How to Perform a Control Assessment

Who is this article for?

 Risk Managers responsible for managing controls.

 Staff access to edit risk matrices is needed.

The Risk module allows you to assign controls to a risk event to reduce or eliminate a threat or consequence from event taking place. It is important to make sure these controls are fit for purpose, both in terms of their fundamental design and in their operational effectiveness.

When performing a control assessment you can either assign a rating band or you can use a control matrix to assess the control and to provide recommended courses of action on whether further action is needed.

This article outlines the steps to assess the control. This article does not include any details on how to build a control matrix or perform a risk assessment (please visit How to Create a Control Matrix or How to Perform a Risk Assessment for more details on those areas).

To make the assessment process easier to learn, this article is split into 4 sections so that you can either walk through the steps in sequence or you can jump to the section relevant to what you are doing in Q-Pulse Cloud:

1. Assign the Assessment Method
2. Assess the Control using a Control Ratings Band
3. Assess the Control using a Matrix
4. Further Reading

1. Assign the Assessment Method

The first thing you will need to set on the control is the assessment method.  There are two methods available:

• Using a Control Rating Band: The assessor has a simple selection of an effectiveness banding.
• Using a Control Matrix: The user completes a matrix which calculates the outcome.

Remember, there is no right or wrong approach to the matrix or the labels used. The best approach is one that is clear, concise, and meaningful to the user assessing the controls.

To set the assessment method on a control:

1. Click on Risk and then Risks.
2. Open the risk record.
3. Browse to the Controls section.
4. Open the control.
5. Click on the ellipsis and then select Set Assessment Method.

6. Select the assessment method and click [Update].

Important: This change affects only the instance of the control.  It does not affect the master control.

2. Assess the Control using a Control Ratings Band

If your assessment method is set as using a control ratings band then the assessment is quick and easy to follow:

1. Click on Risk and then Risks.
2. Open the risk record.
3. Browse to the Controls section.
4. Open the control.
5. Click on the ellipsis and then select Assess Control.
6. Assign the relevant band, then click [Next].

7. Click [Save].

3. Assess the Control using a Matrix

To assess the control using a matrix:

1. Click on Risk and then Risks.
2. Open the risk record.
3. Browse to the Controls section.
4. Open the control.
5. Click on the ellipsis and then select Set Matrix.
6. Choose the matrix.
7. Return to the control.
8. Click on the ellipsis and then select Assess Control.
9. Using the sliders, set the Design and Operation metrics.

10. Click [Next], then [Save].

4. Further Reading

• How to Create & Manage Control Matrices
• How to Perform a Risk Assessment