What is a Control Library?
Every sophisticated business has a Risk Management framework in place. Normally a high-level risk identification process is undertaken to identify the business's major concerns, and as part of those considerations Risk Managers consider what strategies are in place to mitigate each risk.
Frequently there will be specific tasks associated with the Risk, and often at least some of these tasks will fall under the banner of Compliance items. How well these various tasks are performed will ultimately be reflected in the Residual Risk score determined by the business.
Many businesses are now moving beyond the Residual Risk score model to look at a quantifiable process for assessing how effective (or otherwise) their risk controls are. Risk managers need to bring together the associated risks, the linked compliance items and the lived experience of the business as recorded in Key Risk Metrics, Events and Incidents, and Breaches.
This approach has many benefits for a business including better risk assessment methodology, better utilisation of resources to mitigate risk and a more transparent approach to justifying the validity of risk controls.
About Control Inventory
To provide TriLine customers with an appropriately sophisticated solution, the Control Inventory Module is integrated into the TriLine GRC solution. This powerful option allows an organisation to undertake the appropriate high-level overall assessment of the controls in place to manage a risk.
TriLine GRC already allows businesses to link risks, compliance items, events etc. together for assessment and reporting purposes. The Control Inventory takes this process a step further by introducing the ability to link all aspects of the risk control together and then rate the adequacy of the overall position.
Control Assessment Model
The following diagram shows how TriLine brings together all components to allow risk managers to arrive at a quantifiable definition of control adequacy.
Control Effectiveness Assessment