Category: ERM, GRC

Cultural maturity – of organisations

Adding to the Maslow-for-organisations idea of December 3rd’s post; would it be possible to gauge an organization its maturity level by trying to establish its ‘score’ on the various pyramid layers (to be) established? Though immediately, I see trouble for the method where e.g., companies may get into (financial / freshness/motivational) trouble and sink back some layers. But then again, we may then look up in DSM-5 what ails the company, and find avenues to restore good health.

Hmmm, how is it that when thinking of corporate culture, one so quickly ends up at the mental disorder metaphor? And I jump in with the option of (boardroom consulting) intervention; highly profitable, for the firm if it hires me for that, and for me anyway.

So it seems not to hinge on the Maslow pyramid. Nevertheless, as diagnostic tool, it may help.

To keep you sane till I’ve fully developed the method:
DSCN4044[Calatravalencia]

Continuous AssuMining

… Where the process mining for overall assurance, as e.g., @ConeyDataDriven do so well, may spill over into straightforward data point assurance. Of sorts.
Because, when one has visual petri nets (well… sort of) at the transactions level(s) all through the systems, wouldn’t it be dead easy to have tallies at stores and flows, that can be reported on – and when audited in real time, given assurance on! – in all their shining minute detail as compared to the late, very late after-the-fact yes even after-the-full-year-has-ran-its-course annual figures.

This would of course require auditors to sit by all the information flows as they go, and have controllers at hand to correct any single transactions (and reporting) that go unwarranted ways. But hey, there’s tons of fees there, right? So it will happen. In one form or another.
More importantly: No need to keep on dwelling in XML/XBRL quagmires; that level of operational capability would need to be stable or one would lose out. Hence one can from some stage on assume that all transactions are indeed captured and passed through the systems interfaces at all (lower) levels OR some balances will fail – that’s what balances are for. Having established that, the bliss of control room overview will come to administrative(!!)-information flows:
Reliance - 4[Just plucked off the search results, for a refinery. But you get the idea…]

Would there be any roadblocks to this development? Your call.

Jumping the aggre chasm

On the subject of individuality versus group aggregates. And where the characteristics just don’t add up because they do. As in:

  • Elections. Every vote counts, but no single one matters.
  • ‘Democratic’ (quod non) politics in general. Where one can only change things by joining political parties where your particular issue voice is lost, you are required to toe the party line on many (other) things against your ad hoc will and purpose, and parties end up not representing anyone in particular – no party has exactly all opinions right on all your issues, and in the end even parties don’t do as promised because they have to compromise.
  • Organizations. Where group think (is the) rule(s). Where all collectively are expected to behave individually. Or so. At the end of this.
  • Statistics. Where n times the average of n data points is nowhere the same as any of the data points. The statistician drowned in the river that is 1 ft deep on average. The average human has 1 nipple and 1 ball. Etc. [Let alone causality that is only implied in the human discourse, the Story, but has never yet been proven to exist. Philosophers’ stuff]
  • Mathematics (I). Where the greatest common divisor decreases rapidly as the number of elements increases.
  • Mathematics (II). Where there is a continuity ‘correction’ when jumping from discrete to real arithmetic.

But now, first, your pic of the day:
DSCN1315
[Also Girona, oft missed]

Which all reminds us of Ortega y Gasset’s rants against the hordes, the masses – his their Revolt is the fear of the shrinking greatest common divisor.

Which also reminds us of the perennial individual versus history movements when discussing innovation. One can go it alone but will not gain traction. Or (later) succumb to the pressure of joining others but losing something for the sake of being allowed to join. Hmmm, I feel there’s much more to be said here. But the bits margin on this blog did just not suffice. To be continued. In the mean time, I’d welcome your contributions to the above list …

Maslow for companies

Some first sketches of an idea that sprang to mind during some musings about (the feasibility of) schemes that classify maturity levels for companies, or organisations. The idea being that the common Maslow pyramid that, despite some critique here and there that usually points at critics’ misunderstanding of modeling and this model in particular, is still very much valid for establishment of personal preferences and comfort zones.
* Yes I do know the cultural variance in ‘it’.

But the idea quickly stalled due to lack of progress in the bottom layers of the OrgPsyPyramid – what comes first for e.g., start-ups; is that different for established organisations that are under threat of extinction due to disruptors and/or self-inflicted financial troubles ..? Is it market share (these days, a.k.a. active users), growth for growth sake, immediate positive cash flow (or the opposite; burn rate as a plume à l’honneur), or ..?

Hm, it’s time for:
DSCN5042[Tok’about old (?) and new classics]

The other layers, … will follow in a couple of weeks. Think traditional growth, market share, capitalization (or valuation), profits, foundation for longevity. But as we move up higher, as to be expected we’re entering the harder-to-understand regions, being the harder to define, implement and achieve ones too. If you would have some pointers to science already having been done; yes please I’d be happy to incorporate that. So, looking forward to your comments… (as if anyone would comment…)

From Sedlacek to accountancy

While going through Sedláček’s seminal Economics of Good and Evil – which should be a mandatory read for all economics, business, and audit (-of-all-sorts) students, I came across one part that struck me as possibly relevant for direct application in accountancy.
Oh but of course, there’s so great a many more parts that should be applied, the sooner the better. I’ll return one day, in the next couple of months, with probably a series of Book by Quote posts on the book, including some analysis and comments maybe this time. And by ‘direct application’ I meant application as useful underpinning undercurrent, root cause, in tha analysis, of what’s wrong with latter-day accountancy, helping as pointers towards possible improvement(s) there. The kicker is in the tail of this post …

First, this:
DSCN1004[According to legend, the exact spot (flag) where St. George slew the dragon, at the St. Jordi (of course) gate, Montblanc, Catalunya. Somewhat fittingly a bus stop 2 yards away, if you could make this post a similar exact slaying spot of accountancy’s woes ;-]

OK. To start. Sedláček has this chapter where a number of Value systems are lined up. On the far left is Kant, with the good-ness of a man’s actions being everything, regardless of the results. Next from the left towards the middle are Christian and Judean thought, and on with Aristoteles, Epicurists (which I think he interprets, and places, incorrectly), Hedonists and finally on the far Right flank, Utilitarians and Mandeville – Greed is Good or rather: only (!?) vice is good (for progress – and we all need that, right?). When reading this (and, as said, I don’t agree with everything there even taking into account Sedláček’s clear statement that the abbreviation may bend the correctness of content), something struck me:

What if, when, the utilitarians have kidnapped the meek of the middle-to-left; have made them believe that they could remain true to themselves in this hostile world, while at the same time the villains have isolated them from the real world and just harvest their proceeds?

[From here on, it gets contentious. Don’t be put off by what you might interpret as rebellious bluntness. I just have not sufficient time to write it all out in a diplomatic, friendly fashion – a diplomat is someone who tells you to go to heck in such a way that you look forward to the journey]
This, e.g., in the wider society where Jaron Lanier’s siren servers harvest all the data production that consumers do; promising benefits but keeping all the humongous moneys to themselves. And, as said, in accountancy, where the individual accountant (partner) is still allowed to believe (s)he works for the greater good of society, to be a really important cog in (economic) society’s good behavior machine. Where in the mean time, the leading partners (or the jump from individual to collective!) roam off all the vast margins and don’t care less about quality. The latter may sound coarse but considering the pressure on productivity levels and budgets, and considering the declared Holy goal of profit increase (second derivative!) …

Such kidnapping points at the improvements required in accountancy today, in particular re the ‘Big’ 4 their handywork for large organisations i.e. just signing off and caring less (proven) about the quality of investigative work done. The horror to think one would dig deep enough for root causes, that would only cost mo-ney…! and could set us up for confrontation with the client, even by causing the hassle or having to amend (processes – cumbersome and costly, and books – the same).

As stated, this may help in the current discussions about the ‘business model’ in accountancy in particular re the ‘Big’ 4. Where talk is of what the client is that should be served, and how to align payment accordingly. As now, in practice the Board, the very auditee, pays. Officially, the Board of Supervisors (Raad van Commissarissen) does, that in an ideal world would represent not only stockholders’ interests but also other stakeholders’; we live in not quite an ideal world where the RvC has to deal with Regulatory Capture if (not when) they’d be aware of that and would even be aware of the need to break the old boys’ networks. And even then, the client could be the RvC but paying the (external) accountant out of profits comes down to the Board registering that in the organization’s books after the best placed to understand and estimate, the Board, would negotiate the budget. In the end, the auditee pays. Who pays, stays. ‘Whose bread one eats, his words one speaks’ (Dutch). Despite the Good ones trying to maintain their independence, in appearance and practice; this shouldn’t be a struggle but an easy stable starting point not having to depart from or returned back to. Certainly not in public opinion..! But now, is troublesome.
Another option, to hire accountants via the insurance companies that insure the auditee organisations qua malpractice, may work but makes accountants dependent in other ways; insurance co’s aren’t philanthropic institutions and would have their own ways of setting budgets, not ex ante aligned with accountants’ societal interests first.

Thirdly, nationalization of accountants also pops up here and there again and again. Where all accountants – not; only the ones to audit organisations of societal interest – would then be allocated in some way or another to auditees. Regulatory capture and other distortions may readily start off in this mode as well; is this studied well enough? Though in this model, accountants with their legally protected task would earn much capped incomes in line with all (?) other civil servants like street cleaners and PMs.

And, of course, there’s the BOHICA approach.
Which might not even be that bad, if, IF paired with an introspection plus real change where the profit seekers are ousted (and not allowed to re-enter, through changed promotion paths) and the kidnapped are released. So that they can again do their best work, as virtuous (wo)men.

So, this above reasoning all the way from Sedláček to current accountancy business models, leads to the distinction of two different sorts of ‘Big’ 4 partners. Which in turn leads to the kidnap interpretation. Which, in turn, leads to changed promotion paths as way forward.

Aren’t we lucky that accountants know everything about true transparency … because that’s what will be needed when progressing with this. So that no lip service will be paid to these changed business principles.

But wait … all the above should not be news. And appears to be insufficient since, as accountants, the very few who actually do, discussed: shouting for ‘cultural change’ is just window dressing that in itself will not result in said change and may not prove to be doable, as goal. To put it very mildly. We may need more. Along the lines of Mandeville, where the Bad are allowed to exist, are required to exist but don’t tell them (no need), in order for the whole of virtuous society to benefit from them; if there were only virtuous citizens, society would come to a standstill until destroyed (from the outside, mostly).
What if we can devise a (business) model that would actually kidnap the despicable, the money grabbers, and turn them into the nible thrifty termites that we the virtuous ants could live off ..?
[Edited to add: This may require Piketty-style progressive taxes on specific professions, but would that be impossible ..? ‘t Might be done in-house in some way, e.g., by setting limits on the income range, the top 10% earning a max per person of … whatever, times the earning per person of the lower 20%]

I’ll leave you now. A much more extensive analysis may be in order of this subject. Which may or may not follow. In particular re the jump from (sum of) individuals to collective à la Ortega y Gasset and Brian (and followers); an oft overlooked but still Very Hard Problem. But your comments are welcomed already…:

Coining an answer; Bit-passports

The answer to the final question (“… why the governments didn’t invent this sooner,” he says. “I came up with this over a weekend in my spare time, why didn’t they? …”) in this here very interesting piece, is easy: Enrollment Problem Plus Risk Management.

But still, the idea of using Bitcoin crypto style solutions to the ‘international’ passport problem is useful, and might work. In some way. Not this self-certification one. If you’re aware of how long PGP has been around, you should be aware of all the failures of any form of tribal-cred-branching-out IDs.
And, a great many governments may just not have a sufficiently pressing need for a new passport scheme. The risks of the current model, are known and (again: apparently) manageable.

So I’ll leave you with:
DSCN1415[Apologising calmly. And frequently.]

Hiding or in plain sight (IoT dev’t)

In IoT development, there seems to be a disconnect between the hype and the underlying developments. By which I mean that of course, the hype will not play out according to itself, but according “We overestimate short-term impacts and underestimate the longer-term ones”. But moreover, I also mean that there’s a variety of development speeds for IoT. Since there is various types, categories of IoT developing.
As in this here one of my previous posts.

Oh right away:
DSCN8649
[Your office ‘life’, Zuid-As again]

So… what we’re seeing, is certain differences in speeds:

  • B-inhouse IoT develops rapidly; after some decades of slow introduction of robot-driven factories, we’re on the verge of a breakthrough at less than light speed where the same factories will be linked up to form semi-small, mid-size ‘local’ 3D printing warehouses. Maybe. But certainly, the factories will go the way of data centers, that can be anywhere around the world with only rump staffing locally and control being … anywhere else around the world. With the premise that in the ‘Western’ world, there will be sufficient sufficiently educated staff to control the factories elsewhere. So that ‘manufacturing’ may ‘return’ to the West its origination (Industrial Revolution and since). Nearness of production cutting the costly transport now that labour costs become less relevant, and leaving the most pollutive production where locals still don’t have the economic power to fight the externalities. Short-changing economic development in many places where it had barely started in earnest (no ‘trickle down’ yet). Unbalancing global power developments. We’ll see… Or not; these ‘secret’ in-house developments (in particular, within large conglomerates that can pilot) may not be too visible before their join-or-die breakthrough.
  • B2B IoT: Same, somewhat. Moving ahead with cutting out the middle men, DACcing all around. Pure economics (power play by big corp’s; ROI et al.) will determine speed(s) here. Join-or-die aspects play here, too; less in outright competition but more in missing out in cooperation, being left in the dust.
  • C2B IoT: Out in the open, where all the hype is. No concern – as for secrecy of developments; heaps of concerns re e.g. privacy ..!! Critical Mass (as defined in Yours Truly’s seminal graduation thesis of, already, 1990 (on office automation incl e-mail, where it played then) yes a great many years before it was to be called) Network Effect, or – Tipping Point may be the key point for development fits and starts in this one; in publicity, actual adoption and fruitful use.
  • C-internal: Same. Slower due to legacy. I.e., houses already out there. Some have been around for centuries. Massive update ..? [Edited to add: this here toytoolset seems helpful in this area]

We’ll see…

Flavours of IoT

In my on-going attempts to get a grip on IoT, I recently developed a first, for me … Being a broadest of classification of IoT deployment, with characteristics yet to work on:

  • B-internal; the ever more intelligent, ever more (visually) surroundings-aware robots in factories, replacing extorted laborers thus taking away the last options to life they had. On the other hand, freeing humanity of toils at last ..? If not when there’s a Hegelian end…
  • B2B; having near-AI ‘machines’ as the new middlemen, if at all or incorporated on the sell- or buy-side.
  • C2B; as with most lifelogging e.g., through wearables. You didn’t really think your health data was for your private consumption, did you!? If so, only as a weak collateral product of insurer’s ever better reasons to turn you down the more you need them. No escape.
  • C-internal; maybe, here and there, with domotics. And with this; will already a blend with the previous, probably.

To which I would then add some form of mapping to the various layers of discourse (as in:
blog-iot-security11
but then, much more stacked with OSI-like layers and elements performing various functions like collection, aggregation, abstraction. Seems relevant to do a risk analysis on all those levels and points/connections.
Yes, it’s rather vague, still. But will work on this; to see whether the classification can shed some light on various speeds of adoption, and where privacy concerns et al. may be worst. Your comments, additions and extensions are much welcomed.

I’ll leave you for now, with:
Photo21b[From an old analog to digital time, still SciFi ..?]

Your info – value

Wanted to post something on the value of information. Then, this came out a couple of weeks ago. By way of some sort of outside-in determinant of the value of (some) information… [Oh and this here, too, even more enlightening but for another discussion]

who-has-your-back-copyright-trademark-header
Which appears to be an updated but much shortened version of what I posted earlier. Players disappeared or doesn’t anyone care anymore about the ones dropped out ..?
Anyway.

Yes I wasn’t done. Wanted to add something about information value within ‘regular’ organisations, i.e., not the ones that live off ripping off people of their personal data for profit as their only purpose with collateral damage functionality to lure everyone, would value the information that they thrive on, by looking inside not circling around the perimeter.
I could see that being established via two routes:

  • The indirect avenue, being the re-build costs; what it would cost to acquire the info from scratch. Advantage: It seems somewhat tractable. Drawback: Much info would be missed out on, in particular the unstructured and intangibly stored. Employee experience …!?
  • The direct alley. Not too blind. But still, hard to go through safely. To take stock of all info, to locate it, tag it, among other things, with some form of revenue-increase value. Advantage: Bottom-up, a lot of fte’s to profit from the Augean labor (Hercules’ fifth). Drawback: the same.

OK, moving on. Will come back to this, later.

Not yet one IoTA; Auditing ‘technology’

[Apologies for the date/time stamp; couldn’t pass.]
First, a pic:
20140226_113554
[Classy classic industrial; Binckhorst]

Recently, I was triggered by an old friend about some speaking engagement of mine a number of years back. As in this deck (in Dutch…).
The point being; we have hardly progressed past the point I mentioned in that, being that ‘we’ auditors, also IT/IS auditors!, didn’t fully adapt to the, then, Stuxnet kind of threats. (Not adopt, adapt; I will be a grammar and semantics n.z. on that.)
As we dwelled in our Administrative view of how to control the world, and commonly though not fully comprehensively, had never learned that the control paradigms there, were but sloppy copies of the control paradigms that Industry had known for a long time already, effectively in the environment of use there. As in this post of mine. Etc.

But guess what – now many years later, we still as a profession haven’t moved past the administrative borders yet. Hence, herewith

A declaration of intent to develop an audit framework for the IoT world.

Yes, there’s a lot of ground to cover. All the way from classification of sensors and networks, up to discussions about privacy, ethics and optimistic/pessimistic (dystopian) views of the Singularity. And all in between that auditors, the right kind, IS auditors with core binary skills and understanding of supra-supra-governance issues, might have to tackle. Can tackle, when with the right methodologies, tools, attitude, and marketing to be able to make a living.

Hm, there’s so much to cover. Will first re-cover, then cover, step by step. All your comments are welcomed already.
[Edited to add: Apparently, at least Checkpoint (of firewall fame oh yes don’t complain I know you do a lot more than that yesterday’s stuff; as here) has some offerings for SCADA security. And so does Netop (here). And of course, Splunk). But admit; that’s not many.]

Maverisk / Étoiles du Nord