<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
		>
<channel>
	<title>Comments on: Assurance vs. Risk Management</title>
	<atom:link href="http://risktical.com/2012/08/29/assurance-vs-risk-management/feed/" rel="self" type="application/rss+xml" />
	<link>http://risktical.com/2012/08/29/assurance-vs-risk-management/</link>
	<description>Assessing, Articulating &#38; Quantifying Information Security Risk</description>
	<lastBuildDate>Wed, 12 Dec 2012 02:43:38 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
	<item>
		<title>By: Brian A. Engle</title>
		<link>http://risktical.com/2012/08/29/assurance-vs-risk-management/#comment-2400</link>
		<dc:creator><![CDATA[Brian A. Engle]]></dc:creator>
		<pubDate>Wed, 12 Dec 2012 02:43:38 +0000</pubDate>
		<guid isPermaLink="false">http://risktical.com/?p=421#comment-2400</guid>
		<description><![CDATA[Chris, 

You&#039;ve probably left this thought thread in the distant past by now. I&#039;m a bit behind on my reading and just visited your post. If I could reflect what your post brought to mind regarding assurance as a facet of risk management overall. Among the factors of risk evaluation is the consideration of controls reducing risks either through the reduction of impact, the frequency of occurrence or the probability that the negative outcome would occur. So in that regard, assurance of implemented controls helps determine on an ongoing basis how effective the controls are at providing their objective. But the assurance model is only a part of the process and needs to include the additional components of ongoing threat modeling and the monitoring of other factors such as business and opportunity costs as well as changes in the internal and external environments.  Risk management helps in the decision process that is required when control assurance detects less than 100% protection (constantly) and as other variables and factors cause the potential for loss to vary.  How much value provided by assurance is relative to the effectiveness of the assurance model itself.]]></description>
		<content:encoded><![CDATA[<p>Chris, </p>
<p>You&#8217;ve probably left this thought thread in the distant past by now. I&#8217;m a bit behind on my reading and just visited your post. If I could reflect what your post brought to mind regarding assurance as a facet of risk management overall. Among the factors of risk evaluation is the consideration of controls reducing risks either through the reduction of impact, the frequency of occurrence or the probability that the negative outcome would occur. So in that regard, assurance of implemented controls helps determine on an ongoing basis how effective the controls are at providing their objective. But the assurance model is only a part of the process and needs to include the additional components of ongoing threat modeling and the monitoring of other factors such as business and opportunity costs as well as changes in the internal and external environments.  Risk management helps in the decision process that is required when control assurance detects less than 100% protection (constantly) and as other variables and factors cause the potential for loss to vary.  How much value provided by assurance is relative to the effectiveness of the assurance model itself.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
