
The Operating Model Test: Five Questions for Your GRC Program

You can't tell whether your GRC program is operating or just documented without asking specific, falsifiable questions on any random Tuesday.

Kyudo Editorial | May 20, 2026 | 7 min read

Pick a random Tuesday at 2:30 PM. Not during audit prep. Not during a board meeting cycle. Not after a security incident triggered a review. Just a regular, unremarkable Tuesday.

Walk to your compliance lead's desk (or ping them on Slack) and ask five questions. The answers, and more importantly how long the answers take, will tell you whether your GRC program is operating or merely documented. Most programs fail by question two. Not because the information doesn't exist somewhere, but because retrieving it requires a meeting, a spreadsheet lookup, or a sentence that starts with "I'd need to check."

If your governance program can't answer basic operational questions on demand, it isn't an operating program. It's a documentation library with an annual activation ritual.

Why falsifiable questions matter

GRC programs love unfalsifiable claims. "We maintain a strong security posture." "Our controls are effective." "We're committed to continuous compliance." These statements can't be proven wrong because they don't make specific, measurable assertions.

Falsifiable questions are different. They have a number attached. They can be answered or they can't. The answer is either current or it's stale. There's no hedging. Either you know your control maturity score right now, or you don't.

NIST CSF 2.0 made this explicit with the new "Govern" function. GV.OC-03 requires that legal and regulatory requirements are "understood and managed." Not documented. Managed. Managing means you can report on them at any point, not just when someone asks you to compile a report.

ISO 27001:2022 Clause 9.1 requires organizations to "evaluate the information security performance and the effectiveness of the ISMS." If evaluation requires a two-week data collection exercise, you're not monitoring. You're reconstructing.

The five questions below test whether your program has crossed from documentation into operation.

The five questions

Question 1: What's our current control maturity score?

Not "what was our score at last audit." Not "what does the dashboard say based on data from Q1." What is the score right now, reflecting current evidence freshness, operational cadence, and framework coverage?

What a passing answer sounds like: "Our aggregate CMCAE score is 74.2. We have 6 controls below the Level 3 threshold, down from 9 last month. The main drag is three Azure Policy controls where evidence collection broke during last week's tenant migration, and we're remediating today."

What a failing answer sounds like: "I'd need to pull that together. Give me a day or two." Or worse: "Our last assessment showed 89% compliant." (When was that assessment? Three months ago? That number is fiction now.)

Why it matters: A current maturity score is the single best indicator of operational health. If it exists and is current, the underlying machinery must be running. If it's stale or absent, nothing downstream can be trusted.

Question 2: How many controls have evidence older than 30 days?

This question kills most programs. It requires knowing two things simultaneously: what evidence exists for each control, and when that evidence was last refreshed.

What a passing answer sounds like: "Twelve out of 87 in-scope controls have evidence older than 30 days. Eight are in the Vendor Risk Management category where we're waiting on Q2 SOC 2 reports from three subprocessors. Four are endpoint controls where the Defender XDR integration paused during a license change. Both are tracked and have remediation dates."

What a failing answer sounds like: "We'd need to check each control's evidence folder." Or: "Our evidence is current, we collected it for the last audit." (That was four months ago. It's not current.)

Why it matters: Evidence freshness is the operational heartbeat of a compliance program. Stale evidence means one of three things: the control stopped operating, the evidence pipeline broke, or nobody is monitoring freshness. All three are invisible without continuous tracking.

Question 3: Which frameworks have coverage below 80%?

This requires knowing, for every framework you're attesting to, what percentage of required controls are implemented and evidenced at an acceptable maturity level.

What a passing answer sounds like: "All five in-scope frameworks are above 80%. ISO 27001 at 94%, SOC 2 at 91%, CMMC Level 2 at 83%, PCI DSS at 88%, NIST CSF at 86%. CMMC is lowest because we added 12 new CUI-handling controls last month and three still lack production evidence."

What a failing answer sounds like: "We're compliant with all our frameworks." (Compliant means you passed the last audit. Coverage means controls are operating right now.) Or: "I'd need to run a gap analysis." (If it requires running, it isn't being monitored.)

Why it matters: Framework coverage below 80% is a leading indicator of audit risk. Discovering this during audit prep leaves insufficient time for remediation. Discovering it on a random Tuesday gives you months to fix it.

Question 4: What are our top 5 risk items by residual score?

This tests whether the Risk Registry is a living system or a document that gets updated before board meetings.

What a passing answer sounds like: "Top five by residual: 1) Third-party AI model dependency, residual 7.8, subprocessor hasn't completed their AI governance assessment. 2) Legacy authentication on billing, residual 7.2, migration scheduled for next sprint. 3) Insider threat on CUI repositories, residual 6.9, DLP policies deploying this quarter. 4) Cloud misconfiguration drift, residual 6.4, down from 8.1 last month via Azure Policy enforcement. 5) Ransomware recovery gap for ERP, residual 6.1, backup testing next week."

What a failing answer sounds like: "Let me pull up the risk register." (Followed by opening a spreadsheet last updated before the last board meeting.) Or: "Our top risks are outlined in the annual risk assessment." (Annual means stale.)

Why it matters: If the CISO can't name top risks from memory (or pull them instantly from a live system), the risk program isn't informing operational decisions. It's a compliance artifact, not a management tool.

Question 5: When was our last policy review completed?

Simple question. Specific answer required: a date, which policies were reviewed, and what changed.

What a passing answer sounds like: "Last completed review cycle was April 14. We reviewed Acceptable Use, Data Classification, and Incident Response. The IR Plan got a substantive update: added an AI incident classification tier, revised escalation from 4 hours to 2 hours for critical AI-system failures. Next cycle starts May 28."

What a failing answer sounds like: "Policies are reviewed annually." (When, specifically?) Or: "I'll check with the policy owner." (If the compliance lead doesn't know without checking, the review process isn't integrated into operating rhythm.)

Why it matters: Policy review cadence is a control itself (mapped to SOC 2 CC1.4, ISO 27001 A.5.1, NIST 800-53 PM-1). If the compliance lead can't answer when it last happened, that control is below Level 3. If the policy control itself is immature, the entire policy framework is suspect.

Scoring your answers

Questions answered instantly | Program status         | Implication
5 of 5                       | Operating              | Audit readiness is continuous. Board reporting is real-time.
3-4 of 5                     | Partially operating    | Some systems are live, some are dormant. Inconsistent readiness.
1-2 of 5                     | Documented but dormant | The program activates periodically. Audit prep will always be a sprint.
0 of 5                       | Project-based          | No operating model exists. Compliance is an event, not a function.

Most organizations land at 1-2. They can answer the policy review question (because someone remembers the last review meeting) and maybe the risk question (because the CISO presented to the board recently). But evidence freshness and framework coverage require live systems that most programs don't have running between audits.

How Kyudo makes these questions trivial

Each of the five questions maps directly to a module that produces the answer in real time:

Question 1 (maturity score): The CMCAE engine calculates maturity scores continuously. The Controls Hub displays the aggregate and per-control scores. The number exists at all times because the scoring algorithm runs on evidence freshness signals, not on human-triggered assessments.

Question 2 (evidence freshness): The Evidence Hub tracks collection dates for every artifact and applies freshness scoring (fresh < 7 days, aging 8-30 days, stale > 30 days). A single filter shows controls with stale evidence. The count is always current because the freshness clock runs continuously.

Question 3 (framework coverage): The STRM Engine maps controls across frameworks using set-theoretic relationships. The Compliance Graph knows which controls satisfy which framework requirements and what maturity level each has achieved. Coverage percentage per framework is a computed value, not a manually maintained metric.

Question 4 (top risks): The Risk Registry maintains inherent and residual scores that update based on control effectiveness changes, new threat intelligence, and environmental shifts. Top-5 by residual is a sorted query, available instantly.

Question 5 (policy reviews): PolicyPilot tracks review cycles, completion dates, change histories, and upcoming scheduled reviews. The last completed review date is metadata on every policy object, not a memory that lives in someone's head.

The pattern across all five: the answer exists as computed system state, not as human-assembled reports. The data is live because the systems that produce it run continuously.
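To make "computed system state" concrete, here is an added Python example (not Kyudo's code, and not how its modules are implemented) that answers Questions 2, 3 and 4 from a small in-memory dataset using the thresholds the article states; the control and risk records are constructed, and the handling of evidence exactly 7 days old is an assumption.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data; thresholds (7/30-day bands, Level 3, 80%, top 5) are the article's.
TODAY = date(2026, 5, 19)  # the "random Tuesday" the questions are asked on

@dataclass
class Control:
    cid: str
    frameworks: tuple    # frameworks this control is mapped to
    maturity: int        # maturity level, 0-5
    evidence_date: date  # when evidence for it was last collected

CONTROLS = [
    Control("AC-1", ("ISO27001", "SOC2"), 4, date(2026, 5, 15)),
    Control("AC-2", ("ISO27001", "SOC2", "CMMC"), 3, date(2026, 5, 1)),
    Control("VRM-1", ("SOC2",), 2, date(2026, 3, 30)),
    Control("VRM-2", ("SOC2",), 3, date(2026, 4, 1)),
    Control("EP-1", ("ISO27001", "CMMC"), 3, date(2026, 4, 25)),
    Control("EP-2", ("CMMC",), 1, date(2026, 5, 18)),
]
# (name, residual score) pairs, constructed from the article's example answer plus one extra
RISKS = [("Third-party AI model dependency", 7.8), ("Legacy authentication on billing", 7.2),
         ("Insider threat on CUI repositories", 6.9), ("Cloud misconfiguration drift", 6.4),
         ("Ransomware recovery gap for ERP", 6.1), ("Phishing susceptibility", 5.5)]

def freshness(c, today=TODAY):
    """Q2 bands: fresh < 7 days, aging 8-30, stale > 30. Exactly 7 days is not
    covered by the article's bands; it is counted as aging here (assumption)."""
    age = (today - c.evidence_date).days
    return "fresh" if age < 7 else "aging" if age <= 30 else "stale"

def stale_count(controls=CONTROLS, today=TODAY):
    return sum(1 for c in controls if freshness(c, today) == "stale")

def coverage(controls=CONTROLS, min_level=3):
    """Q3: per framework, % of mapped controls at Level 3+ with non-stale evidence."""
    pct = {}
    for fw in {f for c in controls for f in c.frameworks}:
        mapped = [c for c in controls if fw in c.frameworks]
        ok = [c for c in mapped if c.maturity >= min_level and freshness(c) != "stale"]
        pct[fw] = round(100 * len(ok) / len(mapped), 1)
    return pct

def frameworks_below(threshold=80.0):
    return sorted(fw for fw, p in coverage().items() if p < threshold)

def top_risks(risks=RISKS, n=5):
    """Q4: top-n by residual is just a sorted query over the register."""
    return [name for name, _ in sorted(risks, key=lambda r: r[1], reverse=True)[:n]]
```

Because every answer is a function over live records rather than a compiled report, each of these calls returns the current value the moment it is asked.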

"We answer these questions fine during audit prep."

Yes. During audit prep, when three analysts have spent six weeks compiling data, you can answer all five. The issue isn't whether the answers exist somewhere. It's whether they exist right now, on a random Tuesday, without mobilizing a team.

The difference between "we can answer this after a sprint" and "we can answer this right now" is the difference between a documented program and an operating program. As explored in Readiness Is Not a Sprint, It's a Posture, the sprint model creates a false sense of readiness that collapses under time pressure.

Auditors know this. When they ask for evidence from month three of a 12-month observation period, they're testing whether the program was operating in month three or only activated in month ten. Board members are starting to know it too. A board that asks "what's our current compliance posture?" and gets "we'll have that in two weeks" understands that "current" means nothing if it requires a project to determine.

The Tuesday test: your action checklist

1. Run the test this Tuesday. Don't prepare. Don't warn your team. Ask the five questions. Time how long each answer takes. This is your baseline.

2. Identify the gaps. Which questions couldn't be answered instantly? Those are your operating model gaps, each representing a system dormant between audit cycles.

3. Pick one question to fix first. Start with Question 2 (evidence freshness) because it enables Question 1 (maturity scoring). You can't score maturity without knowing evidence state.

4. Set the 30-day retest. Run the test again in 30 days. Can your team answer that question instantly? If yes, move to the next gap. If no, the implementation isn't producing real-time state.

5. Make it a recurring ritual. The five questions aren't a one-time diagnostic. Run them on a random day each month. Track whether your instant-answer count increases. That trajectory is your operating model maturity trajectory.

Try the AI risk assessment to see how Kyudo answers all five questions for your control set in real time. Bring your framework list, your control inventory, and your risk register. We'll show you what operating (vs. documented) looks like against your actual program.

Next step

Try the AI risk assessment
