maturity status?
Were the identified gaps accurate?
Were any significant gaps missed?
Did residual risk change following testing?
Does the evidence support the level of reliance management intended to place on the control?
This reconciliation creates a stronger and more defensible assessment record.
The greatest benefit of this phase is confidence.
Without testing, management may be relying on assumptions.
With testing, management gains greater assurance regarding:
That improves the overall credibility of the assessment.
One reason regulatory compliance and internal control methodologies place such emphasis on testing controls is that ineffective controls create a false sense of comfort.
An organisation may believe:
when the underlying control environment cannot support those conclusions.
A Risk and Control Matrix Assessment helps expose weaknesses before external stakeholders do.
Common problems include:
The goal is not to make the assessment larger.
The goal is to make it more reliable.
One of the strengths of NORVA's methodology is that each phase answers a different question.
What applies?
How ready do we appear to be?
What appears to be missing?
Can management demonstrate that the controls it relies upon are appropriately designed, implemented, operating effectively and supported by evidence?
Each question builds upon the previous one.
Together, they create a more complete picture of the assessment.
Risk and Control Matrix Assessment should not depend on disconnected spreadsheets, working papers or memory.
A practical assessment tool should help users:
This is one of the reasons NORVA's Compliance Assessment Toolkit includes flexible work-mode views.
Not every assessment requires a full RCM assessment.
However, where the assessment mandate requires deeper assurance, the underlying RCM capability is available without imposing unnecessary complexity on users whose mandates do not require it.
That supports a more proportionate assessment process.
Before concluding that management can rely on a control, the assessment team should be able to answer:
If the answer is yes, the organisation is generally in a stronger position to rely on the controls assessed.
Risk and Control Matrix Assessment is not about proving that controls exist.
It is about determining whether they deserve management's reliance.
Done properly, it helps organisations move from assumption to evidence.
Scope tells us what applies.
Maturity Assessment tells us where we stand.
Gap Analysis tells us what appears to be missing.
Risk and Control Matrix Assessment tells us whether the controls intended to address those issues actually work.
Only then can management say with greater confidence:
We know what applies. We understand the risks. We have tested the controls. We have evidence to support our position.
That is a much stronger foundation for compliance assurance.
I hope that helps.
If it applies, assess it. If you rely on it, document your evidence.
The NORVA Solutions Compliance Assessment Toolkit helps compliance teams and advisory firms perform structured Risk and Control Matrix Assessments using Excel-native smart templates supported by its Assessment Runtime Engine.
The toolkit helps users:
For organisations that need more structure than ordinary spreadsheets but do not want the burden of a full enterprise-level GRC platform, NORVA provides a practical middle ground.