INDICATORS, CONTROL & RISK OWNER ( ENTITY OWNER )

Damon12
Kilo Contributor

Hi

Can someone please give me a better understanding of indicators? Probably a layman's explanation.

Are control and risk owners mandatory? Are they the ones to oversee the attestation and assessment?

Can the control owner and risk owner be the same as the attestation and assessment respondent?

Why is the entity owner the same as the control and risk owner?


Eric Feron
Moderator

Indicators help you make sure that all is up to scratch, or know what is not, before the audit comes. They "indicate" the condition of your world.

Ideally they are automated.

Think about:

  • The check-lights on your car dashboard (automated indicators).
  • Actually checking oil level or tire pressure at the gas station (manual indicators).
  • Before the scheduled service (audit).

Happy driving 🙂 

We are preparing a quick video tutorial on Indicators. It will be posted here (Subscribe to that forum to get the alert).

What the risk community refers to as "Control Effectiveness". This means: has the control been designed correctly? So you will often hear terms such as "Design Effectiveness".

Using another everyday example: if the Risk is "Intruder entering your house", then a control could be a door with a lock. However, if people forget to close the door, or worse still forget to lock it, and an intruder gains entry, then the Control is ineffective and therefore badly designed. Once again an "Issue" should be raised with "Action Plan(s)" created to address this. This could result in the Control being updated to include an auto closer on the door and a handle only on the inside, i.e. the Control is redesigned. Or potentially people need to be trained or agree to shut the door, i.e. creation of a Policy and the attestation of said policy.

Hopefully, I am starting to lift the lid on the interrelationships between the different components of Risk and how all these different elements come together.

On your Audit point @Eric Feron, absolutely, and "the business" who owns the controls should also be wary of the other assurance functions who will undertake independent control tests to determine effectiveness. Mainly the preserve of banks, I have seen dedicated testing teams within Operational Risk and Compliance who spent their time "auditing" (I only ever made the mistake of calling Compliance testers "auditors" once - they were not amused 🙂).

They, of course, look at it through their very specific lens, hence why having the core data in place aids Integrated Risk Management (or maybe that's GRC if the rumours are to be believed), but that's a completely different topic worthy of a dedicated discussion.

For now, I will not try and hijack this one!

Eric Feron
Moderator

Damon, you now have a whole panel of explanations from all possible angles! 🙂

Does this all work for you?