Author: Maverisk

Funny, isn’t it? Not only do we see lots of articles about OT popping up on our socials’ timelines, but also item for the management of data.
Quite similar. ‘OT’ being among other things debunked for not being but a sub-branch of T (as is ‘traditional’ ‘IT’) – indeed, which was first ..? Which was first qua security? Even when the former was neglected for decades since not being tied into any visible i.e. Internet work and suddenly is back now it (?) is. And methodologically, not being very different indeed though denying any difference gets you a bit off tack at all levels. So watch out and do everything that needs done. Not declare Done after doing ony the latest craze.

Now then, back to the Data thing.
Once we [?? Hi post 70s n00bs] had MIS. Ma-na-ge-ment In-for-ma-tion Sys-tems. Already then, the OT (sic) equivalent of control rooms at soap cart size i.e., dashboards, were devised. To fit the mental capabilities of Really Important neighbourhood bullies. Already then, too, there was deep thinking (e.g., in this absolute but all too often overlooked, ignored masterpiece, the greater the task uncertainty, the greater the amount of information that must be processed among decision makers during task execution in order to achieve a given level of performance. The basic effect of uncertainty is to limit the ability of the organization to preplan or to make decisions about activities in advance of their execution. etc.etc. – note the enormously profound solutions proposed as well). And already there was some comments … in this: MIS is a mirage as ‘managers’ are not able to formulate what information they need – how exactly isn’t that today’s problem.

Analysing this a bit (big-if you could call what I do that), after the Sixties (and their heydays the Seventies ..!) there was this big backlash in the Eighties, plateauing in the Nineties, and then just before another freedom wave by the Internet, 2001 / SOx came along and gave us 15 years more of bureaucratia-revenge, the fear of freedom or of humanity in totalitarian Ancien Regimes everywhere, making Ohne Eigenschaften yeah baby better study the original in all of its three parts ..!! look like a dallying romance novel. Only now, two decades into the 21st, do we see a little lighter horizon again of human freedom – possibly brought forth by the very ASI that may also lead to blue pillishness everywhere including Morpheus’ You have to understand, most of these people are not ready to be unplugged. And many of them are so inert, so hopelessly dependent on the system that they will fight to protect it.

No wonder we have all the managers that we have today. Though the picture is not that bleak; I do know some that transcend the above already a bit.

But since Freedom and Galbraith and easy control-by-dashboard [Note: a dashboard has no steering wheels(s) ..!! It’s informing you that you’re veering off road into a tree at best!] didn’t make it, somethings had to replace those or consultants of the ‘Boardroom advisor’ kind wouldn’t have much to talk about (and be shown to wear emperor’s clothes, and not have skin in the game, oximoronically).
In came data warehouses. [Hey, these were times that were slower, exponentially (sic) slower than Today]
And out they went; unmanageable, no-one being able to realise much value from them except a few ad industry players.
In came data hypercubes.
And out they went; unmanageable, no-one being able to realise much value from them except a few ad industry players.
In came BI, too.
And out it went; unmanageable, no-one being able to realise much value from them except a few ad industry players.
In came Big Data.
And out it went; unmanageable, no-one being able to realise much value from them except a few ad industry players.
<See how the cycle increases in speed?>
In came data lakes, for AI/ML-driven predictive analytics.
And out they went; unmanageable, no-one being able to realise much value from them except a few ad industry players. Suddenly also demonstrating the snag: predictive would’ve worked when times were slower and the world seemed somewhat stable, in pockets. Now, at the very exact time that the world changes so fast it’s hard to keep up let alone keep abreast, does ‘predictive’ enter the scene … Looks around, and find itself being stared at as a ghost from the past and being hopelessly too late, now completely out of place, needed at another stage somewhere anywhere else.

And still we have no Galbraithian solution to managers’ information/insights needs.
As the latter are still not regarded as such, fundamentally. Spelling further dark ages for ‘control’, as that would be over ever cleverer AI in stead of today’s humans that one (simpleton) can at least understand. If you think about machine control management, that would in itself be the first thing that can be standardised, then replaced by AI/machines – since it’s so standardised, that is feasible. Shop floor work would remain, the ‘intelligent’ processing of information over shop floor processes would be taken over by AGI/ASI.
Flipping today’s visions.
Or of course, both management and the shop floor are replaced by systems. Have we a way to design them? Given the above, we would not know too well how to. Or we should have done so already ..?? Hence, data-lake driven AI is a mirage. Still.

No escape. Except maybe with:

[A Fiat 500 parade; Lucca]

Once again, about how the legal approach to GDPR ‘compliance’ did not work quite as intended.
How long until this is rightfully concluded to be the wrong way per se for the subject ..? For any subject ..?

Yes, some branch of the Big 3½ (them again) had used a wrong grounds for processing, and was subsequently fined for this.
Probably, there had been a lot of discussion, with regulators (DPA). Maybe also about all sorts of other things where there wasn’t anything outright illegal but concrete blocks of bureaucracy were put in the path of effectiveness and efficiency.
But certainly (it seems ..?) the legal staff had overblown their understanding of the subject by:

• Over-eagerly beavering through all ‘requirements’;
• As if all of them were new, and needed to be taken worst-case. This, a legal bookworm specialty. Not understanding almost anything of the real world, overshooting with the wrong checkbox approaches;
• Thus misreading not only the GDPR articles, but the introductory notes as well;
• And forgetting to see that legal definitions may be very far off normal business. E.g., Article 30 Record of processing activities [dunce’ly translated in Dutch into a ‘register’ of the same, no less…] is all too often taken by legal beavers to mean some sort of separate ‘system’ of record. Whereas any decent [wanted to write ‘half-‘ but that’s not good enough anyway] IT architecture should include a data architecture and when you add a few columns with privacy-sensitivity et al. there is nothing more you’d need;
• Hence introducing all sorts of new ‘requirements’ that would have been part of any minimally normal business operations. E.g., ‘appropriate technical and organisational measures’ – you do NOT want to do that for ‘privacy’ alone or the measures are by definition not be appropriate. And any org worth their salt has all those appropriate stuff in place already. Yes, a great many organisations didn’t, don’t, but you see, there’s your biggest problem: the organisation has no clue, now only the ‘about privacy protection’ is added. Note that the article 32 involved, has pseudonymisation and encryption as a solution. Whereas all in infosec that take their trade serious, already knew about this counterfact only the EU legalites didn’t have sufficient clue about the subject they were legislating.
• Trying to slam all businesses with expensive and ineffective form-over-substance procedural justice tools. Shame on you, to try to sell to the innocent fearful – made so by your ab auctoritate shout-outs; that’s parasitic;

The result: Fines. For doing the wrong thing. Hopefully (sic) we’ll hear a lot more of these kind of cases and fines, to in the end subdue the legalites [yes comparable to Luddites], and leave information business to information business experienced staff again. Hopefully. Since a lot of regulator staff and executives (often, the higher one gets, the more airheadic ones one sees) belong to the previous category, hindering actual privacy.

OK for now. This:

[London Winter Wonderland, the same circus as your legal office (internal, external) ..?]

Hey that’s refreshing! A report that was only just saved from another round of archiving department directories.

By means of this report, we are reminded that 2019 is quite similar – UK English for ‘not a hair different from’ – 2009. Or 1999.
Or so. the latter, maybe a bit less, as then, even some auditors were all too busy with Y2k. But you get it – the rate of change seems to be unproportional (i.e., unmoving on the solution side) to the client expectation gap. The Client Supreme, being the general publick.

To get to the content, the advice; to Self and to others:

• Strengthen the clarity and relevance of corporate reportingto ensure the entire corporate reporting ‘ecosystem’ is as effective as possible.
• Enhance the reporting and auditing of a company’s internal controls by requiring an attestation, from directors, of the design and effectiveness of a company’s internal controls, and a corresponding attestation on internal control from the auditor for larger companies.
• Develop better engagement between the audit profession, company management, shareholders and other stakeholders, such as through a new annual assurance meeting or the introduction of an Assurance Map.
• Create a single, coherent piece of company reporting that provides more insight into the future prospects of the company—including the scenarios in which the business model could fail, giving stakeholders a clearer picture of the risks that could lead to failure so they can make informed decisions.
• Provide more insight about the material uncertainties facing a company by considering whether, market‑wide, auditors should include a key audit matter on going concern in public interest audit reports.
• Consider the need to provide assurance over other forms of risk for which stakeholders may be seeking independent assurance, potentially as part of an Assurance Map exercise.
• Reporting and assurance need to expand to cover critical performance measures that stakeholders use in their decision making, such as non‑GAAP financial performance measures.
• Provide additional assurance over the companies that need it, without expanding the statutory audit for all and potentially overburdening smaller businesses.
• Continue to develop and roll out new technologies to improve the effectiveness of audits, focusing on using technology to improve quality, efficiency and auditor insight.
• Increase investment in the training, technology and people required to conduct consistently high quality audits through a long‑term commitment by audit firms.
• Strengthen the culture of challenge in audit teams to ensure consistently effective scrutiny of companies.
• Continue to reflect on how auditors can better tackle the risk of fraud, including considering use of fraud diagnostic surveys and involvement of forensic specialists at the planning stage.

See ..?
The one thing that you may have found different, is the idea of the Assurance Map. Indeed, worthwhile to consider:

The statutory audit is just one way to provide assurance over the many financial risks facing a company. A way to make sure all sources of assurance over a company’s principal risks, whether financial or not, are considered would be to make it an explicit responsibility for the audit committee to determine the level and type of assurance needed by their company’s stakeholders and to present it to them and discuss it at the beginning of the reporting cycle. Creating this Assurance Map would prompt a constructive discussion at the top of the business about the needs of their stakeholders and make it possible to get assurance over the areas that are important to those stakeholders.

Tying in with the change in risk management that we see the first blossoming of. At last! A chance to obliterate the 3LoD farce! – Or change the way you do risk management in a serious way, at last I mean. Now with audit support.
If, if. If all the above points are taken seriously. Which might mean a lot of investment of Big3½ firms in e.g., education. At the expense of fees and billable hours.

Oh dear.

Nevertheless:

[When the rate of change you need is at the speed of brick & mortar; Raadhuis Hilversum as a prime Dudok
Guess the date (analog pic, car maufacturing dates)]

On how Edgyle Skrrum Deaf Obs squares off with ‘traditional’ methods.

How not everything’s well- or better-suited to ‘agile’ change methods. Since that is a solution, to a problem. Not just to whatever it finds in its way.
Like, this here treatise: silo-busting as the goal/means; correct.

When suddenly, I realised that there’s another way of looking at the divide. Remember the traditional waterfall model that turned into a V when one would add appropriate levels of testing, as in:

[Plucked off the ‘net I know not-nice ‘reuse’ right?]

Thre you have it: In the Old model, in the bottom there was (is!) Coding as one block. This used to be a very, very large block. Filled with hackers [original meaning ..!] that coded away like madmen (madwomen, not often) and kept the doors closed to outside scrutiny. That knew their way around version control, for their own benefit. But were, in moderntalk, rather nontransparent. Products, ditto. Yes, they did ‘unit’ tests on whatever chunks of code they themselves considered ‘units’. Proud if not too many Warnings were left [if you have no clue what a clean compile is; go to programming 101 summer school…], not bothering too much if otherwise.
After that, not much room (time) to test left, eh? Just see that something reasonably recognizable to the end users was demonstrable hey we got this deadline on our hands.
Resulting in lots of ill-documented (but content-wise sometimes brilliant) code and systems; does the term ‘legacy’ ring a bell ..? [Oh, you mean ‘technology debt’ – you must be from the ’00s .. qua birth or qua evolution into something proxying sentience.]

Now, with scrummy methods, that is the part most improved. I.e., I don’t want a customer journey I want a pound of potatoes. So, only the sprints should be different from the old design methods that, when somewhat efficiencised and effectivised, won’t have to be changed that much at the ‘higher’ levels. Breaking up the coding part (only; well, almost) into manageable chunks. To be able to manage the programmers, maybe even more than the programming.

But also, managing away the hacker excellence of yesterday. Turning all into a mush of mediocrity. Being ‘lead’ by Bill Lumbergh.
Second to which: Has audit access improved? Like, the big stick to keep all in check, and to check that all do actually implement all those controls best implemented deep down in technology or they’re so weak. Yes, some-exceptional-times security officers are allowed into the èdzjile offices but, as above (and below (the pic)), no-sprint-fitting infra stuff still is problematic. Security things, often are in that category. Now what?

Whatever? Just that rien n’a changé.

I also wanted to include a link to yet another masterpiece. Like this. There you go, you’re welcome.
Topping this, even, didn’t realise that was possible. And this, magnificent but already paling in comparison.

[See? There is ways in between as well. Ottawa]

Oh and an end kicker, the summary:

Agile and waterfall style approaches are not competing methodologies; they exist at opposite ends of the production lifecycle.

They are both usually necessary in a large organisation.

Try waterfalling a new product idea, or agiling mass production and you’ll get it.

— Jon Ayre (@EnterprisingA) February 12, 2019

Sire, there are no Belgians … Still, we (NL) are sorely beaten. Not in football, too much. But c’mon, this …!?

My French isn’t all that well anymore but still…

[To edit; Royal Belgian Navy]

Well, no. Not of the pyramids. We did that one yesterday / below.
Today’s a new day, hence we move the the case part, though in a similar fashion:
‘But the authors of a recent paper argue that Wallace Donham, the man credited with establishing the case method as a force at HBS in the 1920s, had evolving views of business education that have never been surfaced, and that contradict the sense that management lessons should be viewed through the narrow lens of the case study. … In the upheaval, he says, Donham saw the limits of the approach he had championed. Strangely, Donham’s apparent change of heart is not recognized in conventional histories of HBS and its iconic case method, … … The modern world had developed “a creed of competitive business morality,” he wrote. Values, he observed, were being “politely bowed to, and then handed over to the clergy to be kept for Sundays.’”‘

Oh well, yet again, read the full piece, and understand that we are on the brink of letting suchly trained, rewrite the world in AI systems. Including the morality bits [minute crumbs] – spelling the end of the above-mentioned Values. Alisdair, John and many, many others would turn in their graves [as far as they’re there already; TL;DR I didn’t check – sorry!]; if there is any hope for humanity [both dimensions], it’s in enslavement. Of the AI system(s), of course.

Quite a though swing, right? Happy for it. And:

[Be free to enjoy the view, if you can; DC]

… Like, not very much.
An architect does not give a hoot about how the foundation of a new office block looks — have a look at any underground office parking garage and see how much effort the starchitect put into that [exceptions noted]. Yes, functionality-wise it’s all good, mostly, but the architect that wants to design a Statement building, hardly will use all his (?) pastel sketch skills on the form of the piles driven into the ground, eh? As long as it’s functional bedrock to build Beauty on, in the eyes of the beholder [i.e., infatuated critic(s) not so much the general public sometimes] and of the architect’s bill, not much thought is given to foundations.

The same [we’re coming to the pointe of this post yes finally] goes for information security.
From a strategic perspective, operational risks are mundane things to be managed i.e., controlled, subdued, not sexy or attention-worthy (!); don’t bother me with the details. Get it fixed period
From an ORM perspective, the same goes down (sic) towards IRM/infosec: Don’t bother me with the details: Get it fixed semicolon cheaply. I don’t want to hear complaints how difficult it all is and how much budget you are short. You don’t need to do anything beautiful or clever, just pour concrete. I want to do whatever business frivolity I get into my head [rather: some ‘boardroom consultants’ hah the oxymoron even without the oxy, often, mess with / push into my head]. Why should I care for the foundation?

You get it now, I guess.
So:

[One lives on the inside but still, wants to have a nice look onto it from the outside, too, sometimes, no? A what about water-proofing your … floating in sometimes troubled waters? Amsterdam Omval area]

The Dutch Central Bank released a discussion paper on general principles. On AI in Finance. Here.
Oh my. What a great attempt it seemed. But by simply reading it, before studying, one finds … the usual suspect #fail’s.

Like, the decades-old big Error of non-orthagonality (Basel-II big-time #fail in Ops Risk, remember?). The principles have been grouped to backronym into Safest: Soundness, Accountability, Fairness, Ethics, Skills, Transparency. See? Already there, one can debate ad infinitum – and yes I suggest to those that want to take the DNB paper seriously to do so and leave the rest of the world to get on with it w/o being bothered by the ad … nauseam.

Soundness:
1) Ensure general compliance with regulatory obligations regarding AI applications.
2) Mitigate financial (and other relevant prudential) risks in the development and use of AI applications.
3) Pay special attention to the mitigation of model risk for material AI applications.
4) Safeguard and improve the quality of data used by AI applications.
5) Be in control of (the correct functioning of) procured and/or outsourced AI applications.
Nothing here that needs discussion as it’s all generic for decades. So, if you’d need to point this out, the suggestion is that this hadn’t been arranged for all the trillions of LoC now defining the finance industry [humans are just cogs in the machine that may turn a little screw on the production lines here and there, but preferably not too much since they have been known to be major #fail factor #1 by a huge margin]. Oh dear.
And, if there would be a reason to re-iterate now instead of always: What is different with AI systems ..?

Accountability:
6) Assign final accountability for AI applications and the management of associated risks clearly at the board of directors level.
7) Integrate accountability in the organisation’s risk management framework.
8) Operationalise accountability with regard to external stakeholders.
The same. But presuming the old 3LoD thinking still holds sway at the paper issuer’s, one might better first improve that into something above-zero relevant or effective.

Fairness:
9) Define and operationalise the concept of fairness in relation to your AI applications.
10) Review (the outcomes of) AI applications for unintentional bias.
Notice how thin the ice suddenly becomes when AI-specifics come into play… The “concept of fairness” you say ..? You mean, this pointer to inherent (sic) inconclusiveness ..? What, when the fairness to the shareholders prevails? Not much, eh? So this one leaves the finance corp.s off the hook for whatever society thinks. A superfluous principle, then, given today’s finance corp.s practices.
Unintentional bias? Good. Intentional bias is in, then. Same conclusion. The idea that a human in the loop would be any good, or have the slightest modicum of effectiveness (towards what??), has ben debunked already for such lengths that it seems the authors had missed the past thirty years of discussions re this.

Ethics:
11) Specify objectives, standards, and requirements in an ethical code, to guide the adoption and application of AI.
12) Align the (outcome of) AI applications with your organisation’s legal obligations, values and principles.
Hahahahaha !!! Ethics in finance …!!! Given the complete insult[1] of the “bankers’ oath” which would get an F- grade when proposed by any undergrad freshman, how can one truly believe an ethical code might be worth the paper / digits it’s written on/in ..!? Wouldn’t anyone proposing such a thing (in effect, the Board of the regulator that is personally accountable) be forced to step down by shown lack of competence?
And the alignment is easy, once one sees that “anything that’s not explicitly illegal” will be pursued to the values and principles of bonus maximisation through short-term profit maximisation. No, that is a fact, still. If you don’t see that, refer to the previous.

Skills:
13) Ensure that senior management has a suitable understanding of AI (in relation to their roles and responsibilities).
14) Train risk management and compliance personnel in AI.
15) Develop awareness and understanding of AI within your organisation.
Again, nothing new. Again, this hasn’t happened anywhere in the finance industry ever. In particular 13) … See 11)-12).

Transparency:
16) Be transparent about your policy and decisions regarding the adoption and use of AI internally.
17) Advance traceability and explainability of AI driven decisions and model outcomes.
Ah, finally, things get interesting. Note the aspirational explanation that is in the discussion paper. But this leaves all one would actually want to discuss, out here, unfilled of proposals or lines of thought.

Which is why the discussion paper is a 0.3 version at best. Almost all of it is a summary of how things should have been for decades [remember, banks were early adopters of ‘computers’] but apparently (and known from first-hand practice) weren’t and aren’t, with a minimal tail of actual discussion items. If this were meant to just launch the backronym, one should’ve used a one-pager.

Oh well. Plus this:

[Now that’s principle(d) design; Utrecht]

[1] As if anyone would need it – society runs on the implicit contrat social already for centuries and longer. If one needs a specific oath, something terribly specific would have to be the case, and specific implications as well. E.g., the military oath. I have pledged the officers’ oath already, and would be very severely insulted if the suggestion would be to have laid that aside like a coat upon leaving active service to the constitution.

When the economy is moving to platforms as the core structure, can we do e.g., AI / data analysis as a service, white labelling some stuff that all accountants will have to go through, to get State-of-the-Art to them ..?

This could go in all sorts of directions, but preferably in the one that has loosely (sic) coupled systems [in the small-scope sense, not the cybernetics sense], one or a couple for every stage of the audit process. E.g., for the Know-Your-Customer Deep Dive Stage (after the KYC before acquiring a client, and the acquiring) have some process analysis tools; for the risk analysis / audit planning have … [I don’t see too much in this plane yet qua tooling!]; for the data-oriented (all-data checking) have the Mindbridge’s et al. for the crunching. The latter pointing to a. having nothing qua overarching workflow management tools yet [No, not the standard workflow things; I mean auto/AI-gated stuff far beyond the triviality of ‘RPA‘ (UI Path and others) that is just handy but trivial automation; unsure whether this is a step ahead already], b. intricacies of learning / feedback loops year over year.

And then, all this should, could be white-labelled up in the Cloud somewhere (in the EU) of course; ease of maintenance and interfacing.

But heck, this is just dropping the idea, right?

[Drafted 22 May, so in the mean time there may have been some developments. Hope so.]

And:

[But for this, no cloud-based thing suffices, you must do a site visit to check on quality; Valle dell’Acate]

Have naming conventions already sprung up around home eavesdropping listening devices ..?
Since ‘Alexa’ and ‘Siri’ may be too boring.

Then I would want to call it Computer, since then I’d be able to all the time say ‘OK Computer’. Not even for this. But certainly for this, that one would get a lot when one would use its (‘her’? oh, this may be taken to expect ‘his’) ‘services’ too often / too broad-ly.

I’ll stop now. For the vrijmibo – Friday’s Afternoon Drinks.

What ..? Now already? Yes; one’s taste buds are best in the second half of the morning. Later, your taste will develop in correlation with the number of drinks you can remember to have had. Also, I checked where it is 17:00h now on this site and got confirmation.

And:

[Off-‘Broadway’ Rafael Masó i Valentí, Farinera Texidor, Carrer Santa Eugènia 15, Girona though officially at Passatge de la Farinera Teixidor, 4]