Imagine a scenario where your organization tracks user endpoints—like ThinkPads—under a specific entity class and type. Each time a new endpoint is added, the system automatically creates both a Risk record and a corresponding Control. The usual workflow is that the Control goes through an attestation step, followed by a Risk assessment. If there are 10,000 ThinkPads, this means you end up with 10,000 unique Controls and 10,000 matching Risks. Let’s say the initial assessment was completed for all of them with the same outcome: each Control was deemed ineffective.

Now, suppose at a later point the Control is updated and marked as effective. This revision should logically affect every Risk assessment and change the overall risk score for each of those 10,000 items. But how exactly is that handled?

Key question: When the Control’s status shifts from ineffective to effective, do you need to reevaluate every single Risk individually, or is there a way to make a single update that applies across all instances?

Additional Thoughts:

1. If the same Control applies to all endpoints, would it be more efficient to use a Common Control approach instead of creating thousands of separate controls?
2. If risk evaluations are driven by an automated or scripted factor on a schedule (e.g., monthly), and previously the score was based on the Control being ineffective, would the new effective status automatically recalculate the residual risk in the Risk Assessment Methodology (RAM) record? If so, would that updated residual risk then appear in the Risk report without requiring the creation of new assessment records?