top of page
  • Julian Talbot

Policy Assurance Compliance

PAC Model: The Triad Of Control Effectiveness

Effectively managing an organization's controls requires a deep understanding of three key elements: Policy, Assurance, and Compliance.

While acknowledging the importance of each element is crucial, so is the need for a framework to rate their effectiveness individually. A weak rating in any one element can compromise the overall control system. This article outlines the considerations and metrics for rating each of these critical elements.

Policy: The Framework for Rating

To rate the effectiveness of policies, you should consider the following aspects:

  1. Clarity: How easy is it to understand the policy documents?

  2. Completeness: Do the policies cover all the essential areas they are intended to govern?

  3. Relevance: Are the policies aligned with the current state and objectives of the organization?

  4. Accessibility: Are policies easily accessible to those who need to implement them?

  5. Update Frequency: How often are the policies reviewed and updated?

Rating Scale for Policy

  • Excellent (5): Complete, clear, highly relevant, easily accessible, and frequently updated.

  • Good (4): Missing minor elements but generally well-rounded.

  • Average (3): Adequate but may lack in one or more of the key aspects.

  • Poor (2): Incomplete or outdated; lacks clarity.

  • Very Poor (1): Ineffective, ambiguous, and not aligned with organizational goals.

Assurance: Metrics for Evaluation

Rating assurance involves assessing:

  1. Training Effectiveness: How well does training prepare employees?

  2. Resource Allocation: Are sufficient resources (time, money, personnel) allocated?

  3. Communication: How well are policies and updates communicated?

  4. Competency Levels: Are the people tasked with executing policies competent?

  5. Performance Monitoring: How is the assurance process itself evaluated?

Rating Scale for Assurance

  • Excellent (5): Robust training, ample resources, clear communication, high competency, and effective performance monitoring.

  • Good (4): Adequate in most areas but may have minor shortcomings.

  • Average (3): Fulfills basic requirements but has gaps.

  • Poor (2): Insufficient resources and training; poor communication.

  • Very Poor (1): Lack of training, resources, and communication leads to ineffective assurance.

Compliance: Criteria for Rating

To rate compliance, consider:

  1. Audit Frequency: How often are audits or inspections carried out?

  2. Report Quality: How comprehensive and actionable are the reports?

  3. Follow-through: Are action items from audits or inspections completed in a timely manner?

  4. Data Integrity: How reliable is the data used in compliance metrics?

  5. Feedback Implementation: How effectively is the feedback loop closed?

Rating Scale for Compliance

  • Excellent (5): Regular audits, high-quality reports, timely follow-through, reliable data, and effective feedback loop.

  • Good (4): Generally effective but may have one minor flaw.

  • Average (3): Adequate but has room for improvement.

  • Poor (2): Infrequent audits, poor report quality, or lack of follow-through.

  • Very Poor (1): Ineffective in all areas, creating a risk for the organization.


Rating the triad of Policy, Assurance, and Compliance provides a comprehensive view of your control system's effectiveness. Each element must be individually strong, as a poor rating in any can be the limiting factor for the entire system. Implementing a rating system offers a structured approach to identify areas of strength and weakness, enabling focused improvement.

By understanding and applying these metrics, organizations can significantly elevate their control effectiveness, driving not just compliance but excellence.


Download the SRMBOK Control Effectiveness Template from this link.

Recent Posts

See All


bottom of page