A focused course, tailored for you
Risk Heat Map to Board Implementation Programme
Build the control action plan that turns a risk matrix into delivery an audit committee can track.
Every risk workshop ends with a heat map. The red squares are agreed. The owners are nodding. Then the engagement stalls, because nobody has built the mechanism that converts the heat map into a live control programme the board can track quarter to quarter.
$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.
Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.
Why this course
The heat map is not the deliverable. It is the input. What the audit committee, the CFO, and the risk committee actually want is evidence that the high-priority risks have named owners, a control design, a testing schedule, and a reporting line back to the committee at each cycle. Building that mechanism requires artefacts most advisory engagements stop short of: a risk register structured for control ownership, a control testing plan with milestone dates, an assurance mapping document that connects the testing cycle to the board reporting calendar, and a standing committee pack that shows movement rather than restating the original heat map. Advisory teams that can deliver all four artefacts close more implementation mandates and carry stronger renewal rates than teams that stop at the assessment.
The 12 modules
Module 1. What the Audit Committee Actually Reads
Most risk reporting describes the risk environment rather than showing delivery progress. This module analyses what audit committee members and risk committee chairs are scanning for in a reporting pack: control owner accountability, testing completion rates, outstanding remediation items with due dates, and any escalation flags. Understanding the reader's frame before building the document changes every design decision that follows.
Module 2. From Heat Map to Risk Register: The Structural Jump
A heat map is a prioritisation tool. A risk register is an accountability document. This module covers the structural differences: how to convert a risk-level assessment into register entries that carry control owner names, inherent versus residual risk ratings, control design descriptions, and testing status fields. Worked examples show a five-risk subset converted from a typical workshop heat map into a register suitable for board-level review.
Module 3. Assigning Control Ownership Without It Becoming a Political Exercise
Control ownership allocation is where implementation stalls most often. This module covers the assignment methodology: mapping risk categories to functional owners rather than generic business units, handling shared-ownership risks where two functions both contribute to control, documenting the escalation path when a control owner disputes the assignment, and getting the final ownership matrix signed off before the control design phase begins.
Module 4. Control Design: What Counts as Evidence
A control only exists if it produces evidence an auditor can test. This module covers the three evidence categories auditors rely on (documented policy, operational log, approval record), how to design controls that generate each type, and how to avoid the common design gap where a control is described in the register but produces no testable artefact. Includes a control design template used across governance, financial reporting, and regulatory compliance contexts.
Module 5. Building the Control Testing Plan
The control testing plan is the bridge between design and assurance. This module covers the testing plan structure: control reference, testing owner, testing frequency (continuous, periodic, point-in-time), sample size methodology for periodic controls, and the documentation standard for recording test results. Particular attention is given to aligning testing milestones with the client's reporting calendar so that committee reporting always reflects current testing status rather than trailing by a quarter.
Module 6. Regulatory-Specific Testing Requirements for Australian Entities
Australian entities operating under APRA CPS 234, ASIC reporting obligations, ASX corporate governance principles, or the Privacy Act face testing requirements that differ from generic internal control frameworks. This module maps those regulatory testing expectations to the control testing plan structure, identifies which controls regulators typically sample-test versus continuously monitor, and covers how to document testing outcomes in a format that supports regulatory examination as well as internal committee review.
Module 7. The Assurance Calendar: Mapping Testing to Reporting Dates
A testing plan without a calendar is a list of intentions. This module covers the assurance calendar design: starting from the board and audit committee reporting dates and working backwards to set testing windows, completion deadlines, and the escalation trigger for any control where testing will not complete in time. The calendar becomes the operational backbone of the implementation programme and the primary artefact the engagement uses to hold control owners accountable between reporting cycles.
Module 8. The Standing Committee Pack Structure
The standing committee pack replaces the one-off risk assessment as the primary reporting artefact once implementation is underway. This module covers the pack's five components: risk register summary showing current residual ratings, control testing status dashboard, outstanding remediation tracker, escalation items requiring committee decision, and the forward calendar of next testing milestones. Designed to be updated by the implementation team and read in under ten minutes by a committee chair.
Module 9. Escalation and Remediation Tracking
Not every control passes testing on the first cycle. This module covers the remediation tracking artefact: documenting the gap identified during testing, recording the remediation action agreed with the control owner, setting a due date, and tracking through to re-test completion. Also covers the escalation protocol when remediation is overdue, including how to present an overdue item to the audit committee without undermining the control owner relationship the advisory team has built.
Module 10. Presenting Progress to the Board: Language and Framing
Board members and audit committee chairs respond to specific, quantified progress statements rather than qualitative assessments. This module covers the language and framing choices that read as credible delivery reporting: using completion percentages rather than status labels, naming the specific control owner responsible for any outstanding item, and structuring the committee narrative so that escalation items are clearly separated from items tracking to plan. Includes before-and-after rewrites of actual committee reporting sections.
Module 11. Common Breakdown Points and Structural Fixes
The two most frequent breakdown points in heat-map-to-delivery transitions are control owner disengagement after the initial assignment and testing milestone slippage when business pressure competes with assurance commitments. This module covers the structural interventions for each: the ownership confirmation checkpoint built into the implementation timeline, the testing milestone escalation protocol triggered before slippage becomes a reporting problem, and the re-scoping conversation structure when the client's capacity to implement exceeds the original plan.
Module 12. Building a Repeatable Delivery Methodology for the Engagement Book
The artefacts built across the previous eleven modules form a repeatable methodology, not a one-client exercise. This module covers how to package it for the engagement book: the master template set, the calibration process for adjusting the risk register and assurance calendar to different regulatory environments, and the quality review protocol for a second Partner to verify a programme is tracking correctly before it reaches committee reporting.
How this addresses your situation
Specific modules that map to what you said you are dealing with.
You are in the room when the client's CEO says the board wants a delivery update at next quarter's audit committee. The heat map exists. The action plan does not. Modules 1-3 get you from that moment to a structured risk register with named owners by end of week.
Testing is underway but milestones are slipping and you need to brief the audit committee in three weeks. Modules 5-7 give you the assurance calendar and the escalation protocol before the next reporting date.
The committee pack you sent last quarter described risk. The chair asked why there is no progress section. Modules 8 and 10 give you the standing pack structure and the board-facing language that answers that question.
A control owner has not completed remediation and the re-test is overdue. Module 9 gives you the tracking artefact and the escalation framing that keeps the relationship intact while getting the item resolved.
Who it is for
Practitioners running risk and assurance engagements where the advisory phase has concluded and the client is moving into implementation. Typically a Partner or Senior Manager responsible for a client book that spans governance, risk, compliance, or internal audit mandates. You are accountable for delivery quality and for maintaining client relationships through the harder implementation cycles, not just the diagnostic workshops.
Who this is NOT for. Junior associates building their first risk frameworks under supervision. Teams focused exclusively on the heat-map diagnostic phase with no mandate to support implementation. Organisations where the board reporting function is owned entirely by an internal team with no advisory involvement.
How it arrives
Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.
Time investment. Approximately 6-8 hours across the fourteen modules, structured for working practitioners who complete modules between client commitments. Templates are ready to use immediately; no configuration required.
FAQ
Is this built for a specific regulatory environment or sector?
Module 6 covers Australian regulatory contexts specifically (APRA CPS 234, ASIC obligations, ASX corporate governance, Privacy Act). The remaining modules apply across sectors. The implementation playbook is tailored to your specific engagement environment.
What is the implementation playbook and how is it different from the course templates?
The course templates are master documents you adapt. The implementation playbook is hand-built by Gerard Blokdijk for your specific context after purchase: calibrated to your client's sector, regulatory environment, and committee reporting structure. It arrives alongside your course access within 24 hours.
Can this be used across multiple client engagements?
Yes. Module 12 covers how to document the methodology as a repeatable practice and calibrate the template set for different regulatory environments. All materials are yours to keep and adapt.