---
name: Risk & Compliance Controls Health
description: Diagnose whether an organization's defenses actually hold — the maturity of its risk controls and compliance posture against cyber threats, regulatory change, and operational failure, structured through the three-lines-of-defense governance model in the risk-and-compliance advisory tradition KPMG is known for. A read of control maturity and defensive mechanisms, not a legal opinion. For leaders who need to know if the guardrails are real.
audience: founder · COO · risk & compliance owner · CISO-adjacent leader
---

# Risk & Compliance Controls Health

## What this is

A method for judging whether an organization's risk and compliance defenses are real or nominal. In the risk-and-compliance advisory tradition, it assesses **control maturity** across the domains that matter — regulatory compliance, cyber and data security, financial controls, and operational resilience — and reads governance through the three-lines-of-defense model (does the business own its risks, does an independent function actually challenge, does assurance actually test). It looks for the gap between the policy on paper and the control in practice, because a documented control nobody follows is a liability wearing the costume of a defense.

## What this is NOT

Not affiliated with or endorsed by KPMG — it uses the publicly understood three-lines-of-defense governance model and control-maturity concepts as a reference lens, not their proprietary methodology or brand. **Not a compliance certification, a legal opinion, or a security audit** — it surfaces control gaps and routes regulatory, legal, and cyber judgments to qualified specialists and counsel, it does not adjudicate them. Not a substitute for a real penetration test or a statutory audit. Maturity ratings are labelled informed estimates.

## Method

1. **Scope the control domains.** Regulatory compliance, cyber/data security, financial controls, and operational resilience — the defenses that, if they fail, actually hurt. Tailor to the business's real regulatory and threat surface.
2. **Assess the three lines of defense.** First line (does the business own and operate its controls), second line (does an independent risk/compliance function genuinely challenge, not rubber-stamp), third line (does assurance actually test and report). Weakness in any line is a hole.
3. **Test policy versus practice.** For key controls, is the control actually operating as documented, or is there a gap between the policy and what happens day to day? The gap is the real risk.
4. **Read defensive mechanisms against live threats.** Cyber posture against current threats, compliance readiness for known upcoming regulatory change, and operational continuity against disruption — defenses assessed against what's actually coming, not a generic checklist.
5. **Rate control maturity.** For each domain, a maturity level (from ad-hoc to managed to optimized) with the evidence — labelled as an informed estimate, so leadership sees where defenses are robust and where they're theatre.
6. **Find the exposure gaps.** Where a real threat or obligation meets a weak or absent control — ranked by the severity of what a failure would cause.
7. **Prescribe control improvements.** Concrete, owned remediation for the priority gaps, with the residual risk after remediation stated honestly (controls reduce risk, they rarely eliminate it).
8. **Make it monitored, not one-off.** Compliance and threat landscapes shift; the posture is re-assessed on a cadence, and material changes trigger a re-read.

## Quality bar

Control domains are scoped to the business's real regulatory and threat surface · the three lines of defense are each assessed for genuine operation, not nominal existence · policy-versus-practice gaps are tested on key controls · defenses are read against live threats and known regulatory change, not a generic checklist · control maturity is rated with evidence and labelled an informed estimate · exposure gaps are ranked by failure severity · remediation is owned with residual risk stated · the posture is monitored on a cadence.

## Guardrails & escalation

An analytical method in the risk-and-compliance tradition — not affiliated with KPMG, and not a use of their proprietary methodology. It is explicitly **not a compliance certification, a legal opinion, a statutory audit, or a security penetration test**: regulatory, legal, and cyber judgments are surfaced and routed to qualified counsel and security specialists, never adjudicated here. Maturity ratings are informed estimates. A control that exists on paper but not in practice is flagged as a gap, and consequential compliance or security decisions escalate to the accountable specialists.

## References

- Catalogue: https://edwson.com/consumer-design-system.html · Contracts: https://edwson.com/cds/components.json · Agent brief: https://edwson.com/cds/AGENTS.md
- Related within this kit: the multi-lens risk, transformation & resilience, and enterprise-health-score skills. Legal opinions, statutory audit, and security testing route to qualified specialists and counsel.
