Back to course overview
Module 4Controls & audits 22 min

Workshop: Control matrix

Build Meridian's control matrix: map each high-risk obligation and risk to a specific control, its type, its owner, and the evidence that proves it works.

The control matrix is the workhorse artifact of an operating governance program — the traceable map from risks and obligations to the controls that address them and the evidence that proves it. You'll build Meridian's, focused on the high-risk HR tool where the obligations concentrate.

Step 1 — Set up the matrix

  1. 1Create a table with columns: Risk/Obligation · Control · Type (preventive/detective/corrective) · Owner · Frequency (how often the control runs or is performed) · Evidence · Testing (how and when its operation is verified) · Status (implemented/partial/gap).
  2. 2Seed the rows from your gap analysis (Module 2) and risk map (Module 1) — every high-risk obligation and every material risk gets at least one row.

Step 2 — Fill it for the HR tool

  1. 1Human oversight (obligation) → Control: no candidate rejected without a human reviewer confirming; Type: preventive; Owner: Head of Talent; Evidence: sign-off log per rejection.
  2. 2Non-discrimination (risk + LL144) → Control: independent annual bias audit + ongoing outcome monitoring across protected groups; Type: detective; Owner: the compliance lead, by name (the committee oversees — a committee can't own a control, the charter's named-person rule applies here too); Evidence: dated audit report + monitoring dashboard.
  3. 3Data governance (obligation) → Control: training-data representativeness review + datasheet before any model update; Type: preventive; Owner: Data lead; Evidence: datasheet + review record.
  4. 4Transparency → Control: candidates informed an AI tool is used + how to request review; Type: preventive; Owner: HR; Evidence: the notice + process doc.
  5. 5Record-keeping → Control: append-only log of every screening decision + model version; Type: detective; Owner: Engineering; Evidence: the log itself.
  6. 6Add corrective rows: a process to review and reverse wrongful rejections; a kill switch if bias monitoring breaches a threshold.
  7. 7Fill Frequency and Testing for every row — e.g. the human-review control runs per-decision and is tested by sampling sign-off logs monthly; the bias audit runs annually (with quarterly outcome monitoring) and is tested by internal audit reviewing the auditor's independence and scope. A control with no testing entry is a control you're hoping operates.

Step 3 — Find the uncovered and the unproven

  1. 1Scan for risks/obligations with no control — the dangerous gaps. Scan for controls with no evidence — the ones that'll fail an audit even if they work.
  2. 2Mark each row's status honestly. The realistic result for a company that shipped an HR tool fast: several 'gap' and 'partial' rows. That honesty is the value.
  3. 3Do a lighter matrix for the support agent (its elevated risks map to the guardrails and monitoring the technical courses teach — here, the controls you demand and verify) to show proportionality.

Step 4 — The matrix + remediation list

Save CONTROL-MATRIX.md. Extract the gaps into a prioritized remediation list (by risk × effort) — this becomes the near-term half of your capstone roadmap. You now have, for a real-shaped company, the traceable answer to 'for each way this could go wrong or run afoul of the law, what stops it, who owns it, and how do we prove it?' That table is what a board, a regulator, and an auditor all want to see.

Problem set 4

In the workbook: a control matrix for a credit-decisioning AI with three defects — an obligation with no control, a control with no evidence, and a 'human oversight' control that's actually a rubber stamp (the reviewer approves 100% in 2 seconds each). Identify all three and prescribe the fix that makes each control real.