How Control Effectiveness Drives Risk Scoring
See how control effectiveness ratings drive residual risk calculations, how control failures automatically increase risk scores, and how risk owners monitor which controls protect their risks.
Required Editions
| Available in: Lightning Experience |
| Available in: Enterprise, Performance, and Unlimited Editions with Agentforce IT Service. |
The Compliance Control Version Risk Record
When you create a Compliance Control Version Risk junction record, you document three critical pieces of information:
- The specific threat or vulnerability the control addresses. A single control can mitigate multiple risks, and a single risk can be mitigated by multiple controls.
- A percentage rating (0-100%) that quantifies how much the control reduces the risk's impact. This rating reflects the control's design effectiveness and operational effectiveness based on test results.
- Controls that pass their tests maintain their effectiveness rating. Controls that fail their tests drop to 0% effectiveness, signaling that the risk is no longer protected.
Risk Calculation
The Business Rules Engine uses control effectiveness ratings to calculate residual risk scores. The formula is:
Residual Risk = Inherent Risk × (1 - Control Effectiveness)
- For a single control mitigating a risk:
If the inherent risk score is 12 (Medium likelihood × High impact) and the control effectiveness is 80%, the residual risk becomes:
12 × (1 - 0.80) = 12 × 0.20 = 2.4 (Low). This calculation shows that the control is providing substantial risk reduction from High to Low. The 20% remaining risk represents the residual exposure even with the control in place.
- For multiple controls mitigating the same risk:
High-impact risks often require multiple preventive, detective, and corrective controls for adequate protection. When two or more controls protect a single risk, the Business Rules Engine applies them sequentially. The formula becomes
Residual Risk = Inherent Risk × (1 - Control A Effectiveness) × (1 - Control B Effectiveness)
A risk has an inherent score of 20 (High likelihood × Very High impact). Control A (Preventive RBAC Check) is 80% effective and Control B (Detective Access Log Review) is 60% effective. The residual risk is:
20 × (1 - 0.80) × (1 - 0.60) = 20 × 0.20 × 0.40 = 1.6 (Low). This layered defense reduces the risk from Very High to Low, demonstrating the value of multiple controls working together.
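The residual-risk calculation above, as an added Python example that is not the Business Rules Engine's own code: it applies each linked control's effectiveness sequentially and drops a control to 0% when its latest Compliance Test failed, so the residual score rises automatically. The `ControlLink` class, the function names and the sample values are constructed for illustration; treating a control with no test result yet as keeping its assigned rating is an assumption.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ControlLink:
    """One Compliance Control Version Risk junction record (hypothetical model)."""
    name: str
    effectiveness_pct: float                 # rating assigned on the junction record, 0-100
    last_test_passed: Optional[bool] = None  # result of the latest Compliance Test

    def __post_init__(self) -> None:
        if not 0 <= self.effectiveness_pct <= 100:
            raise ValueError(f"{self.name}: effectiveness must be 0-100, got {self.effectiveness_pct}")

    def applied_effectiveness(self) -> float:
        # A failed test drops the control to 0%, so the risk reads as unprotected.
        # Assumption: a control with no test result yet keeps its assigned rating.
        if self.last_test_passed is False:
            return 0.0
        return self.effectiveness_pct / 100.0


def residual_risk(inherent: float, controls: list[ControlLink]) -> float:
    """Residual = Inherent x (1 - eff_A) x (1 - eff_B) x ..., applied sequentially."""
    residual = inherent
    for control in controls:
        residual *= 1.0 - control.applied_effectiveness()
    return round(residual, 4)  # round away binary float noise such as 1.5999999999999996


def failed_controls(controls: list[ControlLink]) -> list[str]:
    """Names of controls whose last test failed: the ones a risk owner must act on."""
    return [c.name for c in controls if c.last_test_passed is False]


if __name__ == "__main__":
    # Constructed sample matching the worked example above.
    rbac = ControlLink("Preventive RBAC Check", 80, last_test_passed=True)
    log_review = ControlLink("Detective Access Log Review", 60, last_test_passed=True)
    print(residual_risk(20, [rbac, log_review]))         # 1.6

    # Same risk after the RBAC control fails its test: the score rises automatically.
    rbac_failed = ControlLink("Preventive RBAC Check", 80, last_test_passed=False)
    print(residual_risk(20, [rbac_failed, log_review]))  # 8.0
    print(failed_controls([rbac_failed, log_review]))    # ['Preventive RBAC Check']
```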
When to Link Controls to Risks
Link controls to risks at control creation time, not after risk evaluation.
| Sequence | Task |
|---|---|
| 1 | Create the Compliance Risk record and define the inherent risk score. |
| 2 | Define the Compliance Control and Compliance Control Version that will mitigate the risk. |
| 3 | Create the Compliance Control Version Risk junction record and assign the effectiveness rating. |
| 4 | Create the Compliance Test that will validate the control is operating correctly. |
| 5 | Execute the test to establish a baseline pass/fail result. |
| 6 | Verify the Business Rules Engine calculated the residual risk correctly based on the control effectiveness. |
This workflow ensures the control-risk linkage is in place before the first risk evaluation, giving stakeholders accurate residual risk scores from the start.

