Reading heat maps: this is how you do it

Yesterday's post was about what is not wrong with risk heat maps. Apparently a clear piece: it got many hits and Likes. However, it turned out that some people actually opened the post and even browsed around in it. Judging by the reactions, the post was evidently not yet entirely clear. The underlying mathematics and logic got too little attention, so some still doubted whether heat maps really do give deeper management insights.

We try to remove that doubt below. In the same style as yesterday, in translation of David Vose's piece.

History

Probability theory was developed hundreds of years ago in Europe by people such as Cardano, Fermat, Pascal, Huygens, Laplace and Bernoulli. Even then there was serious money to be made with it, so yes, a Dutchman took part as well. Those scientists used difficult equations and graphs. In the centuries that followed it remained theory, and the ideas have changed little. And we don't like stagnation.
Many years ago, probability theory was an important element of risk management. By which we mean that probability theory, and therefore risk management, had its roots in mathematics and not just in common sense, and so both were unusable for real people working in the hard practice of the real world. Since then, however, enormous progress has been made. Software developers understood that risk management has something to do with the real world after all, so they developed ERM software in which equations and graphs are completely replaced by smiley scores and colours. This was a revolution in risk management; now risk management was available to everyone who didn't understand maths at school. So, for almost everyone.

There's nothing wrong with risk heat maps ...

Translated from David Vose's blog posts, with permission:
A few words up front so you don't get a shock ...:
This article uses irony. Just about every idea put forward here is complete and utter nonsense. That can be confronting, because what is written here is a more or less exact record of what people actually do.
There are some subtle references in it to Vose's Pelican, an ERM system that does not have the limitations mentioned. Worth a look.
Enjoy, and remember not to agree with all of it too strongly...

In recent years 'heat maps', a popular and important tool for managing risks in projects and in organisations as a whole, have come under fire, being called at best 'misleading' and at worst 'completely useless' by the leading thinkers on risk management. This article gives an objective assessment of their accusations.

What is a risk?

As we all know: a risk is an event that may or may not occur and, if it occurs, has an undesirable effect. It therefore has two dimensions:

  1. The chance that it happens
  2. The size of the effect if it happens

Mathematicians, statisticians, engineers and scientists have a special term for the chance that something happens: probability. But that only applies to risks that can occur just once. For risks that can occur several times (the vast majority of risks) they use the term expected frequency. This is confusing. To keep the mathematics and statistics simple and usable enough for real people, from here on we will just talk about chance and assume that risks can happen only once.
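As an added worked illustration, not from the original post or from David Vose's article, of what that last simplification throws away: the block below takes a few constructed risks (names, frequencies, impacts and the five-by-five bin thresholds are all invented for this example), converts each expected frequency into the probability of at least one occurrence per year (assuming a Poisson process, which is this example's assumption, not the text's), computes the expected annual loss, places each risk in a heat map cell, and then ranks the risks both by heat map score and by expected loss.

```python
"""Added illustration, not part of the original post or of David Vose's article.

It contrasts the 'expected frequency' of a recurring risk with the one-off
'probability' the text decides to use instead, and shows what a 5x5 heat map
does to the ranking. All risks, frequencies, impacts and bin thresholds below
are constructed for this example; the Poisson assumption is this example's.
"""
import math

# Bin edges for the ordinal 1..5 scales; chosen for illustration only.
LIKELIHOOD_THRESHOLDS = (0.05, 0.20, 0.50, 0.80)              # probability per year
IMPACT_THRESHOLDS = (10_000, 100_000, 1_000_000, 10_000_000)  # loss per event

# Constructed risks: name -> (expected events per year, loss per event).
RISKS = {
    "A: ransomware on a file server": (0.5, 200_000),
    "B: phished user account": (12.0, 5_000),
    "C: breach of the customer database": (0.02, 20_000_000),
}


def prob_at_least_one(expected_frequency: float) -> float:
    """Probability that a recurring risk occurs at least once per period.

    Assumes occurrences follow a Poisson process with the given expected
    frequency (an assumption of this example). A frequency of 12 per year is
    a perfectly good number; a 'probability' of 12 is not.
    """
    return 1.0 - math.exp(-expected_frequency)


def expected_loss(expected_frequency: float, impact: float) -> float:
    """Expected loss per period: events expected per period times loss per event."""
    return expected_frequency * impact


def bin_index(value: float, thresholds) -> int:
    """Ordinal bin 1..len(thresholds)+1: the first bin whose upper edge exceeds value."""
    for i, edge in enumerate(thresholds, start=1):
        if value < edge:
            return i
    return len(thresholds) + 1


def heat_map_cell(expected_frequency: float, impact: float):
    """(likelihood bin, impact bin, score) as a typical heat map would plot it."""
    likelihood_bin = bin_index(prob_at_least_one(expected_frequency), LIKELIHOOD_THRESHOLDS)
    impact_bin = bin_index(impact, IMPACT_THRESHOLDS)
    return likelihood_bin, impact_bin, likelihood_bin * impact_bin


def rank_by_heat_map(risks):
    """Risk names ordered by heat map score, highest first (ties keep input order)."""
    return sorted(risks, key=lambda name: -heat_map_cell(*risks[name])[2])


def rank_by_expected_loss(risks):
    """Risk names ordered by expected annual loss, highest first."""
    return sorted(risks, key=lambda name: -expected_loss(*risks[name]))


if __name__ == "__main__":
    for name, (freq, impact) in RISKS.items():
        lik, imp, score = heat_map_cell(freq, impact)
        print(f"{name}: {freq}/yr, p(>=1)={prob_at_least_one(freq):.3f}, "
              f"expected loss={expected_loss(freq, impact):,.0f}, "
              f"cell=({lik},{imp}) score={score}")
    print("heat map says:     ", rank_by_heat_map(RISKS))
    print("expected loss says:", rank_by_expected_loss(RISKS))
```

With these constructed numbers, risk A lands in cell (3,3) with score 9 and tops the heat map, while B and C both score 5 even though C's expected annual loss (400,000) is almost seven times B's (60,000) and four times A's (100,000). Ranked by expected loss the order is C, A, B. Note also that B's frequency of 12 per year only fits the likelihood axis at all after the Poisson conversion; read as a 'probability' it is meaningless, which is the point the paragraph above quietly steps around.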

Spelling.

Came across an important piece of work recently on business administration (for all sorts of organisations, not just businesses). Of the sort that clarifies and enhances our understanding of the world around us, so we can act in it with more distinction, in a manner befitting our self-perception of Being On Top Of It.

But alas. Once one has learned [understood and burnt into memory] the list of definitions and differences that I was talking about, one sees the impossibility to avoid being implicated. Though one can still maintain the illusion of only seeing all situations described [I mean all, not every] in just about any practice and not be a part of them – an illusion it is, certainly for the/those colleagues you know. I for certain have such high EQ that I see mostly you, not me, when assessing an environment, you understand ..?

No really. I just read (in the one-before-last full paragraph of the linked) that what I used as can’t-do-without audit interview technique for decades [literally] already, actually is the pre-mortem as dubbed by a Great One.
Nice.

And:

[Your organisation. All the time. Winter Wonderland London.]

Your CEO wants concrete examples …

What happens when your CEO wants concrete examples of a risk you mention:

  1. He’s (less often, she’s!) the “don’t bring me problems, bring me solutions” kind of guy. Run. He doesn’t even understand his own role as the chief Leader. Just signing off on the preferred solution is for a middle, rather middling, manager [pejorative use; though I certainly don’t endorse that use, excepting exceptions] – don’t even bother trying to get the discussion going where you want it / where any sane person would require it to be; incompetence to think in abstractions oneself is what we have here. Whereas the solution, when it has to come from the ‘shop floor’ (relative! to the Board floor), it demonstrates the worst Peter Principle at work. Actually worse; the inverse i.e. those at the top have floated up by lack of weight the fastest, most ..!
  2. He needs Gängelwagen [1] – conclusion: the same;
  3. An ‘inversion of wits’ is what true Leaders demonstrate. Here, the surrounding themselves with people far smarter (obviously) may very, very well be the case but then not letting them have their way ..!? Second-guessing them ..!?
  4. Hence [I'm using the numbered list style without purpose; you should know me to do such things by now] actually, one only has proper management-sometimes-ridiculously-called-governance, when communications any level up the organisation see higher levels of abstraction being commonplace/the rule. Including sanity checks along the way, of course, if that weren't obvious as well.
  5. Also, promote based on competence in thinking in abstractions, all the way up. The sheeple that come out of business schools with big-mouth blabber about how they understand and the rest not, may be relegated to literal-shop floor work. Such an increase in the quality of management!

Points 4 and 5 then, are hallmarks of Leaders. The other points, were already qualified. Did the above sound like frustration? Rightfully, yes; decades of it.

Never mind; and:

[Walls as thick as their skulls; Cordoba across the river]

[1] “So sind Beispiele der Gängelwagen der Urtheilskraft, welchen derjenige, dem es am natürlichen Talent derselben mangelt, niemals entbehren kann. (Kant, Kritik der reinen Vernunft 187 A 134, B 173-4)” [Note: the translation to ‘go-kart’ isn’t what Kant meant (read the original ..!!), ‘walker’ is the word you should use!]

Even leaders manage

Lately, there has been a slight resurge of the Leaders vs. Managers ‘debate’ [since I’m unsure it’s a debate as much as it is manager-bashing and oh the ideal is to be a Leader; later on that below], including some detail issues like language.

Contra this, first this, and then this. Plus this, and this.
( Contra that, many [of my own, and elsewhere]. )

Point being: The last This, is it. It is, since it shows that focusing on the ‘control’ element in ‘span of control’, doesn’t do much good; doesn’t help.

Leaders may be ‘above’ the fray, but they are still leading an army OR they’ll not achieve too much.
Yes, they may form the vanguard; yes, they may dwell in strategy – true leaders see that they also need to meddle in execution i.e., management and control or perish. Control, to manage the managers, and the managed messes.
Yes, the others, the not Our Kind Of People [think twice ..!!] are left to do the rear guard stuff ..? Or even the baggage train of all overhead of support functions, all of ‘GRC’ being a very, very prominent part in that. Your Head of IA is Mutter Courage, for example. With aside notes, of course.
Yes, the latter drags down. But also, the latter need to do risk management all the way, indeed. Freeing you the great Leader of the need to do that. Oh no, you only have to deal with visionary excellence – if and only if the Others do the chores of RM (being M) properly. But they don’t. And a leader that doesn’t check (s)he’s followed, will soon find himself alone, so very alone. Like these references among many others at the site of origin…

Case in point: Von Moltke the Elder’s remark re strategic plans. You go Leading in happyland; the rest of us will have to deal with the truth.

So, ‘control’ is not a dirty word. Even leaders ‘need’ to do it – true Leaders know they not only have to but see it is a major part of leading. No b-

Whatev’; and:

[Now there’s one; DC]

The GDPR aftermath; your compliance from 00 to 0000

Following up on the earlier post on how GDPR is Y2k’s legal party sibling (as here and here), an evaluation – mid-term, mostly, re your compliance…:

  1. You shouted loud enough. Right. That’s the Y2k escape claim in full force and colours. And untrue. The skies haven’t fallen in like they would have with the renewal of the millennium we live in, but a. things did go wrong, back then, and b. this time, non-compliance isn’t that obvious so your claim may fail, as shown in the next option:
  2. There’s all sorts of under water non-compliance and you just haven’t been found out …yet. This is the dangerous one, where most of you will be…;
  3. You actually are compliant and need not worry at all about possible audits, fines, etc. – that would be miraculous ..! Certainly since this.

So, all of you: Option 2 it is. ‘tMay now seem to just have been yet another law flying by to become and stay compliant with, but … are the professionals who do truly care the only ones that care somewhat, still ..?
Unfortunately, ‘privacy as a competitive differentiator’ hasn’t caught on. New-style-awareness hasn’t caught on.

Skinny Tipping

You may have read that wrong. If so, that was my intention.

Skinny Tipping is about how tipping, e.g. in restaurants, is a balance thing. Certainly not to be overdone, like here. Nor Pittsburgh blue but maybe closer to it. Yes, acknowledged, some Yanks err on the wrong side. Most ‘tourists’ err on the other wrong side, leaving only round-off change – next time, do please stay home if you think you can afford the (cattle class / cattle airliner) ticket but not proper behaviour … not defined by what you think that would be, but by how it is defined where you find yourself. Fish out of the water? Don’t get out of the water, then. Bye. Don’t want to understand you, when you aren’t a proper guest. Good riddance.

The thing is, Skinny Tipping also goes for your (organisation’s) infosec. That should be done properly, but not a. close-to-zero, certainly not; b. ridiculous-spendwise, on the wrong things. Come to think of it, this also goes for organisation growth, also in the private sector (which by the way is a stupid name; let’s revert to ‘for-profit’, that’s much clearer): why oh why must you grow into infinity where a. either you know it can’t continue indefinitely or you’re a stool; b. that is in no way the purpose of your organisation nor of your existence.
Apart from the core basic full last penny’s worth of infosec you’re delivering already, right? The whole shazam, tit-for-tat [uh, no.], no holds barred. Not like this, au contraire my friend fully modern i.e. complete but leanymeany including this sort of sober wizardry but there’s more of course of this stuff to do.

But Skinny Tipping it is; sustainably doing a bit more than was strictly required; not by so slim a margin that no-one notices or feels unhappy/unsatisfied, nor by such an overshoot that anything later, or in parallel, the other ones feel undersold about and you can’t keep that up anyway.
And that is how it’s done, in infosec. True infosec, measured-bit-more than bang for the buck.

I’ll go party now. Because when you read this, it’s <something>:05 or :15, :25, :35, :45, :55 or close enough so the weekend has started.
Plus:

[I wouldn’t attempt skinny ‘tipping’ here…]

Stubbornness kills

– still. Why don’t minds open up, and save a lot of lives ..?
I’m referring to this story, with this one behind it.

Imagine the cost savings if Science weren’t a. so stubborn, b. so completely tied up in commercial interests. The latter, proven over and over again to result in anti-societal behaviour. On a massive scale. If only science would be objective, reproduce claims, and then serve by whom it (?) is paid: Consumers i.e. human beings. No science doesn’t exist for the de-human shareholders nor the some of the latter that are the 0,1%.
Maybe millennials will shift society towards commusocialism. Which is dangerous in itself. Since it may lead to as many deaths as the inaction of science on this one. But the latter is more pernicious, harder to counter.

Well, let’s all stay positive, right?

[Under this starry ceiling, the chance of superbugs being present is … quite high yes; Grand Central]

Dream on

It seems that LinkedIn posted a piece on how AI has taken over LinkedIn already, and <SkAInet!> they’re massaging our minds before they take over completely. Like, in this:

How you’d think that the first item is not heavily bot-driven, excusing, exonerating themselves [that word assumes agency, doesn’t it ..? 😳] ..? On command by some Power That/To Be, probably, but still.
Yes, I’m scaremongering. You’d need to, too.
Oh, plus of course:

[Don’t worry be happy, Blue Pill style all the way; Amsterdamse Bos]

Maverisk / Étoiles du Nord